SU6 Internal controls Flashcards

1
Q

Framework for internal controls

A
  1. Segregation of duties
    - authorization of transactions
    - executing of transactions
    - custody of assets
    - recording of transaction
  2. Use of source documents
    - Type of document
    - Number of copies
    - Who should issue/receive
    - Number sequence - internally generated documents
  3. Isolation of responsibility
    - Signature of responsible staff member on source document
  4. Physical and logical access controls
    - [Safeguarding of assets/data files]
    - [Password controls]
  5. Information processing controls/application controls
    - these are automated and programmed controls
    - [Capturing/Processing/Output]
    - [Screen aids/Edit checks]
  6. Authorization of transactions
    - Signature of responsible staff member on source document
    - [Access/transaction logs]
  7. Reconciliation
  8. Review of transactions
    - Exception reports
2
Q

Flow of purchase and payment cycle

A

1) Ordering of goods
2) Receiving of goods
3) Recording of purchase
4) Payment preparation
5) Actual payment (incl EFTs)

3
Q

EFT controls

A

Preventive:
- all EFT payments should be documented on a preprinted, sequenced EFT payment voucher
- each EFT payment should be authorised by two employees
- EFT payment vouchers should be sequence checked, and verified against supporting documentation, before being authorised. The banking details of payees receiving once-off payments should be verified independently.
- the financial manager should log onto the bank’s website and an SMS should be sent to his mobile phone, but the password to access the facility to make EFTs should not be known to him. Another senior employee should have this password and must enter it.
- the PIN and password should be strictly confidential, and the financial manager should not leave his phone lying around.
- a limit on the amount that can be transferred in 24 hours or in a single EFT payment should be set
- the terminal must shut down after three unsuccessful attempts to log onto the bank account.

Detective:
- confirmation of all EFT payments sent by the bank should be printed, matched to the EFT payment voucher and attached to it.
- a senior manager should access the list of payees on the payee file and reconcile it to an audit trail of payees added and/or removed over the preceding period
- security violations should be logged and followed up
- the cash book reconciliation should be carried out regularly, and by someone independent of the payment process.

4
Q

Other EFT controls

A

Preventive:
- strict controls over the compilation of the payments file to be transferred.
- bank software is to be loaded on the minimum number of terminals necessary to facilitate EFT payments.
- only more senior employees are to be authorised to effect an EFT
- only a limited number of employees are to be given privileges to make EFT payments.
- User IDs, PINs, passwords are to be subject to sound password controls
- two signatories principle
- Data can be encrypted

Detective:
- an audit trail of all EFT payments should be downloaded the following day and checked against the payment file
- the audit trail should be independently reviewed by a senior official and payments randomly checked against source documents
- all bank accounts should be regularly reconciled in a timely manner by an employee independent of the EFT function
