RIAM:SPECIALREVIEWS:Payment Systems Implementation Audits

From RiskWiki


Payment Systems Post Implementation Reviews


Most jurisdictions and corporations have some form of policy requiring a post implementation audit for payment systems. For example, the Australian Federal Government used to have what was known as a Reg 45A review. Finance Regulation 45A(3) stated that no money could be spent except for:

"Payments in respect of which the secretary or an authorised officer has indicated in writing, or in such other manner as approved in writing by the secretary,

(b)(ii) That in the preparation of that data, system controls and accounting procedures approved by the minister have been employed; "

The Audit Act Sect. 34(2) (referenced by Regulation 45A) imposed a legislative obligation to certify both that the appropriate delegates were authorising the payments and that the payments were made in accordance with the relevant Minister's written approved procedures.

The key assertions for a Reg. 45A(3)(b)(ii) review were therefore derived from two sources:

1. The need to comply with the Department's purchasing guidelines, which apply to any purchase. In particular, this is the need to certify that the computer system for which payment is being made has been delivered in good working order, is the system that was requested, and is of a satisfactory standard. Certifying that goods have been delivered in good working order is a requirement of the purchasing system;

2. The need to certify that a system (including both computer-based and manual components) to be used for payments will support the certification needs of future payments once it is relied upon by certifying officers claiming adherence to the Minister's prescribed purchasing/payments procedures. This source implies assertions similar to those of a purchasing and creditors system review.

This dual focus of a post implementation review is important to note:

  1. We are confirming that the controls over system specification, implementation and acceptance are in place and actually operated for the system that is the subject of the review; AND
  2. We are confirming that the system as implemented, with both its in-computer and around-the-computer controls, will allow the executive and board to attest to the accuracy of reported payment information.

The Assertions

The assertions are broadly:

1. That the computer system and the implemented control system (including the automated and manual environment) support audit assertions that:

a. Payment and expense data are bona fide, relating to transactions that actually exist;
b. Transaction and payment data reported/processed is:

  • Attributed to the proper period,
  • Accurately calculated,
  • Correctly accumulated,
  • Accurately recorded,
  • Correctly and completely disclosed,
  • Properly authorised with respect to transactions,
  • Confined to benefits for which the Department and suppliers are eligible,
  • Complete;

c. Payments are made to the correct recipient (from Finance Reg. 68);
d. Payments are supported by a claim that identifies the head of expenditure to which the payment is chargeable (from Finance Directions, Sect. 8);
e. The relevant legislation is observed;
f. The assets of the Department are appropriately protected and applied;
g. The system is implemented in accordance with the requirements specification and is fit for the purpose intended;
h. The system and application security is sufficient to sustain the assertions in (b) and to minimise the risk of system loss;
2. The implementation is sustainable regarding maintenance and operations for the anticipated life of the system.

Regulation 45A(3)(b)(ii) Controls

In order to conform with the requirements of Regulation 45A(3)(b)(ii), controls must be designed into payment systems, or otherwise be present, to ensure that:

Access Security

  1. Environmental controls such as physical security, continuity assurance (including data recovery, etc.) and logical security are operating appropriately.
  2. Application access is restricted to authorised users and the functions within the application are properly segregated.


  1. All stages of the approved control system have been correctly and completely carried out, and their performance is evidenced by audit trails.
  2. The output has been reconciled, or is reconcilable, to the input and/or source records and documents.


  1. Payment is authorised.
  2. Individual transactions can be matched to individual users.

Data Integrity

  1. The payee is the correct and entitled recipient (Reg. 68).
  2. Payment is for the correct amount.

Process Integrity

  1. Duplicate payments are not made.
  2. Rejected data is properly and completely corrected.


  1. Environmental controls such as continuity assurance (including data recovery, etc.) are operating appropriately.


  1. The system supports payments in a timely manner, ensuring bills are paid by their due dates.

In satisfying these requirements the controls may be either:

  • built into the application system itself (i.e. computerised);
  • present in the manual procedures under which the application or computer system is operated; or
  • part of the computerised environment of the application (i.e. the systems or environment level of the computer).

Which controls are appropriate will vary with the particular requirements of the application system.
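Several of the control objectives above (duplicate payments, segregation of application functions, authorisation by a delegate, matching transactions to users, reconciliation of output to input, and timeliness) can be tested directly against the payment data rather than only by inspection of procedures. The script below is an added example of such computer-assisted audit tests; it is not part of the original page and does not reflect any particular agency's system. The delegate register, invoice file and payment ledger are constructed for the example, and the record layout, user names and delegation limits are assumptions.

```python
"""Added example: computer-assisted audit tests over a constructed payment
ledger, one test per Reg. 45A(3)(b)(ii) control objective it exercises.
All data below is made up for illustration; the field names and the
delegation limits are assumptions, not any real system's layout."""
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Constructed delegate register: users holding a written payment delegation
# and the limit of that delegation (hypothetical).
DELEGATES = {"j.smith": Decimal("50000"), "a.lee": Decimal("10000")}

# Constructed source records (the "input"): invoices approved for payment.
INVOICES = {
    "INV-1001": Decimal("1200.00"),
    "INV-1002": Decimal("8750.50"),
    "INV-1003": Decimal("300.00"),
    "INV-1004": Decimal("15000.00"),
}

# Constructed payment ledger (the "output"). Each row is one payment run entry;
# the comments note the seeded control failures each row is meant to trigger.
PAYMENTS = [
    {"id": 1, "payee": "Acme Pty Ltd", "invoice": "INV-1001", "amount": Decimal("1200.00"),
     "created_by": "b.wong", "approved_by": "j.smith", "due": date(2024, 3, 10), "paid": date(2024, 3, 8)},
    {"id": 2, "payee": "Acme Pty Ltd", "invoice": "INV-1001", "amount": Decimal("1200.00"),
     "created_by": "b.wong", "approved_by": "j.smith", "due": date(2024, 3, 10), "paid": date(2024, 3, 9)},  # duplicate of 1
    {"id": 3, "payee": "Beta Supplies", "invoice": "INV-1002", "amount": Decimal("8750.50"),
     "created_by": "a.lee", "approved_by": "a.lee", "due": date(2024, 3, 15), "paid": date(2024, 3, 20)},  # same user entered and approved; paid late
    {"id": 4, "payee": "Gamma Services", "invoice": "INV-1003", "amount": Decimal("300.00"),
     "created_by": None, "approved_by": "j.smith", "due": date(2024, 3, 12), "paid": date(2024, 3, 11)},  # no user attribution
    {"id": 5, "payee": "Delta Corp", "invoice": "INV-1004", "amount": Decimal("15000.00"),
     "created_by": "b.wong", "approved_by": "a.lee", "due": date(2024, 3, 30), "paid": date(2024, 3, 28)},  # exceeds approver's delegation
]


def duplicate_payments(payments):
    """Same payee, invoice reference and amount paid more than once."""
    key = lambda p: (p["payee"], p["invoice"], p["amount"])
    counts = Counter(key(p) for p in payments)
    return sorted(p["id"] for p in payments if counts[key(p)] > 1)


def segregation_breaches(payments):
    """One user both entered and approved the payment."""
    return sorted(p["id"] for p in payments
                  if p["created_by"] is not None and p["created_by"] == p["approved_by"])


def authorisation_breaches(payments, delegates):
    """Approver holds no delegation, or the amount exceeds the approver's limit."""
    return sorted(p["id"] for p in payments
                  if p["approved_by"] not in delegates
                  or p["amount"] > delegates[p["approved_by"]])


def unattributed(payments):
    """Transactions that cannot be matched to the user who entered them."""
    return sorted(p["id"] for p in payments if not p["created_by"])


def reconcile(payments, invoices):
    """Reconcile output (amounts paid per invoice) to input (source invoices).
    Returns (paid_total, invoice_total, {invoice: difference}) where only
    invoices with a non-zero difference, or paid without a source record, appear."""
    paid = defaultdict(Decimal)
    for p in payments:
        paid[p["invoice"]] += p["amount"]
    diffs = {ref: paid[ref] - amt for ref, amt in invoices.items() if paid[ref] != amt}
    diffs.update({ref: paid[ref] for ref in paid if ref not in invoices})
    return sum(paid.values()), sum(invoices.values()), diffs


def late_payments(payments):
    """Payments made after their due date."""
    return sorted(p["id"] for p in payments if p["paid"] > p["due"])


def run_tests(payments=PAYMENTS, invoices=INVOICES, delegates=DELEGATES):
    """Run every test and return the exceptions per control objective."""
    _, _, diffs = reconcile(payments, invoices)
    return {
        "duplicates": duplicate_payments(payments),
        "segregation": segregation_breaches(payments),
        "authorisation": authorisation_breaches(payments, delegates),
        "unattributed": unattributed(payments),
        "reconciliation_differences": diffs,
        "late": late_payments(payments),
    }


if __name__ == "__main__":
    for name, hits in run_tests().items():
        print(f"{name}: {hits}")
```

Each function returns the identifiers of the exceptions rather than a pass/fail flag, so the working papers can record which transactions were followed up. In practice the delegate register and the invoice file would be extracted from the system of record on the same cut-off date as the ledger, since a reconciliation across mismatched extraction dates produces spurious differences.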

The control objectives above focus primarily on the certification requirements for future payments (the second source in 12.1 above) rather than on whether the system itself is in good working order. The latter is examined in the following discussion.

User management should be formally advised of the follow-up audit and of the date of the entry interview. The entry interview should focus on the objectives of the review: ascertaining the status of the audit recommendations and whether user management has adequately addressed them from a control perspective. Outcomes from the above should be raised at this point and user management given the opportunity to respond.

Audit should then verify whether user management has actually implemented the recommendations it has advised audit were taken up. The adequacy of the implemented control features needs to be substantiated, tested and documented.

An assessment of the adverse impact or potential exposure arising from any failure to implement a recommendation should be undertaken and documented. The working papers should be updated to reflect any significant change in operating procedures and policies, including, of course, the effect of implementing the recommendations and their respective controls.

The last step is to draft a report on findings and arrange for an exit interview to discuss the draft report with user management. Responses to the draft should be noted and incorporated in the final report for presentation to user management.

Before release of the final report, there should be a quality assurance of the working papers to ensure they have been updated accordingly and the findings in the report can be substantiated.