Chapter 9

Controlling Information
Systems: Business Process
and Application Controls
Accounting Information Systems 8e
Ulric J. Gelinas and Richard Dull

2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated,
in whole or in part, except for use as permitted in a license distributed with a certain product
or service or otherwise on a password-protected website for classroom use

Learning Objectives
Complete the steps in the control framework
and prepare a control matrix.
Write explanations that describe how the
business process and application controls
introduced in this chapter accomplish control
goals.
Describe the importance of business
process and application controls to
organizations with enterprise systems and
those engaging in e-business.
2

The Control Matrix

The control matrix is a tool designed to
assist in analyzing the effectiveness of
controls (PCAOB Auditing Standard
Number 5 Effectiveness of Control
Design).
Establishes the criteria to be used in
evaluating the controls in a particular
business process.
3

Lenox
Control
Matrix

Control Matrix Explanations

Lenox Company Annotated

Systems Flowchart

Steps in Preparing a Control

Matrix
STEP I: Specify control goals.
1. Identify the Operations Process Goals
a. Effectiveness goals
b. Efficiency goals
c. Security goals

2. Identify Information Process Goals

a. Input Goals
b. Update Goals
7

Operations Process Goals:

Effectiveness Goals
Ensure the successful accomplishment of the goals set forth for the business
process.
Different processes have different effectiveness goals. For Lenoxs cash
receipts process two examples are:

A: Timely deposit of checks.

B : Comply with compensating balance agreements with the

depository bank.

Other possible goals of a cash receipts would be shown as goals C, D,

etc. and described at the bottom of the matrix (in the matrix legend).
With respect to other business processes, such as production, possible
effectiveness goals are :

A: Maintain customer satisfaction by finishing orders on time.

B: Increase market share by ensuring the highest quality of goods.

8

Operations Process Goals:

Efficiency Goals
Ensure that all resources used throughout the
business process are being employed in the
most productive manner.
For Lenoxs cash receipts process, and for all
accounting information systems, people and
computers should always be included in the
efficiency assessment.
For other business processes, such as receiving
goods and supplies, efficiency goals include the
productive use of equipment.
9

Operations Process Goals:

Security Goals
Ensure that entity resources are protected from loss,
destruction, disclosure, copying, sale, or other misuse.
Two resources of the cash receipts process over which
security must be ensured are cash and information
(accounts receivable master data).
With any business process, information that is added,
changed, or deleted as a result of executing the process,
and assets that are brought into or taken out of the
organization as a result of the process are a concern.
Note that the security over hard assets used to execute
business processes, such as computer equipment, trucks,
trailers, and loading docks, is handled through pervasive
controls (discussed in Chapter 7).
10

Information Process Goals:

Input Goals
With respect to all business process data entering the
system, ensure:
input validity (IV)
input completeness (IC)
input accuracy (IA)
With the cash receipts process, concern is with IV, IC and
IA over cash receipts. Lenox uses remittance advices (RA).
Notice that the input data of concern is specifically named.
With respect to other business processes, such as hiring
employees, concern would be with other inputs, such as
employee, payroll, and benefit plan data.
11

Information Process Goals:

Update Goals

Update goals must consider all related information that will be

affected by the input data, including master file and ledger
data.

Ensure:
Update completeness (UC)
Update accuracy (UA)

With the cash receipts information process, accounts

receivable data will be updated by cash receipts.
Cash is debited and customer account is credited.
Accounts receivable master data is listed in the control
matrix.

Other business processes, such as cash payments, would

involve different update concerns, such as vendor, payroll, or
accounts payable master data.
12

Steps in Preparing the Control

Matrix
STEP II: Identify recommend Control
Plans
1. Annotate Present Control Plans
2. Evaluate Present Control Plans
3. Identify and Evaluate Missing
Control Plans
13

Annotate Present Control Plans

Start in the upper left-hand column of the systems flowchart .
Identify the first manual keying symbol, manual process symbol,
or computer process symbol (process related symbols).
Follow the sequential logic of the systems flowchart and identify
all of the process-related symbols.
Each process-related symbol reflects an internal control plan
which is already present.
Recognize that the current control plan may not be working as
effectively as it should. Recommendations may be needed to
strengthen or augment existing control plans.
14

Annotate the Systems Flowchart

Review the flowchart and determine
whether a control is present (P-) or
missing (M-)
Annotate the flowchart
If controls are present, mark P If controls are absent, mark M-

15

Annotating Present Control Plans

a. Review the Lenox systems flowchart (Figure 9.2).
The first process-related symbol is entitled
Endorse checks.
Because this process appears on the flowchart, this
control plan already exists, meaning, it is present as
opposed to missing.
Accordingly, place a P- beside the process, indicating
that is it present, and a 1 beside the P- reflecting the
first present control plan on the flowchart.
As a result, the systems flowchart should be annotated
with a P-1.
16

Annotating Present Control Plans

b. Continue reviewing the systems
flowchart by following its sequential
logic, annotating the flowchart with P2, P-3, and so on until all present
control plans have been accounted
for.

17

Evaluate Present Control Plans

Write numbers (P-1, P-2, P-3 through P-n) and name of each
control plan in the left-hand column of the control matrix.
Start with P-1. Look across the row and determine which
control goals the plan addresses. Place a P-1 in each cell of
the matrix for which P-1 is applicable.
It is possible that a given control plan can attend to more than
one control goal.
Continue this procedure for each of the present control plans.
Simultaneously, in the legend of the matrix, describe how the
control plan addresses each noted control goal.

18

Identify and Evaluate Missing

Control Plans
Determine if additional controls are needed to
address missing control goal areas,
strengthen present control plans, or both.
Look at the control matrix and see if there are
any control goals (operations or information)
for which no present control plan is
addressing. If so, take the steps on the
following slide.
19

Identify and Evaluate Missing

Control Plans

In the left-hand column of the matrix, number the first missing control
plan as M-1 and label or title the plan.

Place M-1 in each cell in the matrix row for which the missing control
is designed.

In the matrix legend, explain how the missing control will address
each noted control goal.

Annotate M-1 on the systems flowchart where the control should be

inserted.

If there are other control goals which no plan has addressed,

develop plan M-2 and repeat the steps. Continue until each control
goal on the matrix is addressed by at least one control plan.

Two missing control plans have been identified for Lenox. More
might exist.
20

Evaluate the Systems Flowchart

Look for areas where further controls are
needed.
Control plans might need to be added or
existing plans might need to be strengthened to
reduce residual risk to an acceptable level.
Training and experience are required to identify
these risks and weaknesses.
Chapters 10 through 16 discuss how to make
critical internal control assessments.
21

Sample Control Plans for Data

Input
1. Manual and automated data entry
2. Data entry with batches of input
data

22

Systems
flowchart:
Manual
And
Automated
Data Entry

23

Control
Matrix for
Automated
and
Manual
Entry

24

Available Control Plans for Data

Input

P-1: Document design

P-2: Written approvals
P-3: Preformatted screens
P-4: Online prompting
P-5: Populate input screen with master data
P-6: Compare input data with master data
25

Available Control Plans for Data

Input (Contd.)
P-7: Procedures for rejected Inputs
P-8: Programmed edit checks
P-9: Confirm input acceptance
P-10: Automated data entry
P-11: Enter data close to the originating
source
P-12: Digital signatures
26

Data Entry with Batches

Data entry with batches involves collecting
inputs into work units called batches; batched
inputs are then keyed into system as a group.
Implies some delay between the economic event
and its reflection in the system.
Allows for controls focusing on the batch, e.g.,
batch control totals (hash or other totals from
batch).
Batch entry is often followed by an exception and
summary report.
27

Batch Control Plans

To be effective, batch control plans should ensure
that:
All documents are included in the batch.
All batches are submitted for processing.
All batches are accepted by the computer.
All differences are disclosed, investigated and
corrected on a timely basis.
Batch control procedures start by grouping event
data and calculating totals for the group. Several
different types of batch control totals can be
calculated as shown on the next two slides.
28

Batch Control Plans

Document/record counts
Simple count of the number of documents entered in a batch.
Minimum level required to control input completeness.
Because a document could be intentionally replaced, this control is
not effective for ensuring input validity.
Input accuracy is not addressed.
Item or line counts
Counts number of items or lines entered, such as a count of the
number of invoices being paid by all customer remittances.
Improves input validity, completeness, and accuracy by reducing the
possibility that line items or entire documents could be added to the
batch or not be input.
A missing event record is a completeness error and a data set
missing from an event record is an accuracy error.

29

Batch Control Plans

Dollar totals
Sum of dollar value of items in batch.
By reducing the possibility that entire documents could be
added to or lost from the batch or that dollar amounts were
incorrectly input, this control improves input validity,
completeness, and accuracy.
Hash totals
Summation of any numeric data existing for all documents in
the batch, such as a total of customer numbers or invoice
numbers in the case of remittance advices.
Hash totals are a powerful control, as they can determine if
inputs have been altered, added, or deleted.
Batch hash totals are, for a batch, similar to document/record
hash totals for individual inputs.
30

System
Flowchart:
Data Entry
with
Batches

31

Control
Matrix for
Data Entry
with
Batches

32

Data Entry with Batches

Control Plans
Present Controls
P-1: Turnaround documents
P-2: Manually reconcile batch totals
P-3: Agree run-to-run totals (reconcile input and output
batch totals)
P-4: Review tickler file (file of pending shipments)
P-5: One-for-one checking (compare picking tickets and
packing slips)
Missing Controls
M-1: Sequence check
M-2: Computer agreement of batch totals
33

Computer Agreement of
Batch Totals

34

Public Key Cryptography and

Digital Signatures

35