Controlling

Information
Systems:
Business Process
Controls
Learning Objectives
Understand steps in control
framework
Know how to prepare control
matrix
Comprehend the generic
business process control plans
introduced in this chapter
Be able to describe how the
business process controls
accomplish control goals
Appreciate the importance of
controls to organizations with
enterprise systems
Appreciate the importance of
controls to organizations
engaging in e-Business
Business
Process
Controls
3
The Control Matrix
The control matrix is a tool designed to
assist you in analyzing a systems
flowchart and related narrative.
It establishes the criteria to be used in
evaluating the controls in a particular
business process.

4
Sample
Control
Matrix
5
Available Control Plans for Data
Input
1: Document Designsource document is
designed to easily complete and key data
2: Written Approvalssignature or initials
indicating approval of event processing
3: Preformatted Screensdefines
acceptable format for each data field (e.g.,
9 numeric characters for SSN)
4: Online Promptingrequests user input
or asks questions, e.g., message box
6
Available Control Plans for Data
Input, Contd.

5: Programmed Edit Checks
Automatically performed by data entry programs upon
entry of data
Reasonableness checks (limit checks)tests input for values
within predetermined limits
Document/record hash totalscompares computer total to
manually calculated total
Mathematical accuracy checkscompare calculations
performed manually to computer calculations, e.g., compare
invoice total to manually entered to computer calculated total
Check Digit verification a functionally dependent extra digit is
appended to a number; if miskeying occurs, a check digit
mismatch occurs and the system rejects the input
7
Available Control Plans for Data Input
6: Procedures for rejected inputrejected inputs
are corrected and resubmitted for processing
7: Keying correctionsclerk corrects inputs
8: Interactive feedback checkscomputer informs
clerk that input has been accepted/rejected
9: Record inputrecord is recorded in transaction
data rather than being re-keyed at another time
10: Key verificationdata is keyed by two different
individuals then compared by the computer
8
Recommended Control Plans with
Master Data
11: Enter data close to originating source
Input data is entered directly and immediately it reduces
input costs, inputs are less likely to be lost, errors are
less likely and can more easily corrected
Online transaction entry (OLTE), online real-time
processing (OLRT), and online transaction processing
(OLTP) are all examples of this processing strategy.
12: Digital signatures
Authenticate that the sender of the message has the
authority to send it and detects messages that have
been altered in transit
an application of public key cryptography involving the
use of a private encryption key to sign the data
transmitted
9
Recommended Control Plans with
Master Data
13: Populate input with master data
User enters an entitys ID code and the system then
retrieves certain data about that entity from existing
master data.
User might be prompted to enter the customer ID (code).
By accessing the customer master data, the system
automatically provides data such as the customers
name and address, the salespersons name, and the
sales terms.
This reduces the number of keystrokes required, making
data entry quicker, more accurate, and more efficient.
Therefore, the system automatically populates input
fields with existing data
10
Recommended Control Plans with Master Data
14: Compare input data with master datathe system compares inputs with
standing (master) data to ensure their accuracy and validity
Input/master data dependency checks
These edits test whether the contents of two or more data elements
or fields on an event description bear the correct logical relationship.
For example, input sales events can be tested to determine whether
the salesperson works in the customers territory.
If these two items dont match, there is some evidence that the
customer number or the salesperson identification was input
erroneously.
Input/master data validity and accuracy checks
These edits test whether master
data supports the validity and accuracy of the input. For example, this
edit
might prevent the input of a shipment when no record of a
corresponding customer
order exists. If no match is made, we may have input some data
incorrectly,
or the shipment might simply be invalid. We might also compare
elements
within the input and master data.
11
Data Entry with Batches
Data entry with batches involves collecting
inputs into work units called batches; batched
inputs are then keyed into system as a batch
Implies some delay between the economic event
and its reflection in the system
Allows for controls focusing on the batch, e.g.,
batch control totals (hash or other totals from
batch)
Batch entry is often followed by an exception and
summary report
12
Batch Control Plans
Batch control procedures start by grouping event data and calculating totals for
the group: Several different types of batch control totals can be calculated
Document/record counts are simple counts of the number of documents entered in a
batch
This procedure represents the minimum level required to control input completeness.
Because one document could be intentionally replaced with another, this control is not
effective for ensuring input validity and says nothing about input accuracy.
Item or line counts
Counts number of items or lines entered, such as a count of the number of invoices being
paid by all the customer remittances.
By reducing the possibility that line items or entire documents could be added to the batch
or not be input, this control improves input validity, completeness, and accuracy.
Remember, a missing event record is a completeness error and a data set missing from an
event record is an accuracy error.
Dollar totals
Sum of dollar value of items in batch
By reducing the possibility that entire documents could be added to or lost from the batch or
that dollar amounts were incorrectly input, this control improves input validity,
completeness, and accuracy.
Hash totals
Are a summation of any numeric data existing for all documents in the batch, such as a total
of customer numbers or invoice numbers in the case of remittance advices.
Unlike dollar totals, hash totals normally serve no purpose other than control.
Hash totals can be a powerful batch control because they can determine if inputs have
been altered, added, or deleted.
These batch hash totals operate for a batch in a manner similar to the operation of
document/record hash totals for individual inputs.

13
P-1: use of turnaround
documents
Turnaround documents are used to capture and
input a subsequent event.
Picking tickets, inventory count cards, remittance
advice stubs attached to customer invoices, and
payroll time cards are all examples of turnaround
documents.
For example, we have seen picking tickets that are
printed by the computer, used to pick the goods,
and sent to shipping where the bar code on the
picking ticket is scanned to trigger the recording of
the shipment.
14
P-2: batch totals control
Calculation of batch totals ensures that the
data input arises from legitimate events
(input validity) and that all events in the
batch are captured (input completeness).
15
P-3: Reconciliation of Batch Totals
The manual reconciliation of batch totals control
plan operates in the following manner:
a. First, one or more of the batch totals are established
manually
b. As individual event descriptions are scanned, the data
entry program accumulates independent batch totals.
c. The computer produces reports (or displays) with the
relevant control totals that must be manually reconciled to
the totals established prior to the particular process.
d. The person who reconciles the batch total must determine
why the totals do not agree and make corrections as
necessary to ensure the integrity of the input data
16
P-4: Reconcile input and output batch totals
(agreement of run-to-run totals)
This is a variation of the agreement of batch totals controls.
With agreement of run-to-run totals, totals prepared before a
computer process has begun are compared, manually or by the
computer, to totals prepared at the completion of the computer
process.
These post-process controls are often found on an error and
summary report.
When totals agree, we have evidence that the input and the
update took place correctly.
This control is especially useful when there are several
intermediate steps between the beginning and the end of the
process and we want to be assured of the integrity of each
process.
17
P-5: use of tickler file and one-for-one checking
This has two purposes:
1. One is to ensure that all picking tickets are linked to an associated
packing slip,
2. The other is to ensure that all items on related picking tickets and
packing slips match.
We regularly review a tickler file, to clear items from that file.
Tickler files may be digitized reflecting events that need to be completed,
such as open sales orders, open purchase orders, and so forth.
Should tickler file documents remain in the file too long, the person or
computer monitoring will determine the nature and extent of the delay.
Picking tickets are compared to their associated packing slips
using one-for-one checking to determine that they agree.
Differences may indicate errors in input or update.
This procedure provides us detail as to what is incorrect within a batch.
Being very expensive to perform, one-for-one checking should be
reserved for low-volume, high-value events.
18
P-6: Automated Sequence Checks
Whenever documents are numbered sequentially, a sequence check can
be automatically applied to those documents.
Batch sequence checks work best when we can control the input process
and the serial numbers of the input data, such as payroll checks.
In a batch sequence check, the event data within a batch are checked as follows:
a. The range of serial numbers constituting the batch is entered.
b. Each individual, serially pre-numbered event data is entered.
c. The computer program sorts the event data into numerical order; checks the
documents against the sequence number range; and reports missing, duplicate, and
out-of-range event data.
Cumulative sequence check provides input control when the serial
numbers are not entered in sequence (i.e., picking tickets might contain
broken sets of numbers).
Matching of individual event data (picking ticket #s) is made to a file that contains
all document numbers (all sales order numbers).
Periodically, reports of missing numbers are produced for manual follow-up.
Reconciling a checkbook is another example of a situation where the check
numbers are issued in sequence.
However, the bank statement we receive may not contain a complete sequence of
checks.
Our check register assists us in performing a cumulative sequence check to make sure
that all checks are eventually cleared.
19
P-7: Computer Agreement of Batch Totals
The computer agreement of batch totals plan works in the
following manner:
a. First, one or more of the batch totals are established manually (i.e., in
the user department in Figure 9.9).
b. Then, the manually prepared total is entered into the computer and is
written to the computer batch control totals data.
c. As individual event descriptions are entered, a computer program
accumulates independent batch totals and compares these totals to the
ones prepared manually and entered at the start of the processing.
d. The computer prepares a report, which usually contains details of
each batch, together with an indication of whether the totals agreed or
disagreed.
Batches that do not balance are normally rejected, and discrepancies are
manually investigated and included in a summary report