Risks and Controls in Finance Business Processes

By Bala Krishnan, CISA, CIPP/IT

Impact: If left unaddressed, these risks are very serious. They expose the company to fraud, which could result in loss of revenue, and to financial misstatement, which in turn results in non-compliance with SOX regulation in the US.

Serial No. 1
Risk: Amount posted to a prior period, resulting in financial irregularities or misstatements.
Recommended Control: A monitoring control needs to be established to review the GL for any prior-period postings. Any entry found needs to be investigated to determine whether there was a valid business justification for it. [Note that back-posting settings in Logistics can also be configured to allow posting to prior periods. Both these areas need to be reviewed in the IMG.]

Serial No. 2
Risk: Top-side journal entries.
Recommended Control: Since there is great potential for misuse of this type of JE, all top-side journal entries need to be closely reviewed to verify their accuracy. [A valid use of top-side journal entries is to allocate income or expenses from a parent company to its subsidiaries. However, top-side adjustments can also be used to improperly reduce liability accounts and increase revenue or decrease expenses. Companies undergoing mergers, acquisitions or restructuring are particularly susceptible to the fraudulent misuse of top-side journal entries.]

Serial No. 3
Risk: Non-routine journal entries, e.g. adjustments and corrections to journal entries.
Recommended Control: All non-routine journal entries for the period need to be reviewed and must be approved by a person other than the person who posts to the General Ledger. Only accounting personnel should be able to create non-routine journal entries. [A recurring journal entry is an entry with the same amount every month. A routine entry's amount may vary, but its form and nature are the same every month. A non-routine journal entry is everything else: any unique entry.]
Serial No. 4
Risk: Invalid and erroneous journal entries, resulting in financial irregularities or misstatements.
Recommended Control: JEs must be reviewed at the line-item level to ensure that every entry is accurate. Top-side and non-routine journal entries, and those exceeding a pre-established threshold, need to be examined even more closely.

Serial No. 5
Risk: Unexpected recurring journal entries, including complex intercompany transactions.
Recommended Control: This is an area of high risk for all industries. It needs to be mitigated with a monitoring control.

Serial No. 6
Risk: Recurring entry schedule changes, resulting in erroneous or skipped postings.
Recommended Control: If there are any changes to the run schedule of the recurring journal entry postings, they need to be closely examined.

Serial No. 7
Risk: Unauthorized changes to document types, resulting in financial misstatement.
Recommended Control: Document types are used to categorize transactions appropriately. Hence, all changes to these document types need to be examined very closely, recording the details of each change and the number of changes in that accounting period.

Serial No. 8
Risk: Invalid or unapproved changes to configuration settings related to intercompany postings and authorization groups.
Recommended Control: A monitoring control is needed to validate these types of configuration changes.

Serial No. 9
Risk: Unapproved changes to exchange rates can significantly impact transaction processing, including intercompany transactions, customer invoices and vendor disbursements.
Recommended Control: All changes made to the master currency rate table need to be reviewed.

Serial No. 10
Risk: Unauthorized changes to the chart of accounts.
Recommended Control: Monitor additions and changes to the chart of accounts, filtered by account range.

Serial No. 11
Risk: Long posting period; this could override the period-end closing procedures, resulting in financial irregularities or misstatements.
Recommended Control: Any posting period open for a longer-than-usual timeframe has to be closely examined.

Serial No. 12
Risk: Unauthorized changes to account document types that allow or deny GL account posting by document type.
Recommended Control: All changes made to posting configurations need to be closely examined.

Serial No. 13
Risk: Invalid or unapproved changes to posting period and fiscal year period configurations.
Recommended Control: A monitoring control needs to be set up to review all changes of this type.
SAP Specific Application Controls
Serial No. I
Risk: Deletion of transactional data.
Recommended Control: Verify that valid company codes are set to 'Productive' to prevent the deletion of transactional data (t-code OBR3). [This prevents deletion programs from resetting data in this company code by mistake. For example, OBR1 and OKC3 delete complete transaction data in FI and CO, so using such a transaction in a production system would be bad. The production system indicator prevents this from happening.]

Serial No. II
Risk: Unauthorized changes to the chart of accounts.
Recommended Control: Monitor additions and changes to the chart of accounts, filtered by account range. Changes can be viewed in report RFSABL00 via SA38.

Serial No. III
Risk: Unauthorized changes to GL accounts.
Recommended Control: SAP functions that enable users to create, modify or delete GL accounts must be restricted and based on business need. This includes the transactions in table B with authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) and 06 (marked for deletion).
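The access review behind row III can be run over an authorization extract rather than by clicking through roles one at a time. The following is an added example and not code from the original page: it takes a constructed, simplified extract of role authorizations (role, object, field, low value, high value) and role-to-user assignments, loosely modelled on what one would pull from tables AGR_1251 and AGR_USERS, and lists every user who holds activity 01, 02, 05 or 06 on F_SKA1_KTP or F_SKA1_BUK through any role. The role and user names are made up for illustration; the wildcard and range handling mirrors how SAP authorization field values are evaluated.

```python
"""Who can maintain G/L accounts? An access review over role authorizations.

Added example, not code from the original page. The records below are a
constructed, simplified extract of SAP role authorizations and role-to-user
assignments; role names, user names and values are assumptions.
"""

# Activity values on the G/L master objects that the page flags as sensitive.
SENSITIVE_ACTVT = {
    "01": "create",
    "02": "change",
    "05": "block",
    "06": "flag for deletion",
}
GL_MASTER_OBJECTS = {"F_SKA1_KTP", "F_SKA1_BUK"}

# Constructed role authorization lines: (role, object, field, low, high).
ROLE_AUTHS = [
    ("Z_FI_GL_MAINT", "F_SKA1_KTP", "ACTVT", "01", ""),
    ("Z_FI_GL_MAINT", "F_SKA1_KTP", "ACTVT", "02", ""),
    ("Z_FI_GL_MAINT", "F_SKA1_KTP", "KTOPL", "INT", ""),
    ("Z_FI_GL_DISPLAY", "F_SKA1_KTP", "ACTVT", "03", ""),
    ("Z_FI_GL_DISPLAY", "F_SKA1_BUK", "ACTVT", "03", ""),
    ("Z_FI_ALL", "F_SKA1_BUK", "ACTVT", "*", ""),        # wildcard: every activity
    ("Z_FI_ALL", "F_SKA1_BUK", "BUKRS", "1000", "2000"),
    ("Z_FI_CLERK", "F_SKA1_KTP", "ACTVT", "01", "06"),   # range 01..06 inclusive
]

# Constructed role-to-user assignments: (role, user).
ROLE_USERS = [
    ("Z_FI_GL_MAINT", "JSMITH"),
    ("Z_FI_GL_DISPLAY", "JSMITH"),
    ("Z_FI_GL_DISPLAY", "ALEE"),
    ("Z_FI_ALL", "BASISADM"),
    ("Z_FI_CLERK", "MKUMAR"),
]


def actvt_granted(low, high, value):
    """Authorization field semantics: '*' grants everything, a filled high
    value makes an inclusive range, otherwise the low value must match."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    return low == value


def sensitive_activities_by_role(role_auths):
    """Map role -> set of (object, actvt) pairs granting a sensitive activity."""
    grants = {}
    for role, obj, field, low, high in role_auths:
        if obj not in GL_MASTER_OBJECTS or field != "ACTVT":
            continue
        for actvt in SENSITIVE_ACTVT:
            if actvt_granted(low, high, actvt):
                grants.setdefault(role, set()).add((obj, actvt))
    return grants


def users_with_gl_maintenance(role_auths, role_users):
    """Return {user: sorted [(object, actvt, meaning)]} for every user who can
    create, change, block or flag G/L accounts for deletion via any role."""
    grants = sensitive_activities_by_role(role_auths)
    by_user = {}
    for role, user in role_users:
        for obj, actvt in grants.get(role, ()):
            by_user.setdefault(user, set()).add((obj, actvt, SENSITIVE_ACTVT[actvt]))
    return {user: sorted(g) for user, g in by_user.items()}


if __name__ == "__main__":
    for user, grants in sorted(users_with_gl_maintenance(ROLE_AUTHS, ROLE_USERS).items()):
        print(user, grants)
```

Note that the display-only user (activity 03) is correctly absent from the output, while the range 01..06 and the wildcard both surface every sensitive activity, which is exactly what a reviewer would otherwise miss by reading the role's low value alone.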
Serial No. IV
Risk: Incorrect document types and posting keys can introduce significant errors in journal entry postings to GL accounts.
Recommended Control: Validate the document type (t-code OBA7) and posting key (OB41) configuration.

Serial No. V
Risk: Incorrect monetary limits and tolerance limits for certain users open up the potential for fraud in GL postings.
Recommended Control: Tolerance limits for GL postings need to be reviewed periodically, preferably every quarter, via the following transactions: OBA4 (tolerance limit by company code) and OB57 (tolerance limit by user).

Serial No. VI
Risk: Inconsistencies in the JE process due to unbalanced journal entries.
Recommended Control: Avoid unbalanced JEs (where credits do not balance with debits) by setting the JRN_BALANCE parameter to 1 in BPS or by blocking unbalanced journal entries.
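Several of the monitoring controls above (prior-period postings in row 1, the line-item and threshold review in row 4, and the unbalanced-entry check in row VI) come down to the same pass over extracted journal documents. The following is an added example, not code from the original page, showing that pass over a constructed sample of documents shaped loosely like SAP document headers and line items: posting date versus entry date, document type, user, and debit/credit line amounts. The field names, the assumption that manual G/L journals carry document type SA, the calendar-year fiscal periods and the review threshold are all assumptions for illustration.

```python
"""Monitoring pass over journal entry documents.

Added example, not code from the original page. DOCUMENTS is a constructed
sample loosely modelled on SAP header (BKPF) and line item (BSEG) fields;
values, document type, fiscal-period rule and threshold are assumptions.
"""
from datetime import date

# Constructed sample. Each document has header fields plus line items of
# (account, debit/credit indicator: S = debit, H = credit, amount).
DOCUMENTS = [
    {"belnr": "1000001", "bukrs": "1000", "blart": "SA", "usnam": "JSMITH",
     "budat": date(2023, 3, 31), "cpudt": date(2023, 4, 12),   # entered in April, posted into March
     "items": [("400000", "S", 12000.00), ("160000", "H", 12000.00)]},
    {"belnr": "1000002", "bukrs": "1000", "blart": "KR", "usnam": "ALEE",
     "budat": date(2023, 4, 5), "cpudt": date(2023, 4, 5),
     "items": [("400000", "S", 450.00), ("160000", "H", 450.00)]},
    {"belnr": "1000003", "bukrs": "1000", "blart": "SA", "usnam": "MKUMAR",
     "budat": date(2023, 4, 28), "cpudt": date(2023, 4, 28),    # manual entry above threshold
     "items": [("113100", "S", 250000.00), ("800000", "H", 250000.00)]},
    {"belnr": "1000004", "bukrs": "1000", "blart": "SA", "usnam": "MKUMAR",
     "budat": date(2023, 4, 29), "cpudt": date(2023, 4, 29),    # debits do not equal credits
     "items": [("113100", "S", 1000.00), ("800000", "H", 900.00)]},
]

MANUAL_DOC_TYPES = {"SA"}      # assumption: manual G/L journal entries use type SA
REVIEW_THRESHOLD = 100000.00   # assumption: pre-established review threshold


def fiscal_period(d):
    """Assumes a calendar-year fiscal variant: period = month. Returns (year, period)."""
    return (d.year, d.month)


def is_prior_period_posting(doc):
    """True when the posting date falls in an earlier period than the entry date."""
    return fiscal_period(doc["budat"]) < fiscal_period(doc["cpudt"])


def balance(doc):
    """Debits minus credits, rounded to cents; a balanced document returns 0.0."""
    debits = sum(amt for _, dc, amt in doc["items"] if dc == "S")
    credits = sum(amt for _, dc, amt in doc["items"] if dc == "H")
    return round(debits - credits, 2)


def debit_total(doc):
    """Document value measured as the sum of its debit lines."""
    return sum(amt for _, dc, amt in doc["items"] if dc == "S")


def review_findings(docs, threshold=REVIEW_THRESHOLD):
    """Return {belnr: [reasons]} for every document that needs manual review."""
    findings = {}
    for doc in docs:
        reasons = []
        if is_prior_period_posting(doc):
            reasons.append("posted to prior period")
        if balance(doc) != 0:
            reasons.append("unbalanced")
        if doc["blart"] in MANUAL_DOC_TYPES and debit_total(doc) >= threshold:
            reasons.append("manual entry above threshold")
        if reasons:
            findings[doc["belnr"]] = reasons
    return findings


if __name__ == "__main__":
    for belnr, reasons in review_findings(DOCUMENTS).items():
        print(belnr, ", ".join(reasons))
```

The period comparison uses the posting date against the entry date rather than against "today", so a document back-posted weeks ago is still caught when the extract is reviewed at quarter end. Balances are rounded to cents before the zero test to avoid false positives from floating-point residue on long documents.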
Serial No. VII
Risk: Security: security risks due to access to sensitive JE transactions to create, change, reverse and delete journal entries.
Recommended Control: Verify that access to the aforementioned sensitive t-codes is only given to authorized employees with a valid business need.

Serial No. VIII
Risk: Security: security risks in the period-end close process.
Recommended Control: Period-end open and close process transactions such as OB52 (open and close FI posting periods) and OBBP, along with the others in the list, need to be controlled and provided only to authorized users.

Serial No. IX
Risk: Risk of acquiring assets in excess of the budgeted amounts.
Recommended Control: Availability controls should block asset acquisitions in excess of budget [t-code: OPS9].

Serial No. X
Risk: Risks of foreign currency transaction errors.
Recommended Control: Verify that accurate values of foreign currency transactions are being used. [Related t-codes: OBBS, OB08, OB59, OBA1, OB90]

Serial No. XI
Risk: Risks in intercompany transaction reconciliation.
Recommended Control: Intercompany clearing accounts must be clearly identified (using t-code OBYA) and should only post to a dedicated intercompany account.

Serial No. XII
Risk: Inconsistencies in cash transactions and the bank reconciliation process could be signs of abuse or fraud.
Recommended Control: T-codes such as FF.6, FF67, FF7A and FF68 should be reviewed regularly to monitor cash transactions and ensure bank deposits and payments are reflected in the relevant GL accounts.

Serial No. XIII
Risk: Risk of unauthorized bank master data changes.
Recommended Control: Changes to bank master data must be identified through transaction FI04 or report RFBKABL0 and traced to supporting documents to test for authorization, accuracy and completeness.