S Ox Inventory Management Risks and Controls
REFERENCE
OBJECTIVE
OBJECTIVE
CATEGORY
Unit:
Subject: Sarbanes-Oxley Act Review - Inventory Management
Title: Risk & Control Identification
Year end:
POTENTIAL RISK
CONTROL OWNER
(Name)
Objective: Raw materials are checked for quantity and quality before being accepted.
O,F,C INV102
Potential risk: Raw materials received are not subject to an inspection for quality / quantity. Criteria are not clearly established for inspecting received goods and services. No policy is established for inspecting receipts in proportion to their importance and value. Only the vendor's delivery note (and not the physical goods) is matched to the Purchase Order. Inspection results are not recorded to be available for the vendor evaluation process.
Vendors do not deliver the expected quantity or
materials. Goods receipt discrepancies are not
addressed. Company policy regarding the handling of
under/over deliveries is not followed. Tolerances for
under/over deliveries are set to inappropriate values.
Raw materials are accepted without authorised
documentation (e.g. COAs - Certificate Of Analysis).
Defective raw materials received from suppliers are logged. The log is
monitored to ensure that the defective goods are returned promptly
and that the credit (AP) is received timely. Rejected raw materials are
adequately segregated from other raw materials and are not used.
Rejected raw materials are regularly monitored to ensure timely return
to suppliers. A security check to either an authorised return form or a
delivery note is performed on all goods leaving the premises.
335046805.xls 10/28/2016
Page 1 of 21
Objective: Only raw materials received are recorded. (validity)
O, F INV104
Potential risk: Fictitious receipts of raw materials may be recorded. Invalid materials may be recorded. Payments may be made for fictitious goods.
SAP edits and validates input GRN data on-line. The values that are
allowed, for example, for a material master, are known to the system.
Upon entry in the field SAP automatically checks the value entered
against the values available in the configuration tables. Most goods
receipts are created with reference to a Purchase Order.
O, F INV108
Potential risk: All raw materials received are not recorded in the period in which they have been received. Goods receipts are not entered immediately into the system, particularly on period-end dates.
Control: Documentation in respect of goods received at, before, or after the end of an accounting period is scrutinised and/or reconciled to ensure complete and consistent recording in the appropriate period.
O, F INV109
Potential risk: Raw materials are received by unauthorised personnel. Received goods are not physically secured to protect them from theft. Personnel are not required to acknowledge receipt of goods.
Control: Goods are delivered only to designated, physically secure locations within a warehouse or storage building and are accepted only by authorised personnel (stores personnel).
Objective: Raw materials are delivered to the correct location.
O, F INV110
Potential risk: Raw materials are delivered to the incorrect location.
Control: Purchase Order forms are pre-printed with the receiving location and instruct vendors to deliver only to that location. Security accompanies vendors which deliver toxic, chemicals and other environmentally sensitive material to the correct location.
Objective: Expected and overdue orders for raw materials are monitored.
O, F INV111
Potential risk: No monitoring of expected or overdue goods receipts. Vendors do not deliver on time. No action is taken for late deliveries.
O, C INV302
Potential risk: Unauthorised access to raw materials inventory misappropriation of raw materials inventory.
INV305
Potential risk: Receiving and despatch of raw materials take place out of the same entrance. Lack of segregation of duties.
Control: Physical storage areas for goods issued and goods received should be segregated. Different personnel are responsible for receiving and/or issuing raw materials.
O,F INV312
Potential risk: Raw materials inventory may expire - exceed the shelf life - or become obsolete.
O
The item master record should contain a field to identify the material
as hazardous. Appropriate procedures for handling and storing
hazardous materials should be maintained. There should be proper
follow up on reported safety concerns. Relevant policies should be
maintained which are consistent with Occupational Safety and Health
Administration and other pertinent laws and regulations approved by
technical and legal personnel. Compliance should be monitored.
INV316
Potential risk: Obsolete and slow moving raw materials items have not been identified.
Control: The usability of raw materials is assessed regularly including a review during physical inventory counts. Inventory ageing reports are prepared and analysed regularly.
All raw material master entries must be reviewed against the existing
material master before entry into SAP to ensure there is no
unnecessary duplication of materials in the material master. Standard
naming conventions are used to reduce the possibility of duplicate
material names. The Material List (RMMVRZ00) report is generated
and reviewed at least quarterly or as needed for duplicate materials.
This lists materials by number, type, group, and user who created the
material. Duplicate materials will be investigated and deleted from the
material master record if they are not held in inventory, used in a
BOM, or purchase requisition or Purchase Order.
INV405
Potential risk: Not all valid changes to the raw materials master data are input and processed. Not all materials are included in the material master.
The field status group defines for a particular material type which
fields are mandatory.
Requests to change raw material master file data are logged. The log
is reviewed to ensure that all request changes are processed
timeously.
O,F INV503
Potential risk: Damaged or low quality goods received are not properly identified and handled. Defective engineering stores items are not returned to the supplier and are accepted into stock. Accounts payable is not notified of goods returned to vendor, and the invoice is paid. Return deliveries are not entered promptly into the system in order to reverse the goods receipt updates. No process is established to ensure the vendor issues credit memos when appropriate.
O,F INV505
Potential risk: Engineering stores receipts are not recorded accurately. Incorrect goods receipt information is entered.
Control: Capturing of receipts directly into SAP: Mandatory fields, Tolerance levels, Visual checks by operator e.g. key in material number and description appears on the screen, Limit/reasonableness checks on quantities (e.g. no negative amounts). SAP edits and validates input GRN data on-line. Most goods receipts are created with reference to a Purchase Order. SAP then copies information from Purchase Order into GRNs per configuration. The SAP material movement automatically creates both a material (for quantity) and accounting (for value) document. The transactions update these items: Purchase Order history, stock overview, MRP (planning file), general ledger accounts.
SAP edits and validates input GRN data on-line. The values that are
allowed, for example, for a material master, are known to the system.
Upon entry in the field SAP automatically checks the value entered
against the values available in the configuration tables. Most goods
receipts are created with reference to a Purchase Order.
Objective: Receipts of engineering stores items are recorded timeously and in the correct period. (proper period) Perpetual inventory records are updated as of the date the goods are received.
O,F INV508
Potential risk: All engineering stores items received are not recorded in the period in which they have been received. Goods movements are not captured on SAP (i.e. receipt of engineering stores items).
Control: Documentation in respect of goods received at, before, or after the end of an accounting period is scrutinised and/or reconciled to ensure complete and consistent recording in the appropriate period.
Received engineering stores items are
safeguarded. Engineering stores items are
delivered to the correct location.
O,F INV601
Potential risk: Costs are not allocated to the correct department or not allocated accurately. Incorrect costs are allocated to the works order. Repairs are not allocated to the correct sub-order or allocated to the incorrect sub-order.
Control: All costs of repairs allocated should be reviewed by management for accuracy.
INV605
Potential risk: Items sent for repair are swapped with inferior items before they are sent back to the mill. Long outstanding items are not followed up. Vendors do not return scrapped items to the mill and items are not sent to the salvage yard at the mill. Items sent for repair are not returned.
O,F INV814
Potential risk: Scrapped inventory stores items are not kept separate from other inventory.
Objective: Sufficient inventory of engineering stores is kept on hand.
O,F INV815
Potential risk: Insufficient inventory levels of engineering stores resulting in loss of production time or excess inventory or inaccurate or untimely material requirement forecast.
Control: Obsolete, excess, and damaged inventories are adequately segregated from other stores inventories and are monitored to ensure appropriate and timely disposition.
INV905
Potential risk: Not all valid changes to engineering stores master data are input and processed. Not all engineering stores are included in the material master.
Control: Requests to change engineering stores master file data are submitted on prenumbered forms, the numerical sequence of such forms is accounted for to ensure that all request changes are processed.
INV906
Potential risk: Incomplete material master data may be entered. Critical fields that must be entered are not specified as mandatory. Not all material components (general, plant, storage location, batch valuation, forecast) are established.
Control: The field status group defines for a particular material type which fields are mandatory.
PRODUCTION
Production Planning and Control
Objective: All production orders are accounted for as having been fulfilled. (completeness) Production orders are created and released on a timely basis to allow for timely meeting of commitments to customers.
INV1001
Potential risk: Work-in-progress may not be completed timeously, and as a result commitments to customers may not be met, or finished goods may be unsaleable.
Control: Production plans and their associated demand requirements are entered timely in the system which helps ensure required production lead times are met. There is an established review and approval procedure that includes the timeliness of the various cycles.
INV1002
INV1003
INV1004
O,F
O,F
INV1101
INV1102
INV1103
O,F
INV1104
INV1201
O,F
INV1202
All scrap items (broke) should be written down/off. WIP written off as
broke is reviewed by the Production Department and the
management team. Abnormal wastages and variances between
actual production versus budget are investigated.
O,F
INV1203
INV1204
INV1205
O,F
INV1301
O,F
INV1302
O,F
INV1303
O,F
INV1304
O,F
INV1305
O,F
INV1306
Requests to change BOM master file data are logged. The log is
reviewed to ensure that all request changes are processed timeously.
O,F
INV1307
O,F
INV1401
Paper Converters
Inventory transfers to / from paper converters
("subcontractors") are complete, accurate and
valid to ensure material transaction integrity and
that stock is properly tracked and safeguarded.
INV1501
O,F
INV1502
Potential risk: Finished goods inventory receipts from production may not be recorded: Not all transfers of complete units of production to finished goods are recorded. Goods movements are not captured in SAP (i.e. movements to and from production).
Control: Finished goods sent to the warehouse are logged; the log is used to ensure that all finished goods are recorded in the inventory records.
O,F
INV1503
Potential risk: Finished goods inventory receipts from production may be inaccurately processed.
Control: Goods received input data is edited and validated; identified errors are corrected promptly.
O,F
INV1504
Proper reports should exist for all transfers; from raw materials to
production, production to work in progress, work in progress to
finished goods and finished goods to stores. These reports should be
reconciled to actual goods transferred.
INV1505
O,F
INV1601
O,F
INV1602
INV1603
O,F
INV1604
Potential risk: Returned goods are not recorded in the period they are received back.
Control: On a daily basis, the Sales Accountants create return orders using appropriate data for approved returns (per CSRs).
INV1605
O,F
INV1606
O,F
INV1607
Potential risk: Critical information for returns or return deliveries is not specified as mandatory. Audit trail is lost. Returned goods are not tracked adequately, leading to a loss of control over the goods.
Control: SAP standard functionality automatically creates an audit trail of all return order creation (Credit memo request) and maintenance. Appropriate validations are defined for critical fields.
INV1701
The delivery due list is printed and reviewed on a daily basis. SAP
reports of open sales documents are prepared and monitored to
ensure timely shipment. Deliveries not able to be fulfilled are
communicated to the relevant Sales Office.
O,F
INV1702
O,F
INV1703
O,F
INV1704
Potential risk: Incorrect picked quantities are entered into the system. Picking lists may not match the delivery documents. Incorrect goods may be despatched.
Control: Finished goods are drawn for delivery against appropriate source documents - picking slip. Bar code scanners are used to input actual inventory picking and storage locations and quantities; differences from picking and storage instructions are investigated.
O,F
INV1705
Potential risk: Verification of completed picking lists to physical goods picked is not performed.
Control: Before goods are shipped, the details of the picking list are compared to actual goods prepared for shipment by an individual independent of the order picking process.
O,F
INV1706
Potential risk: Deleted and cancelled deliveries are neither logged nor reviewed. A delivery may be prepared even though the sales order was cancelled by the customer.
Control: Despatch personnel use real-time picking lists / delivery due lists when preparing product for deliveries. SAP will not generate a delivery note (needed as authority to leave warehouse) if sales order is cancelled by order flow personnel.
O,F
INV1707
O,F
INV1708
O,F
O,F
INV1709
INV1710
O,F
INV1711
O,F
INV1712
O,F
INV1713
Goods shipped at, before, or after the end of an accounting period are
scrutinised and/or reconciled to ensure complete and consistent
recording in the appropriate accounting period including the raising
and recording of the related invoice.
O,F
INV1714
INV1715
O,F
INV1716
INV1717
INV1801
O,F
INV1802
Potential risk: Recorded Cost of Sales may be inaccurately calculated.
Control: SAP account assignment configuration ensures that amounts for shipped goods are posted to the appropriate Cost of Goods Sold account.
INV1803
INV1804
INV1901
O,F
INV1902
O,F
INV1903
O,F
INV1904
O,F
INV1905
O,F
INV1906
INV1907
INV1908
INV1909
O,F
INV1910
INV1911
O,F
INV1912
INV1913
INV1914
Potential risk: Unauthorised access to inventory. Finished goods may be stolen, lost, damaged, or temporarily diverted.
Control: Access should be restricted to authorised personnel only. Physical security arrangements (fencing and gate security) should exist. Periodic stock counts should be regularly performed. Bar codes: The shipping label and bar code contain all relevant information. There is a coding structure in place which ensures identification and traceability of finished product.
INV2001
INV2002
INV2003
INV2004
INV2005
Potential risk: Not all valid changes to the finished goods master data are input and processed. Not all materials are included in the material master.
Control: Requests to change finished goods master file data are submitted on prenumbered forms, the numerical sequence of such forms is accounted for to ensure that all request changes are processed.
INV2006
The field status group defines for a particular material type which
fields are mandatory.
INV2008
INV2009
INV2007
Requests to change finished goods master file data are logged. The
log is reviewed to ensure that all request changes are processed
timeously.
INV2101
Security should ensure that all commercial vehicles, trucks & wagons
entering and exiting the mill go via the weighbridge, generating an In /
Out transaction in the weighbridge system file. The weighbridge
should be situated at the entrance/exit to the Mill. There should be no
by-pass lane into/out of the mill. If there is a by-pass lane, security
should monitor the use of the by-pass lane at the weighbridge.
INV2102
INV2103
The mass of the product (Vehicle Out mass less Vehicle In mass) is
automatically compared against the mass on the document
accompanying the product leaving the Mill. No vehicle outside a preset tolerance will be permitted to exit the Mill. Any variance outside
the tolerance should be reported to a Security Superintendent and
followed up by Security. Reasons therefore should be written onto the
weighbridge ticket / OB (Occurrence Book) entry system (also signed
by the investigating parties). Policies and procedures should exist
stipulating the prescribed tolerance levels and investigating
procedures.
INV2104
Security should verify the nature of product being removed against the
description on the accompanying documentation (delivery note, etc),
and should sign the documentation as verification thereof.
INV2105
INV2106
Security should search trucks & trains (both the horse, trailer &
wagon) and all other vehicles on entry and exit for unauthorised
goods, fire arms, cameras etc. Goods leaving the premises should be
supported by the authorised relevant documentation.
INV2107
Potential risk: Weighbridge masses and other data can be overwritten.
Control: The weighbridge system should be set up in such a way that it can not be overridden by unauthorised staff. There must be a register or log book to record any "overrides" that should be reconciled (by a senior person) to the changes made.
INV2108
O,C
INV2109
Potential risk: Weighbridge not calibrated by independent contractor on a regular basis resulting in inter alia contravention of government regulations.
Control: Policies and procedures should exist stipulating the weighbridge calibration intervals and the regulatory requirements (i.e. calibrations to be done every two years).
INV2110
Potential risk: Inadequate control when weighbridge fails. i.e. when the computer system or weighbridge scale equipment is down (manual tickets).
Control: During a weighbridge failure, only urgent deliveries should be made. There should be adequate manual documentation completed when the computer or weighbridge system is down. The mass that is calculated manually should be checked by a senior person for correctness before entry or exit. A register should be established and maintained to record all "off-line" transactions.
INV2111
Potential risk: Weighbridge movements during system failures are not recorded.
Control: All manual transactions should be captured into the weighbridge system as soon as the system is "up & running". A senior official should agree the information captured to the manual transactions to ensure accuracy and completeness of captured information.
INV2112
INV2201
INV2202
INV2203
INV2204
SEGREGATION OF DUTIES
INV2301
INV2302
INV2303
INV2304
INV2305
O,F
INV2306
Potential risk: Authority is inappropriately assigned for the steps and functions in the shipping process (e.g. create deliveries, produce picking list, confirm deliveries, enter picking information, post goods issue transactions).
Control: SAP restricts to authorised personnel the ability to create, change, or delete picking lists, delivery notes, and goods issues.
INV2401
Lack of procedures.
INV2402
INV2403
INV2404
INV2405
INV2406
INV2407
INV2408
INV2409
GENERAL
O
O