Are Your Desktop Computers a Breeding Ground for Errors or Disbursement Fraud?
Author: Bob Lovallo
New systems and upgrades are typically tested before a company goes live with them. Similarly, the controls surrounding these applications, as well as general accounts payable policies and procedures, have come under closer scrutiny in light of Sarbanes-Oxley. But what about your desktop applications? What testing and reviews go on around those functions? We're talking about those small processes or workarounds that crop up in many organizations. Let me give you an example and then show you what went very wrong in one organization. I'll share tips that your organization can use to ensure you have the proper controls on all your desktop applications.
Real Life Example
Some firms track their escheatable items on an Excel spreadsheet. When bank accounts are closed, as they inevitably are, outstanding checks have to be dealt with. Some organizations leave the accounts open until all the checks clear. Typically a few checks are never cashed. After proper research they may be deemed escheatable. In this case, at the organization in question, the appropriate information was entered onto an Excel spreadsheet, the accounting entries made, and at the appropriate time, the items were turned over to the state. "So, what's the problem?" you ask.
At the firm in question someone was changing the entries on the Excel spreadsheets. The change did not cost the company a red cent, so its financial records were never affected. What some crafty individual was doing was changing the name of the company to whom the funds were owed to the name of an individual. If this 'adjustment' had not been detected, the individual would then have been able to collect the funds free and clear from the state and no one would have been the wiser.
Could this happen at your company? This is just one example of a transaction that would typically fly under the radar in many organizations. Clearly, a process to ensure the quality and accuracy of the data in your desktop applications should be a high priority.
Overview
Normally disbursement data is entered in and resides on an Accounts Payable application where formal and applicable disbursement controls are in place. When the AP data source does not contain essential business controls, there is a real exposure to fraud. Here are some of the issues every manager needs to consider.
1) Are your critical disbursement-sensitive data and files residing on desktop computers secure?
2) Are the data and files protected to prevent fraud?
3) Is there an audit trail that supports data and file additions, changes or deletions?
4) Do you have an inventory list of such disbursement-sensitive files?
5) If you do have an inventory, have you performed an ongoing security check and audit for data integrity?
6) Do you have desk procedures in place to ensure that control and auditability are maintained?
7) Do your procedures also address and maintain appropriate segregation of duties?
It is important that information at every step of the process has the appropriate controls in place. You will need to verify the input, the calculations and the output.
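One way to run the integrity check from questions 3 to 5 against a register like the one in the example above, assuming the spreadsheet is exported to CSV at each sign-off. This is an added example, not part of the original article; the column names and sample rows are constructed.

```python
import csv
import hashlib
import io

# Constructed sample data: an approved snapshot of the register and a later copy.
BASELINE_CSV = """check_no,payee,amount,issue_date
10452,Acme Supply Co,1250.00,2006-03-14
10519,Northside Freight LLC,310.75,2006-04-02
10633,Delta Office Products,89.10,2006-05-21
"""
CURRENT_CSV = """check_no,payee,amount,issue_date
10452,Acme Supply Co,1250.00,2006-03-14
10519,J. Example,310.75,2006-04-02
10700,Harbor Printing Inc,42.00,2006-06-30
"""

def file_digest(text):
    """SHA-256 of the whole export; record it in the file inventory at sign-off."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def load_rows(text, key="check_no"):
    """Index rows by check number, normalising stray whitespace."""
    reader = csv.DictReader(io.StringIO(text))
    return {r[key].strip(): {k: v.strip() for k, v in r.items()} for r in reader}

def diff_register(baseline_text, current_text):
    """Return (check_no, finding, detail) tuples for every difference."""
    base, cur = load_rows(baseline_text), load_rows(current_text)
    findings = []
    for check_no in sorted(base.keys() | cur.keys()):
        old, new = base.get(check_no), cur.get(check_no)
        if old is None:
            findings.append((check_no, "ROW_ADDED", new["payee"]))
        elif new is None:
            findings.append((check_no, "ROW_DELETED", old["payee"]))
        else:
            changed = [f for f in old if old[f] != new.get(f)]
            if "payee" in changed and "amount" not in changed:
                # Totals still reconcile, so only a field-level comparison sees this.
                detail = f"{old['payee']} -> {new['payee']}"
                findings.append((check_no, "PAYEE_CHANGED_AMOUNT_SAME", detail))
            elif changed:
                findings.append((check_no, "FIELDS_CHANGED", ",".join(changed)))
    return findings

if __name__ == "__main__":
    if file_digest(BASELINE_CSV) != file_digest(CURRENT_CSV):
        for finding in diff_register(BASELINE_CSV, CURRENT_CSV):
            print(*finding, sep=" | ")
```

The approved snapshot and its digest should be held by someone other than the person who maintains the spreadsheet, so the comparison also supports segregation of duties.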
Recommendation
To get the fraud-prevention ball rolling on your desktop applications, a formal audit review process should take place on a periodic basis. Its purpose is to verify by inspection that "desktop applications" have met control assessment criteria and to certify that the application output provides accurate data to AP. This will better protect the company against fraud.
The inspection or review should contain a formal rating for the controls and auditability found in the application, so management can be made aware of any control problems as well as their severity. The bottom line is that a structured application review and post-review audit report process needs to be adopted. It should assess the adequacy of desktop application control points and audit trails to confirm that the application is doing what it is supposed to do.
If the reviewers identify specific control problems, they should recommend what corrective actions the application owner must take to eliminate application control weaknesses. Often, the authority to implement this type of review lies outside the accounts payable department. Only the Controller, the CFO or an authorized designee with that high level of authority can add and enforce these additional controls on the applications. If management is willing to take these actions, they can better protect themselves and the company against fraud, because in most companies these small desktop applications receive little or no financial management visibility.
Bob Lovallo is President of Pinpoint Profit Recovery Services. He has spent over eight years successfully managing AP recovery audits of all sizes. Prior to establishing Pinpoint, Bob's 30 year career in Fortune 500 environments spanned controllership and management positions in areas of internal audit, payables, financial systems, finance and accounting.
Article Source: http://www.a1articles.com/article_833206_19.html