
Lesson 6 AIS Internal Control

Uploaded by

Ahzelle Almonia

WEEK 6: Internal Controls

RECAP:

Systems Flowchart: presents a comprehensive picture of the management, operations, information systems & process controls embodied in business processes

Data Flow Diagrams (DFD): portray business process activities, stores of data & flows of data among these elements

Flowchart Symbols Classification:

• Input symbols
• Processing symbols
• Output symbols
• Data stores
• Connectors

INTERNAL CONTROLS:

Types of Control Activities:

• Performance Reviews: activities that involve some form of review or analysis of performance
• Information processing controls: put in place within the organisation to work towards accuracy, completeness
& authorisation of transactions
o Accuracy – aim to make sure that all data that enters the system is correct & reflects the actual
events that are being recorded
o Completeness – aim of ensuring that all events that occur are recorded within the system
o Authorisation (validity) – concerned with whether or not the events that occur are appropriately
approved before being executed
• Physical Controls: controls that are put in place to physically protect the resources of the organisation
• Segregation of Duties: concept that certain key functions should not be performed by the same person

Segregation of Duties:
Typical reference point within a business process is the separation of the following 4 activities:

• Record Keeping – person who records a transaction
• Execution – person who performs a transaction
• Custody – person in possession of the assets involved in a transaction
• Reconciliation – person who reconciles transaction data
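A detective check for the four-way separation above, written as an added example that is not part of the original notes. The activity names, transaction ids and users in the log are constructed for illustration.

```python
from collections import defaultdict

# The four activities the notes say should be separated.
ACTIVITIES = {"record_keeping", "execution", "custody", "reconciliation"}

# Constructed sample log: (transaction id, activity, user). Not real data.
SAMPLE_LOG = [
    ("PO-1001", "execution", "alice"),
    ("PO-1001", "record_keeping", "bob"),
    ("PO-1001", "custody", "carol"),
    ("PO-1001", "reconciliation", "dave"),
    ("PO-1002", "execution", "erin"),
    ("PO-1002", "record_keeping", "erin"),   # same person executes and records
    ("PO-1002", "custody", "carol"),
    ("PO-1002", "reconciliation", "dave"),
    ("PO-1003", "execution", "alice"),
    ("PO-1003", "record_keeping", "bob"),
    ("PO-1003", "custody", "carol"),         # no reconciliation logged
]

def sod_exceptions(log):
    """Return {txn_id: [findings]} for transactions that break segregation of duties."""
    per_txn = defaultdict(lambda: defaultdict(set))   # txn -> user -> activities
    for txn, activity, user in log:
        if activity not in ACTIVITIES:
            raise ValueError(f"unknown activity {activity!r}")
        per_txn[txn][user].add(activity)

    findings = defaultdict(list)
    for txn, users in per_txn.items():
        # One person holding more than one of the four activities.
        for user, acts in sorted(users.items()):
            if len(acts) > 1:
                findings[txn].append(f"{user} performed {', '.join(sorted(acts))}")
        # An activity nobody performed is also an exception worth reporting.
        done = set().union(*users.values())
        for missing in sorted(ACTIVITIES - done):
            findings[txn].append(f"no {missing} recorded")
    return dict(findings)

if __name__ == "__main__":
    for txn, issues in sod_exceptions(SAMPLE_LOG).items():
        print(txn, issues)
```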

Types of Controls – Classification 1:

• Preventive Controls – designed to stop errors or irregularities occurring
• Detective Controls – will not prevent errors from occurring but alert those involved in the system when an
error occurs
• Corrective Controls – designed to correct an error or irregularity after it has occurred

Types of Controls – Classification 2 (no relationship with Classification 1)

• Input Controls – designed to operate as data enters the system. These controls will typically aim to provide
reasonable assurance about accuracy, validity and completeness of data being entered
• Process Controls – put into place to work towards the correct handling of data within the information
process stages
• Output Controls – concerned with the various outputs generated by the process, and focused on issues such
as who can request outputs, how outputs are prepared and making sure all outputs are accounted for

General Controls:

Apply across all the information systems in an organisation

• Physical Controls
o Locked computing premises
o Swipe card access
o Biometric access controls
o Onsite security
o Security Camera
• Segregation of Duties
• User Access (Passwords)
• User Awareness of Risks
• Data storage procedures

INFORMATION PROCESSING CONTROLS (POSSIBLE CONTROL PLANS)

Input Controls for Data Entry

• Standardised forms
• Pre-numbered documents
• Sequence Checks
o If all pre-numbered documents are input to a computer system, then use the computer system to
enforce a sequence check
• Turnaround Documents
o Documents that originate as the output from one system and become input for another
▪ E.g. boarding pass
o With barcode & RFID systems
• Validity Checks
o Take a given input for a field & ensure that it is an acceptable value
▪ E.g. existence of a customer or product
• Completeness Checks
o Ensure that all required data are entered
o Ensure that all documents in a batch are there
• Limit Checks
o Check values input into a field to make sure they fit within a pre-determined upper limit
• Range Checks
o Function in a manner similar to limit checks, with the exception that the checks apply to both upper
and lower limits
• Reasonableness Checks
o Operate to check that numeric input for a field is within a reasonable numeric range
• Redundant Data Checks
o By having the data entered twice and then checking the two sets of inputs and making sure that they
are identical
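Several of the input controls listed above (completeness, validity, range, limit and sequence checks) applied to one batch, as an added example that is not part of the original notes. The field names, customer master, limits and order records are constructed assumptions.

```python
# Constructed master data and limits (assumptions for illustration only).
CUSTOMERS = {"C001", "C002", "C003"}
REQUIRED = ("doc_no", "customer", "qty", "amount")
QTY_RANGE = (1, 500)       # range check: lower and upper limit
AMOUNT_LIMIT = 10_000      # limit check: upper limit only

# Constructed batch of pre-numbered order documents.
BATCH = [
    {"doc_no": 1001, "customer": "C001", "qty": 10, "amount": 250.00},
    {"doc_no": 1002, "customer": "C009", "qty": 5, "amount": 99.50},      # unknown customer
    {"doc_no": 1004, "customer": "C002", "qty": 0, "amount": 80.00},      # 1003 absent, qty 0
    {"doc_no": 1005, "customer": "C003", "qty": 20, "amount": 25000.00},  # above limit
    {"doc_no": 1006, "customer": "C001", "qty": 3, "amount": None},       # amount not entered
]

def check_record(rec):
    """Field-level input controls for one record; returns a list of errors."""
    errors = [f"completeness: {f} missing" for f in REQUIRED if rec.get(f) in (None, "")]
    customer, qty, amount = rec.get("customer"), rec.get("qty"), rec.get("amount")
    if customer and customer not in CUSTOMERS:
        errors.append("validity: unknown customer")
    if qty is not None and not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
        errors.append("range: qty outside allowed range")
    if amount is not None and amount > AMOUNT_LIMIT:
        errors.append("limit: amount above upper limit")
    return errors

def sequence_check(batch):
    """Sequence check on pre-numbered documents: gaps and duplicates."""
    numbers = [r["doc_no"] for r in batch]
    missing = sorted(set(range(min(numbers), max(numbers) + 1)) - set(numbers))
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    return missing, duplicates

def validate_batch(batch):
    """Return (rejected records by doc_no, missing doc numbers, duplicate doc numbers)."""
    rejected = {}
    for rec in batch:
        errors = check_record(rec)
        if errors:
            rejected[rec["doc_no"]] = errors
    missing, duplicates = sequence_check(batch)
    return rejected, missing, duplicates

if __name__ == "__main__":
    print(validate_batch(BATCH))
```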

More Input Controls

• Automated Form Completion – Dropdown Menus
• Transaction Authorisation Procedures – Through setting correct user privileges when a system is
established
o E.g. by requiring staff to log on with unique usernames and passwords, setting up user privileges and
access rights, etc
• Batch Totals (compared with hash totals)
• Independent review

Processing Controls

• Batch Totals – when data is being shifted from one file to another the data should not change (backup)
• Sequence Checks – At the processing stage, these checks can operate to ensure that no data have gone
missing during processing activities
• Hash Totals – Batch totals based around meaningless figures
o E.g. sum of all customer numbers in a batch
• Reconciliations – allows comparison of two sets of information that should theoretically be the same to
identify any inconsistencies
o More powerful if two sets of information are prepared by two different people and an independent
third person performs the review
• Run-to-run Totals
o E.g. the closing balance of accounts receivable (after the sales have been transferred) should equal
the opening balance (before transfers) plus sales (ignoring any payments from customers)
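Batch totals, hash totals and run-to-run totals worked through on one sales batch, as an added example that is not part of the original notes. It shows a posting to the wrong customer that leaves the batch total unchanged and is caught only by the hash total; the customer numbers, amounts and balances are constructed.

```python
from decimal import Decimal

def control_totals(records):
    """Record count, batch total (amounts) and hash total (customer numbers)."""
    return {
        "count": len(records),
        "batch_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["customer_no"] for r in records),
    }

def compare_totals(expected, actual):
    """Return the names of the control totals that no longer agree."""
    return sorted(k for k in expected if expected[k] != actual[k])

def run_to_run_ok(opening, sales_total, closing):
    """Closing AR must equal opening AR plus sales transferred (payments ignored)."""
    return opening + sales_total == closing

# Constructed sales batch as captured at input.
SALES = [
    {"customer_no": 1042, "amount": Decimal("120.00")},
    {"customer_no": 2077, "amount": Decimal("75.50")},
    {"customer_no": 3310, "amount": Decimal("310.25")},
]
# Constructed results after processing: one sale posted to the wrong
# customer (same amount), and one run where the last record went missing.
POSTED_WRONG_CUSTOMER = [SALES[0], {"customer_no": 2707, "amount": Decimal("75.50")}, SALES[2]]
POSTED_DROPPED = SALES[:2]

if __name__ == "__main__":
    before = control_totals(SALES)
    print("input totals:", before)
    print("wrong customer:", compare_totals(before, control_totals(POSTED_WRONG_CUSTOMER)))
    print("dropped record:", compare_totals(before, control_totals(POSTED_DROPPED)))
    print("run-to-run:", run_to_run_ok(Decimal("1000.00"), before["batch_total"], Decimal("1505.75")))
```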

Output Controls

Built around protecting the outputs of the system. These controls protect access to outputs as well as the format &
content of outputs

Examples:

• Access privileges
• Ability to generate reports
• Page numbering of reports
• End of reports footers

DISASTER RECOVERY PLANS:

• Disaster recovery plan: strategy that the organisation will put into action, in the event of a disaster that
disrupts normal operations, to resume operations as soon as possible and recover data that relate to its
processes
• Key provisions include:
o Provisions for temporary sites
▪ Hot sites vs. cold sites
• Hot site – already set up
• Cold site – have to set it up yourself
o Staffing
o Restoring business relationships

RISK MANAGEMENT:

EXECUTION OF INTERNAL CONTROLS

• Consideration of control execution – be it manual or computerised – is important, since there are different
characteristics of manual and computerised controls that can impact on their effectiveness within the
organisation
• Manual Controls:
o Prone to human errors
o Can handle irregularities
• Computer Controls:
o Consistent
o Rely on a sound control environment & general controls

DOCUMENTING CONTROLS

Once controls are established, it is essential to ensure that documentation outlines how these controls operate

• Methods of documentation
o Narrative descriptions
o Questionnaires & checklists
o Flowcharts
o Control matrix (not examinable)
