
SCR - Risk & Control in P2P Process

The document discusses risks and controls in the purchase-to-pay (P2P) process. It outlines the key steps in the P2P process from material request to payment. Risks arise at each step from misappropriation, fraud, or concealment of facts. Controls are needed to mitigate these risks, such as segregation of duties, approval processes, and checks that purchase orders, goods receipts, and invoices match. While processes may differ between organizations, general controls discussed include restricting purchase requests to approved departments, verifying purchase orders match requests, checks on new vendor creation, verifying goods match documentation, and invoice matching before payment. Automated systems can help flag issues, but controls still need regular testing.

Risk & Control In P2P Process

Purchase to pay, or procurement to pay (P2P), is the process by which an organization purchases the material it requires, for manufacturing goods or for its own use, from a vendor selected on pre-defined criteria. The process is complete when final payment is made to the vendor. The entire process is simple for a small organisation where few people work or activities are limited: the owner is personally involved in the organization's activities and decides what is good for the business and, ultimately, for the investor (himself). But as a business grows manifold, or in any big organization, listed or unlisted, where many stakeholders are involved (owner, management, shareholders, investors or tax authorities) and individual processes are independent and large enough for a separate department, controls are required because risks crop up in each process. That is how the term arose and the process was created.

Whether it is SOX compliance for businesses based in the USA, or USA-based businesses doing business in other countries for whom SOX compliance is mandatory, they need to ensure that their businesses in other jurisdictions are also SOX compliant, as the business has to present consolidated financial statements at headquarters. Whether it is the quarterly filing of the 10-Q or the annual filing of the 10-K, the CEO, CFO, management and auditor of the organization need to certify and verify that internal control has been implemented and is working effectively. Similarly, in India every listed company has to report on Internal Financial Control (IFC) in its board report, stating that it has laid down an adequate and efficient IFC system. In addition, the auditor also needs to present an opinion on the IFC system and the operating effectiveness of such controls as per Section 134(5)(e) of the Companies Act, 2013. Even the directors of unlisted companies have to comment on internal control effectiveness. Such a report can only be given by these executives when effective internal control has been working throughout the year within the framework of the organization.

Let's come to our specific topic of P2P, where we will discuss the risk associated with each of the intermediate processes and the relevant control for mitigating that risk. Let's first look at the steps involved to understand the P2P process (the status reached at each step is shown in brackets):

Material Request (Process Initiated) -> Purchase Order Created (Order Creation) -> Goods Receiving (Goods Received) -> Invoice Processing (3-way matching done) -> Payments (Completed)

As discussed above, risk is associated with every step involved, and each organisation needs appropriate controls to mitigate such risk. No two organizations are the same; similarly, no two organizations have the same activities or, ideally, the same controls. Risk is associated with misappropriation of assets, fraud, wilful concealment of facts, or any other direct or indirect benefit to the persons involved. Risk also varies depending on whether the processes discussed above are carried out manually or automatically. With automated controls, one needs to ensure that the ERP is correctly implemented and that there is proper segregation of duties (SOD) for creation and approval of vendor, payment and GL; then one may safely assume that the control is working appropriately. With manual controls, however, one needs to actually observe, re-verify, re-calculate or inquire in order to see the entire process, and adjust the auditing process accordingly to verify that the control is working appropriately.

Let's discuss a few apparent risks associated with the P2P process and the relevant control for each:

1) Purchase request may be created by any user: The approval process should sit with the department head, who has the authority to approve or reject the request.

2) PO is created based on approved purchase request: There should be a proper mechanism to check and verify that the PO matches the purchase request.

3) New vendor creation: There should be appropriate checks and balances in place when a new vendor is created in the system. In an automated system, there should be proper segregation of duties (SOD) between creation and approval of the vendor. Manually, at least 3 quotations should be sought from random vendors before selecting the one who meets the demand in terms of quality, quantity and price. If it is a regular supply, then the order is placed with an approved vendor and at an approved price.

4) Goods receiving: Goods received should thoroughly match the PO and finally be checked for quality and quantity before the GRN is approved. Any deficiency or surplus should be adjusted with a debit or credit note.

5) Invoice processing: Before processing the invoice and making payment to the vendor, matching should be done to ensure that the PO, GRN and invoice match in terms of price and quantity.

6) Payment: Once the invoice is approved, payment is made to the specific vendor against the approved invoice and GL entry.

As discussed, not all of the above processes are standard and applicable everywhere. It depends entirely on the organization and the way it conducts business. However, these are general controls, and they give a fair idea of how each step in a process gives rise to a risk and how a control should be created to mitigate it. In addition, nowadays most large companies have customised ERP systems where most of the processes are automated and any deficiency is automatically flagged. However, one needs to regularly test the ERP system itself for the controls implemented and their actual working. Also, any new risk identified gives rise to a new control that needs to be implemented accordingly.
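
The three-way match described under invoice processing and the segregation-of-duties check on vendor creation can be tested directly against exported ERP records. The following is an added example, not part of the original document; the record layout, field names, user names and the zero price tolerance are assumptions, and all records are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Line:  # hypothetical record layout for one PO / GRN / invoice line
    po_no: str
    item: str
    qty: int
    unit_price: Optional[Decimal] = None  # GRN lines carry no price


def three_way_match(po, grn, invoice, price_tolerance=Decimal("0")):
    """Return a list of exceptions; an empty list means the invoice may be paid."""
    same_po = po.po_no == grn.po_no == invoice.po_no
    same_item = po.item == grn.item == invoice.item
    if not (same_po and same_item):
        return ["documents do not refer to the same PO line"]
    issues = []
    if grn.qty != po.qty:
        issues.append(f"GRN qty {grn.qty} != PO qty {po.qty} (debit/credit note needed)")
    if invoice.qty != grn.qty:
        issues.append(f"invoiced qty {invoice.qty} != received qty {grn.qty}")
    if abs(invoice.unit_price - po.unit_price) > price_tolerance:
        issues.append(f"invoice price {invoice.unit_price} != PO price {po.unit_price}")
    return issues


def sod_violations(vendor_records):
    """Vendors created and approved by the same user, or never approved."""
    return [v["vendor_id"] for v in vendor_records
            if v["approved_by"] is None or v["approved_by"] == v["created_by"]]


# Constructed sample data: short delivery, full-quantity invoice, raised price.
PO = Line("PO-1001", "steel-rod", 100, Decimal("12.50"))
GRN = Line("PO-1001", "steel-rod", 90)
INVOICE = Line("PO-1001", "steel-rod", 100, Decimal("13.00"))
VENDORS = [
    {"vendor_id": "V-001", "created_by": "asha", "approved_by": "ravi"},
    {"vendor_id": "V-002", "created_by": "asha", "approved_by": "asha"},
    {"vendor_id": "V-003", "created_by": "ravi", "approved_by": None},
]

if __name__ == "__main__":
    for issue in three_way_match(PO, GRN, INVOICE):
        print("HOLD PAYMENT:", issue)
    print("SoD exceptions:", sod_violations(VENDORS))
```

Running the same checks periodically over a full export is one way to carry out the regular testing of ERP controls that the text calls for.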
