Note: This example is not complete and not perfect. This document is designed to save you time as you prepare your submission but a careful review of the requirements is important if a good score is desired.
Example PRJ3
Risks and Controls
The XYZ Company’s accounts payable department uses an information system to make payments to our vendors. Our department is in charge of receiving vendor invoices and processing them through our system to ensure timely payment to our vendors. This process requires careful review of all invoices as well as methods to reduce the risks associated with them. Maintaining security and service is important to ensuring positive relations with our vendors. Some of our main risk factors are human error and potential fraud or dishonest behavior by employees. Additionally …………………………………………………………
Control Table:

Control Name           | Control Zone        | Type of Control       | Implementation
-----------------------|---------------------|-----------------------|---------------
Password Policy        | IT General Control  | Preventive            | Automated
Referential Integrity  | Application         | Preventive            | Automated
Off-Site Data Backups  | IT General Control  | Corrective            | Automated
Multiple Signatures    | Application         | Preventive/Detective  | Manual
Table 1 - The table provides an overview of different controls that affect the accounts payable (AP) process. Some controls are not specific to AP, but they do affect the processes of the accounting department.
Control Narratives:
Password Policy: The password policy is a standard that helps ensure that passwords are changed routinely. Implementing a password policy can help mitigate risks associated with …………… . The control is implemented by ………………………………….
Referential Integrity: The referential integrity check is an automated control that makes sure that the …………………………………………………………………………………………………….
Data Backup: In the event of a disaster or a hard disk crash where the main data is suddenly lost or tampered with, off-site data backups are useful. These backups can be used to restore the system to its state before the incident. The backup process involves …………………………………………………………………
Multiple Signatures: Before we make a payment, two people review the transaction. This helps mitigate fraud and errors. Having two sets of eyes on a document helps ensure that more errors are caught and that no one is writing fraudulent checks. Specifically, a supervisor and a manager must review and sign before any check is approved for payment. …………………………………………………………………………………………………………………………… ……………………………………….
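The following is an added example, not part of the original project document: it models the multiple signatures control in code so the preventive side (a check cannot be released without a supervisor and a manager who are two different people) and the detective side (an audit that lists released checks lacking both signatures) can be seen separately. The role names, the record layout and the sample checks are assumptions constructed for the example.

```python
"""Dual-approval (multiple signatures) control for accounts payable checks.

Added example, not the document's own system. Assumes that a check is
approved only when a 'supervisor' and a 'manager' have both signed it and
that the two signers are different people. All data here is constructed.
"""
from dataclasses import dataclass, field

# Assumption: the two roles whose signatures a check must carry.
REQUIRED_ROLES = {"supervisor", "manager"}


@dataclass
class Signature:
    user: str
    role: str


@dataclass
class Payment:
    check_no: str
    vendor: str
    amount: float
    signatures: list = field(default_factory=list)
    released: bool = False  # set only by release_check in normal operation


class ApprovalError(Exception):
    """Raised when a signature or release violates the control."""


def sign(payment: Payment, user: str, role: str) -> Payment:
    """Record one signature; the same person may not sign twice."""
    if role not in REQUIRED_ROLES:
        raise ApprovalError(f"{role!r} is not an approving role")
    if any(s.user == user for s in payment.signatures):
        raise ApprovalError(f"{user} has already signed check {payment.check_no}")
    payment.signatures.append(Signature(user, role))
    return payment


def is_approved(payment: Payment) -> bool:
    """Preventive check: both required roles present, from two distinct people."""
    roles = {s.role for s in payment.signatures}
    users = {s.user for s in payment.signatures}
    return roles >= REQUIRED_ROLES and len(users) >= 2


def release_check(payment: Payment) -> str:
    """Release a check for payment only once it is fully approved."""
    if not is_approved(payment):
        missing = REQUIRED_ROLES - {s.role for s in payment.signatures}
        raise ApprovalError(
            f"check {payment.check_no} blocked; missing roles: {sorted(missing)}"
        )
    payment.released = True
    return f"released {payment.check_no} to {payment.vendor} for {payment.amount:.2f}"


def audit(payments) -> list:
    """Detective check: check numbers marked released without two valid signatures,
    which would indicate the review step was bypassed."""
    return [p.check_no for p in payments if p.released and not is_approved(p)]


if __name__ == "__main__":
    check = Payment("1001", "Acme Supplies", 2500.0)  # constructed sample
    sign(check, "alice", "supervisor")
    sign(check, "bob", "manager")
    print(release_check(check))
    print("audit findings:", audit([check]))
```

A check that has only one signature is blocked at release time, and a record flagged as released without both signatures shows up in the audit list, which is the part of the control that is detective rather than preventive.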
Zone Classifications:
Our internal controls are divided into three zones: Application, IT General, and Entity Level controls.
Application Controls: Application controls deal with one particular function in an organization. The controls we have in the application zone are referential integrity, multiple signatures, ………………………………. These are application controls because they are focused on ensuring the smooth functioning of the AP system.
Referential integrity between Vendors and Invoices ensures that only invoices from approved vendors are stored in the system. As this control is directly associated with the AP process, it is an application level control. …………………………………………………………………………………………………………………………………………………………..
IT General Controls: IT general controls deal with the IT systems that are used in multiple processes across many different departments. One of the controls we have in the IT general control zone is the password policy. It is an IT general control because it applies to all users of the organization's computer systems. …………………………………………………………………………………………………
Entity Level Controls: Entity-level controls deal with how IT related matters are managed for the whole organization. ………………………………………………………..
Control Types: The three control types are preventive, detective and corrective.
Preventive: Preventive controls try to stop problems from happening by being proactive.
The password policy is implemented to stop unauthorized access by making passwords harder to crack. ……………..……………………………………………………………….
Detective: Detective controls are there to identify problems after they have occurred.
The multiple signatures review is partly detective in nature because it can help in detecting an incorrect payment or a potential fraud.
Corrective: Corrective controls fix problems and restore normal operations.
The off-site data backup is a corrective control because if something were to happen to our system, we still have a copy of the data in an off-site place. ………………………………………………………………………………………………………..
Control Implementation: In our business process, we have a mix of automated, manual and hybrid controls.
Manual: Manual controls are those that are carried out by people. The multiple signatures review involves two people manually going over the checks to make sure that they are correct. ………………………………………………………………………………………………………
Automated: Automated controls are those that are carried out automatically by the system. Referential integrity is an automated … ……………………………………………………………………………..
Hybrid: Hybrid controls have both automated and manual features. In our process, we have …………………………………………….
Control Metrics: Metrics are used to measure a control’s effectiveness in accomplishing its intended purpose.
Lagging: Lag metrics measure the actual results achieved by implementing internal controls and focus on numbers before and after the implementation of controls. A lag metric to assess the effectiveness of the referential integrity control would be to use a set of carefully chosen test data to check whether the system allows entry of fraudulent invoices. If the system allows even a single fraudulent invoice entry, we need to take corrective action immediately.
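The referential integrity control described in the narratives and the lag metric described just above can be shown together. The following is an added example, not code from the project document: it builds an in-memory SQLite database in which the Invoices table references the Vendors table (assumed here to be the approved-vendor master list), then runs a constructed set of legitimate and fraudulent test invoices against it and reports how many fraudulent ones got through. Table and column names are assumptions. One caveat the example makes visible: SQLite does not enforce foreign keys unless `PRAGMA foreign_keys = ON` is set on the connection, so the same schema with enforcement off lets every fraudulent invoice in, and the metric catches that.

```python
"""Referential integrity between Vendors and Invoices, plus the lag-metric
test from the text. Added example with constructed data; the schema and
names are assumptions, not the document's actual AP system."""
import sqlite3

# Assumption: the vendors table holds only approved vendors.
SCHEMA = """
CREATE TABLE vendors (
    vendor_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL
);
CREATE TABLE invoices (
    invoice_no TEXT PRIMARY KEY,
    vendor_id  INTEGER NOT NULL REFERENCES vendors(vendor_id),
    amount     REAL NOT NULL CHECK (amount > 0)
);
"""

# Constructed approved-vendor master data.
APPROVED_VENDORS = [(1, "Acme Supplies"), (2, "Northwind Paper")]

# Constructed test set: (invoice_no, vendor_id, amount, legitimate).
# Vendors 99 and 7 are not in the master list, so those invoices are fraudulent.
TEST_INVOICES = [
    ("INV-1001", 1, 250.00, True),
    ("INV-1002", 2, 80.50, True),
    ("INV-1003", 99, 9999.00, False),
    ("INV-1004", 7, 120.00, False),
]


def open_db(enforce_fk: bool = True) -> sqlite3.Connection:
    """Create the schema; the pragma decides whether the control is live."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendors VALUES (?, ?)", APPROVED_VENDORS)
    conn.commit()
    return conn


def enter_invoice(conn, invoice_no, vendor_id, amount) -> bool:
    """Try to store an invoice; True if the system accepted it, False if it
    was rejected by a constraint (the preventive control firing)."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO invoices (invoice_no, vendor_id, amount) VALUES (?, ?, ?)",
                (invoice_no, vendor_id, amount),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def lag_metric(conn) -> dict:
    """Run the test invoices and report the result. An empty
    'accepted_fraudulent' list is the only acceptable outcome."""
    accepted_legit = 0
    accepted_fraud = []
    for invoice_no, vendor_id, amount, legitimate in TEST_INVOICES:
        accepted = enter_invoice(conn, invoice_no, vendor_id, amount)
        if accepted and legitimate:
            accepted_legit += 1
        elif accepted and not legitimate:
            accepted_fraud.append(invoice_no)
    return {"accepted_legitimate": accepted_legit, "accepted_fraudulent": accepted_fraud}


if __name__ == "__main__":
    print("control on :", lag_metric(open_db(enforce_fk=True)))
    print("control off:", lag_metric(open_db(enforce_fk=False)))
```

With enforcement on, both legitimate invoices are stored and both fraudulent ones are rejected; with enforcement off, the fraudulent invoice numbers appear in the result, which under the text's rule means immediate corrective action.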
Leading: Lead metrics measure the effort applied to implement controls and focus on executing best practices/processes and strict implementation of policies. Our organization follows a strict policy of not storing passwords on any kind of paper document. A lead metric that could be used to ensure the optimal execution of the password policy would be having a member of management randomly check employee workstations to confirm that no one has passwords written down on sticky notes ………………………………………………………………….
Compensating Control: These are controls that make up for a control we would like to use but cannot, because it is too costly or too difficult to implement. Ideally, we would like ……………………………………………………………………………………………………