This document discusses internal controls for computerized accounting information systems. It describes general controls that apply across systems, such as policies for access, backup procedures, and segregation of duties. It also discusses application controls that operate within specific systems or processes to ensure proper authorization, recording, completeness and accuracy of transactions. Examples provided include input and output edit checks, sequence checks, and comparison of control totals. Threats to internal controls like fraud or system errors are also mentioned.
Accounting System Design and Development-Internal Controls
1. Aims of a computerised accounting
information system
General and application controls
Limitations of controls
Threats to internal controls
Internal Controls (Part II)
Accounting System
Design and Development
2. Identify 3 advantages of computerised
application controls.
3. Proper authorisation such as authorising valid
transactions
Proper record such as input and output
accuracy
Completeness
Timeliness
Consistent execution, authorisation, and
application
Enforce Completeness
More difficult to avoid
More timely and efficient to execute
More timely reporting and feedback!!
…etc
4. Some risks apply across a number of areas of the
organisation. To address these risks we have GENERAL
CONTROLS.
General controls affect the overall information system.
General controls are established with the aim of providing
reasonable assurance that the internal control objectives are
achieved.
These controls affect all applications
Seen as pervasive – these controls will apply across almost all
of the information systems in an organisation.
Support the effective operation of application controls
General Control
◦ Policies/procedures relating to many applications
◦ Support the effective operation of application controls
Application Control
◦ Manual or automated
◦ Operate within a business process / application
◦ Relate to the initiation, recording, reporting and processing
of events
◦ Deal with the aims of occurrence, authorisation,
completeness and accuracy
5. custody of ◦ Access to systems
◦ Policies and procedures ◦ Data protection
Telecommunications
Access encryption techniques
To data files ◦ Disaster recovery
Hardware
Physical controls
Segregation of duties
User access
System development procedures
User awareness of risks
Data storage procedures
Organisational Systems Development
◦ Separation of duties ◦ User involvement
Design, programming, ◦ Authorisation
operations, data entry, ◦ Documentation
documentation software restricted
Recruitment
Termination ◦ Transmission /
To computer facilities Other
Authorised users ◦ Backup/Off site storage
◦ Monitor and detect
failures
6. Users – record transactions, authorize data to be processed, and use system output.
Systems analysis – helps users determine their information needs and then design an information system to meet those needs.
Programming – take the design provided by system analysts and creates an information system by writing the computer programs.
Computer operations – run the software on the company’s computer. They ensure that data is input properly and correctly processed and the right output is produced.
Database administration – maintain and manage corporate databases and files.
Systems administration – ensure that the different parts of an information system operate smoothly and efficiently.
Network management – ensure that all applicable devices are linked to the organisation’s internal and external networks and that the networks operate continuously and properly.
Change management – manage all changes to an organisation’s information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.
7. ◦ Virtual private networks
◦ Electronic eavesdropping
◦ Message acknowledgement procedures
◦ What unique risks do microcomputers present to an
Wireless technology
Wired Networks
◦ Routing verification procedures
Microcomputers
organisation?
Location of computing facility
Restrict employee access
The use of Biometrics
Change management – the person (usually a
developer) who makes the IS change should
be different from the person who makes the
change available to users – the process of
making changes available to all users is
usually called “migration into production”
Why do we need to segregate these
functions?
8. Fault tolerant / Built in redundancies
Disk mirroring
Backups
◦ Hierarchically performed
◦ Where to store backup data?
◦ How often to backup?
Uninterruptible power supply
Separation of duties
◦ Accounting from other sub-systems
◦ Responsibilities within IT
Programming
Data management
Design / Analysis
Testing
◦ Within a process
Authorisation, Execution, Custody, Recording
Computer accounts / Logins / Access controls
9. DRP Considers:
◦ Natural disasters
◦ Deliberate malicious acts
◦ Accidental destructive acts…
DRP Usually covers:
◦ Staff
Employees
Customers
Suppliers
Other Stakeholders…
◦ Physical resources
Buildings
Equipment
Cash…
◦ Information resources
Data
Information…
DRP refers to the strategy an organisation
will put into action in the event of a disaster
that disrupts normal operations. The aim is
business continuity, i.e. to resume
operations as soon as possible with minimal
loss or disruption to data and information.
This plan describes procedures to be
followed in the case of an emergency as
well as the role of each member of the
disaster recovery team.
10. Controls over specific systems/business
processes
◦ Relate to the initiation, recording, reporting and
processing of events
Provide reasonable assurance that the events
occurring in a system/process are
authorised
and recorded, and are processed completely,
accurately and on a timely basis and that
resources in that system are protected.
Examples of systems/processes in an
organisation:
◦ Sales system, Accounts receivable system, Purchases
system, Payments system, Payroll, Financial
Reporting, Inventory…
Temporary Site
◦ Hot site
◦ Cold site
Staffing
◦ Evacuating threatened staff
◦ Enabling staff to operate in DRP mode
Staff need to know their roles
Restore relationships
◦ As organisations become integrated the
information asset is increasing in importance
11. required by the needs of the business process?
Classification based on the stage in the
process at which the control occurs
◦ Input controls
Designed to ensure data entering the system is valid,
complete and accurate
◦ Process controls
Detect errors and irregularities in the processing of
data
◦ Output controls
Protect the outputs of a system
Authorisation
◦ Is the person authorised to execute the transaction?
Eg: Approvals for a large sale to proceed
Recording
◦ Input Validity
Is the data of the correct format/type?
Does the data represent a valid event?
◦ Input Accuracy
Is all data entered correct?
Completeness
◦ Has all data about an event been recorded?
Transaction level
◦ Have all events been recorded?
Business process level
Timeliness
◦ Is data captured, processed, stored and available as
12. Edit Tests
◦ Check validity and accuracy after data has been input
Test of content
Numeric, Alphabetic, Alphanumeric
Test of reasonableness
Is the input within a specified range of values
Eg Hours worked per week is between 0 and 60
Test of sign (+ive, -ive)
Test of completeness
Test of sequence
Has every document been input? Eg Cheques
Requires pre-numbered source documents
Test of consistency
Check digit calculation
Eg: Credit Card – calculate security number from card number
Card Number 1234 5678 9012 3456
Security Number: 687
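The edit tests listed above (content, reasonableness, sign, completeness) applied to one input record, as an added example that is not part of the original slides. The timesheet field names and the rule table are assumptions; the 0 to 60 hours range is the one given on the slide.

```python
import re

NUMERIC = r"-?\d+(\.\d+)?"

# Constructed rule table for a hypothetical timesheet record.
RULES = {
    "employee_id": {"content": r"[A-Za-z0-9]+"},          # alphanumeric
    "surname":     {"content": r"[A-Za-z]+"},             # alphabetic
    "hours":       {"content": NUMERIC, "range": (0, 60)},  # numeric, 0..60
    "rate":        {"content": NUMERIC, "sign": "+"},     # numeric, positive
}

def edit_tests(record):
    """Return a list of (field, failed_test) pairs; empty means the record passes."""
    errors = []
    for field, rule in RULES.items():
        raw = record.get(field)
        value = "" if raw is None else str(raw).strip()
        if not value:                                  # test of completeness
            errors.append((field, "completeness"))
            continue
        if not re.fullmatch(rule["content"], value):   # test of content
            errors.append((field, "content"))
            continue
        if "range" in rule:                            # test of reasonableness
            low, high = rule["range"]
            if not low <= float(value) <= high:
                errors.append((field, "reasonableness"))
        if rule.get("sign") == "+" and float(value) <= 0:  # test of sign
            errors.append((field, "sign"))
    return errors

# Constructed sample records.
GOOD = {"employee_id": "E1007", "surname": "Nguyen", "hours": "38", "rate": "25.50"}
BAD = {"employee_id": "E1007", "surname": "", "hours": "72", "rate": "-25.50"}

if __name__ == "__main__":
    print(edit_tests(GOOD))
    print(edit_tests(BAD))
```

A record that fails any test is rejected at input, before it reaches processing.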
Observation, Recording and Transcription
◦ Feedback mechanism
Eg: Customer reviews and signs sales form
◦ Dual observation
Eg: Approval from a supervisor, more than one employee in
execution of sale
◦ Pre-designed forms
Pre-numbered
Layout of forms
How does a pre-designed form help?
13. [Figure: sequence check across three columns (SALES DEPT, DATA ENTRY CLERK, COMPUTER). Sale occurs and invoice prepared (Invoices 001 to 007); invoices entered; the computer checks for gaps in the sequence of pre-numbered documents and alerts the clerk of missing documents. Missing: Invoice 006.]
The sequence check has identified that Invoice 006 has not been entered – we do not have completeness.
Controls for the manipulation of data once it
has been input.
◦ Batch control totals
◦ Record counts
◦ Sequence checks
◦ Run to run totals
Which aims do they achieve?
◦ Reliable financial reporting
Accuracy of data processing / updates
Completeness of data processing / updates
14. [Figure: control total comparison across two columns (SALES PERSON, COMPUTER). Sales order; order details; capture sales; calculate check total; credit sales; update accounts receivable (A/R); compare totals.]
The computer takes the daily credit sales data
and updates the accounts receivable master
balances.
The new balance for the accounts receivable
should equal the opening balance + credit
sales
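The sequence check and the control-total comparison described above, as an added example that is not part of the original slides. Customer codes, amounts and function names are constructed; duplicate detection and the record count go slightly beyond the single case on the slides.

```python
from decimal import Decimal as D

def sequence_check(entered, first, last):
    """Return (missing, duplicated) numbers for pre-numbered documents first..last."""
    seen, duplicated = set(), set()
    for n in entered:
        (duplicated if n in seen else seen).add(n)
    missing = [n for n in range(first, last + 1) if n not in seen]
    return missing, sorted(duplicated)

def update_receivables(master, sales):
    """Post credit sales to customer balances, then compare control totals.

    master: {customer: balance}; sales: [(invoice_no, customer, amount)].
    """
    opening_total = sum(master.values(), D("0"))
    check_total = sum((amt for _, _, amt in sales), D("0"))  # taken at capture
    new_master = dict(master)
    posted = 0
    for _, customer, amount in sales:
        # Deliberate processing weakness for the demo: a sale for an unknown
        # customer is skipped without any error message.
        if customer in new_master:
            new_master[customer] += amount
            posted += 1
    closing_total = sum(new_master.values(), D("0"))
    report = {
        "record_count_ok": posted == len(sales),
        # New A/R balance should equal opening balance + credit sales.
        "control_total_ok": closing_total == opening_total + check_total,
        "difference": opening_total + check_total - closing_total,
    }
    return new_master, report

# Constructed sample data: invoices 001-007 prepared, 006 never entered,
# and invoice 005 carries a customer code that is not on the master file.
MASTER = {"C001": D("500.00"), "C002": D("250.00")}
SALES = [(1, "C001", D("100.00")), (2, "C002", D("50.00")),
         (3, "C001", D("25.50")), (4, "C002", D("10.00")),
         (5, "C009", D("75.00")), (7, "C001", D("40.00"))]

if __name__ == "__main__":
    print(sequence_check([s[0] for s in SALES], 1, 7))
    print(update_receivables(MASTER, SALES)[1])
```

The sequence check reports the missing invoice before processing; the total comparison reports the sale that was dropped during processing, which the input checks alone would not reveal.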
16. Judgement error
Unexpected transaction
Collusion
Management override
Weak internal controls
Conflicting signals
Validation of process results
◦ Activity listings
Distribution and Use
◦ Who is able to access the outputs?
◦ Where are the outputs printed to?
◦ Has the relevant user got all of the output
I wish to acknowledge Dr. Chadi Aoun’s input and material that were
incorporated into the lecture slides as well as the supplementary
material and sources provided by John Wiley publishers.
Management incompetence
External factors such as natural disasters
Fraud
Regulatory environment
Information technology such as viruses, email
attacks