Oracle Purchase to Pay Internal Audit Test of Controls Work Program
1. Oracle Applications Test of Controls Work Program Page No. 1
Purchase to Payment
Client Name
Project Date
Preparation Work Completion
Prepared By Date Reviewed By Date
Approved By Date Approved By Date
Purchase to Pay
Step Test of Controls Audit Procedure Working paper Reference Completed By
PTP_01
Review the application security features that restrict security access. Identify appropriate segregation of duties among transaction
processing functions, as well as controls to log/detect changes to key data.
1. Determine the procedure for setting up and maintaining
Oracle responsibilities in the client’s environment from the
System Administrator. Consider the following questions:
• Are default responsibilities used?
• Have responsibilities been customized?
• Are responsibilities typically designed to be cross-application,
or do they limit access to one application?
• Are responsibilities split into small units, or are they
job-based, containing all functions necessary to perform a
job?
Document answers to these questions in a memo.
(Note: If default responsibilities are used, all ‘Superuser’
and ‘Manager’ responsibilities for Oracle applications will
have access to General Ledger setup and maintenance
functions. This is excessive access and should be removed
or restricted to those with administrative responsibility.)
2. Obtain the “Active Responsibilities” report from the System
Administrator to identify which responsibilities are being
used in the client’s environment.
3. Identify all responsibilities that are not ‘inquiry’ type
responsibilities. For these responsibilities, request a
“Function Security Menu Report” from the System
Administrator.
4. Review the “Function Security Menu Report” for each
responsibility identified to determine if appropriate
segregation of duties exists. The following is a sample of
key functions to identify; however, others may be important
as well:
• Vendor maintenance – Suppliers, Merge Suppliers,
Supplier Lists, F4 Enter Employee, AP Employees GUI
• Item maintenance – Master Items, Organization Items,
Import Items, Templates
• Purchasing - Purchase Orders, Releases, Acceptances,
AutoCreate Documents
• Receiving – Receipts, Returns, Receiving Transactions,
Corrections, Match Unordered Receipts
• Invoicing – Invoice Actions, Invoice Approve, Invoice
Release Holds, Expense Reports, Create Recurring
Invoices, Open Interface Invoices
• Payment Processing – Payment Print Check
5. Obtain the “Active Users” report from the System
Administrator to identify if users have been assigned
incompatible responsibilities. In addition, review the report
to identify if users have been assigned only those
responsibilities needed to perform their job functions.
PTP_02
Review the internal application change control policies and procedures supporting the application security and configuration.
1. Identify if there are any formal change control policies and
procedures in place at the application level and document
them in a memo. (Note: Be sure to include any automated
or manual tools that are used to track changes. Also, include
information on how changes are identified, tested, and
migrated from testing environments to production.)
2. Based upon the above policies and procedures, obtain a
listing of changes made during the past year. Select a
sample and determine if the changes were appropriately
authorized following corporate policies and procedures.
PTP_03
Review the application security features that restrict access to application configuration. Identify appropriate segregation of duties between
application configuration and transaction processing functions.
1. Utilizing the information collected in the steps for PTP_01
above, also review the “Function Security Menu Report” for
each responsibility identified to determine if appropriate
segregation of duties exists. The following is a sample of
key functions to identify; however, others may be important
as well:
• Purchasing Setup – F4 Define Position Hierarchy,
Buyers, Approval Groups, Purchasing Options,
Receiving Options, Financials Options, F4 Define
Organization, Document Types, Units of Measure,
Units of Measure Conversions
• Payables Setup – Signing Limits, Payment Terms,
Tolerances, Invoice Approvals, Financials Options,
Payables Options
2. Using the “Function Security Menu Report” and the “Active
Responsibilities” report from PTP_01, identify all the
responsibilities and users that have application configuration
access. Verify appropriateness of these responsibilities and
users.
3. If the client is utilizing the default Oracle Purchasing and
Payables responsibilities, there is a high likelihood that these
responsibilities have access to setup General Ledger options.
Utilizing the Oracle Applications Test of Controls Work
Program - General Ledger, review the Purchasing and
Payables responsibilities for access to General Ledger
functionality.
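
The cross-check described in PTP_01 steps 4-5 and PTP_03 steps 1-2 can be scripted once the reports are exported. This is an added example, not part of the original work program; the conflict matrix, responsibility names and user names are assumptions, and the sample data is constructed.

```python
# Key functions per duty, taken from PTP_01 step 4 and PTP_03 step 1.
DUTIES = {
    "vendor_maintenance": {"Suppliers", "Merge Suppliers", "Supplier Lists"},
    "purchasing": {"Purchase Orders", "Releases", "AutoCreate Documents"},
    "receiving": {"Receipts", "Returns", "Corrections"},
    "invoicing": {"Invoice Actions", "Invoice Approve", "Invoice Release Holds"},
    "payment": {"Payment Print Check"},
    "setup": {"Approval Groups", "Purchasing Options", "Signing Limits",
              "Tolerances", "Payables Options"},
}
# Assumed conflict matrix (not in the work program); setup vs. every
# transaction-processing duty follows the PTP_03 objective.
CONFLICTS = [("purchasing", "receiving"), ("vendor_maintenance", "purchasing"),
             ("vendor_maintenance", "payment"), ("invoicing", "payment")]
CONFLICTS += [("setup", duty) for duty in DUTIES if duty != "setup"]

# Constructed sample data; responsibility and user names are hypothetical.
MENU_REPORT = {  # responsibility -> functions on its menu
    "XX AP Clerk": ["Invoice Actions", "Invoice Approve"],
    "XX AP Payments": ["Payment Print Check"],
    "XX Buyer": ["Purchase Orders", "Releases"],
    "XX Receiver": ["Receipts", "Returns"],
    "XX PO Superuser": ["Purchase Orders", "Receipts", "Purchasing Options", "Suppliers"],
}
ACTIVE_USERS = {  # user -> assigned responsibilities
    "ASMITH": ["XX AP Clerk"],
    "BJONES": ["XX AP Clerk", "XX AP Payments"],
    "CLEE": ["XX PO Superuser"],
    "DKHAN": ["XX Buyer", "XX Receiver"],
}

def duties_of(functions):
    """Return the duties granted by a collection of function names."""
    return {duty for duty, names in DUTIES.items() if names & set(functions)}

def sod_findings(menu_report, active_users):
    """List (user, duty_a, duty_b, responsibilities) for each conflicting pair."""
    findings = []
    for user, resps in sorted(active_users.items()):
        granted = {}  # duty -> responsibilities that grant it
        for resp in resps:
            for duty in duties_of(menu_report.get(resp, ())):
                granted.setdefault(duty, set()).add(resp)
        for a, b in CONFLICTS:
            if a in granted and b in granted:
                findings.append((user, a, b, sorted(granted[a] | granted[b])))
    return findings

if __name__ == "__main__":
    for user, a, b, resps in sod_findings(MENU_REPORT, ACTIVE_USERS):
        print(f"{user}: {a} + {b} via {', '.join(resps)}")
```

A finding that lists a single responsibility is a conflict built into that responsibility's menu; one that lists two or more arises from the user's combination of assignments.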
PTP_04
Identify if application approval hierarchies are used. If so, review the approval hierarchy including spending limits.
1. Through client discussion, identify any policies and
procedures supporting the purchase order approval process.
Identify if automated approval hierarchies are being used in
the system. Document these policies and procedures in the
working papers.
2. To test if approval hierarchies are in use, navigate to the
“Financials Options” form and review “Use Approval
Hierarchies” field to determine if the approval hierarchy is
enabled. This must be performed for each Organization.
3. If the client is using the approval hierarchy, request and
review documentation regarding the hierarchy setup (e.g.,
account limits, amount limits). (Note: There are no
standard Oracle Purchasing reports that can give this
information.)
4. If automated approval hierarchies are used, review the
“Position Approval Hierarchy” including spending limits to
determine that approval limits reflect job function and level.
5. Review the “Financials/Purchasing Options Listing” report
for the following: the “Forwarding Method” should be set to
‘HIERARCHY’ for all Purchasing document types.
6. Review the “Financials/Purchasing Options Listing” report
for the following: the “Allow Change to Approval
Hierarchy” should be set to ‘No’ for all document types.
This option may be set to Yes when Approval/Authorization
groups are appropriately defined with Account Range
restrictions.
PTP_05
Identify what matching principles are followed in the application, and if any overrides exist.
1. Review the “Financials/Purchasing Options Listing” report
for the following: the “Receipt Required” (3-way matching)
Purchasing option should be enabled.
2. The 3-way matching option can be overridden at the vendor,
item, PO, PO line item level, etc. Perform a test of
transactions and verify that each payment that requires a
match has a matching invoice, receipt and purchase order.
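
The test of transactions in PTP_05 step 2 can be run over extracted payment, invoice, receipt and purchase order records. This is an added example, not part of the original work program; the record layout and ids are hypothetical, the data is constructed, and the comparison of invoiced to received quantity is an assumption about what counts as a match.

```python
# Constructed sample records; ids and field names are hypothetical.
PO_LINES = {  # (po, line) -> whether "Receipt Required" is in effect for the line
    ("PO-1001", 1): True,
    ("PO-1002", 1): True,
    ("PO-1003", 1): False,  # 3-way match overridden at PO line level
    ("PO-1004", 1): True,
}
RECEIPTS = [("PO-1001", 1, 10), ("PO-1004", 1, 3)]  # (po, line, qty received)
INVOICES = {  # invoice -> (po, line, qty invoiced), or None if no PO is referenced
    "INV-1": ("PO-1001", 1, 10),
    "INV-2": ("PO-1002", 1, 5),
    "INV-3": ("PO-1003", 1, 1),
    "INV-4": ("PO-1004", 1, 8),
    "INV-5": None,
}
PAYMENTS = [("PAY-1", "INV-1"), ("PAY-2", "INV-2"), ("PAY-3", "INV-3"),
            ("PAY-4", "INV-4"), ("PAY-5", "INV-5"), ("PAY-6", "INV-9")]

def match_status(invoice_id):
    """Trace one paid invoice back to its purchase order line and receipts."""
    if invoice_id not in INVOICES:
        return "no invoice"
    ref = INVOICES[invoice_id]
    if ref is None or (ref[0], ref[1]) not in PO_LINES:
        return "no purchase order"
    po, line, qty_invoiced = ref
    if not PO_LINES[(po, line)]:
        # Not a match failure, but every override should be listed for review.
        return "override: receipt not required"
    received = sum(q for p, ln, q in RECEIPTS if (p, ln) == (po, line))
    if received == 0:
        return "no receipt"
    if received < qty_invoiced:
        return "invoiced quantity exceeds receipts"
    return "matched"

def classify(payments):
    """Return payment id -> match status for a list of (payment, invoice) pairs."""
    return {pay: match_status(inv) for pay, inv in payments}

if __name__ == "__main__":
    for pay, status in classify(PAYMENTS).items():
        print(pay, status)
```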
PTP_06
Review the accrual method followed by the application for inventory and expense (non-inventory) items.
1. Review the “Financials/Purchasing Options Listing” report
for the following: “Accrue Inventory Items” should be set to
“On Receipt.” This setting governs whether receipts are
accrued immediately on receipt or at the month end.
2. Review the “Financials/Purchasing Options Listing” report
for the following: “Accrue Expense Items” should be set to
“On Receipt.” This setting governs whether receipts are
accrued immediately on receipt or at the month end.
PTP_07
Review the default receipt date of the application.
1. Oracle Purchasing uses the current date as the default receipt
date for all transactions. However, this date may be
overridden to accommodate late or early entries. Determine
client procedure for identifying and reviewing overrides and
consider the effectiveness of these procedures in
preventing/detecting postings to incorrect periods.
PTP_08
Identify policies and procedures supporting the receiving process.
1. Through client discussion, identify any policies and
procedures regarding the receiving process. Specifically,
identify any requirements related to timeliness of transaction
entry and monitoring of expected receipt dates. Document
these policies and procedures in the working papers.
2. Identify if the client uses the “Open Purchase Orders by
Buyer,” “Open Purchase Orders by Cost Center,” or
“Purchase Order Commitment by Period” reports to monitor
expected receipts. Document the client’s procedure for
reviewing these reports.
PTP_09
Review application configuration regarding unordered receipts.
1. Through client discussion, identify if the client allows
unordered receipts. Document any policies and procedures
in the working papers.
2. Review the “Receiving Options” form and determine the
setting of the “Allow Unordered Receipts” field. Ideally,
this field should be set to “No.”
3. Review the “Unordered Receipts” report. Identify if any
unordered receipts exist.
PTP_10
Review application configuration regarding purchasing, receiving, invoicing, and payment tolerances.
1. Review the “Financials/Purchasing Options Listing” report
for reasonableness of the following: Receipt Close
Tolerance, Invoice Close Tolerance, Price Tolerance,
Quantity Received Tolerance and Enforce Price Tolerance.
2. Review the “Payables Options” form (i.e. Payables
tolerances) for reasonableness.
PTP_11
Review application functionality regarding the use of pre-defined vendors and items when making purchases.
1. Oracle Purchasing and Payables functionality restricts
purchase orders and invoices to pre-defined vendors. Oracle
Purchasing functionality does not restrict items to
pre-defined items.
Document client procedures around restricting purchases to
certain vendors and certain items.
PTP_12
Identify policies and procedures supporting a monthly reconciliation between the sub-ledger(s) and General Ledger.
1. Through client discussion, identify any policies and
procedures supporting General Ledger to sub-ledger
reconciliations. Document these policies and procedures in
the working papers. Be sure to include names of reports
used to perform the reconciliations.
2. Perform a walkthrough of the reconciliation process to
confirm our understanding. Include copies of one month’s
reconciliation in the working papers.
3. Select a sample of monthly General Ledger to sub-ledger
reconciliations and test to determine if they were completed
in a timely manner. Identify significant reconciling items
and obtain an explanation.
PTP_13
Review application functionality and configuration regarding the accounting for purchases and payments.
1. Although default accounting is established at the vendor and
item master levels, it can be overridden at the Requisition
and Purchase Order levels and is eventually reviewed and
approved at these levels.
Consider application set-up and document client procedure
for accounting for purchases and payments.