RISKS AND CONTROLS IN COMPUTER-BASED MATCHING (STUDY OBJECTIVE 6, continued)

SECURITY AND CONFIDENTIALITY RISKS

Applying automated matching processes means that people do not perform the matching and authorizing functions, because these take place within the system. Therefore, unauthorized access to the system increases the danger of fraudulent or fictitious payments. Someone who gains unauthorized access to the system's ordering and matching functions can insert fictitious vendors and invoices, and thus receive fraudulent payment. This risk can be lessened by authenticating users and limiting the access of authorized users. Passwords and user IDs should be used for any employee accessing the system. If the dollar amounts involved are extremely large or the data are sensitive, the use of biometrics, security tokens, or smart cards might be necessary to improve the strength of user authentication. In addition, authority tables should be established to limit access of authorized users to those subsystems necessary to their jobs. For example, a user who logs in to enter invoices should not be allowed to order goods. Computer logs should be maintained in order to have a complete record of users and their histories of use. The computer log will allow monitoring and identification of unauthorized accesses or uses.

PROCESSING INTEGRITY RISKS

Since the system authorizes payment of invoices, it is critical to ensure that it is programmed to correctly accomplish this matching. Errors in system logic can cause systematic and repetitive errors in matching. In simpler terms, if the system mistakenly matches documents, it will mistakenly match documents repetitively. Thus, erroneous system logic can quickly cause cash flow problems. This is also true of the logic used to find duplicate payments, where the system must be preprogrammed with the appropriate identifying criteria. If the criteria are too tightly defined, the system may not properly detect all duplicate payments. Alternatively, if the criteria are too loose, it may flag transactions that are not really duplicates. For example, if a company were to regularly and frequently order the same items at the same cost, it would become harder to determine which are duplicate invoices and which are not, because the quantities and prices would be the same. These risks of systematic errors in matching or duplicate payments can be lessened by routine tests of the system and through regular management review of reports of invoice payments.
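The effect of tight versus loose duplicate criteria can be seen by running different matching rules over the same invoices. The following is an added example, not part of the original text: the invoice records, field names, and the "normalized" middle-ground rule are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample invoices (illustrative only). Amounts are in cents.
INVOICES = [
    {"id": 1, "vendor": "V100", "number": "INV-1001", "amount_cents": 50000, "date": date(2024, 3, 1)},
    # Same invoice re-keyed without the hyphen: a true duplicate of id 1.
    {"id": 2, "vendor": "V100", "number": "INV1001", "amount_cents": 50000, "date": date(2024, 3, 1)},
    {"id": 3, "vendor": "V200", "number": "7001", "amount_cents": 25000, "date": date(2024, 3, 4)},
    # Legitimate repeat order: same vendor, same items, same cost, a week later.
    {"id": 4, "vendor": "V200", "number": "7002", "amount_cents": 25000, "date": date(2024, 3, 11)},
    {"id": 5, "vendor": "V300", "number": "A-55", "amount_cents": 9000, "date": date(2024, 3, 5)},
    # Exact resubmission of id 5: a true duplicate.
    {"id": 6, "vendor": "V300", "number": "A-55", "amount_cents": 9000, "date": date(2024, 3, 5)},
]

def tight_key(inv):
    """Too tight: every field must match exactly."""
    return (inv["vendor"], inv["number"], inv["amount_cents"], inv["date"])

def loose_key(inv):
    """Too loose: vendor and amount alone."""
    return (inv["vendor"], inv["amount_cents"])

def normalized_key(inv):
    """Assumed middle ground: invoice number compared after stripping
    punctuation and case, together with vendor and amount."""
    number = "".join(ch for ch in inv["number"] if ch.isalnum()).upper()
    return (inv["vendor"], number, inv["amount_cents"])

def find_duplicates(invoices, key_fn):
    """Group invoices by key_fn; return groups of ids sharing a key."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[key_fn(inv)].append(inv["id"])
    return sorted(tuple(ids) for ids in groups.values() if len(ids) > 1)

if __name__ == "__main__":
    for name, fn in [("tight", tight_key), ("loose", loose_key),
                     ("normalized", normalized_key)]:
        print(f"{name:>10}: {find_duplicates(INVOICES, fn)}")
```

The tight rule misses the re-keyed duplicate (ids 1 and 2), while the loose rule flags the legitimate repeat order (ids 3 and 4). This is why the criteria need routine testing against known cases.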

AVAILABILITY RISKS

As is always true of IT systems, the more reliance is placed on the system, the more critical it becomes to make sure that the system is available. Any system breakdowns or interruptions can stop or slow the processing of invoices and payments. Extreme delays in paying invoices could lead to lost discounts, late fees, interest charges, or loss of a vendor. Therefore, it is important to maintain backup systems and backup files. Since the matching is done within the system rather than manually, there may not be a paper trail of transactions processed. Therefore, backup files must be maintained to ensure a complete audit trail. In addition, uninterruptible power supplies and disaster recovery plans should be in place to allow continued operations even in the event of power outages or natural disasters.
