Customer credit evaluations



  • Are controls surrounding evaluation and approval of a customer’s credit risk, establishment of credit limits and releasing credit holds within the scope of SOX or are they just a business process that does not need to be documented? Is it sufficient to just have adequate controls over bad debt reserves?
    My practice had been to document controls in this area related to segregation of duties, audit trail for credit limit changes, management review of credit hold releases, etc. as key controls in the sales and accounts receivable process.
    Appreciate any thoughts anyone has on this.



  • Management Assertions and Revenue Cycle Objectives:
    Existence / Occurrence
    VERIFY AR balance represents amounts actually owed as of Balance Sheet date
    Establish sales represents goods shipped and/or services rendered during period of financials
    Completeness
    Determine all amounts owed organization are included in AR
    VERIFY shipped goods, services rendered, and/or returns and allowances for period are included in financials
    Accuracy
    VERIFY revenue transactions are accurately computed, based on correct prices and quantities
    Ensure AR subsidiary ledger, sales invoice file, remittance file are mathematically correct … And agree with GL accounts
    Rights and Obligations
    Determine organization has legal right to AR
    VERIFY accounts sold or factored have been removed from AR
    Valuation or Allocation
    Determine AR balance stated in net realizable value
    Establish allocation for uncollectible accounts is appropriate
    Presentation and Disclosure
    VERIFY AR and revenues for period are properly described and classified
    Input Controls:
    Purpose
    Ensure creditworthiness of customers
    Control techniques vary considerably between batch systems and real-time systems
    Credit authorization procedures
    Credit worthiness of customer
    Batch and manual systems use credit dept.
    Real-time systems use programmed decision rules
    Testing credit procedures
    Verify effective procedures exist
    Verify information is adequately communicated
    Verify effectiveness of programmed decision rules (test data, ITF)
    Verify that authority for making credit decisions is limited to authorized credit personnel/procedures
    Perform Substantive Tests of Detail
    Review credit policy periodically and revise as necessary
    Data Validation Controls
    To detect transcription errors in data as it is processed
    Batch: after shipment of goods
    Error logs
    Error correction computer processes
    Transaction resubmission procedures
    Real-Time: Errors handled as they occur
    Missing data checks: presence of blank fields
    Numeric-alphabetic data checks: correct form of data
    Limit checks: value does not exceed max for the field
    Range checks: data is within upper and lower limits
    Validity checks: compare actual values against known acceptable values
    Check digit: identify keystroke errors by testing internal validity
    Testing Data Validation Controls
    Verify controls exist and are functioning effectively
    Validation of program logic can be difficult
    If Controls over system development and maintenance are NOT weak, testing data editing/programming logic more efficient than substantive tests of details (test data, ITF)
    Some assurance can be gained through the testing of error lists and error logs (detected errors only)
    Batch controls
    Manage high volumes of similar transactions
    Purpose: Reconcile output produced by system with the original input
    Controls continue through all computer (data) processes
    Batch transmittal sheet:
    Unique batch number
    Batch date
    Transaction code
    Record count
    Batch control total (amount)
    Hash totals (e.g., account numbers)
    Testing data validation controls
    Failure of batch controls indicates data errors
    Involves reviewing transmittal records of batches processed and reconcile them to the batch control log (batch transmittal sheet)
    Examine out-of-balance conditions and other errors to determine cause of error
    Review and reconcile transaction listings, error logs, etc.
    Process Controls:
    Computerized procedures for file updating
    Restricting access to data
    Techniques:
    File update controls – Run-to-run batch control data to monitor data processing steps
    Transaction code controls to process different transactions using different programming logic (e.g., transaction types)
    Sequence check controls sequential files, proper sorting of transaction files required
    Testing file update controls results in errors

    Testing data that contains errors (incorrect transaction codes, out of sequence)
    Can be performed in ITF or test data
    CAATTs requires careful planning
    Single audit procedure can be devised that performs all tests in one operation.
    Access Controls
    Prevent and detect unauthorized and illegal access to firm’s systems and/or assets
    Warehouse security
    Depositing cash daily
    Use safe deposit box, night box, lock cash drawers and safes
    Accounting records
    Removal of an account from books
    Unauthorized shipments of goods using blank sales orders
    Removal of cash, covered by adjustments to cash account
    Theft of products/inventory, covered by adjustments to inventory or cash accounts
    Testing access controls heart of accounting information integrity
    Absence thereof allows manipulation of invoices (i.e., fraud)
    Access controls are system-wide and application-specific
    Access controls are dependent on effective controls in O/S, networks, and databases
    Physical Controls:
    Segregation of duties
    Rule 1: Transaction authorization separate from transaction processing
    Rule 2: Asset custody separate from record-keeping tasks
    Rule 3: Organization structured such that fraud requires collusion between two or more people
    Supervision
    Necessary for employees who perform incompatible functions
    Compensates for inherent exposure from incompatible functions
    Can be a supplement when duties are properly segregated
    Prevention vs. detection of fraud and crime is objective: supervision can be effective preventive control
    Independent verification
    Review the work of others at critical points in business processes
    Purpose: Identify errors or possible fraud
    Examples:
    Shipping dept. verifies goods sent from warehouse dept. are correct in type and quantity
    Billing dept. reconciles shipping notice with sales notice to ensure customers billed correctly
    Testing physical controls
    Review organizational structure for incompatible tasks
    Tasks normally segregated in manual systems get consolidated in DP systems.
    Duties of design, maintenance, and operations for computers need to be separated
    Programmers should not be responsible for subsequent program changes.
    Output Controls:
    PURPOSE: Information is not lost, misdirected, or corrupted; that the system output processes function properly
    Controls are designed to identify potential problems
    Reconciling GL to subsidiary ledgers
    Maintenance of the audit trail that is the primary way to trace the source of detected errors
    Details of transactions processed at intermediate points
    AR change report
    Transaction logs: permanent record of valid transactions
    Transaction listings successfully posted transactions
    Log of automatic transactions
    Unique transaction identifiers
    Error listings
    Testing output controls
    Reviewing summary reports for accuracy, completeness, timeliness, and relevance for decisions
    Trace sample transactions through audit trails; including transaction listings, error logs, and logs of resubmitted records
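
The data validation checks and the batch transmittal sheet reconciliation listed in the post above, as an added example that is not part of the original post. The field names, the limit and range values, the choice of Luhn as the check digit scheme, and the sample batch are all assumptions made for illustration.

```python
from decimal import Decimal

VALID_CODES = {"SALE", "RETURN"}   # validity check: known acceptable values (assumed)
MAX_AMOUNT = Decimal("50000.00")   # limit check ceiling (assumed)

def luhn_ok(account: str) -> bool:
    """Check digit test; Luhn is an assumed scheme, the post names none."""
    digits = [int(c) for c in reversed(account)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def validate(rec: dict) -> list:
    """Return the edit checks that one transaction record fails."""
    fields = ("account", "code", "amount", "qty")
    errors = [f"missing:{f}" for f in fields if not str(rec.get(f, "")).strip()]
    if errors:
        return errors
    try:
        amount, qty = Decimal(rec["amount"]), int(rec["qty"])
    except (ArithmeticError, ValueError):
        return ["numeric:amount_or_qty"]
    if not rec["account"].isdigit():
        errors.append("numeric:account")
    elif not luhn_ok(rec["account"]):
        errors.append("check_digit:account")
    if rec["code"] not in VALID_CODES:
        errors.append("validity:code")
    if amount > MAX_AMOUNT:
        errors.append("limit:amount")
    if not 1 <= qty <= 999:        # range check bounds (assumed)
        errors.append("range:qty")
    return errors

def reconcile(sheet: dict, records: list) -> list:
    """Name the transmittal sheet totals that disagree with the records received."""
    actual = {
        "record_count": len(records),
        "control_total": sum(Decimal(r["amount"]) for r in records),
        # Hash total: sum of account numbers, meaningless as a figure but
        # sensitive to any altered, dropped or substituted record.
        "hash_total": sum(int(r["account"]) for r in records),
    }
    return [name for name, value in actual.items() if sheet[name] != value]

# Constructed sample batch and transmittal sheet (not real data).
BATCH = [
    {"account": "79927398713", "code": "SALE", "amount": "1200.00", "qty": "10"},
    {"account": "79927398710", "code": "SALE", "amount": "300.00", "qty": "2"},
    {"account": "79927398713", "code": "VOID", "amount": "60000.00", "qty": "0"},
]
SHEET = {"batch_no": "B-0001", "record_count": 3,
         "control_total": Decimal("61500.00"), "hash_total": 239782196136}
```

A batch can reconcile to its transmittal sheet and still contain records that fail the edit checks, which is why the two controls are tested separately.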



  • Generally credit would be outside the scope of SOX. In some respects SOX doesn’t care if businesses make bad commercial decisions provided that they are recorded correctly in the financial statements.
    You would be expected to be able to demonstrate that the process for bad debt provision was able to adequately capture any problems that result from poor credit management.

