Page 242 - COSO Guidance Book
All inventory counts (cabinet display and safe inventories) are recorded and reviewed daily by the
owner-manager, who takes appropriate action if there is a difference between the count and the
amount recorded on the books. The placement of jewelry in locked glass cabinets and a safe that
can be accessed only by authorized individuals are physical preventive controls against employee
theft or robbery.
This example also illustrates that the same control activity need not be applied to the entire
population. In the jewelry store example, different controls were established for inventory items
based on a risk assessment. All high-value inventory was accessible only by the owner-manager
and the owner-manager’s close relatives and was stored in a time-lock safe. Other, lower-value jewelry
items were displayed in glass cabinets only during normal business hours.
– Controls over standing data — Standing data, such as the vendor master file, is often used to
support transaction processing. Control activities over the processes to populate, update, and
maintain the accuracy, completeness, and validity of this data are put in place by the organization.
For example, in a common billing fraud scheme an unscrupulous employee accesses the
vendor master file and adds a fictitious vendor. This employee might be the “trusted” bookkeeper
who holds incompatible functions: bookkeeping, access to assets (checks), and independent
reconciliation, because the bookkeeper also reconciles the bank account.
This employee can populate the vendor master file with fraudulent information, such as a
fictitious vendor’s name and address, and then submit fictitious invoices in that vendor’s name
along with whatever supporting documentation is needed to generate a fraudulent check.
The bookkeeper then intercepts the check. The embezzlement will most likely not be
detected by the owner-manager, both because of the trust the owner-manager places in the
bookkeeper and because of the bookkeeper’s inadequate segregation of duties (access to assets,
bookkeeping, and independent reconciliation).
Even if the payables system had the previously noted automated control that any disbursement
greater than $5,000 needs the owner-manager’s approval, the bookkeeper could circumvent this
control by generating fraudulent checks in amounts below the threshold that triggers the
additional control procedure (that is, every fraudulent check would be for $5,000 or less).
Controls over standing data should include a requirement that, based on risk, certain changes to
standing data, such as vendor address, would require an additional approval by an appropriate
employee (preventive control). The system might also have an automated control such that
changes to the vendor master file require the user to enter the information for a data item twice. If
the information that is entered twice is not the same, then an automated error routine is initiated
that notifies the user of the error and of the need to reenter the information. This automated
control helps ensure that the recorded information is both accurate and complete.
Another possible control over standing data could be that a member of management might be
assigned the responsibility to review changes daily in certain critical fields (vendor address or
discount terms) and take appropriate action for any noted anomalies (manual and detective
control).
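The controls described above (the double-entry check, the $5,000 approval threshold, the daily review of critical vendor master fields, and the segregation-of-duties concern) can be expressed as detective logic run over change logs and a payments ledger. The following is an added example written for this page, not code from the COSO guidance. The vendor master change log, the payments ledger, the user names and the 30-day look-back window are constructed assumptions. The split-payment check goes beyond what the page describes: it is one compensating detective control for the circumvention the page warns about, where each check stays under the threshold but a run of them to one vendor does not.

```python
"""Detective controls over a vendor master file and a payables ledger.

Added example (not from the COSO guidance). All data below is constructed;
field names, users and the 30-day window are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_THRESHOLD = 5000.00                      # page: owner-manager approves > $5,000
CRITICAL_FIELDS = {"address", "discount_terms"}   # fields the page names as critical
WINDOW_DAYS = 30                                  # assumed look-back for split payments

# Constructed vendor master change log: who changed which field, when.
VENDOR_CHANGES = [
    {"date": date(2020, 3, 2), "vendor": "V100", "field": "phone",
     "old": "555-0100", "new": "555-0199", "by": "bookkeeper"},
    {"date": date(2020, 3, 3), "vendor": "V200", "field": "address",
     "old": "1 Main St", "new": "PO Box 77", "by": "bookkeeper"},
    {"date": date(2020, 3, 3), "vendor": "V300", "field": "discount_terms",
     "old": "2/10 net 30", "new": "net 60", "by": "purchasing"},
]

# Constructed payments ledger.
PAYMENTS = [
    {"date": date(2020, 3, 4), "vendor": "V200", "amount": 4900.00, "by": "bookkeeper"},
    {"date": date(2020, 3, 9), "vendor": "V200", "amount": 4950.00, "by": "bookkeeper"},
    {"date": date(2020, 3, 16), "vendor": "V200", "amount": 4800.00, "by": "bookkeeper"},
    {"date": date(2020, 3, 5), "vendor": "V300", "amount": 7500.00, "by": "clerk"},
    {"date": date(2020, 3, 6), "vendor": "V100", "amount": 300.00, "by": "bookkeeper"},
]


def double_entry_ok(first: str, second: str) -> bool:
    """Automated entry control from the page: the value is keyed twice and must
    match exactly; any difference sends the user back to re-enter it."""
    return first == second


def needs_owner_approval(amount: float) -> bool:
    """Automated threshold control from the page."""
    return amount > APPROVAL_THRESHOLD


def critical_changes_for_review(changes, day):
    """Daily detective control: changes to critical fields made on `day`,
    for a manager to review and act on."""
    return [c for c in changes if c["date"] == day and c["field"] in CRITICAL_FIELDS]


def split_payments(payments, threshold=APPROVAL_THRESHOLD, window_days=WINDOW_DAYS):
    """Compensating control (goes beyond the page): a run of two or more payments
    to one vendor, each at or under the threshold (so none was approved), whose
    total inside the look-back window exceeds it. Returns {vendor: total}."""
    by_vendor = defaultdict(list)
    for p in sorted(payments, key=lambda p: p["date"]):
        if not needs_owner_approval(p["amount"]):
            by_vendor[p["vendor"]].append(p)
    flagged = {}
    for vendor, rows in by_vendor.items():
        for i, start in enumerate(rows):
            window = [r for r in rows[i:]
                      if r["date"] - start["date"] <= timedelta(days=window_days)]
            total = sum(r["amount"] for r in window)
            if len(window) > 1 and total > threshold:
                flagged[vendor] = round(total, 2)
                break
    return flagged


def sod_conflicts(changes, payments):
    """Segregation-of-duties check: a payment entered by the same user who had
    earlier changed a critical field of that vendor's master record."""
    out = []
    for p in payments:
        for c in changes:
            if (c["vendor"] == p["vendor"] and c["by"] == p["by"]
                    and c["field"] in CRITICAL_FIELDS and c["date"] <= p["date"]):
                out.append((p["vendor"], p["by"], p["amount"]))
                break
    return out


if __name__ == "__main__":
    print("critical changes 2020-03-03:",
          critical_changes_for_review(VENDOR_CHANGES, date(2020, 3, 3)))
    print("split payments:", split_payments(PAYMENTS))
    print("SoD conflicts:", sod_conflicts(VENDOR_CHANGES, PAYMENTS))
```

Run against the constructed data, the daily review surfaces the two critical-field changes on 3 March, the split-payment check flags vendor V200 (three unapproved checks totalling $14,650 within 30 days), and the segregation-of-duties check ties all three V200 payments to the same user who changed that vendor's address. The phone change to V100 is not critical and is left for the routine log.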
© 2020 Association of International Certified Professional Accountants. All rights reserved. 5-8