DIVISION OF AUDIT SERVICES

Internal Control Deliverables For System Development Projects

Table of Contents

Introduction
Process Flow
Controls Objectives
Environmental and General IT Controls
Appendix A – Process Flow Chart
Appendix B – Vendor Payment Narrative Description
Appendix C – Control Objective Cross Reference
Appendix D – Reference Material

INTRODUCTION

Internal controls are the processes and procedures used to provide assurance that business functions are carried out in a controlled and effective manner. They are implemented through an organization's structure, workflows, people, and information systems. Internal controls govern, direct, manage and monitor the various activities of an organization in order to ensure that the entity’s objectives are achieved.

The best time to develop and implement a set of controls is during initial process deployment. When dealing with automated application controls, it can be a costly exercise to implement new controls after an application has been moved into production.
Therefore, it is essential that internal control issues are properly addressed at the time of system development and implementation.

The intent of this document is to provide a framework for identifying required internal controls that need to be implemented during the systems development and implementation process. Project managers will need to work with both business and IT primes in order to successfully address internal controls.

The business has ultimate responsibility for defining what application controls are to be implemented for their processes. This assessment should be based on a review of the entire supported business process, not just the components that are to be automated through the system development initiative. The business will decide on what controls are required and whether they should be implemented through manual or automated processes.

The system development team will be responsible for the design and implementation of automated application controls, based on requirements established by the business.

The project team also needs to give consideration to environmental and general IT controls. These represent the controls that are embedded in the IT processes and services that support the system being designed (e.g. security, change management, backups, etc.).

PROCESS FLOW

The first step in identifying required internal controls is to document the end to end business processes that are impacted by the project. A process flow provides a narrative on how information moves through the application (including related processes, interfaces, and reports). A graphical representation of the flow will help to provide context to the narrative description. Depending on the complexity of the system or process being designed, it may be necessary to document multiple process flows. Appendix A provides an example of a graphical process flow and Appendix B provides the corresponding narrative description.
Each component of the process flow needs to be categorized into either inputs, data transformations (changes and deletes), or outputs. These identified components represent the points within the process where internal controls may be required.

Inputs: Any place where information enters into the system. Each input should be labeled A1 through A## in the process flow documentation. Inputs include, but are not limited to:
- Interfaces from other processes
- User data entry
- Dedicated devices (e.g. bar code readers, scanners, etc.)

Data Transformations: All processes that cause changes to process data (calculations, updates, and deletes). Transformation processes should be labeled B1 through B## in the process flow documentation.

Outputs: Any place where information is extracted from the process. Each output should be labeled C1 through C## in the process flow documentation. Outputs include, but are not limited to:
- Online queries
- Interfaces to other processes
- Reports
- Deliverables (e.g. cheques, invoices, products, etc.)

CONTROLS OBJECTIVES

Each control point identified in the process flow documentation should be assessed against a set of relevant control objectives. By mapping the control points with the relevant control objectives, a clear understanding is obtained as to what internal controls already exist within the process and those that need to be defined and implemented. The process flow documentation should be updated to include any new internal controls that are created.

There is a different set of control objectives that needs to be applied based on the type of control point being reviewed. The relevant control objective groups are listed below along with the associated control point category:

1. Segregation of Duties (all control points)
2. Source Data Preparation and Authorization (input control points)
3. Source Data Collection and Entry (input control points)
4. Processing Integrity and Validity (data transformation control points)
5. Output Review, Reconciliation and Error Handling (output control points)

1. Segregation of Duties

Segregation of duties focuses on ensuring that individuals are only able to execute authorized processes that are relevant to their role and responsibilities. It reduces the possibility for a single individual to be able to compromise a critical process. Proper segregation of duties provides a means for detecting potential control failures and can help to prevent conflicts of interest, fraud, abuse and errors. The following activities should be segregated from each other:
- Data Entry
- Transaction Authorization
- Transaction Reconciliation
- Systems development, acquisition and maintenance
- System Administration
- Database Administration

2. Source Data Preparation and Authorization

Controls designed to ensure the authenticity, accuracy, and validity of source documents (including interfaces) used as input into the system or process.
a. Authorization procedures exist for source documents prior to data entry
b. Authorized data remains complete, accurate and valid throughout life of source document
c. Erroneous source documents are properly handled
d. Confirmation receipts are sent to source document originators
e. Control over sensitive information exists for source documents
f. Source documents are securely stored and maintained in order to facilitate transaction reconstruction, review and audit, litigation inquiries and regulatory requirements

3. Source Data Collection and Entry

Controls designed to ensure that data inputs are accurate, complete and authorized.
a. Processes are in place to ensure timely data entry and error correction
b. Data entry processes are limited to authorized and uniquely identified individuals
c. System data can be traced back to originating source documentation and the individual who inputted the data
d. Verification and edit checks exist for inputted data
e. All authorized transactions are accurately recorded, once and only once
f. Incomplete or incorrect transactions are rejected
g. Transactions are assigned unique and sequential identifiers

4. Processing Integrity and Validity

Controls designed to maintain the integrity and validity of data throughout the system or process.
a. Access to data processing routines is limited to authorized and identifiable individuals
b. Logs are maintained of programs executed and transactions processed or rejected
c. Data changes can be traced back to the changing process and authorized individual
d. Multiple versions or repositories of the same data are kept in sync
e. Data processing routines include error prevention/detection checks
f. Processes are in place to ensure reporting and timely correction of errors
g. Correction and resubmission of errors is approved by the original submitting function
h. Resubmitted transactions follow the exact processes as the original transaction
i. Data updates only occur through fully tested and approved routines
j. Controls are in place to ensure the integrity of interdependent routines
k. Deleted information is retained for audit purposes and flagged to prevent inclusion in standard reporting
l. Recovery processes exist to automatically maintain the integrity of data during unexpected interruptions.

5. Output Review, Reconciliation and Error Handling

Controls designed to ensure the accuracy and security of output generated by the system or process.
a. Access to output data is restricted physically and logically to authorized individuals
b. Ad-hoc reporting capabilities are restricted to authorized individuals
c. Query and reporting functions do not provide data update capabilities
d. Output requirements and needs are periodically reviewed
e. System output contains all, and only, the requested information
f. Verification checks exist for outputted data
g. Origination and content of output should be independently verifiable
h. Process and responsibility for output disposal is clearly defined

Appendix C provides a cross reference of control objectives with the control points identified in Appendix A and B.

ENVIRONMENTAL AND GENERAL IT CONTROLS

As part of the system development and implementation process, consideration needs to be given to the IT processes required to support the new system. Similar to the internal controls within an application, if required environmental and general IT controls are not identified during the development and implementation of the system, then it may become a more costly initiative to implement them once the system is in production.

For each of the following environmental control issues an explanation needs to be provided describing the actual processes that will be implemented to minimize risk exposure.
a. Physical Security
b. Logical Security
c. System Management and Administration
d. Database Administration
e. Backup and Recovery
f. Contingency Planning and Disaster Recovery
g. Program Change Control
h. Application system support and maintenance
i. Capacity Management

APPENDIX A – PROCESS FLOW CHART

[Process flow chart not reproduced. Swimlane labels: UniFi, Information Technology, Accounts Payable Clerk, Director, Purchasing.]

APPENDIX B – VENDOR PAYMENT NARRATIVE DESCRIPTION

The purpose of the vendor payment process is to ensure that after a vendor provides goods or services, the invoices relating to the goods or services received are paid in an efficient and effective manner.

Input A1: Invoices received from vendors are forwarded to the Director for review.

Transformation B1: The Director reviews each invoice for appropriateness. Approved invoices are stamped, signed, and forwarded to the Accounts Payable (AP) clerk for processing.

Input A2: Before entering invoice details into the local financial application, the Accounts Payable clerk must first create a batch record that is used for the consolidation of invoice details. Multiple invoices can be entered into a single batch. The local financial application requires that a separate batch be created for credit memos. Invoice batches are created using the function ‘Purchase Batch’ while credit memo batches are created using the ‘Returns Batch’ function. The typical process is to use the same name for the invoice and returns batch so that the transactions can be consolidated in downstream processes.

Input A3: Approved invoices and credit memos are entered into the local financial application by the AP clerk, using the ‘Receiving Transaction Entry’ and ‘Returns Transaction Entry’ functions respectively.

Output C1: There is no set limit on the number of invoices that can be entered into a single batch. The AP clerk arbitrarily decides when a batch is ready to be submitted for payment processing. Using the internally developed Transfer tool, the AP clerk generates a batch summary report showing the payment total for each invoice contained in the batch.

Transformation B2: The batch report is then provided to the Director along with the corresponding invoices. The Director then ensures that his stamp and signature are on each of the invoices and that the invoice total matches the amount shown on the batch report. The Director then initials each invoice and checks off the amount on the batch report.

Transformation B3: Once the batch report has been approved by the Director, the AP clerk then posts the batch within the local financial application. Posting the batch prevents any further changes from being made to the invoice details.

Transformation B4: Within the Transfer tool, the AP clerk uses the ‘Transfer Batch’ function to copy posted invoice details from the local financial application database into an intermediary Oracle database.

Output C2: A script is run nightly that checks the Oracle database for new invoices. The job then creates an interface file containing the new invoice records that need to be transferred to UniFi. The interface file is saved in a secure drop box on the server Shelf.

Output C3: The interface file creation process (C2) creates a notification email that is sent to Systems Support and Development in the Financial Services Division (FSD). The email provides a record count and total dollar amount for the interface file that was posted on Shelf.

Input A4: A process is run nightly on Shelf that reads the interface file and loads the data into UniFi. A Load confirmation email is sent to a pre-defined distribution list that reports the number of invoices loaded into UniFi and the total dollar value.

Output C4: The AP clerk prints out the UniFi Load Confirmation email and consolidates it with the corresponding batch report and vendor invoices. The consolidated package is then filed together to support future reviews.
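
One way the two sets of control totals described above (the C3 notification and the A4 load confirmation) could be reconciled automatically, together with the duplicate and sequence checks of objectives 3e and 3g. This is an added example, not part of the original document; the record layout, field names and sample values are constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data. The document does not define the interface
# file layout, so the field names (seq, invoice_id, amount) are assumptions.
NOTIFIED = {"record_count": 4, "total": Decimal("1830.50")}  # totals from the C3 email
LOADED = [                                                    # records loaded at A4
    {"seq": 101, "invoice_id": "INV-0001", "amount": "250.00"},
    {"seq": 102, "invoice_id": "INV-0002", "amount": "980.50"},
    {"seq": 104, "invoice_id": "INV-0004", "amount": "400.00"},
    {"seq": 105, "invoice_id": "INV-0004", "amount": "400.00"},
]


def reconcile(notified, loaded):
    """Return (code, detail) exceptions found when the loaded records
    are checked against the control totals announced for the file."""
    findings = []
    count = len(loaded)
    # Decimal keeps dollar amounts exact; float sums can drift by a cent.
    total = sum((Decimal(r["amount"]) for r in loaded), Decimal("0"))

    if count != notified["record_count"]:
        findings.append(("COUNT_MISMATCH",
                         f"notified {notified['record_count']}, loaded {count}"))
    if total != notified["total"]:
        findings.append(("TOTAL_MISMATCH",
                         f"notified {notified['total']}, loaded {total}"))

    # Objective 3e: each transaction is recorded once and only once.
    per_invoice = Counter(r["invoice_id"] for r in loaded)
    for invoice_id, n in sorted(per_invoice.items()):
        if n > 1:
            findings.append(("DUPLICATE", f"{invoice_id} loaded {n} times"))

    # Objective 3g: identifiers are sequential, so a gap points to a missing record.
    seqs = sorted({r["seq"] for r in loaded})
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            findings.append(("SEQUENCE_GAP", f"missing {prev + 1} to {cur - 1}"))
    return findings


if __name__ == "__main__":
    for code, detail in reconcile(NOTIFIED, LOADED):
        print(f"{code}: {detail}")
```

In the constructed sample one record is dropped and another is loaded twice, so the record count still matches while the dollar total, duplicate and sequence checks all raise exceptions.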

APPENDIX C – CONTROL OBJECTIVE CROSS REFERENCE

Legend:
√    Control Exists
X    Control Missing
N/A  Control Deemed Not Applicable

Inputs

#   Control Point                   1    2a   2b   2c   2d   2e   2f   3a   3b   3c   3d   3e   3f   3g
A1  Invoice                         √    √    √    √    N/A  N/A  √    X    N/A  N/A  N/A  N/A  N/A  N/A
A2  Create Batch                    √    N/A  N/A  N/A  N/A  N/A  N/A  N/A  X    X    X    N/A  N/A  √
A3  Transaction Entry               √    √    √    X    N/A  N/A  √    X    X    X    √    √    √    √
A4  UniFi Load Confirmation         √    X    √    X    N/A  N/A  √    X    N/A  X    X    √    N/A  N/A
A5

Data Transformations

#   Control Point                   1    4a   4b   4c   4d   4e   4f   4g   4h   4i   4j   4k   4l
B1  Review Invoice                  √    √    N/A  N/A  N/A  √    X    √    √    √    N/A  N/A  N/A
B2  Review Batch Report             √    √    √    N/A  N/A  √    X    √    √    √    N/A  N/A  N/A
B3  Post Batch                      X    X    √    X    X    N/A  N/A  √    X    √    √    N/A  √
B4  Transfer Batch                  √    X    √    X    X    √    √    X    X    X    X    X    X
B5  Review UniFi Load Confirmation  X    X    X    X    X    X    X    X    X    X    X    X    X
B6

Outputs

#   Control Point                   1    5a   5b   5c   5d   5e   5f   5g   5h
C1  Batch Report                    √    X    N/A  N/A  √    √    √    √    X
C2  UniFi Interface File            N/A  X    N/A  X    X    X    X    √    X
C3  Transfer Notification email     √    √    N/A  N/A  X    √    X    √    X
C4  Hardcopy Filing                 N/A  √    N/A  N/A  N/A  √    N/A  √    X
C5

Notes:

A1-3a: No processes are in place to ensure timely data entry
A2-3b: Use of common login id prevents the identification of unique users
⁞
B5: Process does not exist. It represents a new process to be created to address an identified control weakness. Once the process has been defined, and documented in the process flow, it would then be assessed against relevant control objectives and the above chart updated.
⁞
C4-5h: Food Services has not defined any data archiving and disposal processes

APPENDIX D – REFERENCE MATERIAL

- Accounting Information Systems, Fourth Edition, James A. Hall
- Auditing and Other Assurance Services, Canadian Eighth Edition, Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Control Objectives for Information and related Technology (COBIT) 4.1, IT Governance Institute
- Control Objectives for Information and related Technology (COBIT) 4.0, IT Governance Institute
- Control Objectives for Information and related Technology (COBIT) 3rd Edition, Audit Guidelines, IT Governance Institute
- Global Technology Audit Guide (GTAG) – Auditing Application Controls
- Information Technology Guidelines, 3rd Edition, Canadian Institute of Chartered Accountants
- IT Assurance Guide: Using COBIT, IT Governance Institute
- Statement on Auditing Standards (SAS) No. 78