Transaction Processing and the Internal Control Process
Small Business Information Systems
Professor Barry Floyd

Agenda
- Necessity for controls
- Risks
- Current thinking …
- Cycles
- Segregation of duties

Necessity for controls
- Reduce exposures
- Exposure consists of the potential financial effect multiplied by the probability of occurrence (risk)
- Common exposures: excessive costs, deficient revenues, loss of assets, inaccurate accounting, business interruption, statutory sanctions, competitive disadvantage, fraud and embezzlement

Internal Control Process
Used to provide reasonable assurance regarding achievement of objectives in the following categories:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations

Current thinking … Control frameworks
COBIT (Control Objectives for Information and Related Technology) addresses the issue of control from three vantage points:
- Business objectives: information must conform to the criteria of effectiveness, efficiency, confidentiality, integrity, availability, compliance with legal requirements, and reliability
- IT resources: people, applications, technology, facilities, and data
- IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring
COSO (Committee of Sponsoring Organizations) Internal Control – Integrated Framework: defines internal controls and provides guidance for evaluating and enhancing internal control systems

Cycles
- Revenue cycle: events related to the distribution of goods and services to other entities and the collection of related payments
- Expenditure cycle: events related to the acquisition of goods and services from other entities and the settlement of related obligations
- Production cycle: events related to the transformation of resources into goods and services
- Finance cycle: events related to the acquisition and management of capital funds, including cash

REFERENCE: Introduction to MS GP 8.0: Focus on Internal Controls, by Brunsdon, Romney, and Steinbart

Segregation of Duties
For example, we do not want an employee to be able to enter an order, approve the order, fulfill the order, and receive payment for the order. Why?

Three major duties
- Authorization: approving transactions and decisions
- Recording: preparing source documents; entering data into online systems; maintaining journals, files, or databases; preparing reconciliations; and preparing performance reports
- Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization's bank account

Separation
- Separating custodial functions from recording functions prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
- Separating recording functions from authorization functions prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
- Separating authorization functions from custodial functions prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset theft.

Segregation of Duties - GP (category, Great Plains activity, examples)
Authorization
- Create or delete master records: add customer, delete vendor, create general ledger account, etc.
- Implement security: create/delete users and assign permissions
- Approve transactions: approve batches, perform write-offs, enter a discount, etc.
- Field controls: establish customer credit limits, payment terms, override pricing, permit sales exceeding credit limit, etc.
Recording
- Enter and post transactions: enter sales orders, change purchase orders, post transactions, etc.
- Change non-critical master file data: update customer addresses, employee addresses, etc.
- Reconcile: prepare bank reconciliations, perform comparisons of aging reports to the control account, etc.
Custody
- Print information: print company checks, preprinted purchase orders, etc.

Enter a Sales Order
First let's create a 'batch' with transaction and control totals: Transactions > Sales > Sales Batches. Now create two sales orders and check out the sales batch. WHO POSTS THIS? SHOULD SOMEONE APPROVE THIS?

Setup Posting Defaults: Tools > Setup > Posting > Posting
Setting Up Users: Tools > Setup > System > Advanced Security
Activity Tracking: Tools > Setup > System > Activity Tracking

The Audit Trail
Audit trails are an important component of internal controls. The audit trail documents the source of general ledger postings. Accountants and auditors use the audit trail to trace transactions from the point of origin to the general ledger and vice versa. In GP, the audit trail functions automatically.
- Source document codes are the first component of GP's audit trail; the codes identify the point of origin (Tools > Setup > Posting > Source Document)
- Audit trail codes setup: Tools > Setup > Posting > Audit Trail Codes. SJ is the code for sales; transactions are assigned the SLSTE prefix.
- Review the audit trail: Inquiry > Financial > Detail, choose 0000-1200-00, select the first transaction, and click on Journal Entry. The SJ code identifies a document entered through Receivables in the Sales Series; the SLSTE audit trail code means the document was posted as a sales transaction.
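The segregation-of-duties material above can be turned into a mechanical check over permission assignments. The following is an added example, not part of the original slides and not Dynamics GP code: it takes the activity-to-duty mapping from the "Segregation of Duties - GP" table and the three conflict rules from the "Separation" slide, and reports every user who holds activities in two or more duty categories. The user names and their permission assignments are constructed sample data.

```python
"""
Segregation-of-duties check over a constructed set of GP-style permission
assignments. Added example; the activity-to-duty mapping follows the slide's
table, the user names and assignments are constructed sample data.
"""
from itertools import combinations

# Activity -> duty category, from the slide's "Segregation of Duties - GP" table.
ACTIVITY_DUTY = {
    "create_or_delete_master_records": "authorization",
    "implement_security": "authorization",
    "approve_transactions": "authorization",
    "field_controls": "authorization",
    "enter_and_post_transactions": "recording",
    "change_noncritical_master_data": "recording",
    "reconcile": "recording",
    "print_information": "custody",
}

# Why each pair of duties must be kept apart (from the "Separation" slide).
CONFLICT_REASON = {
    frozenset({"custody", "recording"}):
        "could falsify records to conceal theft of assets",
    frozenset({"recording", "authorization"}):
        "could falsify records to cover up an improperly authorized transaction",
    frozenset({"authorization", "custody"}):
        "could authorize a fictitious transaction to conceal asset theft",
}


def duties_of(activities):
    """Return the set of duty categories implied by a list of activities."""
    unknown = [a for a in activities if a not in ACTIVITY_DUTY]
    if unknown:
        raise ValueError(f"unmapped activities: {unknown}")
    return {ACTIVITY_DUTY[a] for a in activities}


def sod_conflicts(assignments):
    """
    assignments: {user: [activity, ...]}
    Returns {user: [(duty_a, duty_b, reason), ...]} for every user whose
    activities span two or more duty categories; clean users are omitted.
    """
    findings = {}
    for user, activities in assignments.items():
        held = sorted(duties_of(activities))
        pairs = [(a, b, CONFLICT_REASON[frozenset({a, b})])
                 for a, b in combinations(held, 2)]
        if pairs:
            findings[user] = pairs
    return findings


# Constructed sample assignments (not real users or real GP security data).
SAMPLE_ASSIGNMENTS = {
    "alice": ["enter_and_post_transactions", "change_noncritical_master_data"],  # recording only
    "bob":   ["approve_transactions", "field_controls"],                         # authorization only
    "carol": ["print_information"],                                              # custody only
    "dave":  ["enter_and_post_transactions", "approve_transactions",
              "print_information"],                                              # all three duties
    "erin":  ["reconcile", "print_information"],                                 # recording + custody
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for a, b, why in pairs:
            print(f"{user}: {a} + {b} -> {why}")
```

Run as a script, it lists dave (all three pairs) and erin (custody plus recording) and nothing for alice, bob or carol. In a real review the same function would be fed the activity list exported from the system's security setup, and any user it flags needs either a permission change or a documented compensating control (for example, an independent review of what that user posts).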
Five Elements of Internal Control Process
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

Control Environment
- Integrity and ethical values
- Commitment to competence
- Management philosophy and operating style
- Organizational structure
- Attention and direction provided by the board of directors and its committees
- Manner of assigning authority and responsibility
- Human resource policies and procedures

Risk Assessment
Process of identifying, analyzing, and managing risks that affect the company's objectives.

Control Activities
Policies and procedures established to help ensure that management directives are carried out.
- Plans of organization (segregation of duties): authorizing vs. recording vs. maintaining custody
- Procedures with control documents
- Restricted access
- Independent checks
- Information processing controls

Transaction processing controls
Transaction processing controls are the procedures, techniques, etc. used to achieve the organization's goals in reducing risk.
- General controls: designed to make sure an organization's control environment is stable and well-managed.
- Application controls: prevent, detect, and correct transaction errors and fraud. Concerned with accuracy, completeness, validity, and authorization.
General Controls
- Definition of responsibilities
- Prenumbered forms
- Preprinted forms
- Labeling
- Documentation
- Backup and recovery
- Transaction trail
- Error-source statistics
- Reliable personnel
- Training of personnel
- Rotation of duties
- Forms design

Application Controls: Input
Input controls are designed to prevent or detect errors in the input stage of data processing.
- Input authorization
- Approval
- Formatted input
- Cancellation
- Exception input
- Passwords
- Amount control total
- Hash total
- Reasonableness checks
- Overflow checks
- Format checks
- Check digit
- Dating
- Expiration checks

Application Controls: Processing
Processing controls are designed to provide assurance that processing has occurred according to intended specifications and that no transactions have been lost or incorrectly entered.
- Mechanization
- Standardization
- Defaults
- Batch balancing
- Clearing account
- Tickler file
- Matching

Application Controls: Output
Output controls are designed to check that input and processing resulted in valid output and that outputs are properly distributed.
- Reconciliation
- Aging
- Suspense file
- Periodic audit
- Discrepancy reports

Summary
Controls are an important part of your information system … think about what you would do in your organization.
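To make the input and processing controls listed above concrete, here is an added example (not from the slides and not Dynamics GP code) that applies several of them to a sales batch like the one created in the GP walk-through: a record count and amount control total, a hash total, a format check, a check digit, a reasonableness check, an overflow check, and a dating check. The account-number format, field width, amount limit, the mod-10 (Luhn) check-digit scheme and the two sample batches are assumptions made for the example.

```python
"""
Batch input controls over constructed sales-transaction batches. Added example;
field rules, limits and the sample records are assumptions for illustration.
"""
import re
from datetime import date

# Assumed field rules (not GP's actual validation).
GL_ACCOUNT_RE = re.compile(r"^\d{4}-\d{4}-\d{2}$")  # same segment layout as 0000-1200-00 above
AMOUNT_FIELD_DIGITS = 9          # overflow check: field holds 9 digits incl. cents (max 9,999,999.99)
REASONABLE_MAX_AMOUNT = 50_000   # reasonableness check: a single order above this is flagged


def luhn_ok(number: str) -> bool:
    """Mod-10 (Luhn) check digit: weighted digit sum must be divisible by 10."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_record(rec: dict, today: date) -> list:
    """Field-level input controls on one transaction; returns a list of error strings."""
    errors = []
    if not GL_ACCOUNT_RE.match(rec["gl_account"]):
        errors.append("format: gl_account")
    if not luhn_ok(rec["customer_no"]):
        errors.append("check digit: customer_no")
    cents = round(rec["amount"] * 100)
    if cents <= 0 or len(str(cents)) > AMOUNT_FIELD_DIGITS:
        errors.append("overflow/sign: amount")
    if rec["amount"] > REASONABLE_MAX_AMOUNT:
        errors.append("reasonableness: amount")
    if rec["doc_date"] > today:
        errors.append("dating: doc_date in the future")
    return errors


def balance_batch(batch: dict, today: date) -> dict:
    """
    Batch-level controls: compare the control totals keyed from the source
    documents with totals recomputed from the entered records. The hash total
    (sum of customer numbers) has no business meaning; it exists only to catch
    a dropped, duplicated or mis-keyed record that the amount total would miss.
    """
    recs = batch["records"]
    computed = {
        "record_count": len(recs),
        "amount_total": round(sum(r["amount"] for r in recs), 2),
        "hash_total": sum(int(r["customer_no"]) for r in recs),
    }
    mismatches = {k: (batch["control"][k], computed[k])
                  for k in computed if batch["control"][k] != computed[k]}
    record_errors = {}
    for r in recs:
        errs = check_record(r, today)
        if errs:
            record_errors[r["doc_no"]] = errs
    return {"computed": computed, "mismatches": mismatches,
            "record_errors": record_errors,
            "ok": not mismatches and not record_errors}


# Constructed sample data. Customer numbers 1000009 and 2000032 carry valid Luhn digits.
TODAY = date(2024, 3, 15)
REC1 = {"doc_no": "SLS001", "customer_no": "1000009", "gl_account": "0000-1200-00",
        "amount": 1250.00, "doc_date": date(2024, 3, 1)}
REC2 = {"doc_no": "SLS002", "customer_no": "2000032", "gl_account": "0000-1200-00",
        "amount": 480.50, "doc_date": date(2024, 3, 2)}
GOOD_BATCH = {"control": {"record_count": 2, "amount_total": 1730.50, "hash_total": 3000041},
              "records": [REC1, REC2]}

# Third document keyed wrongly: customer 2000032 typed as 2000031 (bad check digit),
# 750.00 typed as 75000.00 (slipped decimal) and a future document date.
REC3_BAD = {"doc_no": "SLS003", "customer_no": "2000031", "gl_account": "0000-1200-00",
            "amount": 75000.00, "doc_date": date(2024, 4, 1)}
BAD_BATCH = {"control": {"record_count": 3, "amount_total": 2480.50, "hash_total": 5000073},
             "records": [REC1, REC2, REC3_BAD]}

if __name__ == "__main__":
    print(balance_batch(GOOD_BATCH, TODAY))
    print(balance_batch(BAD_BATCH, TODAY))
```

The good batch balances and has no record errors, so it could be released for posting. The bad batch fails twice over: the amount total and hash total disagree with the control totals (batch balancing), and the third record is flagged individually for its check digit, its unreasonable amount and its future date, so the operator can correct the record before anything reaches the general ledger.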