A) The accounting profession has invested significantly in
separation of duties because of the understood risks accumulated
over hundreds of years of accounting practice.
By contrast, many corporations in the United States found that
an unexpectedly high proportion of their Sarbanes-Oxley internal
control issues came from IT. Separation of duties is commonly used
in large IT organizations so that no single person is in a position
to introduce fraudulent or malicious code or data without
detection. Role-based access control is frequently used in IT
systems where SoD is required. Strict control of software and data
changes will require that the same person or organization performs
only one of the following roles:
- Identification of a requirement (or change request); e.g. a
business person
- Authorization and approval; e.g. an IT governance board or
manager
- Design and development; e.g. a developer
- Review, inspection and approval; e.g. another developer or
architect.
- Implementation in production; typically a software change or
system administrator.
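The check described above can be run over change records. This is an added example, not part of the original text; the role keys, ticket ids, names and organizations are constructed for illustration. It flags any person (or, optionally, organization) that holds more than one of the five roles on the same change, and any change where a role was skipped.

```python
from collections import defaultdict

# The five change-control roles from the list above, in workflow order.
ROLES = ("request", "authorize", "develop", "review", "implement")

def sod_violations(change, org_of=None):
    """change: role -> person. org_of: optional person -> organization."""
    org_of = org_of or {}
    findings = []
    missing = tuple(r for r in ROLES if not change.get(r))
    if missing:                       # a skipped step is itself a control gap
        findings.append(("missing_role", missing))
    by_person, by_org = defaultdict(list), defaultdict(list)
    for role in ROLES:
        person = change.get(role)
        if not person:
            continue
        key = person.strip().lower()  # "Dev1 " and "dev1" are one actor
        by_person[key].append(role)
        if key in org_of:
            by_org[org_of[key]].append((role, key))
    for person, roles in by_person.items():
        if len(roles) > 1:
            findings.append(("same_person", person, tuple(roles)))
    for org, pairs in by_org.items():
        # Different people, one organization: reported apart from same_person.
        if len({p for _, p in pairs}) > 1:
            findings.append(("same_org", org, tuple(r for r, _ in pairs)))
    return findings

def audit(changes, org_of=None):
    """Return {change_id: findings} for records with at least one finding."""
    return {cid: f for cid, c in changes.items() if (f := sod_violations(c, org_of))}

# Constructed sample records; ids, names and organizations are made up.
CHANGES = {
    "CHG-1": {"request": "bea", "authorize": "gov-board", "develop": "dev1",
              "review": "dev2", "implement": "ops1"},
    "CHG-2": {"request": "bea", "authorize": "gov-board", "develop": "dev1",
              "review": "dev1", "implement": "dev1"},   # one person, three roles
    "CHG-3": {"request": "bea", "authorize": "mgr", "develop": "dev2",
              "implement": "ops1"},                     # no review recorded
}
ORGS = {"dev1": "vendor-x", "ops1": "vendor-x"}

if __name__ == "__main__":
    for cid, found in audit(CHANGES, ORGS).items():
        print(cid, found)
```
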
The IT functions that should be segregated in large
companies:
- Authorizing a transaction, receiving and
maintaining custody of the asset that resulted from the
transaction.
- Receiving checks (payment on account)
and approving write-offs.
- Depositing cash and reconciling bank
statements.
- Approving time cards and having
custody of pay checks.
Internal controls in accounting: Purchasing, payables and
payments (PPP)
This stream of transactions relates to all of the steps in the
process of purchasing, including the authorization of purchases,
the receipt of goods and services, and the recording of payables
and payments. The following are key areas where having internal
controls ensures oversight:
- Authorization for purchases: It is important that the
authorization for purchasing is clearly delineated, both in terms
of what types of goods a person is responsible for purchasing, as
well as the maximum dollar value that they can authorize
- Receipt of incorrect shipments: This can occur if a different
item (or quantity) is delivered than what was ordered. Goods that
are received should be compared closely to what was ordered and
invoiced
- Payment for goods not received: This may occur through error on
the part of the supplier, a loss in transit, or as the result of a
fictitious invoice. A control needs to be in place that ensures
invoices correspond with the receiving records before they are paid
(i.e., that the goods have been received). When goods are yet to be
received, there needs to be a process for ensuring that they do
arrive
- Errors in the amount paid: Payments should always be checked
against the invoice before they are sent. For example, if a
bookkeeper prepares several cheques, the person who signs them
should review the related invoices (or supplier statement).
Ideally, there would be a system of noting on the invoice that the
goods were received for the amount invoiced
Internal controls in accounting: Payroll
The payroll stream relates to all of the actions involving
payroll processing and will naturally overlap with some of your HR
functions. The following are key activities where having internal
controls ensures oversight:
- Preparing and reviewing timesheets: This is a key internal
control for supporting all employees’ time. It is especially
important for hourly employees and for supporting the amount of a
salary that is allocated to a project (this information may be
needed for funding purposes such as IRAP or for SR&ED tax credit
claims)
- Correctly calculating employees’ wages: This includes making
sure that the wages that are paid to an employee agree with the
amount that was authorized for that employee. It also extends to
ensuring that the payroll deductions are properly calculated. While
this process can be made easier by using a payroll provider, it is
important that the payments be properly reviewed
- Monitoring changes in payroll: It can be easy to base the next
payroll on the last, but when there are changes, it is essential
that they be properly communicated to the person in charge of
payroll
- Monitoring for non-employees: Employees who leave the company
and are not removed from the payroll system, or fictitious people
who are added to the payroll system, are a large risk to the
payroll stream. It is important that the pay register is reviewed
regularly by someone other than the employee normally in charge of
processing payroll, and that that person has knowledge of the
current employee list
Internal controls in accounting: Sales, receipts and
receivables
Similar to PPP, this stream deals with all of the transactions
related to the sale of goods and services. The following are key
areas where having internal controls ensures oversight:
- Incorrect/unauthorized sales prices, discounts and credits:
Where prices and discounts are flexible, there should be a range of
discounts that are allowed to be offered, with and without
management approval. Any discounts given and any credit memos later
applied should be compared to the allowable range
- Sales being incorrectly recorded or not recorded: In the case
where employees manually enter sales, have a process to ensure that
the sales are being recorded and that they are being recorded
accurately. If invoices are not being generated from a computer
system, using pre-numbered invoices (and ensuring that all invoice
numbers are accounted for) is a good start
- Payments not received: There is a risk that payments will not
be received. Therefore, a system is needed to ensure that
receivables are being collected and credited to the correct
customer’s account receivable