RISKS AND CONTROLS IN EVALUATED RECEIPT SETTLEMENT (STUDY OBJECTIVE 7, continued)

Unfortunately, eliminating parts of a manual matching process also eliminates some of the internal controls inherent in a three-document match of purchase order, receiving report, and invoice. Since some internal controls are eliminated, it becomes necessary to compensate for this loss of controls by strengthening other controls or implementing additional controls. First, the receiving procedures must be established to ensure that goods are accepted only when part numbers and quantities match exactly. There is no reconciliation process later for substitutions, overshipments, or partial shipments. Thus, an organization that wishes to institute an invoiceless matching process must also establish close working relationships with vendors and negotiate firm prices prior to ordering. Since goods are accepted only when quantities match, the vendors must understand that receiving personnel will not accept a shipment unless it matches exactly. Payment is based on those prior negotiated prices, not on an invoice. This speeds the entire receiving and paying process and eliminates much time and cost in processing payments. The organization and the vendor must work together to minimize exceptions such as substitutions of product, damaged products, and partial shipments. The organization should also have established procedures to handle the few exceptions quickly.

There are also IT risks inherent in an invoiceless system. These risks are in the categories of security, confidentiality, processing integrity, and availability.

SECURITY AND CONFIDENTIALITY

User authentication controls are necessary to prevent unauthorized access to purchase-related files and to prevent fraudulent or fictitious vendor payments. User IDs and passwords should be required of all users of the purchasing and payment systems. Authority tables establish the access levels of authorized users. This prevents unauthorized users from initiating purchase transactions. Computer logs can assist management in monitoring user access and in detecting unauthorized access or misuse of purchase and payment systems.

PROCESSING INTEGRITY

As described in the previous discussion on automated matching system risks, errors in system logic can lead to repetitive errors in authorizing payments. Therefore, the system must be monitored and tested to ensure the accuracy and completeness of the matching and payment approvals. This monitoring and testing should also include tests to ensure that duplicate payments are appropriately avoided.
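The following added example (not from the text) sketches one such test: it re-checks each payment against the exact-match receiving rule, the negotiated purchase-order price, and a duplicate-payment rule. All record layouts, identifiers, and amounts are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data (not from the text): purchase orders carry the
# negotiated unit price; the system pays PO price x received quantity.
PURCHASE_ORDERS = {
    "PO-1001": {"part": "A-100", "qty": 50, "unit_price": Decimal("12.50")},
    "PO-1002": {"part": "B-200", "qty": 10, "unit_price": Decimal("99.00")},
    "PO-1003": {"part": "C-300", "qty": 20, "unit_price": Decimal("4.25")},
}
RECEIPTS = {
    "RR-1": {"po": "PO-1001", "part": "A-100", "qty": 50},
    "RR-2": {"po": "PO-1002", "part": "B-200", "qty": 8},   # partial shipment
    "RR-3": {"po": "PO-1003", "part": "C-300", "qty": 20},
}
PAYMENTS = [
    {"id": "PAY-1", "receipt": "RR-1", "amount": Decimal("625.00")},
    {"id": "PAY-2", "receipt": "RR-1", "amount": Decimal("625.00")},  # duplicate
    {"id": "PAY-3", "receipt": "RR-2", "amount": Decimal("792.00")},  # mismatch paid
    {"id": "PAY-4", "receipt": "RR-3", "amount": Decimal("85.50")},   # wrong amount
    {"id": "PAY-5", "receipt": "RR-9", "amount": Decimal("10.00")},   # no receipt
]

def audit_payments(pos, receipts, payments):
    """Return a sorted list of (payment_id, finding) exceptions."""
    findings = []
    seen = Counter()  # number of payments already seen per receiving report
    for pay in payments:
        rr = receipts.get(pay["receipt"])
        if rr is None:
            findings.append((pay["id"], "no receiving report"))
            continue
        seen[pay["receipt"]] += 1
        if seen[pay["receipt"]] > 1:
            findings.append((pay["id"], "duplicate payment"))
            continue
        po = pos.get(rr["po"])
        # Receiving rule: part number and quantity must match the PO exactly.
        if po is None or (rr["part"], rr["qty"]) != (po["part"], po["qty"]):
            findings.append((pay["id"], "receipt does not match PO exactly"))
            continue
        # Payment rule: amount is the negotiated price, not an invoice figure.
        if pay["amount"] != po["unit_price"] * rr["qty"]:
            findings.append((pay["id"], "amount differs from negotiated price"))
    return sorted(findings)

if __name__ == "__main__":
    for payment_id, finding in audit_payments(PURCHASE_ORDERS, RECEIPTS, PAYMENTS):
        print(payment_id, finding)
```

Run periodically over the payment file, a check like this surfaces a logic error in the matching program before it repeats across many payments.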

AVAILABILITY

Since the system relies heavily on an IT system that can quickly access online purchase-order files, a system interruption or slowdown can halt all receiving activity. Receiving processes could not operate without the ability to view online purchase-order files. Therefore, backup systems and backup data are crucial to ensuring availability of the system at all times. The general controls should also include uninterruptible power supplies and extensive disaster recovery plans to allow continued operations without interruptions.
