
Controlling Information Systems: Business Process Controls


eytan

Presentation Transcript


  1. Controlling Information Systems: Business Process Controls

  2. Learning Objectives • Understand steps in control framework • Know how to prepare control matrix • Comprehend the generic business process control plans introduced in this chapter • Be able to describe how the business process controls accomplish control goals • Appreciate the importance of controls to organizations with enterprise systems • Appreciate the importance of controls to organizations engaging in e-Business

  3. The Control Matrix • The control matrix is a tool designed to assist you in analyzing a systems flowchart and related narrative. • It establishes the criteria to be used in evaluating the controls in a particular business process.

  4. Sample Control Matrix

  5. Available Control Plans for Data Input • 1: Document Design—source document is designed so that it is easy to complete and to key data from • 2: Written Approvals—signature or initials indicating approval of event processing • 3: Preformatted Screens—defines acceptable format for each data field (e.g., 9 numeric characters for SSN) • 4: Online Prompting—requests user input or asks questions, e.g., message box

  6. Available Control Plans for Data Input, Cont’d. • 5: Programmed Edit Checks • Automatically performed by data entry programs upon entry of data • Reasonableness checks (limit checks)—tests input for values within predetermined limits • Document/record hash totals—compares computer total to manually calculated total • Mathematical accuracy checks—compare calculations performed manually to computer calculations, e.g., compare the manually entered invoice total to the computer-calculated total • Check digit verification – a functionally dependent extra digit is appended to a number; if miskeying occurs, a check digit mismatch occurs and the system rejects the input

  7. Available Control Plans for Data Input • 6: Procedures for rejected input—rejected inputs are corrected and resubmitted for processing • 7: Keying corrections—clerk corrects inputs • 8: Interactive feedback checks—computer informs clerk that input has been accepted/rejected • 9: Record input—record is recorded in transaction data rather than being re-keyed at another time • 10: Key verification—data is keyed by two different individuals then compared by the computer
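Control plan 5's programmed edit checks, as an added example that is not part of the original presentation: it applies check digit verification, a limit check and a mathematical accuracy check to one keyed invoice, and an empty result means the input is accepted. The Luhn mod-10 scheme, the field names, the quantity limit and the sample invoices are assumptions; the slides do not name a check-digit algorithm.

```python
from decimal import Decimal

QTY_LIMIT = 500  # assumed reasonableness limit per invoice line


def luhn_check_digit(base: str) -> str:
    """Return the Luhn mod-10 check digit for a string of digits."""
    total = 0
    # Walk right to left, doubling every second digit from the rightmost.
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(number: str) -> bool:
    """True when the last digit matches the digit derived from the rest."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def edit_checks(invoice: dict) -> list:
    """Run the edit checks; an empty list means the input is accepted."""
    rejections = []
    if not check_digit_ok(invoice["customer_no"]):
        rejections.append("check digit mismatch: customer_no")
    for _price, qty in invoice["lines"]:
        if not 0 < qty <= QTY_LIMIT:
            rejections.append(f"limit check: quantity {qty}")
    computed = sum(Decimal(price) * qty for price, qty in invoice["lines"])
    if computed != Decimal(invoice["keyed_total"]):
        rejections.append(f"accuracy check: computed total {computed}")
    return rejections


# Constructed sample input: a clean invoice and one with three keying errors.
GOOD = {"customer_no": "79927398713", "lines": [("19.99", 3), ("5.00", 10)],
        "keyed_total": "109.97"}
BAD = {"customer_no": "79927398731",             # last two digits transposed
       "lines": [("19.99", 3), ("5.00", 1000)],  # quantity miskeyed
       "keyed_total": "109.97"}                  # total no longer matches lines

if __name__ == "__main__":
    for name, inv in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, edit_checks(inv) or "accepted")
```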

  8. Recommended Control Plans with Master Data • 11: Enter data close to originating source • Input data is entered directly and immediately; this reduces input costs, inputs are less likely to be lost, and errors are less likely and can be more easily corrected • Online transaction entry (OLTE), online real-time processing (OLRT), and online transaction processing (OLTP) are all examples of this processing strategy. • 12: Digital signatures • Authenticate that the sender of the message has the authority to send it and detect messages that have been altered in transit • An application of public key cryptography involving the use of a private encryption key to “sign” the data transmitted

  9. Recommended Control Plans with Master Data • 13: Populate input with master data • User enters an entity’s ID code and the system then retrieves certain data about that entity from existing master data. • User might be prompted to enter the customer ID (code). • By accessing the customer master data, the system automatically provides data such as the customer’s name and address, the salesperson’s name, and the sales terms. • This reduces the number of keystrokes required, making data entry quicker, more accurate, and more efficient. • Therefore, the system automatically populates input fields with existing data

  10. Recommended Control Plans with Master Data • 14: Compare input data with master data—the system compares inputs with standing (master) data to ensure their accuracy and validity • Input/master data dependency checks • These edits test whether the contents of two or more data elements or fields on an event description bear the correct logical relationship. • For example, input sales events can be tested to determine whether the salesperson works in the customer’s territory. • If these two items don’t match, there is some evidence that the customer number or the salesperson identification was input erroneously. • Input/master data validity and accuracy checks • These edits test whether master data supports the validity and accuracy of the input. • For example, this edit might prevent the input of a shipment when no record of a corresponding customer order exists. • If no match is made, we may have input some data incorrectly, or the shipment might simply be invalid. • We might also compare elements within the input and master data.

  11. Data Entry with Batches • Data entry with batches involves collecting inputs into work units called batches; batched inputs are then keyed into the system as a batch • Implies some delay between the economic event and its reflection in the system • Allows for controls focusing on the batch, e.g., batch control totals (hash or other totals from batch) • Batch entry is often followed by an exception and summary report

  12. Batch Control Plans • Batch control procedures start by grouping event data and calculating totals for the group. Several different types of batch control totals can be calculated: • Document/record counts are simple counts of the number of documents entered in a batch • This procedure represents the minimum level required to control input completeness. • Because one document could be intentionally replaced with another, this control is not effective for ensuring input validity and says nothing about input accuracy. • Item or line counts • Counts number of items or lines entered, such as a count of the number of invoices being paid by all the customer remittances. • By reducing the possibility that line items or entire documents could be added to the batch or not be input, this control improves input validity, completeness, and accuracy. • Remember, a missing event record is a completeness error and a data set missing from an event record is an accuracy error. • Dollar totals • Sum of dollar value of items in batch • By reducing the possibility that entire documents could be added to or lost from the batch or that dollar amounts were incorrectly input, this control improves input validity, completeness, and accuracy. • Hash totals • Are a summation of any numeric data existing for all documents in the batch, such as a total of customer numbers or invoice numbers in the case of remittance advices. • Unlike dollar totals, hash totals normally serve no purpose other than control. • Hash totals can be a powerful batch control because they can determine if inputs have been altered, added, or deleted. • These batch hash totals operate for a batch in a manner similar to the operation of document/record hash totals for individual inputs.

  13. P-1: use of turnaround documents • Turnaround documents are used to capture and input a subsequent event. • Picking tickets, inventory count cards, remittance advice stubs attached to customer invoices, and payroll time cards are all examples of turnaround documents. • For example, we have seen picking tickets that are printed by the computer, used to pick the goods, and sent to shipping where the bar code on the picking ticket is scanned to trigger the recording of the shipment.

  14. P-2: batch totals control • Calculation of batch totals ensures that the data input arises from legitimate events (input validity) and that all events in the batch are captured (input completeness).

  15. P-3: Reconciliation of Batch Totals • The manual reconciliation of batch totals control plan operates in the following manner: • a. First, one or more of the batch totals are established manually • b. As individual event descriptions are scanned, the data entry program accumulates independent batch totals. • c. The computer produces reports (or displays) with the relevant control totals that must be manually reconciled to the totals established prior to the particular process. • d. The person who reconciles the batch total must determine why the totals do not agree and make corrections as necessary to ensure the integrity of the input data

  16. P-4: Reconcile input and output batch totals (agreement of run-to-run totals) • This is a variation of the agreement of batch totals controls. • With agreement of run-to-run totals, totals prepared before a computer process has begun are compared, manually or by the computer, to totals prepared at the completion of the computer process. • These post-process controls are often found on an error and summary report. • When totals agree, we have evidence that the input and the update took place correctly. • This control is especially useful when there are several intermediate steps between the beginning and the end of the process and we want to be assured of the integrity of each process.

  17. P-5: use of tickler file and one-for-one checking • This has two purposes: • One is to ensure that all picking tickets are linked to an associated packing slip, • The other is to ensure that all items on related picking tickets and packing slips match. • We regularly review a tickler file, to clear items from that file. • Tickler files may be digitized reflecting events that need to be completed, such as open sales orders, open purchase orders, and so forth. • Should tickler file documents remain in the file too long, the person or computer monitoring will determine the nature and extent of the delay. • Picking tickets are compared to their associated packing slips using one-for-one checking to determine that they agree. • Differences may indicate errors in input or update. • This procedure provides us detail as to what is incorrect within a batch. • Being very expensive to perform, one-for-one checking should be reserved for low-volume, high-value events.

  18. P-6: Automated Sequence Checks • Whenever documents are numbered sequentially, a sequence check can be automatically applied to those documents. • Batch sequence checks work best when we can control the input process and the serial numbers of the input data, such as payroll checks. • In a batch sequence check, the event data within a batch are checked as follows: • a. The range of serial numbers constituting the batch is entered. • b. Each individual, serially pre-numbered event data is entered. • c. The computer program sorts the event data into numerical order; checks the documents against the sequence number range; and reports missing, duplicate, and out-of-range event data. • Cumulative sequence check provides input control when the serial numbers are not entered in sequence (i.e., picking tickets might contain broken sets of numbers). • Matching of individual event data (picking ticket #s) is made to a file that contains all document numbers (all sales order numbers). • Periodically, reports of missing numbers are produced for manual follow-up. • Reconciling a checkbook is another example of a situation where the check numbers are issued in sequence. • However, the bank statement we receive may not contain a complete sequence of checks. • Our check register assists us in performing a cumulative sequence check to make sure that all checks are eventually cleared.
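The two sequence checks of P-6, as an added example that is not part of the original presentation: a batch sequence check that reports missing, duplicate and out-of-range serial numbers, and a cumulative sequence check that matches numbers arriving out of order against a file of issued numbers. The function and class names and all serial numbers are assumptions constructed for illustration.

```python
from collections import Counter


def batch_sequence_check(first: int, last: int, entered: list) -> dict:
    """Batch sequence check: compare keyed serial numbers to the batch range."""
    counts = Counter(entered)
    in_range = set(range(first, last + 1))
    return {
        "missing": sorted(in_range - set(counts)),
        "duplicate": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if n not in in_range),
    }


class CumulativeSequenceCheck:
    """Match event data arriving in any order against all issued numbers."""

    def __init__(self, issued):
        self.outstanding = set(issued)  # issued numbers not yet matched
        self.matched = set()
        self.exceptions = []            # (number, reason) for manual follow-up

    def enter(self, number: int) -> None:
        if number in self.outstanding:
            self.outstanding.remove(number)
            self.matched.add(number)
        elif number in self.matched:
            self.exceptions.append((number, "duplicate"))
        else:
            self.exceptions.append((number, "never issued"))

    def missing_report(self) -> list:
        """Periodic report of issued numbers with no matching event yet."""
        return sorted(self.outstanding)


# Constructed sample data: payroll checks 1001-1010 keyed as one batch.
KEYED = [1001, 1002, 1004, 1004, 1005, 1006, 1007, 1009, 1010, 1100]

if __name__ == "__main__":
    print(batch_sequence_check(1001, 1010, KEYED))
    picking = CumulativeSequenceCheck(range(5001, 5011))  # constructed numbers
    for ticket in [5003, 5001, 5007, 5002, 5007, 5999]:   # broken sets over time
        picking.enter(ticket)
    print(picking.missing_report(), picking.exceptions)
```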

  19. P-7: Computer Agreement of Batch Totals • The computer agreement of batch totals plan works in the following manner: • a. First, one or more of the batch totals are established manually (i.e., in the user department in Figure 9.9). • b. Then, the manually prepared total is entered into the computer and is written to the computer batch control totals data. • c. As individual event descriptions are entered, a computer program accumulates independent batch totals and compares these totals to the ones prepared manually and entered at the start of the processing. • d. The computer prepares a report, which usually contains details of each batch, together with an indication of whether the totals agreed or disagreed. • Batches that do not balance are normally rejected, and discrepancies are manually investigated and included in a summary report
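The batch control totals from slide 12 and the computer agreement procedure of P-7, as an added example that is not part of the original presentation: the program accumulates its own totals from the entered remittance advices and compares them with the manually prepared ones. The field names and sample batch are constructed; the substituted batch shows a swapped document passing the count and dollar totals while the hash total of customer numbers disagrees.

```python
from decimal import Decimal


def batch_totals(documents: list) -> dict:
    """Accumulate the four kinds of batch control total from entered documents."""
    amounts = (Decimal(amt) for d in documents for _inv, amt in d["invoices"])
    return {
        "document_count": len(documents),
        "line_count": sum(len(d["invoices"]) for d in documents),
        "dollar_total": sum(amounts, Decimal("0")),
        "hash_total": sum(d["customer_no"] for d in documents),
    }


def computer_agreement(manual: dict, documents: list) -> dict:
    """Compare manual totals with computed ones; any difference rejects the batch."""
    computed = batch_totals(documents)
    disagree = {name: (manual[name], computed[name])
                for name in manual if manual[name] != computed[name]}
    return {"accepted": not disagree, "disagreements": disagree}


# Constructed sample batch of remittance advices: (invoice number, amount paid).
BATCH = [
    {"customer_no": 1041, "invoices": [(88001, "250.00"), (88002, "75.50")]},
    {"customer_no": 2210, "invoices": [(88010, "1200.00")]},
    {"customer_no": 3307, "invoices": [(88015, "40.25"), (88016, "310.00")]},
]
# Totals prepared manually in the user department before entry.
MANUAL = {"document_count": 3, "line_count": 5,
          "dollar_total": Decimal("1875.75"), "hash_total": 6558}
# Same batch with the second document replaced by one for another customer.
SUBSTITUTED = [BATCH[0],
               {"customer_no": 2291, "invoices": [(88010, "1200.00")]},
               BATCH[2]]

if __name__ == "__main__":
    print(computer_agreement(MANUAL, BATCH))
    print(computer_agreement(MANUAL, SUBSTITUTED))
    # A document count alone does not notice the substitution.
    print(computer_agreement({"document_count": 3}, SUBSTITUTED))
```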
