ch 09 revised
-
8/12/2019 Ch 09 Revised
1/19
Controlling Information Systems: Business Process Controls
-
Learning Objectives
Understand steps in control framework
Know how to prepare control matrix
Comprehend the generic business process control plans introduced in this chapter
Be able to describe how the business process controls accomplish control goals
Appreciate the importance of controls to organizations with enterprise systems
Appreciate the importance of controls to organizations engaging in e-Business
Business Process Controls
-
The Control Matrix
The control matrix is a tool designed to
assist you in analyzing a systems
flowchart and related narrative. It establishes the criteria to be used in
evaluating the controls in a particular
business process.
-
[Figure: Sample Control Matrix]
-
Available Control Plans for Data Input
1: Document Design - source document is designed to make data easy to complete and key
2: Written Approvals - signature or initials indicating approval of event processing
3: Preformatted Screens - define the acceptable format for each data field (e.g., 9 numeric characters for SSN)
4: Online Prompting - requests user input or asks questions, e.g., message box
-
Available Control Plans for Data Input, Cont'd.
5: Programmed Edit Checks - automatically performed by data entry programs upon entry of data
  Reasonableness checks (limit checks) - test input for values within predetermined limits
  Document/record hash totals - compare computer total to manually calculated total
  Mathematical accuracy checks - compare calculations performed manually to computer calculations, e.g., compare the manually entered invoice total to the computer calculated total
  Check digit verification - a functionally dependent extra digit is appended to a number; if miskeying occurs, a check digit mismatch occurs and the system rejects the input
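
Added example (not from the original slides): a limit check and check digit verification applied to keyed records. The slides do not name a check digit scheme, so the Luhn formula is used here as an assumption; the field names, the 1..500 quantity limit, and the sample records are also constructed.

```python
# Added example: programmed edit checks run when a record is keyed.
# Assumptions: Luhn check digit scheme, field names, and the 1..500 limit.

def luhn_check_digit(payload: str) -> str:
    """Compute the functionally dependent extra digit for a numeric payload."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting at the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(number: str) -> bool:
    """True when the last digit matches the digit computed from the rest."""
    return (number.isascii() and number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def edit_input(record: dict, qty_limits=(1, 500)) -> list:
    """Return the rejection reasons; an empty list means the input is accepted."""
    errors = []
    if not check_digit_ok(record["account_no"]):
        errors.append("check digit mismatch on account_no")
    low, high = qty_limits
    qty = record["quantity"]
    if not isinstance(qty, int) or not low <= qty <= high:
        errors.append(f"quantity outside limits {low}..{high}")
    return errors


# Constructed sample input: one correct record and three keying errors.
SAMPLES = {
    "as issued": {"account_no": "79927398713", "quantity": 12},
    "one digit miskeyed": {"account_no": "79927398703", "quantity": 12},
    "digits transposed": {"account_no": "79927389713", "quantity": 12},
    "extra zeros keyed": {"account_no": "79927398713", "quantity": 1200},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:20} -> {edit_input(rec) or 'accepted'}")
```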
-
Available Control Plans for Data Input
6: Procedures for rejected input - rejected inputs are corrected and resubmitted for processing
7: Keying corrections - clerk corrects inputs
8: Interactive feedback checks - computer informs clerk that input has been accepted/rejected
9: Record input - record is recorded in transaction data rather than being re-keyed at another time
10: Key verification - data is keyed by two different individuals then compared by the computer
-
Recommended Control Plans with Master Data
11: Enter data close to originating source
  Input data is entered directly and immediately; this reduces input costs, inputs are less likely to be lost, and errors are less likely and can be more easily corrected
  Online transaction entry (OLTE), online real-time processing (OLRT), and online transaction processing (OLTP) are all examples of this processing strategy.
12: Digital signatures
  Authenticate that the sender of the message has the authority to send it and detect messages that have been altered in transit
  An application of public key cryptography involving the use of a private encryption key to sign the data transmitted
-
Recommended Control Plans with Master Data
13: Populate input with master data
  User enters an entity's ID code and the system then retrieves certain data about that entity from existing master data.
  User might be prompted to enter the customer ID (code).
  By accessing the customer master data, the system automatically provides data such as the customer's name and address, the salesperson's name, and the sales terms.
  This reduces the number of keystrokes required, making data entry quicker, more accurate, and more efficient.
  Therefore, the system automatically populates input fields with existing data
-
Recommended Control Plans with Master Data
14: Compare input data with master data - the system compares inputs with standing (master) data to ensure their accuracy and validity
  Input/master data dependency checks
    These edits test whether the contents of two or more data elements or fields on an event description bear the correct logical relationship.
    For example, input sales events can be tested to determine whether the salesperson works in the customer's territory.
    If these two items don't match, there is some evidence that the customer number or the salesperson identification was input erroneously.
  Input/master data validity and accuracy checks
    These edits test whether master data supports the validity and accuracy of the input.
    For example, this edit might prevent the input of a shipment when no record of a corresponding customer order exists.
    If no match is made, we may have input some data incorrectly, or the shipment might simply be invalid.
    We might also compare elements within the input and master data.
-
Data Entry with Batches
Data entry with batches involves collecting inputs into work units called batches; batched inputs are then keyed into system as a batch
  Implies some delay between the economic event and its reflection in the system
  Allows for controls focusing on the batch, e.g., batch control totals (hash or other totals from batch)
  Batch entry is often followed by an exception and summary report
-
Batch Control Plans
Batch control procedures start by grouping event data and calculating totals for the group. Several different types of batch control totals can be calculated:
Document/record counts - simple counts of the number of documents entered in a batch
  This procedure represents the minimum level required to control input completeness.
  Because one document could be intentionally replaced with another, this control is not effective for ensuring input validity and says nothing about input accuracy.
Item or line counts
  Counts number of items or lines entered, such as a count of the number of invoices being paid by all the customer remittances.
  By reducing the possibility that line items or entire documents could be added to the batch or not be input, this control improves input validity, completeness, and accuracy.
  Remember, a missing event record is a completeness error and a data set missing from an event record is an accuracy error.
Dollar totals
  Sum of dollar value of items in batch
  By reducing the possibility that entire documents could be added to or lost from the batch or that dollar amounts were incorrectly input, this control improves input validity, completeness, and accuracy.
Hash totals
  Are a summation of any numeric data existing for all documents in the batch, such as a total of customer numbers or invoice numbers in the case of remittance advices.
  Unlike dollar totals, hash totals normally serve no purpose other than control.
  Hash totals can be a powerful batch control because they can determine if inputs have been altered, added, or deleted.
  These batch hash totals operate for a batch in a manner similar to the operation of document/record hash totals for individual inputs.
-
P-1: use of turnaround documents
Turnaround documents are used to capture and input a subsequent event.
Picking tickets, inventory count cards, remittance advice stubs attached to customer invoices, and payroll time cards are all examples of turnaround documents.
For example, we have seen picking tickets that are printed by the computer, used to pick the goods, and sent to shipping where the bar code on the picking ticket is scanned to trigger the recording of the shipment.
-
P-2: batch totals control
Calculation of batch totals ensures that the data input arises from legitimate events (input validity) and that all events in the batch are captured (input completeness).
-
P-3: Reconciliation of Batch Totals
The manual reconciliation of batch totals control
plan operates in the following manner:
a. First, one or more of the batch totals are established
manually
b. As individual event descriptions are scanned, the data
entry program accumulates independent batch totals.
c. The computer produces reports (or displays) with the
relevant control totals that must be manually reconciled to
the totals established prior to the particular process.
d. The person who reconciles the batch total must determine
why the totals do not agree and make corrections as
necessary to ensure the integrity of the input data
-
P-4: Reconcile input and output batch totals (agreement of run-to-run totals)
This is a variation of the agreement of batch totals controls.
With agreement of run-to-run totals, totals prepared before a computer process has begun are compared, manually or by the computer, to totals prepared at the completion of the computer process.
These post-process controls are often found on an error and summary report.
When totals agree, we have evidence that the input and the update took place correctly.
This control is especially useful when there are several intermediate steps between the beginning and the end of the process and we want to be assured of the integrity of each process.
-
P-5: use of tickler file and one-for-one checking
This has two purposes:
1. One is to ensure that all picking tickets are linked to an associated packing slip,
2. The other is to ensure that all items on related picking tickets and packing slips match.
We regularly review a tickler file to clear items from that file.
  Tickler files may be digitized, reflecting events that need to be completed, such as open sales orders, open purchase orders, and so forth.
  Should tickler file documents remain in the file too long, the person or computer monitoring will determine the nature and extent of the delay.
Picking tickets are compared to their associated packing slips using one-for-one checking to determine that they agree.
  Differences may indicate errors in input or update.
  This procedure provides us detail as to what is incorrect within a batch.
Being very expensive to perform, one-for-one checking should be reserved for low-volume, high-value events.
-
P-6: Automated Sequence Checks
Whenever documents are numbered sequentially, a sequence check can be automatically applied to those documents.
Batch sequence checks work best when we can control the input process and the serial numbers of the input data, such as payroll checks.
  In a batch sequence check, the event data within a batch are checked as follows:
  a. The range of serial numbers constituting the batch is entered.
  b. Each individual, serially pre-numbered event data is entered.
  c. The computer program sorts the event data into numerical order; checks the documents against the sequence number range; and reports missing, duplicate, and out-of-range event data.
Cumulative sequence check provides input control when the serial numbers are not entered in sequence (i.e., picking tickets might contain broken sets of numbers).
  Matching of individual event data (picking ticket #s) is made to a file that contains all document numbers (all sales order numbers).
  Periodically, reports of missing numbers are produced for manual follow-up.
Reconciling a checkbook is another example of a situation where the check numbers are issued in sequence.
  However, the bank statement we receive may not contain a complete sequence of checks.
  Our check register assists us in performing a cumulative sequence check to make sure that all checks are eventually cleared.
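
Added example (not from the original slides): the batch sequence check in steps a to c and the cumulative sequence check, run on constructed serial numbers. The function and class names, the serial number ranges, and the sample batches are assumptions made for illustration.

```python
# Added example: batch and cumulative sequence checks on constructed data.
from collections import Counter


def batch_sequence_check(first: int, last: int, entered: list) -> dict:
    """Check keyed serial numbers against the declared batch range.

    Step a supplies first/last, step b supplies `entered`, and step c is the
    sorted report of missing, duplicate, and out-of-range numbers.
    """
    counts = Counter(entered)
    expected = range(first, last + 1)
    return {
        "missing": [n for n in expected if n not in counts],
        "duplicate": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if n not in expected),
    }


class CumulativeSequenceCheck:
    """Match documents that arrive out of order against all issued numbers."""

    def __init__(self, issued):
        self.issued = set(issued)       # file of all document numbers
        self.outstanding = set(issued)  # numbers not yet matched

    def match(self, numbers) -> list:
        """Clear matched numbers; return any that were never issued."""
        unknown = sorted(n for n in set(numbers) if n not in self.issued)
        self.outstanding -= set(numbers)
        return unknown

    def missing_report(self) -> list:
        """Periodic report of numbers still awaiting a matching document."""
        return sorted(self.outstanding)


if __name__ == "__main__":
    # Constructed payroll check batch declared as serial numbers 1001..1006.
    print(batch_sequence_check(1001, 1006, [1003, 1001, 1002, 1003, 1006, 1010]))

    # Constructed sales order numbers 5001..5008, picked in broken sets.
    tracker = CumulativeSequenceCheck(range(5001, 5009))
    tracker.match([5003, 5001, 5007])
    print("never issued:", tracker.match([5002, 5008, 5999]))
    print("missing:", tracker.missing_report())
```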
-
P-7: Computer Agreement of Batch Totals
The computer agreement of batch totals plan works in the following manner:
a. First, one or more of the batch totals are established manually (i.e., in the user department in Figure 9.9).
b. Then, the manually prepared total is entered into the computer and is written to the computer batch control totals data.
c. As individual event descriptions are entered, a computer program accumulates independent batch totals and compares these totals to the ones prepared manually and entered at the start of the processing.
d. The computer prepares a report, which usually contains details of each batch, together with an indication of whether the totals agreed or disagreed.
Batches that do not balance are normally rejected, and discrepancies are manually investigated and included in a summary report
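
Added example (not from the original slides): the four batch control totals from the Batch Control Plans slide, compared by the computer to manually established totals as in steps a to d above. The record layout, function names, and remittance data are constructed; the second batch swaps one document for another of the same amount, which only the hash total detects.

```python
# Added example: computer agreement of batch totals on constructed data.
from decimal import Decimal


def batch_totals(docs: list) -> dict:
    """Accumulate the independent batch totals from the keyed documents."""
    return {
        "record_count": len(docs),
        "line_count": sum(len(d["lines"]) for d in docs),
        "dollar_total": sum((a for d in docs for a in d["lines"]), Decimal("0")),
        "hash_total": sum(d["customer_no"] for d in docs),
    }


def agree_batch(manual: dict, docs: list) -> tuple:
    """Compare manual totals with computed ones; reject if any disagree."""
    computed = batch_totals(docs)
    diffs = {k: (manual[k], computed[k])
             for k in manual if manual[k] != computed[k]}
    return ("REJECTED" if diffs else "ACCEPTED"), diffs


# Totals established manually in the user department (constructed values).
MANUAL = {"record_count": 3, "line_count": 4,
          "dollar_total": Decimal("1405.75"), "hash_total": 12209}

# Constructed remittance advices as keyed: customer number and invoice amounts.
KEYED_OK = [
    {"customer_no": 4012, "lines": [Decimal("250.00"), Decimal("100.00")]},
    {"customer_no": 4077, "lines": [Decimal("980.50")]},
    {"customer_no": 4120, "lines": [Decimal("75.25")]},
]
# Same batch with the last document replaced by one for another customer.
KEYED_SUBSTITUTED = KEYED_OK[:2] + [
    {"customer_no": 4999, "lines": [Decimal("75.25")]},
]

if __name__ == "__main__":
    for label, batch in (("ok", KEYED_OK), ("substituted", KEYED_SUBSTITUTED)):
        status, diffs = agree_batch(MANUAL, batch)
        print(f"{label:12} {status} {diffs}")
```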