Date post: 27-Dec-2015
Transaction Processing and the Internal Control Process

Small Business Information Systems

Professor Barry Floyd

Agenda

- Necessity for controls
- Risks
- Current thinking …
- Cycles
- Segregation of duties

Necessity for controls

- Reduce exposures
  - Exposure consists of the potential financial effect multiplied by the probability of occurrence (risk)
- Common exposures
  - Excessive costs, Deficient Revenues, Loss of assets, Inaccurate accounting, Business interruption, Statutory Sanctions, Competitive Disadvantage, Fraud and embezzlement

Internal Control Process

Used to provide reasonable assurance regarding achievement of objectives in following categories:

- Reliability of financial reporting,
- Effectiveness and efficiency of operations,
- Compliance with applicable laws and regulations

Current thinking …

Control frameworks

- COBIT (Control Objectives for Information and Related Technology)
  - Addresses the issue of control from 3 vantage points:
    - Business Objectives – Information must conform to criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance with legal requirements and Reliability
    - IT Resources – People, Apps, technology, Facilities, and data
    - IT Processes – Planning and organization, acquisition and implementation, delivery and support, and monitoring
- COSO (Committee of Sponsoring Organizations)
  - Internal Control – Integrated Framework
  - Defines internal controls and provides guidance for evaluating and enhancing internal control systems

Cycles

- Revenue cycle
  - events related to the distribution of goods and services to other entities and the collection of related payments
- Expenditure cycle
  - events related to the acquisition of goods and services from other entities and the settlement of related obligations
- Production cycle
  - events related to the transformation of resources into goods and services
- Finance cycle
  - events related to the acquisition and management of capital funds, including cash

REFERENCE: Introduction to MS GP 8.0 Focus on Internal Controls by Brundson, Romney, and Steinbart

Segregation of Duties

For example, we do not want an employee to be able to enter an order, approve the order, fulfill the order, and receive payment for the order.

Why?

Segregation of duties

Three major duties

- Authorization: Approving transactions and decisions
- Recording: preparing source documents; entering data into online systems; maintaining journals, files or databases; preparing reconciliations, and preparing performance reports
- Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization’s bank account.

Separation

- Separating Custodial functions from Recording functions prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
- Separating Recording functions from Authorization functions prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
- Separating Authorization functions from Custodial functions prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset theft.

Segregation of Duties - GP

| Category | Great Plains Activity | Examples |
|---|---|---|
| Authorization | Create or delete master records | Add customer, delete vendor, create general ledger account, etc. |
| | Implement security | Create/delete users and assign permissions |
| | Approve transactions | Approve batches, perform write-offs, enter a discount, etc. |
| | Field Controls | Establish customer credit limits, payment terms, override pricing, permit sales exceeding credit limit, etc. |
| Recording | Enter and post transactions | Enter sales orders, change purchase orders, post transaction, etc. |
| | Change non-critical master file data | Update customer addresses, employee address, etc. |
| | Reconcile | Prepare bank reconciliations, perform comparisons of aging reports to control account, etc. |
| Custody | Print information | Print company checks, preprinted purchase orders, etc. |
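The three-way separation above can be checked mechanically against a list of user permissions. The following is an added example, not Great Plains code or part of the original slides: it maps each activity in the table to its duty category and reports every user who holds two or more categories at once. The user names and grants are constructed, and the function names are hypothetical.

```python
from itertools import combinations

# Duty category for each Great Plains activity listed in the table above.
ACTIVITY_DUTY = {
    "Create or delete master records": "Authorization",
    "Implement security": "Authorization",
    "Approve transactions": "Authorization",
    "Field Controls": "Authorization",
    "Enter and post transactions": "Recording",
    "Change non-critical master file data": "Recording",
    "Reconcile": "Recording",
    "Print information": "Custody",
}

def duties_held(activities):
    """Return the set of duty categories covered by a user's activities."""
    unknown = [a for a in activities if a not in ACTIVITY_DUTY]
    if unknown:
        # An unmapped permission cannot be assessed, so fail closed.
        raise ValueError(f"unmapped activities: {unknown}")
    return {ACTIVITY_DUTY[a] for a in activities}

def sod_conflicts(grants):
    """Map each user to the sorted duty pairs they hold together."""
    report = {}
    for user, activities in grants.items():
        pairs = sorted(combinations(sorted(duties_held(activities)), 2))
        if pairs:
            report[user] = pairs
    return report

# Constructed sample grants for hypothetical users.
SAMPLE_GRANTS = {
    "alice": ["Enter and post transactions", "Reconcile"],
    "bob": ["Approve transactions", "Print information"],
    "carol": ["Implement security", "Enter and post transactions",
              "Print information"],
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE_GRANTS).items():
        for first, second in pairs:
            print(f"{user}: holds both {first} and {second}")
```

A user with several activities inside one category (alice, Recording only) is not flagged; only combinations that cross Authorization, Recording and Custody are.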

Enter a Sales Order

- First let’s create a ‘batch’ with transaction and control totals
  - Transactions > Sales > Sales Batches
- Now create two sales orders
- Check out sales batch

WHO POSTS THIS? SHOULD SOMEONE APPROVE THIS?

Setup Posting Defaults

Tools > Setup > Posting > Posting

Setting Up Users

Tools > Setup > System > Advanced Security

Activity Tracking

Tools > Setup > System > Activity Tracking

The Audit Trail

- Audit trails are an important component of internal controls.
- The audit trail documents the source of general ledger postings.
- Accountants and auditors use the audit trail to trace transactions from the point of origin to the general ledger and vice versa.
- In GP, the audit trail functions automatically

The Audit Trail

- Source document codes are first component of GP’s audit trail
- Codes identify point of origin
  - Tools > Setup > Posting > Source Document

Source Document Codes

Audit Trail Codes Setup

Tools > Setup > Posting > Audit Trail Codes

SJ code for sales. Transactions are assigned SLSTE prefix.

Review Audit Trail

Inquiry > Financial > Detail

Choose 0000-1200-00

Select first transaction and click on Journal Entry

Review Audit Trail

SJ code identifying document entered through Receivables in the Sales Series. SLSTE audit trail meaning document posted as Sales Transaction.

Five Elements of Internal Control Process

- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

Control Environment

- Integrity and ethical values
- Commitment to competence
- Management philosophy and operating style
- Organizational structure
- Attention and direction provided by the board of directors and its committees
- Manner of assigning authority and responsibility
- Human resource policies and procedures

Risk Assessment

Process of identifying, analyzing, and managing risks that affect the company’s objectives

Control Activities

Policies and procedures established to help ensure that management directives are carried out.

- Plans of organization (segregation of duties)
  - authorizing vs. recording vs. maintaining custody
- Procedures w/ control docs
- Restricted Access
- Independent checks
- Info processing controls

Transaction processing controls

Transaction processing controls – procedures, techniques, etc. to achieve goals of organization in reducing risk

- General controls
  - Designed to make sure an organization’s control environment is stable and well-managed.
- Application controls
  - Prevent, detect, and correct transaction errors and fraud. Concerned with accuracy, completeness, validity, and authorization.

General Controls

- Definition of responsibilities
- Prenumbered forms
- Preprinted forms
- Labeling
- Documentation
- Backup and recovery
- Transaction trail
- Error-source statistics
- Reliable Personnel
- Training of personnel
- Rotation of duties
- Forms design

Application controls

Input

- Authorization
- Approval
- Formatted input
- Cancellation
- Exception Input
- Passwords
- Amount control total
- Hash total
- Reasonable checks
- Overflow checks
- Format checks
- Check digit
- Dating
- Expiration checks

Input controls are designed to prevent or detect errors in the input stage of data processing

Application Controls

Processing Controls

- Mechanization
- Standardization
- Defaults
- Batch Balancing
- Clearing account
- Tickler file
- Matching

Processing controls are designed to provide assurances that processing has occurred according to intended specifications and that no transactions have been lost or incorrectly entered.
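Batch balancing ties together the batch control totals from the sales batch step and the amount control total and hash total named under input controls. The following is an added example, not from the original slides or from Great Plains: it compares the totals declared when a batch is created with the totals of what was actually entered. The field names, customer numbers and amounts are constructed, and numeric customer numbers are an assumption.

```python
from decimal import Decimal

def batch_totals(transactions):
    """Compute record count, amount control total and hash total."""
    return {
        "count": len(transactions),
        "amount": sum((Decimal(t["amount"]) for t in transactions),
                      Decimal("0")),
        # Hash total: sum of a field with no monetary meaning (customer number).
        "hash": sum(int(t["customer"]) for t in transactions),
    }

def out_of_balance(control, transactions):
    """Return {total: (expected, actual)} for every total that disagrees."""
    actual = batch_totals(transactions)
    return {name: (control[name], actual[name])
            for name in ("count", "amount", "hash")
            if control[name] != actual[name]}

# Control totals declared on the batch header (constructed values).
CONTROL = {"count": 2, "amount": Decimal("350.00"), "hash": 3003}

# Constructed batches: entered correctly, keyed to the wrong customer,
# and with one transaction lost.
ENTERED_OK = [
    {"customer": "1001", "amount": "100.00"},
    {"customer": "2002", "amount": "250.00"},
]
WRONG_CUSTOMER = [
    {"customer": "1001", "amount": "100.00"},
    {"customer": "2020", "amount": "250.00"},  # digits transposed
]
DROPPED = ENTERED_OK[:1]

if __name__ == "__main__":
    for label, batch in [("ok", ENTERED_OK), ("wrong customer", WRONG_CUSTOMER),
                         ("dropped", DROPPED)]:
        print(label, out_of_balance(CONTROL, batch) or "balanced")
```

The wrong-customer batch passes the record count and the amount control total; only the hash total exposes it, which is why the two totals are used together.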

Application Controls

Output Controls

- Reconciliation
- Aging
- Suspense file
- Periodic audit
- Discrepancy reports

Output controls are designed to check that input and processing resulted in valid output and that outputs are properly distributed.

Summary

Controls are an important part of your information system … think about what you would do in your organization?