Many organizations devote large amounts of time, money, and resources to internal controls testing. Yet in spite of these stringent tests, most businesses suffer from a multitude of controls errors — and many don’t even realize that these errors are occurring.
Whether it’s due to user mistakes or intentional misuse, there are a dozen hidden issues that could arise even in well-monitored environments. These issues could undermine the integrity of your controls and cause major problems when audit season comes around.
So what are these hidden issues that you need to watch out for? Below, we explore the twelve most common internal controls problems that may be happening right under your nose.
Issue 1: The Split
Many companies have authorization limits in place — limits that can be somewhat inconvenient to employees. In order to circumvent those authorization limits, many employees will ask a vendor to split their invoice into separate, smaller invoices. Suddenly, the company is spending more than intended without issuing any extra approvals.
Issue 2: The Right Place at the Wrong Time
SAP financial systems tend to enforce a three-way match — the purchase order (PO), invoice, and receipt must all contain the same data. If this isn’t the case, the discrepancy needs to be addressed. To avoid addressing the issue, though, employees will occasionally create the PO after the invoice or receipt comes in, compromising financial accuracy for the sake of simplicity.
Issue 3: The Expediter
SAP systems offer a standard functionality that, for very specific scenarios, automatically generates a PO after a receipt comes in, ensuring that a three-way match always occurs. While this can be convenient in some situations, it can often be used inappropriately and undermine the strength of your internal controls.
Issue 4: Timeless
POs are, in general, always approved before purchases can be made. But to a business user on a deadline, that can be a bit inconvenient. Rather than creating a new PO for new purchases, therefore, business users will occasionally add new items to old, already-approved POs instead.
Issue 5: “Whatever”
SAP financial systems will automatically block transactions that exist outside of defined tolerances. This control is put in place to prompt users to resolve whatever issue is causing the block. Occasionally, however, users will simply delete the PO that is causing the block and allow the issue to remain unresolved.
Issue 6: The Flip-Flop
SAP systems can be configured to prevent certain actions from being taken. For example, an organization could configure its SAP system to prevent manual postings to a general ledger account. When this does not align with a business user’s needs, the user will sometimes simply remove that configuration long enough to make their manual posting and put the configuration back in place when it is complete.
Issue 7: The Workaround
All SAP systems restrict the abilities of certain users to perform certain actions. However, all SAP systems also allow for standard workarounds in the case of very specific scenarios. For example, the sundry invoicing functionality allows users to pay for certain items without a PO (such as building utilities or taxes). The problem arises when users take advantage of these workarounds in unintended ways, such as using the sundry invoicing feature to avoid having to make the standard three-way match.
Issue 8: The Dependent Relationship
There are many controls standard to SAP systems that may not actually be enacted when organizations think they are. Controls in SAP systems are often dependent on other settings within that system. If those settings are not properly configured, the control may not be operating how you think it is operating.
Issue 9: The Share
This issue is one of the most prevalent issues facing enterprise compliance — sharing user IDs. Most organizations have firm rules in place limiting who can do what in their SAP systems. But that means nothing when end users are giving out their credentials to unauthorized colleagues.
Issue 10: The Addition
Businesses using SAP GRC solutions have a proven tool for monitoring access control and other GRC concerns. But in order for SAP GRC solutions to do their job, organizations need to remember to update it when customizations are made to other systems. Often, these customizations allow issues to occur unnoticed by SAP GRC solutions.
Issue 11: The Buried Item of Interest
Change logs are a vital part of monitoring controls and managing processes. But change logs are often inundated with useless data. Trying to spot items of interest in these lengthy logs can be nearly impossible.
Issue 12: The Unauthenticated User
The recent rise of cybercrime has created a whole new realm of internal controls issues. Implementers of SAP systems need to be very careful that they complete the implementation process properly and keep the system patched. Otherwise, hackers can find free tools over the Internet that will allow them to enter your SAP system and change the data without your knowledge.
Each of these issues can pose serious threats to the integrity of your internal audits. It’s essential that organizations become aware of these hidden problems and take steps to rectify them.
For expert advice on uncovering and mitigating these internal controls issues, view the video “How to Identify and Tack the 12 Most Common Hidden Control Problems Using Standard SAP Functionality” from the SAPinsider GRC 2016 event in Las Vegas.