Chapter Six Control &AIS

This document discusses internal control concepts and frameworks. It outlines four broad objectives of internal control systems: safeguarding assets, ensuring accurate records, promoting efficiency, and ensuring compliance. It then describes the preventive, detective, and corrective model of internal control and the five components of the SAS internal control framework: control environment, risk assessment, information and communication, monitoring, and control activities.

Uploaded by Ambelu Abera

Chapter six

Control & Accounting Information System


6.1. Overview of control concepts
The internal control system of an organization comprises policies, practices, and procedures to achieve the
following four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.
Inherent in these control objectives are four assumptions that guide designers and auditors of
internal controls.
1. Management Responsibility: This concept holds that the establishment and maintenance of a system of
internal control is a management responsibility.
2. Reasonable Assurance: The internal control system should provide reasonable assurance that the four
broad objectives of internal control are met in a cost-effective manner. This means that no system of
internal control is perfect and the cost of achieving improved control should not outweigh its benefits.
3. Methods of Data Processing: Internal controls should achieve the four broad objectives regardless of
the data processing method used. The control techniques used to achieve these objectives will, however,
vary with different types of technology.
4. Limitations: Every system of internal control has limitations on its effectiveness. These include (1) the
possibility of error: no system is perfect; (2) circumvention: personnel may circumvent the system through
collusion or other means; (3) management override: management is in a position to override control
procedures by personally distorting transactions or by directing a subordinate to do so; and (4) changing
conditions: conditions may change over time so that existing controls become ineffectual.
The internal control system protects the firm’s assets from numerous undesirable events. These include
attempts at unauthorized access to the firm’s assets (including information); fraud perpetrated by persons
both inside and outside the firm; errors due to employee incompetence, faulty computer programs, and
corrupted input data; and mischievous acts, such as unauthorized access by computer hackers and threats
from computer viruses that destroy programs and databases.

6.1.1. The Preventive–Detective–Corrective Internal Control Model

• Preventive Controls: Prevention is the first line of defense in the control structure. Preventive
controls are passive techniques designed to reduce the frequency of occurrence of undesirable
events. Preventive controls force compliance with prescribed or desired actions and thus screen
out abnormal events. When designing internal control systems, an ounce of prevention is most
certainly worth a pound of cure. Preventing errors and fraud is far more cost-effective than
detecting and correcting problems after they occur. The vast majority of undesirable events can
be blocked at this first level. A well-designed source document, for example, is a
preventive control. The logical layout of the document into zones that contain specific data, such
as customer name, address, items sold, and quantity, forces the clerk to enter the necessary data.
The source document can therefore prevent necessary data from being omitted. However, not all
problems can be anticipated and prevented.
• Detective Controls: Detective controls form the second line of defense. These are devices,
techniques, and procedures designed to identify and expose undesirable events that elude
preventive controls. Detective controls reveal specific types of errors by comparing actual
occurrences to pre-established standards. When the detective control identifies a departure from
standard, it sounds an alarm to attract attention to the problem. For example, assume a clerk
entered the following data on a customer sales order:

    Quantity    Price    Total
    10          $10      $1,000

Before processing this transaction and posting to the accounts, a detective control should
recalculate the total value using the price and quantity (i.e., $100). Thus the error in the total
would be detected.
• Corrective Controls: Corrective controls are actions taken to reverse the effects of errors
detected in the previous step. There is an important distinction between detective controls and
corrective controls. Detective controls identify anomalies and draw attention to them; corrective
controls actually fix the problem. For any detected error, however, there may be more than one
feasible corrective action, and the best course of action may not always be obvious. For example,
in viewing the error above, your first inclination may have been to change the total value from
$1,000 to $100 to correct the problem. This presumes that the quantity and price values on the
document are correct; they may not be. For instance, the quantity could be 100 units. At this point,
we cannot determine the real cause of the problem; we know only that one exists. Linking a
corrective action to a detected error, as an automatic response, may result in an incorrect action
that causes a worse problem than the original error. For this reason, error correction should be
viewed as a separate control step that should be taken cautiously.
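The detective and corrective steps above, written out as an added example (this is not code from the chapter). The detective control recomputes quantity × price and compares it with the keyed total; on a mismatch it reports every field whose correction would reconcile the line, because the control can only say that an error exists, not where. Correction is a separate function that a reviewer calls after deciding which field was wrong, and it re-runs the detective check so a bad correction cannot be posted. The OrderLine type and field names are assumptions.

```python
"""Detective and corrective controls on a sales-order line (section 6.1.1).

Added example, not code from the chapter. OrderLine and the field names are
assumptions; the sample order is the clerk's entry from the text.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class OrderLine:
    quantity: int
    price: Decimal   # unit price
    total: Decimal   # extended total as keyed by the clerk


def make_line(quantity: int, price: str, total: str) -> OrderLine:
    """Build a line from keyed values; money is kept as Decimal, never float."""
    return OrderLine(quantity, Decimal(price), Decimal(total))


def recompute_total(line: OrderLine) -> Decimal:
    """Independent recomputation of the total from the other two fields."""
    return Decimal(line.quantity) * line.price


def detect_total_error(line: OrderLine) -> Optional[dict]:
    """Detective control. Returns None when the line reconciles, otherwise a
    finding that raises the alarm without changing anything on the line."""
    expected = recompute_total(line)
    if expected == line.total:
        return None
    candidates = [{"fix": "total", "value": expected}]            # total mis-keyed
    if line.price != 0 and line.total % line.price == 0:         # quantity mis-keyed
        candidates.append({"fix": "quantity", "value": int(line.total / line.price)})
    if line.quantity != 0 and line.total % line.quantity == 0:   # price mis-keyed
        candidates.append({"fix": "price", "value": line.total / line.quantity})
    return {"keyed_total": line.total, "recomputed_total": expected,
            "candidates": candidates}


def apply_correction(line: OrderLine, fix: str, value) -> OrderLine:
    """Corrective control, run only after a person has chosen which field was
    wrong. The corrected line goes back through the detective control so a
    wrong correction is refused rather than posted."""
    fields = {"quantity": line.quantity, "price": line.price, "total": line.total}
    if fix not in fields:
        raise ValueError(f"unknown field {fix!r}")
    fields[fix] = value
    corrected = OrderLine(**fields)
    if detect_total_error(corrected) is not None:
        raise ValueError("correction does not reconcile the line; do not post")
    return corrected


def example_sales_order() -> OrderLine:
    """The clerk's entry from the text: 10 units at $10 with a keyed total of $1,000."""
    return make_line(10, "10", "1000")


if __name__ == "__main__":
    # Three candidate fixes come back (total=100, quantity=100, or price=100);
    # the control cannot choose between them, which is the point of the text.
    print(detect_total_error(example_sales_order()))
```

Note that for the chapter's own numbers all three hypotheses reconcile the line, so an automatic "fix the total" rule would silently pick one of three possible realities; the finding leaves that choice to a person.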

6.1.2. SAS Internal Control Framework


The current authoritative document for specifying internal control objectives and techniques is
Statement on Auditing Standards (SAS). The SAS framework consists of five components: the
control environment, risk assessment, information and communication, monitoring, and control
activities.
• The Control Environment: The control environment is the foundation for the other four control
components. The control environment sets the tone for the organization and influences the
control awareness of its management and employees. Important elements of the control
environment are:
   - The integrity and ethical values of management.
   - The structure of the organization.
   - The participation of the organization’s board of directors and the audit committee, if one exists.
   - Management’s philosophy and operating style.
   - The procedures for delegating responsibility and authority.
   - Management’s methods for assessing performance.
   - External influences, such as examinations by regulatory agencies.
   - The organization’s policies and practices for managing its human resources.
• Risk Assessment: Organizations must perform a risk assessment to identify, analyze, and
manage risks relevant to financial reporting. Risks can arise or change from circumstances such
as:
   - Changes in the operating environment that impose new or changed competitive pressures on the firm.
   - New personnel who have a different or inadequate understanding of internal control.
   - New or reengineered information systems that affect transaction processing.
   - Significant and rapid growth that strains existing internal controls.
   - The implementation of new technology into the production process or information system that impacts transaction processing.
   - The introduction of new product lines or activities with which the organization has little experience.
   - Organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected.
   - Entering into foreign markets that may impact operations (that is, the risks associated with foreign currency transactions).
   - Adoption of a new accounting principle that impacts the preparation of financial statements.
• Information and Communication: The accounting information system (AIS) consists of the
records and methods used to initiate, identify, analyze, classify, and record the organization’s
transactions and to account for the related assets, liabilities, equities, revenues, and/or expenses.
The quality of information the AIS generates impacts management’s ability to take actions and
make decisions in connection with the organization’s operations and to prepare reliable financial
statements. An effective accounting information system will:
   - Identify and record all valid financial transactions.
   - Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting.
   - Accurately measure the financial value of transactions so their effects can be recorded in financial statements.
   - Accurately record transactions in the time period in which they occurred.
• Monitoring: Monitoring is the process by which the quality of internal control design and
operation can be assessed. This may be accomplished by separate procedures or by ongoing
activities. An organization’s internal auditors may monitor the entity’s activities in separate
procedures. They gather evidence of control adequacy by testing controls and then communicate
control strengths and weaknesses to management. As part of this process, internal auditors make
specific recommendations for improvements to controls. Ongoing monitoring may be achieved
by integrating special computer modules into the information system that capture key data and/or
permit tests of controls to be conducted as part of routine operations. Embedded modules thus
allow management and auditors to maintain constant surveillance over the functioning of internal
controls.
• Control Activities: Control activities are the policies and procedures used to ensure that
appropriate actions are taken to deal with the organization’s identified risks. Control activities
can be grouped into two distinct categories: IT controls and physical controls.
IT Controls: IT controls relate specifically to the computer environment. They fall into two broad
groups: general controls and application controls. General controls pertain to entity-wide
concerns such as controls over the data center, organization databases, systems development, and
program maintenance. Application controls ensure the integrity of specific systems such as sales
order processing, accounts payable, and payroll applications.
Physical Controls: This class of controls relates primarily to the human activities employed in
accounting systems. These activities may be purely manual, such as the physical custody of
assets, or they may involve the physical use of computers to record transactions or update
accounts. Physical controls do not relate to the computer logic that actually performs accounting
tasks. There are six categories of physical control activities: transaction authorization,
segregation of duties, supervision, accounting records, access control, and independent
verification.
A. Transaction Authorization: The purpose of transaction authorization is to ensure that all
material transactions processed by the information system are valid and in accordance with
management’s objectives. Authorizations may be general or specific. General authority is
granted to operations personnel to perform day-to-day operations. An example of general
authorization is the procedure to authorize the purchase of inventories from a designated
vendor only when inventory levels fall to their predetermined reorder points. On the other
hand, specific authorizations deal with case-by-case decisions associated with non-routine
transactions. An example of this is the decision to extend a particular customer’s credit limit
beyond the normal amount. Specific authority is usually a management responsibility.
B. Segregation of Duties: One of the most important control activities is the segregation of
employee duties to minimize incompatible functions. Segregation of duties can take many
forms, depending on the specific duties to be controlled.
C. Supervision: Implementing adequate segregation of duties requires firms to employ a
sufficiently large number of employees. Obviously, it is impossible to separate five
incompatible tasks among three employees. Therefore, in small organizations that lack
sufficient personnel, management must compensate for the absence of segregation controls
with close supervision. For this reason, supervision is often called a compensating control.
D. Accounting Records: The accounting records of an organization consist of source
documents, journals, and ledgers. These records capture the economic essence of
transactions and provide an audit trail of economic events. The audit trail enables the auditor
to trace any transaction through all phases of its processing from the initiation of the event to
the financial statements.
E. Access Control: The purpose of access controls is to ensure that only authorized personnel
have access to the firm’s assets. Unauthorized access exposes assets to misappropriation,
damage, and theft. Therefore, access controls play an important role in safeguarding assets.
Access to assets can be direct or indirect. Physical security devices, such as locks, safes,
fences, and electronic and infrared alarm systems, control against direct access. Indirect
access to assets is achieved by gaining access to the records and documents that control the
use, ownership, and disposition of the asset.
F. Independent Verification: Verification differs from supervision because it takes place
after the fact, by an individual who is not directly involved with the transaction or task being
verified. Supervision takes place while the activity is being performed. Through independent
verification procedures, management can assess (1) the performance of individuals, (2) the
integrity of the transaction processing system, and (3) the correctness of data contained in
accounting records.
6.2. Information System Control
Information technology drives the financial reporting processes of modern organizations. Automated
systems initiate, authorize, record, and report the effects of financial transactions. As such, they are
inextricable elements of the financial reporting processes that SOX considers and must be controlled.
COSO identifies two broad groupings of information system controls: application controls and general
controls.

6.2.1 Application Controls: The objectives of application controls are to ensure the validity,
completeness, and accuracy of financial transactions. These controls are designed to be
application-specific. Examples include:
- A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger.
- An accounts receivable check digit procedure that validates customer account numbers on sales transactions.
- A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.
Application controls are associated with specific applications, such as payroll, purchases, and cash
disbursements systems. These fall into three broad categories: input controls, processing controls,
and output controls.
6.2.1.1 Input Controls: Input controls are programmed procedures (routines) that perform tests on
transaction data to ensure that they are free from errors. Input control routines should be designed
into the system at different points, depending on whether transaction processing is real time or
batch. Input controls in real-time systems are placed at the data collection stage to monitor data as
they are entered from terminals. Batch systems often collect data in transaction files, where they
are temporarily held for subsequent processing. In this case, input control tests are performed as a
separate procedure (or run) prior to the master file update process.
6.2.1.2 Processing Controls: After passing through the data input stage, transactions enter the
processing stage of the system. Processing controls are programmed procedures and may be
divided into three categories: batch controls, run-to-run controls, and audit trail controls.
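The three application-control examples listed in 6.2.1, together with the input and processing controls of 6.2.1.1 and 6.2.1.2, as one added example (not code from the chapter): a check-digit input control on customer account numbers, a payroll limit check, and a batch balancing control that compares the control totals captured at data entry with those recomputed after posting (the run-to-run idea). The check-digit scheme (Luhn mod 10), the 60-hour limit, the record layouts and all sample records are assumptions constructed for the demonstration.

```python
"""Application controls from section 6.2.1: check digit, limit check, and
batch balancing / run-to-run control.

Added example, not code from the chapter. The Luhn mod-10 scheme, the hours
limit, the record layouts and the sample records are all assumptions.
"""
from decimal import Decimal

NORMAL_HOURS_LIMIT = 60   # assumed predetermined normal limit for a pay period


# --- Input control: check digit on customer account numbers -----------------
def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a digit string: double every second digit
    counted from the right of the body, subtract 9 from doubled values over 9,
    and pick the digit that brings the sum to a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def account_number_valid(account: str) -> bool:
    """Reject a mis-keyed account number (a single wrong digit or an adjacent
    transposition) before the sales transaction is accepted."""
    if not account.isdigit() or len(account) < 2:
        return False
    return luhn_check_digit(account[:-1]) == account[-1]


# --- Input control: payroll limit check -------------------------------------
def flag_excess_hours(timecards) -> list:
    """Return the employee ids whose reported hours exceed the normal limit;
    those records go to a reviewer rather than straight into the payroll run."""
    return [tc["employee"] for tc in timecards if tc["hours"] > NORMAL_HOURS_LIMIT]


# --- Processing control: batch balancing / run-to-run -----------------------
def control_totals(records) -> dict:
    """Record count, amount total and a hash total of the account numbers.
    The hash total has no business meaning; it exists only to detect a
    dropped, duplicated or altered record between runs."""
    return {
        "record_count": len(records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def batch_balances(payments, ap_postings) -> dict:
    """Compare the totals captured at data entry with those recomputed after
    posting to the accounts payable subsidiary ledger."""
    before, after = control_totals(payments), control_totals(ap_postings)
    return {"balanced": before == after, "input_totals": before, "posted_totals": after}


# Constructed sample data (not from the chapter).
SAMPLE_TIMECARDS = [
    {"employee": "E001", "hours": 40},
    {"employee": "E002", "hours": 58},
    {"employee": "E003", "hours": 72},   # over the assumed limit
]
SAMPLE_PAYMENTS = [
    {"account": "79927398713", "amount": Decimal("1250.00")},
    {"account": "30000000007", "amount": Decimal("480.50")},
    {"account": "12345678903", "amount": Decimal("99.99")},
]
# The same batch as it arrived at the posting run, with the second record lost.
SAMPLE_POSTINGS_DROPPED = [SAMPLE_PAYMENTS[0], SAMPLE_PAYMENTS[2]]

if __name__ == "__main__":
    print(flag_excess_hours(SAMPLE_TIMECARDS))
    print(batch_balances(SAMPLE_PAYMENTS, SAMPLE_POSTINGS_DROPPED))
```

In a batch system these checks run as a separate edit run before the master file update, as 6.2.1.1 describes; in a real-time system the same functions would sit behind the data entry screen. The three control totals are deliberately independent of each other: a lost record changes all three, a changed amount only the amount total, and a changed account number only the hash total, which tells the operator what kind of error to look for.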
6.2.1.3 Output Controls: Output controls are a combination of programmed routines and other
procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is
not violated. Exposures of this sort can cause serious disruptions to operations and may result in
financial losses to a firm. For example, if the checks a firm’s cash disbursements system produces
are lost, misdirected, or destroyed, trade accounts and other bills may go unpaid. This could
damage the firm’s credit rating and result in lost discounts, interest, or penalty charges. If the
privacy of certain types of output is violated, a firm could have its business objectives
compromised or could become exposed to litigation.
6.2.2 General controls: The second broad group of controls that COSO identifies is general controls.
They are so named because they are not application-specific but, rather, apply to all systems.
General controls have other names in other frameworks, including general computer controls and
information technology controls. Whatever name is used, they include controls over IT
governance, IT infrastructure, security and access to operating systems and databases, application
acquisition and development, and program changes. Whereas general controls do not control
specific transactions, they have an effect on transaction integrity. For example, consider an
organization with poor database security controls. In such a situation, even data processed by
systems with adequate built-in application controls may be at risk. An individual who is able to
circumvent database security (either directly or via a malicious program) may then change, steal,
or corrupt stored transaction data. Thus, general controls are needed to support the functioning of
application controls, and both are needed to ensure accurate financial reporting.
6.2.2.1 IT Governance Control: IT governance is a broad concept relating to the decision rights and
accountability for encouraging desirable behavior in the use of IT. Though important, not all
elements of IT governance relate specifically to control issues that SOX addresses and that are
outlined in the COSO framework. In this section, we consider three governance issues that do:
organizational structure of the IT function. The discussion on each of these governance issues
begins with an explanation of the nature of risk and a description of the controls needed to
mitigate the risk.
6.2.2.2 Organizational Structure Control: Previous sections have stressed the importance of
segregating incompatible duties within manual activities. Specifically, operational tasks should
be separated to:
1. Segregate the task of transaction authorization from transaction processing.
2. Segregate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals so that fraud will require collusion between two or more individuals.
The tendency in an IT environment is to consolidate activities. A single application may authorize, process, and
record all aspects of a transaction. Thus, the focus of segregation control shifts from the
operational level (transaction processing tasks that computer programs now perform) to
higher-level organizational relationships within the IT function. The interrelationships among
systems development, application maintenance, database administration, and computer
operations activities are of particular concern. The following section examines organizational
control issues within the context of two generic models (i.e., the centralized model and the
distributed model).
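The three separation rules above, encoded as an added example (not code from the chapter) in both a preventive form and a detective form. The preventive check refuses to let a person take on a duty that would complete an incompatible pair on a transaction; the detective check scans an audit log after the fact and reports which person performed which incompatible pair. The duty names, the audit-log row layout and the sample log are assumptions.

```python
"""Segregation-of-duties control for a transaction workflow (section 6.2.2.2).

Added example, not code from the chapter. Duty names, the log layout
(txn_id, user, duty) and the sample log are assumptions.
"""
from collections import defaultdict

# Incompatible duty pairs, one per rule stated in the text.
INCOMPATIBLE = {
    frozenset({"authorize", "process"}),   # rule 1: authorization vs. processing
    frozenset({"record", "custody"}),      # rule 2: record keeping vs. asset custody
}
# Rule 3: the processing steps of one transaction must not all sit with one
# person, so that fraud requires collusion. Step names are assumed.
PROCESSING_STEPS = frozenset({"process", "record", "custody"})


def may_perform(duties_so_far: set, duty: str) -> bool:
    """Preventive form: refuse the duty if it would give this person an
    incompatible pair, or every processing step, on the same transaction."""
    proposed = set(duties_so_far) | {duty}
    if any(pair <= proposed for pair in INCOMPATIBLE):
        return False
    return not PROCESSING_STEPS <= proposed


def duties_by_user(log):
    """Group the duties each user performed on each transaction."""
    out = defaultdict(lambda: defaultdict(set))
    for txn_id, user, duty in log:
        out[txn_id][user].add(duty)
    return out


def sod_violations(log) -> list:
    """Detective form: scan the audit log and return (txn_id, user, what)
    for every incompatible combination one person performed."""
    findings = []
    for txn_id, users in duties_by_user(log).items():
        for user, duties in users.items():
            for pair in INCOMPATIBLE:
                if pair <= duties:
                    findings.append((txn_id, user, "+".join(sorted(pair))))
            if PROCESSING_STEPS <= duties:
                findings.append((txn_id, user, "all-processing-steps"))
    return sorted(findings)


# Constructed sample audit log (not from the chapter).
SAMPLE_LOG = [
    ("T1", "alice", "authorize"),
    ("T1", "bob", "process"),
    ("T1", "carol", "record"),
    ("T1", "dave", "custody"),
    ("T2", "bob", "authorize"),    # bob both authorizes and processes T2
    ("T2", "bob", "process"),
    ("T2", "carol", "record"),
    ("T2", "carol", "custody"),    # carol keeps the records and the asset
]

if __name__ == "__main__":
    for finding in sod_violations(SAMPLE_LOG):
        print(finding)
```

The preventive check is the one an application would call before accepting an action; the detective scan is what an internal auditor or an embedded monitoring module (see Monitoring above) runs over the log. In a small firm that cannot staff four separate roles, the detective findings are exactly what close supervision, the compensating control of section 6.1.2, has to cover.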

Segregation of Duties within the Centralized Firm.

Figure: Organizational Chart of a Centralized IT Function
