For example, in the buying process in an integrated system, a key transaction is often “Create Purchase Order.” This transaction sets up the data about the purchase, and it is carried throughout the process. The controls over future activities, such as making sure that all payments are for authorized purchases, depend on the completeness, accuracy, authorization, and protected storage of that initial transaction. Controls in this example are evidenced throughout the process by checking back to the purchase order and its data, as held on the system and stored in the related database. Application controls (authorization to purchase is the most obvious) also enforce completeness and accuracy to some extent.

To pay the vendor after the item(s) come(s) in and a goods received note is created, the invoice can be matched to both the goods received note and the purchase order. Called a “three-way match,” this is generally considered a strong automated control (as long as the matching data is protected). The payment may be made automatically through EDI (electronic data interchange), EFT (electronic funds transfer), or a debit from a bank account. This helps ensure completeness and accuracy as well as authorization. Completeness can be accomplished through anticipation controls—the system expects a shipment and an invoice for every purchase order created and may continually report outstanding purchase orders until they are cleared—while accuracy can be accomplished through comparison to the original data.

Throughout such integrated system processes, there may be little to no human contact, and control design becomes all the more important. Being able to enter and process one transaction—in this case, the purchase order—without appropriate controls in place could mean the ability to create fictitious vendors (creating vendors should be a process separate from creating purchase orders), make payments to the wrong people, and carry out other fraudulent activities.

AUTHORIZATION:
- Controls to ensure that only appropriate transactions are processed in accordance with management intentions.
- Authorization controls answer the question “Should the transaction be processed at all?”
- Authorization can be granted in many ways by the system, based on user privileges, passwords to authenticate users, access to the server/network, access to the application, access to specific transactions indicated by special codes, and so forth.
- In systems that still have paper-based transactions, authorization typically takes place before processing, but may be built into the system as well.
- Includes the nonrepudiation concept: a user—for example in a Web-based financial transaction—cannot later deny that he or she entered a transaction (authorized by the user), based on codes and other identifiers.
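
The three-way match and the anticipation control described above, sketched in Python as an added example that is not part of the original text. The record fields, the exact-match rule (no tolerances), and the sample orders and vendors are assumptions constructed for illustration.

```python
from collections import namedtuple

# Field names are assumptions for this example; amounts are in cents.
PurchaseOrder = namedtuple("PurchaseOrder", "po_id vendor qty unit_cents authorized")
GoodsReceived = namedtuple("GoodsReceived", "po_id qty")
Invoice = namedtuple("Invoice", "po_id vendor qty amount_cents")

def three_way_match(po, grn, inv):
    """Return exceptions; an empty list means the payment may be released."""
    if po is None:
        return ["no purchase order on file"]
    problems = [] if po.authorized else ["purchase order not authorized"]
    if grn is None or grn.qty != po.qty:
        problems.append("goods received note missing or quantity differs")
    if inv.vendor != po.vendor:
        problems.append("invoice vendor differs from order")
    if (inv.qty, inv.amount_cents) != (po.qty, po.qty * po.unit_cents):
        problems.append("invoice quantity or amount differs from order")
    return problems

def outstanding_orders(orders, receipts, invoices):
    """Anticipation control: each order expects a receipt and an invoice."""
    expected = (("goods received note", receipts), ("invoice", invoices))
    report = {}
    for po_id in orders:
        missing = [name for name, docs in expected if po_id not in docs]
        if missing:
            report[po_id] = missing
    return report

# Constructed sample data (hypothetical vendors and order numbers).
ORDERS = {p.po_id: p for p in (
    PurchaseOrder("PO-1001", "Acme Supply", 10, 2500, True),
    PurchaseOrder("PO-1002", "Acme Supply", 4, 9900, True),
    PurchaseOrder("PO-1003", "Bolt Works", 2, 1500, True))}
RECEIPTS = {g.po_id: g for g in (GoodsReceived("PO-1001", 10), GoodsReceived("PO-1002", 4))}
INVOICES = {i.po_id: i for i in (
    Invoice("PO-1001", "Acme Supply", 10, 25000),
    Invoice("PO-1002", "Acme Suply Ltd", 4, 39600))}

def review(inv):
    """Match one invoice against the stored order and receipt."""
    return three_way_match(ORDERS.get(inv.po_id), RECEIPTS.get(inv.po_id), inv)

if __name__ == "__main__":
    for inv in INVOICES.values():
        print(inv.po_id, review(inv) or "release payment")
    print("outstanding:", outstanding_orders(ORDERS, RECEIPTS, INVOICES))
```

The match is only as strong as the protection of the stored purchase order data it compares against, which is why the order, receipt, and invoice records are looked up from the system rather than taken from the invoice itself.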