Chapter 9

Controlling Information Systems: Business Process and Application Controls

Accounting Information Systems 7e


Ulric J. Gelinas and Richard Dull

Copyright © 2008 Thomson Southwestern, a part of The Thomson Corporation. Thomson, the Star logo, and
South-Western are trademarks used herein under license.

Learning Objectives
• Complete the steps in the control framework
and prepare a control matrix.
• Write explanations that describe how the
business process and application controls
introduced in this chapter accomplish control
goals.
• Describe the importance of business
process and application controls to
organizations with enterprise systems and
those engaging in e-Business.
The Control Matrix
• The control matrix is a tool designed to
assist you in analyzing the effectiveness
of controls (PCAOB Auditing standard
#2 – “Effectiveness of Control Design”)
• It establishes the criteria to be used in
evaluating the controls in a particular
business process.

Sample Control Matrix
Control Goals of the Lenox Cash Receipts Business Process

Control goals of the operations process (a):
• Ensure effectiveness of operations (columns A and B)
• Ensure efficient employment of resources (e.g., people and computers)
• Ensure security of resources (e.g., checks and AR data)
Control goals of the information process (a):
• For the remittance advice inputs, ensure: IV, IC, IA
• For the AR master data, ensure: UC, UA

| Recommended control plans (b) | A | B | Efficiency | Security | IV | IC | IA | UC | UA |
|---|---|---|---|---|---|---|---|---|---|
| Present Controls | | | | | | | | | |
| P-1: Immediately endorse incoming checks | | | | P-1 (c) | | | | | |
| P-2: Compare input (remittance advices [RAs]) with master data (AR master data) | P-2 | P-2 | | | P-2 | | P-2 | | |
| Missing Controls | | | | | | | | | |
| M-1: Immediately separate checks and RAs | | | | | | | | | |
| M-2: Compare checks and RAs | | | | | | | | | |

Lenox Company Annotated Systems Flowchart
[Figure: annotated systems flowchart with columns Mailroom, Accounts Receivable, Computer, and Cashier, annotated with control plans P-1, P-2, M-1, and M-2. Legend: RA = Remittance advice.]

Steps in Preparing Control Matrix
I. Specifying control goals represents
the first step in building a control
matrix. The goals are listed across the
top row of the matrix.
1. Identify the operations process goals
a. Effectiveness goals
b. Efficiency goals
c. Security goals
2. Identify Information Process Goals
a. Input Goals
b. Update Goals

Operations Process Goals: Effectiveness Goals
i. Ensure the successful accomplishment of the goals set forth for
the business process
ii. Different processes have different effectiveness goals. For
Lenox’s cash receipts process we include only two examples
here:
– A — Timely deposit of checks
– B — Comply with compensating balance agreements with the
depository bank
– Other possible goals of a cash receipts process would be shown as
goals C, D, and so forth, and described at the bottom of the
matrix (in the matrix legend).
iii. With respect to other business processes, such as production,
we might be concerned with effectiveness goals related to the
following:
– Goal A—to maintain customer satisfaction by finishing
production orders on time.
– Goal B—to increase market share by ensuring the highest
quality of finished goods.

Operations Process Goals: Efficiency Goals
i. The purpose of efficiency control goals of the operations
process is to ensure that all resources used throughout
the business process are being employed in the most
productive manner
ii. In parentheses, notice that we have listed two resources
of the cash receipts process for which efficiency is
applicable—people and computers.
• In fact, people and computers would always be considered in
the efficiency assessments related to accounting information
systems.
iii. In other business processes, such as receiving goods
and supplies, we might also be concerned with the
productive use of equipment such as trucks, forklifts,
and hand-held scanners.

Operations Process Goals: Security Goals
i. The purpose of security control goals of the operations process
is to ensure that entity resources are protected from loss,
destruction, disclosure, copying, sale, or other misuse.
ii. In parentheses, we have included two resources of the cash
receipts process over which security must be ensured—cash
and information (accounts receivable master data).
• With any business process, we are concerned with information that is
added, changed, or deleted as a result of executing the process, as well
as assets that are brought into or taken out of the organization as a
result of the process, such as cash, inventory, and fixed assets.
iii. With regard to other business processes, such as shipping, we
might include customer master data and shipping data.
• Note: The security over hard assets used to execute business
processes, such as computer equipment, trucks, trailers, and loading
docks, is handled through pervasive controls (discussed in Chapter 7).

Information Process Goals: Input Goals
i. With respect to all business process data entering the
system, the purpose of input goals of the information
process is to ensure:
• input validity (IV)
• input completeness (IC) and
• input accuracy (IA).
ii. With the cash receipts process, we are concerned with
input validity, accuracy, and completeness over cash
receipts
• Here, they are in the form of remittance advices
• Notice that we specifically name the input data of concern in
parentheses.
iii. With respect to other business processes, such as hiring
employees, we would be concerned with other inputs,
such as employee, payroll, and benefit plan data.

Information Process Goals: Update Goals
i. Update goals must consider all related information that will
be affected by the input data, including master file data and
ledger data. For the business process input data, the
purpose of update control goals of the information process
is to ensure:
• The update completeness (UC) and
• Update accuracy (UA)
ii. With regard to the cash receipts information process, we
recognize that the accounts receivable data will be updated
by cash receipts
• Cash received reflects the debit and the customer account reflects the
credit.
• Notice that we list accounts receivable master data in the control
matrix.
iii. Other business processes, such as cash payments, would
involve different update concerns, such as vendor, payroll,
or accounts payable master data.

Steps in Preparing the Control Matrix

II. Recommending Control Plans


1. Annotating “Present” Control Plans
2. Evaluating “Present” Control Plans
3. Identifying and Evaluating “Missing”
Control Plans

Annotating Present Control Plans
• Start on the upper left-hand column of the systems
flowchart and spot the first manual keying symbol, manual
process symbol, or computer process symbol (process
related symbols)
• Then, follow the sequential logic of the systems flowchart
and identify all of the process-related symbols.
• Each process-related symbol reflects an internal control
plan which is already present.
• It is important to recognize that while a control plan may be
present, it may not be working as effectively as it should;
thus, you might recommend ways to strengthen or augment
existing control plans

Annotate the Process Flow Chart
• Review the flowchart and determine
whether a control is present (P-) or
missing (M-)
• Annotate the flowchart
– If controls are present, mark P-
– If controls are absent, mark M-

Annotating Present Control Plans
a. Reviewing the Lenox systems flowchart (Figure
9.2), you will find that the first process-related
symbol is entitled “Endorse checks.”
– Because this process appears on the flowchart, this
control plan already exists, meaning, it is present as
opposed to missing.
– Accordingly, place a P- beside the process, indicating
that it is present, and a 1 beside the P- reflecting the
first present control plan on the flowchart.
– As a result, you should have annotated the systems
flowchart with a P-1.

Annotating Present Control Plans
b. Continue reviewing the systems flowchart by following its sequential logic, annotating the flowchart with P-2, P-3, and so on until you have accounted for all present control plans.

Evaluating “Present” Control Plans:
• Write number (P-1, P-2, P-3 through P-n) and name of
each control plan in the left-hand column of the control
matrix.
• Then, starting with P-1, look across the row and determine
which control goals the plan addresses and place a P-1 in
each cell of the matrix for which P-1 is applicable.
• It is possible that a given control plan can attend to more
than one control goal.
• Continue this procedure for each of the present control
plans.
• Simultaneously, in the legend of the matrix, describe how
the control plan addresses each noted control goal.

Identifying and Evaluating “Missing” Control Plans:
• The next step in recommending control
plans is to determine if additional
controls are needed to address missing
control goal areas, strengthen present
control plans, or both.

Identifying and Evaluating “Missing” Control Plans:
• Examining the controls matrix: The first place to start is to look at the
control matrix and see if there are any control goals (operations or
information) that no present control plan addresses.
• If so, you need to do the following:
i. In the left-hand column of the matrix, number the first missing control plan
as M-1 and label or title the plan.
ii. Across the matrix row, place M-1 in each cell for which the missing control
is designed.
iii. In the legend of the matrix, explain how the missing control will address
each noted control goal.
iv. On the systems flowchart, annotate M-1 where the control should be
inserted.
v. If there are still control goals that no control plan has addressed,
develop another plan (M-2) and repeat the four previous steps (i through
iv). Continue this procedure until each control goal on the matrix is
addressed by at least one control plan.
• With regard to Lenox, we have noted two missing control plans in the
sample control matrix for the Cash Receipts Business Process
• M-1 and M-2, although more might exist

Evaluating the systems flowchart:
• Even though all of the control goals on the matrix are now
addressed, closely review the systems flowchart one more
time.
• Look for areas where further controls are needed.
• Even when all control goals on the matrix have one or
more associated control plans, we might have to add
more control plans or strengthen existing plans to reduce
residual risk to an acceptable level in certain areas.
• It takes training and experience to spot risks and
weaknesses of this nature
• In Chapters 10 through 16 you will learn more about how to
make such critical internal control assessments.

Causeway Control Matrix
Control Goals of the Causeway cash receipts process

Control goals of the operations process:
• Ensure effectiveness of operations (columns A and B)
• Ensure efficient employment of resources (people, computers)
• Ensure security of resources (cash, AR master data)
Control goals of the information process:
• For the remittance advice inputs (i.e., cash receipts), ensure: IV, IC, IA
• For the accounts receivable master data, ensure: UC, UA

| Recommended control plans | A | B | Efficiency | Security | IV | IC | IA | UC | UA |
|---|---|---|---|---|---|---|---|---|---|
| Present Controls | | | | | | | | | |
| P-1: Immediately endorse incoming checks | | | | P-1 | | | | | |
| P-2: Compare checks and RAs | | | | | P-2 | | P-2 | | |
| P-3: Preformatted screens | P-3 | P-3 | P-3 | | | | P-3 | | |
| P-4: Online prompting | P-4 | P-4 | P-4 | | | | P-4 | | |
| P-5: Programmed edit checks | P-5 | P-5 | P-5 | | | | P-5 | | |
| P-6: Manual agreement of RA batch totals | | | | P-6 | P-6 | P-6 | P-6 | P-6 | P-6 |
| P-7: Manual agreement of deposit batch totals | | | | P-7 | P-7 | P-7 | P-7 | | |
| Missing Controls | | | | | | | | | |
| M-1: Turnaround documents | M-1 | M-1 | M-1 | | | | M-1 | | |
| M-2: Enter cash receipts in the mailroom | M-2 | M-2 | M-2 | | | M-2 | M-2 | | |
| M-3: Computer agreement of batch totals | M-3 | M-3 | M-3 | | M-3 | M-3 | M-3 | M-3 | M-3 |

Sample Control Plans for Data Input
1. Manual and automated data entry
2. Data entry with batches of input data

Manual and Automated Data Entry
[Figure: systems flowchart with columns Data entry clerk, Central computer (server), Internal party input source, and Web server, annotated with control plans P-1 through P-12.]

Control Matrix for Automated and Manual Entry
Control Goals of the (blank) Business Process

Control Goals of the Operations Process:
• Ensure Effectiveness of Operations (column A and one unlabeled column)
• Ensure Efficient Employment of Resources (people, computers)
• Ensure Security of Resources (event data, assets)
Control Goals of the Information Process (a):
• For the (blank) inputs, ensure: IV, IC, IA
• For the (blank) master data, ensure: UC, UA

| Recommended Control Plans | A | | Efficiency | Security | IV | IC | IA | UC | UA |
|---|---|---|---|---|---|---|---|---|---|
| Present Controls | | | | | | | | | |
| P-1: Document design | P-1 | | P-1 | | | | P-1 | | |
| P-2: Written approvals | | | | P-2 | P-2 | | | | |
| P-3: Preformatted screens | P-3 | | P-3 | | | | P-3 | | |
| P-4: Online prompting | P-4 | | P-4 | | | | P-4 | | |
| P-5: Populate input screen with master data | P-5 | | P-5 | | P-5 | | P-5 | | |
| P-6: Compare input data with master data | P-6 | | P-6 | | P-6 | | P-6 | | |
| P-7: Procedures for rejected inputs | | | | | | P-7 | P-7 | | |
| P-8: Programmed edit checks | P-8 | | P-8 | P-8 | P-8 | | P-8 | | |
| P-9: Confirm input acceptance | | | | | | P-9 | | | |
| P-10: Automated data entry | P-10 | | P-10 | | | | P-10 | | |
| P-11: Enter data close to the originating source | P-11 | | P-11 | | | P-11 | P-11 | | |
| P-12: Digital signatures | | | | P-12 | P-12 | | P-12 | | |
| Missing Controls | | | | | | | | | |
| None noted | | | | | | | | | |

Available Control Plans for Data Input
• P-1: Document design
• P-2: Written approvals
• P-3: Preformatted screens
• P-4: Online prompting
• P-5: Populate input screen with master
data
• P-6: Compare input data with master
data

Available Control Plans for Data Input, Cont’d.
• P-7: Procedures for rejected inputs
• P-8: Programmed edit checks
• P-9: Confirm input acceptance
• P-10: Automated data entry
• P-11: Enter data close to the
originating source
• P-12: Digital signatures

Data Entry with Batches
• Data entry with batches involves collecting
inputs into work units called batches; batched
inputs are then keyed into system as a batch
– Implies some delay between the economic event
and its reflection in the system
– Allows for controls focusing on the batch, e.g.,
batch control totals (hash or other totals from
batch)
– Batch entry is often followed by an exception and
summary report

Data Entry with Batches System Flowchart
Figure 9-5 – system flowchart here

Data Entry with Batches Control Matrix
Control Goals of the Shipping Business Process

Control Goals of the Operations Process:
• Ensure Effectiveness of Operations (column A)
• Ensure Efficient Employment of Resources (people, computers)
• Ensure Security of Resources (inventory, AR master data)
Control Goals of the Information Process:
• For the picking ticket inputs, ensure: IV, IC, IA
• For the AR master data, ensure: UC, UA

| Recommended Control Plans | A | Efficiency | Security | IV | IC | IA | UC | UA |
|---|---|---|---|---|---|---|---|---|
| Present Controls | | | | | | | | |
| P-1: Turnaround documents | P-1 | P-1 | | P-1 | | P-1 | | |
| P-2: Manually reconcile batch totals | | | | P-2 | P-2 | P-2 | | |
| P-3: Agree run-to-run totals (reconcile input and output batch totals) | | | P-3 | P-3 | P-3 | P-3 | P-3 | P-3 |
| P-4: Review tickler file (file of pending shipments) | P-4 | | | | P-4 | | | |
| P-5: One-for-one checking (compare picking tickets and packing slips) | | | P-5 | P-5 | P-5 | P-5 | P-5 | P-5 |
| Missing Controls | | | | | | | | |
| M-1: Key verification | | | | | | M-1 | | |
| M-2: Sequence check | | | | M-2 | M-2 | | | |
| M-3: Computer agreement of batch totals | M-3 | M-3 | | M-3 | M-3 | M-3 | | |

Data Entry with Batches Control Plans
Present Controls
• P-1: Turnaround documents
• P-2: Manually reconcile batch totals
• P-3: Agree run-to-run totals (reconcile input and
output batch totals)
• P-4: Review tickler file (file of pending shipments)
• P-5: One-for-one checking (compare picking tickets
and packing slips)
Missing Controls
• M-1: Key verification
• M-2: Sequence check
• M-3: Computer agreement of batch totals

Batch Control Plans
• Batch control plans, to be effective,
should ensure that:
– All documents are included in batch
– All batches are submitted for processing
– All batches are accepted by computer
– All differences are disclosed, investigated
and corrected on a timely basis

Batch Control Plans
• Batch control procedures start by grouping event data and calculating totals for
the group: Several different types of batch control totals can be calculated
– Document/record counts are simple counts of the number of documents entered in a
batch
• This procedure represents the minimum level required to control input completeness.
• Because one document could be intentionally replaced with another, this control is not
effective for ensuring input validity and says nothing about input accuracy.
– Item or line counts
• Counts number of items or lines entered, such as a count of the number of invoices being
paid by all the customer remittances.
• By reducing the possibility that line items or entire documents could be added to the batch
or not be input, this control improves input validity, completeness, and accuracy.
• Remember, a missing event record is a completeness error and a data set missing from an
event record is an accuracy error.
– Dollar totals
• Sum of dollar value of items in batch
• By reducing the possibility that entire documents could be added to or lost from the batch
or that dollar amounts were incorrectly input, this control improves input validity,
completeness, and accuracy.
– Hash totals
• Are a summation of any numeric data existing for all documents in the batch, such as a
total of customer numbers or invoice numbers in the case of remittance advices.
• Unlike dollar totals, hash totals normally serve no purpose other than control.
• Hash totals can be a powerful batch control because they can determine if inputs have
been altered, added, or deleted.
• These batch hash totals operate for a batch in a manner similar to the operation of
document/record hash totals for individual inputs.
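
An added example (not from the textbook or the slides) of the four batch control totals above and a computer agreement of batch totals, written in Python. The field names, function names and sample remittance advices are constructed for illustration; the hash total here sums customer numbers. It shows a substituted document passing the count and dollar totals but failing the hash total.

```python
from decimal import Decimal


def batch_totals(batch):
    """Compute the four batch control totals for a batch of remittance advices."""
    lines = [line for ra in batch for line in ra["lines"]]
    return {
        "record_count": len(batch),   # documents in the batch
        "line_count": len(lines),     # invoices being paid
        "dollar_total": sum((Decimal(amount) for _, amount in lines), Decimal("0")),
        "hash_total": sum(ra["customer_no"] for ra in batch),  # used for control only
    }


def agree_batch_totals(control_totals, batch_as_keyed):
    """Return the names of totals that disagree; an empty list means accepted."""
    computed = batch_totals(batch_as_keyed)
    return sorted(k for k, v in control_totals.items() if computed[k] != v)


# Constructed sample batch: each RA lists (invoice number, amount) lines.
MAILROOM_BATCH = [
    {"customer_no": 10432, "lines": [(88101, "250.00"), (88117, "125.50")]},
    {"customer_no": 20977, "lines": [(88140, "980.00")]},
    {"customer_no": 31208, "lines": [(88152, "40.25"), (88153, "310.00")]},
]
# Control totals calculated when the batch is assembled, before keying.
CONTROL_TOTALS = batch_totals(MAILROOM_BATCH)

# One document replaced by another with the same line count and amount.
SUBSTITUTED = [MAILROOM_BATCH[0],
               {"customer_no": 55555, "lines": [(99001, "980.00")]},
               MAILROOM_BATCH[2]]
# Amount 980.00 keyed as 890.00.
MISKEYED = [MAILROOM_BATCH[0],
            {"customer_no": 20977, "lines": [(88140, "890.00")]},
            MAILROOM_BATCH[2]]
# Last document lost before keying.
DROPPED = MAILROOM_BATCH[:2]

if __name__ == "__main__":
    print("control totals:", CONTROL_TOTALS)
    for name, keyed in [("substituted", SUBSTITUTED), ("miskeyed", MISKEYED),
                        ("dropped", DROPPED)]:
        print(name, "->", agree_batch_totals(CONTROL_TOTALS, keyed) or "accepted")
```

Any non-empty result corresponds to a difference that must be disclosed, investigated and corrected before the batch is accepted.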