© 2013 Grant Thornton Consulting Limited, Uganda | Business Process Audit | 30/10/2013

Section 6 Test of controls

01. Executive summary02. Organisation Structure – Steel and Tube Industries Limited03. Business process flow chart and documentation04. SWOT Analysis05. Stores management06. Test of controls

63

© 2013 Grant Thornton Consulting Limited, Uganda | Business Process Audit | 30/10/2013

IT general and business activity test of controlsThe company is using SAP – Business once for administering its business processes across the organisation. The importance of having controls of system shall protect the financials, assign accountability and responsibility for work assigned and reported

Process Head Sub-ProcessControl parametertested Detailedreport Risk Rating GT observations Management actions required

User Access Control Access log-ins done by users

1. Access to systemby different users on a user id

1. Some users pc names are created with personal names, some with designations, difficult to trace the department and their users

2. More than one action users accessed by multiple clients

3. Frequent password changes are not seen

4. Users often do not log off each time they log into the SAP.

5. There is also an over ride of user rights even when a user is on leave

1. Creating department wise ids and all pc names should be with department works assigned – Sales executive 1, Sales executive 2, Accounts 1, Accounts 2 etc

2. Inquiry by IT on a weekly basis if any other pc access the other user id from their pc.

Cash control 1. There are transactions that were identified to be with no user signature appended to them

Test of controls

Key: High Medium Low

Notes: This data has been extracted from 1-01-2013 to 309-09-2013Sources: 1. Grant Thornton Consulting Limited data analysis 2. SAP- Business one software

User access log

cash control_user signature

64

© 2013 Grant Thornton Consulting Limited, Uganda | Business Process Audit | 30/10/2013

Duplicate names/numbers test of controlsThe company is using SAP – Business once for administering its business processes across the organisation. The importance of having controls of system shall protect the financials, assign accountability and responsibility for work assigned and reported

Process Head Sub-ProcessControl parametertested Detailedreport Risk Rating GT observations Management actions required

Sales Sales order Missing sales order numbers

No risk detected

Sales Sales invoices &reserve invoices

Missing sales invoice and reserve invoice number

1. There is a serial number break as the invoice no's attached are dated back in 2012 yet Invoice no’s before them are dated as those of the current year2. Also some of the invoices are missing in the invoice no series specifically for outlet sales

Sales Credit notes 1. There is a serial number break as the credit memo no's attached are dated back in 2012

2. Credit memo No. 1939 has been raised and approved with 1% discount without mapping to the related invoice No.41917

Sales Delivery Notes No risk detected

Test of controls

Key: High Medium Low

Notes: This data has been extracted from 1-01-2013 to 309-09-2013Sources: 1. Grant Thornton Consulting Limited data analysis 2. SAP- Business one software

Missing sales credit memos

Missing Sales invoices

65

© 2013 Grant Thornton Consulting Limited, Uganda | Business Process Audit | 30/10/2013

Duplicate names/numbers test of controlsThe company is using SAP – Business once for administering its business processes across the organisation. The importance of having controls of system shall protect the financials, assign accountability and responsibility for work assigned and reported

Process Head Sub-ProcessControl parametertested Detailedreport Risk Rating GT observations Management actions required

Purchases Purchase order No risk detected

Purchases Purchase invoices &reserve invoices

1. These were identified as missing in the series of the current year

2. Some are traced back to the previous year

Purchases Purchase Credit Memos

1. There is a serial number break as the credit memo No's attached are dated back in 2012

Purchases Goods receipt PO 1. There is a serial number break as the Receipt No's attached are dated back in 2012

Test of controls

Key: High Medium Low

Notes: This data has been extracted from 1-01-2013 to 309-09-2013Sources: 1. Grant Thornton Consulting Limited data analysis 2. SAP- Business one software

Goods Reciept PO

Missing purchase credit memos

Missing purchase invoices

66

© 2013 Grant Thornton Consulting Limited, Uganda | Business Process Audit | 30/10/2013

Duplicate names/numbers test of controlsThe company is using SAP – Business once for administering its business processes across the organisation. The importance of having controls of system shall protect the financials, assign accountability and responsibility for work assigned and reported

Process Head Sub-ProcessControl parametertested Detailedreport Risk Rating GT observations Management actions required

Production Production order Missing production order series from the system

There is a serial number break as the Production Order No's attached are dated back in 2012 There is also an issue with the user signature as in the attached

Production Receipt from production

Missing receiptnumbers as aligned with production orders raised in system

These were identified as missing in the series of the current year but some are found to belong to the previous year

Production Issue for production Missing productionseries for items issued for production

These were identified as missing in the series of the current year but some are found to belong to the previous year

Test of controls

Key: High Medium Low

Notes: This data has been extracted from 1-01-2013 to 309-09-2013Sources: 1. Grant Thornton Consulting Limited data analysis 2. SAP- Business one software

Production orders

Missing reciepts from production

Missing issues for production

67

© 2013 Grant Thornton Consulting Limited, Uganda | Business Process Audit | 30/10/2013

HR Activity – Biometric time registration test of controlsThe company is using SAP – Business once for administering its business processes across the organisation. The importance of having controls of system shall protect the financials, assign accountability and responsibility for work assigned and reported

Process Head Sub-ProcessControl parametertested Detailedreport Risk Rating GT observations Management actions required

Human resource activity

Leaves 1. Leaves as per details captured from bio metric system against actual leave applications or leave roaster updates

1. According to the HR policy, there should be a leave roster to be maintained for each division. From the records it is identified for most cases the leave rosters are not utilized or are not followed rigorously

2. Only a few employees fill in delegation of authority forms

1. Define strict policies for leave management and to ensure that the payrolls are accurately processed against the leaves taken

2. Every employee and department heads to be trained and informed on the STIL's policy of leave approvals and their impact of not following strictly on their payrolls

Human resource activity

1. Biometric attendance

1. User signature2. Authorisation

status1. There are many absenteeism as per the attached report from system and we could not trace any actions taken against the same2. Employees at times do not swipe out on the biometric scan at the end of the day

1. Swipe in and swipe out should be mandatory to adhere strong control on their attendance as well as knowing their overtime in organisation

2. Absents should be strictly be addressed for knowing the leave status or the actual status

Test of controls

Key: High Medium Low

Notes: This data has been extracted from 1-01-2013 to 309-09-2013Sources: 1. Grant Thornton Consulting Limited data analysis 2. SAP- Business one software

Leave_sample_August

biometric scan_august

68