Accounting Information Systems 8e Chapter 9 Controlling Information Systems: Business Process and Application Controls Accounting Information Systems 8e Ulric J. Gelinas and Richard Dull © 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

Learning Objectives Complete the steps in the control framework and prepare a control matrix. Write explanations that describe how the business process and application controls introduced in this chapter accomplish control goals. Describe the importance of business process and application controls to organizations with enterprise systems and those engaging in e-business. 2

The Control Matrix The control matrix is a tool designed to assist in analyzing the effectiveness of controls (PCAOB Auditing Standard Number 5 – “Effectiveness of Control Design”). Establishes the criteria to be used in evaluating the controls in a particular business process.

Lenox Control Matrix

Control Matrix Explanations

Lenox Company Annotated Systems Flowchart

Steps in Preparing a Control Matrix STEP I: Specify control goals. Identify the Operations Process Goals Effectiveness goals Efficiency goals Security goals Identify Information Process Goals Input Goals Update Goals

Operations Process Goals: Effectiveness Goals Ensure the successful accomplishment of the goals set forth for the business process. Different processes have different effectiveness goals. For Lenox’s cash receipts process two examples are: A: Timely deposit of checks. B : Comply with compensating balance agreements with the depository bank. Other possible goals of a cash receipts would be shown as goals C, D, etc. and described at the bottom of the matrix (in the matrix legend). With respect to other business processes, such as production, possible effectiveness goals are : A: Maintain customer satisfaction by finishing orders on time. B: Increase market share by ensuring the highest quality of goods.

Operations Process Goals: Efficiency Goals Ensure that all resources used throughout the business process are being employed in the most productive manner. For Lenox’s cash receipts process, and for all accounting information systems, people and computers should always be included in the efficiency assessment. For other business processes, such as receiving goods and supplies, efficiency goals include the productive use of equipment.

Operations Process Goals: Security Goals Ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse. Two resources of the cash receipts process over which security must be ensured are cash and information (accounts receivable master data). With any business process, information that is added, changed, or deleted as a result of executing the process, and assets that are brought into or taken out of the organization as a result of the process are a concern. Note that the security over hard assets used to execute business processes, such as computer equipment, trucks, trailers, and loading docks, is handled through pervasive controls (discussed in Chapter 7).

Information Process Goals: Input Goals With respect to all business process data entering the system, ensure: input validity (IV) input completeness (IC) input accuracy (IA) With the cash receipts process, concern is with IV, IC and IA over cash receipts. Lenox uses remittance advices (RA). Notice that the input data of concern is specifically named. With respect to other business processes, such as hiring employees, concern would be with other inputs, such as employee, payroll, and benefit plan data.

Information Process Goals: Update Goals Update goals must consider all related information that will be affected by the input data, including master file and ledger data. Ensure: Update completeness (UC) Update accuracy (UA) With the cash receipts information process, accounts receivable data will be updated by cash receipts. Cash is debited and customer account is credited. Accounts receivable master data is listed in the control matrix. Other business processes, such as cash payments, would involve different update concerns, such as vendor, payroll, or accounts payable master data.

Steps in Preparing the Control Matrix STEP II: Identify recommend Control Plans Annotate “Present” Control Plans Evaluate “Present” Control Plans Identify and Evaluate “Missing” Control Plans

Annotate Present Control Plans Start in the upper left-hand column of the systems flowchart . Identify the first manual keying symbol, manual process symbol, or computer process symbol (process related symbols). Follow the sequential logic of the systems flowchart and identify all of the process-related symbols. Each process-related symbol reflects an internal control plan which is already present. Recognize that the current control plan may not be working as effectively as it should. Recommendations may be needed to strengthen or augment existing control plans.

Annotate the Systems Flowchart Review the flowchart and determine whether a control is present (P-) or missing (M-) Annotate the flowchart If controls are present, mark P- If controls are absent, mark M-

Annotating Present Control Plans Review the Lenox systems flowchart (Figure 9.2). The first process-related symbol is entitled “Endorse checks.” Because this process appears on the flowchart, this control plan already exists, meaning, it is present as opposed to missing. Accordingly, place a P- beside the process, indicating that is it present, and a 1 beside the P- reflecting the first present control plan on the flowchart. As a result, the systems flowchart should be annotated with a P-1.

Annotating Present Control Plans Continue reviewing the systems flowchart by following its sequential logic, annotating the flowchart with P-2, P-3, and so on until all present control plans have been accounted for.

Evaluate “Present” Control Plans Write numbers (P-1, P-2, P-3 through P-n) and name of each control plan in the left-hand column of the control matrix. Start with P-1. Look across the row and determine which control goals the plan addresses. Place a P-1 in each cell of the matrix for which P-1 is applicable. It is possible that a given control plan can attend to more than one control goal. Continue this procedure for each of the present control plans. Simultaneously, in the legend of the matrix, describe how the control plan addresses each noted control goal.

Identify and Evaluate “Missing” Control Plans Determine if additional controls are needed to address missing control goal areas, strengthen present control plans, or both. Look at the control matrix and see if there are any control goals (operations or information) for which no present control plan is addressing. If so, take the steps on the following slide.

Identify and Evaluate Missing” Control Plans In the left-hand column of the matrix, number the first missing control plan as M-1 and label or title the plan. Place M-1 in each cell in the matrix row for which the missing control is designed. In the matrix legend, explain how the missing control will address each noted control goal. Annotate M-1 on the systems flowchart where the control should be inserted. If there are other control goals which no plan has addressed, develop plan M-2 and repeat the steps. Continue until each control goal on the matrix is addressed by at least one control plan. Two missing control plans have been identified for Lenox. More might exist.

Evaluate the Systems Flowchart Look for areas where further controls are needed. Control plans might need to be added or existing plans might need to be strengthened to reduce residual risk to an acceptable level. Training and experience are required to identify these risks and weaknesses. Chapters 10 through 16 discuss how to make critical internal control assessments.

Sample Control Plans for Data Input Manual and automated data entry Data entry with batches of input data

Systems flowchart: Manual And Automated Data Entry

Control Matrix for Automated and Manual Entry

Available Control Plans for Data Input P-1: Document design P-2: Written approvals P-3: Preformatted screens P-4: Online prompting P-5: Populate input screen with master data P-6: Compare input data with master data

Available Control Plans for Data Input (Cont’d.) P-7: Procedures for rejected Inputs P-8: Programmed edit checks P-9: Confirm input acceptance P-10: Automated data entry P-11: Enter data close to the originating source P-12: Digital signatures

Data Entry with Batches Data entry with batches involves collecting inputs into work units called batches; batched inputs are then keyed into system as a group. Implies some delay between the economic event and its reflection in the system. Allows for controls focusing on the batch, e.g., batch control totals (hash or other totals from batch). Batch entry is often followed by an exception and summary report.

Batch Control Plans To be effective, batch control plans should ensure that: All documents are included in the batch. All batches are submitted for processing. All batches are accepted by the computer. All differences are disclosed, investigated and corrected on a timely basis. Batch control procedures start by grouping event data and calculating totals for the group. Several different types of batch control totals can be calculated as shown on the next two slides.

Batch Control Plans Document/record counts Simple count of the number of documents entered in a batch. Minimum level required to control input completeness. Because a document could be intentionally replaced, this control is not effective for ensuring input validity. Input accuracy is not addressed. Item or line counts Counts number of items or lines entered, such as a count of the number of invoices being paid by all customer remittances. Improves input validity, completeness, and accuracy by reducing the possibility that line items or entire documents could be added to the batch or not be input. A missing event record is a completeness error and a data set missing from an event record is an accuracy error.

Batch Control Plans Dollar totals Sum of dollar value of items in batch. By reducing the possibility that entire documents could be added to or lost from the batch or that dollar amounts were incorrectly input, this control improves input validity, completeness, and accuracy. Hash totals Summation of any numeric data existing for all documents in the batch, such as a total of customer numbers or invoice numbers in the case of remittance advices. Hash totals are a powerful control, as they can determine if inputs have been altered, added, or deleted. Batch hash totals are, for a batch, similar to document/record hash totals for individual inputs.

System Flowchart: Data Entry with Batches

Control Matrix for Data Entry with Batches

Data Entry with Batches Control Plans Present Controls P-1: Turnaround documents P-2: Manually reconcile batch totals P-3: Agree run-to-run totals (reconcile input and output batch totals) P-4: Review tickler file (file of pending shipments) P-5: One-for-one checking (compare picking tickets and packing slips) Missing Controls M-1: Sequence check M-2: Computer agreement of batch totals

Computer Agreement of Batch Totals

Public Key Cryptography and Digital Signatures