I S 5 3 0 : A c c o u nti ng I n f orm at ion S y s t em s h t t p : / / w w w. c s u n . e d u / ~ d n 5 8 4 1 2 / I S 5 3 0 / I S 5 3 0 _ F 1 5 . h t m Business Process and Application Controls Lecture 5 LEARNING OBJECTIVES Control Framework and Control Matrix. Preparing Control Matrix Review Control Plans 2 IS 530 : Lecture 5 2 Elements of Control Framework Control matrix: tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans. • Establishes the criteria to be used in evaluating the controls in a particular business process. Control goals: business process objectives that an internal control system is designed to achieve. Control plans: reflect information-processing policies and procedures that assist in accomplishing control goals. IS 530 : Lecture 5 3 Control Plans Business process control plans are applied to a particular business process, such as billing or cash receipts. Application controls are automated business process controls contained within IT application systems (i.e., computer programs). IS 530 : Lecture 5 4 Suprina Annotated Systems Flowchart IS 530 : Lecture 5 5 Suprina Control Matrix Cf. (Fig 9-1) Four elements of the control matrix • control goals • recommend control plans • cell entries • explanation of cell entries IS 530 : Lecture 5 6 Control Matrix Explanations IS 530 : Lecture 5 7 Control Matrix for Suprina Order Entry Process Control Goals IS 530 : Lecture 5 8 Control Matrix for Suprina Order Entry Process Control Plans IS 530 : Lecture 5 9 Business Process Control Goals Control goals of the operations processes • Ensure effectiveness of operations • Ensure efficient employment of resources • Ensure security of resources Control goals of the information processes • For business event inputs, ensure o Input validity, input completeness, input accuracy • For master data, ensure o Update completeness, update accuracy IS 530 : Lecture 5 10 Steps in Preparing a Control Matrix - 1 STEP I: SPECIFY CONTROL GOALS. 1. Identify the Operations Process Control Goals a. Effectiveness goals b. Efficiency goals c. Security goals 2. Identify Information Process Control Goals a. Input Goals b. Update Goals IS 530 : Lecture 5 11 Control Goals of Operations Processes IS 530 : Lecture 5 12 Operations Process Control Goals: Effectiveness Goals Describe measures of success for the operations process that are developed during an enterprise’s risk-management process. Different processes have different effectiveness goals. For the Suprina order entry process two examples are: • • A: Provide timely acknowledgement of customer orders. B: Provide assurance of customer’s creditworthiness. IS 530 : Lecture 5 13 Operations Process Control Goals: Efficiency Goals Ensure that all resources used throughout the business process are being employed in the most productive manner. For the Suprina order entry process, and for all accounting information systems, people and computers should always be included in the efficiency assessment. For other business processes, such as receiving goods and supplies, efficiency goals include the productive use of equipment. IS 530 : Lecture 5 14 Operations Process Control Goals: Security Goals Protect entity resources from loss, destruction, disclosure, copying, sale, or other misuse. Two resources of the order entry process over which security must be ensured are inventory and information (customer master data). With any business process, we are concerned with information that is added, changed, or deleted as a result of executing the process, and assets that are brought into or taken out of the organization as a result of the process. IS 530 : Lecture 5 15 Control Goals of Information Processes IS 530 : Lecture 5 16 Information Process Control Goals: Input Goals With respect to all business process data (e.g., customer orders) entering the system, ensure: • input validity (IV) • input completeness (IC) • input accuracy (IA) The input data is specifically named. With respect to other business processes, such as hiring employees, concern would be with other inputs, such as employee, payroll, and benefit plan data. IS 530 : Lecture 5 17 Information Process Control Goals: Update Goals For the business process input data ensure: • • Update completeness (UC) Update accuracy (UA) Update goals apply only when there is a periodic process. Applicable master data are listed on the control matrix. Other business processes would involve different master data, such as vendor, payroll, or accounts payable master data. IS 530 : Lecture 5 18 Steps in Preparing a Control Matrix - 2 STEP 2 : IDENTIFY RECOMMENDED CONTROL PLANS 1. Identify “Present” control plans and annotate on the systems flowchart 2. Evaluate “Present” Control Plans 3. Identify and Evaluate “Missing” Control Plans IS 530 : Lecture 5 19 Identify Present Control Plans • Start in the upper left-hand column of the systems • • • flowchart and identify controls that seem to accomplish one or more control goals. Each process symbol should be associated with one or more controls. Some controls, such as document design, are not directly associated with process symbols. Follow the sequential logic of the systems flowchart and identify all present controls. IS 530 : Lecture 5 20 Annotate Present Control Plans • When a control appears on a flowchart, the control • • plan is present as opposed to missing. Place a P- beside the control, indicating that is it present, and a 1 beside the P- reflecting the first present control plan on the flowchart. Continue reviewing the systems flowchart by following its sequential logic, annotating the flowchart with P-2, P-3, and so on until all present control plans have been accounted for. IS 530 : Lecture 5 21 Evaluate “Present” Control Plans • Write numbers (P-1, P-2, P-3 through P-n) and name • • of each control plan in the left-hand column of the control matrix. For each present control plan, look across the row and determine which control goals the plan addresses. Place a P-n (e.g., P-1) in each cell of the matrix for which the control is applicable. Simultaneously, in the section below the matrix, describe how the control plan addresses each noted control goal. IS 530 : Lecture 5 22 Identify and Evaluate “Missing” Control Plans • Determine if additional controls are needed to address missing control goal areas, strengthen present control plans, or both. • In the left-hand column of the matrix, number the first missing control plan as M-1 and label the plan. • Place M-1 in each cell in the matrix row for which the missing control is designed. • In the section below the matrix, explain how the missing control will address each noted control goal. • Annotate M-1 on the systems flowchart where the control should be inserted. IS 530 : Lecture 5 23 Identify and Evaluate “Missing” Control Plans . . . • Examine the control matrix: • If there are still control goals for which there is no control plan, develop plan (e.g., M-2) and repeat the steps. • Continue until each control goal on the matrix is addressed by at least one control plan. • Analyze the systems flowchart for further risk exposures • Look for areas where further controls are needed. • Control plans might need to be added or existing plans might need to be strengthened to reduce residual risk to an acceptable level. • Training and experience are required to identify these risks and weaknesses. IS 530 : Lecture 5 24 Systems Flowchart: Manual And Automated Data Entry IS 530 : Lecture 5 25 Control Matrix for Manual and Automated Data Entry IS 530 : Lecture 5 26 Control Plans for Manual and Automated Data Input P-1: Document design: source document is designed to make it easier to prepare the document initially and later to input data from the document into a computer or other input device. P-2: Written approvals: signature or initials on a document to indicate that someone has authorized the event. Ensures that the data input arises from a valid business event and that appropriate authorizations have been obtained. • Electronic approvals: business events are routed, using a computer system’s workflow facility, to persons authorized to approve the event. IS 530 : Lecture 5 27 Control Plans for Manual and Automated Data Input . . . P-3: Preformatted screens: define acceptable format of each data field; provide drop-down lists of data that are acceptable for a given field; cursor may automatically move to the next field on the screen; require that certain fields be completed; automatically populate certain fields with data. P-4: Online prompting: request user input or ask questions that the user must answer; also contextsensitive help. P-5: Populate input screens with master data: clerk enters identification code for an entity and system retrieves data about that entity from the master data. IS 530 : Lecture 5 28 Control Plans for Manual and Automated Data Input . . . P-6: Compare input data with master data: comparisons performed manually or by the computer to determine the accuracy and validity of input data. Includes: • Input/master data match. • Input/master data dependency check. • Input/master data validity and accuracy check. P-7: Procedures for rejected Inputs: ensure that erroneous data (i.e., data not accepted for processing) are corrected and resubmitted for processing. IS 530 : Lecture 5 29 Control Plans for Manual and Automated Data Input . . . P-8: Programmed edit checks: automatically performed by data entry programs upon entry of the input data to highlight actual or potential input errors and allow them to be corrected quickly and efficiently. Includes: • Limit checks: test whether the contents (e.g., values) of the • data entered fall within predetermined limits. Reasonableness checks: compares entered data with a calculated amount (not a predetermined amount) to discover inputs that may be incorrect. IS 530 : Lecture 5 30 Control Plans for Manual and Automated Data Input . . . P-8: Programmed edit checks (cont’d): • Document/record hash totals: summarization of any • • numeric data field within the input document or record. Calculated before and then again after entry of the document or record, this total can be used to determine that the applicable fields were entered accurately. Mathematical accuracy checks: compare calculations performed manually to those performed by the computer to determine whether a document has been entered correctly. Check digit: an extra digit added to the identification number of entities such as customers and vendors to detect those numbers that have been input incorrectly. IS 530 : Lecture 5 31 Control Plans for Manual and Automated Data Input . . . P-9: Confirm input acceptance: data entry program informs the user that the input has been accepted for processing. P-10: Automated data entry: strategy for the capture and entry of event-related data using technology such as OCR, bar codes, RFID, and EDI. IS 530 : Lecture 5 32 Control Plans for Manual and Automated Data Input . . . P-11: Enter data close to the originating source: strategy for the capture and entry of event-related data close to the place and time that an event occurs. P-12: Digital signatures: validates the identity of the sender and the integrity of an electronic message to reduce the risk that a communication was sent by an unauthorized system or user or was intercepted or modified in transit. IS 530 : Lecture 5 33 Data Entry With Batches Collecting inputs into “batches”; batched inputs are then entered into system as a group. • Results in some delay between the business event and its reflection in the system. Allows for controls for the batch, e.g., batch control totals. • Exception and summary report: report of the events—either in detail, summary, or both—that were accepted or rejected by the system. Batch control plans: regulate processing by calculating control totals at various points in a processing run and subsequently comparing these totals. IS 530 : Lecture 5 34 Batch Control Plans To be effective, batch control plans should ensure that: • All documents are included in the batch. • All batches are submitted for processing. • All batches are accepted by the computer. • All differences are disclosed, investigated and corrected on a timely basis. Batch control procedures start by grouping event data and calculating totals for the group. IS 530 : Lecture 5 35 Batch Control Plans . . . Document/record counts: Simple count of the number of documents entered in a batch. Minimum level required to control input completeness (i.e., input the document once). Item or line counts: counts of number of items or lines entered, such as a count of the number of different items on a sales document. Improves input validity, completeness, and accuracy by reducing the possibility that line items or entire documents could be added to the batch or not be input. IS 530 : Lecture 5 36 Batch Control Plans . . . Dollar totals: sum of dollar value of items in batch. By reducing the possibility that entire documents could be added to or lost from the batch or that dollar amounts were incorrectly input, this control improves input validity, completeness, and accuracy. Hash totals: sum of any numeric data existing for all documents in the batch, such as a total of customer numbers or purchase order numbers in the case of sales documents. Can determine if inputs have been altered, added, or deleted. IS 530 : Lecture 5 37 Other Data Entry Control Plans Turnaround documents: document output by the computer used to capture and input a subsequent event. Key verification: input documents are keyed by one individual and then rekeyed by a second individual to detect keying errors. Sequence checks: applied to sequentially numbered and prenumbered documents to determine that all documents have been processed (completeness) and that no extra documents have been processed (completeness, if a duplicated document, or validity, if a bogus document). IS 530 : Lecture 5 38 Other Data Entry Control Plans . . . Batch sequence check: event data within a batch are checked as follows: 1. The range of serial numbers constituting the documents in the batch is entered. 2. Each individual serially prenumbered document is entered. 3. The computer program sorts the input documents into numerical order; checks the documents against the sequence number range; and reports missing, duplicate, and out-of-range data. IS 530 : Lecture 5 39 Other Data Entry Control Plans . . . Cumulative sequence check: provides input control in those situations in which the serial numbers are assigned within the organization but are not entered in perfect serial number sequence. In this case, the matching of individual event data (picking ticket) numbers is made to a file that contains all document numbers (all sales order numbers). Periodically, reports of missing numbers are produced for manual follow-up. IS 530 : Lecture 5 40 Other Data Entry Control Plans . . . Manual reconciliation of batch totals: 1. One or more batch totals are established manually. 2. As individual event descriptions are entered the data entry program accumulates independent batch totals. 3. The computer produces reports (or displays) at the end of either the input process or the update process, or both. The report (or display) includes the relevant control totals that must be manually reconciled with the totals established prior to the particular process. 4. The person who reconciles the batch total must determine why the totals do not agree and make corrections as necessary to ensure the integrity of the input data. IS 530 : Lecture 5 41 Other Data Entry Control Plans . . . Computer agreement of batch totals: 1. First, one or more of the batch totals are established 2. Then the manually prepared total is entered into the computer and is written to the computer batch control totals data. 3. As individual source documents are entered, a computer program accumulates independent batch totals and compares these totals to the ones prepared manually and entered at the start of the processing. 4. The computer prepares a report, which usually contains details of each batch, together with an indication of whether the totals agreed or disagreed. IS 530 : Lecture 5 42 Other Data Entry Control Plans . . . Agree run-to-run totals: reconciling totals prepared before a computer process has begun to totals prepared at the completion of the computer process. Tickler file: manual file of documents, or a computer file, that contains business event data that is pending further action. One-for-one checking: detailed comparison of the individual elements of two or more data sources to determine that they agree. IS 530 : Lecture 5 43 System Flowchart : Data Entry with Batches IS 530 : Lecture 5 44 Control Matrix for Data Entry with Batches IS 530 : Lecture 5 45 Computer Agreement of Batch Totals IS 530 : Lecture 5 46 Level of Assurance Provided by Internal Controls IS 530 : Lecture 5 47