8.1 Define the following:

(a) General control
(b) Application control (L02)

8.2 You work for a business that has just established a new data processing centre. In a
conversation with one of the directors over lunch one day, you get into the topic of controls and
design of controls for the new centre. Proudly, the director boasts, "We have the most hi-tech
biometric control in place. No unauthorized access to the centre is possible. The programmers are
able to get on with their day-to-day duties of developing programs and managing the
organization's data resources."

You are slightly concerned by this statement and immediately think back to appropriate controls for
implementation in the information systems environment, one of which is segregation of duties.

(a) What are the faults in the director's statement?
(b) Can the organization rely on biometric controls alone?
(c) How can separation of duties be applied in the information systems area?
(d) What are the critical functions that should be separated?
(e) What are the risks if these functions are not separated? (L05)

8.3

(a) What is a turnaround document?

(b) Provide five examples of turnaround documents. Discuss how turnaround documents help to
achieve the aims of input accuracy and input completeness. (L06)

8.4 Explain situations where manually performed control activities are particularly suitable. (L08)

8.5 Describe the advantages of computer-executed control activities. (L08)

8.6 Explain, using an example, why computer-executed controls rely on a sound set of general
controls. (L08)

SELF-TEST ACTIVITIES

8.1 Examples of preventive controls to prevent incorrect data entry into a sales system include:

(i) validity checks, (ii) range checks, (iii) completeness checks, (iv) run-to-run total checks, (v)
redundant data checks.

(a) i, ii, iii and iv

(b) ii, iii, iv and v

(c) i, iii, iv and v

(d) i, ii, iv and v

(e) i, ii, iii and v

8.2 The use of biometric identification techniques on an entrance to the computer processing
centre is an example of a:

(a) preventive control.

(b) detective control.

(c) corrective control.

(d) application control.

(e) access control.

8.3 An organization is concerned about the possibility of sales to false and nonexistent customers
being entered into its sales system by sales staff. The best control to prevent this problem would
be:

(a) calling a random sample of customers to ensure they exist.

(b) having sales staff maintain a customer master file.

(c) having a customer master file maintained independent of sales.

(d) having a policy of making only in-store sales (e.g. having no phone or web-based orders).

(e) proper screening of sales staff before hiring them.

8.4 Select the best pair of terms to complete the following statement: The threat of collusion
among employees can be reduced by application of (i) ______, which entails (ii) ______.

(a) (i) organizational policies, (ii) having clearly defined job descriptions

(b) (i) organizational policies, (ii) specifying procedures for the authorization, custody and record
keeping relating to assets

(c) (i) separation of duties, (ii) keeping employees separate from one another

(d) (i) general controls, (ii) having a clear set of organizational policies, such as job rotation and
forced annual leave

(e) (i) separation of duties, (ii) keeping authorization, custody and record keeping separate

PROBLEM

8.1 Classify the following control activities as general or application and explain your
reasoning.

(a) Employees have a password to gain access to the system.

(b) When sales are entered, the system retrieves customer details based on the customer number.

(c) A check is performed to identify if all cheques can be accounted for.

(d) Systems development is subject to sign off by the CIO before it can take place.

(e) Virus definitions are updated daily.

(f) The sales manager must approve all discounts for items sold below their sticker price.

8.2 A sales system for a small retail store is described in the following paragraph. Once you have
read the paragraph, identify any risks within the system, the potential consequences of these risks,
and controls that could be implemented to combat these risks.

The sales system

As a sale occurs, customer details including customer number and address, as well as the items
purchased, are written on a blank invoice form. Item descriptions, quantity sold and unit price are
also filled in, with the sales staff having some discretion in setting the unit price for situations such
as bulk purchases or repeat customers. These invoice forms are collected at the end of the day
and keyed in to the computer, with an invoice number assigned to invoices as they are keyed in.
This number is recorded on the store copy of the invoice. Any new customers are added to the
customer master list as their sales are entered and any details not gathered on the invoice are left
blank. Data are stored on a central server and this server is backed up monthly. The system is also
connected up to the organization's suppliers and used to order goods.

8.3 Explain, using an example, how batch totals can achieve the dual aims of input accuracy and
input completeness.

8.4 Conduct a web search for some examples of internal controls that have failed to operate
effectively. For the cases you have identified, answer the following questions.

(a) What factors led to the failure of these controls?
(b) Could the failure have been avoided? If so, how?

8.5 Turn Em Out is a fashion company that sells clothes to retail stores and individual customers,
provided that they are registered as a customer. This eliminates the need for off-the-street sales.
The organization recently received a purchase order. The steps that are subsequently followed are:

(1) Customer service representative prepares a sales order (three copies).

(2) Send the sales order to the accounts department and sales department.

(3) The accounts department and sales department will enter the order into the system.

(4) The computer will capture the data and store it in a temporary file, updating the inventory,
sales and accounts receivable files at the end of day.

(5) Print a picking slip and invoice and send it to the warehouse.

(6) Pick the goods.

(7) Attach picking slip and invoice to the goods.

(8) Send goods to the customer.

Analyze the process by breaking it up into the stages of authorization, input, processing, output,
and external data stages, as was discussed in reference to COBIT in the chapter. For each stage,
state the aims, control issues and controls that could be used by Turn Em Out.

8.6 The payments department at Slick Sales has issued a cheque for an invoice it has received
from Office Supplies Ltd. The payable clerk has three documents, (1) receipted purchase order
(figure 8.9), (2) a receiving report (figure 8.10), and (3) an invoice (figure 8.11). The clerk has
prepared the accompanying cheque and had it signed, ready for sending (figure 8.12).

Required

(a) Explain how the purchase order, receiving report and invoice play an important role in
the authorization of payments to accounts payable.
(b) Analyze the documents shown and determine if the clerk should have prepared the
cheque and if it should be sent off to the supplier. Justify your conclusion.
(c) What controls should be in place during and subsequent to cheque preparation?
(d) Discuss the use and function of the remittance advice that is contained as a part of the tax
invoice.

PURCHASE ORDER (FIGURE 8.9)

RECEIVING REPORT (FIGURE 8.10)

TAX INVOICE (FIGURE 8.11)

CHEQUE (FIGURE 8.12)

8.7 The following purchase order (figure 8.13) was sent by Giddy Up Pty Ltd to Stable Supplies
Ltd. The second copy of the purchase order (figure 8.14) from Giddy Up was sent to the receiving
department and was stamped and signed when the goods were received.

Required

(a) Identify the control features of both documents.
(b) Discuss the functioning of the control features in both documents.
(c) What controls could have been present when the purchase requisition details (not shown)
were entered into the computer and the purchase order generated?

Purchase order sent to vendor (figure 8.13)

Copy of purchase order routed to receiving department (Figure 8.14)

8.8 For each of the following risks suggest a control that could be used to reduce it.

(a) Entering negative values for order quantity in a sales order

(b) Selling to a customer with an overdue account.

(c) Ordering from a nonexistent supplier

(d) Paying for goods that have not been received

(e) Entering an alphanumeric customer ID when the business policy is for numeric customer IDs

(f) Misappropriation of goods by receiving staff, who also maintain inventory records

(g) Ordering too much of a product

8.9 An accounts payable process is documented in the flowchart in figure 8.15. Using this
flowchart as a reference:

(a) Write a brief narrative that describes the operation of the process.
(b) Identify any risks that are present in the system.
(c) Identify any controls that are present in the case and explain their operation and the risks
that they address.
(d) Identify any risks that do not have relevant control activities and discuss the internal
control activity that would be appropriate to address the risk.

Flowchart of the accounts payable process


8.10 The sales and warehouse of Truly Legit, a retail company, operates as follows and is
currently under review:

Truly Legit is implementing a new credit sales approval system. Based on an analysis of their
existing sales data for credit sales in the financial year just ended the following data has been
obtained

Transaction       Total value     Number of transactions   % of sales value
$1 - $500         $357 950        1431                     27.9
$501 - $1000      $455 845        585                      35.6
$1001 - $2500     $287 675        145                      22.5
>$2500            $1800 000       60                       14.0
TOTAL             $1 281 470      2221                     100.0

The current system has a standard sales process whereby the salesperson provides the approval
and authorization for goods to be released by signing a sales order, a copy of which goes to the
warehouse and serves the dual purpose of a picking ticket and shipping authorization. The
documents are prepared on computer by the salesperson, printed out and sent via internal mail at
the end of the day to the warehouse. If a new customer comes in off the street, then the
salesperson adds them to the system immediately and gives them the default credit limit of $750.

Customer credit limits are not checked unless the customer name appears on a credit warning list,
which is produced by the accounts receivable division at the start of each month. All sales follow
this process.

The stages of the COSO framework, as they apply to Truly Legit, are:

Control environment: The board of directors is constantly receiving feedback from the various
functional divisions about their performance and has held numerous organization-wide workshops
and training sessions for middle-level management to reinforce the importance of proper
governance and control. The board also has an audit committee, who monitor internal control
functionality, which is comprised wholly of non-executive directors.

Risk assessment: Management is concerned about the following risks in the sales process.

Risk

Sales to customers who have exceeded their credit limit
Large transactions taking place without proper approval
Fraudulent sales of low value entering the system
Goods being shipped without proper authorization
Sales orders going missing between sales person and warehouse
Customer records containing nonexistent customers

Control activities:

Information and communication:

Monitoring:

Required

(a) Using the COSO framework, derive control activities that could be implemented within
the sales process to overcome the risks involved.
(b) For each control activity that you identified in (a), identify the information and
communication necessary as well as how monitoring can occur to assess the process performance.

8.11 Refer to AIS Focus 8.6 on the Sydney power supply and answer the following questions.

(a) What issues about disaster recovery plans does this case highlight? Explain.
(b) Comment on the adequacy of the backup plans for the city of Sydney. What evidence is
there of strengths and weaknesses in the design of the program?
(c) What could some of the consequences be from a loss of power?
(d) How well do you think the Sydney disaster plan matches to the ideas presented in the
chapter? Explain your answer.

8.12 Refer to AIS Focus 8.3, "A million dollar data entry error", and answer the following
questions.

(a) Explain how the data entry errors referred to in the case could have happened.
(b) Identify a control that could have been put in place to prevent the errors described.
Explain how the control would have solved the problem.
(c) Explain a control that could have been put in place to detect the errors mentioned in the
case. Explain how they could have solved the problem.
(d) Describe other internal controls that you would expect to see in the case described.

8.13 Below is a description of a business process.

The computer system requires all users to log on with a user identification (their first initial and
the first six letters of their surname), and a password that is assigned to users when they join the
firm (that is unable to be changed). The users have access to the internet and several have installed
Windows Live Messenger and other chat programs on their machines.

The main task of John, one of the staff members, is to perform data entry. Each day he receives a
bundle of orders from the customer assistant, with John's job being to enter the details into the
system. John first enters the customer name, address and contact number, then clicks on the "Next"
button to enter the items and quantities ordered by the customer. If the customer name is not
provided, the computer will prompt John to go back and fill in the details before proceeding to the
next screen. In addition, the computer will only accept numeric values for the quantities ordered.
Once all orders are entered, John clicks the "Done" button and the computer displays the number of
orders entered on the screen. John usually ignores this, because by the time orders have been
entered it is usually lunchtime.

Required

(a) Identify four risks in the process.

(b) Suggest an internal control for each risk (the control may be mentioned in the case or missing
and you think it should be applied).

(c) Indicate whether the control is present or missing in the case.

(d) Classify the control as general or application.

(e) Identify the control goal that the control addresses.

(f) Classify the control as manual or computerized.

Use the template matrix shown below to document your answer.

Risk    Control    Present    General/application    Goal    Manual/Computerized

8.14 Explain why pre-numbering source documents is a necessary but not sufficient condition for
completeness to be satisfied.

8.15 Explain how edit checks can help to achieve the assertion of accuracy.

8.16 Organisations are often subject to legal requirements, with controls put in place to
meet these. An example is the Privacy Act, which places restrictions on how data is to be
gathered, used and stored. It also addresses security of data and procedures for protecting
access to data.

Required

(a) Explain why protecting data is an increasing challenge for organisations.
(b) Suggest organisation control activities that could be implemented to protect data.

8.17 Read the article by Fiona Smith115 in figure 8.16 and answer the following
questions.

FIGURE 8.16 Make no mistake, this will save money.


Human error in business isn't as unpredictable and unavoidable as it may seem,

One day last July, Talsico International, a company specialising in reducing human errors,
received an urgent call from one of the world's largest pharmaceutical groups. The group
was in dire straits. One of its plants in the US was threatened with deregistration because
of repeated errors in paperwork. The staff at the plant were diligent, but couldn't seem to
stop themselves from making mistakes when filling out the forms after performing
clearance procedures. A clearance procedure is the meticulous cleaning of an area after
workers finish making one drug and are about to start manufacturing another, says
Filomenia Sousa, CEO of Talsico, an Australian-based consultancy. "A small contaminant
could kill, or make you very sick, and the cost of someone suing could run into millions
and millions of dollars," Sousa says. There were no problems with the cleaning, it was
simply a matter of the paperwork, and the Food and Drug Authority (FDA) had issued two
warnings. "The FDA doesn't care if it is a paperwork error, or a process error. If you fail
three times, they can close you down," Sousa says.

Sousa says the implications for the pharmaceutical company, which she declined to name,
were enormous. The plant was risking millions of dollars in losses, a disastrous blow to
the company's reputation and, at the site, 3000 jobs were on the line. "Almost in desperation,
they called our office in the US," she says.

Sousa got on a plane and flew to the site and, when she took a look at the paperwork, was
immediately able to identify a number of places where staff were likely to make mistakes.
"They were absolutely amazed, they thought it was some sort of black magic," she says.
There was nothing magical about it at all. The reason these poor operators were making
these paperwork errors was because the design of the form was really not good for the human
brain. So, when they were tired or flustered, which often happened during clearances,
they made errors. The paperwork was changed and, within two weeks, they had a 73 per
cent decrease in errors. Previously, they had made an error every time they did a clearance
procedure, which was once every three or four days.

Human error is one of those risks in business that can seem unpredictable and to an extent
to human error. And mistakes are happening all the time. "In manufacturing industries I
have worked with, the majority of documents would have some errors that need to be
corrected," Sousa says.

Human error has been blamed for everything from damaging client relationships, product
recalls, multi-million-dollar losses on products, plane crashes, the Chernobyl nuclear
accident and the loss of the Mars space probe. "But to be honest, those spectacular errors
that happen once every few months are not the biggest cost," Sousa says. "The biggest cost
comes from the ones that are made day in day out in an organisation. They can end up
costing millions of dollars a year. In fact, for large organisations, it would be billions of
dollars. One of the pharmaceutical companies we work with estimated that every time an
error was made, in paperwork or process, investigating that error, just investigating it,
cost $5000."

What Talsico does is to examine the way things are done to find weaknesses, using an
understanding of the way the brain processes information. The types of errors are
categorised, so that the reasons can be understood and dealt with. By doing this, the
consultancy claims to cut documentation errors by a minimum of 73 per cent and waste and
rework by 60 per cent. Sometimes the answer is as simple as designing a system to stop
factory workers from ever so slightly over-filling detergent bottles, errors that were costing
one manufacturer more than $1 million a year. It is also as effective as redesigning a pure
oxygen tap behind hospital beds so that it cannot be confused with the adjacent tap for
clean air. The medical workers were connecting to the wrong taps at least once a week and
patient safety was threatened. The hospital was already subject to an expensive lawsuit
from one patient. "The cost to fix that was less than $15 per patient. It was nothing," says
Sousa.

The savings that can be made by reducing error rates can be enormous. "In one of the
companies we work with, in just one department of branch of the organisation, by reducing
some of the errors they were having, we saved $360 000 a year," Sousa says. Another
pharmaceutical company, by reducing errors and subsequent product waste, saved
$2.6 million a year, Sousa says.

It is surprising then that there aren't more companies specialising in this field. Sousa says
she can't think of one other such consultancy. Launched in Australia 12 years ago
(Sousa is one of the founders), Talsico now works with 1200 companies, up to 900 of them
overseas. Clients in this country include: Qantas, BHP Billiton, Arnott's, Colgate-
Palmolive, AstraZeneca, Mt Isa Mines and the Australian Nuclear Science and Technology
Organisation.

Sousa, a geneticist and former computer systems engineer, says that some of the measures
taken by organisations to prevent mistakes actually do the opposite. One of them is to
respond to mistakes by retraining or punishing. This assumes that people who make
mistakes either don't know any better, or don't care. However, a study of 1000 people in
the US by Talsico over the course of a year discovered only 6 per cent of the errors were
due to people not knowing what to do. "As for not caring, most people want to do a good
job," says Sousa.

And if you want to create an environment where people are punished for errors,
particularly if it is done subconsciously, it is not that they'll make fewer errors, but that
they will hide the errors they make. Another false measure taken by employers is to have
a rigorous checking process, but this can actually encourage people to take less
responsibility for the accuracy of their own work, says Sousa. Sousa has seen mistakes
being made on medical labels after the text and layout had been checked by seven different
people. Each of them had thought: "Well, I'll do a quick check and if I miss something one
of the others will get it," says Sousa. A wrong label could mean a product recall costing
millions of dollars. A better system is to give each person sole responsibility for a small
part of the task. They will then give it their full attention, Sousa says.

Required

(a) What does the article suggest is the main source of the errors in a business?
(b) What are the implications of this article for the design and use of source
documents in an organisation?
(c) Explain, using this article as a reference, why it is preferable to deal with errors at
the input stage, rather than rely on detection or corrective controls that operate later in the
data processing stages.
(d) Suggest three ways that organisations could make source documents less prone to
errors.
(e) What does the article suggest about the role of checking procedures? Do you agree
with the assertion? Explain your answer.
(f) What do you think are some of the potential impacts of this article on the design
and implementation of an internal control system?
