Thursday, August 1, 2013

COSO Framework on Enterprise Risk Management


COSO has published a comprehensive ERM Framework that provides general guidance on implementing ERM practices in any type of organization. It consists of eight components and four objectives. Implemented effectively, these eight components and four objectives together lead to a good level of ERM practice in an organization and support the achievement of its objectives.

The eight components are:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring

The four objectives are:
- Strategic: high level goals, aligned with and supporting the organization's mission
- Operations: effective and efficient use of resources
- Financial Reporting: reliability of operational and financial reporting
- Compliance: compliance with applicable laws and regulations


Fig: The COSO ERM Cube


Video: COSO ERM Cube explained (Source: YouTube)

Elements of internal control

The success of an organization depends on the successful implementation of internal controls that mitigate risks and ensure the achievement of business objectives. Internal controls are activities and arrangements set up by an organization to ensure efficiency in operations, accuracy of financial and operational reporting, safeguarding of assets, and compliance with laws, policies and contracts. In my view, the following are the key elements of internal controls:

1. Segregation of duties
Dividing an operation into a series of sub-operations undertaken by different people allows internal checks to take place. Such a control reduces the chance of an error or irregularity occurring, but it does not eliminate the risk; the added element of checking reduces the risk of both intentional manipulation and error. Functions that need to be separated include authorization, execution, custody, recording and reporting, and, in a computer-based accounting system, system development and daily operations.
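The duty pairs named above can be checked mechanically against a list of user-role assignments. The script below is an added illustration, not code from the original post: the role names, the mapping from roles to duties, the conflict matrix and the user list are all constructed assumptions, and a real review would load them from the system's role and user exports.

```python
"""Segregation-of-duties conflict check over user-role assignments.

Added example, not from the original post. The role names, the role-to-duty
mapping, the conflict matrix and the user list are constructed for illustration.
"""
from itertools import combinations

# Duties named in the text; each role is assumed to grant exactly one duty.
ROLE_DUTY = {
    "PO_APPROVER": "authorization",
    "PO_CREATOR": "execution",
    "STORES_KEEPER": "custody",
    "AP_CLERK": "recording",
    "FIN_REPORTING": "reporting",
    "ABAP_DEVELOPER": "system_development",
    "BASIS_OPERATOR": "daily_operations",
}

# Pairs of duties that should not sit with one person (constructed matrix).
CONFLICTS = {
    frozenset({"authorization", "execution"}),
    frozenset({"custody", "recording"}),
    frozenset({"execution", "recording"}),
    frozenset({"system_development", "daily_operations"}),
}

# Constructed user-role assignments, as they would come from a role export.
USERS = {
    "alice": {"PO_CREATOR", "PO_APPROVER"},
    "bob": {"STORES_KEEPER"},
    "carol": {"AP_CLERK", "FIN_REPORTING"},
    "dave": {"ABAP_DEVELOPER", "BASIS_OPERATOR"},
}


def sod_conflicts(users, role_duty=ROLE_DUTY, conflicts=CONFLICTS):
    """Return {user: [conflicting duty pairs]} for every user holding a toxic combination.

    Roles not present in role_duty are ignored, so unknown roles never hide a conflict
    but also never create one; list them separately when reviewing the export.
    """
    findings = {}
    for user, roles in users.items():
        duties = {role_duty[r] for r in roles if r in role_duty}
        hits = sorted(
            tuple(sorted(pair))
            for pair in combinations(sorted(duties), 2)
            if frozenset(pair) in conflicts
        )
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, pairs in sod_conflicts(USERS).items():
        print(f"{user}: {', '.join(' + '.join(p) for p in pairs)}")
```

A conflict that cannot be removed (a small finance team, for instance) is recorded as a compensating-control requirement: the output list is exactly the set of users whose work needs the increased checking the paragraph describes.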

2. Structure of the organization
The structure of an organization is the system of arrangements and relations between the various levels of personnel for carrying out the plans and policies that serve the objectives for which the business exists. Enterprises should have a plan of their organization that defines and allocates responsibilities and identifies lines of reporting for all aspects of the enterprise's operations, including the controls. The delegation of authority and responsibility should be clearly specified. Critical operations must be given appropriate status and communication channels within the organization. The internal auditor should check the viability of the organization structure against its business objectives.

3. Objectives and Policies
Objectives are the definite goals, purposes or accomplishments that top management lays down and aims to achieve. The functional segments of the company should comply with the policies, plans, procedures, and external laws and regulations, and the work should be performed in a coordinated manner.

Policies and procedures indicate the expected behaviour of personnel in their functions and reflect the attitude of management. The functions of different staff members should be integrated so that they are complementary and each acts as a check on the other. For instance, wage sheets should be prepared and checked by different sets of staff, and wages should be disbursed in the presence of a responsible official.

4. Authorization and approval
All transactions should require authorization or approval by an appropriate responsible person. The limits of these authorizations should be specified.

5. Personnel
There should be procedures to ensure that personnel have capabilities commensurate with their responsibilities. In fact, the proper functioning of any system depends on the competence and integrity of those operating it. The qualifications, selection and training as well as the innate personal characteristics of the personnel involved are important features to be considered in setting up any control system.

6. Management
Management is responsible for establishing, monitoring and reviewing systems of internal control. In practice, management may delegate the reviewing function to the internal auditor. It is thus the duty of the internal auditor to provide management with assurance concerning the efficiency and effectiveness of internal controls.

7. Records and Reports
Accounting and other records should be maintained accurately and adequately so as to assist management in decision making and planning for present and future events.

Reports are the medium through which information is presented to management. To be effective, reporting should be timely, tailored to its audience, and present all facts concerning problem areas, assessments, etc.

8. Accounting controls
These are controls within the recording function that check that the transactions to be recorded and processed have been authorized, that all of them are included, and that they are correctly recorded and accurately processed. Such controls include checking the arithmetical accuracy of the records, the maintenance and checking of totals, reconciliations, control accounts and trial balances, and accounting for documents.

9. Protection of assets
These are concerned mainly with the custody of assets and involve procedures and security measures designed to ensure that access to assets is limited to authorized personnel. They cover both direct access and indirect access via documentation. These controls assume particular importance for valuable, portable, exchangeable or desirable assets.

10. Supervision
Any system of internal control should include supervision by responsible officials of day-to-day transactions and their recording. Supervisory roles should be allocated to staff with the proper training and suitability for such a function.

Wednesday, July 31, 2013

Accounts Payable Auditing in SAP

Modules for Accounts Payable
There are two modules in SAP for processing payments: FI-AP and MM-AP.

The FI-AP module is generally used for payments to vendors other than those of material and services, for example payments of utility bills, payments to commission agents, payments of bank interest, etc. The FI-AP module allows an invoice to be booked against an expense without any prior conditions or processes. The supporting documents for such payments are usually the bills for the expenses. Because it involves fewer checks and controls, this mode of payment carries greater risk. Hence, it is appropriate only for payments of the nature mentioned above. No payment relating to goods or services should be made through this module.

The MM-AP module involves a three-way matching process of Vendor Invoice, Goods Receipt or Service Entry, and Purchase Order. Payment in the MM-AP module cannot be processed unless all three documents are present and match. This enables a greater level of control over payments and reduces the risk of excess payments.

It is good practice to define in each Vendor Master entry whether invoices from that vendor must be entered against a Goods Receipt (GR-based Invoice Receipt). This prevents users from paying material or service vendors through the FI-AP module.


Transaction Blocks in SAP for Accounts Payable
SAP's transaction blocks act as system controls and prevent the processing of transactions that do not meet predefined criteria. There are four types of transaction blocks in SAP:

1. Audit Block
An audit block is used within the invoice approval process. For example, SAP can be configured to place an audit block on invoices that are entered directly in the FI-AP module without a corresponding Goods Receipt or Purchase Order. The block requires such invoices to be reviewed and released by someone other than the employee who entered them, thus satisfying the typical audit requirement for a payables review by an independent employee.

2. Receiving Block
The receiving block handles system-generated discrepancies arising in MM-AP during the invoice verification process, i.e. any variance in the three-way match among the Purchase Order, Goods Receipt and Invoice triggers a receiving block.

3. Vendor Block
A vendor block is a manual flag placed on newly created vendors in the system to prevent payments to the vendor until an independent person has thoroughly reviewed the vendor record. It ensures that all newly created vendor master records are audited before any disbursement is made to the vendor.

4. Manual Block
A manual block is typically used to prevent payments while an outstanding issue in relation to that vendor, its service or its goods is being resolved. This block can be applied either during invoice entry or afterward, and it can be removed by the employee who initially blocked the transaction.

An auditor should note three kinds of risk associated with transaction blocks. First, the system may not have been configured to use transaction-block functionality at all. Second, the authorization to remove blocks may not be appropriately restricted, allowing unauthorized users to release blocked payables transactions for further processing. Finally, blocks can delay payments, which may adversely affect the company's credit ratings among vendors.
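The three-way match in the module section and the audit and receiving blocks described here can be expressed as one small rule set, which is useful when re-performing invoice verification on an extract during an audit. The script below is an added example, not SAP code or configuration: the record layouts, the block names, the 2% price tolerance, the GR-based vendor flag and the sample documents are all constructed for the illustration.

```python
"""Three-way match and transaction-block simulation for the two payables
modules (FI-AP, MM-AP) and the audit / receiving blocks described above.

Added example, not SAP code or configuration: the record layouts, block
names, tolerance and sample documents are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    unit_price: float


@dataclass
class GoodsReceipt:
    gr_id: str
    po_id: str
    qty: int


@dataclass
class Invoice:
    inv_id: str
    vendor: str
    qty: int
    unit_price: float
    created_by: str
    module: str                 # "FI-AP" (direct posting) or "MM-AP" (against PO/GR)
    po_id: Optional[str] = None
    gr_id: Optional[str] = None


# Vendor master flag (constructed): these vendors must be invoiced GR-based,
# so a direct FI-AP posting for them is a control failure in its own right.
GR_BASED_VENDORS = {"V100"}
PRICE_TOLERANCE = 0.02   # constructed 2% unit-price tolerance before a receiving block


def evaluate_invoice(inv, pos, grs):
    """Return the sorted list of blocks the invoice would carry ([] = payable).

    pos and grs are dicts keyed by po_id and gr_id respectively.
    """
    blocks = set()
    if inv.module == "FI-AP":
        # No PO/GR behind a direct posting: audit block for independent review.
        blocks.add("AUDIT")
        if inv.vendor in GR_BASED_VENDORS:
            blocks.add("WRONG_MODULE")
        return sorted(blocks)
    po = pos.get(inv.po_id)
    gr = grs.get(inv.gr_id)
    # Three-way match: invoice, GR and PO must refer to each other and to the same vendor.
    if po is None or gr is None or gr.po_id != po.po_id or po.vendor != inv.vendor:
        blocks.add("RECEIVING")
        return sorted(blocks)
    if inv.qty > gr.qty:                       # invoiced more than received
        blocks.add("RECEIVING")
    if abs(inv.unit_price - po.unit_price) > PRICE_TOLERANCE * po.unit_price:
        blocks.add("RECEIVING")                # price variance against the PO
    return sorted(blocks)


def can_release(inv, blocks, releaser):
    """An audit block must be released by someone other than the invoice creator."""
    return not ("AUDIT" in blocks and releaser == inv.created_by)


# Constructed sample documents: one PO, one partial receipt, six invoices.
POS = {"4500001": PurchaseOrder("4500001", "V100", qty=10, unit_price=50.0)}
GRS = {"5000001": GoodsReceipt("5000001", "4500001", qty=8)}
SAMPLE_INVOICES = [
    Invoice("INV1", "V100", 8, 50.0, "alice", "MM-AP", "4500001", "5000001"),   # clean
    Invoice("INV2", "V100", 10, 50.0, "alice", "MM-AP", "4500001", "5000001"),  # qty > GR
    Invoice("INV3", "V100", 8, 55.0, "alice", "MM-AP", "4500001", "5000001"),   # price variance
    Invoice("INV4", "V100", 8, 50.0, "alice", "MM-AP", "4500009", "5000001"),   # unknown PO
    Invoice("INV5", "V100", 8, 50.0, "alice", "FI-AP"),                         # GR-based vendor in FI-AP
    Invoice("INV6", "V300", 1, 120.0, "alice", "FI-AP"),                        # utility bill
]


def run_example():
    """Map each sample invoice id to the blocks it would carry."""
    return {inv.inv_id: evaluate_invoice(inv, POS, GRS) for inv in SAMPLE_INVOICES}


if __name__ == "__main__":
    for inv_id, blocks in run_example().items():
        print(inv_id, blocks or "payable")
    print("INV6 released by its creator:", can_release(SAMPLE_INVOICES[5], ["AUDIT"], "alice"))
```

Run against a real extract, the interesting rows are the ones where the script says a block should exist and the system shows none (the first of the three risks above), and the release log entries where `can_release` returns false (the second).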

Sunday, April 4, 2010

Overview of Audit Closure & Reporting

The audit report should serve the fundamental purpose of informing, persuading, & getting the desired improvements implemented.

- Inform the audience with required background, evidence, and conclusions of the issues.
- Persuade the audience on the impact of risks & concerns on the business in case adequate mitigation / control measures are not implemented.
- Obtain feedback from the management in the form of agreed corrective action plan with target dates & person responsible.

Define the objectives of your audit:

Tell your audience what the audit objectives were; these may include assurance of control effectiveness, mitigation of risks, achievement of business objectives, operational efficiency, cost effectiveness, etc.

At this point you can also highlight specific concerns raised by management for the area being audited.

Define the audit scope:

Summarize the scope of the audit & the testing plan in bullet points. List the bullets in order of process flow & criticality. It is advisable to state explicitly what the scope did not cover, so that its boundaries are clear.

Findings:

Summarize all internal audit findings along with the reasons & root causes that led to each issue. Also specify the risks arising from each finding & control weakness, & their likely impact on business operations.

Rate the findings by the criticality of the risks, such as serious / high / medium / low, & arrange the most critical findings first & the least critical last in your report. This also ensures that a reasonable amount of discussion time is devoted to critical issues.

Recommendations:

Present recommendations in sync with the business objectives of the organization audited. Also mention the corrective action plan set out by the management based on the findings & recommendations.

Follow-up:

Conduct a follow-up review based on the agreed corrective action. Report an appropriate opinion based on that review: whether the required action was carried out & what the present state of controls is.

Report significant deviations from the corrective action plan to the audit committee / other concerned authorities.

Thursday, April 23, 2009

Purchase - Fraud Scenarios

Fraud scenarios in Purchase and Accounts Payable and methods to identify them:


1. Where amendments to purchase orders are not required to be approved in the system, an unauthorized amendment can be made to a purchase order in favor of a vendor under a kick-back arrangement.
- Obtain log of amendments to purchase orders & compare with requisitions.

2. Where responsibility for preparing / amending the budget & for ensuring procurement within budget limits is assigned to the same individual, procurement in excess of budget can be concealed by unauthorized amendments to the budget.
- Check for frequent amendments to the budgets.

3. Where purchase invoices are passed without checking for the ‘goods received’ stamp affixed by stores, bills against which no material was received can be forwarded to the accounts payable team by a purchase officer under a kick-back arrangement.
- Verify vendor bills for the ‘goods received’ stamp. Compare the log of goods receipt notes with vendor bills booked in the ledger.

4. Where a system of obtaining a minimum number of quotations & preparing comparative statements is not in place, the purchase officer may award orders to vendors that charge more than others without management noticing.
- Compare procurement rates with the rates offered by other vendors or with market rates.

5. Where access to the vendor master is given to the personnel who process payments, unauthorized accounts can be created & payments made to them without authorization. These accounts can then be deleted to conceal the unauthorized transactions.
- Check the log of account creation & deletion. Also compare the log of goods receipt notes with vendor bills booked in the ledger.

6. Where rights to access the vendor master in the system are not restricted, the vendor database (including rates, terms, etc.) can be downloaded & sold to competitors.
- Check whether access to the vendor master is unrestricted.