CONTROLLING INFORMATION SYSTEMS:

Introduction to Enterprise Management and Internal Control


Organizational Governance
It is the process by which organizations select objectives, establish processes to
achieve objectives, and monitor performance.
Objective setting includes defining mission, vision, purpose and strategies to
establish relationships.
Mission - A written declaration of an organization's core purpose and focus that
normally remains unchanged over time.
Vision - A description of what an organization would like to achieve or
accomplish in the mid-term or long-term future.
Enterprise Risk Management
It is the process effected by an entity's board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity
objectives.
Components of Enterprise Risk Management:
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
Internal Control
It is a process effected by an entity's board of directors, management, and other
personnel designed to provide reasonable assurance regarding the achievement
of objectives.
Control Matrix
It is a tool designed to assist you in evaluating the potential effectiveness of
controls in a business process by matching control goals with relevant control
plans.
Control Goals:
1. Ensure effectiveness of operations by achieving selected goals for the
operations process.
2. Ensure efficient employment of resources. (ex: people, computers)
3. Ensure security of resources. (ex: cash, data assets, inventory)
4. Ensure input validity.
5. Ensure input completeness.
Comp4 (Accounting Information System)

6. Ensure input accuracy.
7. Ensure update completeness.
8. Ensure update accuracy.
Control Hierarchy
The Control Environment - Overall policies and procedures that demonstrate an
organization's commitment to the importance of control.
Pervasive Control Plans - Address multiple goals and apply to many processes.
Business Process Control Plans - Relate to specific AIS process or to the
technology used to implement the process.

CONTROLLING INFORMATION SYSTEMS:


Introduction to Pervasive Controls


Personnel Policy Control Plans
Policy
It is a plan or process put in place to guide and thus achieve goals.
Policies differ from rules or law.
They merely guide behavior toward the actions that are most likely to achieve desired
goals.
Selection and Hiring Control Plans
Candidates applying for positions should be carefully screened, selected and
hired.
Retention Control Plans
Companies should make every effort to provide creative and challenging work
opportunities and when possible to offer open channels to management-level
positions.
Personnel Development Control Plans
Training must be regular.
Background should be rectified through proper training or education.
Identify opportunities for training and for personal growth.
Personnel Management Control Plans
1. Personnel Planning Control Plans
2. Job Description Control Plans
3. Supervision Control Plans
4. Personnel Security Control Plans
Rotation of Duties - It is a policy that requires an employee to alternate jobs
periodically.
Forced Vacations - It is a policy that requires an employee to take leave from the
job or substitutes another employee in his or her place.
Personnel Termination Control Plans
It defines the set of procedures a company follows when an employee voluntarily
(retire or resign) or involuntarily (laid off or fired) leaves an organization.
Monitoring Control Plans
Monitoring
It is the assessment by management to determine whether the control plans in
place are continuing to function appropriately over time.
It is used to correct identified problems.
IT Governance
It is a process that ensures that the enterprise's IT sustains and extends the
organization's strategies and objectives.
IT Organizations
It is the department or function that develops and operates an organization's
information system.
The function (department) is composed of people, procedures, and equipment,
and it is typically called IS Department or IT Department.
COBIT Framework
Stands for Control Objectives for Information and Related Technology.
It was developed by the IT Governance Institute to provide guidance to managers,
users and auditors on the best practices for the management of information
technology.
COBIT's Four Broad IT Control Process Domains:
1. Plan and Organize Domain
It consists of the processes to develop the strategy and tactics for realizing
an organization's IT strategy.
The goal of the processes is to identify ways that IT can best
contribute to the achievement of the organization's objectives.
It also includes processes that identify and address threats and IT
requirements to address those threats.
IT Process 1: Establish Strategic Vision for Information Technology
IT Process 2: Develop Tactics to Plan, Communicate and Manage
Realization of the Strategic Vision
2. Acquire and Implement Domain
Processes within the domain are designed to identify, develop or
acquire and implement IT solutions.
It also includes changes to existing systems.
It also includes Systems Development Life Cycle (SDLC).
IT Process 3: Identify Automated Solutions
IT Process 4: Develop and Acquire IT Solutions
IT Process 5: Integrate IT Solutions into Operational Processes
IT Process 6: Manage Changes to Existing IT Systems
3. Deliver and Support Domain
It includes processes to deliver required IT services efficiently and
effectively.
IT Process 7: Deliver Required IT Services
IT Process 8: Ensure Security and Continuous Service
IT Process 9: Provide Support Services
4. Monitor and Evaluate Domain
Monitoring involves two phases:
First: Putting controls in place to periodically follow up on the
operation of control plans.
Second: Ensuring that appropriate communications are taking
place.
IT Process 10: Monitor and Evaluate the Processes

CONTROLLING INFORMATION SYSTEMS:


Business Process and Application Controls
The Control Framework
The Control Matrix - It is a tool designed to assist you in evaluating the potential
effectiveness of controls in a particular business process by matching control goals with
relevant control plans.
Steps in Preparing Control Matrix:
A. Specifying Control Goals
1. Identifying operations process goals.
Effectiveness Goals
Efficiency Goals
Security Goals
2. Identifying information process goals.
Input Goals
Update Goals
B. Recommending Control Plans
1. Identify Present Control Plans
2. Evaluating Present Control Plans
3. Identifying and Evaluating Missing Control Plans
a. Examine the Control Matrix
b. Analyze the Systems Flowchart
Applying the Control Framework
A. Control Plans for Manual and Automated Data Entry

Document Design
It is a control plan in which a source document is designed to make it easier
to prepare the document initially and later to input data from the document.
Written Approvals
It is a form of a signature or initials on a document to indicate that someone
has authorized the event.
Electronic Approval - Business events are routed using a computer
system's workflow facility to persons authorized to approve the event.
Ex: Purchase requisitions might be routed for approval to those with
budgetary authority.
Preformatted Screens
It is used to control the entry of data by defining the acceptable format of each
data field.
Ex: The screen might force users to key exactly nine alphabetic characters in
one field and exactly five numerals in another field.
The cursor may automatically move to the next field on the screen.
Online Prompting
Requests user input or asks questions that the user must answer.
Ex: Provided options: Accept, Edit or Reject completed screen.
Populate Input Screens with Master Data
The clerk enters the identification code for an entity such as customer and the
system retrieves data about that entity from the master data.
It makes data entry quicker and more efficient.
Ex: Using customer ID (code)
Compare Input Data with Master Data
It is used to determine the accuracy and validity of the input data.
Three Types of Comparisons:
1. Input/Master Data Match
2. Input/Master Data Dependency Checks
3. Input/Master Data Validity and Accuracy Checks
Procedures for Rejected Inputs
It is designed to ensure that erroneous data are corrected and resubmitted for
processing.
To make sure that the corrected input does not still contain errors, the
corrected input data should undergo all routines through which the input was
processed originally.
Programmed Edit Checks
It is actually performed by data entry programs upon entry of the input data.
It can highlight actual or potential input errors and allow them to be corrected
quickly and efficiently.
Confirm Input Acceptance
It causes the data entry program to inform the user that the input has been
accepted for processing.
The program may flash a message on the screen telling a user that the input
has been accepted.
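The data entry controls above (preformatted field formats, comparison with master data, programmed edit checks, procedures for rejected inputs) can be combined in one routine. The following is an added example, not part of the original notes; the field names, master data layout and credit limit rule are assumptions made for illustration.

```python
import re

CUSTOMER_MASTER = {  # constructed master data; layout is an assumption
    "10001": {"name": "Acme Supply", "credit_limit": 5000.00, "balance": 1200.00},
    "10002": {"name": "Birch Traders", "credit_limit": 1000.00, "balance": 950.00},
}

# Preformatted-screen rules: the acceptable format of each data field.
FIELD_FORMATS = {
    "order_ref": re.compile(r"[A-Za-z]{9}"),    # exactly nine alphabetic characters
    "customer_id": re.compile(r"[0-9]{5}"),     # exactly five numerals
    "amount": re.compile(r"[0-9]{1,7}\.[0-9]{2}"),
}

def edit_check(entry):
    """Programmed edit check: return a list of errors (empty means accepted)."""
    errors = [f"{name}: bad format" for name, pattern in FIELD_FORMATS.items()
              if not pattern.fullmatch(str(entry.get(name, "")))]
    if errors:
        return errors
    master = CUSTOMER_MASTER.get(entry["customer_id"])
    if master is None:  # input/master data match failed
        return ["customer_id: no match in master data"]
    # Assumed business rule checked against a master data field.
    if master["balance"] + float(entry["amount"]) > master["credit_limit"]:
        errors.append("amount: exceeds credit limit in master data")
    return errors

def enter(entries, suspense):
    """Accept clean inputs; hold rejected ones, with reasons, for correction."""
    accepted = []
    for entry in entries:
        errors = edit_check(entry)
        if errors:
            suspense.append({"entry": entry, "errors": errors})
        else:
            accepted.append(entry)  # caller confirms input acceptance to the user
    return accepted

def resubmit(corrected, suspense):
    """Corrected inputs pass through the same routines as the original input."""
    return enter(corrected, suspense)

SAMPLE = [  # constructed sample inputs
    {"order_ref": "ABCDEFGHI", "customer_id": "10001", "amount": "250.00"},
    {"order_ref": "ABCDEFGH1", "customer_id": "10001", "amount": "250.00"},
    {"order_ref": "ABCDEFGHI", "customer_id": "99999", "amount": "10.00"},
    {"order_ref": "ABCDEFGHI", "customer_id": "10002", "amount": "100.00"},
]
```

The format rules use fullmatch so that a value with trailing characters, such as a newline after the five numerals, is rejected rather than partially matched.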
Automated Data Entry
These methods use fewer human resources and capture more data in a
period of time than is possible with manual entry.
Ex: OCR, Bar Codes, RFID and EDI
Digital Signatures
It is used to validate the identity of the sender and the integrity of an
electronic message to reduce the risk that a communication was sent by an
unauthorized system or user or was intercepted or modified in transit.

B. Control Plans for Data Entry with Batches


Turnaround Documents
Used to capture and input a subsequent event.
Key Verification
This takes place when input documents are keyed by one individual and then
keyed by a second individual.
The data entry software compares the second keystrokes to the strokes
keyed by the first individual.

Sequence Check
It can be applied to those documents to determine that all documents have
been processed and that no extra documents have been processed.
Manually Reconcile Batch Totals
Computer Agreement of Batch Totals
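The sequence check and the computer agreement of batch totals can be shown on one keyed batch. The following is an added example, not part of the original notes; the three kinds of total used (record count, dollar total, hash total) and the record layout are assumptions, since the notes do not list them.

```python
from decimal import Decimal

def sequence_check(doc_numbers, first, last):
    """Compare document numbers in a batch with the expected range first..last."""
    seen, duplicates = set(), set()
    for number in doc_numbers:
        if number in seen:
            duplicates.add(number)
        seen.add(number)
    expected = set(range(first, last + 1))
    return {
        "missing": sorted(expected - seen),   # documents never processed
        "duplicate": sorted(duplicates),      # documents processed twice
        "extra": sorted(seen - expected),     # documents outside the batch
    }

def batch_totals(records):
    """Totals the computer recalculates from the records actually keyed."""
    return {
        "record_count": len(records),
        "dollar_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(r["doc_no"] for r in records),
    }

def agree_batch(header, records):
    """Return {total: (header value, computed value)} for totals that disagree."""
    computed = batch_totals(records)
    return {name: (value, computed[name]) for name, value in header.items()
            if value != computed[name]}

# Constructed batch header, prepared from source documents 101-105.
HEADER = {"record_count": 5, "dollar_total": Decimal("1500.00"), "hash_total": 515}
# Constructed keyed records: 103 and 105 missing, 104 keyed twice, 106 extra.
KEYED = [
    {"doc_no": 101, "amount": "100.00"},
    {"doc_no": 102, "amount": "200.00"},
    {"doc_no": 104, "amount": "400.00"},
    {"doc_no": 104, "amount": "400.00"},
    {"doc_no": 106, "amount": "500.00"},
]
```

In this batch the record count still agrees with the header, so only the dollar total, the hash total and the sequence check expose the problem.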
