EDI Invoicing Risk 2204



  • Our A/P department wants to implement EDI invoicing for FedEx and FedEx freight charges. There would be no approval for the charges prior to payment. The approval would come in the form of management’s monthly variance analysis and ad hoc reporting requests. Internal Audit/SOX understands the benefits of EDI; however, I am looking for guidance in regard to best practices specifically addressing the risk of a possible lack of visibility into the detailed charges.



  • Hi and welcome to the forums 🙂
    As SOX centers around controlling major material and IT risks for financial systems, I feel the approach as shared is feasible and could fit into a SOX framework. SOX controls are based on management oversight with external audit playing a role in ensuring key guidelines are met.
    With that said, folks don’t have to implement rigorous and bureaucratic approval systems (esp. in our era of electronic transactions, where we need to gain efficiency and productivity everywhere possible). Post-review controls can work as long as they are well thought out and provide good techniques to identify errors or potential fraud.
    Some suggestions include:

    1. Examine the new EDI approach from both a workflow and technical perspective. Ensure that no one can reasonably create start-to-finish transactions unchecked (e.g., eliminate all possibilities of fraud).
    2. For any e-commerce application, ensure sound IT security is present everywhere, (as you want secure transactions, confidentiality in reporting information, and protection of customer information).
    3. Set up a review process to look for extraordinary or questionable transactions on an ‘after the fact’ basis. Maybe some exception reports could be created for all large money transactions and reviewed periodically to ensure no erroneous or potentially fraudulent charges take place.
    4. As external SOX auditors most likely have experience with EDI based systems, you can share any concerns or ideas there as well.
    While I’m more of an IT person than a SOX expert, some of our more knowledgeable members may offer comments (and where I may be incorrect, please defer to their opinions).


  • Our A/P department wants to implement EDI invoicing for FedEx and FedEx freight charges. There would be no approval for the charges prior to payment. The approval would come in the form of management’s monthly variance analysis and ad hoc reporting requests. Internal Audit/SOX understands the benefits of EDI; however, I am looking for guidance in regard to best practices specifically addressing the risk of a possible lack of visibility into the detailed charges.
    What do you mean by no approval?
    If you mean no separate approval for the payment, then that is probably OK; however, I would expect to see some form of authorisation over a) orders and b) receipt of services. If a and b match with the ultimate charge then this seems OK; otherwise you run the risk of payments going through that won’t be properly checked, as you are going to be talking about a large number of low-value transactions.
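As an added illustration of the two controls described in this thread (the after-the-fact exception report for large charges in suggestion 3 above, and the match of authorised orders and service receipts against the ultimate charge in this reply), the following Python script builds a post-payment exception report over EDI invoice lines. It is example code written for this page, not anything from the original posters or from FedEx; the order/receipt/invoice records, the 5,000 review threshold and the 2% amount tolerance are all constructed assumptions.

```python
"""Post-hoc exception report for EDI carrier invoices (example, not from the
thread). Each invoice line is matched against an authorised order and a
receipt of service; anything unmatched, out of tolerance, or above a review
threshold is reported for periodic management review."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Order:
    order_id: str
    approved_amount: Decimal  # amount authorised when the order was placed


@dataclass(frozen=True)
class Receipt:
    order_id: str
    received: bool  # confirmation that the service was actually rendered


@dataclass(frozen=True)
class InvoiceLine:
    invoice_id: str
    order_id: str  # order reference carried on the EDI invoice
    amount: Decimal


# Assumed review parameters; real values come from management's policy.
LARGE_AMOUNT = Decimal("5000.00")   # charges at or above this always get a manual look
TOLERANCE = Decimal("0.02")         # 2% variance allowed between order and charge


def exceptions(orders, receipts, invoice_lines,
               large_amount=LARGE_AMOUNT, tolerance=TOLERANCE):
    """Return one finding per invoice line that fails any control check."""
    orders_by_id = {o.order_id: o for o in orders}
    received = {r.order_id for r in receipts if r.received}
    findings = []
    for line in invoice_lines:
        reasons = []
        order = orders_by_id.get(line.order_id)
        if order is None:
            reasons.append("no authorised order")  # control (a) fails
        elif abs(line.amount - order.approved_amount) > order.approved_amount * tolerance:
            reasons.append("amount differs from order beyond tolerance")
        if line.order_id not in received:
            reasons.append("no receipt of service")  # control (b) fails
        if line.amount >= large_amount:
            reasons.append("large amount: manual review")  # suggestion 3
        if reasons:
            findings.append({"invoice_id": line.invoice_id,
                             "order_id": line.order_id,
                             "amount": line.amount,
                             "reasons": reasons})
    return findings


def build_report():
    """Run the checks over a small constructed data set."""
    orders = [Order("O1", Decimal("100.00")),
              Order("O2", Decimal("6000.00")),
              Order("O3", Decimal("250.00"))]
    receipts = [Receipt("O1", True), Receipt("O2", True), Receipt("O3", False)]
    invoice_lines = [
        InvoiceLine("INV1", "O1", Decimal("100.00")),  # clean: matches order and receipt
        InvoiceLine("INV2", "O2", Decimal("6000.00")), # matches, but large
        InvoiceLine("INV3", "O3", Decimal("250.00")),  # ordered but never received
        InvoiceLine("INV4", "O9", Decimal("80.00")),   # no order on file at all
        InvoiceLine("INV5", "O1", Decimal("130.00")),  # charged 30% over the order
    ]
    return exceptions(orders, receipts, invoice_lines)


if __name__ == "__main__":
    for finding in build_report():
        print(finding["invoice_id"], finding["order_id"], finding["amount"],
              "; ".join(finding["reasons"]))
```

Because the match is keyed on the order reference the carrier echoes back on the invoice, the report is only as good as the discipline of putting an authorised order number on every shipment; lines that arrive with no usable reference surface as "no authorised order" rather than disappearing into the monthly variance.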

