Controls - PowerPoint PPT Presentation


1
Controls
2
Objectives
  • Identify what contributes to a strong control
    environment and controls that contribute to it.
  • Identify specific controls to prevent, detect, or
    recover from risks associated with
  • Operating activities.
  • Information processing risk.

3
The Relationship between Risks, Opportunities,
and Controls
  • Risks
  • A risk is any exposure to the chance of injury or
    loss.
  • Opportunities and Objectives
  • Opportunity and risk go hand in hand. You can't
    have an opportunity without some risk and with
    every risk there is some potential opportunity.
  • Controls
  • A control is an activity we perform to minimize
    or eliminate a risk.

4
Internal Control Systems
  • Internal controls encompass a set of rules,
    policies, and procedures an organization
    implements to provide reasonable assurance that
  • (a) its financial reports are reliable,
  • (b) its operations are effective and efficient,
    and
  • (c) its activities comply with applicable laws
    and regulations.
  • These represent the three main objectives of the
    internal control system.
  • The organization's board of directors,
    management, and other personnel are responsible
    for the internal control system.

5
Control Classification Schemes
(Diagram: each scheme below classifies controls across four
layers: Entire Organization, Data Processing Environment, Event
Occurrence, and Information Processes.)
  • Administrative Controls / Accounting Controls
  • Preventive, Detective, and Corrective Controls
  • Input, Processing, and Output Controls
  • Control Environment / General Controls / Application
    Controls
  • Control Environment / IT/Human Controls / Business Event
    Controls / Information Processing Controls
6
Risk Assessment
  • Risk assessment identifies and analyzes the
    relevant risks associated with the organization
    achieving its objectives.
  • Risk assessment forms the basis for determining
    what risks need to be controlled and the
    controls required to manage them.

7
Control Activities
  • Control activities are the policies and
    procedures the organization uses to ensure that
    necessary actions are taken to minimize risks
    associated with achieving its objectives.
    Controls have various objectives and may be
    applied at various organizational and functional
    levels.
  • Control Usage - Prevent, Detect, and Correct
  • Control activities may be classified by their use
    (i.e., whether they are used to prevent, detect, or
    recover from errors or irregularities). The
    purpose of each control is evident from its name.
  • Preventive controls focus on preventing an error
    or irregularity.
  • Detective controls focus on identifying when an
    error or irregularity has occurred.
  • Corrective controls focus on recovering from,
    repairing the damage from, or minimizing the cost
    of an error or irregularity.

8
Control Activities
  • Physical controls include security over the
    assets themselves, limiting access to the assets
    to only authorized people, and periodically
    reconciling the quantities on hand with the
    quantities recorded in the organization's
    records.
  • Information processing controls are used to check
    accuracy, completeness, and authorization of
    transactions.
  • General controls cover data center operations,
    systems software acquisition and maintenance,
    access security, and application systems
    development and maintenance.
  • Application controls apply to the processing of a
    specific application, like running a computer
    program to prepare employees' payroll checks each
    month.

9
Control Activities
  • Performance Reviews
  • Performance reviews are any reviews of an
    entity's performance.
  • Some of the more common reviews
  • compare actual data to budgeted data or prior
    period data,
  • operating data to financial data, and
  • data within and across various units,
    subdivisions, or functional areas of the
    organization.

10
Traditional Control Philosophy
  • Much of the traditional accounting and auditing
    control philosophy has been based on the
    following concepts and practices
  • Extensive use of hard-copy documents to capture
    information about accounting transactions, and
    frequent printouts of intermediate processes as
    accounting transactions flow through the
    accounting process.
  • Separation of duties and responsibilities so the
    work of one person checks the work of another
    person.
  • Duplicate recording of accounting data and
    extensive reconciliation of the duplicate data.
  • Accountants who view their role primarily as one
    of independence, reactive, and detective.
  • Heavy reliance on a year-end review of financial
    statements and extensive use of long checklists
    of required controls.
  • Greater emphasis given to internal control than
    to operational efficiency.
  • Avoidance or tolerance toward advances in
    information technology.

11
Risks and Controls in an Event-Driven System
  • An event-driven system provides a framework for
    classifying risks that builds upon what you have
    already learned about decision, business, and
    information processes. Acquiring the ability to
    identify risk requires knowledge of the business
    organization.
  • Business events trigger three types of
    information processes
  • Recording event data (e.g., recording the sale of
    merchandise).
  • Maintaining resource, agent, and location data
    (e.g., updating a customer's address).
  • Reporting useful information (preparing a report
    on sales by product).

12
Operating Event Risks
  • Business event risk results in errors and
    irregularities having one or more of the
    following characteristics
  • A business event
  • occurring at the wrong time or sequence.
  • occurring without proper authorization.
  • involving the wrong internal agent.
  • involving the wrong external agent.
  • involving the wrong resource.
  • involving the wrong amount of resource.
  • occurring at the wrong location.

13
Taxonomy of Business and Information Process Risk
(Diagram, reconstructed as an outline)
  • Organization Risk, made up of
  • Business Event Risk: Resources, Events, Agents,
    Locations
  • Information Processing Risk: Recording Processes,
    Maintenance Processes, Reporting Processes
  • System Resource Risks: Development and Operation,
    Access, Systems Failure / Data Loss, Human Behavior
14
Information Processing Risks
  • Recording risks include recording incomplete,
    inaccurate, or invalid data about a business
    event. Incomplete data results in not having all
    the relevant characteristics about an operating
    event. Inaccuracies arise from recording data
    that do not accurately represent the event.
    Invalid refers to data that are recorded about a
    fabricated event.
  • Maintaining risks are essentially the same as
    those for recording. The only difference is the
    data relates to resources, agents, and locations
    rather than to operating events. The risk
    relating to maintenance processes is that changes
    with respect to the organization's resources,
    agents, and locations will go either undetected
    or unrecorded (e.g., customer or employee moves,
    customer declares bankruptcy, or location is
    destroyed through a natural disaster).
  • Reporting risks include data that are improperly
    accessed, improperly summarized, provided to
    unauthorized individuals, or not provided in a
    timely manner.

15
Review of Controls Philosophy
  • Every entity, whether it is a business
    organization, governmental agency, or
    not-for-profit entity has some stated objectives.
    Entities are established to do something for
    someone. They might be organized to make money,
    provide public services, or administer an estate.
    There are many opportunities available to these
    entities to achieve their objectives. With each
    opportunity, there is some risk.
  • The risks may be
  • strategic - doing the wrong things
  • decision - failure to make a needed decision or
    selecting a poor alternative,
  • operating - doing the right things the wrong way
  • financial - losing financial resources or
    creating financial liabilities or
  • information - making errors in recording,
    maintaining, and reporting activities.

16
Control Environment
  • The control environment sets the tone of the
    organization and influences the control
    consciousness of its people.
  • The control environment encompasses several
    factors, but these are some of the most
    important
  • the integrity and ethical values of the
    organization as a whole,
  • management's philosophy, and
  • how the organization treats its people.

17
Integrity and Ethical Values
  • Controls that can help improve the integrity and
    ethical values of the organization include
  • Hire honest people.
  • Establish a Code of Conduct.
  • Have a Violations Review Committee.
  • Review Company Practices and Rules.

18
Impact of Management's Philosophy on the Control
Environment
  • Management's philosophy can either contribute to,
    or help prevent, a high-risk environment.
  • Questions that may be asked to identify a
    high-risk environment include
  • Do people understand the company's policies and
    practices, what they are responsible for, and to
    whom they report?
  • Has management developed a culture that
    emphasizes integrity and ethical behavior?
  • Does the company have a well-defined
    organizational structure with appropriate
    division of duties and responsibilities and
    identified reporting relationships so that
    important activities are planned, executed,
    controlled, and monitored on a timely basis?
19
Human Resource Policies and Practices
  • People are frequently the most important assets
    of the organization.
  • However, if they are not the right people and if
    they are not managed properly, they may become
    more of a liability than an asset.
  • Human resource policies and practices relate to
    hiring, orienting, training, evaluating,
    counseling, promoting, compensating, and
    terminating employees.
  • The following controls can help ensure success in
    hiring and retaining quality employees
  • Check the background of each applicant.
  • Bond people in critical positions.
  • Explain organization policies and procedures.
  • Define promotion and personal growth
    opportunities.
  • Define procedures for terminating employees.
  • Provide well-defined work schedules.

20
Risk Assessment
  • Risk assessment is a process of identifying
    things that can go wrong and the probability of
    their occurrence. There are no exhaustive
    checklists identifying all the things that can go
    wrong. People with criminal minds work on
    expanding these checklists all the time. They
    are looking for weaknesses in the system and
    identifying ways to take advantage of a weakness
    for personal gain, without being caught. Failure
    to identify these weaknesses before they are
    identified by people with criminal minds often
    results in significant losses.
  • Some of the important areas you should
    investigate during the risk assessment phase
    include
  • Where has the company incurred losses in the past
    and how much has been lost?
  • Where have similar companies incurred losses and
    how much have they lost?
  • Ask employees where errors and irregularities are
    most likely to occur.

21
Control Activities
  • We can classify control activities by their use
    (i.e., whether they are used to prevent, detect,
    or recover from errors or irregularities).
  • Preventive controls focus on preventing an error
    or irregularity.
  • Detective controls focus on identifying when an
    error or irregularity has occurred.
  • Corrective controls focus on recovering from,
    repairing the damage from, or minimizing the cost
    of an error or irregularity.
  • An error is an unintended mistake on the part of
    an employee while an irregularity is an
    intentional effort to do something that is
    undesirable to the organization.
  • Control activities relevant to the information
    processing activities of an entity may be
    broadly classified into three areas
  • (a) separation of duties,
  • (b) physical controls, and
  • (c) information processing controls.

22
Separate Accounting and Information Systems from
Other Organization Functions
  • Accounting and information systems are support
    functions and should have organizational
    independence from the departments that use their
    information and perform the operational
    activities of the organization. It implies that
    to the extent possible, the organization should
    ensure that
  • A user department initiates all transactions.
  • User departments authorize new business
    application software and changes to current
    application software.
  • Custody of assets resides with designated
    operational departments.
  • Errors in transaction data should be entered on
    an error log, referred back to the user
    department for correction, and followed up on by
    the control group.

23
Separate Responsibilities within the Information
Systems Function
  • Some functions within the information systems
    areas are incompatible and ideally separate.
    When possible, organizations should separate the
    following functions from each other
  • Systems analysis - analyzing the information and
    processing needs and designing or modifying the
    application software.
  • Database administration - integrating the data
    requirements of analysis and design to maintain
    an enterprise data resource.
  • Programming - writing computer programs to
    perform the tasks designed by analysts.
  • Operations - running the application programs
    (designed by systems analysts and written by the
    programmers) on the computer.
  • Information systems library - storing programs
    and files when not in use and keeping track of
    all versions of data and applications.
  • Data control - reconciling input and output,
    distributing output to authorized information
    customers, and monitoring the correction of
    errors.

24
Physical Controls
  • Physical controls encompass the physical security
    of the organization's assets and records,
    authorization to access computer programs and
    data files, and periodically counting the
    quantities of physical assets and comparing them
    with amounts shown on financial records.
  • Physical Security of Assets and Records
  • Access Controls - Computer Programs and Files
  • Reconcile Physical Quantities with Recorded
    Quantities

25
Physical Security of Assets and Records
  • The assets and sensitive records of the
    organization should be protected and only
    released to, or accessed by, authorized
    individuals.
  • Many of these are simple controls such as
    separate storage rooms, locks on doors and filing
    cabinets, and surveillance people.
  • Physical access controls prevent unauthorized
    access to the computer devices themselves.
  • Typically, large systems or file servers are
    housed in a locked room that is entered only with
    a combination lock or a key.
  • When unauthorized personnel or others gain access
    to the physical devices, they can seriously
    disrupt operations or even destroy the devices
    themselves.

26
Access Controls
  • Systems access
  • Physical access
  • Data and Application access


27
Access Controls for Computer Programs and Files
  • When IT is embedded in the business and
    information processes, individuals who execute
    business events must gain access to the
    technology to execute business and information
    processes.
  • Unauthorized access to the system represents a
    tremendous risk to the organization.
  • Preventing unauthorized access to the system is
    critical.
  • Controlling access is particularly important
    when the system has online, real-time
    transaction processing capabilities.

28
Access Controls for Computer Programs and Files
  • Access controls restrict unauthorized access to
    the system itself, to physical devices, and to
    data in the system.
  • System access controls are used to prevent
    unauthorized access into the system.
    Organizations must control who obtains access to
    the system through an on-line terminal or by data
    communication lines.
  • A password is a unique identifier that only the
    user should know and is required to enter each
    time he/she logs onto the system. Unless
    passwords are formally assigned, routinely
    changed, and protected from use by other people,
    they will quickly get into the wrong hands and
    provide unauthorized access to the system.
  • The access control matrix identifies the
    functions each user can perform once they gain
    access to the computer. It controls what data
    and programs the user may access.

29
Case in Point: Passwords
  • Surveys show that most passwords are
    no-brainers for hackers trying to break into a
    system.
  • The most common password is the user's own name or
    the name of a child. The second most common
    password is "secret".
  • Other common passwords in order of usage are
  • Stress related words such as deadline or work
  • Sports teams or sports terms like bulls or
    golfer
  • Payday
  • Bonkers
  • The current season (e.g. winter or spring)
  • The user's ethnic group
  • Repeated characters (e.g. bbbbb or AAAAA)
  • Obscenities or sexual terms

30
Data and Application Access Controls
  • Data and application access controls maintain the
    integrity and privacy of data and processes
    within a computer system. They should prevent
    loss, destruction, or access of data and
    applications by unauthorized personnel.
  • Encryption is used to protect highly sensitive
    and confidential data. Encryption is a process
    of encoding data entered into the system, storing
    or transmitting the data in that coded form, and
    then decoding the data when it is used or when it
    arrives at its destination.

31
Reconcile Physical Quantities with Recorded
Quantities
  • Periodically, the physical assets should be
    compared with the assets recorded on the
    financial records. Auditors generally require a
    physical count of inventory on hand to compare
    with the amount reported on the financial
    statements. The same idea should be applied to
    other assets
  • At the end of each sales clerk's shift the amount
    of cash in the cash drawer should be counted and
    compared with the sales total from the cash
    register for the employee's shift.
  • Fixed assets such as computer equipment should be
    tagged with identification numbers and assigned
    to specific employees. At least annually an
    inventory clerk should compare what each employee
    actually has with what they have been issued.
  • Property, plant, equipment, and inventories of
    all types should be counted and the quantities
    compared with the financial records. Any
    differences should be reconciled. Frequently
    this identifies errors and irregularities that
    would never be detected otherwise.

32
Types of Updating Processes
33
Grandparent-Parent-Child Batch Processing Backup
Example
(Flowchart, reconstructed as steps)
  • Journal voucher batch: key in journal voucher
    data, producing the unsorted journal vouchers
    file.
  • Sort vouchers in chart of account order,
    producing the sorted journal vouchers file.
  • Edit input and update master file: the sorted
    journal vouchers are processed against the old
    General Ledger Master (the parent), producing the
    new General Ledger Master (the child), an error
    and exception report, and the retained sorted
    journal vouchers file.
  • Grandparent: the old General Ledger Master from
    the preceding batch process run (not shown on
    this day's run).
  • If we lost the child master file, we could
    process the transaction file against the
    parent master file.
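The grandparent-parent-child scheme in the flow above, as an added Python example that is not part of the original slides: each batch run sorts the vouchers, posts them against the current master to produce a new generation, and keeps three generations together with the transaction file behind each one, so a lost child can be rebuilt by reprocessing the parent. The account numbers, voucher layout and balances are constructed for illustration.

```python
from copy import deepcopy

def sort_vouchers(vouchers: list) -> list:
    """Sort step: put the keyed vouchers in chart-of-account order."""
    return sorted(vouchers, key=lambda v: (v["account"], v["seq"]))

def update_master(master: dict, sorted_vouchers: list) -> tuple:
    """Edit-and-update step: posts each voucher to a copy of the master and
    returns (new master, error and exception report). The old master is never
    modified, which is what lets it serve as the parent backup afterwards."""
    new_master = deepcopy(master)
    exceptions = []
    for v in sorted_vouchers:
        if v["account"] not in new_master:
            exceptions.append((v["seq"], "unknown account"))
            continue
        new_master[v["account"]] = round(new_master[v["account"]] + v["amount"], 2)
    return new_master, exceptions

class GenerationBackups:
    """Retains the child, parent and grandparent masters together with the
    sorted transaction file that produced each one (constructed example)."""
    RETAINED = 3

    def __init__(self, initial_master: dict):
        self.masters = [initial_master]   # oldest generation first
        self.transactions = []            # transactions[i] turned masters[i] into masters[i+1]

    def run_batch(self, vouchers: list) -> list:
        """One batch run: sort, update, rotate generations; returns the exception report."""
        sorted_v = sort_vouchers(vouchers)
        child, exceptions = update_master(self.masters[-1], sorted_v)
        self.masters.append(child)
        self.transactions.append(sorted_v)
        while len(self.masters) > self.RETAINED:   # drop anything older than grandparent
            self.masters.pop(0)
            self.transactions.pop(0)
        return exceptions

    def generation(self, name: str) -> dict:
        return self.masters[{"child": -1, "parent": -2, "grandparent": -3}[name]]

    def recover_child(self) -> dict:
        """Corrective control: rebuild a lost child by reprocessing the retained
        transaction file against the parent master."""
        rebuilt, _ = update_master(self.generation("parent"), self.transactions[-1])
        return rebuilt
```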
34
Rollback and Recovery On-line Processing Backup
Example
35
Field Checks
  • check digit
  • completeness check
  • default value
  • field or mode check
  • range (limit) check
  • validity/set check

36
Record Checks
  • master reference check
  • reasonableness check
  • referential integrity
  • valid sign check

37
Batch Checks
  • sequence check
  • transaction type check
  • batch control totals
  • hash control total
  • financial/numeric total
  • record control total
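The field, record and batch checks listed on slides 35 to 37, applied together to a journal-voucher batch as an added Python example (not from the presentation): a modulus-10 check digit, completeness, range and set checks per field, master-reference and valid-sign checks per record, and sequence, record-count, financial and hash control totals per batch. The chart of accounts, voucher layout, header fields and amount limit are assumptions.

```python
from collections import namedtuple

# Constructed master reference data and batch parameters (assumptions).
CHART_OF_ACCOUNTS = {1000: "Cash", 1200: "Receivables", 4000: "Sales", 5000: "COGS"}
VALID_TYPES = {"JV"}        # validity/set check
AMOUNT_LIMIT = 1_000_000    # range (limit) check
CREDIT_ONLY = {4000}        # valid sign check: revenue is only ever credited
# seq: position in batch; voucher_no: digits ending in a check digit; amount: debit > 0 > credit
Voucher = namedtuple("Voucher", "seq voucher_no txn_type account amount")

def check_digit_ok(number: str) -> bool:
    """Modulus-10 (Luhn) check digit: catches mistyped or transposed digits."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_voucher(v: Voucher) -> list:
    """Field checks (completeness, check digit, range, set) and record checks
    (master reference, valid sign) for one voucher; returns the failed checks."""
    errs = []
    if not v.voucher_no or not v.txn_type:
        errs.append("completeness")
    if not check_digit_ok(v.voucher_no):
        errs.append("check digit")
    if not 0 < abs(v.amount) <= AMOUNT_LIMIT:
        errs.append("range")
    if v.txn_type not in VALID_TYPES:
        errs.append("validity/set")
    if v.account not in CHART_OF_ACCOUNTS:
        errs.append("master reference")
    elif v.account in CREDIT_ONLY and v.amount > 0:
        errs.append("valid sign")
    return errs

def batch_checks(header: dict, vouchers: list) -> list:
    """Batch checks against the control totals keyed on the batch header."""
    errs = []
    if [v.seq for v in vouchers] != list(range(1, len(vouchers) + 1)):
        errs.append("sequence")
    if len(vouchers) != header["record_count"]:
        errs.append("record control total")
    debits = round(sum(v.amount for v in vouchers if v.amount > 0), 2)
    if debits != header["financial_total"]:
        errs.append("financial total")
    if sum(v.account for v in vouchers) != header["hash_total"]:
        errs.append("hash total")   # sum of account numbers: meaningless, but catches dropped records
    return errs

def validate_batch(header: dict, vouchers: list) -> dict:
    """Per-voucher and batch-level failures; both empty means the batch may post."""
    per_voucher = {v.seq: edit_voucher(v) for v in vouchers}
    return {"vouchers": {s: e for s, e in per_voucher.items() if e},
            "batch": batch_checks(header, vouchers)}

# Constructed sample batch: balanced entries whose header totals were keyed separately.
SAMPLE_HEADER = {"record_count": 4, "financial_total": 800.0, "hash_total": 11200}
SAMPLE_BATCH = [
    Voucher(1, "12344", "JV", 1200, 500.0),   # debit Receivables
    Voucher(2, "10017", "JV", 4000, -500.0),  # credit Sales
    Voucher(3, "20008", "JV", 5000, 300.0),   # debit COGS
    Voucher(4, "30007", "JV", 1000, -300.0),  # credit Cash
]
```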

38
File Controls
  • External file labels
  • Internal file labels
  • Lock out procedures
  • Read-only file designation
  • File protection rings

39
Documentation
  • Procedural documentation
  • Systems documentation
  • User manual
  • Application documentation
  • Operator manual
  • Data documentation
  • record layout
  • data dictionary
  • Operating documentation

40
Give Accounting and Information Systems
Organizational Independence
  • To the Extent Possible, Separate Responsibilities
    Within the Information Systems Function
  • Systems Analysis
  • Database Administration
  • Programming
  • Operations
  • Information Systems Library
  • Data control

41
Reporting Instructions - Used to Generate
Queries, Documents, and Reports
  • Access the user output request, along with any
    specifications or parameters. Validate that the
    user should have access to the requested
    information.
  • Determine if a format is stored for the output.
    If so, access the format file. If not, allow the
    user to help specify a format or use a default
    format.
  • Access necessary data from appropriate data pools
    and process it (if necessary).
  • Communicate the output to the screen, printer, or
    computer file and display it in the prescribed
    format.
