Aa-Threat and Control For Each Cycle
AIS
JAMES SITUMORANG
------------------------------------------------------------
INTERNAL CONTROL, BUSINESS ACTIVITIES, CONTROL OBJECTIVES, THREATS, AND CONTROL PROCEDURES IN EACH TRANSACTION CYCLE
Internal control
Internal control is the process implemented by the board of directors, management and those under their direction to provide reasonable assurance that the following control objectives are achieved:
1. Safeguarding assets, including preventing or detecting, on a timely basis, the unauthorized acquisition, use or disposition of material company assets
2. Maintaining records in sufficient detail to accurately and fairly reflect company assets
3. Providing accurate and reliable information
4. Providing reasonable assurance that financial reporting is prepared in accordance with GAAP
5. Promoting and improving operational efficiency, including making sure company receipts and expenditures are made in accordance with management and directors' authorizations
6. Encouraging adherence to prescribed managerial policies
7. Complying with applicable laws and regulations

SALES AND CASH COLLECTIONS CONTROL OBJECTIVES, THREATS, AND PROCEDURES
In the revenue cycle (or any cycle), a well-designed AIS should provide adequate controls to ensure that the following objectives are met:
1. all transactions are properly authorized;
2. all recorded transactions are valid;
3. all valid and authorized transactions are recorded;
4. all transactions are recorded accurately;
5. assets are safeguarded from loss or theft;
6. business activities are performed efficiently and effectively;
7. the company is in compliance with all applicable laws and regulations; and
8. all disclosures are full and fair.

There are several actions a company can take with respect to any cycle to reduce threats of errors or irregularities. These include:
1. using simple, easy-to-complete documents with clear instructions (enhances accuracy and reliability);
2. using appropriate application controls, such as validity checks and field checks (enhances accuracy and reliability);
3. providing space on forms to record who completed and who reviewed the form (encourages proper authorizations and accountability);
4. pre-numbering documents (encourages recording of valid and only valid transactions); and
5. restricting access to blank documents (reduces risk of unauthorized transaction).

THREATS IN SALES ORDER ENTRY
The primary objectives of this process:
- Accurately and efficiently process customer orders.
- Ensure that all sales are legitimate and that the company gets paid for all sales.
- Minimize revenue loss arising from poor inventory management.

Threat No. 1: Incomplete or inaccurate customer orders
Causes inefficiencies and customer dissatisfaction.
Controls include: data entry controls, such as completeness checks; automatic lookup of reference data like customer address; and reasonableness tests comparing quantity ordered to past history.

Threat No. 2: Sales to customers with poor credit
Causes uncollectible sales and loss of revenues and assets.
Control: Follow proper authorization procedures for credit sales.

Threat No. 3: Orders that are not legitimate
Can cause poor credit decisions.
Controls include: appropriate authorization evidenced by receipt of a signed purchase order and/or digital signatures, and maximum caution in online credit card transactions with retail customers.

Threat No. 4: Carrying too much or too little merchandise
Causes lost sales or excess carrying costs and product markdowns.
Controls include: accurate inventory control and sales forecasting systems; online, real-time inventory systems; periodic physical counts of inventory; and regular review of sales forecasts to make adjustments.

THREATS IN SHIPPING
The primary objectives of the shipping process are:
- Fill customer orders efficiently and accurately.
- Safeguard inventory.

Threat No. 5: Shipping errors
May cause customer dissatisfaction, lost sales, and loss of assets.
Controls include: online shipping systems that check quantities shipped; bar code scanners and RFID tags to record picking and shipping; application controls such as field checks and completeness tests to reduce errors; and postponing printing of packing slip and bill of lading until accuracy of the shipment has been verified.

Threat No. 6: Theft of inventory
Causes loss of assets and inaccurate inventory records.
Controls include: secure inventory and restrict access; document inventory transfers; release inventory for shipping only with approved sales orders; employees who handle inventory should sign the documents or enter their codes online to ensure accountability; wireless communication and RFID tags to provide real-time tracking; and periodic physical counts of inventory.

THREATS IN BILLING
The primary objectives of the billing process are to ensure:
- Customers are billed for all sales
- Invoices are accurate
- Customer accounts are accurately maintained

Threat No. 7: Failure to bill customers
Causes loss of assets and revenues and inaccurate sales, inventory and accounts receivable data.
Controls include: segregate shipping and billing functions; sequentially pre-number sales orders, picking tickets, packing slips, and sales invoices; and in invoice-less systems, ensure every shipment is recorded, since the shipment triggers recording of the account receivable.

Threat No. 8: Billing errors
May cause loss of assets or customer dissatisfaction.
Controls include: use computer to retrieve prices; check quantities on packing slip against quantities on sales order; and use bar code scanners to reduce data entry errors.

Threat No. 9: Errors in maintaining customer accounts
Causes customer dissatisfaction and loss of sales and may indicate theft of cash.
Controls include: conduct edit checks; reconcile batch totals to detect posting errors; compare number of accounts updated with number of checks received; reconciliations performed by an independent party; and monthly customer statements.
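
The pre-numbering and shipment-to-invoice checks listed for Threats 7 and 8, written out as an added example (not part of the original notes). The record layout, field names and sample numbers are constructed for illustration.

```python
from collections import Counter

# Constructed sample records: packing slips from shipping, invoices from billing.
SHIPMENTS = [
    {"packing_slip": 5001, "qty": 10},
    {"packing_slip": 5002, "qty": 4},
    {"packing_slip": 5003, "qty": 7},
    {"packing_slip": 5004, "qty": 2},
]
INVOICES = [
    {"invoice_no": 9001, "packing_slip": 5001, "qty": 10},
    {"invoice_no": 9002, "packing_slip": 5002, "qty": 5},  # billed 5, shipped 4
    {"invoice_no": 9004, "packing_slip": 5004, "qty": 2},  # 9003 is missing
]

def sequence_report(numbers):
    """Return (missing, duplicated) numbers for a pre-numbered document series."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated

def unbilled_shipments(shipments, invoices):
    """Return (slips never invoiced, invoiced slips with no shipment record)."""
    shipped = {s["packing_slip"] for s in shipments}
    billed = {i["packing_slip"] for i in invoices}
    return sorted(shipped - billed), sorted(billed - shipped)

def quantity_mismatches(shipments, invoices):
    """Return invoice numbers whose quantity differs from the packing slip."""
    shipped_qty = {s["packing_slip"]: s["qty"] for s in shipments}
    return sorted(
        i["invoice_no"] for i in invoices
        if i["packing_slip"] in shipped_qty
        and i["qty"] != shipped_qty[i["packing_slip"]]
    )

if __name__ == "__main__":
    print("invoice gaps/duplicates:",
          sequence_report([i["invoice_no"] for i in INVOICES]))
    print("unbilled / unsupported:", unbilled_shipments(SHIPMENTS, INVOICES))
    print("quantity mismatches:", quantity_mismatches(SHIPMENTS, INVOICES))
```

A gap in the invoice series and a packing slip with no invoice are separate exceptions; each goes to someone independent of both shipping and billing for follow-up.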

THREATS IN CASH COLLECTION
The primary objective of the cash collection process:
- Safeguard customer remittances.

Threat No. 10: Theft of cash
Causes loss of cash.
Controls include: segregation of duties; minimizing money handling; prompt documentation and restrictive endorsements of remittances; two people opening mail together; remittance data sent to accounts receivable while cash and checks are sent to cashier; checking that total credits to accounts receivable equal total debits to cash; sending copy of remittance list to internal auditing to be compared with validated deposit slips and bank statements; monthly statements to customers; cash registers that automatically produce a written record of all cash received; inducements to customers to scrutinize receipts; daily deposit of all remittances in the bank; and bank reconciliations done by an independent party.

GENERAL CONTROL ISSUES
Two general objectives pertain to activities in every cycle:
- Accurate data should be available when needed.

Threat No. 11: Loss, alteration, or unauthorized disclosure of data
Could threaten a company's continued existence and could cause errors in reporting and/or in responding to customers. Could cause customer dissatisfaction, loss of sales, and legal sanctions or fines.
Controls include: file backups; file labels; strong access controls; modification of default settings on ERP systems; encryption; and secure transmissions.

Threat No. 12: Poor performance
Can damage customer relations and reduce profitability.
Controls: Prepare and review performance reports.
------------------------------------------------------------
CONTROL OBJECTIVES, THREATS, AND PROCEDURES
In the expenditure cycle (or any cycle), a well-designed AIS should provide adequate controls to ensure that the following objectives are met:
1. all transactions are properly authorized;
2. all recorded transactions are valid;
3. all valid and authorized transactions are recorded;
4. all transactions are recorded accurately;
5. assets are safeguarded from loss or theft;
6. business activities are performed efficiently and effectively;
7. the company is in compliance with all applicable laws and regulations; and
8. all disclosures are full and fair.

THREATS IN ORDERING GOODS
Threat No. 1: Stock-outs and/or Excess Inventory
Controls: Accurate inventory control and sales forecasting; use of perpetual inventory method; supplier performance reports; recording of inventory changes in real time; barcoding inventory; and periodic physical counts.

Threat No. 2: Ordering Unnecessary Items
Controls: Integrate databases of various divisions and produce reports that link item descriptions to part numbers to allow consolidation of orders.

Threat No. 3: Purchasing Goods at Inflated Prices
Controls: Price lists for frequently-purchased items; use of catalogs for low-cost items; solicitation of bids for high-cost and specialized products; review of purchase orders; budgetary controls and responsibility accounting; and performance review.

Threat No. 4: Purchasing Goods of Inferior Quality
Controls: Use of approved supplier list; review of purchase orders; tracking of supplier performance; purchasing accountability for rework and scrap.

Threat No. 5: Purchasing from Unauthorized Suppliers
Controls: review of purchase orders; restriction of access to supplier list; periodic review of supplier list; and coordination with procurement card providers to restrict acceptance of cards.

Threat No. 6: Kickbacks
Controls: No gift policy for buyers; employee training on gift handling; job rotation and mandatory vacation; audits of buyers; review of conflict of interest statements; vendor audits.

EDI-Related Threats
Controls: Restriction of EDI access; verification and authentication of EDI transactions; acknowledgment of EDI transactions; log and review of EDI transactions; encryption; digital signatures; EDI agreements with suppliers.

Threats Related to Purchases of Services
Controls: Hold supervisors accountable for costs; compare actual to budgeted expenses; review and audit contracts for services.

THREATS IN RECEIVING AND STORING GOODS
The primary objectives of this process are to verify the receipt of ordered inventory and safeguard the inventory against loss or theft.

Threat No. 7: Receiving Unordered Goods
Controls: Accept goods only when there's an approved purchase order.

Threat No. 8: Errors in Counting Received Goods
Controls: Bar-coding of ordered goods; quantities blanked out on receiving forms; signature of receiving clerks; bonuses for catching discrepancies; re-counting of items by inventory control.

Threat No. 9: Theft of Inventory
Controls: Secure storage locations for inventory; documentation of intra-company transfers; periodic physical counts; segregation of duties.

THREATS IN APPROVING AND PAYING VENDOR INVOICES
The primary objectives of this process are to:
- Pay only for goods and services that were ordered and received.
- Safeguard cash.

Threat No. 10: Failure to Catch Invoice Errors
Controls: Check mathematical accuracy; verify procurement card charges; adopt Evaluated Receipt Settlement; train staff on freight terminology; use common carrier to take advantage of discounts.

Threat No. 11: Paying for Goods Not Received
Controls: Compare invoice quantities to quantities reported by receiving and inventory control; use tight budgetary controls.

Threat No. 12: Failure to Take Available Discounts
Controls: File and track invoices by due date; prepare cash flow budgets.

Threat No. 13: Paying the Same Invoice Twice
Controls: Approve invoices only with complete voucher package; pay only on original invoices; cancel invoices once paid; use internal audit to detect and recover overpayments; control access to accounts payable master file.

Threat No. 14: Recording and Posting Errors to Accounts Payable
Controls: Data entry and processing controls; reconcile supplier balances with control accounts.

Threat No. 15: Misappropriation of Cash, Checks, or EFT
Controls: Restrict access to cash, checks, and check signing machines; use sequentially numbered checks and reconcile; segregate duties; two signatures on checks over a certain limit; restrict access to supplier list; cancel all documents; have independent bank reconciliation; use check protection measures and/or positive pay; provide strict logical and access controls for EFT; log, encrypt, stamp and number all EFT transactions; monitor EFT transactions; and use embedded audit modules.
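
The invoice-approval controls for Threats 10, 11 and 13 above (mathematical accuracy, comparison with receiving quantities, complete voucher package, cancelling paid invoices) combined into one check, as an added example that is not part of the original notes. The data layout, vendor name, document numbers and exception labels are constructed for illustration.

```python
import re
from decimal import Decimal

# Constructed sample data: one approved purchase order and its receiving report.
PURCHASE_ORDERS = {"PO-100": {"vendor": "ACME",
                              "prices": {"bolt": "0.25", "nut": "0.10"}}}
RECEIPTS = {"PO-100": {"bolt": 400, "nut": 500}}
VENDOR_INVOICES = [
    {"vendor": "ACME", "invoice_no": "INV-0042", "po_no": "PO-100",
     "lines": [("bolt", 400, "0.25"), ("nut", 500, "0.10")], "total": "150.00"},
    {"vendor": "ACME", "invoice_no": "inv 42", "po_no": "PO-100",   # resubmission
     "lines": [("bolt", 400, "0.25"), ("nut", 500, "0.10")], "total": "150.00"},
    {"vendor": "ACME", "invoice_no": "INV-0043", "po_no": "PO-100",
     "lines": [("bolt", 600, "0.25")], "total": "160.00"},
]

def invoice_key(vendor, invoice_no):
    """Vendor plus invoice number with case, punctuation and zero padding removed."""
    compact = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    return vendor, re.sub(r"(?<![0-9])0+(?=[0-9])", "", compact)

def review_invoice(inv, purchase_orders, receipts, paid):
    """Return the exceptions that block payment; an empty list means approve."""
    problems = []
    key = invoice_key(inv["vendor"], inv["invoice_no"])
    if key in paid:
        problems.append("duplicate_invoice")              # Threat 13
    po = purchase_orders.get(inv["po_no"])
    if po is None or po["vendor"] != inv["vendor"]:
        return problems + ["no_matching_purchase_order"]  # incomplete voucher package
    received = receipts.get(inv["po_no"], {})
    total = Decimal("0")
    for item, qty, price in inv["lines"]:
        total += qty * Decimal(price)
        if qty > received.get(item, 0):
            problems.append(f"not_received:{item}")       # Threat 11
        if item not in po["prices"] or Decimal(price) != Decimal(po["prices"][item]):
            problems.append(f"price_differs_from_po:{item}")
    if total != Decimal(inv["total"]):
        problems.append("total_mismatch")                 # Threat 10
    if not problems:
        paid.add(key)                                     # cancel the invoice once paid
    return problems

def review_all(invoices):
    """Review invoices in order against the sample PO and receipt data."""
    paid = set()
    return [review_invoice(i, PURCHASE_ORDERS, RECEIPTS, paid) for i in invoices]

if __name__ == "__main__":
    for inv, result in zip(VENDOR_INVOICES, review_all(VENDOR_INVOICES)):
        print(inv["invoice_no"], result or "approved")
```

This version compares each invoice to the receiving report on its own; a fuller check would also track the cumulative quantity already billed against each purchase order line.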

GENERAL CONTROL ISSUES
Threat No. 16: Loss, Alteration, or Unauthorized Disclosure of Data
Controls: File backups, use of file labels; strict access controls; alter default settings on ERP modules; encrypt data; and use message acknowledgment techniques.

Threat No. 17: Poor Performance
Controls: Performance reports.
------------------------------------------------------------
CONTROL OBJECTIVES, THREATS, AND PROCEDURES
In the production cycle (or any cycle), a well-designed AIS should provide adequate controls to ensure that the following objectives are met:
1. all transactions are properly authorized;
2. all recorded transactions are valid;
3. all valid and authorized transactions are recorded;
4. all transactions are recorded accurately;
5. assets are safeguarded from loss or theft;
6. business activities are performed efficiently and effectively;
7. the company is in compliance with all applicable laws and regulations; and
8. all disclosures are full and fair.

THREATS IN PRODUCT DESIGN
Threat No. 1: Poor Design
Controls: Accurate data about components; analysis of warranty and repair costs.

THREATS IN PLANNING AND SCHEDULING
Threat No. 2: Over- or Under-Production
Controls: Accurate sales forecasts and inventory data; investment in production planning; collection of production performance data; proper authorization of production orders; restricted access to production scheduling programs; validity checks on production orders.

Threat No. 3: Sub-optimal Investment in Fixed Assets
Controls: Proper authorization of fixed asset transactions; competitive bidding.

THREATS IN PRODUCTION OPERATIONS
Threat No. 4: Theft of Inventory and Fixed Assets
Controls: Restricted physical access; documentation of internal inventory movement; properly authorized material requisitions; RFID tags and bar codes; segregation of duties; logical and physical access controls; independent count of inventory; ID and recording of fixed assets; management accountability; physical security; authorization of disposal; fixed asset reports; adequate insurance.

Threat No. 5: Disruption of Operations
Controls: Backup power sources; suppliers with disaster preparedness;

THREATS IN COST ACCOUNTING
Threat No. 6: Inaccurate Recording and Processing of Production Activity Data
Controls: Automate data recording with bar codes, RFID, and badge readers; online terminals for data entry; logical access controls; input validation routines; periodic physical counts of inventory; inspections and counts of fixed assets.

GENERAL THREATS
Threat No. 7: Loss, Alteration, or Unauthorized Disclosure of Data
Controls: File backups; external and internal file labels; logical access controls; adjustment to default ERP settings; encryption; and message acknowledgment techniques.

Threat No. 8: Poor Performance
Controls: Performance reports.
------------------------------------------------------------
CONTROL OBJECTIVES, THREATS, AND PROCEDURES
In the HRM/payroll cycle (or any cycle), a well-designed AIS should provide adequate controls to ensure that the following objectives are met:
1. all transactions are properly authorized;
2. all recorded transactions are valid;
3. all valid and authorized transactions are recorded;
4. all transactions are recorded accurately;
5. assets are safeguarded from loss or theft;
6. business activities are performed efficiently and effectively;
7. the company is in compliance with all applicable laws and regulations; and
8. all disclosures are full and fair.

THREATS IN EMPLOYMENT PRACTICES
Main objective: Effectively hire, retain, and dismiss employees.

Threat No. 1: Hiring Unqualified or Larcenous Employees
Controls: Specify job skills required; make candidates accountable for inaccurate information; perform background checks; verify skills and references.

Threat No. 2: Violation of Employment Law
Controls: Document all employment actions; train employees to keep them abreast of legal requirements.

THREATS IN PAYROLL PROCESS
Main objective: Efficiently and effectively compensate employees for services provided.

Threat No. 3: Unauthorized Changes to the Payroll Master File
Controls: Proper segregation of duties; independent review of changes to the file; logical and physical access restrictions.

Threat No. 4: Inaccurate Time Data
Controls: Automated recording of time; input edit routines; segregation of duties; reconciliation of time clock data to job time tickets by an independent party; and supervisory approval of time sheets.

Threat No. 5: Inaccurate Processing of Payroll
Controls: Batch totals, cross-footing of payroll register; use of payroll clearing account; review of worker classification.

Threat No. 6: Theft or Fraudulent Distribution of Paychecks
Controls: Sequentially number checks; restrict access to checks and check-signing devices; sign checks only with proper documentation; use an imprest payroll account; independent reconciliation of the payroll account; segregation of duties; surprise observations of check distribution; re-deposit of unclaimed checks.

GENERAL THREATS
Threat No. 7: Loss, Alteration, or Unauthorized Disclosure of Data
Controls: Offsite backups of files; external and internal file labels; logical and physical access controls; modification of default ERP settings; encryption; VPNs; message acknowledgment techniques.

Threat No. 8: Poor Performance
Controls: Performance reports.
------------------------------------------------------------
The four basic activities performed in the GL and FRS are:
1. update the general ledger,
2. post adjusting entries,
3. prepare financial statements, and
4. prepare managerial reports

CONTROL OBJECTIVES, THREATS, AND PROCEDURES
In the general ledger and reporting system (or any cycle), a well-designed AIS should provide adequate controls to ensure that the following objectives are met:
1. all transactions are properly authorized;
2. all recorded transactions are valid;
3. all valid and authorized transactions are recorded;
4. all transactions are recorded accurately;
5. assets are safeguarded from loss or theft;
6. business activities are performed efficiently and effectively;
7. the company is in compliance with all applicable laws and regulations; and
8. all disclosures are full and fair.

THREATS IN THE GENERAL LEDGER AND REPORTING SYSTEM
Threat 1: Errors in Updating the General Ledger and Generating Reports
Controls: Input edit and processing controls; reconciliations and control reports; maintenance of an audit trail.

Threat 2: Loss, Alteration, or Unauthorized Disclosure of Data
Controls: Backup and recovery procedures; internal and external file labels; strict logical and physical access controls; modification of ERP settings; encryption; message acknowledgment techniques.

Threat 3: Poor Performance
Controls: Performance reports; implementation of XBRL; redesign of business processes.
------------------------------------------------------------
THE POWER OF LOVE IS THE ABILITY TO LOVE ENEMIES, NOT TO LOVE OTHERS WHO LOVE US
IF BETTER IS POSSIBLE GOOD IS NOT ENOUGH
DRS. JAMES SITUMORANG, AKT., MBA., MM. Mobile: +62811.90.3423