1. การควบคุมในระบบบัญชีที่ใช้คอมพิวเตอร์

2. Control Activities - I
Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:
Preventive Controls block adverse events, such as errors or losses, from occurring
Detective Controls discover the occurrence of adverse events such as operational inefficiency
Corrective controls are designed to remedy problems discovered through detective controls
Security Measures are intended to provide adequate safeguards over access to and use of assets and data records

3. Control Activities - II
Control Activities relating to Information Processing may also be classified according to where they will be applied within the system
General controls are those controls that pertain to all activities involving a firm’s AIS and assets
Application controls relate to specific accounting tasks or transactions
The overall trend seems to be going from specific application controls to more global general controls

4. Control Activities - III
Performance Reviews
Comparing Budgets to Actual Values
Relating Different Sets of Data-Operating or Financial-to one another, together with Analyses of the relationships and Investigative and Corrective Actions
Reviewing Functional Performance such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections

5. General Controls and Application Controls

6. Introduction to Controls
Controls may relate to manual AISs, to computer-based AISs, or both
Controls may be grouped into General controls, Application controls, and Security measures
Controls may also be grouped in terms of risk aversion: Corrective, Preventive, and Detective Controls
These categories are intertwined and an appropriate balance is needed for an effective internal control structure

7. Control Classifications
By Setting
General
Application
Input
Processing
Output
By Risk Aversion
Corrective
Preventive
Detective }

8. General Controls
General Controls pertain to all activities involving a firm’s AIS and resources (assets). They can be grouped as follows:
Organizational or Personnel Controls
Documentation Controls
Asset Accountability Controls
Management Practice Controls
Information Center Operations Controls
Authorization Controls
Access Controls

9. Organizational or Personnel Controls - I
Organizational independence, which separates incompatible functions, is a central control objective when designing a system
Diligence of independent reviewers, including BOD, managers, and auditors (both internal and external)
In a manual system, authorization, record-keeping, and custodial functions must be kept separate. e.g., purchases, sales, cash handling, etc

10. Organizational or Personnel Controls - II
In computer-based AISs the major segregation is between the systems development tasks, which create systems, and the data processing tasks, which operate systems
Within data processing, one may find segregation between separate control (receiving & logging), data preparation (converting to machine readable form), computer operations, and data library - batch processing
Other personnel controls include the two-week vacation rule

11. Flow of Batched Data in Computer-Based Processing
Data Library
Section
Files
Data Inputs
Outputs
Errors to be
corrected
User Departments
Receive
and
Log
Distribute
Control Section
Convert to
machine
readable
media
Data Preparation
Section
Process
Outputs
To users (exception
and summary
report)
Computer
Operations

12. Segregation of Functions in a Direct/Immediate Processing System
Batch
Files
Online
Online Files (or data library
for removable disks and
backups
Data Inputs
Displayed Outputs
Printed or
Plotted Outputs
User Departments
Process
Computer Operations

13. Documentation Controls
Documentation consists of procedures manuals and other means of describing the AIS and its operations, such as program flowcharts and organizational charts
In large firms, a data librarian is responsible for the control, storage, retention and distribution of documentation
Storing a copy of documentation in a fireproof vault, and having proper checkout procedures are other examples of documentation controls.
Use of CASEs

14. Systems Standard Documentation
Systems development policy statements
Program testing policy statements
Computer operations policy statements
Security and disaster policy statements

15. System Application Documentation
Computer system flowcharts
DFDs
Narratives
Input/output descriptions, including filled-in source documents
Formats of journals, ledgers, reports, and other outputs
Details concerning audit trails
Charts of accounts
File descriptions, including record layouts and data dictionaries
Error messages and formats
Error correction procedures
Control procedures

16. Program Documentation
Program flowcharts, decision tables, data structure diagrams
Source program listings
Inputs, formats, and sample filled-in forms
Printouts of reports, listings, and other outputs
Operating instructions
Test data and testing procedures
Program change procedures
Error listings

17. Data Documentation Descriptions of data elements
Relationships of specific data elements to other data elements

18. Operating Documentation
Performance instructions for executing computer programs
Required input/output files for specific programs
Setup procedures for certain programs
List of programmed halts, including related messages, and required operator actions for specific programs
Recovery and restart procedures for specific programs
Estimated run times of specific programs
Distribution of reports generated by specific programs

19. User Documentation Procedures for entering data on source documents
Checks of input data for accuracy and completeness
Formats and uses of reports
Possible error messages and correction procedures

20. Examples of Asset Accountability Controls
Subsidiary ledgers provide a cross-check on the accuracy of a control account
Reconciliations compare values that have been computed independently
Acknowledgment procedures transfer accountability of goods to a certain person
Logs and Registers help account for the status and use of assets
Reviews & Reassessments are used to re-evaluate measured asset values

21. Management Practice Controls
Since management is responsible and thus “over” the internal control structure, they pose risks to a firm
General controls include:
Human resource Policies and Practices
Commitment to Competence
Planning Practices
Audit Practices
Management & Operational Controls
In a computerized AIS, management should instigate a policy for:
Controls over Changes to Systems
New System Development Procedures

22. Examples of Computer Facility/Information Center Controls
Proper Supervision over computer operators
Preventive Diagnostic Programs to monitor hardware and software functions
A Disaster Recovery Plan in the event of a man-made or natural catastrophe
Hardware controls such as Duplicate Circuitry, Fault Tolerance and Scheduled Preventive Maintenance
Software checks such as a Label Check and a Read-Write Check

23. Application Controls
Application controls pertain directly to the transaction processing systems
The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported
Application controls are subdivided into input, processing and output controls

24. Authorization Controls - I
Authorizations enforce management’s policies with respect to transactions flowing into the general ledger system
They have the objectives of assuring that:
Transactions are valid and proper
Outputs are not incorrect due to invalid inputs
Assets are better protected
Authorizations may be classified as general or specific

25. Authorization Controls - II
A General authorization establishes the standard conditions for transaction approval and execution
A Specific authorization establishes specific criteria for particular sums, events, occurrences, etc
In manual and computerized batch processing systems, authorization is manifest through signatures, initials, stamps, and transaction documents
In on-line computerized systems, authorization is usually verified by the system. e.g., validation of inventory pricing by code numbers in a general ledger package

26. Input Controls
Input Controls attempt to ensure the validity, accuracy, and completeness of the data entered into an AIS.
Input controls may be subdivided into:
Data Observation and Recording
Data Transcription (Batching and Converting)
Edit tests of Transaction Data
Transmission of Transaction Data

27. Controls for Data Observation and Recording
The use of pre-numbered documents
Keeping blank forms under lock and key
Online computer systems offer the following features:
Menu screens
Preformatted screens
Using scanners that read bar codes or other preprinted documents to reduce input errors
Using feedback mechanisms such as a confirmation slip to approve a transaction
Using echo routines

28. Data Transcription - I
Data Transcription refers to the preparation of data for computerized processing and includes:
Carefully structured source documents and input screens
Batch control totals that help prevent the loss of transactions and the erroneous posting of transaction data
The use of Batch control logs in the batch control section
Amount control total totals the values in an amount or quantity field
Hash total totals the values in an identification field
Record count totals the number of source documents (transactions) in a batch

29. Data Transcription - II (Conversion of Transaction Data)
Key Verification which consists of re-keying data and comparing the results of the two-keying operations
Visual Verification which consists of comparing data from original source documents against converted data.

30. Examples of Batch Control Totals
Financial Control Total - totals up dollar amounts (e.g., total of sales invoices)
Non-financial Control Total - computes non-dollar sums (e.g., number of hours worked by employees)
Record Count - totals the number of source documents once when batching transactions and then again when performing the data processing
Hash Total - a sum that is meaningless except for internal control purposes (e.g., sum of customer account numbers)

31. Definition and Purpose of Edit Tests
Edit Tests (programmed checks) are most often validation routines built into application software
The purpose of edit tests is to examine selected fields of input data and to reject those transactions whose data fields do not meet the pre-established standards of data quality

32. Examples of Edit Tests (Programmed Checks)
Validity Check (e.g., M = male, F = female)
Limit Check (e.g., hours worked do not exceed 40 hours)
Reasonableness Check (e.g., increase in salary is reasonable compared to base salary)
Field Check (e.g., numbers do not appear in fields reserved for words)
Sequence Check (e.g., successive input data are in some prescribed order)
Range Check (e.g., particular fields fall within specified ranges - pay rates for hourly employees in a firm should fall between $8 and $20)
Relationship Check (logically related data elements are compatible - employee rated as “hourly” gets paid at a rate within the range of $8 and $20)

33. Transmission of Transaction Data
When data must be transmitted from the point of origin to the processing center and data communications facilities are used, the following checks should also be considered:
Echo Check - transmitting data back to the originating terminal for comparison with the transmitted data
Redundancy Data Check - transmitting additional data to aid in the verification process
Completeness Check - verifying that all required data have been entered and transmitted.

34. Objectives of Processing Controls
Processing Controls help assure that data are processed accurately and completely, that no unauthorized transactions are included, that the proper files and programs are included, and that all transactions can be easily traced
Categories of processing controls include Manual Cross-checks, Processing Logic Checks, Run-to-Run Controls, File and Program Checks, and Audit Trail Linkages

35. Examples of Processing Controls
Manual Cross-Checks - include checking the work of another employee, reconciliations and acknowledgments
Processing Logic Checks - many of the programmed edit checks, such as sequence checks and reasonableness checks (e.g., payroll records) used in the input stage, may also be employed during processing

36. Examples of Processing Controls
Run-to-Run Totals - batched data should be controlled during processing runs so that no records are omitted or incorrectly inserted into a transaction file
File and Program Changes - to ensure that transactions are posted to the proper account, master files should be checked for correctness, and programs should be validated
Audit Trail Linkages - a clear audit trail is needed to enable individual transactions to be traced, to provide support in general ledger balances, to prepare financial reports and to correct transaction errors or lost data

37. Output Controls
Outputs should be complete and reliable and should be distributed to the proper recipients
Two major types of output controls are:
validating processing results
regulating the distribution and use of printed output

38. Validating/Reviewing Processing Results
Activity (or proof account) listings document processing activity and reflect changes made to master files
Because of the high volume of transactions, large companies may elect to review exception reports that highlight material changes in master files

39. Regulating/Controlling Distribution of Printed Output
Reports should only be distributed to appropriate users by reference to an authorized distribution list
Sensitive reports should be shredded after use instead of discarding

40. Application Controls Arranged by Two Classification Plans
Input
Processing
Output
Control Stage
Control Purpose