Internal Controls Notes - ACCG2050

Learning objectives

  • Explain the importance of control activities in the accounting process
  • Evaluate internal controls as general or application
  • Provide examples of general controls and application controls
  • Identify preventive, corrective and detective controls
  • Explain a disaster recovery plan
  • Understand the effectiveness and limitations of a control system

Control activities, business processes and accounting

  • Errors can occur in the financial reporting process.
  • Not all risks are
  • Auditing standards are the basis of external financial statement audits.
  • Primary concern is the financial accuracy of the statements.
  • For an accountant working with a AIS, the concern extends beyond financial to non-financial risks and controls.

Internal controls as part of enterprise risk management

  • Applying internal controls involves an evaluation of assertions coupled with a risk assessment.
  • Once risk has been identified, the extent needs to be evaluated.
  • After identifying risks, policies and procedures to address the risks will be implemented – these policies are called control activities.

Types of control activities

  • ASA 315 classifies controls into five types:
    1. authorisation
    2. performance reviews
    3. information processing controls
    4. physical controls
    5. segregation of duties

1. Authorisation

  • Activities and procedures to assure transactions and events are carried out by those with the appropriate authority.
  • Set defined roles, responsibilities and adherence mechanisms for individuals within the organisation.

2. Performance reviews

  • Review or analysis of performance, compared with those that were expected or planned.

3. Information processing controls

  • Work towards the accuracy, completeness and authorisation of transactions.
  • Accuracy: data entered is correct and reflects actual recorded events.
  • Completeness: all events are recorded.
  • General controls: policies and procedures that support applications and application controls.
  • Application controls: manual or automated procedures, at business process level, related to the processing of transactions by individual applications.

4. Physical controls

  • Controls put in place to physically protect the resources of the organisation, including protecting them from the risk of theft or damage.

5. Segregation of duties

  • Certain key functions should not be performed by the same person.
  • Applies across the IT systems within the organisation.

Other classification: Preventive, detective and corrective controls

  • Preventive, detective and corrective controls: how to deal with a risk.
  • Input, processing and output controls: where the control activity operates.

Preventive, detective and corrective controls

  • Preventive controls are designed to prevent errors or irregularities.
  • For example: password, required fields, a firewall or an input control preventing a data error.
  • Detective controls will not prevent errors, but instead alert those using the system to errors that have occurred.
  • For example: virus software scan.
  • Corrective controls are designed to correct an error or irregularity after it has occurred.
  • For example: disaster recovery plan or virus protection software.
  • This classification scheme of preventive, detective and corrective controls can be applied to both general and application controls.

Where control activity takes place

  • Input controls: operate as data enters the system.
  • Processing controls: ensure correct processing of data e.g. making sure data is correctly updated in the various data stores.
  • Output controls: protect outputs generated by the process e.g. how outputs are prepared.
  • Input, processing and output controls operate within a business process and are designed based on the particular risks present within the process – they are application controls.

MACQUARIE University

Controls for a Computerised AIS

Aims of a computerised accounting information system

  • Proper authorisation
    • User privileges, access rights, user restrictions, approval over threshold
  • Proper recording
    • Records right type and format, reflect the reality of the underlying transaction or event.
    • E.g. Input accuracy
  • Completeness
    • at individual transaction and business process level
  • Timeliness
    • Processing does not need to occur immediately – timing needs to suit organisational needs
    • Batch processing, online real-time processing, or online data gathering with batch processing

General controls

  • PHYSICAL CONTROLS
  • SEGREGATION OF DUTIES
  • USER ACCESS
  • SYSTEMS DEVELOPMENT PROCEDURES
  • USER AWARENESS OF RISKS
  • DATA STORAGE PROCEDURES.
  • General controls are those that relate across all the information systems in an organisation.

General controls – Physical controls

  • Physical controls are concerned with restricting access to the physical resources. Major concern is who has physical access.
  • Organisations employ a range of physical controls:
    • Locked computing premises.
    • Discrete premises that do not attract attention.
    • Swipe card access.
    • Biometric access controls.
    • Onsite security.
    • Security cameras to record access to the premises.

General controls – Segregation of duties

  • The separating of employee duties to prevent fraud.
  • Between the users of IT, the maintainers of the IT systems, system designers, system testers and those with access to the data.

General controls – User access

  • Logical access of users to the systems within the organisation.
  • E.g. use of passwords and a unique identification code to restrict system access.

General controls – Systems development procedures

  • MAINTENANCE AND DEVELOPMENT OF DIFFERENT INFORMATION SYSTEMS.
  • REQUIRES POLICIES, PROCEDURES AND RESTRICTIONS.
  • Different user privileges, such as the system administrator.
  • Preventive control: assurance that untested or incompatible software and software that has not been appropriately reviewed or licensed will not be placed on the system.

General controls – User awareness of risks

  • SECURITY EDUCATION TRAINING AND AWARENESS PROGRAMS TO ENSURE EMPLOYEES ARE AWARE OF:
    • Information system risks.
    • Security threats and issues.
    • Organisational security policies.
    • The policies for detection of fraud.

General controls – Data storage procedures

  • INFORMATION ABOUT CUSTOMERS, STAFF AND INTELLECTUAL PROPERTY IS STORED ON SERVERS.
  • If released it could have financial and non-financial consequences.
  • Controls: data access logs, restriction of user privileges and encryption of stored data.
  • MAJOR RISKS ASSOCIATED WITH CLOUD STORAGE:
    • Inability to audit and monitor at file level.
    • Inability to access data when the internet is unavailable.
    • Unresolved security issues include data security, network security, data integrity, web application security and so on.
  • Controls: schedule backups (batch or real time).

Security policies

  • Information security policies to protect electronic resources.
  • Document an organisation’s approach to security.
  • Usually by following a framework and/or standard.
  • Should be understood and used by all users.

Application controls

  • Built around the operation of a particular process.
  • Relate to the key system stages of: INPUT, PROCESSING, OUTPUT.

Application controls – Input controls

  • Standardised forms.
  • Pre-numbering documents.
  • Sequence checks.
  • Turnaround documents: Automated form completion.
  • Transaction authorisation procedures.
  • Batch totals.
  • Independent reviews.

Application controls – Processing controls

  • AIM TO ENSURE THAT DATA WITHIN THE SYSTEM IS CORRECTLY AND ACCURATELY PROCESSED.
  • Run-to-run totals.
  • Reconciliations.
  • Batch totals.
  • Sequence checks.
  • Hash totals.
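A worked illustration of the batch totals, hash totals, sequence checks and run-to-run totals listed under input and processing controls above, as an added Python example (not from the unit notes); the invoice batch, field names and function names are constructed.

```python
from decimal import Decimal

# Constructed sample batch of pre-numbered sales invoices (not from the notes).
BATCH = [
    {"doc_no": 1001, "customer_id": 4413, "amount": Decimal("250.00")},
    {"doc_no": 1002, "customer_id": 2780, "amount": Decimal("99.95")},
    {"doc_no": 1003, "customer_id": 4413, "amount": Decimal("1200.00")},
    {"doc_no": 1004, "customer_id": 3151, "amount": Decimal("45.50")},
]


def control_totals(records):
    """Batch totals captured at input and recomputed after each processing run:
    record count, financial total (sum of amounts) and a hash total over the
    customer ids (meaningless as a number, useful only for detecting change)."""
    return {
        "count": len(records),
        "financial": sum((r["amount"] for r in records), Decimal("0")),
        "hash": sum(r["customer_id"] for r in records),
    }


def sequence_check(records):
    """Pre-numbered documents should form an unbroken sequence:
    report any missing or duplicated document numbers."""
    nums = sorted(r["doc_no"] for r in records)
    missing = sorted(set(range(nums[0], nums[-1] + 1)) - set(nums))
    duplicates = sorted({n for n in nums if nums.count(n) > 1})
    return {"missing": missing, "duplicates": duplicates}


def run_to_run_check(expected, records):
    """Compare totals captured at input with totals after processing; the names
    of the totals that disagree tell you what kind of error slipped in."""
    actual = control_totals(records)
    return [name for name in expected if expected[name] != actual[name]]


if __name__ == "__main__":
    expected = control_totals(BATCH)
    # A record lost in transit: count, financial and hash totals all disagree,
    # and the sequence check names the missing document number.
    dropped = [r for r in BATCH if r["doc_no"] != 1003]
    print(run_to_run_check(expected, dropped), sequence_check(dropped))
    # A mis-keyed customer id: the financial total still balances, so only the
    # hash total reveals the change.
    altered = [dict(r, customer_id=2870) if r["doc_no"] == 1002 else r for r in BATCH]
    print(run_to_run_check(expected, altered))
```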

Application controls – Output controls

  • PROTECT ACCESS TO DIGITAL OUTPUTS (SEGREGATION OF DUTIES).
  • Examples: access privileges, ability to generate reports, page numbering of reports and end-of-report footers; integrated ERP system.
  • PHYSICAL CONTROL.
  • Example: confidential information should not be printed on a printer accessible by all staff.
  • DATABASE QUERIES: DETECTING IRREGULARITIES OR ANOMALIES.
  • Example: queries of credit returns to detect cash/AR fraud

Disaster recovery plans

  • Disaster types:
    • Terrorism e.g. September 11.
    • Natural disasters e.g. fire or flood, cyclones.
    • Online operations e.g. web server going down.
  • Disaster recovery plan: the strategy that will be put into action, in the event of a disaster that disrupts normal operations, as soon as possible and ___that relate to its processes.

Disaster recovery plan components

  • Hot site
  • Cold site
  • Evacuation staff: present at the location of the disaster.
  • Access staff: after the disaster.
  • Key employees in the recovery plan need to be contactable: Contact and staff responsibilities, role/s and reporting plan; drills; remote site staff.
  • Extranets
  • Need to consult with such partners and related bodies when developing plans

Limitations of internal control

The limitations of controls

  • Threats to an organisation’s objectives:
    • Judgement error
    • Unexpected transactions: designers of a control system cannot predict every possible outcome and every future event.
    • Collusion: when two or more people conspire to jointly commit a fraud.
    • Management override: controls are only effective if management is ethical and responsible in promoting ‘good’ behaviour.
    • Weak internal controls: controls that are poorly designed or weak.
    • Conflicting signals: possibility that different signals are being sent by management to employees.
  • An internal control system does not provide 100% assurance that an organisation’s objectives will be achieved.

The limitations of controls – Additional threats

  • Management incompetence: incompetence at the top can flow down and impact on the remainder of the organisation.
  • External factors: external factors beyond our control that can have dramatic impacts on an organisation e.g. natural disasters.
  • Fraud: working around internal controls for personal gain.
  • Regulatory environment: changes in the regulatory environment can impact the way that organisations operate.
  • Information technology: in a constant state of flux e.g. threats from viruses.

Key take away points

  • Accounting and control activities are inter-related
  • Types of controls based on how to deal with risk and where control activity takes place
  • Aims of a computerised AIS
  • The components and importance of a disaster recovery plan were discussed
  • Internal control is not foolproof; it is prone to risks and limitations