Chapter 8: General Controls and Application Controls: Accounting Information Systems: Essential Concepts and Applications


Accounting Information Systems: Essential Concepts and Applications
Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-Wing

Chapter 8: General Controls and Application Controls

Slides Authored by Somnath Bhattacharya, Ph.D.
Florida Atlantic University

Introduction to Controls
Controls may relate to manual AISs, to
computer-based AISs, or both
Controls may be grouped into General controls,
Application controls, and Security measures
Controls may also be grouped in terms of risk
aversion: Corrective, Preventive, and Detective
Controls
These categories are intertwined and an
appropriate balance is needed for an effective
internal control structure

Control Classifications (Figure 8-1)
By Setting: General; Application (Input, Processing, Output)
By Risk Aversion: Corrective, Preventive, Detective

General Controls
General Controls pertain to all activities involving a firm's AIS and resources (assets).
They can be grouped as follows:
Organizational or Personnel Controls
Documentation Controls
Asset Accountability Controls
Management Practice Controls
Information Center Operations Controls
Authorization Controls
Access Controls

Organizational or Personnel Controls - I
Organizational independence, which separates incompatible functions, is a central control objective when designing a system
Diligence of independent reviewers, including BOD, managers, and auditors (both internal and external)
In a manual system, authorization, recordkeeping, and custodial functions must be kept separate (e.g., purchases, sales, cash handling, etc.)

Organizational or Personnel Controls - II
In computer-based AISs the major segregation is between the systems development tasks, which create systems, and the data processing tasks, which operate systems
Within data processing, one may find segregation between separate control (receiving & logging), data preparation (converting to machine readable form), computer operations, and data library - batch processing
Other personnel controls include the two-week vacation rule

Flow of Batched Data in Computer-Based Processing (Figure 8-4)
[Flowchart. Panels: User Departments (data inputs); Control Section (receive and log; log and distribute outputs; errors to be corrected); Data Preparation Section (convert to machine readable media); Computer Operations (process); Data Library Section (files); outputs to users (exception and summary report).]

Segregation of Functions in a Direct/Immediate Processing System (Figure 8-6)
[Flowchart. Panels: User Departments (data inputs, batch files, displayed outputs, printed or plotted outputs); Computer Operations (process); Online Files (or data library for removable disks and backups).]

Documentation Controls
Documentation consists of procedures manuals and
other means of describing the AIS and its operations,
such as program flowcharts and organizational charts
In large firms, a data librarian is responsible for the
control, storage, retention and distribution of
documentation
Storing a copy of documentation in a fireproof vault,
and having proper checkout procedures are other
examples of documentation controls.
Use of CASEs

System Standards
Documentation
Systems development policy statements
Program testing policy statements
Computer operations policy statements
Security and disaster policy statements

System Application Documentation
Computer system flowcharts
DFDs
Narratives
Input/output descriptions, including filled-in source documents
Formats of journals, ledgers, reports, and other outputs
Details concerning audit trails
Charts of accounts
File descriptions, including record layouts and data dictionaries
Error messages and formats
Error correction procedures
Control procedures

Program Documentation
Program flowcharts, decision tables, data structure
diagrams
Source program listings
Inputs, formats, and sample filled-in forms
Printouts of reports, listings, and other outputs
Operating instructions
Test data and testing procedures
Program change procedures
Error listings

Data Documentation
Descriptions of data elements
Relationships of specific data elements to other data elements

Operating Documentation
Performance instructions for executing computer
programs
Required input/output files for specific programs
Setup procedures for certain programs
List of programmed halts, including related messages, and
required operator actions for specific programs
Recovery and restart procedures for specific programs
Estimated run times of specific programs
Distribution of reports generated by specific programs

User Documentation
Procedures for entering data on source
documents
Checks of input data for accuracy and
completeness
Formats and uses of reports
Possible error messages and correction
procedures

Examples of Asset Accountability Controls
Subsidiary ledgers provide a cross-check on the accuracy of a control account


Reconciliations compare values that have been
computed independently
Acknowledgment procedures transfer accountability
of goods to a certain person
Logs and Registers help account for the status and use
of assets
Reviews & Reassessments are used to re-evaluate
measured asset values

Management Practice Controls
Since management is responsible for, and thus over, the internal control structure, managers themselves pose risks to a firm
General controls include:
Human resource Policies and Practices
Commitment to Competence
Planning Practices
Audit Practices
Management & Operational Controls
In a computerized AIS, management should instigate a policy for:
Controls over Changes to Systems
New System Development Procedures

Examples of Computer Facility/Information Center Controls
Proper Supervision over computer operators
Preventive Diagnostic Programs to monitor hardware and software functions
A Disaster Recovery Plan in the event of a man-made or natural catastrophe
Hardware controls such as Duplicate Circuitry, Fault Tolerance and Scheduled Preventive Maintenance
Software checks such as a Label Check and a Read-Write Check

Application Controls
Application controls pertain directly to
the transaction processing systems
The objectives of application controls
are to ensure that all transactions are
legitimately authorized and accurately
recorded, classified, processed, and
reported
Application controls are subdivided into
input, processing and output controls

Authorization Controls - I
Authorizations enforce management's policies with respect to transactions flowing into the general ledger system
They have the objectives of assuring that:
Transactions are valid and proper
Outputs are not incorrect due to invalid inputs
Assets are better protected
Authorizations may be classified as general or specific

Authorization Controls - II
A General authorization establishes the standard conditions for transaction approval and execution
A Specific authorization establishes specific criteria for particular sums, events, occurrences, etc.
In manual and computerized batch processing systems, authorization is manifest through signatures, initials, stamps, and transaction documents
In on-line computerized systems, authorization is usually verified by the system (e.g., validation of inventory pricing by code numbers in a general ledger package)

Input Controls
Input Controls attempt to ensure the
validity, accuracy, and completeness of the
data entered into an AIS.
Input controls may be subdivided into:
Data Observation and Recording
Data Transcription (Batching and
Converting)
Edit tests of Transaction Data
Transmission of Transaction Data

Controls for Data Observation and Recording
The use of pre-numbered documents
Keeping blank forms under lock and key
Online computer systems offer the following features:
Menu screens
Preformatted screens
Using scanners that read bar codes or other
preprinted documents to reduce input errors
Using feedback mechanisms such as a
confirmation slip to approve a transaction
Using echo routines

Data Transcription - I
Data Transcription refers to the preparation of data
for computerized processing and includes:
Carefully structured source documents and input screens
Batch control totals that help prevent the loss of
transactions and the erroneous posting of transaction data
The use of Batch control logs in the batch control
section
Amount control total totals the values in an amount
or quantity field
Hash total totals the values in an identification field
Record count totals the number of source documents
(transactions) in a batch

Data Transcription - II (Conversion of Transaction Data)
Key Verification, which consists of re-keying data and comparing the results of the two keying operations
Visual Verification, which consists of comparing data from original source documents against converted data

Examples of Batch
Control Totals
Financial Control Total - totals up dollar amounts
(e.g., total of sales invoices)
Non-financial Control Total - computes non-dollar
sums (e.g., number of hours worked by employees)
Record Count - totals the number of source
documents once when batching transactions and
then again when performing the data processing
Hash Total - a sum that is meaningless except for
internal control purposes (e.g., sum of customer
account numbers)
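
The three batch control totals above, as an added example that is not part of the original slides: totals are logged when the batch is formed, recomputed after conversion or processing, and reconciled. The invoice records and field names are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample batch of sales invoices (not from the slides).
BATCH = [
    {"invoice": 1001, "account": 20417, "amount": Decimal("125.50")},
    {"invoice": 1002, "account": 31155, "amount": Decimal("980.00")},
    {"invoice": 1003, "account": 20988, "amount": Decimal("42.75")},
    {"invoice": 1004, "account": 47302, "amount": Decimal("310.25")},
]

def control_totals(records):
    """Compute record count, amount control total and hash total for a batch."""
    return {
        "record_count": len(records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0")),
        # Hash total: sum of an identification field, meaningless except as a check.
        "hash_total": sum(r["account"] for r in records),
    }

def reconcile(logged, recomputed):
    """Return the names of the totals that disagree with the batch control log."""
    return sorted(k for k in logged if logged[k] != recomputed[k])

def with_change(records, index, **fields):
    """Copy of the batch with one record altered (simulates a keying error)."""
    out = [dict(r) for r in records]
    out[index].update(fields)
    return out

LOGGED = control_totals(BATCH)  # entered in the batch control log at batching

def demo():
    """Reconcile a clean batch and three damaged copies against the log."""
    lost = BATCH[:2] + BATCH[3:]                           # invoice 1003 dropped
    wrong_amount = with_change(BATCH, 1, amount=Decimal("890.00"))
    wrong_account = with_change(BATCH, 3, account=47032)   # digits transposed
    cases = {"clean": BATCH, "lost": lost,
             "wrong_amount": wrong_amount, "wrong_account": wrong_account}
    return {name: reconcile(LOGGED, control_totals(recs))
            for name, recs in cases.items()}

if __name__ == "__main__":
    for case, mismatches in demo().items():
        print(f"{case:14s} -> {mismatches or 'totals agree'}")
```

Each total catches a different error: the record count only sees lost or inserted documents, while a mis-keyed account number shows up in the hash total alone.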

Definition and Purpose of Edit Tests
Edit Tests (programmed checks) are
most often validation routines built into
application software
The purpose of edit tests is to examine
selected fields of input data and to
reject those transactions whose data
fields do not meet the pre-established
standards of data quality

Examples of Edit Tests (Programmed Checks)
Validity Check (e.g., M = male, F = female)
Limit Check (e.g., hours worked do not exceed 40 hours)
Reasonableness Check (e.g., increase in salary is reasonable compared to base salary)
Field Check (e.g., numbers do not appear in fields reserved for words)
Sequence Check (e.g., successive input data are in some prescribed order)
Range Check (e.g., particular fields fall within specified ranges - pay rates for hourly employees in a firm should fall between $8 and $20)
Relationship Check (logically related data elements are compatible - employee rated as hourly gets paid at a rate within the range of $8 and $20)
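
Several of these edit tests applied to keyed payroll records, as an added example that is not part of the original slides. The 40-hour limit and the $8 to $20 range come from the slide; the record layout, field names and sample rows are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

RATE_MIN, RATE_MAX = Decimal("8"), Decimal("20")  # hourly pay range on the slide
HOURS_LIMIT = Decimal("40")                       # limit on the slide

def to_number(text):
    """Field-check helper: Decimal value, or None if the field is not numeric."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None

def edit_tests(rec, prev_id=None):
    """Return the names of the edit tests a keyed payroll record fails."""
    failed = []
    hours, rate = to_number(rec["hours"]), to_number(rec["rate"])
    if hours is None or rate is None or any(c.isdigit() for c in rec["name"]):
        failed.append("field")
    if rec["sex"] not in ("M", "F"):
        failed.append("validity")
    if hours is not None and hours > HOURS_LIMIT:
        failed.append("limit")
    out_of_range = rate is not None and not RATE_MIN <= rate <= RATE_MAX
    if rec["pay_type"] == "hourly" and out_of_range:  # range applies to hourly only
        failed.append("relationship")
    if prev_id is not None and rec["emp_id"] <= prev_id:  # fixed-width IDs, ascending
        failed.append("sequence")
    return failed

def run_batch(records):
    """Split a batch into accepted records and an exception list of rejects."""
    accepted, rejected, prev_id = [], [], None
    for rec in records:
        failed = edit_tests(rec, prev_id)
        if failed:
            rejected.append((rec["emp_id"], failed))
        else:
            accepted.append(rec)
        prev_id = rec["emp_id"]
    return accepted, rejected

FIELDS = ("emp_id", "name", "sex", "pay_type", "hours", "rate")  # assumed layout
SAMPLE = [dict(zip(FIELDS, row)) for row in (   # constructed sample input
    ("0101", "Ada Ruiz", "F", "hourly", "38", "12.50"),
    ("0102", "Ben Okafor", "M", "hourly", "4O", "9.00"),    # letter O keyed
    ("0103", "Cy Tran", "X", "hourly", "45", "25.00"),
    ("0103", "Di Marsh", "F", "salaried", "40", "55.00"),   # repeated ID
)]
```

Rejected records go to an exception list with the names of the failed tests, so the errors can be corrected and the transactions re-entered.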

Transmission of
Transaction Data
When data must be transmitted from the point of
origin to the processing center and data
communications facilities are used, the following
checks should also be considered:
Echo Check - transmitting data back to the
originating terminal for comparison with the
transmitted data
Redundancy Data Check - transmitting
additional data to aid in the verification
process
Completeness Check - verifying that all
required data have been entered and
transmitted.

Objectives of Processing
Controls
Processing Controls help assure that data are
processed accurately and completely, that no
unauthorized transactions are included, that
the proper files and programs are included,
and that all transactions can be easily traced
Categories of processing controls include
Manual Cross-checks, Processing
Logic Checks, Run-to-Run Controls,
File and Program Checks, and Audit
Trail Linkages

Examples of Processing
Controls
Manual Cross-Checks - include checking
the work of another employee,
reconciliations and acknowledgments
Processing Logic Checks - many of the
programmed edit checks, such as
sequence checks and reasonableness
checks (e.g., payroll records) used in the
input stage, may also be employed during
processing

Examples of Processing
Controls
Run-to-Run Totals - batched data should be controlled
during processing runs so that no records are omitted
or incorrectly inserted into a transaction file
File and Program Changes - to ensure that transactions
are posted to the proper account, master files should
be checked for correctness, and programs should be
validated
Audit Trail Linkages - a clear audit trail is needed to
enable individual transactions to be traced, to provide
support in general ledger balances, to prepare financial
reports and to correct transaction errors or lost data

Output Controls
Outputs should be complete and
reliable and should be distributed to
the proper recipients
Two major types of output controls
are:
validating processing results
regulating the distribution and
use of printed output

Validating/Reviewing
Processing Results
Activity (or proof account) listings
document processing activity and
reflect changes made to master files
Because of the high volume of
transactions, large companies may
elect to review exception reports
that highlight material changes in
master files

Regulating/Controlling Distribution of Printed Output
Reports should only be distributed to appropriate users by reference to an authorized distribution list
Sensitive reports should be shredded after use instead of being discarded

Application Controls Arranged by Two Classification Plans
Control Purpose: Preventive, Detective, Corrective
Control Stage: Input, Processing, Output
Entries:
Properly authorized transactions
Batch control totals
Sound error correction procedures
Well-designed and controlled source documents
Adequate input edit tests (programmed checks)
Complete audit trail
Sound conversion control techniques
Sound file maintenance procedures
Run-to-run verifications
Adequate detective-type programmed checks
Adequate preventive-type programmed checks
Distribution log of authorized users
Reconciliation of computed totals with predetermined control totals
Reviews of outputs and tests to source documents by users
Complete audit trail
Reviews of logs and procedures by internal auditors
Review of error-correction statistics

Accounting Information Systems: Essential Concepts and Applications
Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-Wing

Copyright 2000 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the express
written permission of the copyright owner is unlawful. Request for
further information should be addressed to the Permissions Department,
John Wiley & Sons, Inc. The purchaser may make back-up copies for
his/her own use only and not for distribution or resale. The publisher
assumes no responsibility for errors, omissions, or damages, caused by
the use of these programs or from the use of the information contained
herein.
