Purchase, Payments, Payables – CSOX Tests

//Purchase, Payments, Payables – CSOX Tests

The Purchase, Payments and Payables (otherwise known as PPP), is one of the most important C-SOX processes to review as it pertains to  cash disbursements controls. For any organization, strong controls need to be in place to ensure that all disbursements are properly authorized and approved. Cash disbursements and payables are particularly vulnerable to fraudulent transactions. Furthermore, the volume and dollar amount of transactions from the PPP process are likely to be very significant, and therefore they will have a material impact on financial reporting.

Key controls in PPP will typically include the following:

• Purchase Order system – including specific approval authorizations that have been granted and documented within an approved PO policy, also known as Delegation of Authority or Authorization Levels. The PO Policy should detail the types of expenditures (Capital, Operating, Project etc), and the level of signing authority granted to each position with the organization. In most organizations, the PO system is computerized, and ideally the PO Policy will be imbedded within it, so that the ability to request and approve PO’s will be automatically restricted based on policy. Prior to a PO being prepared and sent to a supplier, it should be supported in advance by a PO Requisition, which details support analysis such as quotes and other particulars. Approval of the PO Requisition is the basis of approval. The PO is the “contract” that the organization then sends to the supplier to confirm the order. The PO Requisition may sound redundant, but it is best practice that ensures that PO’s are not sent out to bind the company, in error, or without proper authorization. Pre-numbered PO’s allow the organization to track outstanding orders and obligations, which may impact the financial statements.
• Payments – invoices should be matched against Purchase Orders and a Receiving Report, in the case of manufacturing / distribution companies. This is also known as the 3-way match, to ensure that there are no discrepancies in pricing, quantities, and in case of the Receiving document, that there is independent verification that the goods have actually been delivered. In a computerized system, the 3-way match is done automatically, so that if all documents are aligned properly, the invoice is approved within the system for payment. This provides companies with efficiencies. However, this is an area that requires strong IT system access controls, to ensure the integrity of the 3-way match. Furthermore, hard copy and soft copy invoices need to be properly identified as to the status of payment – therefore subsequent filing and notation is critical to allow for audit purposes, and avoidance of duplicate payments. It is also important that the organization properly recognize (accrue) for the liability based on the receipt of goods or performance of service. This relates to the organization’s specific accounting policy, but normally the receipt should result in a charge to the appropriate Balance Sheet or Expense account, with an offset to Accounts Payable – the impact on financial reporting can be significant!
• Payables – the final process involves payment of the invoice. Disbursements usually take the form of cheques issued, or electronic transfer of funds. In a computerized system, invoices will have been recorded as approved and available for payment. It is critical in this system that segregation of duties are in place, to ensure that there are restrictions in the Accounts Payable function to release invoices for payment. Within a manual system, best practices would require a presentation of the original invoice, PO, and receiving report as support for the cheque payment. Cheques should require 2 authorized signers, and many companies have dollar limits in place where a manual signature is required for cheques in excess of a specified limit. It is also very important that cheques not be returned to the person that has approved the payment or otherwise requested the payment – opportunity for fraud. Of course there should be controls on the physical custody of blank cheques if applicable.

Based on the review of Key controls within the organization, C-SOX Tests should be designed to verify that the controls are performing as expected throughout the year. Typically the tests would include the following:
• Delegation of Authority / Authorization limits – ensure that a document is in place and current.
• System Access controls to ensure that only authorized personnel have the ability to approve PO’s, Receiving Reports, approve invoices for payment. The importance of this cannot be understated.
• Sample audit of 3 way match (in other words a selection of invoices and comparison to supporting PO and Receiving Report). As part of the test, the cheque payment and trace to the appropriate general ledger accounts should also be performed. It should also include a review to ensure that goods received, but not paid at the end of the period, are properly accrued.

Sample size – that depends on the number of transactions, and other factors but the PPP process is usually very significant, so a sample of 25 throughout the year should be sufficient in most cases. Focus the sample on transactions that represent the bulk of the business (based on risk assessment). Make it a point for the test to be very thorough on a precise, select sample – even a small sample of high volume transactions can often provide a good feel for whether the controls are working or not.

Hope this helps. Please contact Edelkoort Smethurst Schein CPA’s LLP if you have any questions or comments.

Edelkoort | Smethurst | Schein CPAs LLP is located in Burlington Ontario servicing the Golden Horseshoe and Greater Toronto Area and beyond. The firm is fully licensed with CPA Ontario to provide assurance, tax and accounting services as well as registered as tax preparers with the Canada Revenue Agency (CRA) & Internal Revenue Service (IRS). The firm is also registered as an IRS Certified Acceptance Agent.

All blog posts published on this site are for informational purposes only and do not constitute professional advice. Readers should contact a professional to discuss their individual situation. Neither the author or the accounting firm shall accept any liability for any reliance placed on the information posted.


Leave A Comment