Accounting Information Systems: Essential Concepts and Applications Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-Wing

Chapter 8: General Controls and Application Controls

Slides Authored by Somnath Bhattacharya, Ph.D.Florida Atlantic University

Introduction to Controls

Controls may relate to manual AISs, to computer-based AISs, or both

Controls may be grouped into General controls, Application controls, and Security measures

Controls may also be grouped in terms of risk aversion: Corrective, Preventive, and Detective Controls

These categories are intertwined and an appropriate balance is needed for an effective internal control structure

Control Classifications

By Setting

General

ApplicationInputProcessingOutput

By Risk Aversion

Corrective

Preventive

Detective}Figure 8-1

General Controls

General Controls pertain to all activities involving a firm’s AIS and resources (assets). They can be grouped as follows: Organizational or Personnel Controls Documentation Controls Asset Accountability Controls Management Practice Controls Information Center Operations Controls Authorization Controls Access Controls

Organizational or Personnel Controls - I

Organizational independence, which separates incompatible functions, is a central control objective when designing a system

Diligence of independent reviewers, including BOD, managers, and auditors (both internal and external)

In a manual system, authorization, record-keeping, and custodial functions must be kept separate. e.g., purchases, sales, cash handling, etc

Organizational or Personnel Controls - II

In computer-based AISs the major segregation is between the systems development tasks, which create systems, and the data processing tasks, which operate systems

Within data processing, one may find segregation between separate control (receiving & logging), data preparation (converting to machine readable form), computer operations, and data library - batch processing

Other personnel controls include the two-week vacation rule

Convert to

machinereadable

media

Data PreparationSection

Receive

and

Log

Log

and

Distribute

Control Section

Process

Outputs

To users (exception

and summaryreport)

Computer Operations

Data

Inputs

Outputs

Errorsto be

corrected

User Departments

Flow of Batched Data in Computer-Based Processing

Data LibrarySection

Files

Files

Figure 8-4

BatchFiles

OnlineFiles

Online Files (or data libraryfor removable disks and

backups

Process

Computer Operations

Data Inputs

Displayed Outputs

Printed orPlotted Outputs

User Departments

Segregation of Functions in a Direct/Immediate Processing System

Figure 8-6

Documentation Controls

Documentation consists of procedures manuals and other means of describing the AIS and its operations, such as program flowcharts and organizational charts

In large firms, a data librarian is responsible for the control, storage, retention and distribution of documentation

Storing a copy of documentation in a fireproof vault, and having proper checkout procedures are other examples of documentation controls.

Use of CASEs

System Standards Documentation

Systems development policy statements

Program testing policy statements

Computer operations policy statements

Security and disaster policy statements

System Application Documentation

Computer system flowcharts DFDs Narratives Input/output descriptions, including filled-in source

documents Formats of journals, ledgers, reports, and other outputs Details concerning audit trails Charts of accounts File descriptions, including record layouts and data

dictionaries Error messages and formats Error correction procedures Control procedures

Program Documentation

Program flowcharts, decision tables, data structure diagrams

Source program listingsInputs, formats, and sample filled-in formsPrintouts of reports, listings, and other outputsOperating instructionsTest data and testing proceduresProgram change proceduresError listings

Data Documentation

Descriptions of data elementsRelationships of specific data

elements to other data elements

Operating Documentation

Performance instructions for executing computer programs

Required input/output files for specific programsSetup procedures for certain programsList of programmed halts, including related

messages, and required operator actions for specific programs

Recovery and restart procedures for specific programs

Estimated run times of specific programsDistribution of reports generated by specific

programs

User Documentation

Procedures for entering data on source documents

Checks of input data for accuracy and completeness

Formats and uses of reportsPossible error messages and correction

procedures

Examples of Asset Accountability Controls

Subsidiary ledgers provide a cross-check on the accuracy of a control account

Reconciliations compare values that have been computed independently

Acknowledgment procedures transfer accountability of goods to a certain person

Logs and Registers help account for the status and use of assets

Reviews & Reassessments are used to re-evaluate measured asset values

Management Practice Controls

Since management is responsible and thus “over” the internal control structure, they pose risks to a firm

General controls include: Human resource Policies and Practices Commitment to Competence Planning Practices Audit Practices Management & Operational Controls

In a computerized AIS, management should instigate a policy for: Controls over Changes to Systems New System Development Procedures

Examples of Computer Facility/Information Center Controls

Proper Supervision over computer operators

Preventive Diagnostic Programs to monitor hardware and software functions

A Disaster Recovery Plan in the event of a man-made or natural catastrophe

Hardware controls such as Duplicate Circuitry, Fault Tolerance and Scheduled Preventive Maintenance

Software checks such as a Label Check

and a Read-Write Check

Application Controls

Application controls pertain directly to the transaction processing systems

The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported

Application controls are subdivided into input, processing and output controls

Authorization Controls - I

Authorizations enforce management’s policies with respect to transactions flowing into the general ledger system

They have the objectives of assuring that: Transactions are valid and proper Outputs are not incorrect due to

invalid inputs Assets are better protected

Authorizations may be classified as general or specific

A General authorization establishes the standard conditions for transaction approval and execution

A Specific authorization establishes specific criteria for particular sums, events, occurrences, etc

In manual and computerized batch processing systems, authorization is manifest through signatures, initials, stamps, and transaction documents

In on-line computerized systems, authorization is usually verified by the system. e.g., validation of inventory pricing by code numbers in a general ledger package

Authorization Controls - II

Input Controls

Input Controls attempt to ensure the validity, accuracy, and completeness of the data entered into an AIS.

Input controls may be subdivided into: Data Observation and Recording Data Transcription (Batching and

Converting) Edit tests of Transaction Data Transmission of Transaction Data

Controls for Data Observation and Recording

The use of pre-numbered documents Keeping blank forms under lock and key Online computer systems offer the following

features: Menu screens Preformatted screens Using scanners that read bar codes or other

preprinted documents to reduce input errors Using feedback mechanisms such as a

confirmation slip to approve a transaction Using echo routines

Data Transcription - I

Data Transcription refers to the preparation of data for computerized processing and includes: Carefully structured source documents and input

screens Batch control totals that help prevent the loss of

transactions and the erroneous posting of transaction data

The use of Batch control logs in the batch control section

Amount control total totals the values in an amount or quantity field

Hash total totals the values in an identification fieldRecord count totals the number of source

documents (transactions) in a batch

Data Transcription - II(Conversion of Transaction Data)

Key Verification which consists of re-keying data and comparing the results of the two-keying operations

Visual Verification which consists of comparing data from original source documents against converted data.

Examples of Batch Control Totals

Financial Control Total - totals up dollar amounts (e.g., total of sales invoices)

Non-financial Control Total - computes non-dollar sums (e.g., number of hours worked by employees)

Record Count - totals the number of source documents once when batching transactions and then again when performing the data processing

Hash Total - a sum that is meaningless except for internal control purposes (e.g., sum of customer account numbers)

Definition and Purpose of Edit Tests

Edit Tests (programmed checks) are most often validation routines built into application software

The purpose of edit tests is to examine selected fields of input data and to reject those transactions whose data fields do not meet the pre-established standards of data quality

Examples of Edit Tests (Programmed Checks)

Validity Check (e.g., M = male, F = female) Limit Check (e.g., hours worked do not exceed 40 hours) Reasonableness Check (e.g., increase in salary is

reasonable compared to base salary) Field Check (e.g., numbers do not appear in fields reserved

for words) Sequence Check (e.g., successive input data are in some

prescribed order) Range Check (e.g., particular fields fall within specified

ranges - pay rates for hourly employees in a firm should fall between $8 and $20)

Relationship Check (logically related data elements are compatible - employee rated as “hourly” gets paid at a rate within the range of $8 and $20)

Transmission of Transaction Data

When data must be transmitted from the point of origin to the processing center and data communications facilities are used, the following checks should also be considered: Echo Check - transmitting data back to the

originating terminal for comparison with the transmitted data

Redundancy Data Check - transmitting additional data to aid in the verification process

Completeness Check - verifying that all required data have been entered and transmitted.

Objectives of Processing Controls

Processing Controls help assure that data are processed accurately and completely, that no unauthorized transactions are included, that the proper files and programs are included, and that all transactions can be easily traced

Categories of processing controls include Manual Cross-checks, ProcessingLogic Checks, Run-to-Run Controls,File and Program Checks, and AuditTrail Linkages

Examples of Processing Controls

Manual Cross-Checks - include checking the work of another employee, reconciliations and acknowledgments

Processing Logic Checks - many of the programmed edit checks, such as sequence checks and reasonableness checks (e.g., payroll records) used in the input stage, may also be employed during processing

Examples of Processing Controls

Run-to-Run Totals - batched data should be controlled during processing runs so that no records are omitted or incorrectly inserted into a transaction file

File and Program Changes - to ensure that transactions are posted to the proper account, master files should be checked for correctness, and programs should be validated

Audit Trail Linkages - a clear audit trail is needed to enable individual transactions to be traced, to provide support in general ledger balances, to prepare financial reports and to correct transaction errors or lost data

Output Controls

Outputs should be complete and reliable and should be distributed to the proper recipients

Two major types of output controls are: validating processing results regulating the distribution and

use of printed output

Validating/Reviewing Processing Results

Activity (or proof account) listings document processing activity and reflect changes made to master files

Because of the high volume of transactions, large companies may elect to review exception reports that highlight material changes in master files

Regulating/Controlling Distribution of Printed Output

Reports should only be distributed to appropriate users by reference to an authorized distribution list

Sensitive reports should be shredded after use instead of discarding

Application Controls Arranged by Two Classification Plans

Preventive Detective Corrective

Properly authorizedtransactions

Well-designed andcontrolled sourcedocuments

Sound conversion controltechniques

Batch control totals

Adequate input edit tests(programmed checks)

Sound error correctionprocedures

Complete audit trail

Sound file maintenanceprocedures

Adequate preventive-type programmed checks

Run-to-run verifications

Adequate detective-typeprogrammed checks

Complete audit trail

Distribution log ofauthorized users

Reconciliation ofcomputed totals withpredetermined controltotals

Reviews of outputs andtests to sourcedocuments by users

Reviews of logs andprocedures by internalauditors

Review of error-correction statistics

Input

Processing

Output

Control Stage

Control Purpose

Copyright © 2000 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

Accounting Information Systems: Essential Concepts and Applications Fourth Edition by Wilkinson, Cerullo,Raval, and Wong-On-Wing