Controlling Information Systems: Business Process Controls

Upload: devi

Post on 14-Jan-2016

DESCRIPTION

Controlling Information Systems: Business Process Controls. Learning Objectives: understand steps in the control framework; know how to prepare a control matrix; comprehend the generic business process control plans introduced in this chapter. PowerPoint PPT Presentation.

TRANSCRIPT

Page 1: Controlling Information Systems: Business Process Controls

Page 2

Learning Objectives

• Understand steps in the control framework

• Know how to prepare a control matrix

• Comprehend the generic business process control plans introduced in this chapter

• Be able to describe how the business process controls accomplish control goals

• Appreciate the importance of controls to organizations with enterprise systems

• Appreciate the importance of controls to organizations engaging in e-Business

Page 3

Process Controls: Hub of the AIS Wheel

• In this chapter, we spotlight one layer of controls—process controls—as indicated by the AIS Wheel.

• First, you will learn how to assess the nature and extent of process control goals by decomposing them into operation process goals and information process goals.

• Further, operations process goals are subdivided into effectiveness, efficiency, and security goals; and information process goals are split into input and update goals.

• For each category of control goals, you will recommend effective control plans.

• When control goals and plans are combined, you will understand how to develop the control matrix, which will serve as the basis for evaluating process controls in later chapters.

Page 4

The Control Matrix

• The control matrix is a tool designed to assist you in analyzing a systems flowchart and related narrative.

• It establishes the criteria to be used in evaluating the controls in a particular business process.

Page 5

Sample Control Matrix

Page 6

Steps in Preparing the Control Matrix

I. Specifying control goals is the first step in building a control matrix. The goals are listed across the top row of the matrix.

1. Identify the operations process goals

a. Effectiveness goals

b. Efficiency goals

c. Security goals

2. Identify the information process goals

a. Input goals

b. Update goals

Page 7

Operations Process Goals: Effectiveness Goals

i. Ensure the successful accomplishment of the goals set forth for the business process.

ii. Different processes have different effectiveness goals. For Causeway’s cash receipts process we include only two examples here:

– Goal A—to accelerate cash flow by promptly depositing cash receipts.

– Goal B—to ensure compliance with compensating balance agreements with the depository bank.

– Other possible goals of a cash receipts process would be shown as goals C, D, and so forth, and described at the bottom of the matrix (in the matrix legend).

iii. With respect to other business processes, such as production, we might be concerned with effectiveness goals related to the following:

– Goal A—to maintain customer satisfaction by finishing production orders on time.

– Goal B—to increase market share by ensuring the highest quality of finished goods.

Page 8

Operations Process Goals: Efficiency Goals

i. The purpose of efficiency control goals of the operations process is to ensure that all resources used throughout the business process are being employed in the most productive manner.

ii. In parentheses, notice that we have listed two resources of the cash receipts process for which efficiency is applicable—people and computers.

• In fact, people and computers would always be considered in the efficiency assessments related to accounting information systems.

iii. In other business processes, such as receiving goods and supplies, we might also be concerned with the productive use of equipment such as trucks, forklifts, and hand-held scanners.

Page 9

Operations Process Goals: Security Goals

i. The purpose of security control goals of the operations process is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse.

ii. In parentheses, we have included two resources of the cash receipts process over which security must be ensured—cash and information (accounts receivable master data).

• With any business process, we are concerned with information that is added, changed, or deleted as a result of executing the process, as well as assets that are brought into or taken out of the organization as a result of the process, such as cash, inventory, and fixed assets.

iii. With regard to other business processes, such as shipping, we might include customer master data and shipping data.

• Note: The security over hard assets used to execute business processes, such as computer equipment, trucks, trailers, and loading docks, is handled through pervasive controls (discussed in Chapter 7).

Page 10

Information Process Goals: Input Goals

i. With respect to all business process data entering the system, the purpose of input goals of the information process is to ensure:

• input validity (IV),

• input completeness (IC), and

• input accuracy (IA).

ii. With the cash receipts process, we are concerned with input validity, accuracy, and completeness over cash receipts.

• Here, they are in the form of remittance advices.

• Notice that we specifically name the input data of concern in parentheses.

iii. With respect to other business processes, such as hiring employees, we would be concerned with other inputs, such as employee, payroll, and benefit plan data.

Page 11

Information Process Goals: Update Goals

i. Update goals must consider all related information that will be affected by the input data, including master file data and ledger data. For the business process input data, the purpose of update control goals of the information process is to ensure:

• update completeness (UC), and

• update accuracy (UA).

ii. With regard to the cash receipts information process, we recognize that the accounts receivable data will be updated by cash receipts.

• Cash received reflects the debit and the customer account reflects the credit.

• Notice that we list accounts receivable master data in the control matrix.

iii. Other business processes, such as cash payments, would involve different update concerns, such as vendor, payroll, or accounts payable master data.

Page 12

Steps in Preparing the Control Matrix

II. Recommending Control Plans

1. Annotating “Present” Control Plans

2. Evaluating “Present” Control Plans

3. Identifying and Evaluating “Missing” Control Plans

Page 13

Causeway Annotated Systems Flowchart

Page 14

Annotating Present Control Plans

• Start in the upper left-hand column of the systems flowchart and spot the first manual keying symbol, manual process symbol, or computer process symbol (process-related symbols).

• Then, follow the sequential logic of the systems flowchart and identify all of the process-related symbols.

• Each process-related symbol reflects an internal control plan that is already present.

• It is important to recognize that while a control plan may be present, it may not be working as effectively as it should; thus, you might recommend ways to strengthen or augment existing control plans.

Page 15

Annotate the Process Flowchart

• Review the flowchart and determine whether a control is present (P-) or missing (M-).

• Annotate the flowchart:

– If controls are present, mark P-

– If controls are absent, mark M-

Page 16

Annotating Present Control Plans

a. Reviewing the Causeway systems flowchart (Figure 9.2), you will find that the first process-related symbol is entitled “Endorse checks.”

– Because this process appears on the flowchart, this control plan already exists, meaning it is present as opposed to missing.

– Accordingly, place a P- beside the process, indicating that it is present, and a 1 beside the P- reflecting the first present control plan on the flowchart.

– As a result, you should have annotated the systems flowchart with a P-1.

Page 17

Annotating Present Control Plans

b. Continue reviewing the systems flowchart by following its sequential logic, annotating the flowchart with P-2, P-3, and so on until you have accounted for all present control plans.

– Notice on the flowchart (Figure 9.2) that eight control plans (P-1 through P-8) are already present at Causeway.

Page 18

Evaluating “Present” Control Plans

• Write the number (P-1, P-2, P-3 through P-n) and name of each control plan in the left-hand column of the control matrix.

• Then, starting with P-1, look across the row and determine which control goals the plan addresses and place a P-1 in each cell of the matrix for which P-1 is applicable.

• It is possible that a given control plan can attend to more than one control goal.

• Continue this procedure for each of the present control plans.

• Simultaneously, in the legend of the matrix, describe how the control plan addresses each noted control goal.

Page 19

Identifying and Evaluating “Missing” Control Plans

• The next step in recommending control plans is to determine if additional controls are needed to address missing control goal areas, strengthen present control plans, or both.

Page 20

Identifying and Evaluating “Missing” Control Plans

• Examining the control matrix: The first place to start is to look at the control matrix and see whether there are any control goals (operations or information) that no present control plan addresses.

• If so, you need to do the following:

i. In the left-hand column of the matrix, number the first missing control plan as M-1 and label or title the plan.

ii. Across the matrix row, place M-1 in each cell for which the missing control is designed.

iii. In the legend of the matrix, explain how the missing control will address each noted control goal.

iv. On the systems flowchart, annotate M-1 where the control should be inserted.

v. If there are still control goals that no control plan has addressed, develop another plan (M-2) and repeat the four previous steps (i through iv). Continue this procedure until each control goal on the matrix is addressed by at least one control plan.

• With regard to Causeway, we have noted two missing control plans (M-1 and M-2) in the sample control matrix for the cash receipts business process, although more might exist.

Page 21

Evaluating the systems flowchart:

• Even though all of the control goals on the matrix are now addressed, closely review the systems flowchart one more time.

• Look for areas where further controls are needed.

• Even when all control goals on the matrix have one or more associated control plans, we might still have to add more control plans or strengthen existing plans to reduce residual risk to an acceptable level in certain areas.

• It takes training and experience to spot risks and weaknesses of this nature.

• In Chapters 10 through 16 you will learn more about how to make such critical internal control assessments.

Page 22

Sample Control Plans for Data Input

1. Processing input data without access to master data

2. Processing input data with access to master data

3. Batch input

Page 23

Processing input data without access to master data

• Because systems without master data require manual keying of data (an error-prone process), special controls are necessary to ensure control goals are met.

– Entry without master data implies that a database does not exist or is unavailable to verify data.

– This makes controls over entry of data more important.

Page 24

Data Entry Without Master Data

Page 25

Available Control Plans for Data Input

• Note that the first process-related symbol appears as “key document” in the first column (data entry clerk 1).

– P-1: Document Design—the source document is designed so that its data is easy to complete and key

– P-2: Written Approvals—signature or initials indicating approval of event processing

– P-3: Preformatted Screens—defines the acceptable format for each data field (e.g., 9 numeric characters for SSN)

– P-4: Online Prompting—requests user input or asks questions, e.g., a message box

Page 26

Available Control Plans for Data Input, Cont’d.

• The next process-related symbol (edit input) appears in the second column (data entry devices).

• P-5: Programmed Edit Checks

– Automatically performed by data entry programs upon entry of data

• Reasonableness checks (limit checks)—test input for values within predetermined limits

• Document/record hash totals—compare the computer total to a manually calculated total

• Mathematical accuracy checks—compare calculations performed manually to computer calculations, e.g., compare a manually entered invoice total to the computer-calculated total

• Check digit verification—a functionally dependent extra digit is appended to a number; if miskeying occurs, a check digit mismatch occurs and the system rejects the input
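The four P-5 edits above applied to a keyed remittance advice, as an added example that is not part of the slide deck. The record layout, the amount limits and the check-digit scheme (a trailing mod-10 Luhn digit on the customer number) are assumptions; the deck names no particular scheme.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RemittanceAdvice:
    """Constructed input record as a data entry clerk would key it (assumed layout)."""
    customer_number: str          # last digit assumed to be a mod-10 (Luhn) check digit
    invoice_numbers: list[int]    # invoices being paid
    invoice_amounts: list[float]  # amount keyed for each invoice
    keyed_total: float            # total keyed from the document
    keyed_hash_total: int         # sum of invoice numbers calculated manually


def luhn_check_digit_ok(number: str) -> bool:
    """Check digit verification: recompute the mod-10 digit over the whole number.
    A single miskeyed digit, or most transpositions of adjacent digits, breaks it."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):  # rightmost digit first
        d = int(ch)
        if i % 2 == 1:                          # double every second digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def reasonableness_check(value: float, low: float, high: float) -> bool:
    """Limit check: the value must fall within predetermined limits."""
    return low <= value <= high


def edit_input(adv: RemittanceAdvice, max_amount: float = 50_000.0) -> list[str]:
    """Run the programmed edit checks; an empty list means the input is accepted,
    otherwise each entry is a reason the data entry program would report."""
    errors: list[str] = []
    if not luhn_check_digit_ok(adv.customer_number):
        errors.append("check digit mismatch on customer number")
    for amt in adv.invoice_amounts:
        if not reasonableness_check(amt, 0.01, max_amount):
            errors.append(f"invoice amount {amt} outside limits")
    # Mathematical accuracy check: computer-calculated total vs. keyed total.
    computed_total = round(sum(adv.invoice_amounts), 2)
    if computed_total != round(adv.keyed_total, 2):
        errors.append(f"keyed total {adv.keyed_total} != computed {computed_total}")
    # Document hash total: sum of invoice numbers vs. the manually calculated sum.
    if sum(adv.invoice_numbers) != adv.keyed_hash_total:
        errors.append("document hash total mismatch on invoice numbers")
    return errors


if __name__ == "__main__":
    # Constructed sample: a clean record and one with a transposed check digit,
    # an out-of-limit amount, and a total and hash total that no longer agree.
    good = RemittanceAdvice("79927398713", [1001, 1002], [120.50, 79.50], 200.00, 2003)
    bad = RemittanceAdvice("79927398731", [1001, 1002, 1003],
                           [120.50, 79.50, 60000.0], 200.00, 3000)
    print("good:", edit_input(good) or "accepted")
    print("bad:", edit_input(bad))
```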

Page 27

Available Control Plans for Data Input

• P-6: Procedures for rejected input—rejected inputs are corrected and resubmitted for processing

• P-7: Keying corrections—the clerk corrects inputs

• P-8: Interactive feedback checks—the computer informs the clerk that input has been accepted/rejected

• P-9: Record input—the record is recorded in transaction data rather than being re-keyed at another time

• M-1: Key verification—data is keyed by two different individuals and then compared by the computer

Page 28

Control Matrix Without Master Data

Page 29

Control Plans for Data Entry With Master Data

• When standing (master) data is present, data entered can be verified against existing data, providing additional data-entry controls.

– Data entry with master data implies the presence of an existing database populated with data.

– Data in the database is used to populate entry forms or is compared to data entered.

• If we have the actual customer master data available, we can use the customer number to call up the stored customer master data and determine whether the customer number has been entered correctly, whether the customer exists, the customer’s correct address, and so forth.

• In the next section we describe the additional controls available to us when master data is available during data entry.

Page 30

Systems Flowchart: Data Entry With Master Data

Page 31

Control Matrix: Data Entry With Master Data

Page 32

Recommended Control Plans with Master Data

• P-1: Enter data close to originating source

– Because input data is entered directly and immediately, input costs are reduced, inputs are less likely to be lost, and errors are less likely and can be more easily corrected.

– Online transaction entry (OLTE), online real-time processing (OLRT), and online transaction processing (OLTP) are all examples of this processing strategy.

• P-2: Digital signatures

– Authenticate that the sender of the message has the authority to send it and detect messages that have been altered in transit.

– An application of public key cryptography involving the use of a private key to “sign” the data transmitted.

Page 33

Recommended Control Plans with Master Data

• P-3: Populate input with master data

– The user enters an entity’s ID code and the system then retrieves certain data about that entity from existing master data.

– For example, the user might be prompted to enter the customer ID (code).

– By accessing the customer master data, the system automatically provides data such as the customer’s name and address, the salesperson’s name, and the sales terms.

– This reduces the number of keystrokes required, making data entry quicker, more accurate, and more efficient.

– Therefore, the system automatically populates input fields with existing data.

Page 34

Recommended Control Plans with Master Data

• P-4: Compare input data with master data—the system compares inputs with standing (master) data to ensure their accuracy and validity

– Input/master data dependency checks

• These edits test whether the contents of two or more data elements or fields on an event description bear the correct logical relationship.

• For example, input sales events can be tested to determine whether the salesperson works in the customer’s territory.

• If these two items don’t match, there is some evidence that the customer number or the salesperson identification was input erroneously.

– Input/master data validity and accuracy checks

• These edits test whether master data supports the validity and accuracy of the input. For example, this edit might prevent the input of a shipment when no record of a corresponding customer order exists. If no match is made, we may have input some data incorrectly, or the shipment might simply be invalid. We might also compare elements within the input and master data.

Page 35

Recommended Control Plans with Master Data

• P-5: Procedures for rejected inputs

– After processing the input, the user compares the input with the master data to determine whether the input is acceptable or contains errors, and any errors are corrected and resubmitted.

• P-6: Key corrections

– The clerk completes the procedures for rejected inputs by keying the corrections into the computer, thus ensuring that the input is accurate.

• P-7: Record input

– Once all necessary corrections are made, the user accepts the input.

– This action triggers the computer to simultaneously record the input in the transaction file and inform the user that the input data has been accepted.

• P-8: Interactive feedback checks

– These interactive programmed features inform the user that the input has been accepted and recorded or rejected for processing.

Page 36

Data Entry with Batches

• Data entry with batches involves collecting inputs into work units called batches; batched inputs are then keyed into the system as a batch.

– Implies some delay between the economic event and its reflection in the system

– Allows for controls focusing on the batch, e.g., batch control totals (hash or other totals from the batch)

– Batch entry is often followed by an exception and summary report

• Figure 9.7 on page 322 is the systems flowchart for data entry with batches.

Page 37

Batch Control Plans

• Batch control plans, to be effective, should ensure that:

– All documents are included in the batch

– All batches are submitted for processing

– All batches are accepted by the computer

– All differences are disclosed, investigated, and corrected on a timely basis

Page 38

Batch Control Plans

• Batch control procedures start by grouping event data and calculating totals for the group. Several different types of batch control totals can be calculated:

– Document/record counts are simple counts of the number of documents entered in a batch.

• This procedure represents the minimum level required to control input completeness.

• Because one document could be intentionally replaced with another, this control is not effective for ensuring input validity and says nothing about input accuracy.

– Item or line counts

• Count the number of items or lines entered, such as a count of the number of invoices being paid by all the customer remittances.

• By reducing the possibility that line items or entire documents could be added to the batch or not be input, this control improves input validity, completeness, and accuracy.

• Remember, a missing event record is a completeness error and a data set missing from an event record is an accuracy error.

– Dollar totals

• The sum of the dollar value of items in the batch.

• By reducing the possibility that entire documents could be added to or lost from the batch or that dollar amounts were incorrectly input, this control improves input validity, completeness, and accuracy.

– Hash totals

• A summation of any numeric data existing for all documents in the batch, such as a total of customer numbers or invoice numbers in the case of remittance advices.

• Unlike dollar totals, hash totals normally serve no purpose other than control.

• Hash totals can be a powerful batch control because they can determine whether inputs have been altered, added, or deleted.

• These batch hash totals operate for a batch in a manner similar to the operation of document/record hash totals for individual inputs.

Page 39

Control Matrix: Data Entry With Batches

Page 40

P-1: Receive turnaround documents

• Turnaround documents are used to capture and input a subsequent event.

• Picking tickets, inventory count cards, remittance advice stubs attached to customer invoices, and payroll time cards are all examples of turnaround documents.

• For example, we have seen picking tickets that are printed by the computer, used to pick the goods, and sent to shipping where the bar code on the picking ticket is scanned to trigger the recording of the shipment.

Page 41

P-2: Calculate batch totals

• Calculation of batch totals ensures that the data input arises from legitimate events (input validity) and that all events in the batch are captured (input completeness).

• However, batch totals in isolation do not necessarily ensure input accuracy—that takes place in the reconciliation, which is discussed in P-4.

Page 42

P-3: Record picking tickets

• The picking tickets are automatically scanned into the computer using a bar code.

• This process stores the accurate, valid input data onto digital media for subsequent updating in a timely manner with minimal use of resources.

• The automatic calculation of the batch totals will ensure an efficient and effective subsequent reconciliation of the inputs.

Page 43

Data Entry With Batches

Page 44

P-4: Manually Reconcile Batch Totals

• The manual reconciliation of batch totals control plan operates in the following manner:

– a. First, one or more of the batch totals are established manually.

– b. As individual event descriptions are scanned, the data entry program accumulates independent batch totals.

– c. The computer produces reports (or displays) with the relevant control totals that must be manually reconciled to the totals established prior to the particular process.

– d. The person who reconciles the batch totals must determine why the totals do not agree and make corrections as necessary to ensure the integrity of the input data.

Page 45

P-5: Record Shipments

• Picking ticket data and accounts receivable master data are used to record shipments, which in turn updates the sales transaction data.

• Automatic recording stores the accurate, valid input data onto digital media in a timely manner with minimal use of resources.

Page 46

P-6: Reconcile input and output batch totals (agreement of run-to-run totals)

• This is a variation of the agreement of batch totals control.

• With agreement of run-to-run totals, totals prepared before a computer process has begun are compared, manually or by the computer, to totals prepared at the completion of the computer process.

• These post-process controls are often found on an error and summary report.

• When totals agree, we have evidence that the input and the update took place correctly.

• This control is especially useful when there are several intermediate steps between the beginning and the end of the process and we want to be assured of the integrity of each process.

Page 47

P-7: Compare picking tickets (from a tickler file) and packing slips (one-for-one checking)

• This has two purposes:

1. One is to ensure that all picking tickets are linked to an associated packing slip.

2. The other is to ensure that all items on related picking tickets and packing slips match.

• We regularly review a tickler file to clear items from that file.

– Tickler files may be digitized, reflecting events that need to be completed, such as open sales orders, open purchase orders, and so forth.

– Should tickler file documents remain in the file too long, the person or computer monitoring will determine the nature and extent of the delay.

• Picking tickets are compared to their associated packing slips using one-for-one checking to determine that they agree.

– Differences may indicate errors in input or update.

– This procedure provides us detail as to what is incorrect within a batch.

– Being very expensive to perform, one-for-one checking should be reserved for low-volume, high-value events.

Page 48

M-1: Automated Sequence Checks

• Whenever documents are numbered sequentially, a sequence check can be automatically applied to those documents.

• Batch sequence checks work best when we can control the input process and the serial numbers of the input data, such as payroll checks.

– In a batch sequence check, the event data within a batch are checked as follows:

• a. The range of serial numbers constituting the batch is entered.

• b. Each individual, serially pre-numbered event record is entered.

• c. The computer program sorts the event data into numerical order, checks the documents against the sequence number range, and reports missing, duplicate, and out-of-range event data.

• A cumulative sequence check provides input control when the serial numbers are not entered in sequence (i.e., picking tickets might contain broken sets of numbers).

– Individual event data (picking ticket numbers) are matched to a file that contains all document numbers (all sales order numbers).

• Periodically, reports of missing numbers are produced for manual follow-up.

– Reconciling a checkbook is another example of a situation where the check numbers are issued in sequence.

• However, the bank statement we receive may not contain a complete sequence of checks.

• Our check register assists us in performing a cumulative sequence check to make sure that all checks are eventually cleared.
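Both sequence checks from this slide, as an added example that is not part of the deck: the batch sequence check takes the serial range entered for the batch and reports missing, duplicate and out-of-range numbers; the cumulative sequence check matches each entered number against the file of all issued numbers and reports what is still open. The document numbers are constructed and the function names are this example's own.

```python
from __future__ import annotations


def batch_sequence_check(entered: list[int], first: int, last: int) -> dict[str, list[int]]:
    """Step c of the batch sequence check: sort the entered serial numbers and
    compare them to the range first..last that constitutes the batch."""
    seen: set[int] = set()
    duplicates: list[int] = []
    out_of_range: list[int] = []
    for n in sorted(entered):                  # numerical order, as the program sorts them
        if n in seen and n not in duplicates:
            duplicates.append(n)               # same serial entered twice
        seen.add(n)
        if not first <= n <= last and n not in out_of_range:
            out_of_range.append(n)             # serial not part of this batch
    missing = [n for n in range(first, last + 1) if n not in seen]
    return {"missing": missing, "duplicate": duplicates, "out_of_range": out_of_range}


def cumulative_sequence_check(entered: list[int], all_issued: set[int],
                              already_cleared: set[int]) -> dict[str, list[int]]:
    """Cumulative sequence check: numbers need not arrive in order (a broken set
    of picking tickets, or checks clearing the bank out of order). Each entered
    number is matched to the file of all issued numbers; unknown numbers are
    reported as invalid, matched ones are cleared, and the still-open numbers
    form the periodic report of missing numbers for manual follow-up."""
    unknown = sorted(n for n in entered if n not in all_issued)
    cleared = already_cleared | {n for n in entered if n in all_issued}
    still_open = sorted(all_issued - cleared)
    return {"unknown": unknown, "cleared": sorted(cleared), "still_open": still_open}


if __name__ == "__main__":
    # Constructed batch: tickets 1001-1005 were issued; 1004 was never keyed,
    # 1003 was keyed twice, and 1009 belongs to some other batch.
    print(batch_sequence_check([1005, 1001, 1003, 1003, 1002, 1009], 1001, 1005))
    # Constructed open-order file: orders 2001-2006 issued, 2001 already cleared.
    issued = set(range(2001, 2007))
    print(cumulative_sequence_check([2004, 2002, 2999], issued, {2001}))
```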

Page 49

M-2: Computer Agreement of Batch Totals

• This control plan does not exist in Figure 9.7 and therefore is shown as a missing plan.

• The computer agreement of batch totals plan is pictured in Figure 9.9 and works in the following manner:

– a. First, one or more of the batch totals are established manually (i.e., in the user department in Figure 9.9).

– b. Then, the manually prepared total is entered into the computer and is written to the computer batch control totals data.

– c. As individual event descriptions are entered, a computer program accumulates independent batch totals and compares these totals to the ones prepared manually and entered at the start of the processing.

– d. The computer prepares a report, which usually contains details of each batch, together with an indication of whether the totals agreed or disagreed.

– Batches that do not balance are normally rejected, and discrepancies are manually investigated and included in a summary report.
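An added example, not the deck's own code, that serves the batch control totals of Page 38 (record count, item count, dollar total, hash total), the P-2 calculation on Page 41 and the M-2 computer agreement above: the manually prepared totals are entered, the program accumulates independent totals over the keyed batch, and an unbalanced batch is rejected with each disagreeing total listed for investigation. The remittance-advice batch and the record layout are constructed, and the stand-alone run shows why a record count alone misses a substituted document while the hash total catches it.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RemittanceAdvice:
    """Constructed event record: one customer remittance paying one or more invoices."""
    customer_number: int
    invoice_numbers: tuple[int, ...]
    amount: float


@dataclass(frozen=True)
class BatchTotals:
    record_count: int    # document/record count
    item_count: int      # item/line count: invoices paid across the batch
    dollar_total: float  # sum of remittance amounts
    hash_total: int      # sum of customer numbers; meaningful only as a control


TOTAL_NAMES = ("record_count", "item_count", "dollar_total", "hash_total")


def calculate_batch_totals(batch: list[RemittanceAdvice]) -> BatchTotals:
    """P-2 / step c: the computer accumulates independent totals over the records entered."""
    return BatchTotals(
        record_count=len(batch),
        item_count=sum(len(r.invoice_numbers) for r in batch),
        dollar_total=round(sum(r.amount for r in batch), 2),
        hash_total=sum(r.customer_number for r in batch),
    )


def agree_batch_totals(manual: BatchTotals, batch: list[RemittanceAdvice]) -> dict:
    """M-2 computer agreement: compare the manually prepared totals (step b) with the
    computed ones and produce the step-d report. A batch with any discrepancy is
    rejected; each discrepancy is reported as (manual, computed) for follow-up."""
    computed = calculate_batch_totals(batch)
    discrepancies = {
        name: (getattr(manual, name), getattr(computed, name))
        for name in TOTAL_NAMES
        if getattr(manual, name) != getattr(computed, name)
    }
    return {"accepted": not discrepancies, "computed": computed, "discrepancies": discrepancies}


def sample_batch() -> list[RemittanceAdvice]:
    """Constructed batch of three remittance advices as prepared in the user department."""
    return [
        RemittanceAdvice(1001, (501,), 100.00),
        RemittanceAdvice(1002, (502, 503), 250.00),
        RemittanceAdvice(1003, (504,), 75.25),
    ]


if __name__ == "__main__":
    manual = calculate_batch_totals(sample_batch())   # totals prepared before keying
    print("balanced:", agree_batch_totals(manual, sample_batch()))
    # One document swapped for another with the same amount and line count:
    # record count, item count and dollar total still agree; only the hash total objects.
    swapped = sample_batch()[:2] + [RemittanceAdvice(1007, (599,), 75.25)]
    print("substituted:", agree_batch_totals(manual, swapped)["discrepancies"])
    # A document lost from the batch: every total disagrees.
    print("lost:", agree_batch_totals(manual, sample_batch()[:2])["discrepancies"])
```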

Page 50

Computer Agreement of Batch Totals Control Plan