ITAC 100 roles and main responsibilities
How to implement ITAC 100
Definitions
ITAC 100 naming convention
Main changes performed prior publication
ICRF 04: Sales & customer services
Control 4.3: Review of user profiles and access to the sales management system
I04.A01 Access review to Customer master data
I04.A02 Access review to cash receipts
I04.A03 Access review to create or maintain deliveries
I04.A04 Access review to create or maintain credit memos
I04.A05 Access review to create or maintain invoices
Control 4.21: Confirming a client’s credit balance upon placing an order
I04.C05 Block sales orders when credit limit is exceeded
I04.A07 Access review to unblock sales document
Control 4.32: Managing invoices for deliveries and stock outgoings
I04.C09 Sales billing are automatically transferred to accounting
I04.C10 Coherence between Sales order, delivery and invoice
SG ITAC100 Manual 2
Control 4.37: Revenue recognition
I04.T03 Billing due list is cleared before end of the accounting period
I04.C12 Procedure of account allocation to sales billing documents
I04.T04 Reconciliation between sales management system and general ledger
Control 5.4: Review of user profiles and access to the stock management system
I05.A01 Access review to inventory movements
Control 5.7: Creating/editing/deleting entries from the stock master file
I05.A03 Access review to material master data
I05.R01 Review modifications of material master data
Control 5.8: Annual review of the structure of the article master file
I05.R02 Review of article master file
Control 5.19: Reconciliation between the finance module and the stock management module
I05.C04 Stock movements generate automatic posting in accounting system
Control 5.20: Approving the parameters for stock levels management
I05.T03 Acceptable level of stock is configured
I05.R03 Review of replenishment strategy
Control 5.27: Reconciliation between the stock in accounting, the stock management system and the physical stock
I05.R05 Report of stock values
I06.A03 Access review to create supplier agreement or contract
Control 6.7: Review of profiles, other than purchasers with access permission to the purchase management system
I06.A04 Access review to create purchase orders
I06.A05 Access review to approve purchase orders
I06.A06 Access review to process goods receipts
I06.A07 Access review to perform service receipts
I06.A08 Access review to record supplier invoices
Control 6.19: Approval of new/modified supplier tariffs and purchasing terms
I06.R02 Supplier's tariffs and purchasing terms are reviewed
Control 6.30: Handling variances between the invoice and the order
I06.C07 Definition of tolerances limits between invoices and orders
Control 6.33: Monitoring prepaid invoices received and not invoiced
I06.C08 GRNI are automatically posted
I06.T04 Monitor unmatched invoices and receptions
Control 15.6: Review of users profiles and access to the cash management system
I15.A01 Access review to payment preparation
I15.A02 Access review to payment execution
Control 15.35: Verifying the valuation of foreign currency accounts
I15.C04 Foreign Exchange reevaluations are automatically posted by the system during the closing process
Control 16.2: Management of users profiles and access permissions to the modules of the accounting system
I06.A01 Access review to maintain supplier master data
Control 16.6: Formalization of the Chart of accounts and of the rules for allocation
I16.C01 Each business transaction posted in accounting system should have a booking scheme
Control 16.10: Review of the access rights for modification of the Chart of accounts
I16.A02 Access review to maintain chart of accounts
Control 16.20: Control of the general ledger balances/sub-ledger balances
I16.R05 AP and AR reconciled to GL
I16.R06 Control of the general ledger balances/sub-ledger balances
Introduction
The Internal Control Reference Framework (ICRF) is a guide for implementing internal control in the Group.
It describes internal control general principles, highlights the way Internal Control is to be implemented in the
subsidiaries of the Saint-Gobain Group, explains the controls and describes the monitoring process of the
Internal Control system. The ICRF is structured by process. All 17 processes cover the main operations run at
all Group levels.
At the core of the information systems, Enterprise Resource Planning (ERP) applications support the
operations of business activities, especially in Sales, Stocks, Purchasing and Accounting. Among the controls
described in the ICRF for these 4 processes, some can be automated or semi-automated as IT
Automated Controls (ITAC).
In that perspective, the enclosed document ITAC 100 constitutes a support tool to implement the hundred
minimum IT Automated Controls in an ERP environment, and in particular in SAP for the modules SD, MM and FI
that support the Sales, Stocks, Purchasing and Accounting processes. These controls could/should be extended
locally by other ITACs in order to improve the ICRF automation compliance.
Therefore, the distribution of the ITAC 100 with the ICRF Controls is as follows:
Sales 43 14 29
Stocks 35 14 20
Purchasing 36 11 22
Accounting* 41 15 29
155 54 100
*4 ICRF and 7 itacs controls on Treasury process
ITAC 100 roles and main responsibilities
Main ITAC 100 actors are:
- IT Application competency centers (CC): Any team in charge of the design, implementation and
maintenance of the application. The CC will mainly be responsible for customizing the system and supporting the
business. They will also be responsible for customizing reports, transactions, etc.
- Business (Functional Departments): As described in the ICRF, Functional departments are responsible
for the internal control system in place. Functional departments will be able to use ITAC 100 to
improve the effectiveness and efficiency of Internal Control.
- Group:
o DSI Security Group: In charge of publishing and updating this framework aligned with the
Internal Control Department. Security department will support mainly IT Application
competency centers and follow up ITAC 100 implementation.
o Internal Control Department: In charge of the design of the Group’s internal control system
and coordinating its deployment. It will mainly support the Functional Departments.
- IT (Application competency centers): Define roles considering each sensitive action, provide reports; Configures the ERP according to business needs; Provide reports according to business organization and needs; Deliver integrated solution
- Business (Functional Departments): Define Business Processes and Organization; Review and validate user access; Execute transactions to comply with ICRF controls; Review and use report to comply with ICRF controls
- Group: Design of the Group’s internal control system (ICRF) and frameworks (ITAC100)
How to implement ITAC 100
The implementation of ITAC 100 is a project involving the IT function (Competency Centers) and Business
functions (Sales, Purchasing, Stock&Logistic, Accounting).
There are two major contexts of implementation:
1. At the time of implementing a new information system or performing a major upgrade
2. After the system has been implemented.
In this context, ITAC 100 should be used at the different phases of the project:
1. Specification: include the ITAC 100 requirements in the functional and technical specifications
(Business requirements and organization, access restriction, master data management, reports,
transactions).
2. General and detailed Design
3. Implementation, acceptance tests and roll out: ITAC 100 shall be tested
Definitions
ICRF: Internal Control Reference Framework
Control Description and Risk: Description of the activity of control and the related risk described in the ICRF
ITAC: Information Technology Automated Control
ITAC objective: Internal control objective addressed by ITAC.
ITAC description: description of how to implement and to use the ITAC. It generally describes the
responsibility of the Business (functional requirements), the responsibility of the Competency Center
(technical implementation), and the use of the ITAC depending on the ITAC category (see infra.).
ITAC 100 technical implementation: Step by step process to implement the ITAC in an SAP environment.
Itac: ITAC described in this framework.
ITAC 100 Category
(A) Access review: Report of users with granted access to specific transactions and
authorization objects related to critical business process.
(C) Customizing: Configuration of SAP designed in SPRO (master data structure, workflow,
threshold…).
(T) Transaction: Built-in function to process the data (master data management, automatic
process).
- I is ITAC,
- PP is process number according to ICRF,
- C is control category letter, see ITAC 100 category above,
- NN is incremental number.
Main changes performed prior publication
The following table tracks the changes compared with the previous version, where:
- Changed: Indicates whether the itac has changed in any way. The change can be identified in the
columns “New”, “Deleted” and “Type of Change”.
- New: Indicates whether the control is new compared with the previous version.
- Deleted - Reason of deletion: Indicates whether the control has been deleted compared with the previous version,
and the reason.
- Type of change:
o Information update: Changes to any of the itac sections that could impact the itac
implementation but not the control objective.
o Typology of control: Changes where the itac has undergone a category change (A, C, T or R).
o ICRF covered: Changes where the itac covers another ICRF control. It will show the previous
ICRF covered.
- # control: Change of the itac control number. (It is not taken into account for the “Changed” column).
Versus v1 (Pilot)
50 8 3 38 1 6 26
Columns: itac, Itac Description, Changed, New, Deleted? (Reason of deletion), and under "Type of change": Information, Typology of control, ICRF controlled, # control
I04.A01 Access Review to customer master data Yes x -
I04.A02 Access Review to Cash Receipts Yes x -
I04.A03 Access Review to create or maintain deliveries Yes x -
I04.A04 Access Review to create or maintain credit memos Yes x -
I04.A05 Access Review to create or maintain invoices Yes x -
I04.A06 Access Review to maintain prices Yes x -
I04.C01 Use of articles categories No -
I04.C02 Manual pricing in Sales Order No -
I04.R01 Payment terms are set up in accounting and sales management systems Yes x X 4.18 I04.T01
I04.C03 Credit limits areas are correctly set up Yes 4.20 I04.C04
I04.C04 Key information for customer master data Yes x I04.C03
I04.R02 Review customer master data changes No I04.R01
I04.T01 Blocking customer process Yes x I04.T02
I04.R03 Review of missing and changed credit limit Yes x I04.R02
I04.R04 Credit limits Early warning Yes x New
I04.C05 Block sales orders when credit limit is exceeded No -
I04.A07 Access review to unblock sales document Yes x -
I04.C06 Key information is required in sales orders Yes x New
I04.C07 Sales credit note are automatically transferred to accounting No I04.C06
I04.C08 Returns and credit memos relate to valid sales orders or billing documents Yes x I04.C07
I04.C09 Sales billing are automatically transferred to accounting No I04.C08
I04.C10 Coherence between sales order, delivery and invoice No I04.C09
I04.T02 Define specific process for free goods No I04.T03
I04.R05 Review free goods Yes x I04.R03
I04.C11 Validation of credit memos before they are issued No I04.C10
I04.A08 Access review to release credit memos Yes x -
I04.T03 Billing due list cleared before end of the accounting period No I04.T04
I04.C12 Account determination procedure allocation to sales billing documents No I04.C11
xI04.C12x Reconcile account receivable Yes Deleted - Covered in control I04.C03
I04.T04 Reconciliation between sales management system and general ledger Yes x New
I05.C01 Physical storage areas must be recorded in the stock management system No -
I05.T01 Stock quantities must be calculated in the stock management system No -
I05.A01 Access review to inventory movements Yes x -
I05.C02 Sensitive articles (value, risk of theft, hazardous) are identified No -
I05.A02 Access review to sensitive material inventory movements Yes x -
I05.A03 Access review to material master data Yes x -
I05.R01 Review modifications of material master data No -
I05.R02 Review of article master file No -
I05.T02 Purchase orders not delivered on time are identified by the inventory management system No -
I05.C03 Any discrepancy in delivery relies on a level of tolerance No -
I05.C04 Stock movements generate automatic posting in accounting system No -
I05.T03 Acceptable level of stock is configured No -
I05.R03 Review of replenishment strategy Yes x -
I05.T04 Off-site and consignment stocks are managed by inventory management system No -
I05.C05 Define tolerance limits for inventory difference postings Yes x New
I05.R04 Stock adjustments review No -
I05.C06 Configure inventory management system to forbid negative quantity in stock Yes x 5.20 I05.C05
I05.R05 Report of stock values No -
I05.A04 Access review to register scrapped stocks Yes x -
I05.R06 Review scrapping and destructions No -
I06.A01 Access review to maintain supplier master data Yes x -
I06.A02 Access review to approve supplier creation/modification/deletion Yes x -
I06.A03 Access review to create supplier agreement or contract Yes x -
I06.A04 Access review to create purchase orders Yes x -
I06.A05 Access review to approve purchase orders Yes x -
I06.A06 Access review to process good receipts Yes x -
I06.A07 Access review to perform service receipts Yes x -
I06.A08 Access review to record supplier invoices Yes x -
I06.T01 Maintain alternative payee No -
I06.C01 Key information is required for supplier master data Yes x -
I06.R01 Review supplier master data changes No -
I06.T02 Blocking supplier process Yes x -
I06.R02 Supplier's tariffs and purchasing terms are reviewed Yes x -
I06.C02 Key information is required in purchase orders No -
I06.C03 Key information is required in scheduling agreements/contracts Yes x New
I06.C04 Purchase price is defined for supplier/material No I06.C03
I06.C05 Purchase orders need approval No I06.C04
I06.T03 Follow up of open purchase orders No -
xI06.C05x Supplier invoices are blocked for payment when recorded Yes Deleted - Risk covered with other controls
I06.C06 Set duplicate invoice criteria No -
I06.C07 Define acceptable variance between invoices and reception Yes x -
I06.C08 GRNI are automatically posted No -
I06.T04 Monitor unmatched invoices and receptions No -
I15.C01 Bank accounts are identified as such in accounting system No -
I15.R01 List of bank accounts is reviewed No -
I15.A01 Access review to payment preparation Yes x 6.7 I06.A09
I15.A02 Access review to payment execution Yes x 6.7 I06.A10
I15.C02 Definition of tolerances limits between incoming/outgoing payments and invoices Yes x 4.39 I04.C13
I15.C03 Define sensitive fields for dual control before incoming/outgoing payment release Yes x New
I15.C04 Foreign Exchange reevaluations are automatically posted by the system during the closing process No I15.C02
I16.A01 Access review to closing/open accounting period parameters Yes x New
xI16.R01x Chart of accounts is reviewed Yes Deleted - Risk covered by controls I16.T01,I16.R02
I16.C01 Each business transaction posted in accounting system should have a booking scheme No -
I16.C02 System is configured to map local accounts to SIF No -
I16.R01 Review SIF accounts G/L accounts mapping No I16.R02
xI16.R03x Review open accounts Yes Deleted - Risk covered by controls I16.T01,I16.R02
I16.T01 Block unused accounts No -
I16.R02 Changes made to the chart of accounts are reviewed Yes x -
I16.A02 Access review to maintain chart of accounts Yes x -
I16.C03 Ensure the number ranges of documents is correct No -
I16.R03 Review manual entries on automatic journalised process No I16.R05
I16.C04 Modification of automatic posting is restricted No -
I16.C05 Reversal posting of all logistic transaction must be defined into accounting system No -
I16.C06 Restrict manual entries on accounts only impacted by automatic postings No -
I16.C07 Define specific document type for non-standard manual entries No -
I16.R04 Non-standard manual entries are reviewed No I16.R06
I16.R05 AP and AR reconciled to GL No I16.R07
I16.R06 Control of the general ledger balances/sub-ledger balances No I16.R08
I16.C08 Set Saint-Gobain as intercompany group in accounting system No -
I16.C09 Intercompany process in the same accounting system No -
I16.T02 Identify trading partners No -
I16.R07 Intercompany reconciliation No I16.R09
I16.C10 Fiscal Year Variant Posting periods Yes x New
I16.C11 Posting period configuration Yes x New
ICRF 04: Sales & customer services
Control 4.3: Review of user profiles and access to the sales management system
ICRF
Control Description:
Access permissions to the sales management system and the modules of the accounting system shall be in accordance with the
allocation of functions and responsibilities.
Access permissions to perform sensitive transactions (creating, editing, deleting information from client files etc.) shall only be
given to users who require it.
The relevant IT department shall be informed of any changes (changes of position, departures, transfers etc.) by the department
managers.
The Sales Department and the Finance Department shall, no less than once a year, perform a review of all user profiles and
access permissions to the sales management system and the modules of the accounting system.
Risks:
Risk 4.5 - Theft, misuse of assets, laundering and collusion
Risk 4.6 - Differences between the order, the delivery and the invoice
APPLICATION CONTROLS
I04.A01 Access review to Customer master data
I04.A02 Access review to cash receipts
I04.A03 Access review to create or maintain deliveries
I04.A04 Access review to create or maintain credit memos
I04.A05 Access review to create or maintain invoices
Control 4.6: Check on creating and editing prices
ICRF
Control Description:
Access permission to update prices in the information systems is limited to authorized people.
Any creation or modification of details shall be checked by a person who does not have price-editing access in order to identify
any incorrect or unauthorized changes (using a computer print-out for example).
Risks:
Risk 4.3 - Offers, contracts, contract amendments or orders that do not comply with the company’s commercial policy
Risk 4.5 - Theft, misuse of assets, laundering and collusion
APPLICATION CONTROLS
I04.A06 Access review to maintain prices
I04.C01 Use of article categories
Control 4.7: Approving Discount and special terms of sales
ICRF
Control Description:
The granting of discounts, preferential rates or special terms of sale must be systematically approved by a suitable level of
management, in accordance with the delegation of powers.
A system shall be put in place to track cases in which such special terms have been granted.
Risks:
Risk 4.3 - Offers, contracts, contract amendments or orders that do not comply with the company’s commercial policy
Risk 4.5 - Theft, misuse of assets, laundering and collusion
APPLICATION CONTROL
Control 4.9: Approving a new client
ICRF
Control Description:
Every new client shall be assessed before an account is opened and any orders are processed in their name. In particular,
the assessment shall confirm/assess the following points:
- The legal existence of the client,
- The financial stability of the client,
- The sales prospects,
- The client’s reputation in the light of his practice.
Credit limits must be set up for all clients, with the help of the Finance Department. Whenever a potential recovery risk is
identified for a new client, strict payment terms (deposit, full payment in advance for example) may be applied.
Risks:
Risk 4.4 - Receivables not being collected
Risk 4.5 - Theft, misuse of assets, laundering and collusion
APPLICATION CONTROLS
I04.R01 Payment terms are set up in accounting and sales management systems
I04.C03 Credit Limits areas are correctly set-up
ITAC objective: New customers must be created with a credit block, requiring credit management to approve a credit limit before processing can continue.
ITAC description: Competency Center must implement the Credit limit customizing based on Business Requirement (Risk category, Business organization…).
ITAC 100 Transactions
OB45: SPRO:IMG > SAP Customizing Implementation Guide > Enterprise Structure > Definition > Financial Accounting > Define Credit Control Area
1) Set "Data for updating SD"
Update variant must be either "00012" or "00018".
2) Include in "Default data for automatically creating new customers" appropriate data for each field:
- Risk category
- Credit limit
- Credit representative group
Control 4.18: Approving creations/modifications in the customers master file
ICRF
Control Description:
Any creation/editing/deletion of a client account or client details must be correctly documented, justified and authorised.
The request form for the creation/modification of a client account and all documents sent by the client must be stored and
archived in a specific file.
At least once a month, the Sales Department shall review any sensitive details (payment terms for example) that have been
added or changed in the customer master file in order to ensure that there have been no unauthorised creations/changes.
Risks:
Risk 4.4 - Receivables not being collected
Risk 4.5 - Theft, misuse of assets, laundering and collusion
APPLICATION CONTROLS
I04.C04 Key information for customer master data
I04.R02 Review customer master data changes
Control 4.19: Checking account closures/deactivations
ICRF
Control Description:
The Commercial Department shall ensure that all legitimate decisions to close or deactivate a client account are entered into the
sales management system.
Risks:
Risk 4.4 - Receivables not being collected
Risk 4.5 - Theft, misuse of assets, laundering and collusion
APPLICATION CONTROL
ITAC 100 Transactions
XD05 - Block Customer
XD06 – Flag for deletion
Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.
Control 4.20: Annual review of credit limits
ICRF
Control Description:
Every client shall be given a credit limit.
At least once a year, the Finance Department and the Sales Department shall review and update client credit limits based on
activity, financial information and their commercial relationship.
Risks:
Risk 4.1 - Failure to respect legal obligations regarding commercial matters
Risk 4.4 - Receivables not being collected
Risk 4.5 - Theft, misuse of assets, laundering and collusion
APPLICATION CONTROLS
I04.R03 Review of missing & changed credit limit
I04.R04 Credit limits early warning
Control 4.21: Confirming a client’s credit balance upon placing an order
ICRF
Control Description:
An order shall be blocked if it means that the credit limits would be exceeded.
An order can be unblocked by a suitable level of management, if the special payment terms (account, cash payment etc.) defined
to limit the risk of non-collection, are met.
Risks:
Risk 4.4 - Receivables not being collected
APPLICATION CONTROLS
I04.C05 Block sales orders when credit limit is exceeded
I04.A07 Access review to unblock sales document
ITAC description: Competency Center must provide the report that lists the users with the ability to unblock sales orders.
The report can be split according to the Business organization.
Sales and/or Finance department shall review at least once a year this report.
ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).
1) the following transactions:
- VKM1 - Blocked SD document or
- VKM4 - Blocked SD document
- Custom Transactions (Z*) if applicable
2) at least the following authorization objects:
- V_KNKK_FRE, attribute ACTVT, value 23
- V_VBUK_FRE, attribute ACTVT, value 23
3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).
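An added example, not part of the ITAC 100 manual: one way to run the I04.A07 review over an exported list of user authorizations, flagging users who hold one of the listed transactions together with both authorization objects at ACTVT 23. The four-column export layout, the S_TCODE/TCD rows for transaction start, the user names and the custom transaction ZSD_UNBLOCK are assumptions made for the example; organizational data (point 3) is not evaluated.

```python
"""I04.A07-style access review over an exported authorization list (added example)."""
from collections import defaultdict

# Criteria quoted from the I04.A07 text.
UNBLOCK_TCODES = ("VKM1", "VKM4")
REQUIRED_OBJECTS = {                 # authorization object -> (field, value)
    "V_KNKK_FRE": ("ACTVT", "23"),
    "V_VBUK_FRE": ("ACTVT", "23"),
}
# Assumption: transaction start authorizations are exported as S_TCODE / TCD rows.
TCODE_KEY = ("S_TCODE", "TCD")

# Constructed sample export: (user, authorization object, field, value).
SAMPLE_ROWS = [
    ("ALICE", "S_TCODE", "TCD", "VKM1"),
    ("ALICE", "V_KNKK_FRE", "ACTVT", "23"),
    ("ALICE", "V_VBUK_FRE", "ACTVT", "23"),
    ("BOB", "S_TCODE", "TCD", "VKM4"),          # transaction only, display activity
    ("BOB", "V_VBUK_FRE", "ACTVT", "03"),
    ("CAROL", "S_TCODE", "TCD", "*"),           # wildcard grants cover everything
    ("CAROL", "V_KNKK_FRE", "ACTVT", "*"),
    ("CAROL", "V_VBUK_FRE", "ACTVT", "*"),
    ("DAVE", "S_TCODE", "TCD", "VA03"),         # unrelated access
    ("ERIN", "S_TCODE", "TCD", "Z*"),           # custom transactions only
    ("ERIN", "V_KNKK_FRE", "ACTVT", "23"),
    ("ERIN", "V_VBUK_FRE", "ACTVT", "23"),
]


def grants(granted: str, needed: str) -> bool:
    """True if a granted value covers the needed one: exact match, '*', or 'ABC*'."""
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return granted == needed


def review_unblock_access(rows, custom_tcodes=()):
    """Return {user: {"tcodes", "objects", "can_unblock"}} for users matching any criterion.

    custom_tcodes: site-specific Z* transactions that unblock sales documents
    (hypothetical names in this example; supplied by the reviewer).
    """
    tcodes = UNBLOCK_TCODES + tuple(t.upper() for t in custom_tcodes)

    # Authorizations accumulate across all roles of a user, so flatten per user.
    held = defaultdict(lambda: defaultdict(set))
    for user, obj, field, value in rows:
        held[user][(obj.upper(), field.upper())].add(value.strip().upper())

    findings = {}
    for user, auths in held.items():
        tcode_grants = auths.get(TCODE_KEY, ())
        matched_tcodes = sorted(
            t for t in tcodes if any(grants(g, t) for g in tcode_grants)
        )
        matched_objects = sorted(
            obj for obj, (field, value) in REQUIRED_OBJECTS.items()
            if any(grants(g, value) for g in auths.get((obj, field), ()))
        )
        if matched_tcodes or matched_objects:
            findings[user] = {
                "tcodes": matched_tcodes,
                "objects": matched_objects,
                # Effective ability: a transaction AND every listed object.
                "can_unblock": bool(matched_tcodes)
                and len(matched_objects) == len(REQUIRED_OBJECTS),
            }
    return findings


def format_report(findings):
    """Render findings as review lines, users with effective access first."""
    ordered = sorted(findings.items(), key=lambda kv: (not kv[1]["can_unblock"], kv[0]))
    return [
        "{:<8} {:<8} tcodes={} objects={}".format(
            user,
            "UNBLOCK" if f["can_unblock"] else "partial",
            ",".join(f["tcodes"]) or "-",
            ",".join(f["objects"]) or "-",
        )
        for user, f in ordered
    ]


if __name__ == "__main__":
    for line in format_report(review_unblock_access(SAMPLE_ROWS, ["ZSD_UNBLOCK"])):
        print(line)
```

Users reported as "partial" hold only part of the combination; they are worth a look during the annual review because one further role assignment would complete it.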
Control 4.22: Reviewing customer orders
ICRF
Control Description:
Every customer order must be correctly documented (purchase order, contract, amendment).
Any customer orders that are placed over the telephone must be confirmed to the client in writing (article, price, amount,
address etc).
Any large customer orders (amount and duration to be defined by the entity) must be systematically reviewed and signed by a
suitable level of management, before being processed and confirmed to the client in writing.
Risk:
Risk 4.3 - Offers, contracts, contract amendments or orders that do not comply with the company’s commercial policy
Risk 4.4 - Receivables not being collected
APPLICATION CONTROL
Control 4.27: Accepting returns
ICRF
Control Description:
The quantities and article codes for any returned goods must be checked and then entered into the stock management system.
Any return of goods must be documented and approved by the adequate level of management.
Accounting must be informed of all accepted returns as soon as possible, so that credit notes can be issued.
Risks:
Risk 4.2 - Loss of clients
Risk 4.5 - Theft, misuse of assets, laundering and collusion
Risk 4.8 - Missing or incorrect accounting entries
APPLICATION CONTROLS
I04.C08 Returns and credit memos relate to valid sales orders or billing
documents and they are properly documented
I04.C07 Sales credit notes are automatically transferred to accounting
I04.C08 Returns and credit memos relate to valid sales orders
or billing documents and they are properly documented.
Control 4.32: Managing invoices for deliveries and stock outgoings
ICRF
Control Description:
The entity has put in place a procedure in order to ensure that:
• All despatches are invoiced,
• All invoices are issued in accordance with the contractual terms and conditions,
• All invoices have a corresponding delivery note (and related documents) and customer order.
The monitoring of non-invoiced deliveries and invoices issued before delivery is formalised by the Accounting Department
according to a formalised procedure.
Risks:
Risk 4.1 - Failure to respect legal obligations regarding commercial matters
Risk 4.5 - Theft, misuse of assets, laundering and collusion
Risk 4.6 - Differences between the order, the delivery and the invoice
APPLICATION CONTROLS
I04.C09 Sales billing are automatically transferred to accounting
I04.C10 Coherence between Sales order, delivery and invoice
VTFL (SPRO > Sales and Distribution > Billing > Billing
Documents > Maintain Copying Control For Billing
Documents > Copying control: Delivery document to
billing document)
Control 4.34: Monitoring zero balance invoices
ICRF
Control Description:
All outflows of goods/finished products to third parties shall be recorded in an invoice.
A report of stock outgoings that are invoiced at zero is reviewed at least once a month by the suitable level of management in
order to detect any incomplete or incorrect entries.
Risks:
Risk 4.5 - Theft, misuse of assets, laundering and collusion
Risk 4.6 - Differences between the order, the delivery and the invoice
APPLICATION CONTROLS
I04.T02 Define specific process for free goods
I04.R05 Review free goods
Control 4.35: Monitoring credit notes
ICRF
Control Description:
A report of all credit notes issued shall be reviewed on a monthly basis by the Finance Department in order:
- To ensure that all the notes issued have been recorded and that all the notes recorded have been authorised,
- To detect any mistakes.
Risk:
Risk 4.5 - Theft, misuse of assets, laundering and collusion
APPLICATION CONTROLS
I04.C11 Validation of credit memos before they are issued
I04.A08 Access review to release credit memos
Control 4.37: Revenue recognition
ICRF
Control Description:
The turnover must be recorded in accordance with the Group rules, and respect the separation of accounting periods.
The Accounting Department shall reconcile the recorded turnover with the information from the sales management system.
It shall ensure that the turnover has been correctly broken down (Group, non-Group, sundry income).
Risk:
Risk 4.8 - Missing or incorrect accounting entries
APPLICATION CONTROLS
I04.T03 Billing due list is cleared before end of the accounting period
I04.T03 Billing due list is cleared before end of the accounting period
ITAC objective: All deliveries should result in the recognition of revenue or a receivable in the appropriate period.
Competency Center must ensure that there is at least a role with the ability to use this transaction and that the role has been assigned to the users selected by the business.
I04.C12 Procedure of account allocation to sales billing documents
ITAC 100 Transactions
OV33 (SPRO Sales and Distribution > Basic Functions > Account Assignment/Costing > Revenue Account Determination > Define And Assign Account Determination Procedures > Define Account Determination Procedure)
If exceptions are requested for business purposes (e.g. pro-forma), maintain a justification for each billing document type that is not assigned in Assign Account Determination Procedures.
I04.T04 Reconciliation between sales management system and general
ledger
ITAC objective: All invoices and credit notes generate accounting revenue/negative revenue.
ITAC description: Finance department must ensure that there are no billing documents blocked in the sales module and not transferred to accounting.
Competency Center must ensure that there is at least a role with the ability to use this transaction and that the role has been assigned to the users selected by the business.
ITAC in Risks & Controls Matrix (ICRF 04)
ICRF 05: Stock & Logistics
Control 5.2: Organization of storage
ICRF
Control description:
The way in which storage areas are to be organized is specified in a procedure that reiterates the following points:
• The reception, delivery and storage areas must be kept separate. If this is not possible, compensatory controls must be put in
place.
• All storage areas must be recorded in the stock management system.
• The exact physical location of a reference in stock must be known.
• The following stock categories must be identified and listed (physically and/or in the system):
- Products/goods of insufficient quality,
- Obsolete stock,
- Reserved orders.
- Bills on hold sales.
• The following stock must be identified and stored in a special area:
- Articles received, which are not in accordance with the order and that need to be returned to the supplier or collected by the
carrier,
- Client returns,
- Stock on consignment,
- Hazardous products.
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.5 - Acceptance of non-compliant stock
Risk 5.6 - Stock theft
APPLICATION CONTROLS
I05.C01 Physical storage areas must be recorded in the
stock management system
I05.T01 Stock quantities must be calculated in the stock management
system
Control 5.4: Review of user profiles and access to the stock management system
ICRF
Control description:
Access permissions to the stock management system and to the accounting system must comply with the rules for segregation
of duties, as described in Control 5.3.
At least once a year, the Stock Manager shall review all user profiles and access permissions to the stock management system
and shall inform the IT Department of any changes required (departures, transfers etc.).
Risks:
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value
APPLICATION CONTROL
Control 5.4: Review of user profiles and access to the stock management system
Risks addressed by ITAC: R5.6 and R5.8
ITAC objective: Review user list to detect userid that should not be granted access to inventory movements.
ITAC description: The Competency Center shall provide the reports according to the Business Organization. Stock Manager and finance manager shall review the list of the users with the help of the report and request the necessary changes.
ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).
Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to post goods movements (receipt, issue, transfer posting).
Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:
1) the following transactions:
- MIGO, MB1A, MB1B, MB1C: Goods movements
- CO11N: Production confirmation
- MFBF: Production booking
- VL01, VL01N, VL02, VL02N: Outbound Delivery
- MI07, MI10: Post Inventory Differences
- Custom Transactions (Z*) if applicable
2) at least the following authorization objects
- B_USERSTAT, attribute ACTVT, value 01
- M_MSEG_BMB, attribute ACTVT, value 01
- M_MSEG_BWA, attribute ACTVT, value 01
- M_MSEG_BWE, attribute ACTVT, value 01
- M_MSEG_BWF, attribute ACTVT, value 01
- M_MSEG_LGO, attribute ACTVT, value 01
- M_MSEG_WMB, attribute ACTVT, value 01
- M_MSEG_WWA, attribute ACTVT, value 01
- M_MSEG_WWE, attribute ACTVT, value 01
can also run the report with the appropriate variant for
further revisions.
Control 5.6: Storage of sensitive articles
ICRF
Control description:
Sensitive articles (value, risk of theft, hazardous) shall be identified and stored appropriately.
A list of sensitive stock articles is kept up to date. Access must be restricted to authorised people. The quantities of these stocks
shall be controlled every month.
The Site Manager shall ensure that all products are stored in accordance with the Group’s EHS policies. Access permissions to the
stock management system and to the accounting system must comply with the rules for segregation of duties, as described in
Control 5.3.
At least once a year, the Stock Manager shall review all user profiles and access permissions to the stock management system
and shall inform the IT Department of any changes required (departures, transfers etc.).
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.5 - Acceptance of non-compliant stock
Risk 5.6 - Stock theft
APPLICATION CONTROLS
I05.C02 Sensitive articles (value, risk of theft, hazardous) are
identified
I05.A02 Access review to sensitive material inventory movements
Control 5.7: Creating/editing/deleting entries from the stock master file
ICRF
Control description:
Access permissions to create/edit/delete any entries from the stock master file must be restricted to authorised people. The
process for creating/editing/deleting entries from the stock master file must be documented and approved.
The stock manager shall carry out, at least once a year, a review of all users and access permissions to the article master file, and
inform the IT Department of any changes required (departures, transfers etc.).
An independent person shall conduct a monthly review of any critical modifications (the Marketing Manager for example).
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value
APPLICATION CONTROLS
I05.A03 Access review to material master data
I05.R01 Review modifications of material master data
Control 5.8: Annual review of the structure of the article master file
ICRF
Control description:
The structure of the article master file is reviewed annually in order to ensure that the number of references is appropriate and
that all generic codes are cleared.
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
APPLICATION CONTROL
Control 5.11: Monitoring supplies
ICRF
Control description:
The entity has set up a system to identify any orders that are not delivered on the expected date (early or late).
This monitoring system can in particular be supported by a delivery schedule that sets out the suppliers’ delivery dates and the
expected quantities.
Risks:
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
APPLICATION CONTROL
Control 5.13: Management of discrepancies in delivery
ICRF
Control description:
All received goods must be recorded with an associated order number.
Any discrepancies in delivery must be approved by the Stock Manager before being accepted.
Deliveries received without a purchase order must remain an exception and be signed off by an authorised person. They shall be
regularly checked by a person independent from the stock management.
Risks:
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
Risk 5.5 - Acceptance of non-compliant stock
Risk 5.6 - Stock theft
APPLICATION CONTROL
Control 5.19: Reconciliation between the finance module and the stock
management module
ICRF
Control description:
Any physical movements of stock must as soon as possible lead to an accounting entry.
At least once a month, the Accounting Department shall reconcile the stock management system (or the stock management
module) and the accounting system (or the finance module) in order to validate any recorded changes in stock.
The identified errors shall be investigated and resolved in a timely manner.
Risk:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
APPLICATION CONTROL
Control 5.20: Approving the parameters for stock levels management
ICRF
Control description:
The entity has put in place a system to optimise stock levels and to steer supplies in order to avoid any shortfalls and to limit
surplus stock and obsolescence.
The parameters for this system (minimums, maximums, back-up stock, re-supplying levels etc.) must be reviewed and approved
by the Stock/Logistics Manager at least once a year.
Any changes to the parameters must be authorised by the Logistics Manager.
Risks:
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
APPLICATION CONTROLS
I05.T03 Acceptable level of stock is configured
I05.R03 Review of replenishment strategy
Control 5.22: Monitoring off-site stock and goods on consignment
ICRF
Control description:
There is a procedure for recording and managing off-site stock and stock on consignment.
This procedure in particular contains:
• The use of independent tracking reports in order to identify stock quantities and values,
• The frequency of stock counting for goods on consignment (at least once a year),
• The methods for reconciling the results obtained, and for investigating and solving any differences that are identified.
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.6 - Stock theft
APPLICATION CONTROL
Control 5.23: Approving stock adjustments following a stock counting
ICRF
Control description:
The Stock Manager shall justify, document and keep track of any significant inventory differences.
The Finance Department shall authorise and approve any adjustments (globally, by product family, or by article).
Accounting entries shall be documented and kept track of.
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value
APPLICATION CONTROLS
I05.C05 Define tolerance limits for inventory difference postings
I05.R04 Stock adjustments review
Control 5.26: Review of anomalies
ICRF
Control description:
Any quantities without a value, any values without a quantity, and any negative values or quantities must be investigated,
monitored or corrected at least once a month.
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and an excess of reserved stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value
APPLICATION CONTROL
Control 5.27: Reconciliation between the stock in accounting, the stock
management system and the physical stock
ICRF
Control description:
The Accounting Department shall justify the stock accounts on a monthly basis, reconciling:
• The accounting system (or the finance module),
• The stock management system (or the stock module),
• The results of the stock counting, when available.
The identified differences must be investigated and resolved within the month.
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value
APPLICATION CONTROL
Control 5.30: Approving the scrapping and destruction of stock
ICRF
Control description:
Any scrappings or destructions of stock must be performed in accordance with local legislation.
The Stock Manager shall systematically review and approve the list of the articles to be scrapped, using the procedure approved
by the Finance Department.
The Accounting Department shall reconcile:
• The scrapping report, the list of articles to be scrapped and the stock variation recorded in the stock management system,
• The amount of stock destroyed and written off, in accordance with Group rules.
Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value
APPLICATION CONTROLS
I05.A04 Access review to register scrapped stocks
I05.R06 Review scrapping and destructions
ITAC in Risks & Controls Matrix (ICRF 5)
ICRF 06: Purchasing
Control 6.6: Review of purchaser profiles and access permissions to the purchase
management system
ICRF
Control Description:
Purchasers’ access to the purchase management system and to the accounting system (account payables) must comply with
segregation of duties (see control 5).
Using the control tools provided by the IT Department, the Purchasing Department shall each year review and validate user
profiles within the Purchasing Department.
Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
Risk 6.13 - Poor valuation and recording of supplier invoices
APPLICATION CONTROLS
I06.A01 Access review to maintain supplier master data
I06.A02 Access review to approve supplier creation/ modification/
deletion
ITAC objective: Review user list to detect userid that should not be granted access to approve supplier creation/modification/deletion.
ITAC description: Competency Centers provide reports according to the Business requirements and organization. Accounting Department uses the reports to perform the review, no less than once a year.
ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).
Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:
1) the following transactions:
- FK08 vendor individual confirmation
- FK09 vendor collective confirmation
- Custom Transactions (Z*) if applicable
2) at least the following authorization objects:
- F_LFA1_APP, attribute ACTVT, value 08
- F_LFA1_BEK, attribute ACTVT, value 08
- F_LFA1_BUK, attribute ACTVT, value 08
- F_LFA1_GEN, attribute ACTVT, value 08
- F_LFA1_GRP, attribute ACTVT, value 08
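The review criteria listed for I04.A07, Control 5.4 and I06.A02 can also be checked offline against an export of user authorizations. The Python below is an added example, not part of the ITAC 100 manual and not how report S_BCE_68002111 works internally. Assumptions: a flat CSV export with columns user, object, field, low, high (the sample rows are constructed), transaction start rights held as object S_TCODE / field TCD, a user being listed when holding at least one listed transaction and at least one listed authorization object value, and ZSD_UNBLOCK as a hypothetical custom transaction.

```python
import csv
import io
from collections import defaultdict

# Criteria transcribed from the manual's access-review ITACs.
CRITERIA = {
    "I04.A07": {
        "tcodes": ["VKM1", "VKM4"],
        "objects": [("V_KNKK_FRE", "ACTVT", "23"), ("V_VBUK_FRE", "ACTVT", "23")],
    },
    "Control 5.4": {
        "tcodes": ["MIGO", "MB1A", "MB1B", "MB1C", "CO11N", "MFBF",
                   "VL01", "VL01N", "VL02", "VL02N", "MI07", "MI10"],
        "objects": [(obj, "ACTVT", "01") for obj in (
            "B_USERSTAT", "M_MSEG_BMB", "M_MSEG_BWA", "M_MSEG_BWE", "M_MSEG_BWF",
            "M_MSEG_LGO", "M_MSEG_WMB", "M_MSEG_WWA", "M_MSEG_WWE")],
    },
    "I06.A02": {
        "tcodes": ["FK08", "FK09"],
        "objects": [(obj, "ACTVT", "08") for obj in (
            "F_LFA1_APP", "F_LFA1_BEK", "F_LFA1_BUK", "F_LFA1_GEN", "F_LFA1_GRP")],
    },
}

# Constructed sample export (assumed layout, not a real SAP download format).
SAMPLE_EXPORT = """\
user,object,field,low,high
AMARTIN,S_TCODE,TCD,MIGO,
AMARTIN,M_MSEG_BWE,ACTVT,01,
AMARTIN,M_MSEG_BWE,ACTVT,03,
BCHEN,S_TCODE,TCD,MB1A,MB1C
BCHEN,M_MSEG_BWA,ACTVT,*,
CDIAZ,S_TCODE,TCD,MIGO,
CDIAZ,M_MSEG_BWE,ACTVT,03,
DKHAN,S_TCODE,TCD,FK0*,
DKHAN,F_LFA1_BUK,ACTVT,08,
EROSSI,M_MSEG_LGO,ACTVT,01,
FLOPEZ,S_TCODE,TCD,VKM1,
FLOPEZ,V_KNKK_FRE,ACTVT,23,
FLOPEZ,S_TCODE,TCD,ZSD_UNBLOCK,
"""


def load_grants(csv_text):
    """Return {user: [(object, field, low, high), ...]} from the export."""
    grants = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        grants[row["user"].strip().upper()].append(
            (row["object"].strip(), row["field"].strip(),
             row["low"].strip(), (row["high"] or "").strip()))
    return grants


def covers(low, high, required):
    """True if a granted value (exact, trailing-* pattern or range) includes required."""
    if high:                       # from-to range, compared character by character
        return low <= required <= high
    if low.endswith("*"):          # "*" alone is full authorization
        return required.startswith(low[:-1])
    return low == required


def holds(user_grants, obj, field, required):
    return any(o == obj and f == field and covers(lo, hi, required)
               for o, f, lo, hi in user_grants)


def review(grants, itac, custom_tcodes=()):
    """List users holding >=1 listed transaction AND >=1 listed object value."""
    rule = CRITERIA[itac]
    findings = {}
    for user in sorted(grants):
        ug = grants[user]
        tcodes = [t for t in list(rule["tcodes"]) + list(custom_tcodes)
                  if holds(ug, "S_TCODE", "TCD", t)]
        objects = [o for o, f, v in rule["objects"] if holds(ug, o, f, v)]
        if tcodes and objects:     # keep the evidence for the reviewer
            findings[user] = {"tcodes": tcodes, "objects": objects}
    return findings


if __name__ == "__main__":
    grants = load_grants(SAMPLE_EXPORT)
    for itac in CRITERIA:
        for user, hit in review(grants, itac).items():
            print(itac, user, hit["tcodes"], hit["objects"])
```

CDIAZ (activity 03 only) and EROSSI (object without a transaction) are not listed, while BCHEN is caught through a range and a `*` value, which are the cases a plain string match on the export would miss.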
I06.A03 Access review to create supplier agreement or contract
Control 6.7: Review of profiles, other than purchasers with
access permission to the purchase management system
ICRF
Control Description:
Access to the purchase management system and to the accounting system (account payables) must comply with segregation of
duties (see control 5).
Using the control tools provided by the IT Department, the Functional Departments shall check user profiles within their
department. It shall be done on an annual basis and in collaboration with the Purchasing Department.
Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
Risk 6.13 - Poor valuation and recording of supplier invoices
APPLICATION CONTROLS
I06.A04 Access review to create purchase orders
I06.A05 Access review to approve purchase orders
I06.A06 Access review to process goods receipts
I06.A07 Access review to perform service receipts
I06.A08 Access review to record supplier invoices
Control 6.17: Approving the creation/modification/deletion of supplier accounts
ICRF
Control Description:
The Accounting Department may only create/modify/delete a supplier account if it has received prior official permission from
the Purchasing Department. This permission shall be set forth in a creation/modification/deletion application form that contains
proof and documentation confirming approval has been given.
Only original bank details (IBAN) will be accepted. They must correspond to accounts in the name of the legal entity and located
in the registered country of the supplier.
Any additions or sensitive changes (IBAN, payment terms, delivery address etc.) must undergo an independent monthly review
(by a person who does not have access permission to create/edit such details), in order to ensure that no unauthorized
creations/modifications/deletions have taken place.
Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.4 - Damage to the Group’s image due to illegal practices and irresponsible behaviour of suppliers
APPLICATION CONTROLS
I06.T01 Maintain alternative payee
I06.C01 Key information is required for supplier master data
I06.R01 Review supplier master data changes
Control 6.18: Closing the accounts of delisted suppliers
ICRF
Control Description:
Purchasers must officially and systematically notify the Accounting Manager of any delisted supplier so that the corresponding
supplier account can be closed.
Confirmation of the closure shall be sent to the purchaser.
Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.4 - Damage to the Group’s image due to illegal practices and irresponsible behaviour of suppliers
APPLICATION CONTROL
Control 6.19: Approval of new/modified supplier tariffs and purchasing terms
ICRF
Control Description:
If a supplier’s tariffs or other purchasing terms are recorded in the purchasing management system, a report tracking all
additions/modifications to these tariffs and purchasing terms shall be reviewed, at least once each month, by the purchaser’s
line manager (independent control).
Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.11 - Faults in the purchase order process
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
APPLICATION CONTROL
Control 6.22: Reliability of purchase orders
ICRF
Control Description:
All orders that are issued must contain all the necessary details for proper processing:
• Sequential and unique order number,
• Supplier name,
• Required quantities and references,
• Applicable tariffs, discounts and purchasing terms,
• Deadline and method for delivery/providing the service,
• Payment terms.
All open orders must specify a closing date.
Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.9 - Failure to respect contractual obligations with suppliers
Risk 6.10 - Poor management of returns and litigation with suppliers and service providers
Risk 6.11 - Faults in the purchase order process
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
APPLICATION CONTROLS
ICRF
Control Description:
All orders must be approved.
Purchase orders may only be issued by authorized people, and they must be approved in accordance with the official delegation
of powers and authorized signatory list.
Any alteration to an existing order must be formalized. Depending on the new amount, an additional purchase requisition must
be issued.
Any request for a change in the payment deadline must be approved by the Finance Department.
Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.3 - Purchases not made through the Purchasing Department
Risk 6.9 - Failure to respect contractual obligations with suppliers
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
APPLICATION CONTROL
ICRF
Control Description:
The people in charge of purchasing must review all purchase orders recorded in the system - for the categories they are
responsible for and on a relevant basis to be defined (daily, weekly, monthly etc.) - in order to identify and explain any orders that
have not been received within the agreed deadline and to “clean up” any unjustified open orders.
At least once a quarter, the Purchasing Department shall ensure that this review has been performed correctly.
Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.7 - Poor organisation of the purchasing process and lack of coordination with the other departments
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
Risk 6.13 - Poor valuation and recording of supplier invoices
APPLICATION CONTROL
ICRF
Control Description:
Before their transfer to the operational department for validation (ok to pay), all supplier invoices shall be systematically
received by the Accounting Department and recorded into accounting with a block for payment.
A “posted” stamp must be put on the original invoice as soon as it is posted into accounting.
Risks:
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
Risk 6.13 - Poor valuation and recording of supplier invoices
APPLICATION CONTROL
ICRF
Control Description:
The entity has put in place a procedure, approved by the Financial Director, defining:
• The acceptable levels of variance between the invoice and the original order for the price and the quantity.
• The people authorized to accept the variances.
Risks:
Risk 6.10 - Poor management of returns and litigation with suppliers and service providers
Risk 6.11 - Faults in the purchase order process
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
APPLICATION CONTROL
ICRF
Control Description:
Any delivery received and not invoiced shall be recorded as GRNI (Goods Received Not Invoiced).
The entity shall put in place a tool or an organization allowing monthly identification, listing, valuation and recording of prepaid
invoices and of goods and services received and not invoiced.
Accounting must perform a monthly review of items received and not invoiced with the Purchasing Department.
Risk:
Risk 6.13 - Poor valuation and recording of supplier invoices
APPLICATION CONTROLS
Control 6.33: Monitoring prepaid invoices and goods and services received and not invoiced
Risk addressed by ITAC: R6.13
ITAC objective: Post automatically Goods received not invoiced in accounting.
ITAC description: Any delivery received and not invoiced shall be automatically recorded as GRNI (Goods Received Not Invoiced).
ITAC 100 Transactions
OBYC: SAP menu: Tools -> Customizing -> IMG -> Execute Project; SAP Reference IMG: SAP Customizing Implementation Guide -> Material Management -> Logistic Invoice Verification -> Configure Automatic Posting.
FS00: Edit G/L account centrally
OBYC: SAP menu: Tools -> Customizing -> IMG -> Execute Project; SAP Reference IMG: SAP Customizing Implementation Guide -> Material Management -> Logistic Invoice Verification -> Configure Automatic Posting
Execute the transaction code OBYC. Click on the "Account Assignment" button. For the materials management postings group, double click on the GR/IR (transaction key WRX) clearing account and select the company’s chart of accounts. Set the account assignment.
In FI with FS00 transaction, set these accounts to be "Post Automatically Only"
ICRF
Control description:
On a yearly basis, the Finance Department shall perform an inventory of the bank accounts in order to make sure that:
• All bank accounts have been clearly identified and recorded in the accounting,
• The number of accounts is consistent with needs,
• The signatures known for using the accounts are always up to date,
• Only banks that have been approved by the delegation/Treasury and Financing Department (DTF) are used.
Risks:
Risk 15.1 - Theft or embezzlement of funds
Risk 15.3 - Unjustified or unauthorized granting and taking out of loans
Risk 15.4 - Undertakings towards third parties of which the Group is not aware
Risk 15.5 - Unmanaged hedging transactions leading to fluctuating results
APPLICATION CONTROLS
Control 15.4: Bank account inventory
Risks addressed by ITAC: R15.1, R15.3, R15.4 and R15.5
ITAC objective: The Bank accounts are set in the accounting system to avoid any payment error or cash problem.
ITAC description: SSC Finance, Entities, Treasury department (Delegation) should put in place a procedure to validate the Bank accounts. Then, SSC Finance Department provides the list of appropriate and authorized bank accounts. The Competency Center defines all of these bank accounts, and no others, in the accounting system.
Set house bank accounts for each paying company code using FI12. Within SAP, “house banks” are associated to each paying company code to represent the bank accounts that can be used for payments. House banks are selected from the bank directory within SAP.
After creating a house bank for a company code a bank account is defined that associates the bank account number to a GL account number. The bank account currency and the GL account currency must match.
In addition, using FS00, the house bank must be indicated for the GL account.
ICRF
Control description:
Access to the cash management system, to the modules of electronic banking and to the modules of the accounting system shall
comply with the segregation of duties described in control 5.
The relevant IT support team shall be informed of any changes (changes in the delegation of authorities, departures, transfers
etc.). At least once a year, the Financial Director shall perform a review of all user profiles and access permissions to the cash
management system, the modules of electronic banking and the modules of the accounting system.
Risks:
Risk 15.1 - Theft or embezzlement of funds
Risk 15.6 - Erroneous or unjustified payments
APPLICATION CONTROLS
ICRF
Control Description:
The preparation of payments is limited to transactions that have been authorised by an “ok to pay”.
The Accounting Department ensures that all elements which have been proposed for payment have been confirmed as “ok to
pay” before being transferred to the signatories.
As soon as the payment form has been signed it should not be possible to modify it.
Risks:
Risk 15.1 - Theft or embezzlement of funds
Risk 15.6 - Erroneous or unjustified payments
APPLICATION CONTROLS
ICRF
Control description:
Each month the Accounting Manager shall check that the foreign currency accounts have been valued in the SIF report in
accordance with the Group’s policy.
Risk:
Risk 15.7 - Incorrect assessment and/or recording
APPLICATION CONTROL
ICRF
Control description:
Access permissions to the modules of the accounting system are consistent with the segregation of duties.
Access permissions to the Accounting Department’s sensitive transactions (recording cash flow movements, write-offs of assets
and manual general entries) are restricted to relevant users and respect the rules for the segregation of duties.
The Financial Manager reviews, regularly and at least once a year, all user profiles and access permissions to the modules of the
accounting system and shall inform the IT Department of any update requirements (departure, transfers etc.).
Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.6 – Intragroup irregularities
Risk 16.8 - Tax adjustments due to tax returns calculations based on inaccurate and incomplete accounting data
APPLICATION CONTROL
ICRF
Control description:
There is a formal Chart of accounts that is available to all accountants. It specifies, in particular:
• The content of the accounts and clearly defined rules about their functioning,
• Documentation about the complex accounting entries including automatic entries or entries from integrated systems.
Once a year, the Accounting Manager verifies that the Chart of accounts and the rules for allocation are updated and that they
allow him/her to comply with regulatory requirements (both local and Group, if applicable).
Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.3 - Incorrect Group accounts
Risk 16.4 - Failure to meet commitments to issue financial reporting information
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.8 - Tax adjustments due to tax returns calculations based on inaccurate and incomplete accounting data
APPLICATION CONTROL
ICRF
Control description:
A correspondence table between the general ledger accounts and the SIF columns is kept updated.
The Financial Manager shall ensure that all elements needed to prepare the SIF are included in the correspondence table, and
in particular all accounts that operate a Group/non-Group distinction (in particular the accounts for invoices or credit notes to
issue, invoices or credit notes to be received).
At least once a year, the Accounting Manager checks that all the changes to the SIF accounts or to the general ledger accounts
have been correctly recorded and dealt with.
Risks:
Risk 16.1 - Incorrect decisions
Risk 16.3 - Incorrect Group accounts
Risk 16.4 - Failure to meet commitments to issue financial reporting information
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
APPLICATION CONTROLS
ICRF
Control description:
The Finance Department shall perform an annual review of all open accounts and of their description in order to deactivate any
unnecessary or redundant accounts.
The Finance Department ensures that all inactive accounts cannot be used.
Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.6 - Intragroup irregularities
APPLICATION CONTROL
Control 16.8: Review of open accounts
Risks addressed by ITAC: R16.2 and R16.6
ITAC objective: Unnecessary and redundant accounts are deactivated in order to keep the system clean.
ITAC description: After review of open accounts, SSC finance requests Competency Center to deactivate any unnecessary or redundant accounts.
For all the unused G/L accounts identified, use FS05 Block master record to block them.
After the blocking, the Finance department shall extract the up-to-date version of the G/L master record using FSP0 and approve it.
Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.
ICRF
Control description:
Any creation or modification of the Chart of accounts shall be formally requested and approved by the Financial Manager.
Each request contains the accounting line reference, the corresponding SIF code as well as the journal entry model.
An annual review of the accounting Chart shall be performed.
Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.3 - Incorrect Group accounts
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.6 - Intragroup irregularities
Risk 16.7 - Off-balance-sheet commitments not identified
APPLICATION CONTROL
ICRF
Control description:
Access permissions to the master files of the Chart of accounts are restricted to authorized persons.
The Financial Manager performs an annual review of access rights for creation, modification or deletion of accounts in the Chart
of accounts.
Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.3 - Incorrect Group accounts
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
APPLICATION CONTROL
ICRF
Control description:
All entries must be recorded in journals that are identified and numbered sequentially. Each entry must be justified and
documented.
The entity has set up a procedure ensuring the traceability of the entry of accounting documents (sequential numbering of the
accounting documents, journal code, date of entry, person who has made the journal entry, archiving).
The Accounting Manager regularly checks that all journals are used correctly.
Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.8 - Tax adjustments due to tax returns calculations based on inaccurate and incomplete accounting data
APPLICATION CONTROLS
ICRF
Control description:
All manual entries shall be supported by documentary evidence.
The Accounting Manager ensures that all manual entries are appropriately justified and documented.
The Financial Manager reviews each non-standard manual entry, as well as those that have a significant impact on the accounts.
Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
APPLICATION CONTROLS
ICRF
Control description:
The data from the sub-ledger accounting or other management systems shall be reconciled each month with the general
accounting (balance, total debits, total credits). Any differences that are identified must be explained and corrected.
Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.3 - Incorrect Group accounts
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.6 - Intragroup irregularities
Risk 16.8 - Tax adjustments due to tax returns calculations based on inaccurate and incomplete accounting data
APPLICATION CONTROLS
ICRF
Control description:
Intercompany invoices shall be accounted or provided for as soon as the goods are received and the services are performed. Any
occurring disputes shall be corrected once they have been accounted for and terms of payment shall be strictly respected.
Rebates on invoices and partial payments are strictly prohibited.
Electronic invoicing for intercompany flows is to be used in priority.
Each month the entity shall confirm all intercompany payables and receivables with its partners (clients, suppliers, invoices and
credit notes to be received, accrued interests, foreign currency accounts etc.). The details of the accounts shall be sent within
the specified deadlines.
The Accounting Manager ensures that any discrepancies for the month in progress are cleared by no later than the following
month.
Risks:
Risk 16.3 - Incorrect Group accounts
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.6 - Intragroup irregularities
APPLICATION CONTROLS
ICRF
Control description:
The procedure for accounting closing and for preparing financial information is formalised, validated by the Financial Manager and
distributed. It specifies, in particular:
- A schedule of transactions to carry out,
- The allocation of responsibilities for performing, supervising and checking each transaction (by account or by category),
- A check list of tasks and entries to book, in particular for non-recurring movements,
- A list of elements used to ensure that the cut-off is respected.
The Financial Manager regularly verifies that the closing procedure is respected.
Risks:
R 16.2 – Misappropriation of assets and fraud
R 16.4 - Failure to meet commitments to issue financial reporting information
R 16.6 - Intragroup irregularities
R 16.7 - Off-balance-sheet commitments not identified or granted without authorisations.
APPLICATION CONTROLS
Control 16.26: Procedure for period end accounting
Risks addressed by ITAC: R16.2, R16.6 and R16.7
ITAC objective: Accounting period configuration is defined to support the business during the closing process.
Assign the posting period variant to the company code via the transaction OBBP.
Create a posting period variant and specify open accounting periods via the transaction OB52.