SAP R/3 Accounts Payable Application Controls

Audit Program
Contributed August 29, 2001 by julia.bird@phoenix.gov

VENDOR MASTER TESTING (VM)

Detailed Testing - VM - Vendor Master

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Using a valid selection method, test items to verify that controls/
procedures are in place and functioning properly.

If procedures are not occurring as documented, perform sufficient testing to

determine actual procedures being performed & document them.

Scope:
Select transactions from the most recent months.

Detailed Testing - 1. VM create walk-through

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Select a sample of vendor master records created by both Finance and Housing
and:
* trace information to vendor master form
* verify proper authorization
* search for duplicate vendor records
* verify the user that made the change has the appropriate SAP user profile
* verify that all required information was input

Detailed Testing - 2. VM user profile analysis

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Obtain list of Citywide user profiles with Vendor Master access. Review the
list for:
* reasonableness of access related to job duties
* employees that no longer need access (i.e. chg of duties, left City)
* conflicting access (i.e. Create vendor & AP duties)
* proper approval of authorization

Detailed Testing - 3. VM input observation

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Observe a user creating a Vendor Master Record and verify:
* mandatory fields are required
-name
-address
-grace days due date
-cash discount terms displayed
-amount
-percentage
-cash discount adjusted to
-specifications for posting residual items from payment differences
-payment advice tolerances for outstanding payables
-tolerance group
* the vendor's 1099 is used for input
* the user checks for same name/duplicate record
* invalid information is not accepted
* override authorization (if any)
* error/warning appears when erroneous information is entered, or when
required information is omitted
* naming conventions are used
* vendor is blocked for payment if information is missing
* vendor coding form is used as source document

Detailed Testing - 4. VM vendor master change report

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Verify that the AP staff reviews report RFKABL00 to review modifications to
vendor information

Detailed Testing - 5. VM alternative payee

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Obtain a list of all Vendor Master Records with an alternative payee. Select
a sample from the list and review supporting documentation for accuracy and
proper approval.

INVOICE PROCESSING

Detailed Testing - IP - Invoice Processing

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Using a valid selection method, test items to verify that controls/
procedures are in place and functioning properly.

If procedures are not occurring as documented, perform sufficient testing to

determine actual procedures being performed & document them.
Scope:
Select transactions from the most recent 6 months.

Detailed Testing - 1. IP create walk-through

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Select a sample of invoices and:
* verify proper dept approval
* verify proper AP approval
* trace information to supporting documentation
* verify that the posting to the vendor account agrees to the g/l posting
* verify documents were stored properly
* verify the RF was properly reduced (if applicable)
* verify mathematical accuracy of the invoice
* invoice is stamped "Paid"

Detailed Testing - 2. IP user profile analysis

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Obtain list of Central AP user profiles with Invoice create/change/approve
access. Review the list for:
* reasonableness of access related to job duties
* employees that no longer need access (i.e. chg of duties, left City)
* conflicting access (i.e. Invoice create & warrant distribution)
* proper approval of authorization

Detailed Testing - 3. IP input observation

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Observe users creating, changing and approving an Invoice and verify:
* posting keys are limited to document type
* SAP automatically selects posting keys
* SAP requires debit and credit entries to net to zero before posting
* payee or amount cannot be changed after supervisor has released PCD
* each line is being reviewed by Finance AP staff
* mandatory fields are required
* invalid information is not accepted
* AP staff checks for a PO before approving
* AP staff checks commodity invoices for a PO, COR or DPO
* AP staff checks for an RF# before approving
* SAP does not allow the same invoice to be entered if the following are the
same:
-Invoice number
-Vendor number
 -Invoice date
* Finance AP staff can not change a payee or amount after the invoice is
posted
* SAP gives a warning if Business Area and Cost Center are not compatible

Detailed Testing - 4. IP duplicate invoice testing

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Document and review the system checks for identifying duplicate invoices.

Review copies of the duplicate invoice report from SAP, and verify that
Finance staff is taking appropriate action.

Use ACL to verify SAP does not allow duplicate invoices to be entered if the
following information is the same:
* invoice number
* vendor number
* invoice date

Detailed Testing - 5. IP timeliness

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
A. Review cycle time information kept by the Finance Dept on the timeliness
of invoice input.

B. Obtain a report for invoices entered for a period of time, and determine
the percent of invoices paid late.

C. Review the dept's use of the following reports:

* Vendor Account Balance (RFKSLD00)
* Vendor Line Items (RFKEPL00)
* Vendor Purchase List (RFKUML00)
* invoices parked or held

Detailed Testing - 6. IP reversal entries

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Verify that only Finance AP Supervisors have access to reverse a document.

Document and test AP staff controls to detect reversal entries.

Detailed Testing - 7. IP MM documents keyed in FI

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Obtain the most recent reconciliation of g/l account 291000, and verify AP
staff review of outstanding items

Detailed Testing - 8. IP invoices against RFs

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Obtain a list of documents with RF numbers referred to in the user-defined
field.

Select a sample of documents, and verify that the RF was properly reduced.

INVOICE VERIFICATION

Detailed Testing - IV - Invoice Verification

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Using a valid selection method, test items to verify that controls/
procedures are in place and functioning properly.

If procedures are not occurring as documented, perform sufficient testing to

determine actual procedures being performed & document them.

Scope:
Select transactions from the most recent 6 months.

Detailed Testing - 1. IV create walk-through

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Rely on Observation and GR/IR reconciliation tests (items IV 3&4)

Detailed Testing - 2. IV user profile analysis

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Obtain list of Central AP user profiles with Invoice Verification
change/approve access. Review the list for:
* reasonableness of access related to job duties
* employees that no longer need access (i.e. chg of duties, left City)
* conflicting access (i.e. Invoice Verification & Goods Receipt create)
* proper approval of authorization

Detailed Testing - 3. IV input observation

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Observe users changing and approving invoices and verify:
* each line is being reviewed by Finance AP staff
* mandatory fields are required
* invalid information is not accepted
* SAP displays PO line items automatically
* SAP gives a warning if the tolerance limit is exceeded
* AP clerk notifies Purchasing of exceptions
* SAP automatically (or AP clerk manually) blocks the invoice if tolerance is
exceeded
* AP clerk checks invoice for a PO reference
* AP clerk looks for PO, COR, and DPO for commodities invoices

Detailed Testing - 4. IV GR/IR reconciliation

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
1. Run the tolerance limit report to verify SAP MM/FI-AP tolerance limits.

2. Review the GR/IR g/l account (#291000), and discuss with AP staff

(GR = Goods Receipt; IR = Invoice)

DISBURSEMENT

Detailed Testing - D - Disbursement

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Using a valid selection method, test items to verify that controls/
procedures are in place and functioning properly.

If procedures are not occurring as documented, perform sufficient testing to

determine actual procedures being performed & document them.

Scope:
Select transactions from the most recent 6 months.

Detailed Testing - 1. D pmt run walk-through

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Select a sample payment run and:
* verify any changes were made by authorized users
* verify supervisory approval of the payment run
* verify all invoices due for that day were included in the payment run
* document procedures to review Payment Proposal List and Exception List
* verify that each invoice paid is assigned a clearing document number, date
and check number
* verify that no cleared items were paid
* verify that the print file disappears after it is printed
* document any "check print restart" events, and verify spoiled checks were
retained and checks were completed
* verify blocked payments were not paid
* verify invoices were properly posted in FI-GL, using g/l account 220000
* verify check register includes all check numbers
* verify check register is reconciled with the Job Run
* verify all voided checks are included on the print report
* verify checks are mailed out or secure after printing
* verify Admin Accounts review of checks => $100,000
* verify Collections review of checks

Detailed Testing - 2. D manual check walk-through

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Inventory all manual checks and verify that missing check numbers are in SAP

Verify blank checks are secure

Verify that the City Controller requires SAP Check List prior to signing the
manual checks

Verify independent review of the manual check log

Verify that the signature stamp is secure

Select a sample of invoices paid via manual check, and trace the manual check
number to the clearing document in SAP

Verify manual checks are pre-numbered

Detailed Testing - 3. D user profile analysis

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Obtain list of Citywide user profiles with disbursement-related access.
Review the list for:
* reasonableness of access related to job duties
* employees that no longer need access (i.e. chg of duties, left City)
* conflicting access (i.e. disbursement preparation & disbursement approval)
* proper approval of authorization

Obtain a list of Citywide user profiles with Payment Output authorization,

and review the list for:
* reasonableness of access related to job duties
* employees that no longer need access (i.e. chg of duties, left City)
* conflicting access (i.e. disbursement preparation & disbursement approval)
* proper approval of authorization

Detailed Testing - 4. D input observation

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Observe the entire payment run process and verify:
* the AP Supervisor reviews the Payment Proposal List and Exception List
* SAP automatically assigns sequential check numbers
* AP Supervisor reconciles the number of checks in the register to the number
recorded in the SAP Job Log
* voided and spoiled checks were properly handled
* Accounts Admin reviews all checks => $100,000
* Collections reviews all checks for PLT customers owing the City money

Detailed Testing - 5. D discounts

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Calculate the amount of discounts lost due to late payments.

Verify that SAP is properly calculating discounts at the time of payment.

Detailed Testing - 6. D duplicate payment testing

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Select a sample payment run and verify that:
* invoices were assigned a clearing document
* no cleared invoices were paid
* no blocked invoices were paid
* the print file disappears after the checks are printed

Detailed Testing - 7. D payment of credit memos

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Document the process for payment of credit memos

Detailed Testing - 8. D pmts to employees

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Select a sample of payments made to employees, and verify proper
authorization.

If possible, use ACL to subtotal checks to employees by employee name, and

review the results.

Detailed Testing - 9. D bank reconciliation review

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Document segregation of duties between disbursements and bank reconciliation.

Select a sample of reconciliations and review unreconciled items.

Detailed Testing - 10. D pmts > $100,000

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Select a sample check run, and:
* verify Admin Accounts review of checks => $100,000
* verify Treasury review of checks => $100,000

Detailed Testing - 11. D reissued check review

Purpose/Objective:
To determine that controls/ procedures are functioning as documented.

Detailed Step:
Select a sample of re-issued checks and verify that the original warrant was
never cashed

Agree check information to supporting documentation

Verify supervisor approval on all re-issued checks.

Detailed Testing - Lost/stolen checks

Purpose/Objective:
To review checks listed as lost/stolen for proper documentation

Detailed Step:
Obtain a list of all checks listed as lost/stolen, and determine the reason.