Controls for Supplier Initiated Address Changes



  • Hello,
    I work for a manufacturing company that, although it is small, is owned by a publicly traded company. We have developed a Web Application that allows our Suppliers, Dealers, and Distributors to have a user account to access extranet applications. This application also allows these entities (with the proper access) to change their company information such as Address, phone number, etc.
    Currently those changes only take place in our Web Application and do not directly affect our business (accounting) system. However, we are now looking at this application to be the central point for customer profiles and will be updating our business systems with these addresses. So now when a customer changes their address info, that change will also update the business system.
    We have controls over who can ‘Create’ a new Entity, but I was wondering what sort of controls we need to allow them to change their address.
    Thanks for your help on this and let me know if you have any additional questions.
    Bob



  • Is there a financial statements impact? I suspect not.



  • Could be an impact if the address affects delivery destinations/where you are sending invoices to.
    If just anyone can change delivery destinations you may end up with an uncollectable debt.
    Also you may have people coming through your firewall to change this data - need to make sure they can’t access anything else.
    It all depends on your business though… You need to make your own assessment of how this could impact your financials.



  • If just anyone can change delivery destinations you may end up with an uncollectable debt.

    Which is not a SOx problem if your provision is sufficient :roll:



  • Operational risk - YES
    Commercial risk - YES
    Financial Statements Risk - Probably not
    SOx issue - probably not



  • Hey,
    This is all very helpful information, but let me just answer some questions you have asked and see if it changes any responses.
    Yes, this information that a Supplier or Customer can change, will also be updated in the business systems for invoicing, payment and stuff like that.
    We do have a firewall and we have security measures in place to prevent unauthorized access, etc.
    I guess the question that comes to my mind is: although this company isn’t selling stuff online, I see a place like Amazon allowing customers to change their address information (without approval from anyone that I am aware of), and I’m assuming they passed this SOx Audit. Am I in the same boat here, or is there something different that would prevent me from doing this?
    Thanks again for your responses, this is an extremely helpful forum and I’m glad I found it. I’ve already passed it to other contacts that are going through this with SOx Audit.
    Thanks,
    Bob



  • Remember that SOx is about Financial Statements.
    If you send an invoice to the wrong address will your revenue be wrong? Will that cause you to not follow up unpaid receivables? If the commercial risk - that you fail to collect - arises then you should have a process for bad debt provision anyway.
    Similarly, as you are a manufacturing company what is the risk that a change is made and physical product goes to a non-commercial address that is nothing to do with your customer? Again this is primarily a commercial risk, you will still have invoiced the right amount for something that you produced - it will just be uncollectable - which is where bad debt provision comes in again.
    However, even if you believe there is a valid financial statements risk there should be some easy control procedures. Is there a log created of changes made to customer data - and is this verified? Alternatively, can the system accept the change but not process it until a member of your sales team has OK’d it?
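
The two controls suggested in the post above (a reviewed log of changes, and holding a change until a sales team member has OK'd it) could be combined as follows. This is an added example, not code from the thread or from the poster's application: the class, field names and sample IDs are hypothetical, a dict stands in for the business system, and the hash-chained log is an added design choice so that later edits to the log are detectable.

```python
import hashlib
import json
from dataclasses import dataclass, field

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class AddressChangeQueue:
    business_system: dict   # entity_id -> address; stand-in for the accounting system
    approvers: frozenset    # internal staff allowed to release changes (assumption)
    pending: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event: str, **details) -> None:
        # Each entry commits to the previous one, so edits or deletions break the chain.
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        body = {"seq": len(self.audit_log), "event": event, "prev": prev, **details}
        self.audit_log.append({**body, "hash": _digest(body)})

    def request_change(self, entity_id: str, new_address: str, requested_by: str) -> None:
        # Supplier-side action: recorded and queued, business system left untouched.
        old = self.business_system[entity_id]  # KeyError for unknown entities
        self.pending[entity_id] = {"new": new_address, "requested_by": requested_by}
        self._log("requested", entity=entity_id, old=old, new=new_address, actor=requested_by)

    def approve(self, entity_id: str, approver: str) -> None:
        change = self.pending[entity_id]  # KeyError if nothing is pending
        # Segregation of duties: approver must be staff and not the requester.
        if approver not in self.approvers or approver == change["requested_by"]:
            self._log("approval_denied", entity=entity_id, actor=approver)
            raise PermissionError(f"{approver} may not approve this change")
        self.business_system[entity_id] = self.pending.pop(entity_id)["new"]
        self._log("approved", entity=entity_id, new=change["new"], actor=approver)

    def verify_log(self) -> bool:
        # Recompute the chain; run by whoever reviews the change log.
        prev = "0" * 64
        for seq, entry in enumerate(self.audit_log):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != seq or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

if __name__ == "__main__":
    q = AddressChangeQueue({"SUP-1001": "1 Old Road"}, frozenset({"sales_amy"}))  # constructed data
    q.request_change("SUP-1001", "9 New Street", "supplier_bob")
    q.approve("SUP-1001", "sales_amy")
    print(q.business_system, q.verify_log())
```

Denied approval attempts are logged as well, so the reviewer of the log sees attempts to bypass the hold, not only the changes that went through.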



  • Yes, this information that a Supplier or Customer can change, will also be updated in the business systems for invoicing, payment and stuff like that.
    I would think that unless supplier banking information can be changed externally, this would not apply for SOx.

