INTERNAL CONTROLS - Section 3 Example of Documentation: Flowchart
INTERNAL CONTROLS – Section 3 Example of Documentation
FLOWCHART
PROCESS NARRATIVE
1. Procurement
a. Requisitioning
i. When employees need to buy goods or services, they will create a purchase requisition in the procurement application (Control C1).
Once the requisition has been created, the buyer will review the purchase requisition for its appropriateness, completeness, and
accuracy. Components of the purchase requisition that are reviewed include, but are not limited to, the vendor, item, quantity, and
account coding. If the review does not reveal any errors, the buyer will approve the purchase requisition. If the buyer rejects the
purchase requisition for any reason, the requisitioner will be notified. Finally, if issues with the original requisition are resolved as
required, the buyer will approve the requisition.
ii. All purchase requisitions are reviewed on a monthly basis to detect any unauthorized requisitions as well as any excessive order
quantities (Controls C2 and C3).
b. Purchase Order Processing
i. Once the purchase requisition has been approved by the buyer, he or she will create a purchase order referencing the requisition in
the procurement application (Control C4). The buyer will then forward a copy of the purchase order to the supplier.
ii. All purchase orders are reviewed on a monthly basis to detect any unauthorized purchase orders as well as any excessive order
quantities (Controls C5 and C6).
2. Receiving
a. All goods are received at the shipping and receiving dock. A warehouse employee will review the packing slip, make note of the purchase
order number, and count the items that are physically received. The warehouse employee then logs onto the procurement application and
enters the number of items received against the appropriate line item number on the purchase order.
b. The appropriate member of the accounting department reviews and reconciles the inventory general ledger account on a monthly basis to
determine the goods that have been received, but not invoiced by the vendor (Control C7).
c. The appropriate buyer from the purchasing department reviews all unmatched purchase order reports on a monthly basis (Control C8).
3. Accounts Payable
a. The accounts payable department receives invoices from the various suppliers on a daily basis. These invoices are sorted and assigned to
each accounts payable clerk, based on the vendor's name. Each clerk is required to stamp each invoice with the date it was received by the
accounts payable department. Each accounts payable clerk then matches the invoice quantities and prices to the purchase order and
receiver and enters the invoice in the accounts payable application (Controls C9 and C14).
b. The accounts payable application automatically generates requests for payments based on the vendor payment terms, and an accounts
payable check run is processed every Wednesday (Controls C10, C12, and C13).
c. At month‐end, the accounts payable manager compares the accounts payable system's sub‐ledger total to the general ledger control total.
Any differences noted are then corrected (Control C11).
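The match described in step 3a, which Control C14 has the AP application perform, sketched as an added example that is not part of the source document. The record layouts, field names, the exact-match rule (no price or quantity tolerance) and the sample data are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Record layouts and field names are assumptions made for this example.
@dataclass(frozen=True)
class POLine:
    po_number: str
    line: int
    quantity: int
    unit_price: Decimal

@dataclass(frozen=True)
class Receipt:  # the "receiver" entered at the dock (step 2a)
    po_number: str
    line: int
    quantity_received: int

@dataclass(frozen=True)
class InvoiceLine:
    invoice_number: str
    po_number: Optional[str]  # None models a non-purchase-order invoice (C9)
    line: int
    quantity: int
    unit_price: Decimal

def three_way_match(invoice, po_lines, receipts):
    """Return match exceptions; an empty list means the line can be entered."""
    if invoice.po_number is None:
        return ["no purchase order reference"]
    key = (invoice.po_number, invoice.line)
    po = next((p for p in po_lines if (p.po_number, p.line) == key), None)
    if po is None:
        return ["purchase order line not found"]
    # Partial deliveries: several receipts may exist for one PO line.
    received = sum(r.quantity_received for r in receipts
                   if (r.po_number, r.line) == key)
    problems = []
    if received == 0:
        problems.append("no goods receipt")
    elif invoice.quantity > received:
        problems.append("invoiced quantity exceeds quantity received")
    if invoice.quantity > po.quantity:
        problems.append("invoiced quantity exceeds quantity ordered")
    if invoice.unit_price != po.unit_price:
        problems.append("unit price differs from purchase order")
    return problems

# Constructed sample data: one PO line delivered in two partial shipments.
PO_LINES = [POLine("PO-1001", 1, 100, Decimal("4.50"))]
RECEIPTS = [Receipt("PO-1001", 1, 60), Receipt("PO-1001", 1, 30)]
```

The sketch checks one invoice line in isolation; it does not track earlier invoices already entered against the same purchase order line.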
RISK AND CONTROL MATRIX: Procure To Pay
Column groups: Business Process & Control Objectives; Risks; Control Activities; COSO Components; Control Attributes; Control Classification
Column labels: Number, Control Objectives, Risks, Impact / Likelihood, Control Activities, CE, RA, CA, I/C, M, K (Y/N), Man/Aut, Pre/Det, Frequency, Real, Recorded, Valued, Timely, Classified, Posted
Major: Procurement
Sub: Purchase Requisition Processing
Activity: Create
C1
  Control objective: Controls provide reasonable assurance that purchase requisitions are created by authorized personnel completely and accurately.
  Risk: Due to the lack of appropriate segregation of duties, a user is able to create, approve (i.e., release), assign, and convert a purchase requisition, resulting in the inappropriate rewarding of business to suppliers, overpayments, and excessive inventory levels.
  Impact / Likelihood: H
  Control activity: Controls are such that access is granted only to those individuals with a business purpose for creating purchase requisitions.
  Man/Aut: A; Pre/Det: P; Frequency: Always
  X marks: X before Man/Aut; X X X X X after Pre/Det
C2
  Control objective: Controls provide reasonable assurance that purchase requisitions are created by authorized personnel completely and accurately.
  Risk: Due to the lack of appropriate segregation of duties, a user is able to create, approve (i.e., release), assign, and convert a purchase requisition, resulting in the inappropriate rewarding of business to suppliers, overpayments, and excessive inventory levels.
  Impact / Likelihood: H
  Control activity: Purchase requisitions are reviewed on a monthly basis to detect any unauthorized purchase requisitions.
  Man/Aut: M; Pre/Det: D; Frequency: Monthly
  X marks: X X X before Man/Aut; X X X X X after Pre/Det
C1
  Control objective: Controls provide reasonable assurance that purchase requisitions are created by authorized personnel completely and accurately.
  Risk: Unauthorized or excessive purchase requisition quantities could lead to unfavorable prices, excessive inventory, and unnecessary product returns.
  Impact / Likelihood: M
  Control activity: Controls are such that access is granted only to those individuals with a business purpose for creating purchase requisitions.
  Man/Aut: A; Pre/Det: P; Frequency: Always
  X marks: X before Man/Aut; X X X X X after Pre/Det
C3
  Control objective: Controls provide reasonable assurance that purchase requisitions are created by authorized personnel completely and accurately.
  Risk: Unauthorized or excessive purchase requisition quantities could lead to unfavorable prices, excessive inventory, and unnecessary product returns.
  Impact / Likelihood: M
  Control activity: Purchase requisitions are reviewed on a monthly basis to detect any excessive order quantities.
  Man/Aut: M; Pre/Det: D; Frequency: Monthly
  X marks: X X X before Man/Aut; X X X X after Pre/Det
Major: Procurement
Sub: Purchase Order Processing
Activity: Create
C4
  Control objective: Controls provide reasonable assurance that purchase orders are created by authorized personnel completely and accurately.
  Risk: Due to the lack of appropriate segregation of duties, a user is able to create, approve (i.e., release), assign, and convert a purchase requisition, resulting in the inappropriate rewarding of business to suppliers, overpayments, and excessive inventory levels.
  Impact / Likelihood: H
  Control activity: Controls are such that access is granted only to those individuals with a business purpose for creating purchase orders.
  Man/Aut: A; Pre/Det: P; Frequency: Always
  X marks: X before Man/Aut; X X X X X after Pre/Det
C5
  Control objective: Controls provide reasonable assurance that purchase orders are created by authorized personnel completely and accurately.
  Risk: Due to the lack of appropriate segregation of duties, a user is able to create, approve (i.e., release), assign, and convert a purchase requisition, resulting in the inappropriate rewarding of business to suppliers, overpayments, and excessive inventory levels.
  Impact / Likelihood: H
  Control activity: Purchase orders are reviewed on a monthly basis to detect any unauthorized purchase orders.
  Man/Aut: M; Pre/Det: D; Frequency: Monthly
  X marks: X X X before Man/Aut; X X X X X after Pre/Det
C6
  Control objective: Controls provide reasonable assurance that purchase orders are created by authorized personnel completely and accurately.
  Risk: Unauthorized or excessive purchase requisition quantities could lead to unfavorable prices, excessive inventory, and unnecessary product returns.
  Impact / Likelihood: M
  Control activity: Purchase orders are reviewed on a monthly basis to detect any excessive order quantities.
  Man/Aut: M; Pre/Det: D; Frequency: Monthly
  X marks: X X X before Man/Aut; X X X X X after Pre/Det
Major: Receiving
Sub: Good Receipt Processing
Activity: Create
C7
  Control objective: Controls provide reasonable assurance that goods receipts are processed by authorized personnel completely, accurately, and in a timely manner.
  Risk: Associating a goods receipt with an incorrect purchase order or incorrect line item could result in the inaccurate valuing of inventory and the goods received/not invoiced account, thereby causing delays in invoice and payment processing.
  Impact / Likelihood: H
  Control activity: The goods received/not invoiced account is reconciled on a monthly basis.
  Man/Aut: M; Pre/Det: D; Frequency: Monthly
  X marks: X X X before Man/Aut; X X X X X after Pre/Det
C8
  Control objective: Controls provide reasonable assurance that goods receipts are processed by authorized personnel completely, accurately, and in a timely manner.
  Risk: Goods receipts are not recorded appropriately.
  Impact / Likelihood: M
  Control activity: Unmatched purchase order reports are reviewed on a monthly basis.
  Man/Aut: M; Pre/Det: D; Frequency: Monthly
  X marks: X X X before Man/Aut; X X X X after Pre/Det
Major: Accounts Payable
Sub: Invoice Processing
Activity: Create
C9
  Control objective: Controls provide reasonable assurance that vendor invoices are created by authorized personnel completely, accurately, and in a timely manner.
  Risk: An invoice that should be paid by matching it to a purchase order is paid without a reference to a purchase order, which could result in an unacceptable payment for material or services (i.e., unacceptable and unfavorable price variations).
  Impact / Likelihood: M
  Control activity: Application security is such that access to the non‐purchase order invoice entry transaction is limited as much as possible.
  Man/Aut: A; Pre/Det: P; Frequency: Always
  X marks: X before Man/Aut; X X X X X after Pre/Det
C10
  Control objective: Controls provide reasonable assurance that vendor invoices are created by authorized personnel completely, accurately, and in a timely manner.
  Risk: Incorrect invoice amounts are entered, resulting in incorrect payments to vendors.
  Impact / Likelihood: H
  Control activity: Checks are matched to supporting documents (invoice, check requests, or expense reimbursements) based on a dollar threshold.
  Man/Aut: M; Pre/Det: P; Frequency: As Required
  X marks: X X before Man/Aut; X X X X after Pre/Det
C11
  Control objective: Controls provide reasonable assurance that vendor invoices are created by authorized personnel completely, accurately, and in a timely manner.
  Risk: AP invoice sub‐ledger postings are not posted to the GL.
  Impact / Likelihood: L
  Control activity: The AP sub‐ledger total is compared to the GL balance at the end of the month via an aging report. Any differences noted are corrected.
  Man/Aut: M; Pre/Det: D; Frequency: Monthly
  X marks: X X X before Man/Aut; X X X X after Pre/Det
Major: Accounts Payable
Sub: Process Payments
Activity: Create
C12
  Control objective: Controls provide reasonable assurance that vendor payments are processed by authorized personnel completely and accurately.
  Risk: Disbursements recorded differ from amounts paid.
  Impact / Likelihood: L
  Control activity: The AP application automatically writes checks or electronic payments based on the value of approved invoices according to vendor payment and system terms.
  Man/Aut: A; Pre/Det: P; Frequency: Always
  X marks: X before Man/Aut; X X X X X X after Pre/Det
C13
  Control objective: Controls provide reasonable assurance that vendor payments are processed by authorized personnel completely and accurately.
  Risk: Disbursements made are not recorded.
  Impact / Likelihood: H
  Control activity: Access is restricted to authorized personnel to create checks.
  Man/Aut: A; Pre/Det: P; Frequency: Always
  X marks: X before Man/Aut; X X X X after Pre/Det
C14
  Control objective: Controls provide reasonable assurance that vendor payments are processed by authorized personnel completely and accurately.
  Risk: Fictitious disbursements are recorded.
  Impact / Likelihood: M
  Control activity: The AP application performs a three‐way match between the purchase order line item, the receiver, and the invoice when AP invoices are processed.
  Man/Aut: A; Pre/Det: P; Frequency: Always
  X marks: X X before Man/Aut; X X X after Pre/Det
List of acronyms used in the chart:
COSO Components
1. CE: control environment
2. RA: risk assessment
3. CA: control activities
4. I/C: information and communication
5. M: monitoring
Control Attributes
6. K: key control
7. Man/Aut: manual or automatic
8. Pre/Det: prevent or detect
Source ‐ Auditing Application Controls ‐ Christine Bellino, Jefferson Wells & Steve Hunt; Enterprise Controls Consulting LP