Title: Control Activities I
2. Control Activities - I
- Control Activities related to Financial Reporting may be classified according to their intended use in a system:
  - Preventive Controls block adverse events, such as errors or losses, from occurring
  - Detective Controls discover the occurrence of adverse events, such as operational inefficiency
  - Corrective Controls are designed to remedy problems discovered through detective controls
  - Security Measures are intended to provide adequate safeguards over access to and use of assets and data records
3. Control Activities - II
- Control Activities relating to Information Processing may also be classified according to where they are applied within the system:
  - General controls are those controls that pertain to all activities involving a firm's AIS and assets
  - Application controls relate to specific accounting tasks or transactions
- The overall trend appears to be away from specific application controls and toward more global general controls
4. Control Activities - III
- Performance Reviews:
  - Comparing budgets to actual values
  - Relating different sets of data (operating or financial) to one another, together with analysis of the relationships and investigative and corrective actions
  - Reviewing functional performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections
5. General Controls and Application Controls
6. Introduction to Controls
- Controls may relate to manual AISs, to computer-based AISs, or both
- Controls may be grouped into General controls, Application controls, and Security measures
- Controls may also be grouped in terms of risk aversion: Corrective, Preventive, and Detective controls
- These categories are intertwined, and an appropriate balance among them is needed for an effective internal control structure
7. Control Classifications
- By Setting
  - General
  - Application
    - Input
    - Processing
    - Output
- By Risk Aversion
  - Corrective
  - Preventive
  - Detective
8. General Controls
- General Controls pertain to all activities involving a firm's AIS and resources (assets). They can be grouped as follows:
  - Organizational or Personnel Controls
  - Documentation Controls
  - Asset Accountability Controls
  - Management Practice Controls
  - Information Center Operations Controls
  - Authorization Controls
  - Access Controls
9. Organizational or Personnel Controls - I
- Organizational independence, which separates incompatible functions, is a central control objective when designing a system
- Diligence of independent reviewers, including the board of directors (BOD), managers, and auditors (both internal and external)
- In a manual system, the authorization, record-keeping, and custodial functions must be kept separate, e.g., for purchases, sales, cash handling, etc.
10. Organizational or Personnel Controls - II
- In computer-based AISs the major segregation is between the systems development tasks, which create systems, and the data processing tasks, which operate systems
- Within data processing (in a batch processing environment), one may find further segregation between the control section (receiving and logging), data preparation (converting to machine-readable form), computer operations, and the data library
- Other personnel controls include the two-week vacation rule (a mandatory, uninterrupted absence during which another employee performs the duties, so that concealed irregularities surface)
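The segregation described in slides 9 and 10 can be enforced mechanically when roles are provisioned in an identity system. The following is an added example, not code from the original slides: it models the incompatible function pairs named above (authorization/record-keeping/custody in a manual system; systems development versus computer operations and the data library in a computer-based AIS) as a conflict matrix and checks role assignments against it, both detectively over existing grants and preventively before a new grant. The role names, the conflict pairs and the user list are constructed assumptions.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added illustration based on the segregation described in the slides.
Role names, the incompatible-pair matrix and the sample assignments
are constructed assumptions, not data from the original page.
"""
from itertools import combinations

# Pairs of functions one person must not hold simultaneously (assumed matrix).
INCOMPATIBLE_PAIRS = {
    frozenset({"authorization", "record_keeping"}),
    frozenset({"authorization", "custody"}),
    frozenset({"record_keeping", "custody"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "data_library"}),
    frozenset({"data_preparation", "computer_operations"}),
}

# Constructed sample of current role assignments (user -> set of roles).
ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"record_keeping", "custody"},                      # conflict
    "carol": {"systems_development", "computer_operations"},  # conflict
    "dave": {"data_preparation", "data_library"},             # no conflict
}


def conflicts_for(roles):
    """Return the sorted list of incompatible role pairs within one role set."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(sorted(roles), 2)
        if frozenset(pair) in INCOMPATIBLE_PAIRS
    )


def find_sod_violations(assignments):
    """Detective use: map each user holding incompatible roles to the pairs."""
    return {
        user: pairs
        for user, roles in assignments.items()
        if (pairs := conflicts_for(roles))
    }


def would_violate(assignments, user, new_role):
    """Preventive use: conflicts that a proposed grant would create."""
    return conflicts_for(assignments.get(user, set()) | {new_role})


if __name__ == "__main__":
    for user, pairs in find_sod_violations(ASSIGNMENTS).items():
        print(f"{user}: {pairs}")
    print("grant custody to alice ->", would_violate(ASSIGNMENTS, "alice", "custody"))
```

The preventive form is the one to wire into the provisioning workflow; the detective form belongs in a periodic access review, since roles accumulate through transfers and temporary cover.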
11. Flow of Batched Data in Computer-Based Processing (figure)
12. Segregation of Functions in a Direct/Immediate Processing System (figure)
13. Documentation Controls
- Documentation consists of procedures manuals and other means of describing the AIS and its operations, such as program flowcharts and organizational charts
- In large firms, a data librarian is responsible for the control, storage, retention, and distribution of documentation
- Storing a copy of documentation in a fireproof vault and having proper checkout procedures are other examples of documentation controls
- Use of CASE (computer-aided software engineering) tools
14. Systems Standard Documentation
- Systems development policy statements
- Program testing policy statements
- Computer operations policy statements
- Security and disaster policy statements
15. System Application Documentation
- Computer system flowcharts
- DFDs (data flow diagrams)
- Narratives
- Input/output descriptions, including filled-in source documents
- Formats of journals, ledgers, reports, and other outputs
- Details concerning audit trails
- Charts of accounts
- File descriptions, including record layouts and data dictionaries
- Error messages and formats
- Error correction procedures
- Control procedures
16. Program Documentation
- Program flowcharts, decision tables, data structure diagrams
- Source program listings
- Inputs, formats, and sample filled-in forms
- Printouts of reports, listings, and other outputs
- Operating instructions
- Test data and testing procedures
- Program change procedures
- Error listings
17. Data Documentation
- Descriptions of data elements
- Relationships of specific data elements to other data elements
18. Operating Documentation
- Performance instructions for executing computer programs
- Required input/output files for specific programs
- Setup procedures for certain programs
- List of programmed halts, including related messages and required operator actions for specific programs
- Recovery and restart procedures for specific programs
- Estimated run times of specific programs
- Distribution of reports generated by specific programs
19. User Documentation
- Procedures for entering data on source documents
- Checks of input data for accuracy and completeness
- Formats and uses of reports
- Possible error messages and correction procedures
20. Examples of Asset Accountability Controls
- Subsidiary ledgers provide a cross-check on the accuracy of a control account
- Reconciliations compare values that have been computed independently
- Acknowledgment procedures transfer accountability for goods to a specific person
- Logs and registers help account for the status and use of assets
- Reviews and reassessments are used to re-evaluate measured asset values
21. Management Practice Controls
- Because management is responsible for, and therefore sits above, the internal control structure, management itself poses a risk to a firm (it is in a position to override controls)
- General controls in this area include:
  - Human resource policies and practices
  - Commitment to competence
  - Planning practices
  - Audit practices
  - Management operational controls
- In a computerized AIS, management should institute policies for:
  - Controls over changes to systems
  - New system development procedures
22. Examples of Computer Facility/Information Center Controls
- Proper supervision over computer operators
- Preventive diagnostic programs to monitor hardware and software functions
- A disaster recovery plan in the event of a man-made or natural catastrophe
- Hardware controls such as duplicate circuitry, fault tolerance, and scheduled preventive maintenance
- Software checks such as a label check (verifying that the correct file or volume has been mounted before a run) and a read-write check
23. Application Controls
- Application controls pertain directly to the transaction processing systems
- The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported
- Application controls are subdivided into input, processing, and output controls
24. Authorization Controls - I
- Authorizations enforce management's policies with respect to transactions flowing into the general ledger system
- They have the objectives of assuring that:
  - Transactions are valid and proper
  - Outputs are not incorrect due to invalid inputs
  - Assets are better protected
- Authorizations may be classified as general or specific
25. Authorization Controls - II
- A general authorization establishes the standard conditions under which transactions are approved and executed
- A specific authorization establishes criteria for particular sums, events, occurrences, etc.
- In manual and computerized batch processing systems, authorization is manifested through signatures, initials, stamps, and transaction documents
- In on-line computerized systems, authorization is usually verified by the system itself, e.g., validation of inventory pricing by code numbers in a general ledger package
26. Input Controls
- Input controls attempt to ensure the validity, accuracy, and completeness of the data entered into an AIS
- Input controls may be subdivided into:
  - Data observation and recording
  - Data transcription (batching and converting)
  - Edit tests of transaction data
  - Transmission of transaction data
27. Controls for Data Observation and Recording
- The use of pre-numbered documents
- Keeping blank forms under lock and key
- Online computer systems offer the following features:
  - Menu screens
  - Preformatted screens
  - Using scanners that read bar codes or other preprinted documents to reduce input errors
  - Using feedback mechanisms, such as a confirmation slip, to approve a transaction
  - Using echo routines
28. Data Transcription - I
- Data transcription refers to the preparation of data for computerized processing and includes:
  - Carefully structured source documents and input screens
  - Batch control totals that help prevent the loss of transactions and the erroneous posting of transaction data
  - The use of batch control logs in the batch control section
    - An amount control total totals the values in an amount or quantity field
    - A hash total totals the values in an identification field
    - A record count totals the number of source documents (transactions) in a batch
29. Data Transcription - II (Conversion of Transaction Data)
- Key verification, which consists of re-keying the data and comparing the results of the two keying operations
- Visual verification, which consists of comparing data from the original source documents against the converted data
30. Examples of Batch Control Totals
- Financial Control Total: totals up dollar amounts (e.g., total of sales invoices)
- Non-financial Control Total: computes non-dollar sums (e.g., number of hours worked by employees)
- Record Count: totals the number of source documents once when batching transactions and then again when performing the data processing
- Hash Total: a sum that is meaningless except for internal control purposes (e.g., sum of customer account numbers)
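The four batch totals from slides 28 and 30, computed at the point of origin and recomputed after conversion, as an added example that is not part of the original slides. The batch layout and the figures are constructed. The three error cases show what each total does and does not catch: a dropped record changes every total, a transposition in an account number is caught only by the hash total, and swapping two whole account numbers between records changes no total at all, which is the limit of this control.

```python
"""Batch control totals and reconciliation against the batch control log.

Added example modelled on slides 28 and 30. The record layout
(account, hours, amount) and all sample figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: int    # customer account number (identification field)
    hours: float    # non-financial quantity field
    amount: float   # dollar amount field


def batch_totals(batch):
    """Compute the four control totals over a batch of transactions."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(t.amount for t in batch), 2),
        "nonfinancial_total": round(sum(t.hours for t in batch), 2),
        "hash_total": sum(t.account for t in batch),   # meaningless sum of IDs
    }


def reconcile(control_log, batch):
    """Return {total_name: (logged, recomputed)} for every total that disagrees."""
    actual = batch_totals(batch)
    return {k: (control_log[k], actual[k]) for k in control_log if control_log[k] != actual[k]}


# Constructed batch exactly as logged by the batch control section.
ORIGINAL = [Txn(10234, 8.0, 120.50), Txn(10235, 7.5, 98.00), Txn(10240, 8.0, 75.25)]
CONTROL_LOG = batch_totals(ORIGINAL)

# Error 1: a transaction lost during conversion (every total moves).
DROPPED = ORIGINAL[:2]
# Error 2: digits transposed in one account number (only the hash total moves).
TRANSPOSED = [Txn(10234, 8.0, 120.50), Txn(10253, 7.5, 98.00), Txn(10240, 8.0, 75.25)]
# Error 3: two account numbers swapped between records (no total moves).
SWAPPED = [Txn(10235, 8.0, 120.50), Txn(10234, 7.5, 98.00), Txn(10240, 8.0, 75.25)]

if __name__ == "__main__":
    print("control log:", CONTROL_LOG)
    for name, batch in (("dropped", DROPPED), ("transposed", TRANSPOSED), ("swapped", SWAPPED)):
        print(f"{name:>10}:", reconcile(CONTROL_LOG, batch) or "no discrepancy")
```

Because the swapped case passes every batch total, the slides pair batch totals with key or visual verification (slide 29) and with record-level edit tests (slide 32); the totals are a completeness control, not an accuracy control for individual fields.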
31. Definition and Purpose of Edit Tests
- Edit tests (programmed checks) are most often validation routines built into application software
- The purpose of edit tests is to examine selected fields of input data and to reject those transactions whose data fields do not meet the pre-established standards of data quality
32. Examples of Edit Tests (Programmed Checks)
- Validity Check (e.g., a sex code must be M = male or F = female)
- Limit Check (e.g., hours worked do not exceed 40 hours)
- Reasonableness Check (e.g., an increase in salary is reasonable compared to the base salary)
- Field Check (e.g., numbers do not appear in fields reserved for words)
- Sequence Check (e.g., successive input records are in some prescribed order)
- Range Check (e.g., particular fields fall within specified ranges: pay rates for hourly employees in a firm should fall between 8 and 20)
- Relationship Check (logically related data elements are compatible: an employee rated as hourly is paid at a rate within the range of 8 to 20)
33. Transmission of Transaction Data
- When data must be transmitted from the point of origin to the processing center and data communications facilities are used, the following checks should also be considered:
  - Echo Check: transmitting the data back to the originating terminal for comparison with the data originally sent
  - Redundancy Data Check: transmitting additional data to aid in the verification process
  - Completeness Check: verifying that all required data have been entered and transmitted
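The three transmission checks from slide 33 on a small framed message, as an added example that is not part of the original slides. The redundancy data here is a CRC-32 appended to the frame (the slide does not name a particular redundancy scheme; that choice is an assumption), the completeness check is a required-field list, and the echo check compares what the receiver sends back with what was sent. The frame layout, the required fields and the line fault are constructed.

```python
"""Echo, redundancy and completeness checks on transmitted transaction data.

Added example modelled on slide 33. The frame format (JSON body, '|',
hex CRC-32), the REQUIRED field list and the sample records are
constructed assumptions; CRC-32 stands in for the unspecified
redundancy data of the slide.
"""
import json
import zlib

REQUIRED = ("txn_id", "account", "amount")   # assumed required fields


def frame(record):
    """Sender side: serialise the record and append redundancy data (CRC-32)."""
    body = json.dumps(record, sort_keys=True).encode()
    return body + b"|" + f"{zlib.crc32(body):08x}".encode()


def redundancy_check(frame_bytes):
    """Receiver side: recompute the CRC over the body and compare."""
    body, _, crc_hex = frame_bytes.rpartition(b"|")
    return zlib.crc32(body) == int(crc_hex, 16), body


def completeness_check(record):
    """Return the list of required fields that are absent or empty."""
    return [f for f in REQUIRED if record.get(f) in (None, "")]


def echo_check(sent, echoed):
    """Originating terminal compares the echoed frame with what it sent."""
    return sent == echoed


def corrupt(data, index):
    """Constructed line fault: flip the low bit of one byte in the frame."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def receive(frame_bytes):
    """Receiver pipeline: redundancy check, then completeness check."""
    ok, body = redundancy_check(frame_bytes)
    if not ok:
        return {"status": "rejected", "reason": "redundancy check failed"}
    record = json.loads(body)
    missing = completeness_check(record)
    if missing:
        return {"status": "rejected", "reason": "incomplete: " + ",".join(missing)}
    return {"status": "accepted", "record": record}


# Constructed messages.
GOOD = frame({"txn_id": "T1", "account": 10234, "amount": 120.5})
INCOMPLETE = frame({"txn_id": "T2", "account": 10235})
DAMAGED = corrupt(GOOD, 13)   # byte 13 is inside the account number digits

if __name__ == "__main__":
    print(receive(GOOD))
    print(receive(INCOMPLETE))
    print(receive(DAMAGED))
    print("echo ok:", echo_check(GOOD, GOOD), "echo after line fault:", echo_check(GOOD, DAMAGED))
```

CRC-32 detects every single-bit error and most burst errors, which is what a redundancy data check is for; it is not a protection against a deliberate change, since anyone who can alter the body can recompute the CRC. Where tampering rather than line noise is the concern, the redundancy data has to be a keyed MAC.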
34. Objectives of Processing Controls
- Processing controls help assure that data are processed accurately and completely, that no unauthorized transactions are included, that the proper files and programs are used, and that all transactions can be easily traced
- Categories of processing controls include manual cross-checks, processing logic checks, run-to-run controls, file and program checks, and audit trail linkages
35. Examples of Processing Controls
- Manual Cross-Checks: include checking the work of another employee, reconciliations, and acknowledgments
- Processing Logic Checks: many of the programmed edit checks used in the input stage, such as sequence checks and reasonableness checks (e.g., on payroll records), may also be employed during processing
36. Examples of Processing Controls (continued)
- Run-to-Run Totals: batched data should be controlled across processing runs so that no records are omitted from, or incorrectly inserted into, a transaction file between one run and the next
- File and Program Checks: to ensure that transactions are posted to the proper account, master files should be checked for correctness (e.g., by label check) and programs should be validated
- Audit Trail Linkages: a clear audit trail is needed to enable individual transactions to be traced, to provide support for general ledger balances, to prepare financial reports, and to correct transaction errors or lost data
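Run-to-run totals and audit trail linkage from slide 36 in a two-run batch pipeline, as an added example that is not part of the original slides. The edit run writes a trailer control record (count and amount total) to the transaction file; the update run refuses to post unless its input reproduces that trailer, and then writes an audit trail entry per posting that links the transaction to the account and its before/after balance. The master file label check stands in for the file check. The file layout, the label and the sample data are constructed.

```python
"""Run-to-run totals, master file label check and audit trail linkage.

Added example modelled on slide 36. The trailer layout, the master
file label and the sample transactions are constructed assumptions.
"""
from dataclasses import dataclass

MASTER_LABEL = "AR_MASTER"   # assumed label the update run expects to find


@dataclass(frozen=True)
class Trailer:
    run: str
    record_count: int
    amount_total: float


def totals(transactions):
    return len(transactions), round(sum(t["amount"] for t in transactions), 2)


def run_edit(transactions):
    """Run 1: keep transactions that pass the edit, write the trailer."""
    accepted = [t for t in transactions if t["amount"] > 0]
    count, total = totals(accepted)
    return accepted, Trailer("edit", count, total)


def run_update(transactions, trailer, master):
    """Run 2: verify label and run-to-run totals, post, and write the audit trail."""
    if master.get("_label") != MASTER_LABEL:                     # file check
        raise ValueError(f"wrong master file: {master.get('_label')!r}")
    count, total = totals(transactions)
    if (count, total) != (trailer.record_count, trailer.amount_total):   # run-to-run
        raise ValueError(
            f"run-to-run mismatch: got {count}/{total}, "
            f"expected {trailer.record_count}/{trailer.amount_total} from {trailer.run}"
        )
    posted = dict(master)
    audit = []
    for t in transactions:
        before = posted[t["account"]]
        posted[t["account"]] = round(before + t["amount"], 2)
        audit.append({"txn_id": t["id"], "account": t["account"],
                      "before": before, "after": posted[t["account"]], "run": "update"})
    return posted, audit, Trailer("update", count, total)


def trace(audit, txn_id):
    """Audit trail linkage: find every posting made for one transaction."""
    return [entry for entry in audit if entry["txn_id"] == txn_id]


# Constructed transaction file and master file.
TXNS = [
    {"id": "T1", "account": "A100", "amount": 120.50},
    {"id": "T2", "account": "A200", "amount": 98.00},
    {"id": "T3", "account": "A100", "amount": -5.00},   # fails the edit run
]
MASTER = {"_label": MASTER_LABEL, "A100": 1000.00, "A200": 500.00}

if __name__ == "__main__":
    accepted, trailer = run_edit(TXNS)
    master, audit, _ = run_update(accepted, trailer, MASTER)
    print(trailer, master, trace(audit, "T1"))
    try:
        run_update(accepted[:1], trailer, MASTER)   # one record lost between runs
    except ValueError as e:
        print("caught:", e)
```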
37. Output Controls
- Outputs should be complete and reliable and should be distributed to the proper recipients
- Two major types of output controls are:
  - Validating processing results
  - Regulating the distribution and use of printed output
38. Validating/Reviewing Processing Results
- Activity (or proof account) listings document processing activity and reflect changes made to master files
- Because of the high volume of transactions, large companies may elect to review exception reports that highlight material changes in master files
39. Regulating/Controlling Distribution of Printed Output
- Reports should only be distributed to appropriate users by reference to an authorized distribution list
- Sensitive reports should be shredded after use rather than discarded
40. Application Controls Arranged by Two Classification Plans (figure)