Lecture 5 - Internal Control

The document provides an overview of internal control systems in accounting information systems, emphasizing their importance in ensuring operational efficiency, reliable financial reporting, and compliance with regulations. It outlines various threats and risks associated with accounting information systems, such as cyberattacks and fraud, and details components of internal controls, including control environment, risk assessment, and monitoring activities. Additionally, it discusses different types of controls (preventive, detective, corrective) and their implementation to mitigate risks and maintain data integrity.

CIA2002

ACCOUNTING INFORMATION
SYSTEMS

Introduction to Internal Control

LECTURE 5
Understanding Internal Control
➢ Internal control is a system of procedures, policies, and practices aimed at ensuring the efficient and effective operation of an organization.
➢ It helps organizations achieve objectives related to
⚫ operational effectiveness and efficiency,
⚫ reliable financial reporting, and
⚫ compliance with laws and regulations.
Why Do We Need Controls?
⚫ safeguard assets
⚫ maintain the integrity of data
⚫ ensure compliance with regulations
⚫ achieve effectiveness
⚫ achieve efficiency
Threats in AIS
➢ Threats are potential events that may cause harm or loss.
➢ Examples in AIS include:
• Cyberattacks: Hacking, ransomware.
• Fraud: Employee manipulation of financial records.
• Data Loss: Accidental deletion, natural disasters.
Risks in AIS
➢ Risks are the likelihood and impact of threats materializing.
➢ Common AIS risks include:
• Unauthorized Access: Breach of data confidentiality.
• System Downtime: Interruptions affecting business operations.
• Financial Misstatements: Due to errors or fraud.
What is an Accounting Error?
➢ An error in an accounting entry that was not intentional.
➢ When spotted, the error or mistake is often immediately fixed.
➢ Most common accounting errors are either clerical mistakes or errors of accounting principle.
What are the types of accounting errors?
Irregularities in AIS
➢ Irregularities are intentional manipulations or fraudulent
activities within the AIS to mislead users of financial
information.
➢ Examples
1. Falsified Financial Statements: Overstating revenue to attract investors - Misleads stakeholders, leading to potential legal consequences and loss of credibility.
2. Fraudulent Transactions: Creating fake vendor accounts to transfer money through bogus invoices - Financial losses, reputational damage, and regulatory penalties.
The Internal Controls Shield -
Mitigation of Threats and Risks

Components of Internal Controls
• Control Environment: Ethical values, management philosophy, organizational structure – e.g. Establishing clear ethical guidelines and training programs.
• Risk Assessment: Identification and analysis of risks – e.g. Regular risk assessment meetings and documented risk registers.
• Control Activities: Policies and procedures addressing identified risks – e.g. Approval processes, segregation of duties, and periodic reconciliations.
Components of Internal Controls

• Information and Communication: Effective communication channels – e.g. Regular internal reporting systems and transparent communication platforms.
• Monitoring Activities: Continuous assessment and adjustments to controls – e.g. Continuous assessment and adjustments to controls.
Component of Internal Control –
Registration for CIA2002

As you interact with the university’s academic processes, you become an active participant in the same types of internal controls you are learning about in class.
Component of Internal Control –
Registration for CIA2002
| COSO Component | Student Responsibility in CIA2002 | Internal Control Purpose |
|---|---|---|
| Control Environment | Register ethically and honestly | Promotes a culture of fairness and accountability |
| Risk Assessment | Evaluate workload before registering | Prevents overload and supports academic success |
| Control Activities | Follow registration rules and prerequisites, Attendance | Ensures consistent, fair course enrolment |
| Info & Communication | Monitor emails, course portal, and updates | Keeps student informed and responsive |
| Monitoring Activities | Review grades and seek help when needed | Identifies weaknesses and enables improvement |
Component of Internal Control –
Attendance & Responsibilities in
CIA2002
| COSO Component | Student Responsibility in CIA2002 | Internal Control Purpose |
|---|---|---|
| Control Environment | | |
| Risk Assessment | | |
| Control Activities | | |
| Info & Communication | | |
| Monitoring Activities | | |
Nature of Internal Controls
• Preventive Controls:
• Designed to prevent errors or irregularities (e.g.,
separation of duties).

• Detective Controls:
• Designed to identify errors or irregularities after
occurrence (e.g., reconciliations).

• Corrective Controls:
• Designed to correct issues identified by detective
controls (e.g., data backups and recovery)
Mitigation of Threats and Risks: Nature of
Internal Controls

Figure 3-3

Characteristics of Mitigating Controls
| Feature | Preventive Controls | Detective Controls | Corrective Controls |
|---|---|---|---|
| Timing | Before the event | During/after the event | After detection of the event |
| Examples | Password policies, segregation of duties | Reconciliations, audit trails | Data recovery, system updates |
| Objective | Prevent errors/irregularities | Identify errors/irregularities | Fix errors and improve processes |
| Implementation Focus | Proactive measures | Monitoring systems | Restorative actions |
Core Principles of Internal Control

• Segregation of Duties,
• Authorization of Transactions,
• Access Control,
• Independent Verification, and
• Accounting Records.

These components align with different control types (preventive, detective, corrective) and serve to mitigate risks and maintain reliable, efficient processes.
Integration of Controls in Internal
Control Frameworks
| Control | Type | Example in Practice | Objective |
|---|---|---|---|
| Segregation of Duties | Preventive | Different staff create and approve purchase orders. | Prevent fraud/errors by dividing responsibilities. |
| Authorization of Transactions | Preventive | Manager approves purchases over $5,000. | Prevent unauthorized activities. |
| Access Control | Preventive | Password-protected financial records accessible by finance. | Protect sensitive data from unauthorized access. |
| Independent Verification | Detective | Auditor reviews monthly reconciliations. | Identify errors or irregularities. |
| Accounting Records | Preventive/Detective | Maintain detailed logs of sales transactions. | Ensure records are accurate and complete. |
Segregation of Duties (SoD)
➢ Segregation of Duties divides tasks and
responsibilities among different individuals to
reduce the risk of errors, fraud, and misuse of
assets.

➢ Objective
• Ensure no single individual has control over all
aspects of a critical process.
• Mitigate the risk of fraudulent activities or
manipulation.
Examples of Segregation of Duties
➢ Cash Handling:
⚫ One person collects cash, while another records it and
a third reconciles it.
➢ Payroll
⚫ HR sets up employee records, the accounting team
processes payroll, and an independent team audits
the payments.
➢ Risks of Poor SoD
• Fraud: Employees exploiting their control over
multiple functions.
• Errors: Unintentional mistakes going undetected.
Authorization of Transactions
➢ Definition
⚫ Authorization involves granting formal approval
before transactions occur, ensuring that all activities
align with organizational policies and limits.
➢ Objective
• Prevent unauthorized or inappropriate activities.
• Ensure accountability by assigning responsibility for
approvals.
➢ Types of Control
• Preventive Control: Stops unauthorized actions
before they happen.
Examples of Authorization of Transactions
➢ Purchase Approval:
⚫ Managers approve purchase orders exceeding a
certain amount.
➢ Credit Limit Authorization:
⚫ Customer credit limits require manager approval
before being exceeded.
➢ Risks Without Proper Authorization
• Unauthorized expenditures.
• Fraudulent activities such as fake expense claims.
Access Control
➢ Definition
⚫ Access Control restricts who can view or use
systems, data, or resources. It ensures that only
authorized individuals can perform specific
actions.
➢ Objective
• Protect sensitive information and systems.
• Prevent unauthorized access and misuse.
➢ Types of Control
• Preventive Control: Restricts access to
sensitive data and systems.
Examples of Access Control
➢ Physical Access:
⚫ Restricted access to server rooms or financial
documents.
➢ System Access:
⚫ Role-based access control (e.g., finance staff access
payroll but not sales data).
➢ Authentication:
⚫ Use of multi-factor authentication (MFA) for logging into
sensitive systems.
➢ Risks Without Proper Access Control
• Data breaches due to unauthorized access.
• Insider threats or accidental data leaks.
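The segregation of duties, authorization and access control sections above describe three preventive controls that a purchase-to-pay system can enforce in code before an action takes effect. The Python below is an added example written for this page, not code from the lecture or from any product: the role names, the incompatible-duty pairs and the `purchasing_manager` role are assumed for illustration, while the $5,000 approval threshold and the create/approve and vendor-creation/payment task pairs mirror the lecture's own examples.

```python
from dataclasses import dataclass, field

# Access control: which roles may perform which tasks (assumed policy).
ROLE_PERMISSIONS = {
    "purchasing": {"create_vendor", "create_po"},
    "purchasing_manager": {"create_vendor", "create_po", "approve_po"},
    "manager": {"approve_po"},
    "accounts_payable": {"approve_payment"},
    "finance": {"view_payroll"},
}

# Segregation of duties: task pairs the same person must not perform on one
# transaction, even when their role technically permits both (assumed policy,
# mirroring the lecture's create/approve and vendor-creation/payment examples).
INCOMPATIBLE_DUTIES = {
    frozenset({"create_po", "approve_po"}),
    frozenset({"create_vendor", "approve_payment"}),
}

# Authorization of transactions: POs above this amount need a manager's approval
# before they can be released for payment (threshold from the lecture's example).
APPROVAL_THRESHOLD = 5_000.00


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action before it takes effect."""


@dataclass
class PurchaseOrder:
    po_id: str
    amount: float
    actions: list = field(default_factory=list)   # (user, role, task) history
    approved: bool = False


def perform(po: PurchaseOrder, user: str, role: str, task: str) -> None:
    """Run the access-control and segregation-of-duties checks, then record the action."""
    # 1. Access control: the role must be permitted to do this task at all.
    if task not in ROLE_PERMISSIONS.get(role, set()):
        raise ControlViolation(f"{user} ({role}) is not permitted to {task}")
    # 2. Segregation of duties: the same user must not hold both halves of an
    #    incompatible pair on the same PO.
    for prior_user, _prior_role, prior_task in po.actions:
        if prior_user == user and frozenset({prior_task, task}) in INCOMPATIBLE_DUTIES:
            raise ControlViolation(
                f"{user} already did {prior_task} on {po.po_id}; cannot also {task}")
    po.actions.append((user, role, task))
    if task == "approve_po":
        po.approved = True


def release_for_payment(po: PurchaseOrder) -> bool:
    """Authorization control: large POs are only payable once a manager has approved them."""
    return po.amount <= APPROVAL_THRESHOLD or po.approved


if __name__ == "__main__":
    po = PurchaseOrder("PO-1", 7_500.00)          # constructed example PO
    perform(po, "bob", "purchasing_manager", "create_po")
    for user, role in [("bob", "purchasing_manager"), ("dave", "finance"), ("carol", "manager")]:
        try:
            perform(po, user, role, "approve_po")
            print(f"{user} approved {po.po_id}")
        except ControlViolation as exc:
            print("blocked:", exc)
    print("payable:", release_for_payment(po))
```

Note how the three controls layer: the role check stops `dave` (finance) from approving at all, the duty check stops `bob` from approving a PO he himself created even though his role allows approvals, and the threshold keeps the $7,500 PO unpayable until `carol` approves it.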
Independent Verification
➢ Definition
⚫ Independent Verification involves reviewing
processes or transactions by someone not
involved in their execution to ensure accuracy and
integrity.
➢ Objective
• Identify errors or irregularities.
• Confirm compliance with policies and procedures.
➢ Types of Control
• Detective Control: Identifies issues that have
already occurred.
Examples of Independent Verification
➢ Bank Reconciliations:
⚫ Comparing internal cash records with bank
statements.
➢ Inventory Counts:
⚫ Cross-checking physical inventory with system
records.
➢ Vendor Statement Reconciliations:
⚫ Reviewing vendor invoices against payment records.
➢ Risks Without Independent Verification
• Errors or fraudulent activities may go undetected.
• Lack of accountability.
Accounting Records
➢ Definition
⚫ Accurate and complete accounting records provide a
trail of transactions, supporting transparency and
accountability.
➢ Objective
• Ensure that all transactions are recorded accurately
and in a timely manner.
• Facilitate auditing and financial reporting.
➢ Types of Control
• Preventive Control: Ensures records are maintained.
• Detective Control: Detects omissions or inaccuracies
in records.
Examples of Accounting Records
➢ Audit Trails:
⚫ Maintain detailed logs of financial transactions.
➢ Standardized Formats:
⚫ Use templates for invoices and journal entries to ensure consistency.
➢ Regular Updates:
⚫ Daily reconciliation of cash and ledger entries.
➢ Risks Without Proper Accounting Records
• Loss of financial integrity.
• Difficulty in detecting fraud or errors.
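As an added example covering both the Independent Verification section (bank reconciliation) and the Accounting Records section (audit trail), the Python below keeps a cash ledger whose every posting is also written to an append-only audit trail, then reconciles the ledger against a bank statement by document reference and amount. It is not code from the lecture; the ledger postings, bank statement lines and user names are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    """One cash movement; positive amounts are receipts, negative are payments."""
    ref: str
    amount: float


class Ledger:
    """Cash ledger where every posting also lands in an append-only audit trail."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []
        self.audit_trail: list[dict] = []

    def post(self, user: str, entry: Entry) -> None:
        self.entries.append(entry)
        # Accounting-records control: who posted what, and when, is kept and never overwritten.
        self.audit_trail.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": "post",
            "ref": entry.ref,
            "amount": entry.amount,
        })

    def balance(self) -> float:
        return round(sum(e.amount for e in self.entries), 2)


def trail_for(ledger: Ledger, ref: str) -> list[dict]:
    """Audit-trail lookup: every recorded action touching one document reference."""
    return [rec for rec in ledger.audit_trail if rec["ref"] == ref]


def reconcile(ledger_entries, bank_entries) -> dict:
    """Independent-verification control: match ledger and bank lines by (ref, amount).

    Counters are used so that a duplicated posting shows up as an extra
    ledger-only line instead of being silently matched against one bank line."""
    ledger_counts = Counter((e.ref, e.amount) for e in ledger_entries)
    bank_counts = Counter((e.ref, e.amount) for e in bank_entries)
    return {
        "matched": sum((ledger_counts & bank_counts).values()),
        # in the ledger but not on the statement: uncleared cheques, or duplicate/fictitious postings
        "only_in_ledger": sorted((ledger_counts - bank_counts).elements()),
        # on the statement but not in the ledger: e.g. bank charges not yet recorded
        "only_in_bank": sorted((bank_counts - ledger_counts).elements()),
    }


# Constructed sample data, not real accounting records.
LEDGER = Ledger()
LEDGER.post("clerk1", Entry("RCPT-101", 1200.00))
LEDGER.post("clerk1", Entry("CHQ-2001", -450.00))
LEDGER.post("clerk2", Entry("CHQ-2002", -300.00))
LEDGER.post("clerk2", Entry("CHQ-2002", -300.00))   # posted twice by mistake

BANK_STATEMENT = [
    Entry("RCPT-101", 1200.00),
    Entry("CHQ-2001", -450.00),
    Entry("CHQ-2002", -300.00),
    Entry("FEE-0001", -15.00),                       # bank charge not yet in the ledger
]

if __name__ == "__main__":
    print("ledger balance:", LEDGER.balance())
    print(reconcile(LEDGER.entries, BANK_STATEMENT))
    print(trail_for(LEDGER, "CHQ-2002"))
```

The reconciliation is the detective step: it surfaces the duplicated cheque posting and the unrecorded bank fee. The audit trail then answers the follow-up question an auditor asks next, which user made each of the two `CHQ-2002` postings.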
Exercise 1: Identify Control Types

➢ Task: Classify the following as Segregation of Duties, Authorization, Access Control, Independent Verification, or Accounting Records.
1. Manager approves expense reports exceeding $1,000.
2. Monthly inventory count reconciled with the system.
3. Only finance staff can access payroll data.
4. Different individuals handle vendor creation and vendor payment approval.
5. Maintaining a detailed log of journal entries.
Exercise 2: Control Implementation

➢ Scenario:
⚫ A company faces fraudulent activities due to a
single individual managing vendor creation
and payment.

➢ Task:
⚫ Propose one preventive, one detective, and
one corrective control.
Levels of Control in AIS

General Controls (develop, implement, operate, maintain)
Application Controls (specific systems)

These controls ensure the integrity, confidentiality, and availability of data processed through AIS and align with the organization's objectives.
General Controls
➢ Definition
⚫ General controls are high-level controls that
encompass the overall IT environment.
⚫ They ensure that IT systems and data are
secure, reliable, and available.

➢ Objectives
• Protect system infrastructure from unauthorized
access or misuse.
• Support the operation of application controls.
• Prevent or detect potential system-wide issues.
Examples of General Controls
1. Access Security:
1. Implementation of firewalls, intrusion detection
systems (IDS), and password policies.
2. Example: Role-based access control for
sensitive data.

2. Change Management:
1. Procedures for managing changes to software,
hardware, and processes.
2. Example: Documenting and testing all changes
to a payroll system before deployment.
Examples of General Controls
1. Backup and Recovery:
1. Regularly backing up critical data and having a
disaster recovery plan in place.
2. Example: Scheduled backups of financial data to
secure offsite storage.

2. System Maintenance:
1. Ensuring timely updates and patch management for
hardware and software.
2. Example: Applying software patches to address
security vulnerabilities.
Examples of General Controls

1. Physical Security:
1. Restricting physical access to servers and data centres.
2. Example: Using biometric access for server rooms.
Application Controls
➢ Definition
⚫ Application controls are specific to software
applications and ensure accurate and complete
data processing within these applications.
➢ Objectives
• Ensure that input data is valid, authorized, and
accurate.
• Prevent, detect, and correct errors in individual
transactions.
• Maintain data integrity during processing and
storage.
Categories of Application Controls

Input Controls:
Ensure data is accurate, complete, and
authorized before entering the system.

Examples:
⚫ Field validation: Allowing only numeric data in an
"amount" field

⚫ Drop-down menus: Limiting input options for consistency.


Categories of Application Controls
Processing Controls: Ensure data is
processed correctly and without duplication or
omission.

Examples:
➢ Batch totals: Summing up totals for verification during batch processing.
➢ Cross-checks: Comparing invoice amounts with purchase order amounts.
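Added example, not from the lecture, that applies the input controls (field validation, a restricted value list standing in for a drop-down menu) and the processing controls (batch totals, invoice-to-purchase-order cross-check) just described to a constructed batch of invoice records. The record layout, the allowed currency list, the control slip and the open purchase orders are all assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation

# Input control: the only values the "currency" drop-down offers (assumed list).
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}


def validate_record(raw: dict) -> list[str]:
    """Input controls on one invoice record; an empty list means it may enter the system."""
    problems = []
    try:
        amount = Decimal(str(raw.get("amount", "")))   # field validation: numeric only
        if amount <= 0:
            problems.append("amount must be positive")
    except InvalidOperation:
        problems.append("amount must be numeric")
    if raw.get("currency") not in ALLOWED_CURRENCIES:   # restricted value list
        problems.append("currency not in allowed list")
    if not str(raw.get("po_number", "")).startswith("PO-"):
        problems.append("po_number must look like PO-nnnn")
    return problems


def batch_totals(records: list[dict]) -> dict:
    """Processing control: record count and amount total, compared with the sender's control slip."""
    return {"count": len(records),
            "total": sum((Decimal(str(r["amount"])) for r in records), Decimal("0"))}


def cross_check(records: list[dict], purchase_orders: dict) -> list[str]:
    """Processing control: each accepted invoice must match an open PO of the same amount."""
    mismatches = []
    for r in records:
        po_amount = purchase_orders.get(r["po_number"])
        if po_amount is None or Decimal(str(po_amount)) != Decimal(str(r["amount"])):
            mismatches.append(r["invoice"])
    return mismatches


def process_batch(records, control_slip, purchase_orders) -> dict:
    """Apply input controls record by record, then the batch-level processing controls."""
    accepted, rejected = [], {}
    for r in records:
        problems = validate_record(r)
        if problems:
            rejected[r["invoice"]] = problems
        else:
            accepted.append(r)
    totals = batch_totals(accepted)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "totals": totals,
        # A mismatch means records were dropped, duplicated or altered between
        # the sender's count and what the system actually processed.
        "totals_match": totals == control_slip,
        "po_mismatches": cross_check(accepted, purchase_orders),
    }


# Constructed sample batch, control slip and open purchase orders (not real data).
BATCH = [
    {"invoice": "INV-1", "amount": "250.00", "currency": "USD", "po_number": "PO-1001"},
    {"invoice": "INV-2", "amount": "12O.00", "currency": "USD", "po_number": "PO-1002"},  # letter O keyed for zero
    {"invoice": "INV-3", "amount": "80.00",  "currency": "XYZ", "po_number": "PO-1003"},
    {"invoice": "INV-4", "amount": "99.00",  "currency": "EUR", "po_number": "PO-1004"},
]
CONTROL_SLIP = {"count": 4, "total": Decimal("549.00")}   # prepared by the submitting department
PURCHASE_ORDERS = {"PO-1001": "250.00", "PO-1004": "90.00"}  # PO-1004 was raised for 90, not 99

if __name__ == "__main__":
    from pprint import pprint
    pprint(process_batch(BATCH, CONTROL_SLIP, PURCHASE_ORDERS))
```

Two records fail the input controls, so the batch totals no longer agree with the control slip; that disagreement is the signal that the batch was not processed completely, which is exactly what the control exists to catch. The cross-check then flags the one accepted invoice whose amount differs from its purchase order.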
Categories of Application Controls
Output Controls: Ensure the output is
accurate, authorized, and distributed to the
correct individuals.

Examples:
➢ Report generation: Reconciling system-generated
reports with source data.

➢ Encryption: Securing emailed financial reports.


Comparison of General and Application
Controls
| Aspect | General Controls | Application Controls |
|---|---|---|
| Scope | Broad, affecting the entire IT environment. | Specific to individual software applications. |
| Focus | System-level security and reliability. | Data accuracy, completeness, and processing. |
| Examples | Backup systems, firewalls, physical security. | Input validation, batch processing controls. |
| Type | Preventive and detective. | Preventive, detective, and corrective. |
Exercise 1: Identify Control Levels
Task: Classify each of the following as a General Control or Application Control.
1. Biometric access to the server room.
2. Automatic log-off after 15 minutes of inactivity.
3. Input validation for customer addresses.
4. Monthly reconciliation of sales reports with invoices.
5. Regular system backups.
Exercise 2: Designing Controls

➢ Scenario:
⚫ Your organization faces risks of
incorrect sales data entry and
unauthorized access to its sales system.

➢ Task:
⚫ Propose one general control and one
application control to address these
risks.
Exercise 3: Analyzing Control Failures

➢ Scenario:
⚫ A data breach occurred due to poor password
policies, and transaction data was altered in an
accounting application.

➢ Task: Identify:
1. The failed general control.
2. The failed application control.
Examples of Internal Control

➢ Adequate documentation
➢ Background checks
➢ Back-up computer files
➢ Back-up power supplies
➢ Bank reconciliation
➢ Batch control totals
➢ Data encryption
➢ Document matching
➢ Edit checks
Examples of Internal Control
➢ Firewalls
➢ Insurance and bonding
➢ Internal audits
➢ Limit checks
➢ Lockbox systems
➢ Physical security
➢ Preformatted data entry screens
➢ Prenumbered documents
➢ Restrictive endorsements of checks
Examples of Internal Control
➢ Daily deposit of cash receipts
➢ Segregation of duties
➢ User training

All internal controls have associated costs—financial, operational and behavioral.
The key is ensuring that the benefits outweigh the costs.
Discussion

➢ Describe situations in your daily activities where you have experienced or employed general controls and application controls.
