Customer credit evaluations
-
Are controls surrounding evaluation and approval of a customer’s credit risk, establishment of credit limits and releasing credit holds within the scope of SOX or are they just a business process that does not need to be documented? Is it sufficient to just have adequate controls over bad debt reserves?
My practice had been to document controls in this area related to segregation of duties, audit trail for credit limit changes, management review of credit hold releases, etc. as key controls in the sales and accounts receivable process.
Appreciate any thoughts anyone has on this.
-
Management Assertions and Revenue Cycle Objectives:
Existence / Occurrence
VERIFY AR balance represents amounts actually owed as of Balance Sheet date
Establish sales represents goods shipped and/or services rendered during period of financials
Completeness
Determine all amounts owed organization are included in AR
VERIFY shipped goods, services rendered, and/or returns and allowances for period are included in financials
Accuracy
VERIFY revenue transactions are accurately computed, based on correct prices and quantities
Ensure AR subsidiary ledger, sales invoice file, remittance file are mathematically correct … And agree with GL accounts
Rights and Obligations
Determine organization has legal right to AR
VERIFY accounts sold or factored have been removed from AR
Valuation or Allocation
Determine AR balance stated in net realizable value
Establish allocation for uncollectible accounts is appropriate
Presentation and Disclosure
VERIFY AR and revenues for period are properly described and classified
Revenue Cycle Audit Objectives:
Existence / Occurrence
VERIFY AR balance represents amounts actually owed as of Balance Sheet date
Establish sales represents goods shipped and/or services rendered during period of financials
Completeness
Determine all amounts owed organization are included in AR
VERIFY shipped goods, services rendered, and/or returns and allowances for period are included in financials
Accuracy
VERIFY revenue transactions are accurately computed, based on correct prices and quantities
Ensure AR subsidiary ledger, sales invoice file, remittance file are mathematically correct … And agree with GL accounts
Rights and Obligations
Determine organization has legal right to AR
VERIFY accounts sold or factored have been removed from AR
Valuation or Allocation
Determine AR balance stated in net realizable value
Establish allocation for uncollectible accounts is appropriate
Presentation and Disclosure
VERIFY AR and revenues for period are properly described and classified
Input Controls:
Purpose
Ensure creditworthiness of customers
Control techniques vary considerably between batch systems and real-time systems
Credit authorization procedures
Credit worthiness of customer
Batch and manual systems use credit dept.
Real-time systems use programmed decision rules
Testing credit procedures
Verify effective procedures exist
Verify information is adequately communicated
Verify effectiveness of programmed decision rules (test data, ITF)
Verify that authority for making credit decisions is limited to authorized credit personnel/procedures
Perform Substantive Tests of Detail
Review credit policy periodically and revise as necessary
Data Validation Controls
To detect transcription errors in data as it is processed
Batch: after shipment of goods
Error logs
Error correction computer processes
Transaction resubmission procedures
Real-Time: Errors handled as they occur
Missing data checks – presence of blank fields
Numeric-Alphabetic data checks – correct form of data
Limit checks – value does not exceed max for the field
Range checks – data is within upper and lower limits
Validity checks compare actual values against known acceptable values
Check digit identify keystroke errors by testing internal validity
Testing Data Validation Controls
Verify controls exist and are functioning effectively
Validation of program logic can be difficult
If controls over system development and maintenance are NOT weak, testing data editing/programming logic is more efficient than substantive tests of details (test data, ITF)
Some assurance can be gained through the testing of error lists and error logs (detected errors only)
Batch controls
Manage high volumes of similar transactions
Purpose: Reconcile output produced by system with the original input
Controls continue through all computer (data) processes
Batch transmittal sheet:
Unique batch number
Batch date
Transaction code
Record count
Batch control total (amount)
Hash totals (e.g., account numbers)
Testing data validation controls
Failures of batch controls indicate data errors
Involves reviewing transmittal records of batches processed and reconciling them to the batch control log (batch transmittal sheet)
Examine out-of-balance conditions and other errors to determine cause of error
Review and reconcile transaction listings, error logs, etc.
Process Controls:
Computerized procedures for file updating
Restricting access to data
Techniques:
File update controls – Run-to-run batch control data to monitor data processing steps
Transaction code controls to process different transactions using different programming logic (e.g., transaction types)
Sequence check controls sequential files, proper sorting of transaction files required
Testing file update controls results in errors
Testing data that contains errors (incorrect transaction codes, out of sequence)
Can be performed in ITF or test data
CAATTs requires careful planning
Single audit procedure can be devised that performs all tests in one operation.
Access Controls
Prevent and detect unauthorized and illegal access to firm’s systems and/or assets
Warehouse security
Depositing cash daily
Use safe deposit box, night box, lock cash drawers and safes
Accounting records
Removal of an account from books
Unauthorized shipments of goods using blank sales orders
Removal of cash, covered by adjustments to cash account
Theft of products/inventory, covered by adjustments to inventory or cash accounts
Testing access controls: heart of accounting information integrity
Absence thereof allows manipulation of invoices (i.e., fraud)
Access controls are system-wide and application-specific
Access controls are dependent on effective controls in O/S, networks, and databases
Physical Controls:
Segregation of duties
Rule 1: Transaction authorization separate from transaction processing
Rule 2: Asset custody separate from record-keeping tasks
Rule 3: Organization structured such that fraud requires collusion between two or more people
Supervision
Necessary for employees who perform incompatible functions
Compensates for inherent exposure from incompatible functions
Can be a supplement when duties are properly segregated
Prevention vs. detection of fraud and crime is objective: supervision can be effective preventive control
Independent verification
Review the work of others at critical points in business processes
Purpose: Identify errors or possible fraud
Examples:
Shipping dept. verifies goods sent from warehouse dept. are correct in type and quantity
Billing dept. reconciles shipping notice with sales notice to ensure customers billed correctly
Testing physical controls
Review organizational structure for incompatible tasks
Tasks normally segregated in manual systems get consolidated in DP systems.
Duties of design, maintenance, and operations for computers need to be separated
Programmers should not be responsible for subsequent program changes.
Output Controls:
PURPOSE: Information is not lost, misdirected, or corrupted; that the system output processes function properly
Controls are designed to identify potential problems
Reconciling GL to subsidiary ledgers
Maintenance of the audit trail that is the primary way to trace the source of detected errors
Details of transactions processed at intermediate points
AR change report
Transaction logs: permanent record of valid transactions
Transaction listings: successfully posted transactions
Log of automatic transactions
Unique transaction identifiers
Error listings
Testing output controls
Reviewing summary reports for accuracy, completeness, timeliness, and relevance for decisions
Trace sample transactions through audit trails, including transaction listings, error logs, and logs of resubmitted records
-
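An added example, not part of any post in this thread: the batch control reconciliation outlined above (record count, batch control total, hash total, transaction code) run against constructed data. The field names, the `reconcile` helper and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Transmittal:
    """Batch transmittal sheet prepared at input time (field names are assumed)."""
    batch_number: str
    transaction_code: str
    record_count: int
    control_total: Decimal  # sum of transaction amounts
    hash_total: int         # sum of account numbers; meaningful only as a check

def reconcile(sheet, records):
    """Return out-of-balance findings; an empty list means the batch reconciles."""
    findings = []
    wrong = [r for r in records if r["code"] != sheet.transaction_code]
    if wrong:
        findings.append(f"transaction code: {len(wrong)} record(s) differ from sheet")
    if len(records) != sheet.record_count:
        findings.append(f"record count: expected {sheet.record_count}, got {len(records)}")
    amount = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    if amount != sheet.control_total:
        findings.append(f"control total: expected {sheet.control_total}, got {amount}")
    hashed = sum(int(r["account"]) for r in records)
    if hashed != sheet.hash_total:
        findings.append(f"hash total: expected {sheet.hash_total}, got {hashed}")
    return findings

# Constructed sample batch: three sales records and their transmittal sheet.
SHEET = Transmittal("B-0001", "SALE", 3, Decimal("1650.75"), 30126)
PROCESSED_OK = [
    {"account": "10021", "code": "SALE", "amount": "500.00"},
    {"account": "10047", "code": "SALE", "amount": "250.75"},
    {"account": "10058", "code": "SALE", "amount": "900.00"},
]
# Keying error: last record posted to account 10085 instead of 10058.
# Count and amount still balance, so only the hash total exposes it.
MISPOSTED = PROCESSED_OK[:2] + [{**PROCESSED_OK[2], "account": "10085"}]
# Record lost between processing runs: every total is out of balance.
DROPPED = PROCESSED_OK[:2]

if __name__ == "__main__":
    for name, batch in [("ok", PROCESSED_OK), ("misposted", MISPOSTED), ("dropped", DROPPED)]:
        print(name, reconcile(SHEET, batch) or "reconciles")
```

Each finding is the kind of out-of-balance condition an auditor would trace back through the error logs and transaction listings to determine the cause.
-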
Generally credit would be outside the scope of SOX. In some respects SOX doesn’t care if businesses make bad commercial decisions provided that they are recorded correctly in the financial statements.
You would be expected to be able to demonstrate that the process for bad debt provision was able to adequately capture any problems that result from poor credit management.