Title: Controlling
1. Controlling Information Systems: Business Process Controls
2. Learning Objectives
- Understand steps in control framework
- Know how to prepare control matrix
- Comprehend the generic business process control plans introduced in this chapter
- Be able to describe how the business process controls accomplish control goals
- Appreciate the importance of controls to organizations with enterprise systems
- Appreciate the importance of controls to organizations engaging in e-Business
3. Process Controls: Hub of the AIS Wheel
- In this chapter, we spotlight one layer of controls, process controls, as indicated by the AIS Wheel.
- First, you will learn how to assess the nature and extent of process control goals by decomposing them into operations process goals and information process goals.
- Further, operations process goals are subdivided into effectiveness, efficiency, and security goals, and information process goals are split into input and update goals.
- For each category of control goals, you will recommend effective control plans.
- When control goals and plans are combined, you will understand how to develop the control matrix, which will serve as the basis for evaluating process controls in later chapters.
4. The Control Matrix
- The control matrix is a tool designed to assist you in analyzing a systems flowchart and related narrative.
- It establishes the criteria to be used in evaluating the controls in a particular business process.
5. Sample Control Matrix
6. Steps in Preparing Control Matrix
- Specifying control goals represents the first step in building a control matrix. The goals are listed across the top row of the matrix.
- Identify the operations process goals
  - Effectiveness goals
  - Efficiency goals
  - Security goals
- Identify information process goals
  - Input goals
  - Update goals
7. Operations Process Goals
- Effectiveness Goal
  - Ensure the successful accomplishment of the goals set forth for the business process
  - Labeled A - zzz
- Efficiency Goal
  - To ensure that all resources used throughout the business process are being employed in the most productive manner
  - Parenthetically (list resources for which efficiency is applicable)
  - People and computers always, others depending on process/goal
- Security Goal
  - To ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse.
  - Parenthetically (list resources needed to be secured)
8. Information Process Goals
- Input Goals
  - Ensure input validity (IV)
  - Ensure input completeness (IC) and
  - Ensure input accuracy (IA)
  - Name the Input data ()
- Update Goals
  - Ensure update completeness (UC) and
  - Ensure update accuracy (UA)
  - Name the Update data ()
9. Steps in Preparing the Control Matrix
- Recommending Control Plans
- Annotating Present Control Plans
- Evaluating Present Control Plans
- Identifying and Evaluating Missing Control Plans
10. Causeway Annotated Systems Flowchart
11. Annotating Present Control Plans
- Start on the upper left-hand column of the systems flowchart and spot the first manual keying symbol, manual process symbol, or computer process symbol (process-related symbols).
- Then, follow the sequential logic of the systems flowchart and identify all of the process-related symbols.
- Each process-related symbol reflects an internal control plan which is already present.
- It is important to recognize that while a control plan may be present, it may not be working as effectively as it should; thus, you might recommend ways to strengthen or augment existing control plans.
12. Annotate the Process Flow Chart
- Review the flowchart and determine whether a control is present (P-) or missing (M-)
- Annotate the flowchart
  - If controls are present, mark P-
  - If controls are absent, mark M-
13. Annotating Present Control Plans
- Reviewing the Causeway systems flowchart (Figure 9.2), you will find that the first process-related symbol is entitled "Endorse checks."
- Because this process appears on the flowchart, this control plan already exists, meaning it is present as opposed to missing.
- Accordingly, place a P- beside the process, indicating that it is present, and a 1 beside the P-, reflecting the first present control plan on the flowchart.
- As a result, you should have annotated the systems flowchart with a P-1.
14. Annotating Present Control Plans
- Continue reviewing the systems flowchart by following its sequential logic, annotating the flowchart with P-2, P-3, and so on until you have accounted for all present control plans.
- Notice on the flowchart (Figure 9.2) that nine control plans (P-1 through P-9) are already present at Causeway.
15. Evaluating Present Control Plans
- Write the number (P-1, P-2, P-3 through P-n) and name of each control plan in the left-hand column of the control matrix.
- Then, starting with P-1, look across the row and determine which control goals the plan addresses and place a P-1 in each cell of the matrix for which P-1 is applicable.
- It is possible that a given control plan can attend to more than one control goal.
- Continue this procedure for each of the present control plans.
- Simultaneously, in the legend of the matrix, describe how the control plan addresses each noted control goal.
16. Causeway Annotated Systems Flowchart
17. Identifying and Evaluating Missing Control Plans
- The next step in recommending control plans is to determine if additional controls are needed to address missing control goal areas, strengthen present control plans, or both.
18. Identifying and Evaluating Missing Control Plans
- Examining the control matrix: the first place to start is to look at the control matrix and see if there are any control goals (operations or information) that no present control plan addresses.
- If so, you need to do the following:
  - i. In the left-hand column of the matrix, number the first missing control plan as M-1 and label or title the plan.
  - ii. Across the matrix row, place M-1 in each cell for which the missing control is designed.
  - iii. In the legend of the matrix, explain how the missing control will address each noted control goal.
  - iv. On the systems flowchart, annotate M-1 where the control should be inserted.
- If there are still control goals that no control plan has addressed, develop another plan (M-2) and repeat the four previous steps (i through iv). Continue this procedure until each control goal on the matrix is addressed by at least one control plan.
- With regard to Causeway, we have noted two missing control plans in the sample control matrix for the Cash Receipts Business Process: M-1 and M-2, although more might exist.
19. Evaluating the systems flowchart
- Even though all of the control goals on the matrix are now addressed, closely review the systems flowchart one more time.
- Look for areas where further controls are needed.
- Even when all control goals on the matrix have one or more associated control plans, we might have to add more control plans or strengthen existing plans to reduce residual risk to an acceptable level in certain areas.
- It takes training and experience to spot risks and weaknesses of this nature.
- In Chapters 10 through 16 you will learn more about how to make such critical internal control assessments.
20. Sample Control Plans for Data Input
- Processing input data without access to master data
- Processing input data with access to master data
- Batch input
21. Processing input data without access to master data
- Because systems without master data require manual keying of data (an error-prone process), special controls are necessary to ensure control goals are met
- Entry without master data implies that a database does not exist or is unavailable to verify data
- This makes controls over entry of data more important
22. Data Entry Without Master Data
23. Available Control Plans for Data Input
- Note that the first process-related symbol appears as "key document" in the first column (data entry clerk 1).
- P-1 Document Design: source document is designed to be easy to complete and key
- P-2 Written Approvals: signature or initials indicating approval of event processing
- P-3 Preformatted Screens: defines acceptable format for each data field (e.g., 9 numeric characters for SSN)
- P-4 Online Prompting: requests user input or asks questions, e.g., message box
24. Available Control Plans for Data Input, Cont'd.
- The next process-related symbol (edit input) appears in the second column (data entry devices).
- P-5 Programmed Edit Checks
  - Automatically performed by data entry programs upon entry of data
  - Reasonableness checks (limit checks): test input for values within predetermined limits
  - Document/record hash totals: compare computer total to manually calculated total
  - Mathematical accuracy checks: compare calculations performed manually to computer calculations, e.g., compare the manually entered invoice total to the computer-calculated total
  - Check digit verification: a functionally dependent extra digit is appended to a number; if miskeying occurs, a check digit mismatch occurs and the system rejects the input
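
The four programmed edit checks listed under P-5, applied to one keyed invoice, as an added example that is not part of the original slides. It assumes the Luhn (mod 10) scheme for the check digit, since the slides do not name one; the field names and both sample invoices are constructed.

```python
from decimal import Decimal

def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn (mod 10) test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting at the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def check_digit_ok(number: str) -> bool:
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])

def edit_invoice(inv: dict, qty_limits=(1, 500)) -> list:
    """Run the programmed edits; return (code, detail) rejections, empty if accepted."""
    rejections = []
    # Check digit verification on the keyed customer number.
    if not check_digit_ok(inv["customer_no"]):
        rejections.append(("CHECK_DIGIT", inv["customer_no"]))
    # Reasonableness (limit) check on each keyed quantity.
    lo, hi = qty_limits
    for n, line in enumerate(inv["lines"], start=1):
        if not lo <= line["qty"] <= hi:
            rejections.append(("LIMIT", f"line {n} qty {line['qty']}"))
    # Mathematical accuracy: recompute the total and compare with the keyed one.
    computed = sum(line["qty"] * Decimal(line["unit_price"]) for line in inv["lines"])
    if computed != Decimal(inv["keyed_total"]):
        rejections.append(("MATH", f"computed {computed}, keyed {inv['keyed_total']}"))
    # Document/record hash total: sum of item numbers vs. the manual total.
    hash_total = sum(int(line["item_no"]) for line in inv["lines"])
    if hash_total != inv["manual_hash_total"]:
        rejections.append(("HASH", f"computed {hash_total}, manual {inv['manual_hash_total']}"))
    return rejections

# Constructed sample input: the source document keyed correctly ...
GOOD = {"customer_no": "79927398713", "keyed_total": "104.97", "manual_hash_total": 3003,
        "lines": [{"item_no": "1001", "qty": 3, "unit_price": "19.99"},
                  {"item_no": "2002", "qty": 10, "unit_price": "4.50"}]}
# ... and the same document with two digits of the customer number transposed,
# an item number miskeyed and two extra zeros on a quantity.
BAD = {"customer_no": "79927389713", "keyed_total": "104.97", "manual_hash_total": 3003,
       "lines": [{"item_no": "1001", "qty": 3, "unit_price": "19.99"},
                 {"item_no": "2020", "qty": 1000, "unit_price": "4.50"}]}

if __name__ == "__main__":
    print("good:", edit_invoice(GOOD))
    for code, detail in edit_invoice(BAD):
        print("rejected:", code, detail)
```
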
25. Available Control Plans for Data Input
- P-6 Procedures for rejected input: rejected inputs are corrected and resubmitted for processing
- P-7 Keying corrections: clerk corrects inputs
- P-8 Interactive feedback checks: computer informs clerk that input has been accepted/rejected
- P-9 Record input: record is recorded in transaction data rather than being re-keyed at another time
- M-1 Key verification: data is keyed by two different individuals then compared by the computer
26. Control Matrix w/o Master Data
27. Control Plans for Data Entry With Master Data
- When standing (master) data is present, data entered can be verified against existing data, providing additional data-entry controls
- Data entry with master data implies the presence of an existing database populated with data
- Data in the database is used to populate entry forms or is compared to data entered
- If we have available the actual customer master data, we can use the customer number to call up the stored customer master data and determine if the customer number has been entered correctly, if the customer exists, the customer's correct address, and so forth.
- In the next section we describe the additional controls available to us when master data is available during data entry.
28. Systems Flowchart Data Entry With Master Data
29. Recommended Control Plans with Master Data
- P-1 Enter data close to originating source
  - Input data is entered directly and immediately: it reduces input costs, inputs are less likely to be lost, and errors are less likely and can be more easily corrected
  - Online transaction entry (OLTE), online real-time processing (OLRT), and online transaction processing (OLTP) are all examples of this processing strategy.
- P-2 Digital signatures
  - Authenticate that the sender of the message has the authority to send it and detect messages that have been altered in transit
  - An application of public key cryptography involving the use of a private encryption key to sign the data transmitted
30. Recommended Control Plans with Master Data
- P-3 Populate input with master data
  - User enters an entity's ID code and the system then retrieves certain data about that entity from existing master data.
  - User might be prompted to enter the customer ID (code).
  - By accessing the customer master data, the system automatically provides data such as the customer's name and address, the salesperson's name, and the sales terms.
  - This reduces the number of keystrokes required, making data entry quicker, more accurate, and more efficient.
  - Therefore, the system automatically populates input fields with existing data
31. Recommended Control Plans with Master Data
- P-4 Compare input data with master data: the system compares inputs with standing (master) data to ensure their accuracy and validity
  - Input/master data dependency checks
    - These edits test whether the contents of two or more data elements or fields on an event description bear the correct logical relationship.
    - For example, input sales events can be tested to determine whether the salesperson works in the customer's territory.
    - If these two items don't match, there is some evidence that the customer number or the salesperson identification was input erroneously.
  - Input/master data validity and accuracy checks
    - These edits test whether master data supports the validity and accuracy of the input. For example, this edit might prevent the input of a shipment when no record of a corresponding customer order exists.
    - If no match is made, we may have input some data incorrectly, or the shipment might simply be invalid.
    - We might also compare elements within the input and master data.
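
Plans P-3 and P-4 as an added example that is not part of the original slides: the entry form is populated from the customer master data, the salesperson/territory dependency is tested, and a keyed shipment is rejected when no corresponding customer order exists. All master records, IDs and field names are constructed.

```python
# Constructed master data (hypothetical customers, salespeople and open orders).
CUSTOMERS = {
    "C100": {"name": "Acme Supply", "address": "12 Dock St",
             "territory": "EAST", "terms": "2/10 n/30"},
    "C200": {"name": "Birch & Co", "address": "9 Mill Rd",
             "territory": "WEST", "terms": "n/30"},
}
SALESPEOPLE = {"S1": {"name": "Lee", "territory": "EAST"},
               "S2": {"name": "Ortiz", "territory": "WEST"}}
OPEN_ORDERS = {"SO-501": {"customer_no": "C100", "item_no": "1001", "qty": 20}}

def enter_sale(customer_no, salesperson_id):
    """Populate the form from master data (P-3), then run the dependency check (P-4)."""
    cust = CUSTOMERS.get(customer_no)
    rep = SALESPEOPLE.get(salesperson_id)
    if cust is None:
        return None, ["customer not on master data"]
    if rep is None:
        return None, ["salesperson not on master data"]
    # The clerk keyed two codes; everything else comes from standing data.
    form = {"customer_no": customer_no, "name": cust["name"],
            "address": cust["address"], "terms": cust["terms"],
            "salesperson": rep["name"]}
    errors = []
    # Dependency check: the two keyed codes must bear the right logical relationship.
    if rep["territory"] != cust["territory"]:
        errors.append("salesperson does not work in customer's territory")
    return form, errors

def edit_shipment(shipment):
    """Validity and accuracy check of a keyed shipment against the open order."""
    order = OPEN_ORDERS.get(shipment["order_no"])
    if order is None:
        # No supporting master record: miskeyed order number or an invalid shipment.
        return ["no corresponding customer order"]
    errors = []
    # Compare elements within the input and the master data.
    for field in ("customer_no", "item_no"):
        if shipment[field] != order[field]:
            errors.append(f"{field} differs from order")
    if shipment["qty"] > order["qty"]:
        errors.append("quantity shipped exceeds quantity ordered")
    return errors

if __name__ == "__main__":
    print(enter_sale("C100", "S1"))
    print(enter_sale("C100", "S2"))
    print(edit_shipment({"order_no": "SO-999", "customer_no": "C100",
                         "item_no": "1001", "qty": 5}))
```
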
32. Recommended Control Plans with Master Data
- P-5 Procedures for rejected inputs
  - After processing the input, the user compares the input with the master data to determine whether the input either is acceptable or contains errors, and ensures that any errors are corrected and resubmitted
- P-6 Key Corrections
  - The clerk completes the procedures for rejected inputs by keying the corrections into the computer, thus ensuring that the input is accurate.
- P-7 Record Input
  - Once all necessary corrections are made, the user accepts the input.
  - This action triggers the computer to simultaneously record the input in the transaction file and inform the user that the input data has been accepted.
- P-8 Interactive Feedback Checks
  - These interactive programmed features inform the user that the input has been accepted and recorded or rejected for processing.
33. Control Matrix Data Entry with Master Data
34. Data Entry with Batches
- Data entry with batches involves collecting inputs into work units called batches; batched inputs are then keyed into the system as a batch
- Implies some delay between the economic event and its reflection in the system
- Allows for controls focusing on the batch, e.g., batch control totals (hash or other totals from batch)
- Batch entry is often followed by an exception and summary report
35. Data Entry With Batches
36. Batch Control Plans
- Batch control plans, to be effective, should ensure that
  - All documents are included in batch
  - All batches are submitted for processing
  - All batches are accepted by computer
  - All differences are disclosed, investigated and corrected on a timely basis
37. Batch Control Plans
- Batch control procedures start by grouping event data and calculating totals for the group. Several different types of batch control totals can be calculated:
- Document/record counts are simple counts of the number of documents entered in a batch
  - This procedure represents the minimum level required to control input completeness.
  - Because one document could be intentionally replaced with another, this control is not effective for ensuring input validity and says nothing about input accuracy.
- Item or line counts
  - Count the number of items or lines entered, such as a count of the number of invoices being paid by all the customer remittances.
  - By reducing the possibility that line items or entire documents could be added to the batch or not be input, this control improves input validity, completeness, and accuracy.
  - Remember, a missing event record is a completeness error and a data set missing from an event record is an accuracy error.
- Dollar totals
  - Sum of dollar value of items in batch
  - By reducing the possibility that entire documents could be added to or lost from the batch or that dollar amounts were incorrectly input, this control improves input validity, completeness, and accuracy.
- Hash totals
  - Are a summation of any numeric data existing for all documents in the batch, such as a total of customer numbers or invoice numbers in the case of remittance advices.
  - Unlike dollar totals, hash totals normally serve no purpose other than control.
  - Hash totals can be a powerful batch control because they can determine if inputs have been altered, added, or deleted.
  - These batch hash totals operate for a batch in a manner similar to the operation of document/record hash totals for individual inputs.
38. P-1 Receive turnaround documents
- Turnaround documents are used to capture and input a subsequent event.
- Picking tickets, inventory count cards, remittance advice stubs attached to customer invoices, and payroll time cards are all examples of turnaround documents.
- For example, we have seen picking tickets that are printed by the computer, used to pick the goods, and sent to shipping where the bar code on the picking ticket is scanned to trigger the recording of the shipment.
39. P-2 Calculate batch totals
- Calculation of batch totals ensures that the data input arises from legitimate events (input validity) and that all events in the batch are captured (input completeness).
- However, batch totals in isolation do not necessarily ensure input accuracy; that takes place in the reconciliation, which is discussed in P-4.
40. P-3 Record picking tickets
- The picking tickets are automatically scanned into the computer using a bar code.
- This process stores the accurate, valid input data onto digital media for subsequent updating in a timely manner with minimal use of resources.
- The automatic calculation of the batch totals will ensure an efficient and effective subsequent reconciliation of the inputs.
41. P-4 Manually Reconcile Batch Totals
- The manual reconciliation of batch totals control plan operates in the following manner:
  - a. First, one or more of the batch totals are established manually.
  - b. As individual event descriptions are scanned, the data entry program accumulates independent batch totals.
  - c. The computer produces reports (or displays) with the relevant control totals that must be manually reconciled to the totals established prior to the particular process.
  - d. The person who reconciles the batch total must determine why the totals do not agree and make corrections as necessary to ensure the integrity of the input data.
42. P-5 Record Shipments
- Picking ticket data and accounts receivable master data are used to record shipments, which in turn updates the sales transaction data.
- Automatic recording stores the accurate, valid input data onto digital media in a timely manner with minimal use of resources.
43. P-6 Reconcile input and output batch totals (agreement of run-to-run totals)
- This is a variation of the agreement of batch totals controls.
- With agreement of run-to-run totals, totals prepared before a computer process has begun are compared, manually or by the computer, to totals prepared at the completion of the computer process.
- These post-process controls are often found on an error and summary report.
- When totals agree, we have evidence that the input and the update took place correctly.
- This control is especially useful when there are several intermediate steps between the beginning and the end of the process and we want to be assured of the integrity of each process.
44. P-7 Compare picking tickets (from a tickler file) and packing slips (one-for-one checking)
- This has two purposes
  - One is to ensure that all picking tickets are linked to an associated packing slip.
  - The other is to ensure that all items on related picking tickets and packing slips match.
- We regularly review a tickler file to clear items from that file.
- Tickler files may be digitized, reflecting events that need to be completed, such as open sales orders, open purchase orders, and so forth.
- Should tickler file documents remain in the file too long, the person or computer monitoring the file will determine the nature and extent of the delay.
- Picking tickets are compared to their associated packing slips using one-for-one checking to determine that they agree.
- Differences may indicate errors in input or update.
- This procedure provides us detail as to what is incorrect within a batch.
- Being very expensive to perform, one-for-one checking should be reserved for low-volume, high-value events.
45. M-1 Automated Sequence Checks
- Whenever documents are numbered sequentially, a sequence check can be automatically applied to those documents.
- Batch sequence checks work best when we can control the input process and the serial numbers of the input data, such as payroll checks.
- In a batch sequence check, the event data within a batch are checked as follows:
  - a. The range of serial numbers constituting the batch is entered.
  - b. Each individual, serially pre-numbered event data is entered.
  - c. The computer program sorts the event data into numerical order, checks the documents against the sequence number range, and reports missing, duplicate, and out-of-range event data.
- Cumulative sequence check provides input control when the serial numbers are not entered in sequence (i.e., picking tickets might contain broken sets of numbers).
- Matching of individual event data (picking tickets) is made to a file that contains all document numbers (all sales order numbers).
- Periodically, reports of missing numbers are produced for manual follow-up.
- Reconciling a checkbook is another example of a situation where the check numbers are issued in sequence.
- However, the bank statement we receive may not contain a complete sequence of checks.
- Our check register assists us in performing a cumulative sequence check to make sure that all checks are eventually cleared.
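
Both sequence checks described above, as an added example that is not part of the original slides: a batch sequence check following steps a through c, and a cumulative sequence check modelled on the checkbook case. The serial numbers, check numbers and class name are constructed.

```python
from collections import Counter

def batch_sequence_check(first, last, keyed):
    """Steps a-c: check keyed serial numbers against the batch's declared range."""
    expected = range(first, last + 1)
    counts = Counter(keyed)
    return {
        "missing": [n for n in expected if n not in counts],
        "duplicate": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if n not in expected),
    }

class CumulativeSequenceCheck:
    """Match numbers arriving out of order against a file of all issued numbers."""

    def __init__(self, issued):
        self.outstanding = set(issued)  # issued but not yet seen
        self.cleared = set()            # issued and already matched

    def post(self, numbers):
        """Match one delivery (e.g. a bank statement); return its exceptions."""
        exceptions = []
        for n in numbers:
            if n in self.outstanding:
                self.outstanding.remove(n)
                self.cleared.add(n)
            elif n in self.cleared:
                exceptions.append((n, "duplicate"))
            else:
                exceptions.append((n, "not issued"))
        return exceptions

    def missing_report(self):
        """Periodic report of numbers still outstanding, for manual follow-up."""
        return sorted(self.outstanding)

if __name__ == "__main__":
    # Constructed batch: payroll checks 5001-5008 keyed out of order,
    # 5005 keyed twice, 5004 and 5007 never keyed, 5012 from another batch.
    print(batch_sequence_check(5001, 5008,
                               [5003, 5001, 5002, 5005, 5005, 5008, 5012, 5006]))
    # Constructed check register: checks 101-110 issued, two statements received.
    register = CumulativeSequenceCheck(range(101, 111))
    print(register.post([104, 101, 107, 102]))
    print(register.post([103, 107, 999, 105]))
    print(register.missing_report())
```
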
46. M-2 Computer Agreement of Batch Totals
- This control plan does not exist in Figure 9.7 and therefore is shown as a missing plan.
- The computer agreement of batch totals plan is pictured in Figure 9.9 and works in the following manner:
  - a. First, one or more of the batch totals are established manually (i.e., in the user department in Figure 9.9).
  - b. Then, the manually prepared total is entered into the computer and is written to the computer batch control totals data.
  - c. As individual event descriptions are entered, a computer program accumulates independent batch totals and compares these totals to the ones prepared manually and entered at the start of the processing.
  - d. The computer prepares a report, which usually contains details of each batch, together with an indication of whether the totals agreed or disagreed.
- Batches that do not balance are normally rejected, and discrepancies are manually investigated and included in a summary report
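
The four batch control totals from the Batch Control Plans slide, run through the computer agreement of batch totals in steps a through d, as an added example that is not part of the original slides. The remittance advices, customer numbers and manually established totals are constructed; the hash total is assumed to be the sum of customer numbers.

```python
from decimal import Decimal

def batch_totals(docs):
    """Accumulate the batch control totals for a batch of remittance advices."""
    return {
        "record_count": len(docs),
        "line_count": sum(len(d["invoices"]) for d in docs),
        "dollar_total": sum((Decimal(amount) for d in docs
                             for _, amount in d["invoices"]), Decimal("0")),
        "hash_total": sum(d["customer_no"] for d in docs),
    }

def computer_agreement(manual_totals, keyed_docs):
    """Steps c-d: compare computed totals with the manual ones and report."""
    computed = batch_totals(keyed_docs)
    agreed = {name: computed[name] == manual_totals[name] for name in manual_totals}
    # A batch that does not balance on every total is rejected.
    return {"computed": computed, "agreed": agreed, "accepted": all(agreed.values())}

# Steps a-b: totals established manually in the user department and entered first.
MANUAL_TOTALS = {"record_count": 3, "line_count": 5,
                 "dollar_total": Decimal("726.00"), "hash_total": 6629}

# Constructed batch as prepared: customer number plus (invoice, amount) pairs.
PREPARED = [
    {"customer_no": 1042, "invoices": [("INV-7001", "120.00"), ("INV-7002", "80.00")]},
    {"customer_no": 2210, "invoices": [("INV-7010", "450.25")]},
    {"customer_no": 3377, "invoices": [("INV-7015", "60.00"), ("INV-7016", "15.75")]},
]
# One document replaced by another with the same line count and amount:
# counts and dollars still balance, only the hash total exposes it.
SUBSTITUTED = [PREPARED[0],
               {"customer_no": 2201, "invoices": [("INV-7010", "450.25")]},
               PREPARED[2]]
# Last document never keyed: every total disagrees.
DROPPED = PREPARED[:2]

if __name__ == "__main__":
    for name, batch in [("prepared", PREPARED), ("substituted", SUBSTITUTED),
                        ("dropped", DROPPED)]:
        report = computer_agreement(MANUAL_TOTALS, batch)
        print(name, "accepted" if report["accepted"] else "rejected", report["agreed"])
```
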
47. Computer Agreement of Batch Total Control Plan
48. Control Matrix Data Entry with Batches