Accounting, Information Technology, and Business Solutions, 2nd Edition
By Hollander, Denna, Cherrington
Supplemental Chapter D: Sample Electronic Data Processing Controls
PowerPoint slides by: Bruce W. MacLean, Faculty of Management, Dalhousie University
Irwin/McGraw-Hill © The McGraw-Hill Companies, Inc., 2000

Objectives
- Identify what contributes to a strong control environment and controls that contribute to it.
- Identify specific controls to prevent, detect, or recover from risks associated with:
  - Operating activities.
  - Information processing risk.

Review of Controls Philosophy
- Every entity, whether it is a business organization, governmental agency, or not-for-profit entity, has some stated objectives. Entities are established to do something for someone. They might be organized to make money, provide public services, or administer an estate.
- There are many opportunities available to these entities to achieve their objectives. With each opportunity, there is some risk. The risks may be:
  - strategic - doing the wrong things;
  - decision - failure to make a needed decision or selecting a poor alternative;
  - operating - doing the right things the wrong way;
  - financial - losing financial resources or creating financial liabilities; or
  - information - making errors in recording, maintaining, and reporting activities.

Control Environment
- The control environment sets the tone of the organization and influences the control consciousness of its people.
- The control environment encompasses several factors, but these are some of the most important:
  - the integrity and ethical values of the organization as a whole,
  - management’s philosophy, and
  - how the organization treats its people.

Integrity and Ethical Values
- Controls that can help improve the integrity and ethical values of the organization include:
  - Hire honest people.
  - Establish a Code of Conduct.
  - Have a Violations Review Committee.
  - Review Company Practices and Rules.

Impact of Management’s Philosophy on the Control Environment
- Management’s philosophy can either contribute to, or help prevent, a high-risk environment.
- Questions that may be asked to identify a high-risk environment include:
  - Do people understand the company’s policies and practices, what they are responsible for, and to whom they report?
  - Does management have a conservative or reasonable approach in accepting business risks and in reporting the financial results of operations?
  - Does the organization have a well defined organizational structure with appropriate division of duties and identified reporting relationships and responsibilities?
  - Is the company committed to hiring competent people who possess the knowledge and skills needed to perform their assigned jobs?
  - If the entity has an annual audit of their financial statements, does it have an audit committee to oversee the audit?
  - If there is a board of directors, are there outside representatives on the board?
  - Has management developed a culture that emphasizes integrity and ethical behavior?
  - Are important activities planned, executed, controlled, and monitored on a timely basis?

Human Resource Policies and Practices
- People are frequently the most important assets of the organization. However, if they are not the right people and if they are not managed properly, they may become more of a liability than an asset.
- Human resource policies and practices relate to hiring, orienting, training, evaluating, counseling, promoting, compensating, and terminating employees. The following controls can help ensure success in hiring and retaining quality employees:
  - Check the background of each applicant.
  - Bond people in critical positions.
  - Explain organization policies and procedures.
  - Define promotion and personal growth opportunities.
  - Define procedures for terminating employees.
  - Provide well-defined work schedules.

Risk Assessment
- Risk assessment is a process of identifying things that can go wrong and the probability of their occurrence.
- There are no exhaustive checklists identifying all the things that can go wrong. People with criminal minds work on expanding these checklists all the time. They are looking for weaknesses in the system and identifying ways to take advantage of a weakness for personal gain, without being caught. Failure to identify these weaknesses before they are identified by people with criminal minds often results in significant losses.
- Some of the important areas you should investigate during the risk assessment phase include:
  - Where has the company incurred losses in the past and how much has been lost?
  - Where have similar companies incurred losses and how much have they lost?
  - Ask employees where errors and irregularities are most likely to occur.

Control Activities
- We can classify control activities by their use (i.e., whether they are used to prevent, detect, or recover from errors or irregularities).
  - Preventive controls focus on preventing an error or irregularity.
  - Detective controls focus on identifying when an error or irregularity has occurred.
  - Corrective controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.
- An error is an unintended mistake on the part of an employee, while an irregularity is an intentional effort to do something that is undesirable to the organization.
- Control activities relevant to the information processing activities of an entity may be broadly classified into three areas:
  - (a) separation of duties,
  - (b) physical controls, and
  - (c) information processing controls.

Separate Accounting and Information Systems from Other Organization Functions
- Accounting and information systems are support functions and should have organizational independence from the departments that use their information and perform the operational activities of the organization. This implies that, to the extent possible, the organization should ensure that:
  - A user department initiates all transactions.
  - User departments authorize new business application software and changes to current application software.
  - Custody of assets resides with designated operational departments.
  - Errors in transaction data are entered on an error log, referred back to the user department for correction, and followed up on by the control group.

Separate Responsibilities within the Information Systems Function
- Some functions within the information systems area are incompatible and ideally separate. When possible, organizations should separate the following functions from each other:
  - Systems analysis - analyzing the information and processing needs and designing or modifying the application software.
  - Database administration - integrating the data requirements of analysis and design to maintain an enterprise data resource.
  - Programming - writing computer programs to perform the tasks designed by analysts.
  - Operations - running the application programs (designed by systems analysts and written by the programmers) on the computer.
  - Information systems library - storing programs and files when not in use and keeping track of all versions of data and applications.
  - Data control - reconciling input and output, distributing output to authorized information customers, and monitoring the correction of errors.

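The incompatible-functions rule on this slide can be checked mechanically against a staffing table. The following Python script is an added example, not code from the textbook: it maps each person to the information systems functions they hold and flags anyone holding a pair that should be kept apart. The table of incompatible pairs and the sample staffing are assumptions constructed for the example, not a table from the book.

```python
"""Separation-of-duties check across information systems functions.

Added example; this is not code from the textbook. Each person is
mapped to the IS functions they perform, and the checker reports
anyone who holds two functions that should be kept apart. The set of
incompatible pairs is an assumption drawn from the slide's list of
functions, not a table in the book.
"""
from itertools import combinations

FUNCTIONS = {
    "systems_analysis", "database_administration", "programming",
    "operations", "is_library", "data_control",
}

# Assumed incompatible pairs: each one would let a single person both
# change what the system does and run it or verify its results.
INCOMPATIBLE = {
    frozenset({"programming", "operations"}),
    frozenset({"programming", "is_library"}),
    frozenset({"programming", "data_control"}),
    frozenset({"systems_analysis", "operations"}),
    frozenset({"database_administration", "operations"}),
    frozenset({"operations", "data_control"}),
}


def find_conflicts(assignments):
    """Return {person: [(function_a, function_b), ...]} for every
    person holding an incompatible combination of functions.

    assignments: {person: iterable of function names}
    Raises ValueError if a function name is not one of the six.
    """
    unknown = set()
    for funcs in assignments.values():
        unknown |= set(funcs) - FUNCTIONS
    if unknown:
        raise ValueError(f"unknown functions: {sorted(unknown)}")

    conflicts = {}
    for person, funcs in assignments.items():
        held = sorted(set(funcs))
        pairs = [pair for pair in combinations(held, 2)
                 if frozenset(pair) in INCOMPATIBLE]
        if pairs:
            conflicts[person] = pairs
    return conflicts


# Constructed sample staffing, not real people or a real organization.
SAMPLE_ASSIGNMENTS = {
    "alice": ["systems_analysis", "database_administration"],
    "bob": ["programming", "operations"],
    "carol": ["data_control"],
    "dave": ["is_library", "programming", "operations"],
}

if __name__ == "__main__":
    for person, pairs in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(person, "holds incompatible functions:", pairs)
```

Run periodically against the real access-provisioning data, the same check becomes a detective control: a programmer who has been granted an operations role shows up in the output the next time it runs.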
Physical Controls
- Physical controls encompass the physical security of the organization's assets and records, authorization to access computer programs and data files, and periodically counting the quantities of physical assets and comparing them with amounts shown on financial records.
  - Physical Security of Assets and Records
  - Access Controls for Computer Programs and Files
  - Reconcile Physical Quantities with Recorded Quantities

Physical Security of Assets and Records
- The assets and sensitive records of the organization should be protected and only released to, or accessed by, authorized individuals.
  - Many of these are simple controls such as separate storage rooms, locks on doors and filing cabinets, and surveillance people.
- Physical access controls prevent unauthorized access to the computer devices themselves.
- Typically, large systems or file servers are housed in a locked room that is entered only with a combination lock or a key.
- When unauthorized personnel or others gain access to the physical devices, they can seriously disrupt operations or even destroy the devices themselves.

Access Controls
- Systems access
- Physical access
- Data and application access

Access Controls for Computer Programs and Files
- When IT is embedded in the business and information processes, individuals who execute business events must gain access to the technology to execute business and information processes.
- Unauthorized access to the system represents a tremendous risk to the organization. Preventing unauthorized access to the system is critical. Controlling access is particularly important when the system has online, real-time transaction processing capabilities.

Access Controls for Computer Programs and Files
- Access controls restrict unauthorized access to the system itself, to physical devices, and to data in the system.
- System access controls are used to prevent unauthorized access into the system. Organizations must control who obtains access to the system through an on-line terminal or by data communication lines.
- A password is a unique identifier that only the user should know and is required to enter each time he/she logs onto the system. Unless passwords are formally assigned, routinely changed, and protected from use by other people, they will quickly get into the wrong hands and provide unauthorized access to the system.
- The access control matrix identifies the functions each user can perform once they gain access to the computer. It controls what data and programs the user may access.

Case In Point: Passwords
- Surveys show that most passwords are “no-brainers” for hackers trying to break into a system.
- The most common password is the user’s own name or the name of a child. The second most common password is “secret.”
- Other common passwords in order of usage are:
  - Stress-related words such as “deadline” or “work”
  - Sports teams or sports terms like “bulls” or “golfer”
  - “Payday”
  - “Bonkers”
  - The current season (e.g. “winter” or “spring”)
  - The user’s ethnic group
  - Repeated characters (e.g. “bbbbb” or “AAAAA”)
  - Obscenities or sexual terms

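A password policy is a preventive control that is easiest to enforce at the moment a password is chosen. The following Python screen is an added example, not code from the textbook: it rejects the categories the slide lists (the user's own name, names of family members or teams the user has supplied, common words such as "secret" or "deadline", the current season, a single repeated character). The word list, the related-names input and the 8-character minimum are assumptions constructed for the example; a production screen would check a large breached-password list instead of this handful of words.

```python
"""Screen new passwords against the weak-password categories on the slide.

Added example; not code from the book. The word list is a small
constructed sample of the slide's categories (a real deployment would
use a large breached-password list), and the 8-character minimum is an
assumption.
"""
import re

COMMON_WORDS = {
    "secret", "deadline", "work", "bulls", "golfer", "payday", "bonkers",
    "winter", "spring", "summer", "fall", "autumn", "password",
}


def password_problems(password, username="", related_names=()):
    """Return the list of reasons a password should be rejected.

    An empty list means the password passed every screen.
    related_names: names of children, spouses, teams, etc. that the
    user supplied on their profile (constructed input for the example).
    """
    problems = []
    pw = password.lower()
    # Strip trailing digits so "secret1" or "deadline2024" still match.
    stem = re.sub(r"\d+$", "", pw)

    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if username and stem == username.lower():
        problems.append("is the user's own name")
    for name in related_names:
        if name and name.lower() in pw:
            problems.append(f"contains a related name ({name})")
    if stem in COMMON_WORDS:
        problems.append("is a common word from the weak-password list")
    if re.fullmatch(r"(.)\1+", password):
        problems.append("is one character repeated")
    return problems


if __name__ == "__main__":
    for candidate in ("secret", "AAAAAAAA", "deadline2024", "Tr0ub4dor&3-horse"):
        print(repr(candidate), "->", password_problems(candidate) or "accepted")
```

Returning every reason rather than the first lets the enrollment screen tell the user exactly what to change, and the same function can be run over an existing password file's plaintext candidates only at reset time, never against stored hashes.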
Data and Application Access Controls
- Data and application access controls maintain the integrity and privacy of data and processes within a computer system. They should prevent loss, destruction, or access of data and applications by unauthorized personnel.
- Encryption is used to protect highly sensitive and confidential data. Encryption is a process of encoding data entered into the system, storing or transmitting the data in coded form, and then decoding the data upon its use or arrival at its destination.

Reconcile Physical Quantities with Recorded Quantities
- Periodically, the physical assets should be compared with the assets recorded on the financial records. Auditors generally require a physical count of inventory on hand to compare with the amount reported on the financial statements. The same idea should be applied to other assets:
  - At the end of each sales clerk’s shift, the amount of cash in the cash drawer should be counted and compared with the sales total from the cash register for the employee’s shift.
  - Fixed assets such as computer equipment should be tagged with identification numbers and assigned to specific employees. At least annually, an inventory clerk should compare what each employee actually has with what they have been issued.
  - Property, plant, equipment, and inventories of all types should be counted and the quantities compared with the financial records. Any differences should be reconciled. Frequently this identifies errors and irregularities that would never be detected otherwise.

Types of Updating Processes (diagram)
- Batch process update: Old Reference Data and Event and Maintenance Data feed an Update Process that produces New Reference Data, which a Report Process reads. Successive runs retain three generations of reference data: GRANDPARENT, PARENT, and CHILD.
- Real-time process update: Event and Maintenance Data feed an Update Process that updates the Reference Data in place, and a Report Process reads it.

Grandparent-Parent-Child Batch Processing Backup Example (diagram)
- Journal voucher batch: key in journal voucher data, producing unsorted journal vouchers.
- Sort vouchers in chart of account order, producing sorted journal vouchers.
- Edit input and update master file: the old general ledger master (Parent) and the sorted journal vouchers are processed to produce the new general ledger master (Child), an error and exception report, and the retained sorted journal vouchers.
- Grandparent: the “old” general ledger master from the preceding batch process run (not shown on this day’s run).
- If we lost the “child” master file, we could process the transaction file against the “parent” master file.

Rollback and Recovery On-line Processing Backup Example (diagram)
- Journal voucher data are input (could use a scanner); transaction data are stored in a transaction log (journal voucher file numerical order).
- Edit data and update master file: the general ledger master is updated, and error and exception messages are produced.
- A periodic backup of the master reference data is taken.
- If we lost the master file, we could roll back to the backup master and reprocess the transaction log data against the backup master.

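The two backup schemes on this slide and the preceding one can be shown side by side in a few lines. The following Python is an added example, not code from the textbook: OnlineLedger implements the rollback-and-recovery pattern (write-ahead transaction log plus a periodic master backup, replayed when the live master is lost), and batch_update with retain_generations implements the grandparent-parent-child pattern (each batch run writes a brand-new master and the prior generations are kept). Account numbers, balances and vouchers are constructed sample data.

```python
"""Rollback-and-recovery for an on-line master file, with the batch
grandparent-parent-child alternative alongside it.

Added example; not code from the book. The general ledger master is a
dict of account number -> balance, and the vouchers, accounts and
balances are constructed for the example.
"""
import copy


class OnlineLedger:
    """On-line update: log every transaction, back up periodically,
    and rebuild from backup + log if the live master is lost."""

    def __init__(self, opening_balances):
        self.master = dict(opening_balances)
        self.transaction_log = []      # (seq, account, amount), append-only
        self.backup = None             # (seq_at_backup, snapshot of master)
        self._seq = 0

    def post(self, account, amount):
        if account not in self.master:
            raise KeyError(f"unknown account {account}")
        self._seq += 1
        # Write the log entry before touching the master so a failure
        # between the two steps can still be replayed.
        self.transaction_log.append((self._seq, account, amount))
        self.master[account] += amount
        return self._seq

    def take_backup(self):
        self.backup = (self._seq, copy.deepcopy(self.master))

    def recover(self):
        """Roll back to the backup master and reprocess every logged
        transaction posted after the backup. Returns the rebuilt master."""
        if self.backup is None:
            raise RuntimeError("no backup master to roll back to")
        seq_at_backup, snapshot = self.backup
        rebuilt = copy.deepcopy(snapshot)
        for seq, account, amount in self.transaction_log:
            if seq > seq_at_backup:
                rebuilt[account] += amount
        self.master = rebuilt
        return rebuilt


def batch_update(old_master, sorted_vouchers):
    """Batch update: read the old master and the sorted voucher file,
    write a brand-new master. The old master is left untouched, which
    is what makes it usable as the parent backup."""
    new_master = dict(old_master)
    exceptions = []                     # goes to the error/exception report
    for account, amount in sorted_vouchers:
        if account not in new_master:
            exceptions.append((account, amount, "account not on master"))
            continue
        new_master[account] += amount
    return new_master, exceptions


def retain_generations(generations, new_master, keep=3):
    """Keep only the newest `keep` masters: child, parent, grandparent."""
    generations.append(new_master)
    del generations[:-keep]
    return generations


if __name__ == "__main__":
    ledger = OnlineLedger({"1000": 100.0, "4000": 0.0})
    ledger.post("1000", 50.0)
    ledger.take_backup()
    ledger.post("4000", -20.0)
    ledger.post("1000", 25.0)
    ledger.master = {}            # simulate losing the live master file
    print("recovered master:", ledger.recover())
```

The ordering inside post() is the whole point of the on-line scheme: if the master were updated first and the log written second, a crash between the two would leave a change that no replay can reconstruct.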
Field Checks
- check digit
- completeness check
- default value
- field or mode check
- range (limit) check
- validity/set check

Record Checks
- master reference check
- reasonableness check
- referential integrity
- valid sign check

Batch Checks
- sequence check
- transaction type check
- batch control totals
  - hash control total
  - financial/numeric total
  - record control total

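The field, record and batch checks on the last three slides, applied together to one journal-voucher batch. The following Python is an added example, not code from the textbook; the record layout, chart of accounts, cost-center list and batch-control header are constructed, and the check digit uses a modulus-10 (Luhn) scheme, an assumption since the slides do not name one. Running validate_batch on the sample batch reports the bad check digit and unknown cost center on voucher 104 at record level, and a transaction-type mismatch at batch level.

```python
"""Field, record and batch checks on a batch of journal vouchers.
Added example, not the book's code: layout, chart of accounts, cost
centers and header are constructed; the check digit is modulus-10
(Luhn), an assumption since the slides do not name a scheme."""

CHART_OF_ACCOUNTS = {                        # constructed master data
    "1000": {"name": "Cash", "max_reasonable": 50000.0},
    "4000": {"name": "Sales", "max_reasonable": 50000.0},
    "6000": {"name": "Travel", "max_reasonable": 5000.0},
}
COST_CENTERS = {"CC10", "CC20"}              # referential-integrity target
VALID_TYPES = {"JV", "ADJ"}
REQUIRED = ("voucher_no", "account", "amount", "type", "employee_id",
            "cost_center")

def luhn_ok(number):
    """Modulus-10 check digit: weighted digit sum must divide by 10."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every 2nd digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def field_checks(rec):
    """Checks that look at one field in isolation."""
    errs = [f"completeness: {f} missing" for f in REQUIRED
            if rec.get(f) in (None, "")]
    if not luhn_ok(str(rec.get("employee_id", ""))):
        errs.append("check digit: employee_id fails modulus-10")
    amt = rec.get("amount")
    if not isinstance(amt, (int, float)):            # field/mode check
        errs.append("field type: amount is not numeric")
    elif not 0 < amt <= 1_000_000:                   # range and valid sign
        errs.append("range: amount must be > 0 and <= 1,000,000")
    if rec.get("type") not in VALID_TYPES:           # validity/set check
        errs.append("validity: unknown transaction type")
    return errs

def record_checks(rec):
    """Checks that relate a field to master data or other fields."""
    errs = []
    acct = CHART_OF_ACCOUNTS.get(rec.get("account"))
    if acct is None:                                 # master reference
        errs.append("master reference: account not in chart of accounts")
    elif (isinstance(rec.get("amount"), (int, float))
            and rec["amount"] > acct["max_reasonable"]):  # reasonableness
        errs.append("reasonableness: amount exceeds account's usual maximum")
    if rec.get("cost_center") not in COST_CENTERS:   # referential integrity
        errs.append("referential integrity: cost_center does not exist")
    return errs

def batch_checks(header, records):
    """Checks over the whole batch against its control header."""
    errs = []
    nums = [r.get("voucher_no") for r in records]
    if nums != sorted(nums) or len(set(nums)) != len(nums):
        errs.append("sequence: voucher numbers out of order or duplicated")
    if any(r.get("type") != header["type"] for r in records):
        errs.append("transaction type: record type differs from batch type")
    if len(records) != header["record_count"]:       # record control total
        errs.append("record control total mismatch")
    financial = sum(r["amount"] for r in records
                    if isinstance(r.get("amount"), (int, float)))
    if round(financial, 2) != header["financial_total"]:
        errs.append("financial total mismatch")
    hashed = sum(int(r["account"]) for r in records   # meaningless sum
                 if str(r.get("account", "")).isdigit())
    if hashed != header["hash_total"]:
        errs.append("hash total mismatch (sum of account numbers)")
    return errs

def validate_batch(header, records):
    """Return ({voucher_no: [record-level errors]}, [batch-level errors])."""
    record_errors = {}
    for r in records:
        found = field_checks(r) + record_checks(r)
        if found:
            record_errors[r.get("voucher_no")] = found
    return record_errors, batch_checks(header, records)

# Constructed sample batch; the header claims three JV records totalling
# 2350.00 whose account numbers sum to 11000.
SAMPLE_HEADER = {"type": "JV", "record_count": 3,
                 "financial_total": 2350.0, "hash_total": 11000}
SAMPLE_RECORDS = [
    {"voucher_no": 101, "account": "1000", "amount": 1000.0, "type": "JV",
     "employee_id": "79927398713", "cost_center": "CC10"},
    {"voucher_no": 102, "account": "4000", "amount": 1000.0, "type": "JV",
     "employee_id": "79927398713", "cost_center": "CC10"},
    {"voucher_no": 104, "account": "6000", "amount": 350.0, "type": "ADJ",
     "employee_id": "79927398710", "cost_center": "CC99"},
]
```

Record-level errors are returned per voucher so they can be written to the error log and referred back to the user department, while batch-level errors hold the entire batch, since a wrong control total means the input file itself cannot be trusted.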
File Controls
- External file labels
- Internal file labels
- Lock out procedures
- Read-only file designation
- File protection rings

Documentation
- Procedural documentation
- Systems documentation
- User manual
- Application documentation
- Operator manual
- Data documentation
  - record layout
  - data dictionary
- Operating documentation

Give Accounting and Information Systems Organizational Independence
- To the extent possible, separate responsibilities within the information systems function:
  - Systems analysis
  - Database administration
  - Programming
  - Operations
  - Information systems library
  - Data control

Reporting Instructions - Used to Generate Queries, Documents, and Reports
1. Access the user output request, along with any specifications or parameters.
2. Validate that the user should have access to the requested information.
3. Determine if a format is stored for the output. If so, access the format file. If not, allow the user to help specify a format or use a default format.
4. Access necessary data from appropriate data pools and process it (if necessary).
5. Communicate the output to the screen, printer, or computer file and display it in the prescribed format.

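Step 2 is where the access control matrix from the earlier Access Controls for Computer Programs and Files slide is consulted. The following Python is an added example, not code from the textbook, that walks a report request through the five steps with the access decision made (and recorded in an audit log) before any data is read. The matrix entries, user ids, stored format and data pools are constructed; anyone not in the matrix, or without the requested function on the requested object, is denied by default.

```python
"""Access control matrix consulted by a report request.

Added example; not code from the book. The matrix, user ids, stored
formats and data pools are constructed. The steps follow the slide:
fetch the request, validate access, find a stored format or fall back
to a default, access the data, and render the output.
"""

# Access control matrix: user -> {object: functions the user may perform}.
# A user absent from the matrix, or an object absent from their row,
# gets nothing (default deny).
ACCESS_MATRIX = {
    "clerk01": {"ar_aging": {"read"}},
    "ctrl01": {"ar_aging": {"read", "print"},
               "payroll_summary": {"read", "print"}},
    "prog01": {},   # programmers hold no production data access
}

STORED_FORMATS = {"ar_aging": ["customer", "days_overdue", "balance"]}

# Constructed data pools (credit_limit is deliberately absent from the
# stored format, so the clerk's report never shows it).
DATA_POOLS = {
    "ar_aging": [
        {"customer": "Acme", "days_overdue": 45, "balance": 1200.0, "credit_limit": 5000},
        {"customer": "Birch", "days_overdue": 10, "balance": 300.0, "credit_limit": 2000},
    ],
    "payroll_summary": [{"dept": "Ops", "gross": 52000.0}],
}

AUDIT_LOG = []   # every access decision, granted or denied, is recorded


class AccessDenied(Exception):
    pass


def is_permitted(user, obj, function):
    """Look the request up in the matrix and log the decision."""
    allowed = function in ACCESS_MATRIX.get(user, {}).get(obj, set())
    AUDIT_LOG.append((user, obj, function, "granted" if allowed else "denied"))
    return allowed


def run_report_request(request):
    """request: {"user", "report", "function": "read"|"print", "params"}"""
    user, report, function = request["user"], request["report"], request["function"]
    # Step 2: validate access before any data is touched.
    if not is_permitted(user, report, function):
        raise AccessDenied(f"{user} may not {function} {report}")
    # Step 3: stored format if one exists, else default to every column.
    columns = STORED_FORMATS.get(report)
    # Step 4: access the data pool and apply the request's parameters.
    rows = DATA_POOLS.get(report, [])
    min_overdue = request.get("params", {}).get("min_days_overdue")
    if min_overdue is not None:
        rows = [r for r in rows if r.get("days_overdue", 0) >= min_overdue]
    if columns is None:
        columns = list(rows[0].keys()) if rows else []
    # Step 5: render in the prescribed format (tab-separated text here).
    lines = ["\t".join(columns)]
    lines += ["\t".join(str(r[c]) for c in columns) for r in rows]
    return {"columns": columns, "rows": rows, "text": "\n".join(lines)}


if __name__ == "__main__":
    print(run_report_request({"user": "clerk01", "report": "ar_aging",
                              "function": "read",
                              "params": {"min_days_overdue": 30}})["text"])
```

Keeping the denied decisions in the audit log turns the matrix into a detective control as well as a preventive one: a run of denied requests from one user id is exactly the kind of irregularity the data control group should follow up.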