Threats and Controls in the Expenditure Cycle (Purchase Order- Receiving Report- Voucher)

ACTIVITY THREAT CONTROLS (FIRST NUMBER REFERS TO THE CORRESPONDING THREAT)

1. Inaccurate or invalid 1.1 Data processing integrity controls
master data 1.2 Restriction of access to master data
General issues 2. Unauthorized disclosure 1.3 Review of all changes to master data
throughout entire of sensitive information 2.1 Access controls
expenditure cycle 3. Loss or destruction of 2.2 Encryption
data 3.1 Backup and disaster recovery procedures
4. Poor performance 4.1 Managerial reports

5.1 Perpetual inventory system

5.2 Bar coding or RFID tags
5.3 Periodic physical counts of inventory
6.1 Perpetual inventory system
5. Stockouts and excess 6.2 Review and approval of purchase requisitions
inventory 6.3 Centralized purchasing function
6. Purchasing items not 7.1 Price lists 7.2 Competitive bidding
needed 7.3 Review of purchase orders
7. Purchasing at inflated 7.4 Budgets
prices 8.1 Purchasing only from approved suppliers
Ordering 8.2 Review and approval of purchases from new suppliers
8. Purchasing goods of
inferior quality 8.3 Tracking and monitoring product quality by supplier
9. Unreliable suppliers 8.4 Holding purchasing managers responsible for rework and scrap costs
10. Purchasing from 9.1 Requiring suppliers to possess quality certification (e.g., ISO 9000)
unauthorized suppliers 9.2 Collecting and monitoring supplier delivery performance data
11. Kickbacks 10.1 Maintaining a list of approved suppliers and configuring the system to permit purchase
orders only to approved suppliers
10.2 Review and approval of purchases from new suppliers
10.3 EDI-specific controls (access, review of orders, encryption, policy)
11.1 Prohibit acceptance of gifts from suppliers
11.2 Job rotation and mandatory vacations
11.3 Requiring purchasing agents to disclose financial and personal inte in suppliers
11.4 Supplier audits
 12.1 Requiring existence of approved purchase order prior to accepting any delivery
12. Accepting unordered 13.1 Do not inform receiving employees about quantity ordered
items 3.2 Require receiving employees to sign receiving report
13. Mistakes in counting 13.3 Incentives
Receiving 13.4 Use of bar codes and RFID tags
14. Not verifying receipt of
services 13.5 Configuration of the ERP system to flag discrepancies between received and ordered
15. Theft of inventory quantities that exceed tolerance threshold for investigation
14.1 Budgetary controls
14.2 Audits
15.1 Restriction of physical access to inventory
15.2 Documentation of all transfers of inventory between receiving and inventory employees
15.3 Periodic physical counts of inventory and reconciliation to recorded quantities
15.4 Segregation of duties: custody of inventory versus receiving

16.1 Verification of invoice accuracy

16. Errors in supplier 16.2 Requiring detailed receipts for procurement card purchases
Approving supplier invoices 16.3 ERS
invoices 17. Mistakes in posting to 16.4 Restriction of access to supplier master data
accounts payable 16.5 Verification of freight bill and use of approved delivery channels
17.1 Data entry edit controls
17.2 Reconciliation of detailed accounts payable records with the general ledger control account
18.1 Filing of invoices by due date for discounts
18.2 Cash flow budgets
19.1 Requiring that all supplier invoices be matched to supporting documents that are
acknowledged by both receiving and inventory control
18. Failure to take 19.2 Budgets (or services)
advantage of discounts for 19.3 Requiring receipts for travel expenses
prompt payment 19.4 Use of corporate credit cards for travel expenses
19. Paying for items not 20.1 Requiring a complete voucher package for all payments
Cash
received 20.2 Policy to pay only from original copies of supplier invoices
disbursements
20. Duplicate payments 20.3 Cancelling all supporting documents when payment is made
21. Theft of cash 21.1 Physical security of blank checks and check signing machine
22. Check alteration 21.2 Periodic accounting of all sequentially numbered checks by cashier
23. Cash flow problems 21.3 Access controls to EFT terminals
21.4 Use of dedicated computer and browser for online banking
21.5 ACH blocks on accounts not used for payments
21.6 Separation of check writing function from accounts payable
21.7 Requiring dual signatures on checks greater than a specific amount
21.8 Regular reconciliation of bank account with recorded amounts by someone independent of
cash disbursements procedures
21.9 Restriction of access to supplier master file
21.10 Limiting the number of employees with ability to create one-time suppliers and to process
invoices from one-time suppliers
21.11 Running petty cash as an imprest fund
21.12 Surprise audits of petty cash fund
22.1 Check protection machines
22.2 Use of special inks and papers
22.3 "Positive Pay arrangements with banks
23.1 Cash flow budget