Lecture Note 5

IS 530: Accounting Information Systems
http://www.csun.edu/~dn58412/IS530/IS530_F15.htm
Business Process and Application Controls
Lecture 5
LEARNING OBJECTIVES
• Control framework and control matrix
• Preparing a control matrix
• Review of control plans
IS 530 : Lecture 5
Elements of Control Framework
• Control matrix: tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans.
  • Establishes the criteria to be used in evaluating the controls in a particular business process.
• Control goals: business process objectives that an internal control system is designed to achieve.
• Control plans: reflect information-processing policies and procedures that assist in accomplishing control goals.
Control Plans
• Business process control plans are applied to a particular business process, such as billing or cash receipts.
• Application controls are automated business process controls contained within IT application systems (i.e., computer programs).
Suprina Annotated Systems Flowchart
Suprina Control Matrix
• Cf. Fig. 9-1
• Four elements of the control matrix:
  • control goals
  • recommended control plans
  • cell entries
  • explanation of cell entries
Control Matrix Explanations
Control Matrix for Suprina Order Entry Process
Control Goals
Control Matrix for Suprina Order Entry Process
Control Plans
Business Process Control Goals
• Control goals of the operations processes
  • Ensure effectiveness of operations
  • Ensure efficient employment of resources
  • Ensure security of resources
• Control goals of the information processes
  • For business event inputs, ensure
    o input validity, input completeness, input accuracy
  • For master data, ensure
    o update completeness, update accuracy
Steps in Preparing a Control Matrix - 1
STEP 1: SPECIFY CONTROL GOALS.
1. Identify the Operations Process Control Goals
a. Effectiveness goals
b. Efficiency goals
c. Security goals
2. Identify Information Process Control Goals
a. Input Goals
b. Update Goals
Control Goals of Operations Processes
Operations Process Control Goals: Effectiveness Goals
• Describe measures of success for the operations process that are developed during an enterprise’s risk-management process.
• Different processes have different effectiveness goals. For the Suprina order entry process two examples are:
  • A: Provide timely acknowledgement of customer orders.
  • B: Provide assurance of customer’s creditworthiness.
Operations Process Control Goals: Efficiency Goals
• Ensure that all resources used throughout the business process are being employed in the most productive manner.
• For the Suprina order entry process, and for all accounting information systems, people and computers should always be included in the efficiency assessment.
• For other business processes, such as receiving goods and supplies, efficiency goals include the productive use of equipment.
Operations Process Control Goals: Security Goals
• Protect entity resources from loss, destruction, disclosure, copying, sale, or other misuse.
• Two resources of the order entry process over which security must be ensured are inventory and information (customer master data).
• With any business process, we are concerned with information that is added, changed, or deleted as a result of executing the process, and assets that are brought into or taken out of the organization as a result of the process.
Control Goals of Information Processes
Information Process Control Goals: Input Goals
• With respect to all business process data (e.g., customer orders) entering the system, ensure:
  • input validity (IV)
  • input completeness (IC)
  • input accuracy (IA)
• The input data is specifically named.
• With respect to other business processes, such as hiring employees, concern would be with other inputs, such as employee, payroll, and benefit plan data.
Information Process Control Goals: Update Goals
• For the business process input data ensure:
  • update completeness (UC)
  • update accuracy (UA)
• Update goals apply only when there is a periodic process.
• Applicable master data are listed on the control matrix.
• Other business processes would involve different master data, such as vendor, payroll, or accounts payable master data.
Steps in Preparing a Control Matrix - 2
STEP 2: IDENTIFY RECOMMENDED CONTROL PLANS
1. Identify “Present” control plans and annotate on
the systems flowchart
2. Evaluate “Present” Control Plans
3. Identify and Evaluate “Missing” Control Plans
Identify Present Control Plans
• Start in the upper left-hand column of the systems flowchart and identify controls that seem to accomplish one or more control goals.
• Each process symbol should be associated with one or more controls.
• Some controls, such as document design, are not directly associated with process symbols.
• Follow the sequential logic of the systems flowchart and identify all present controls.
Annotate Present Control Plans
• When a control appears on a flowchart, the control plan is present as opposed to missing.
• Place a P- beside the control, indicating that it is present, and a 1 beside the P- reflecting the first present control plan on the flowchart.
• Continue reviewing the systems flowchart by following its sequential logic, annotating the flowchart with P-2, P-3, and so on until all present control plans have been accounted for.
Evaluate “Present” Control Plans
• Write the number (P-1, P-2, P-3 through P-n) and name of each control plan in the left-hand column of the control matrix.
• For each present control plan, look across the row and determine which control goals the plan addresses. Place a P-n (e.g., P-1) in each cell of the matrix for which the control is applicable.
• Simultaneously, in the section below the matrix, describe how the control plan addresses each noted control goal.
Identify and Evaluate “Missing” Control Plans
• Determine if additional controls are needed to
address missing control goal areas, strengthen
present control plans, or both.
• In the left-hand column of the matrix, number the first
missing control plan as M-1 and label the plan.
• Place M-1 in each cell in the matrix row for which the
missing control is designed.
• In the section below the matrix, explain how the
missing control will address each noted control goal.
• Annotate M-1 on the systems flowchart where the
control should be inserted.
Identify and Evaluate “Missing” Control Plans . . .
• Examine the control matrix:
  • If there are still control goals for which there is no control plan, develop a plan (e.g., M-2) and repeat the steps.
  • Continue until each control goal on the matrix is addressed by at least one control plan.
• Analyze the systems flowchart for further risk exposures:
  • Look for areas where further controls are needed.
  • Control plans might need to be added or existing plans might need to be strengthened to reduce residual risk to an acceptable level.
  • Training and experience are required to identify these risks and weaknesses.
Systems Flowchart: Manual and Automated Data Entry
Control Matrix for Manual and Automated Data Entry
Control Plans for Manual and Automated Data Input
• P-1: Document design: source document is designed to make it easier to prepare the document initially and later to input data from the document into a computer or other input device.
• P-2: Written approvals: signature or initials on a document to indicate that someone has authorized the event. Ensures that the data input arises from a valid business event and that appropriate authorizations have been obtained.
  • Electronic approvals: business events are routed, using a computer system’s workflow facility, to persons authorized to approve the event.
Control Plans for Manual and Automated Data Input . . .
• P-3: Preformatted screens: define the acceptable format of each data field; provide drop-down lists of data that are acceptable for a given field; the cursor may automatically move to the next field on the screen; require that certain fields be completed; automatically populate certain fields with data.
• P-4: Online prompting: request user input or ask questions that the user must answer; also context-sensitive help.
• P-5: Populate input screens with master data: clerk enters the identification code for an entity and the system retrieves data about that entity from the master data.
Control Plans for Manual and Automated Data Input . . .
• P-6: Compare input data with master data: comparisons performed manually or by the computer to determine the accuracy and validity of input data. Includes:
  • Input/master data match.
  • Input/master data dependency check.
  • Input/master data validity and accuracy check.
• P-7: Procedures for rejected inputs: ensure that erroneous data (i.e., data not accepted for processing) are corrected and resubmitted for processing.
Control Plans for Manual and Automated Data Input . . .
• P-8: Programmed edit checks: automatically performed by data entry programs upon entry of the input data to highlight actual or potential input errors and allow them to be corrected quickly and efficiently. Includes:
  • Limit checks: test whether the contents (e.g., values) of the data entered fall within predetermined limits.
  • Reasonableness checks: compare entered data with a calculated amount (not a predetermined amount) to discover inputs that may be incorrect.
Control Plans for Manual and Automated Data Input . . .
• P-8: Programmed edit checks (cont’d):
  • Document/record hash totals: summarization of any numeric data field within the input document or record. Calculated before and then again after entry of the document or record, this total can be used to determine that the applicable fields were entered accurately.
  • Mathematical accuracy checks: compare calculations performed manually to those performed by the computer to determine whether a document has been entered correctly.
  • Check digit: an extra digit added to the identification number of entities such as customers and vendors to detect those numbers that have been input incorrectly.
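As an added example (not from the lecture or its textbook), the P-8 edit checks written out in Python: a limit check, a reasonableness check and a check-digit validation applied to one constructed sales order line. The field names, the limits and the weighted mod-10 check-digit scheme are assumptions; the slides name no particular scheme.

```python
# Added example: P-8 programmed edit checks on one constructed sales order line.
# Field names, limits and the weighted mod-10 check-digit scheme are assumptions,
# not from the lecture; they stand in for whatever the entry program would use.
QTY_LIMIT = 1_000            # predetermined limit for quantity ordered
UNIT_PRICE_LIMIT = 5_000.00  # predetermined limit for unit price

def limit_check(qty: int, unit_price: float) -> list[str]:
    """Limit check: do the entered values fall within predetermined limits?"""
    errors = []
    if not 1 <= qty <= QTY_LIMIT:
        errors.append(f"quantity {qty} outside 1..{QTY_LIMIT}")
    if not 0 < unit_price <= UNIT_PRICE_LIMIT:
        errors.append(f"unit price {unit_price} outside 0..{UNIT_PRICE_LIMIT}")
    return errors

def reasonableness_check(line_total: float, qty: int, unit_price: float) -> list[str]:
    """Reasonableness check: compare the entered total with a calculated amount."""
    expected = round(qty * unit_price, 2)
    if abs(line_total - expected) > 0.005:
        return [f"line total {line_total} differs from calculated {expected}"]
    return []

def check_digit(body: str) -> str:
    """Weighted mod-10 check digit (assumed scheme): weights 2, 3, 4, ... from the right."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    return str((10 - total % 10) % 10)

def check_digit_ok(customer_number: str) -> bool:
    """Validate an identification number whose last digit is its check digit."""
    body, digit = customer_number[:-1], customer_number[-1:]
    return body.isdigit() and check_digit(body) == digit

def edit_check(record: dict) -> list[str]:
    """Run all edit checks on one entered record; an empty list means it is accepted."""
    errors = []
    if not check_digit_ok(record["customer_number"]):
        errors.append(f"customer number {record['customer_number']} fails check digit")
    errors += limit_check(record["qty"], record["unit_price"])
    errors += reasonableness_check(record["line_total"], record["qty"], record["unit_price"])
    return errors

# Constructed input: a correctly keyed line, then the same line with a transposed customer number.
GOOD_LINE = {"customer_number": "123450", "qty": 10, "unit_price": 25.00, "line_total": 250.00}
TRANSPOSED = dict(GOOD_LINE, customer_number="213450")

if __name__ == "__main__":
    for rec in (GOOD_LINE, TRANSPOSED):
        print(rec["customer_number"], edit_check(rec) or "accepted")
```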
Control Plans for Manual and Automated Data Input . . .
• P-9: Confirm input acceptance: data entry program informs the user that the input has been accepted for processing.
• P-10: Automated data entry: strategy for the capture and entry of event-related data using technology such as OCR, bar codes, RFID, and EDI.
Control Plans for Manual and Automated Data Input . . .
• P-11: Enter data close to the originating source: strategy for the capture and entry of event-related data close to the place and time that an event occurs.
• P-12: Digital signatures: validate the identity of the sender and the integrity of an electronic message to reduce the risk that a communication was sent by an unauthorized system or user or was intercepted or modified in transit.
Data Entry With Batches
• Collecting inputs into “batches”; batched inputs are then entered into the system as a group.
  • Results in some delay between the business event and its reflection in the system.
  • Allows for controls for the batch, e.g., batch control totals.
• Exception and summary report: report of the events—either in detail, summary, or both—that were accepted or rejected by the system.
• Batch control plans: regulate processing by calculating control totals at various points in a processing run and subsequently comparing these totals.
Batch Control Plans
• To be effective, batch control plans should ensure that:
  • All documents are included in the batch.
  • All batches are submitted for processing.
  • All batches are accepted by the computer.
  • All differences are disclosed, investigated and corrected on a timely basis.
• Batch control procedures start by grouping event data and calculating totals for the group.
Batch Control Plans . . .
• Document/record counts: simple count of the number of documents entered in a batch. Minimum level required to control input completeness (i.e., input the document once).
• Item or line counts: counts of the number of items or lines entered, such as a count of the number of different items on a sales document. Improves input validity, completeness, and accuracy by reducing the possibility that line items or entire documents could be added to the batch or not be input.
Batch Control Plans . . .
• Dollar totals: sum of the dollar value of items in the batch. By reducing the possibility that entire documents could be added to or lost from the batch or that dollar amounts were incorrectly input, this control improves input validity, completeness, and accuracy.
• Hash totals: sum of any numeric data existing for all documents in the batch, such as a total of customer numbers or purchase order numbers in the case of sales documents. Can determine if inputs have been altered, added, or deleted.
Other Data Entry Control Plans
• Turnaround documents: document output by the computer used to capture and input a subsequent event.
• Key verification: input documents are keyed by one individual and then rekeyed by a second individual to detect keying errors.
• Sequence checks: applied to sequentially numbered and prenumbered documents to determine that all documents have been processed (completeness) and that no extra documents have been processed (completeness, if a duplicated document, or validity, if a bogus document).
Other Data Entry Control Plans . . .
• Batch sequence check: event data within a batch are checked as follows:
  1. The range of serial numbers constituting the documents in the batch is entered.
  2. Each individual serially prenumbered document is entered.
  3. The computer program sorts the input documents into numerical order; checks the documents against the sequence number range; and reports missing, duplicate, and out-of-range data.
Other Data Entry Control Plans . . .
• Cumulative sequence check: provides input control in those situations in which the serial numbers are assigned within the organization but are not entered in perfect serial number sequence. In this case, the matching of individual event data (picking ticket) numbers is made to a file that contains all document numbers (all sales order numbers). Periodically, reports of missing numbers are produced for manual follow-up.
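An added example, not from the lecture, implementing the two sequence checks described above (the batch sequence check and the cumulative sequence check) over constructed document numbers; the range, the numbers and the in-memory stand-in for the sales order file are assumptions.

```python
# Added example: batch sequence check and cumulative sequence check over constructed
# document numbers. The ranges, numbers and the "sales order file" are constructed.

def batch_sequence_check(range_start: int, range_end: int, entered: list[int]) -> dict[str, list[int]]:
    """Batch sequence check: sort the entered serial numbers, compare them against the
    range keyed for the batch, and report missing, duplicate and out-of-range numbers."""
    counts: dict[int, int] = {}
    for n in sorted(entered):
        counts[n] = counts.get(n, 0) + 1
    expected = range(range_start, range_end + 1)
    return {
        "missing": [n for n in expected if n not in counts],
        "duplicate": [n for n, c in counts.items() if c > 1],
        "out_of_range": [n for n in counts if n not in expected],
    }

class CumulativeSequenceCheck:
    """Cumulative sequence check: numbers are assigned in-house but arrive out of order, so
    each arriving document (picking ticket) is matched to the file of all issued numbers
    (sales orders) and the still-unmatched numbers are reported periodically."""

    def __init__(self, issued_numbers: list[int]):
        self.issued = set(issued_numbers)   # constructed stand-in for the sales order file
        self.matched: set[int] = set()      # order numbers for which a ticket has arrived
        self.unknown: list[int] = []        # ticket numbers with no corresponding order

    def record(self, ticket_number: int) -> bool:
        """Match one arriving picking ticket; False means no such sales order exists."""
        if ticket_number not in self.issued:
            self.unknown.append(ticket_number)
            return False
        self.matched.add(ticket_number)
        return True

    def missing_report(self) -> list[int]:
        """Issued numbers for which no ticket has arrived yet (the manual follow-up list)."""
        return sorted(self.issued - self.matched)

if __name__ == "__main__":
    print(batch_sequence_check(101, 105, [103, 101, 105, 103, 107]))
    check = CumulativeSequenceCheck([5001, 5002, 5003, 5004])
    for ticket in (5003, 5001, 5099):
        check.record(ticket)
    print("missing:", check.missing_report(), "unknown:", check.unknown)
```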
Other Data Entry Control Plans . . .
• Manual reconciliation of batch totals:
  1. One or more batch totals are established manually.
  2. As individual event descriptions are entered, the data entry program accumulates independent batch totals.
  3. The computer produces reports (or displays) at the end of either the input process or the update process, or both. The report (or display) includes the relevant control totals that must be manually reconciled with the totals established prior to the particular process.
  4. The person who reconciles the batch total must determine why the totals do not agree and make corrections as necessary to ensure the integrity of the input data.
Other Data Entry Control Plans . . .
• Computer agreement of batch totals:
  1. First, one or more of the batch totals are established manually.
  2. Then the manually prepared total is entered into the computer and is written to the computer batch control totals data.
  3. As individual source documents are entered, a computer program accumulates independent batch totals and compares these totals to the ones prepared manually and entered at the start of the processing.
  4. The computer prepares a report, which usually contains details of each batch, together with an indication of whether the totals agreed or disagreed.
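As an added example (not from the lecture), the four batch control totals from the Batch Control Plans slides and the computer-agreement procedure above, in Python: totals are accumulated over a constructed batch of sales documents and compared field by field with the totals established manually before entry. The document layout and all figures are constructed.

```python
from dataclasses import dataclass

# Added example: batch control totals and computer agreement of batch totals.
# The document layout and every figure below are constructed for illustration.
@dataclass
class SalesDocument:
    doc_number: int
    customer_number: int
    line_amounts: list[float]   # dollar value of each line item

@dataclass(frozen=True)
class BatchTotals:
    document_count: int   # document/record count
    line_count: int       # item or line count
    dollar_total: float   # sum of dollar values
    hash_total: int       # sum of customer numbers: meaningless as a figure, useful as a control

def compute_batch_totals(docs: list[SalesDocument]) -> BatchTotals:
    """Totals the entry program accumulates independently as documents are entered."""
    return BatchTotals(
        document_count=len(docs),
        line_count=sum(len(d.line_amounts) for d in docs),
        dollar_total=round(sum(sum(d.line_amounts) for d in docs), 2),
        hash_total=sum(d.customer_number for d in docs),
    )

def agree_batch_totals(manual: BatchTotals, docs: list[SalesDocument]) -> dict[str, bool]:
    """Computer agreement: compare each manually established total with the accumulated one.
    A False entry is what the batch report would flag as 'disagreed'."""
    computed = compute_batch_totals(docs)
    return {
        "document_count": manual.document_count == computed.document_count,
        "line_count": manual.line_count == computed.line_count,
        "dollar_total": abs(manual.dollar_total - computed.dollar_total) < 0.005,
        "hash_total": manual.hash_total == computed.hash_total,
    }

# Constructed batch of three sales documents and the totals "established manually" before entry.
MANUAL_TOTALS = BatchTotals(document_count=3, line_count=6, dollar_total=1275.50, hash_total=3006)
ENTERED_OK = [
    SalesDocument(1, 1001, [100.00, 250.50]),
    SalesDocument(2, 1002, [500.00]),
    SalesDocument(3, 1003, [200.00, 125.00, 100.00]),
]
# Keying error: customer 1002 entered as 1020; only the hash total catches it.
ENTERED_KEYING_ERROR = [ENTERED_OK[0], SalesDocument(2, 1020, [500.00]), ENTERED_OK[2]]
# Lost document: the third document never reached the computer; every total disagrees.
ENTERED_LOST_DOC = ENTERED_OK[:2]
```

Calling `agree_batch_totals(MANUAL_TOTALS, batch)` for each of the three constructed batches gives the per-total agreed/disagreed indication the batch report would carry.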
Other Data Entry Control Plans . . .
• Agree run-to-run totals: reconciling totals prepared before a computer process has begun to totals prepared at the completion of the computer process.
• Tickler file: manual file of documents, or a computer file, that contains business event data that is pending further action.
• One-for-one checking: detailed comparison of the individual elements of two or more data sources to determine that they agree.
Systems Flowchart: Data Entry with Batches
Control Matrix for Data Entry with Batches
Computer Agreement of Batch Totals
Level of Assurance Provided by Internal Controls