Vendor Master Controls / Audit Checks

Only available on StudyMode
  • Download(s) : 640
  • Published : March 27, 2012
Open Document
Text Preview
LOGO
Process Area Process Sub Area

NONAME CONSULTANTS
Accounts Payable Vendor Master File Checklist Customized? YES NO Process Ref. If “YES”, Approved by AP/01/01

Name of Client:

Assignment:

Job No:

Introduction
This checklist shall outline the controls necessary for the creation and maintenance of vendor information in a VMF in a typical ERP environment. This may be applicable for most accounting systems which we generally experience during our audits and similar assignments. The applicability of these controls generally directly depends on the magnitude of the business (size of the operations) which we are reviewing. Always consult your senior, supervisor or your assistant manager before applying all the controls detailed below to your context.

Checklist (IC)
Ref. No. 1.1 Process Creation/editing of vendors Standard Internal Controls Access to create and edit Vendor Master File (VMF) should be restricted to one officer only (preferably one in an executive level). Or the total responsibility should be given to an officer in the Corporate IT. Any type of function relating to payment processing (entry, posting and approval) should not be given to the officer who is in charge of VMF (that is to create/edit) as this can lead to financial malpractices / fraud. A defined guideline should be available to clearly direct the vendor creation process. Use of a standard naming convention to create supplier names in the vendor master record, so that this would enable identification of vendors who are already in the database (to avoid duplication). Use of a form for creating/editing vendors should be used. This should be approved by the Head of Procurement (or a similarly designated individual). Using details of supplier registration will be ideal. (This is to avoid creation of “ghost vendors”.) All forms should be filed in sequential order. Criticality (H, M, L)

Y / N

Other Compensatory Controls (if available)

Risk Rating

WP Ref.

Other Remarks Ref.

OLR*

Rev. By

H

Y

1.2

H

Y

1.3 1.4

L

Y

L

Y

1.5

M

Y

1.6

L

Y

Completed By:

Date:

10/10/2011

Reviewed By:

Date:

13/10/2011

Page 1 of 7

LOGO

NONAME CONSULTANTS
Y / N Other Remarks Ref.

Ref. No. 2.1

Process VMF review and maintenance

Standard Internal Controls Existence of a weekly/monthly review of changes to VMF data by a higher officer (this should be the Finance Manager and/or the Procurement Manager) The changes should be derived using a report generated through the IS. All manual intervention should be traceable. It should be adequately signed off by the reviewer. Records should be filed. There should be a policy in place to identify and communicate duplicate vendors. Deactivation / activation should be done by the IT Department only on written request for which copies should be maintained by both the department. There should be a mechanism whereby the Head of Procurement (or equivalent) shall communicate any blacklisting of vendors, whereby he/she intends to stop transactions indefinitely/definitely, to the officer who is involved in maintaining VMF. Such blacklisted vendors should be immediately deactivated in the system. Records should be maintained in a traceable manner.

Criticality (H, M, L)

Other Compensatory Controls (if available)

Risk Rating

WP Ref.

OLR*

Rev. By

L

Y

2.2 2.3 2.4

L L

Y Y

M

Y

2.5

M

Y

*Observation Library Reference

Completed By:

Date:

10/10/2011

Reviewed By:

Date:

13/10/2011

Page 2 of 7

LOGO

NONAME CONSULTANTS

Salient Audit Checks (SAC)
Standard
No. Work to be done
Check whether any officer who is involved in payment processing has access rights to create/edit vendors. Check this through an Access Control Matrix. Request this from the IT (preferably signed by the Head of IT). Remember that even the CFO should not have access to create/edit vendor as long as he...
tracking img