Chapter 8: General Controls and Application Controls: Accounting Information Systems: Essential Concepts and Applications
Bhattacharya, Ph.D.
Introduction to Controls
Controls may relate to manual AISs, to computer-based AISs, or both
Controls may be grouped into General controls, Application controls, and Security measures
Controls may also be grouped in terms of risk aversion: Corrective, Preventive, and Detective Controls
These categories are intertwined and an appropriate balance is needed for an effective internal control structure
Control Classifications
[Figure 8-1: By Setting: General, Application (Input, Processing, Output). By Risk Aversion: Corrective, Preventive, Detective.]
General Controls
General Controls pertain to all activities
Organizational or Personnel Controls - I
Organizational independence, which separates incompatible functions, is a central control objective when designing a system
Organizational or Personnel Controls - II
In computer-based AISs the major segregation is between the systems development tasks, which create systems, and the data processing tasks, which operate systems
Within data processing, one may find segregation between separate control (receiving & logging), batch processing
Other personnel controls include the two-week vacation rule
[Figure 8-4. Sections shown: Control Section, Data Preparation Section, Computer Operations, Data Library Section. Labels: Receive and Log Data Inputs; Convert to machine-readable media; Process; Files; Log and Distribute Outputs; Errors to be corrected; To users (exception and summary report).]
Segregation of Functions in a Direct/Immediate Processing System
[Figure 8-6. Sections shown: User Departments, Computer Operations. Labels: Data Inputs; Batch Files; Displayed Outputs; Printed or Plotted Outputs; Process; Online Files.]
Documentation Controls
Documentation consists of procedures manuals and other means of describing the AIS and its operations, such as program flowcharts and organizational charts
In large firms, a data librarian is responsible for the control, storage, retention and distribution of documentation
Storing a copy of documentation in a fireproof vault, and having proper checkout procedures are other examples of documentation controls.
Use of CASEs
System Standards Documentation
Systems development policy statements
Program testing policy statements
Computer operations policy statements
Security and disaster policy statements
System Application Documentation
Program Documentation
Program flowcharts, decision tables, data structure diagrams
Source program listings
Inputs, formats, and sample filled-in forms
Printouts of reports, listings, and other outputs
Operating instructions
Test data and testing procedures
Program change procedures
Error listings
Data Documentation
Operating Documentation
Performance instructions for executing computer programs
Required input/output files for specific programs
Setup procedures for certain programs
List of programmed halts, including related messages, and required operator actions for specific programs
Recovery and restart procedures for specific programs
Estimated run times of specific programs
Distribution of reports generated by specific programs
User Documentation
Procedures for entering data on source documents
Checks of input data for accuracy and completeness
Formats and uses of reports
Possible error messages and correction procedures
Examples of Asset Accountability Controls
Subsidiary ledgers provide a cross-check on the
Management Practice Controls
Since management is responsible for, and thus over, the internal control structure, they pose risks to a firm
General controls include:
Examples of Computer Facility/Information Center Controls
Proper Supervision over computer operators
Preventive Diagnostic Programs to monitor hardware and software functions
A Disaster Recovery Plan in the event of a man-made or natural catastrophe
Hardware controls such as Duplicate Circuitry, Fault Tolerance and Scheduled Preventive Maintenance
Software checks such as a Label Check and a Read-Write Check
Application Controls
Application controls pertain directly to the transaction processing systems
The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported
Application controls are subdivided into input, processing and output controls
Authorization Controls - I
Authorizations enforce management's policies with respect to transactions flowing into the general ledger system
They have the objectives of assuring that:
Transactions are valid and proper
Outputs are not incorrect due to invalid inputs
Assets are better protected
Authorizations may be classified as general or specific
Authorization Controls - II
A General authorization establishes the standard conditions for transaction approval and execution
A Specific authorization establishes specific criteria for particular sums, events, occurrences, etc.
In manual and computerized batch processing systems, authorization is manifest through signatures, initials, stamps, and transaction documents
In on-line computerized systems, authorization is usually verified by the system, e.g., validation of inventory pricing by code numbers in a general ledger package
Input Controls
Input Controls attempt to ensure the validity, accuracy, and completeness of the data entered into an AIS.
Input controls may be subdivided into:
Data Observation and Recording
Data Transcription (Batching and Converting)
Edit tests of Transaction Data
Transmission of Transaction Data
Data Transcription - I
Data Transcription refers to the preparation of data for computerized processing and includes:
Carefully structured source documents and input screens
Batch control totals that help prevent the loss of transactions and the erroneous posting of transaction data
The use of Batch control logs in the batch control section
Amount control total totals the values in an amount or quantity field
Hash total totals the values in an identification field
Record count totals the number of source documents (transactions) in a batch
Data Transcription - II
Examples of Batch Control Totals
Financial Control Total - totals up dollar amounts (e.g., total of sales invoices)
Non-financial Control Total - computes non-dollar sums (e.g., number of hours worked by employees)
Record Count - totals the number of source documents once when batching transactions and then again when performing the data processing
Hash Total - a sum that is meaningless except for internal control purposes (e.g., sum of customer account numbers)
Transmission of Transaction Data
When data must be transmitted from the point of origin to the processing center and data communications facilities are used, the following checks should also be considered:
Echo Check - transmitting data back to the originating terminal for comparison with the transmitted data
Redundancy Data Check - transmitting additional data to aid in the verification process
Completeness Check - verifying that all required data have been entered and transmitted.
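The three transmission checks above, sketched as an added example that is not part of the original slides. The record layout, the field names, and the use of a CRC-32 as the "additional data" for the redundancy check are assumptions made for illustration.

```python
import json
import zlib

REQUIRED_FIELDS = ("invoice_no", "customer_account", "amount")  # assumed layout

def frame(record):
    """Sender: serialize the record and append a CRC-32 as redundancy data."""
    payload = json.dumps(record, sort_keys=True).encode()
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def redundancy_check(message):
    """Receiver: recompute the CRC over the payload and compare with the one sent."""
    payload, sent_crc = message[:-4], message[-4:]
    return len(message) > 4 and zlib.crc32(payload).to_bytes(4, "big") == sent_crc

def completeness_check(message):
    """Receiver: list required fields that are absent or empty."""
    record = json.loads(message[:-4])
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]

def echo_check(sent, echoed):
    """Originating terminal: compare the echoed bytes with what was sent."""
    return sent == echoed

def receive(message):
    """Apply the redundancy check first, then the completeness check."""
    if not redundancy_check(message):
        return "reject: redundancy check failed"
    missing = completeness_check(message)
    if missing:
        return "reject: missing " + ",".join(missing)
    return "accept"

# Constructed sample messages; invoice numbers, accounts and amounts are made up.
GOOD = frame({"invoice_no": "INV-001", "customer_account": 10452, "amount": "125.00"})
INCOMPLETE = frame({"invoice_no": "INV-002", "customer_account": 20931, "amount": ""})
CORRUPTED = bytes([GOOD[0], GOOD[1] ^ 0x01]) + GOOD[2:]  # one bit flipped in transit

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("incomplete", INCOMPLETE), ("corrupted", CORRUPTED)):
        print(name, receive(msg), "echo ok" if echo_check(GOOD, msg) else "echo differs")
```

A CRC detects accidental line errors only; it is not keyed, so it says nothing about deliberate alteration of the message.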
Objectives of Processing Controls
Processing Controls help assure that data are processed accurately and completely, that no unauthorized transactions are included, that the proper files and programs are included, and that all transactions can be easily traced
Categories of processing controls include Manual Cross-checks, Processing Logic Checks, Run-to-Run Controls, File and Program Checks, and Audit Trail Linkages
Examples of Processing Controls
Manual Cross-Checks - include checking the work of another employee, reconciliations and acknowledgments
Processing Logic Checks - many of the programmed edit checks, such as sequence checks and reasonableness checks (e.g., payroll records) used in the input stage, may also be employed during processing
Examples of Processing Controls
Run-to-Run Totals - batched data should be controlled during processing runs so that no records are omitted or incorrectly inserted into a transaction file
File and Program Changes - to ensure that transactions are posted to the proper account, master files should be checked for correctness, and programs should be validated
Audit Trail Linkages - a clear audit trail is needed to enable individual transactions to be traced, to provide support in general ledger balances, to prepare financial reports and to correct transaction errors or lost data
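The batch control totals described under Data Transcription and the run-to-run totals above, worked through as an added example that is not part of the original slides. The transaction fields, the sample batch, and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    customer_account: int  # identification field, feeds the hash total
    amount: Decimal        # dollar field, feeds the financial control total

@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    financial_total: Decimal
    hash_total: int

def control_totals(batch):
    """Compute the three batch control totals over a list of transactions."""
    return ControlTotals(
        record_count=len(batch),
        financial_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(t.customer_account for t in batch),
    )

def reconcile(logged, batch_after_run):
    """Run-to-run check: name every total that no longer matches the log."""
    actual = control_totals(batch_after_run)
    return [name for name in ("record_count", "financial_total", "hash_total")
            if getattr(logged, name) != getattr(actual, name)]

# Constructed sample batch; account numbers and amounts are made up.
BATCH = [
    Txn(10452, Decimal("125.00")),
    Txn(20931, Decimal("89.50")),
    Txn(30077, Decimal("310.25")),
]
LOGGED = control_totals(BATCH)  # entry written to the batch control log

def demo():
    dropped = BATCH[:2]                                # a record omitted
    inserted = BATCH + [Txn(40118, Decimal("15.00"))]  # a record inserted
    # Account digits transposed: count and dollars still agree, hash total does not.
    misposted = [BATCH[0], Txn(20913, Decimal("89.50")), BATCH[2]]
    return {
        "clean": reconcile(LOGGED, BATCH),
        "dropped": reconcile(LOGGED, dropped),
        "inserted": reconcile(LOGGED, inserted),
        "misposted": reconcile(LOGGED, misposted),
    }

if __name__ == "__main__":
    for case, mismatches in demo().items():
        print(case, mismatches or "totals agree")
```

The misposted case is the reason a hash total is kept even though the sum itself is meaningless: the record count and financial total cannot see a transaction posted to the wrong account.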
Output Controls
Outputs should be complete and reliable and should be distributed to the proper recipients
Two major types of output controls are:
validating processing results
regulating the distribution and use of printed output
Validating/Reviewing Processing Results
Activity (or proof account) listings document processing activity and reflect changes made to master files
Because of the high volume of transactions, large companies may elect to review exception reports that highlight material changes in master files
Regulating/Controlling Distribution of Printed Output
[Table residue. Labels: Processing, Output, Preventive, Detective, Corrective. Surviving entries: Properly authorized transactions; Well-designed and controlled source documents.]
Copyright 2000 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the express
written permission of the copyright owner is unlawful. Request for
further information should be addressed to the Permissions Department,
John Wiley & Sons, Inc. The purchaser may make back-up copies for
his/her own use only and not for distribution or resale. The publisher
assumes no responsibility for errors, omissions, or damages, caused by
the use of these programs or from the use of the information contained
herein.