Accounting Information Systems:

Essential Concepts and Applications

Fourth Edition by Wilkinson, Cerullo, Raval,
and Wong-On-Wing

Chapter 8: General Controls

and Application Controls

Slides Authored by Somnath Bhattacharya, Ph.D.

Florida Atlantic University
Introduction to Controls
 Controls may relate to manual AISs, to computer-
based AISs, or both
 Controls may be grouped into General controls,
Application controls, and Security measures
 Controls may also be grouped in terms of risk
aversion: Corrective, Preventive, and Detective
Controls
 These categories are intertwined and an appropriate
balance is needed for an effective internal control
structure
 Control Classifications

By Setting By Risk Aversion

 General  Corrective

 Preventive

}
 Application
 Input
 Processing  Detective
 Output

Figure 8-1
General Controls
General Controls pertain to all activities involving a
firm’s AIS and resources (assets). They can be
grouped as follows:
 Organizational or Personnel Controls
 Documentation Controls
 Asset Accountability Controls
 Management Practice Controls
 Information Center Operations Controls
 Authorization Controls
 Access Controls
Organizational or
Personnel Controls - I

 Organizational independence, which separates

incompatible functions, is a central control objective
when designing a system
 Diligence of independent reviewers, including
BOD, managers, and auditors (both internal and
external)
 In a manual system, authorization, record-
keeping, and custodial functions must be kept
separate. e.g., purchases, sales, cash handling, etc
Organizational or
Personnel Controls - II
 In computer-based AISs the major segregation is
between the systems development tasks, which create
systems, and the data processing tasks, which operate
systems
 Within data processing, one may find segregation
between separate control (receiving & logging),
data preparation (converting to machine readable
form), computer operations, and data library -
batch processing
 Other personnel controls include the two-week vacation
rule
Flow of Batched Data in
Computer-Based Processing Data Library
Data Preparation Section
User Departments Control Section Computer
Section
Operations Files
Receive Convert
Data
to
and machine Process
Inputs
readable
Log media
Files
Log
Outputs Outputs
and

Distribute

Errors To users
to be (exception
corrected and summary
report)

Figure 8-4
Segregation of Functions in a
Direct/Immediate Processing System
Online Files (or data library
User Departments Computer Operations for removable disks and
backups

Data Inputs
Batch
Files

Displayed Outputs Process

Online
Printed or Files
Plotted Outputs

Figure 8-6
Documentation Controls

 Documentation consists of procedures manuals and

other means of describing the AIS and its operations,
such as program flowcharts and organizational charts
 In large firms, a data librarian is responsible for the
control, storage, retention and distribution of
documentation
 Storing a copy of documentation in a fireproof vault,
and having proper checkout procedures are other
examples of documentation controls.
 Use of CASEs
System Standards
Documentation

 Systems development policy statements

 Program testing policy statements
 Computer operations policy statements
 Security and disaster policy statements
System Application
Documentation
 Computer system flowcharts
 DFDs
 Narratives
 Input/output descriptions, including filled-in source documents
 Formats of journals, ledgers, reports, and other outputs
 Details concerning audit trails
 Charts of accounts
 File descriptions, including record layouts and data dictionaries
 Error messages and formats
 Error correction procedures
 Control procedures
Program Documentation

 Program flowcharts, decision tables, data structure

diagrams
 Source program listings
 Inputs, formats, and sample filled-in forms
 Printouts of reports, listings, and other outputs
 Operating instructions
 Test data and testing procedures
 Program change procedures
 Error listings
Data Documentation

 Descriptions of data elements

 Relationships of specific data
elements to other data elements
Operating Documentation

 Performance instructions for executing computer

programs
 Required input/output files for specific programs
 Setup procedures for certain programs
 List of programmed halts, including related messages, and
required operator actions for specific programs
 Recovery and restart procedures for specific programs
 Estimated run times of specific programs
 Distribution of reports generated by specific programs
User Documentation

 Procedures for entering data on source

documents
 Checks of input data for accuracy and
completeness
 Formats and uses of reports
 Possible error messages and correction
procedures
Examples of Asset
Accountability Controls
 Subsidiary ledgers provide a cross-check on the
accuracy of a control account
 Reconciliations compare values that have been
computed independently
 Acknowledgment procedures transfer accountability
of goods to a certain person
 Logs and Registers help account for the status and use
of assets
 Reviews & Reassessments are used to re-evaluate
measured asset values
Management Practice
Controls
 Since management is responsible and thus “over” the
internal control structure, they pose risks to a firm
 General controls include:
 Human resource Policies and Practices
 Commitment to Competence
 Planning Practices
 Audit Practices
 Management & Operational Controls
 In a computerized AIS, management should instigate a
policy for:
 Controls over Changes to Systems
 New System Development Procedures
Examples of Computer
Facility/Information Center Controls

 Proper Supervision over computer operators

 Preventive Diagnostic Programs to monitor hardware and
software functions
 A Disaster Recovery Plan in the event of a man-made or
natural catastrophe
 Hardware controls such as Duplicate
Circuitry, Fault Tolerance and Scheduled
Preventive Maintenance
 Software checks such as a Label Check
and a Read-Write Check
Application Controls

 Application controls pertain directly to the

transaction processing systems
 The objectives of application controls are to
ensure that all transactions are legitimately
authorized and accurately recorded,
classified, processed, and reported
 Application controls are subdivided into input,
processing and output controls
Authorization Controls - I

 Authorizations enforce management’s policies

with respect to transactions flowing into the
general ledger system
 They have the objectives of assuring that:
 Transactions are valid and proper
 Outputs are not incorrect due to invalid inputs
 Assets are better protected
 Authorizations may be classified as general or
specific
Authorization Controls - II

 A General authorization establishes the standard

conditions for transaction approval and execution
 A Specific authorization establishes specific criteria for
particular sums, events, occurrences, etc
 In manual and computerized batch processing systems,
authorization is manifest through signatures, initials,
stamps, and transaction documents
 In on-line computerized systems, authorization is usually
verified by the system. e.g., validation of inventory
pricing by code numbers in a general ledger package
Input Controls

 Input Controls attempt to ensure the validity,

accuracy, and completeness of the data
entered into an AIS.
 Input controls may be subdivided into:
 Data Observation and Recording
 Data Transcription (Batching and Converting)
 Edit tests of Transaction Data
 Transmission of Transaction Data
Controls for Data
Observation and Recording

 The use of pre-numbered documents

 Keeping blank forms under lock and key
 Online computer systems offer the following features:
 Menu screens
 Preformatted screens
 Using scanners that read bar codes or other
preprinted documents to reduce input errors
 Using feedback mechanisms such as a confirmation
slip to approve a transaction
 Using echo routines
Data Transcription - I

 Data Transcription refers to the preparation of data for

computerized processing and includes:
 Carefully structured source documents and input screens
 Batch control totals that help prevent the loss of transactions
and the erroneous posting of transaction data
 The use of Batch control logs in the batch control section
 Amount control total totals the values in an amount or
quantity field
 Hash total totals the values in an identification field
 Record count totals the number of source documents
(transactions) in a batch
Data Transcription - II
(Conversion of Transaction Data)

 Key Verification which consists of re-

keying data and comparing the results
of the two-keying operations
 Visual Verification which consists of
comparing data from original source
documents against converted data.
Examples of Batch Control
Totals

 Financial Control Total - totals up dollar amounts (e.g.,

total of sales invoices)
 Non-financial Control Total - computes non-dollar sums
(e.g., number of hours worked by employees)
 Record Count - totals the number of source documents
once when batching transactions and then again when
performing the data processing
 Hash Total - a sum that is meaningless except for
internal control purposes (e.g., sum of customer
account numbers)
Definition and Purpose of
Edit Tests

 Edit Tests (programmed checks) are most

often validation routines built into application
software
 The purpose of edit tests is to examine
selected fields of input data and to reject
those transactions whose data fields do not
meet the pre-established standards of data
quality
Examples of Edit Tests
(Programmed Checks)
 Validity Check (e.g., M = male, F = female)
 Limit Check (e.g., hours worked do not exceed 40 hours)
 Reasonableness Check (e.g., increase in salary is reasonable
compared to base salary)
 Field Check (e.g., numbers do not appear in fields reserved for words)
 Sequence Check (e.g., successive input data are in some prescribed
order)
 Range Check (e.g., particular fields fall within specified ranges - pay
rates for hourly employees in a firm should fall between $8 and $20)
 Relationship Check (logically related data elements are compatible -
employee rated as “hourly” gets paid at a rate within the range of $8
and $20)
Transmission of
Transaction Data
When data must be transmitted from the point of origin
to the processing center and data communications
facilities are used, the following checks should also be
considered:
 Echo Check - transmitting data back to the
originating terminal for comparison with the
transmitted data
 Redundancy Data Check - transmitting
additional data to aid in the verification
process
 Completeness Check - verifying that all required
data have been entered and transmitted.
Objectives of Processing
Controls

 Processing Controls help assure that data are

processed accurately and completely, that no
unauthorized transactions are included, that the
proper files and programs are included, and that all
transactions can be easily traced
 Categories of processing controls include
Manual Cross-checks, Processing
Logic Checks, Run-to-Run Controls,
File and Program Checks, and Audit
Trail Linkages
 Examples of Processing
Controls
 Manual Cross-Checks - include checking the work
of another employee, reconciliations and
acknowledgments
 Processing Logic Checks - many of the
programmed edit checks, such as sequence
checks and reasonableness checks (e.g., payroll
records) used in the input stage, may also be
employed during processing
Examples of Processing
Controls
 Run-to-Run Totals - batched data should be controlled
during processing runs so that no records are omitted or
incorrectly inserted into a transaction file
 File and Program Changes - to ensure that transactions
are posted to the proper account, master files should be
checked for correctness, and programs should be
validated
 Audit Trail Linkages - a clear audit trail is needed to
enable individual transactions to be traced, to provide
support in general ledger balances, to prepare financial
reports and to correct transaction errors or lost data
Output Controls

 Outputs should be complete and reliable

and should be distributed to the proper
recipients
 Two major types of output controls are:
 validating processing results
 regulating the distribution and
use of printed output
Validating/Reviewing
Processing Results

 Activity (or proof account) listings

document processing activity and reflect
changes made to master files
 Because of the high volume of
transactions, large companies may elect
to review exception reports that
highlight material changes in master
files
Regulating/Controlling
Distribution of Printed Output

 Reports should only be distributed

to appropriate users by reference
to an authorized distribution list
 Sensitive reports should be
shredded after use instead of
discarding
Application Controls Arranged
by Two Classification Plans
Control
Purpose
Preventive Detective Corrective

Control
Stage Properly authorized Batch control totals Sound error correction
transactions procedures
Adequate input edit tests
Well-designed and (programmed checks) Complete audit trail
controlled source
Input documents

Sound conversion control

techniques
Sound file maintenance Run-to-run verifications Complete audit trail
procedures
Processing Adequate detective-type
Adequate preventive- programmed checks
type programmed checks
Distribution log of Reconciliation of Reviews of logs and
authorized users computed totals with procedures by internal
predetermined control auditors
totals
Output Review of error-
Reviews of outputs and correction statistics
tests to source
documents by users
 Accounting Information Systems:
Essential Concepts and Applications
Fourth Edition by Wilkinson, Cerullo,
Raval, and Wong-On-Wing

Copyright © 2000 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the express
written permission of the copyright owner is unlawful. Request for
further information should be addressed to the Permissions Department,
John Wiley & Sons, Inc. The purchaser may make back-up copies for
his/her own use only and not for distribution or resale. The publisher
assumes no responsibility for errors, omissions, or damages, caused by
the use of these programs or from the use of the information contained
herein.