Accounting system design and development: internal controls

Upload: http://www.helpwithassignment.com

Posted on 14-Oct-2015


DESCRIPTION

A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business's IT infrastructure in the event of a disaster. Such a plan, ordinarily documented in written form, specifies the procedures an organisation is to follow in the event of a disaster. For more details visit http://www.helpwithassignment.com/accounting-assignment-help

TRANSCRIPT

  • Slide 1: Internal Controls (Part II)

    Prepared by: Dr. Savanid (Nui) Vatanasakdakul

  • Slide 2

    Aims of a computerised accounting information system
    General and application controls
    Limitations of controls
    Threats to internal controls

  • Slide 3: Identify 3 advantages of computerised application controls.

  • Slide 4: (blank answer space)

  • Slide 5: Advantages of computerised application controls

    Consistent execution, authorisation and application
    Enforce completeness
    More difficult to avoid
    More timely and efficient to execute
    More timely reporting and feedback, etc.

  • Slide 6: Aims of a computerised accounting information system

    Proper authorisation, such as authorising only valid transactions
    Proper records, such as input and output accuracy
    Completeness
    Timeliness

  • Slide 7: General controls and application controls

    General controls
      Policies/procedures relating to many applications
      Support the effective operation of application controls

    Application controls
      Manual or automated
      Operate within a business process / application
      Relate to the initiation, recording, reporting and processing of events
      Deal with the aims of occurrence, authorisation, completeness and accuracy

  • Slide 8: General controls

    Some risks apply across a number of areas of the organisation. To address these risks we have GENERAL CONTROLS.
    General controls affect the overall information system. They are established with the aim of providing reasonable assurance that the internal control objectives are achieved.
    These controls affect all applications. Seen as pervasive, they apply across almost all of the information systems in an organisation.
    They support the effective operation of application controls.

  • Slide 9: Categories of general controls

    Organisational: separation of duties (design, programming, operations, data entry, custody of documentation)
    Policies and procedures: recruitment, termination
    Access: to computer facilities, to data files, authorised users
    Hardware: monitor and detect failures
    Systems development: user involvement, authorisation, documentation, access to systems software restricted, data protection
    Telecommunications: transmission / encryption techniques
    Other: disaster recovery, backup / off-site storage

  • Slide 10

    Physical controls
    Segregation of duties
    User access
    System development procedures
    User awareness of risks
    Data storage procedures

  • Slide 11: Roles in an information system

    Users record transactions, authorise data to be processed, and use system output.
    Systems analysts help users determine their information needs and then design an information system to meet those needs.
    Programmers take the design provided by the systems analysts and create an information system by writing the computer programs.
    Computer operations runs the software on the company's computers. Operators ensure that data is input properly and correctly processed and that the right output is produced.
    Database administration maintains and manages corporate databases and files.

  • Slide 12

    Systems administration ensures that the different parts of an information system operate smoothly and efficiently.
    Network management ensures that all applicable devices are linked to the organisation's internal and external networks and that the networks operate continuously and properly.
    Change management manages all changes to an organisation's information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.

  • Slide 13: Change management

    The person (usually a developer) who makes the IS change should be different from the person who makes the change available to users. The process of making changes available to all users is usually called migration into production.
    Why do we need to segregate these functions?

  • Slide 14

    Wireless technology: virtual private networks
    Wired networks: electronic eavesdropping, routing verification procedures, message acknowledgement procedures
    Microcomputers: what unique risks do microcomputers present to an organisation?
    Location of computing facility; restrict employee access; the use of biometrics

  • Slide 15: Separation of duties

    Accounting from other sub-systems
    Responsibilities within IT: programming, data management, design / analysis, testing
    Within a process: authorisation, execution, custody, recording
    Computer accounts / logins / access controls
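The segregation rules on slides 13 and 15 (one person should not both authorise and execute a transaction, and the developer of a change should not be the one who migrates it into production) can be checked after the fact against an activity log. The following is an added example, not part of the lecture material: it assumes an application or change-management system writes one entry per action with the item, the actor and the duty performed, and the log lines, duty names and incompatible pairs are constructed for illustration.

```python
"""Segregation-of-duties check over a constructed activity log.

Added example (not from the lecture slides). It assumes the application or
change-management system records one entry per action as
(item id, actor, duty). Duty names follow slide 15 (authorise, execute,
custody, record) and slide 13 (develop, migrate_to_production); the
incompatible pairs and the log entries below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Pairs of duties one person should not perform on the same transaction or
# change. A real organisation would take this matrix from its control policy.
INCOMPATIBLE: Set[frozenset] = {
    frozenset({"authorise", "execute"}),
    frozenset({"authorise", "record"}),
    frozenset({"execute", "custody"}),
    frozenset({"custody", "record"}),
    frozenset({"develop", "migrate_to_production"}),
}

# Constructed log: (item id, actor, duty)
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("SALE-1001", "alice", "authorise"),
    ("SALE-1001", "bob", "execute"),
    ("SALE-1001", "carol", "record"),
    ("SALE-1002", "bob", "authorise"),   # bob both authorises and executes
    ("SALE-1002", "bob", "execute"),
    ("SALE-1002", "carol", "record"),
    ("CHG-42", "dave", "develop"),
    ("CHG-42", "erin", "migrate_to_production"),
    ("CHG-43", "dave", "develop"),       # dave also migrates his own change
    ("CHG-43", "dave", "migrate_to_production"),
]


def duties_by_actor(log):
    """Group the duties each actor performed on each item."""
    grouped: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for item, actor, duty in log:
        grouped[item][actor].add(duty)
    return grouped


def find_sod_violations(log):
    """Return (item, actor, duty_a, duty_b) for every incompatible pair of
    duties performed by the same actor on the same item, sorted for stable output."""
    violations = []
    for item, actors in duties_by_actor(log).items():
        for actor, duties in actors.items():
            for pair in INCOMPATIBLE:
                if pair <= duties:          # both duties of the pair done by this actor
                    a, b = sorted(pair)
                    violations.append((item, actor, a, b))
    return sorted(violations)


if __name__ == "__main__":
    for v in find_sod_violations(SAMPLE_LOG):
        print("SoD violation: item %s, actor %s performed both %s and %s" % v)
```

The check is a detective control: it reports the two constructed conflicts (bob on SALE-1002, dave on CHG-43) and stays silent for the items where the duties were split. A preventive version would apply the same matrix at the point where accounts and logins are granted, which is the access-control item on slide 15.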

  • Slide 16

    Fault tolerant / built-in redundancies: disk mirroring
    Backups: hierarchically performed; where to store backup data? how often to back up?
    Uninterruptible power supply

  • Slide 17: Disaster recovery plan (DRP)

    DRP refers to the strategy an organisation will put into action in the event of a disaster that disrupts normal operations. The aim is business continuity, i.e. to resume operations as soon as possible with minimal loss or disruption to data and information.
    This plan describes procedures to be followed in the case of an emergency as well as the role of each member of the disaster recovery team.

  • Slide 18

    DRP considers: natural disasters, deliberate malicious acts, accidental destructive acts
    DRP usually covers:
      Staff: employees, customers, suppliers, other stakeholders
      Physical resources: buildings, equipment, cash
      Information resources: data, information

  • Slide 19

    Temporary site: hot site, cold site
    Staffing: evacuating threatened staff; enabling staff to operate in DRP mode; staff need to know their roles; restore relationships
    As organisations become integrated, the information asset is increasing in importance

  • Slide 20: Application controls

    Controls over specific systems / business processes
    Relate to the initiation, recording, reporting and processing of events
    Provide reasonable assurance that the events occurring in a system/process are authorised and recorded, are processed completely, accurately and on a timely basis, and that resources in that system are protected.
    Examples of systems/processes in an organisation: sales system, accounts receivable system, purchases system, payments system, payroll, financial reporting, inventory

  • Slide 21: Aims of application controls

    Authorisation: is the person authorised to execute the transaction? Eg: approvals for a large sale to proceed
    Recording
      Input validity: is the data of the correct format/type? Does the data represent a valid event?
      Input accuracy: is all data entered correct?
      Completeness: has all data about an event been recorded? (transaction level) Have all events been recorded? (business process level)
    Timeliness: is data captured, processed, stored and available as required by the needs of the business process?

  • Slide 22: Classification based on the stage in the process at which the control occurs

    Input controls: designed to ensure data entering the system is valid, complete and accurate
    Process controls: detect errors and irregularities in the processing of data
    Output controls: protect the outputs of a system

  • Slide 23: Input controls

    Observation, recording and transcription
    Feedback mechanism. Eg: customer reviews and signs the sales form
    Dual observation. Eg: approval from a supervisor; more than one employee in the execution of a sale
    Pre-designed forms: pre-numbered; layout of forms
    How does a pre-designed form help?

  • Slide 24: Edit tests

    Check validity and accuracy after data has been input
    Test of content: numeric, alphabetic, alphanumeric
    Test of reasonableness: is the input within a specified range of values? Eg: hours worked per week is between 0 and 60
    Test of sign (+ive, -ive)
    Test of completeness
    Test of sequence: has every document been input? Eg: cheques. Requires pre-numbered source documents
    Test of consistency
    Check digit calculation. Eg: credit card, calculate security number from card number. Card number 1234 5678 9012 3456; security number: 687
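The edit tests on slide 24 are easiest to see as a validation routine run over each input record before it is accepted. The following is an added example and not the lecture's own material: it applies the content, reasonableness (0 to 60 hours), sign, completeness and consistency tests to constructed payroll timesheet records, and uses the Luhn algorithm as the check-digit test on a card number (an assumption made here; the slide's own security-number example is not reproduced). Field names, thresholds and the records are constructed.

```python
"""Edit tests run over constructed payroll timesheet records.

Added example (not from the lecture slides). Field names, the 38-hour
overtime threshold used for the consistency test, and the records are
constructed; the check-digit test uses the Luhn algorithm, an assumption
for illustration.
"""
from typing import Dict, List

REQUIRED_FIELDS = ("employee_id", "surname", "hours", "rate", "card_number")


def luhn_valid(number: str) -> bool:
    """Check digit test: the Luhn weighted digit sum must be a multiple of 10.
    Spaces are ignored; any other non-digit character fails the test."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2 or len(digits) != len(number.replace(" ", "")):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def edit_tests(record: Dict[str, str]) -> List[str]:
    """Return the list of failed edit tests; an empty list means the record passes."""
    failures: List[str] = []

    # Test of completeness: every required field present and non-blank
    for field in REQUIRED_FIELDS:
        if not str(record.get(field, "")).strip():
            failures.append("completeness: %s missing" % field)
    if failures:
        return failures          # the remaining tests need the fields present

    # Test of content: employee_id numeric, surname alphabetic
    if not record["employee_id"].isdigit():
        failures.append("content: employee_id not numeric")
    if not record["surname"].replace("-", "").isalpha():
        failures.append("content: surname not alphabetic")

    # hours and rate must be numeric before the range and sign tests can run
    try:
        hours = float(record["hours"])
        rate = float(record["rate"])
    except ValueError:
        failures.append("content: hours/rate not numeric")
        return failures

    # Test of reasonableness: hours worked per week between 0 and 60
    if not 0 <= hours <= 60:
        failures.append("reasonableness: hours %.1f outside 0..60" % hours)

    # Test of sign: a pay rate cannot be negative
    if rate < 0:
        failures.append("sign: negative rate")

    # Test of consistency (constructed rule): overtime hours need an approval flag
    if hours > 38 and record.get("overtime_approved", "N") != "Y":
        failures.append("consistency: hours above 38 without overtime approval")

    # Check digit test on the card number
    if not luhn_valid(record["card_number"]):
        failures.append("check digit: card_number fails Luhn")
    return failures


# Constructed records: CLEAN passes every test, BAD fails several
CLEAN = {"employee_id": "1042", "surname": "Smith", "hours": "37.5",
         "rate": "24.00", "card_number": "4539 1488 0343 6467"}
BAD = {"employee_id": "10A2", "surname": "Smith", "hours": "75",
       "rate": "-24.00", "card_number": "4539 1488 0343 6468"}

if __name__ == "__main__":
    for rec in (CLEAN, BAD):
        print(rec["employee_id"], edit_tests(rec) or "passed all edit tests")
```

Collecting every failure rather than stopping at the first one matches how a batch edit run reports back to a data entry clerk: the record is rejected once, with all the reasons listed. The completeness test is the exception, because the other tests cannot run on fields that are absent.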

  • Slide 25: Process controls

    Controls for the manipulation of data once it has been input: batch control totals, record counts, sequence checks, run-to-run totals
    Which aims do they achieve? Reliable financial reporting; accuracy of data processing / updates; completeness of data processing / updates

  • Slide 26: Sequence check (diagram)

    Sales dept: sale occurs and invoice prepared. Invoices 001, 002, 003, 004, 005, 006, 007.
    Data entry clerk: invoices entered: 001, 002, 003, 004, 005, 007 (missing invoice 006).
    Computer: checks for gaps in the sequence of pre-numbered documents and alerts the clerk of missing documents.
    The sequence check has identified that invoice 006 has not been entered; we do not have completeness.

  • Slide 27: Run-to-run totals

    The computer takes the daily credit sales data and updates the accounts receivable master balances.
    The new balance for the accounts receivable should equal the opening balance + credit sales.

  • Slide 28: Run-to-run totals (diagram)

    Sales person: capture sales (sales order, order details)
    Computer: credit sales; calculate check total; update accounts receivable (A/R); compare totals

  • Slides 29 and 30

    They include: financial control total, hash total, record count
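Slides 25 to 30 describe four process controls that all operate on the same batch of pre-numbered documents: the sequence check of slide 26, the three batch control totals (financial control total, hash total, record count) of slides 29 and 30, and the run-to-run total of slides 27 and 28. The following is an added example, not the lecture's own code, that runs all four over one constructed batch of sales invoices; the invoice numbers, customer numbers (used as the hash-total field) and amounts are constructed, and the opening receivable balances are likewise invented for illustration.

```python
"""Process controls over a constructed batch of sales invoices.

Added example (not from the lecture slides). Invoice numbers, customer
numbers, amounts and opening balances are constructed. Decimal is used so
that the money totals compare exactly.
"""
from decimal import Decimal
from typing import Dict, List, Tuple

# Batch as prepared by the sales department: (invoice no, customer no, amount)
PREPARED: List[Tuple[int, int, Decimal]] = [
    (1, 501, Decimal("120.00")),
    (2, 502, Decimal("45.50")),
    (3, 503, Decimal("300.00")),
    (4, 501, Decimal("80.00")),
    (5, 504, Decimal("15.25")),
    (6, 502, Decimal("60.00")),
    (7, 505, Decimal("99.99")),
]

# What the data entry clerk keyed: invoice 006 was skipped, as on slide 26
ENTERED: List[Tuple[int, int, Decimal]] = [r for r in PREPARED if r[0] != 6]

# Constructed opening accounts receivable balances per customer
OPENING_AR: Dict[int, Decimal] = {501: Decimal("200.00"), 502: Decimal("0"), 503: Decimal("50.00")}


def batch_totals(batch) -> Dict[str, Decimal]:
    """Record count, financial control total (sum of amounts) and hash total
    (sum of customer numbers, a field with no monetary meaning of its own)."""
    return {
        "record_count": Decimal(len(batch)),
        "financial_total": sum((r[2] for r in batch), Decimal("0")),
        "hash_total": Decimal(sum(r[1] for r in batch)),
    }


def sequence_gaps(batch) -> List[int]:
    """Invoice numbers missing between the lowest and highest number present."""
    numbers = sorted(r[0] for r in batch)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def compare_batches(prepared, entered) -> List[str]:
    """Names of the control totals that differ between the two batches."""
    a, b = batch_totals(prepared), batch_totals(entered)
    return [k for k in a if a[k] != b[k]]


def apply_credit_sales(balances: Dict[int, Decimal], batch) -> Dict[int, Decimal]:
    """Post each invoice to its customer's receivable balance (the A/R update)."""
    new = dict(balances)
    for _, customer, amount in batch:
        new[customer] = new.get(customer, Decimal("0")) + amount
    return new


def run_to_run(opening_balance: Decimal, batch, updated_balance: Decimal) -> bool:
    """Run-to-run total: opening A/R + credit sales must equal the updated A/R."""
    return opening_balance + batch_totals(batch)["financial_total"] == updated_balance


if __name__ == "__main__":
    print("gaps in entered batch:", sequence_gaps(ENTERED))
    print("control totals that differ:", compare_batches(PREPARED, ENTERED))
    updated = apply_credit_sales(OPENING_AR, ENTERED)
    opening_total, updated_total = sum(OPENING_AR.values()), sum(updated.values())
    print("run-to-run check against the entered batch:", run_to_run(opening_total, ENTERED, updated_total))
    print("run-to-run check against the prepared batch:", run_to_run(opening_total, PREPARED, updated_total))
```

Each control catches the missing invoice in a different way: the sequence check names the gap (006), the record count and financial total show the batch is short, the hash total shows which customer number dropped out, and the run-to-run total fails when the posted balance is compared with the totals the sales department prepared. Together they address the completeness and accuracy aims listed on slide 25.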

  • Slide 31: Output controls

    Validation of process results: activity listings
    Distribution and use: who is able to access the outputs? Where are the outputs printed to? Has the relevant user got all of the output?

  • Slide 32: Limitations of controls

    Judgement error, unexpected transaction, collusion, management override, weak internal controls, conflicting signals

  • Slide 33: Threats to internal controls

    Management incompetence; external factors such as natural disasters; fraud; regulatory environment; information technology, such as viruses and email attacks

  • Slide 34: References

    Blair, B. and Boyce, G. (Eds) (2006), Accounting Information Systems with Social and Organisational Perspectives, John Wiley, Milton.
    Turner, L. and Weickgenannt, A. (2009), Accounting Information Systems: Controls and Processes, Wiley.

    I wish to acknowledge Dr. Chadi Aoun's input and material that were incorporated into the lecture slides, as well as the supplementary material and sources provided by John Wiley publishers.