PowerPoint Presentation by Charlie Cook Copyright © 2004 South-Western. All rights reserved. Chapter 9 Controlling Information Systems: Process Controls.



Learning Objectives
- To be able to prepare a control matrix
- To describe the generic process control plans introduced in this chapter
- To describe how these process controls accomplish control goals
- To describe why these generic process controls are important to organizations with enterprise systems and those that are engaged in e-business

FIGURE 9.1: Elements of the Control Matrix

FIGURE 9.2: Causeway Company Annotated Systems Flowchart

Steps in Preparing the Control Matrix
- Review system flowchart and related narrative
  - Identify business process
  - Important resources
  - Input, output, storage
  - Master data being updated
- List goals germane to process
- List set of recommended control plans

Steps in Preparing the Control Matrix (cont’d)
- Examine flowchart and narrative
  - For implemented control plan, enter “P-x”
  - For missing control plan, enter “M-x”
- At bottom of control matrix
  - Provide short statement about how each existing control plan satisfies related control goal.
  - Provide statement about the significance of each missing control plan.

FIGURE 9.3: Systems Flowchart, Data Entry Without Master Data Available

FIGURE 9.4: Control Matrix for Data Entry Without Master Data
KEY:
Possible operations process goals include:
- A = To ensure timely processing of (blank) event data
- B = (describe)
- IV = input validity
- IC = input completeness
- IA = input accuracy
- UC = update completeness
- UA = update accuracy

Online Processing Control Plans
- P-1: Document design
  - Source document is designed in such a way that makes it easier to prepare initially and later to input data from the document.
- P-2: Written approvals
  - Requiring a signature or initials on a document to indicate that a person has authorized the event.

Online Processing Control Plans (cont.)
- P-3: Preformatted screens
  - Help guide entry of data.
  - May fix length of fields, “case” of field entered.
  - Cursor moves to fields.
- P-4: Online prompting
  - Program prompts user to work in sequence and asks questions that control operations.

Online Processing Control Plans (cont.)
- P-5: Programmed edit checks
  - Automatically performed when data entered.
  - Reasonableness (limit checks): tests whether data fall within predetermined limits (e.g., < $5,000/week pay).
  - Dependency: logic of data entered to other data entered.
  - Math accuracy: does math independently; checks user’s calculations.

Online Processing Control Plans (cont’d)
- P-5: Programmed edit checks (cont’d)
  - Format checks: tests format on input
  - Missing data
  - Alpha in alpha fields; numbers in numeric fields
  - Input field proper size
  - Input field within set range (example: customer gender)
- P-6: Interactive feedback checks
  - Feedback to user that entry is accepted/rejected.
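
The programmed edit checks (P-5) and the accept/reject feedback (P-6) listed above, sketched as an added example that is not part of the original slides. The payroll field names, the 6-digit employee ID, the H/S pay-type codes and the 40-hour rule for salaried staff are assumptions chosen for illustration; only the $5,000/week limit comes from the slide.

```python
import re

# Constructed field rules for a hypothetical weekly payroll entry screen.
# All values arrive as strings, exactly as keyed by the clerk.
WEEKLY_PAY_LIMIT = 5000.00   # reasonableness limit quoted on the slide
REQUIRED = ("employee_id", "name", "pay_type", "hours", "rate", "gross_pay")
PAY_TYPES = {"H", "S"}       # assumed set range: hourly or salaried

def edit_check(rec):
    """Run the programmed edit checks on one keyed record; return error list."""
    # Format check: missing data (stop here, later checks need every field)
    missing = [f for f in REQUIRED if str(rec.get(f, "")).strip() == ""]
    if missing:
        return [f"missing data: {f}" for f in missing]
    errors = []
    # Format checks: numeric vs. alpha content and field size
    if not re.fullmatch(r"\d{6}", rec["employee_id"]):
        errors.append("employee_id must be exactly 6 digits")
    if not re.fullmatch(r"[A-Za-z .'-]{1,30}", rec["name"]):
        errors.append("name must be alphabetic, at most 30 characters")
    # Format check: value within a set range
    if rec["pay_type"] not in PAY_TYPES:
        errors.append("pay_type must be H or S")
    try:
        hours, rate, gross = (float(rec[f]) for f in ("hours", "rate", "gross_pay"))
    except ValueError:
        return errors + ["hours, rate and gross_pay must be numeric"]
    # Reasonableness (limit) check
    if not 0 < gross < WEEKLY_PAY_LIMIT:
        errors.append(f"gross_pay outside limit (0, {WEEKLY_PAY_LIMIT:.2f})")
    # Dependency check: the hours allowed depend on the pay type entered
    if rec["pay_type"] == "S" and hours != 40:
        errors.append("salaried employees must be entered with 40 hours")
    # Math accuracy: recompute independently of the user's calculation
    if abs(round(hours * rate, 2) - gross) > 0.005:
        errors.append(f"gross_pay {gross:.2f} != hours*rate {hours * rate:.2f}")
    return errors

def enter(rec):
    """Interactive feedback check: report whether the entry was accepted."""
    errors = edit_check(rec)
    return ("REJECTED", errors) if errors else ("ACCEPTED", [])

# Constructed sample record that passes every check.
GOOD = {"employee_id": "004217", "name": "Dana Reyes", "pay_type": "H",
        "hours": "40", "rate": "25.50", "gross_pay": "1020.00"}
```
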

Online Processing Control Plans (cont’d)
- M-1: Key verification
  - Documents keyed by one individual and rekeyed by another individual.
  - Very expensive technique
- P-7: Procedures for rejected inputs
  - Designed to ensure that rejected data (not accepted for processing) are corrected and resubmitted for processing.

FIGURE 9.5: Systems Flowchart, Data Entry with Master Data Available

FIGURE 9.6: Control Matrix for Data Entry with Master Data
Key:
- IV = Input validity
- IC = Input completeness
- IA = Input accuracy
- UC = Update completeness
- UA = Update accuracy
Operations process. Possible operations include:
- A = Ensure timely processing of order event data
- B = (describe)

FIGURE 9.7: Systems Flowchart, Data Entry with Batches

FIGURE 9.8: Control Matrix for Data Entry with Batches
KEY:
Possible operations process goals include:
- A = To ensure timely processing of shipping event data
- B = (describe)
- IV = input validity
- IC = input completeness
- IA = input accuracy
- UC = update completeness
- UA = update accuracy

Control Plans: Batch
- Calculate batch totals
  - Document/record counts
  - Item or line counts
  - Dollar totals
  - Hash totals: total of fields not normally totaled
  - Example: invoices, parts, and social security numbers.
- Computer agreement of batch totals
  - Batch total calculated manually and entered with batch.
  - Computer accumulates batch total during processing.
  - Computer generates report comparing totals.

Control Plans: Batch (cont.)
- Manual agreement of batch totals
  - Similar to above except manually calculated batch totals not submitted to computer.
  - Computer produces report with batch total.
  - Person compares two and takes appropriate action.
- Sequence checks
  - Controlling sequentially numbered documents
  - Accounting for all numbers in sequence to find missing documents.
  - Applies to sequentially numbered batches of documents to ensure they are in order.
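
Computer agreement of batch totals and the sequence check, as an added example that is not part of the original slides. The record layout, the invoice numbers and the amounts are constructed for illustration; the hash total here sums invoice numbers, one of the fields "not normally totaled".

```python
from decimal import Decimal

def batch_totals(records):
    """Accumulate the control totals the computer builds while processing."""
    return {
        "record_count": len(records),
        "line_count": sum(r["lines"] for r in records),
        "dollar_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: sum of a field that has no business meaning as a total
        "hash_total": sum(r["invoice_no"] for r in records),
    }

def agree_batch(header, records):
    """Compare the manually prepared header totals with the computed totals.

    Returns {total_name: (manual, computed)} for every total that disagrees;
    an empty dict means the batch agrees and can be released for update.
    """
    computed = batch_totals(records)
    return {k: (header[k], computed[k]) for k in computed if header[k] != computed[k]}

def sequence_check(records, first, last):
    """Account for every document number in first..last."""
    seen = [r["invoice_no"] for r in records]
    missing = sorted(set(range(first, last + 1)) - set(seen))
    duplicates = sorted({n for n in seen if seen.count(n) > 1})
    return missing, duplicates

# Constructed sample. The clerk's batch header covers invoices 1001-1005.
# During keying, invoice 1003 was skipped and the amount on invoice 1004
# was transposed (81.45 keyed instead of 84.15).
HEADER = {"record_count": 5, "line_count": 11,
          "dollar_total": Decimal("1262.40"), "hash_total": 5015}
KEYED = [
    {"invoice_no": 1001, "lines": 2, "amount": "310.00"},
    {"invoice_no": 1002, "lines": 3, "amount": "455.25"},
    {"invoice_no": 1004, "lines": 1, "amount": "81.45"},
    {"invoice_no": 1005, "lines": 3, "amount": "203.00"},
]

if __name__ == "__main__":
    for name, (manual, computed) in agree_batch(HEADER, KEYED).items():
        print(f"{name}: manual={manual} computed={computed}")
    print("missing, duplicates:", sequence_check(KEYED, 1001, 1005))
```

The record count and hash total show that a document is missing and the sequence check names it; the transposed amount affects only the dollar total, so it stays hidden behind the missing invoice until that one is rekeyed.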

Control Plans: Batch (cont’d)
- Key verification
  - Extremely expensive control plan where a second data entry person keys in source data to compare with data already entered. Rarely used in practice.
- Written approvals
  - A requirement that handwritten signatures be affixed to documents indicating approval/authorization.
- Computer preparation of business documents
  - Part of output of computer process
  - More efficient (and legible) than manual processes

Control Plans: Batch (cont’d)
- Rejection procedures
  - Establish procedures to be followed when errors are entered and erroneous records rejected by computer.
  - Rejected records may be written to a suspense file and require periodic follow-up.
- Prerecorded data
  - Examples: serial numbers, MICR a/c #s, dept. #s
  - Printed on forms so that manual entry is not required.
  - Turnaround documents
  - Prerecorded data to capture input on subsequent processing. Example: RA stub attached to invoice.

FIGURE 9.9: Computer Agreement of Batch Totals Control Plan

FIGURE 9.10: Example of Data Encryption

FIGURE 9.11: Illustration of Public-Key Cryptography and Digital Signatures (a) Encrypting the MESSAGE

FIGURE 9.12: Causeway Company Systems Flowchart to Accompany Problem 9-1