
Risk Control Matrix (Populated)

a) Purchasing Process Controls

Control #: C1
Control Name: Purchase Request Portal—Access
Control Description: Each employee is assigned a unique user name and password to the Purchase Request Portal to ensure that access and respective views within the system are restricted only to the defined user.

Control #: C2
Control Name: Purchase Request Portal—Training
Control Description: Annually, all employees must attest to receiving the latest version of the Purchase Policy.

Additionally, each year, all employees are required to pass a quiz to ensure that they are familiar with the internal purchase process, associated controls, and the functionality of the Purchase Request Portal.

Control #: C3
Control Name: Purchase Request Portal—Complete Request
Control Description: The Purchase Request Portal is automatically configured to reject incomplete purchase requests.

For incompletely populated requests, the Portal provides an error message outlining the unpopulated fields to complete before submitting the purchase request.

Control #:
Control Name: Purchase Request Portal—Table of Employee
Control Description: The Table of Employee Supervisors (within the Purchase Request Portal) assigns the purchase requestor to the appropriate direct supervisor (for purchase request review and approval).

The table is reviewed annually (by the IT Department), sometimes more frequently, and performed based on the updated version of the Organizational Chart (provided by the HR

Control #: C5
Control Name: Purchase Request Portal—Automated Emails
Control Description: Automated notices are provided to the respective requestors/reviewers (sent directly by the Purchase Request Portal) at the following stages of the purchase request process:
a) A purchase request has been submitted within the Portal.
b) A reviewer decision has been submitted within the Portal.

Emails are sent to recipients based on the Table of Employee Supervisors (within the Portal) and sent directly after the update (i.e., information is entered) in the system.

Note: Based on the walkthrough, the client contact directed some of our questions to the Internal Audit HR and IT teams. Based on those follow-ups, any additional controls identified should be added to the above listing.

b) Purchasing Process Control Weaknesses

Control Weakness #: Control Weakness 1
Finding #: Incorrect Reviewer Assignment by Purchase Request
Control Description: As noted in the detailed audit test work from Task 1, one instance was noted where someone other than the requestor's direct supervisor reviewed a purchase request.

Based on a follow-up with the client, an intra-year re-assignment of personnel was not captured promptly within the Portal and caused the previous direct supervisor of the requestor to be assigned with the purchase request review.

Control weakness noted.

Control Weakness #: Control Weakness 2
Finding #: Purchase Made Prior to Required Pre-Approval
Control Description: As noted within the detailed audit test work from Task 1, one instance was noted where a purchase was made with a vendor before pre-approval (as required by internal policy) was

Based on a follow-up with the client, the exception resulted from a high-level employee making urgent reservations.

Control weakness noted.

Control Weakness #: Control Weakness 3
Finding #: No Vendor Vetting Process
Control Description: As noted during the walkthrough of the purchasing process from Task 3, no vendor review/approval process exists.

The client could provide no additional detail on how ABC Company ensures that vendors are independent before ABC employees submit orders.

Control weakness noted.
