Controlling Information Systems: Business Process and Application Controls
This chapter presents a conceptual framework for the analysis of controls in
business systems. We apply the control framework by describing business process
and application controls that may be found in any information system. These
controls will help us prevent (or detect or correct) the data quality issues plaguing
organizations throughout the world.
THE CONTROL FRAMEWORK
The control framework provides you with a structure for analysing the
internal controls of business organizations. To make the framework
functional, you need to become familiar with, and comfortable using, the
tools for implementing the framework.
The Control Matrix
• The control matrix is a tool designed to assist in analyzing the
effectiveness of controls (PCAOB Auditing Standard Number 5 –
“Effectiveness of Control Design”).
• Establishes the criteria to be used in evaluating the controls in a particular
business process.
Steps in Preparing a Control Matrix
STEP I: Specify control goals.
1. Identify the Operations Process Goals
a. Effectiveness goals
b. Efficiency goals
c. Security goals
2. Identify Information Process Goals
a. Input Goals
b. Update Goals
Operations Process Goals: Effectiveness Goals
• Ensure the successful accomplishment of the goals set forth for the business
process.
• Different processes have different effectiveness goals. For Lenox’s cash receipts
process two examples are:
− A: Timely deposit of checks.
− B: Comply with compensating balance agreements with the depository
bank.
• With respect to other business processes, such as production, possible
effectiveness goals are:
− A: Maintain customer satisfaction by finishing orders on time.
− B: Increase market share by ensuring the highest quality of goods.
Operations Process Goals: Efficiency Goals
• Ensure that all resources used throughout the business process are being
employed in the most productive manner.
• For Lenox’s cash receipts process, and for all accounting information
systems, people and computers should always be included in the
efficiency assessment.
• For other business processes, such as receiving goods and supplies,
efficiency goals include the productive use of equipment.
Operations Process Goals: Security Goals
• Ensure that entity resources are protected from loss, destruction,
disclosure, copying, sale, or other misuse.
• Two resources of the cash receipts process over which security must be
ensured are cash and information (accounts receivable master data).
• With any business process, information that is added, changed, or deleted
as a result of executing the process, and assets that are brought into or
taken out of the organization as a result of the process are a concern.
• Note that the security over hard assets used to execute business
processes, such as computer equipment, trucks, trailers, and loading
docks, is handled through pervasive controls (discussed in Chapter 7).
Information Process Goals: Input Goals
• With respect to all business process data entering the system, ensure:
− input validity (IV)
− input completeness (IC)
− input accuracy (IA)
• With the cash receipts process, concern is with IV, IC and IA over cash
receipts. Lenox uses remittance advices (RA). Notice that the input data
of concern is specifically named.
• With respect to other business processes, such as hiring employees,
concern would be with other inputs, such as employee, payroll, and
benefit plan data.
Information Process Goals: Update Goals
• Update goals must consider all related information that will be
affected by the input data, including master file and ledger data.
• Ensure:
− Update completeness (UC)
− Update accuracy (UA)
• With the cash receipts information process, accounts receivable
data will be updated by cash receipts.
− Cash is debited and customer account is credited.
− Accounts receivable master data is listed in the control
matrix.
• Other business processes, such as cash payments, would involve
different update concerns, such as vendor, payroll, or accounts
payable master data.
Steps in Preparing the Control Matrix
STEP II: Identify Recommended Control Plans
1. Annotate “Present” Control Plans
2. Evaluate “Present” Control Plans
3. Identify and Evaluate “Missing” Control Plans
Applying the Control Framework
• Document design is a control plan in which a source document is designed
in such a way as to make it easier to prepare initially and to input data
from later.
• A written approval takes the form of a signature or initials on a document
to indicate that a person has authorized the event.
• Preformatted screens control the entry of data by defining the acceptable
format of each data field.
• Online prompting asks the user for input or asks questions that the user
must answer.
• Populate inputs with master data. Numeric, alphabetic, and other
designators are usually assigned to entities such as customers, vendors,
and employees.
• Compare input data with master data. A data entry program can be designed to compare the
input data to data that have been previously recorded. When we compare input data with
master data we can determine the accuracy and validity of the input data.
• Programmed edit checks are edits automatically performed by data entry programs upon
entry of the input data.
1. Reasonableness checks. Reasonableness checks, also known as limit checks, test
whether the contents (e.g., values) of the data entered fall within predetermined limits.
2. Document/record hash totals are a summary of any numeric data field within the input
document or record, such as item numbers or quantities on a customer order.
3. Mathematical accuracy checks. This edit compares calculations performed manually to
those performed by the computer to determine if a document has been entered
correctly.
4. Check digit verification. In many processes, an extra digit—a check digit—is included in
the identification number of entities such as customers and vendors.
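The four programmed edit checks listed above, applied to one keyed remittance advice. This is an added example, not part of the original chapter; the record layout, the limit of 50,000.00, the sample records, and the choice of the Luhn (mod 10) scheme for the check digit are assumptions made for illustration.

```python
from decimal import Decimal

# Assumed limit for the reasonableness (limit) check; not from the chapter.
MAX_RECEIPT = Decimal("50000.00")

def luhn_valid(identifier: str) -> bool:
    """Check digit verification using the Luhn (mod 10) scheme, an assumed choice."""
    if not identifier.isdigit() or len(identifier) < 2:
        return False
    total = 0
    # Walk right to left; double every second digit, starting next to the check digit.
    for pos, ch in enumerate(reversed(identifier)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_remittance(ra: dict) -> list:
    """Run the four programmed edit checks on one keyed remittance advice."""
    errors = []
    lines = ra["lines"]  # list of (invoice_number, amount) pairs
    computed_total = sum((amt for _, amt in lines), Decimal("0"))
    # 1. Reasonableness: each amount must fall within predetermined limits.
    if any(amt <= 0 or amt > MAX_RECEIPT for _, amt in lines):
        errors.append("reasonableness")
    # 2. Document hash total: sum of invoice numbers vs. the total on the document.
    if sum(inv for inv, _ in lines) != ra["hash_total"]:
        errors.append("hash_total")
    # 3. Mathematical accuracy: manually calculated total vs. the computer's total.
    if computed_total != ra["stated_total"]:
        errors.append("math_accuracy")
    # 4. Check digit verification on the customer number.
    if not luhn_valid(ra["customer_no"]):
        errors.append("check_digit")
    return errors

# Constructed sample input: one clean record and one with keying errors
# (transposed customer digits, wrong invoice number, wrong amount).
GOOD_RA = {"customer_no": "79927398713", "hash_total": 2003,
           "stated_total": Decimal("350.00"),
           "lines": [(1001, Decimal("100.00")), (1002, Decimal("250.00"))]}
BAD_RA = {"customer_no": "79927398731", "hash_total": 2003,
          "stated_total": Decimal("350.00"),
          "lines": [(1001, Decimal("100.00")), (1020, Decimal("25.00"))]}

if __name__ == "__main__":
    print(edit_remittance(GOOD_RA))
    print(edit_remittance(BAD_RA))
```

The second record passes the reasonableness check even though three of its fields are wrong, which is why the edits are run together rather than relied on individually.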
• An interactive feedback check is a control in which the data entry program informs
the user that the input has been accepted and recorded.
• Enter data close to the originating source. This is a strategy for capture and entry
of event-related data close to the place (and probably time) that an event occurs.
• Digital signatures authenticate that the sender of the message has authority to
send it and thus prevent the unauthorized diversion of resources.
Data Entry with Batches
• Data entry with batches involves collecting inputs into work units called
batches; batched inputs are then keyed into the system as a group.
– Implies some delay between the economic event and its reflection in the
system.
– Allows for controls focusing on the batch, e.g., batch control totals (hash or
other totals from batch).
– Batch entry is often followed by an exception and summary report.
Batch Control Plans
• To be effective, batch control plans should ensure that:
– All documents are included in the batch.
– All batches are submitted for processing.
– All batches are accepted by the computer.
– All differences are disclosed, investigated and corrected on
a timely basis.
• Batch control procedures start by grouping event data and
calculating totals for the group. Several different types of
batch control totals can be calculated as shown on the next
two slides.
Batch Control Plans
– Document/record counts
• Simple count of the number of documents entered in a batch.
• Minimum level required to control input completeness.
• Because a document could be intentionally replaced, this control is
not effective for ensuring input validity.
• Input accuracy is not addressed.
– Item or line counts
• Counts number of items or lines entered, such as a count of the
number of invoices being paid by all customer remittances.
• Improves input validity, completeness, and accuracy by reducing the
possibility that line items or entire documents could be added to the
batch or not be input.
• A missing event record is a completeness error and a data set missing
from an event record is an accuracy error.
Batch Control Plans
– Dollar totals
• Sum of dollar value of items in batch.
• By reducing the possibility that entire documents could be added to or
lost from the batch or that dollar amounts were incorrectly input, this
control improves input validity, completeness, and accuracy.
– Hash totals
• Summation of any numeric data existing for all documents in the batch,
such as a total of customer numbers or invoice numbers in the case of
remittance advices.
• Hash totals are a powerful control, as they can determine if inputs have
been altered, added, or deleted.
• Batch hash totals are, for a batch, similar to document/record hash
totals for individual inputs.
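The four batch control totals described above, computed before data entry and reconciled against the keyed batch. This is an added example, not part of the original chapter; the record layout, customer numbers, invoice numbers, and amounts are constructed, and the hash total is taken over customer numbers.

```python
from decimal import Decimal

def batch_totals(batch: list) -> dict:
    """Compute the four batch control totals for a list of remittance advices."""
    return {
        "record_count": len(batch),
        "line_count": sum(len(ra["invoices"]) for ra in batch),
        "dollar_total": sum((amt for ra in batch for _, amt in ra["invoices"]),
                            Decimal("0")),
        # Hash total: sum of customer numbers, meaningless except as a control.
        "hash_total": sum(ra["customer_no"] for ra in batch),
    }

def reconcile(manual: dict, keyed_batch: list) -> list:
    """Return the names of the control totals that disagree with the manual ones."""
    computed = batch_totals(keyed_batch)
    return [name for name in manual if manual[name] != computed[name]]

def ra(customer_no, *invoices):
    """Build one constructed remittance advice from (invoice_no, amount) pairs."""
    return {"customer_no": customer_no,
            "invoices": [(n, Decimal(a)) for n, a in invoices]}

# Constructed batch as grouped before data entry, with totals taken at that point.
ORIGINAL = [ra(4101, (9001, "120.00"), (9002, "80.00")),
            ra(4102, (9003, "300.00")),
            ra(4103, (9004, "45.50"))]
MANUAL_TOTALS = batch_totals(ORIGINAL)

# Case 1: one document replaced by another with the same line count and amount.
SUBSTITUTED = [ORIGINAL[0], ra(4999, (9003, "300.00")), ORIGINAL[2]]
# Case 2: a document dropped during keying.
DROPPED = ORIGINAL[:2]
# Case 3: an amount keyed incorrectly (45.50 entered as 54.50).
MISKEYED = ORIGINAL[:2] + [ra(4103, (9004, "54.50"))]

if __name__ == "__main__":
    for label, batch in [("substituted", SUBSTITUTED), ("dropped", DROPPED),
                         ("miskeyed", MISKEYED)]:
        print(label, reconcile(MANUAL_TOTALS, batch))
```

In the substituted case the document count, line count, and dollar total all agree and only the hash total differs, which matches the point that a document count alone does not address input validity.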
Data Entry with Batches Control Plans
Present Controls
• Turnaround documents
• Key verification
• Sequence check
• Manually reconcile batch totals
• Computer agreement of batch totals
• Agree run-to-run totals (reconcile input and output batch totals)
• Review tickler file (file of pending shipments)
• One-for-one checking (compare picking tickets and packing slips)