Internal Controls (Part II)


Prepared by: Dr. Savanid (Nui) Vatanasakdakul
Aims of a computerised accounting information system
General and application controls
Limitations of controls
Threats to internal controls
Identify 3 advantages of computerised application controls.
Advantages of computerised application controls:
Consistent execution, authorisation and application
Enforce completeness
More difficult to avoid or bypass
More timely and efficient to execute
More timely reporting and feedback
Aims of application controls:
Proper authorisation, such as authorising only valid transactions
Proper recording, such as input and output accuracy
Completeness
Timeliness
General controls
Policies/procedures relating to many applications
Support the effective operation of application controls
Application controls
Manual or automated
Operate within a business process / application
Relate to the initiation, recording, reporting and processing of events
Deal with the aims of occurrence, authorisation, completeness and accuracy
Some risks apply across a number of areas of the organisation. To address these risks we have GENERAL CONTROLS.
General controls affect the overall information system.
General controls are established with the aim of providing reasonable assurance that the internal control objectives are achieved.
These controls affect all applications.
Seen as pervasive, these controls apply across almost all of the information systems in an organisation.
They support the effective operation of application controls.
Categories of general controls
Organisational
  Separation of duties: design, programming, operations, data entry, custody of documentation
  Policies and procedures: recruitment, termination
Access
  To computer facilities
  To data files
  Authorised users
Hardware
  Monitor and detect failures
Systems development
  User involvement
  Authorisation
  Documentation
  Access to systems software restricted
Data protection
Telecommunications
  Transmission / encryption techniques
Other
  Disaster recovery
  Backup / off-site storage
Examples of general controls:
Physical controls
Segregation of duties
User access
System development procedures
User awareness of risks
Data storage procedures
Users record transactions, authorise data to be processed, and use system output.
Systems analysts help users determine their information needs and then design an information system to meet those needs.
Programmers take the design provided by the systems analysts and create an information system by writing the computer programs.
Computer operations staff run the software on the company's computers. They ensure that data is input properly and correctly processed and that the right output is produced.
Database administrators maintain and manage corporate databases and files.
Systems administrators ensure that the different parts of an information system operate smoothly and efficiently.
Network managers ensure that all applicable devices are linked to the organisation's internal and external networks and that the networks operate continuously and properly.
Change management manages all changes to an organisation's information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.
Change management: the person (usually a developer) who makes the IS change should be different from the person who makes the change available to users. The process of making changes available to all users is usually called migration into production.
Why do we need to segregate these functions?
Telecommunications controls
Wireless technology
Virtual private networks
Wired networks
Electronic eavesdropping
Routing verification procedures
Message acknowledgement procedures
Microcomputers
What unique risks do microcomputers present to an organisation?
Physical controls
Location of computing facility
Restrict employee access
The use of biometrics
Separation of duties
Accounting from other sub-systems
Responsibilities within IT: programming, data management, design / analysis, testing
Within a process: authorisation, execution, custody, recording
Computer accounts / logins / access controls
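An added example (not part of the lecture slides) showing how the separation-of-duties rule above, including the change-management rule that the developer who writes a change must not be the person who migrates it into production, can be checked mechanically against user access assignments. Every pair of duties inside one group (authorisation, execution, custody and recording within a process; design, programming, testing, operations and migration within IT) is treated as incompatible, and any user whose roles give them two duties from the same group is reported. The role names, the role-to-duty mapping and the user list are constructed assumptions.

```python
"""Segregation-of-duties check over user access assignments.

Added example, not from the lecture slides. Duty groups follow the
slide: within a process, authorisation / execution / custody / recording
are separated; within IT, design, programming, testing, operations and
migration to production are separated. Role names, the role-to-duty
mapping and the users below are constructed assumptions.
"""
from itertools import combinations

# Each group lists duties that must not be held by the same person.
DUTY_GROUPS = {
    "sales": {"authorise", "execute", "custody", "record"},
    "it": {"design", "program", "test", "operate", "migrate"},
}

# Assumed roles (e.g. groups in a directory) and the (group, duty) they grant.
ROLE_DUTIES = {
    "credit_manager": {("sales", "authorise")},
    "sales_clerk": {("sales", "execute")},
    "cashier": {("sales", "custody")},
    "ar_clerk": {("sales", "record")},
    "analyst": {("it", "design")},
    "developer": {("it", "program")},
    "tester": {("it", "test")},
    "operator": {("it", "operate")},
    "release_manager": {("it", "migrate")},
}


def duties_of(roles) -> set:
    """Union of the (group, duty) pairs granted by a user's roles."""
    held = set()
    for role in roles:
        held |= ROLE_DUTIES[role]
    return held


def sod_conflicts(user_roles: dict) -> dict:
    """Return, per user, the (group, duty_a, duty_b) triples that breach
    segregation of duties. Users without a conflict are omitted."""
    report = {}
    for user, roles in user_roles.items():
        held = duties_of(roles)
        conflicts = []
        for group, duties in DUTY_GROUPS.items():
            in_group = sorted(d for g, d in held if g == group and d in duties)
            for a, b in combinations(in_group, 2):
                conflicts.append((group, a, b))
        if conflicts:
            report[user] = conflicts
    return report


# Constructed sample: alice both executes sales and records them; bob
# writes code and migrates it to production (the change-management
# conflict from the slide); carol and dave hold compatible roles only.
SAMPLE_USERS = {
    "alice": ["sales_clerk", "ar_clerk"],
    "bob": ["developer", "release_manager"],
    "carol": ["credit_manager"],
    "dave": ["developer", "sales_clerk"],
}

if __name__ == "__main__":
    for user, conflicts in sod_conflicts(SAMPLE_USERS).items():
        for group, a, b in conflicts:
            print(f"{user}: holds both '{a}' and '{b}' in {group}")
```

Because duties are accumulated across all of a user's roles, the check catches conflicts that arise only from the combination of otherwise harmless roles, which is how such breaches usually appear in practice.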
Fault tolerance / built-in redundancies
Disk mirroring
Backups
  Performed hierarchically (e.g. daily, weekly and monthly generations)
  Where to store backup data?
  How often to back up?
Uninterruptible power supply
A disaster recovery plan (DRP) refers to the strategy an organisation will put into action in the event of a disaster that disrupts normal operations. The aim is business continuity, i.e. to resume operations as soon as possible with minimal loss or disruption to data and information. This plan describes procedures to be followed in the case of an emergency as well as the role of each member of the disaster recovery team.
DRP considers:
Natural disasters
Deliberate malicious acts
Accidental destructive acts
DRP usually covers:
Staff: employees, customers, suppliers, other stakeholders
Physical resources: buildings, equipment, cash
Information resources: data, information
Temporary site: hot site or cold site
Staffing
  Evacuating threatened staff
  Enabling staff to operate in DRP mode
  Staff need to know their roles
Restore relationships
As organisations become integrated, the information asset is increasing in importance.
Application controls
Controls over specific systems / business processes
Relate to the initiation, recording, reporting and processing of events
Provide reasonable assurance that the events occurring in a system/process are authorised and recorded, and are processed completely, accurately and on a timely basis, and that resources in that system are protected.
Examples of systems/processes in an organisation: sales system, accounts receivable system, purchases system, payments system, payroll, financial reporting, inventory
Authorisation
  Is the person authorised to execute the transaction?
  Eg: approvals for a large sale to proceed
Recording
  Input validity: is the data of the correct format/type? Does the data represent a valid event?
  Input accuracy: is all data entered correct?
Completeness
  Transaction level: has all data about an event been recorded?
  Business process level: have all events been recorded?
Timeliness
  Is data captured, processed, stored and available as required by the needs of the business process?
Classification based on the stage in the process at which the control occurs
Input controls: designed to ensure data entering the system is valid, complete and accurate
Process controls: detect errors and irregularities in the processing of data
Output controls: protect the outputs of a system
Observation, recording and transcription
Feedback mechanism
  Eg: customer reviews and signs the sales form
Dual observation
  Eg: approval from a supervisor, more than one employee in the execution of a sale
Pre-designed forms
  Pre-numbered
  Layout of forms
How does a pre-designed form help?
Edit tests
Check validity and accuracy after data has been input
Test of content: numeric, alphabetic, alphanumeric
Test of reasonableness: is the input within a specified range of values? Eg: hours worked per week is between 0 and 60
Test of sign (positive, negative)
Test of completeness
Test of sequence: has every document been input? Eg: cheques. Requires pre-numbered source documents
Test of consistency
Check digit calculation: a digit computed from the other digits of a code and appended to it, so that a mistyped or transposed digit is detected. Eg: the last digit of a credit card number is a check digit computed from the preceding digits with the Luhn algorithm. The three-digit security code printed on the card is a separate value generated by the issuer, not a check digit, and cannot be recalculated from the card number.
Process controls
Controls for the manipulation of data once it has been input.
Batch control totals
Record counts
Sequence checks
Run-to-run totals
Which aims do they achieve?
Reliable financial reporting
Accuracy of data processing / updates
Completeness of data processing / updates
Figure: sequence check over pre-numbered invoices.
Sales dept: a sale occurs and an invoice is prepared; invoices 001 to 007 are raised.
Data entry clerk: invoices 001, 002, 003, 004, 005 and 007 are entered; invoice 006 is missing.
Computer: checks for gaps in the sequence of pre-numbered documents and alerts the clerk to missing documents.
The sequence check has identified that invoice 006 has not been entered, so we do not have completeness.
The computer takes the daily credit sales data and updates the accounts receivable master balances.
The new balance for accounts receivable should equal the opening balance + credit sales.
Figure: run-to-run total on the accounts receivable update.
Sales person: captures the sales order and its order details.
Computer: takes the credit sales, calculates a check total, updates accounts receivable, and compares the totals.
Batch control totals include:
Financial control total
Hash total
Record count
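The process controls of the last few slides (the sequence check over invoices 001 to 007, the three batch control totals, and the run-to-run total on the accounts receivable update) carried out together in code, as an added example that is not from the lecture slides. The invoice batch, the amounts, the opening A/R balances and the assumption that the sales department prepares control totals on the batch header before data entry are all constructed for illustration.

```python
"""Process controls over a batch of credit-sales invoices: sequence
check, batch control totals and a run-to-run total on the A/R update.

Added example, not from the lecture slides. The invoice batch (001-007
raised, 006 never entered, as in the slide's figure), the opening A/R
balances and the prepared control totals are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    number: int       # pre-numbered source document
    customer: str
    amount: float     # credit sale value


def sequence_check(invoices, first: int, last: int) -> list:
    """Return the pre-numbered documents in first..last that were not entered."""
    entered = {inv.number for inv in invoices}
    return [n for n in range(first, last + 1) if n not in entered]


def batch_totals(invoices) -> dict:
    """Record count, financial control total and hash total of a batch.
    The hash total adds a field with no financial meaning (the invoice
    number) so that a dropped, duplicated or swapped record still shows."""
    return {
        "record_count": len(invoices),
        "financial_total": round(sum(i.amount for i in invoices), 2),
        "hash_total": sum(i.number for i in invoices),
    }


def batch_mismatches(invoices, prepared: dict) -> list:
    """Compare the totals the system computed with those prepared before
    data entry; return the names of the totals that do not agree."""
    actual = batch_totals(invoices)
    return [name for name, value in prepared.items() if actual[name] != value]


def post_credit_sales(opening: dict, invoices, create_missing: bool = True):
    """Update A/R master balances and apply the run-to-run total:
    closing A/R must equal opening A/R + total credit sales in the batch.
    With create_missing=False, invoices for customers absent from the
    master file are silently skipped; the run-to-run total exposes that."""
    balances = dict(opening)
    for inv in invoices:
        if inv.customer not in balances:
            if not create_missing:
                continue
            balances[inv.customer] = 0.0
        balances[inv.customer] = round(balances[inv.customer] + inv.amount, 2)
    opening_total = round(sum(opening.values()), 2)
    closing_total = round(sum(balances.values()), 2)
    expected = round(opening_total + batch_totals(invoices)["financial_total"], 2)
    return balances, closing_total == expected


# Constructed data. Sales dept raised invoices 001-007 and prepared control
# totals over all seven; the clerk entered six (invoice 006 was not entered).
RAISED = [
    Invoice(1, "Acme", 120.00), Invoice(2, "Bolt", 80.50),
    Invoice(3, "Acme", 45.25), Invoice(4, "Cray", 300.00),
    Invoice(5, "Bolt", 60.00), Invoice(6, "Acme", 99.99),
    Invoice(7, "Cray", 15.75),
]
PREPARED_TOTALS = batch_totals(RAISED)      # as written on the batch header
ENTERED = [inv for inv in RAISED if inv.number != 6]
OPENING_AR = {"Acme": 500.00, "Bolt": 250.00, "Cray": 0.00}

if __name__ == "__main__":
    print("missing documents:", sequence_check(ENTERED, 1, 7))
    print("totals out of balance:", batch_mismatches(ENTERED, PREPARED_TOTALS))
    print("run-to-run ok:", post_credit_sales(OPENING_AR, ENTERED)[1])
```

Each control catches a different failure: the sequence check names the missing document, the batch totals show that the entered batch does not match what was prepared, and the run-to-run total detects a posting routine that drops records (here, invoices for a customer missing from the master file) even when the input batch itself was complete.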
Output controls
Validation of process results
Activity listings
Distribution and use
Who is able to access the outputs?
Where are the outputs printed to?
Has the relevant user got all of the output?
Limitations of controls
Judgement error
Unexpected transactions
Collusion
Management override
Weak internal controls
Conflicting signals
Threats to internal controls
Management incompetence
External factors such as natural disasters
Fraud
Regulatory environment
Information technology threats such as viruses and email attacks
I wish to acknowledge Dr. Chadi Aoun's input and material that were incorporated into the lecture slides, as well as the supplementary material and sources provided by John Wiley publishers.
