Date posted: 27-Dec-2015
Upload: george-hoover
Transaction Processing and the Internal Control Process
  Small Business Information Systems
  Professor Barry Floyd
Agenda
  Necessity for controls
  Risks
  Current thinking ….
  Cycles
  Segregation of duties
Necessity for controls
  Reduce exposures
    Exposure consists of the potential financial effect multiplied by the probability of occurrence (risk)
  Common exposures
    Excessive costs, Deficient Revenues, Loss of assets, Inaccurate accounting, Business interruption, Statutory Sanctions, Competitive Disadvantage, Fraud and embezzlement
Internal Control Process
  Used to provide reasonable assurance regarding achievement of objectives in following categories:
    Reliability of financial reporting,
    Effectiveness and efficiency of operations,
    Compliance with applicable laws and regulations
Current thinking …
  Control frameworks
    COBIT (Control Objectives for Information and Related Technology)
      Addresses the issue of control from 3 vantage points:
        Business Objectives – Information must conform to criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance with legal requirements and Reliability
        IT Resources – People, Apps, technology, Facilities, and data
        IT Processes – Planning and organization, acquisition and implementation, delivery and support, and monitoring
    COSO (Committee of Sponsoring Organizations)
      Internal Control – Integrated Framework
        Defines internal controls and provides guidance for evaluating and enhancing internal control systems
Cycles
  Revenue cycle
    events related to the distribution of goods and services to other entities and the collection of related payments
  Expenditure cycle
    events related to the acquisition of goods and services from other entities and the settlement of related obligations
  Production cycle
    events related to the transformation of resources into goods and services
  Finance cycle
    events related to the acquisition and management of capital funds, including cash
REFERENCE: Introduction to MS GP 8.0 Focus on Internal Controls by Brundson, Romney, and Steinbart
Segregation of Duties
  For example, we do not want an employee to be able to enter an order, approve the order, fulfill the order, and receive payment for the order.
  Why?
Segregation of duties
  Three major duties
    Authorization: Approving transactions and decisions
    Recording: preparing source documents; entering data into online systems; maintaining journals, files or databases; preparing reconciliations, and preparing performance reports
    Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization’s bank account.
  Separation
    Separating Custodial functions from Recording functions prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
    Separating Recording functions from Authorization functions prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
    Separating Authorization functions from Custodial functions prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset theft.
Segregation of Duties - GP

| Category | Great Plains Activity | Examples |
|---|---|---|
| Authorization | Create or delete master records | Add customer, delete vendor, create general ledger account, etc. |
| | Implement security | Create/delete users and assign permissions |
| | Approve transactions | Approve batches, perform write-offs, enter a discount, etc. |
| | Field Controls | Establish customer credit limits, payment terms, override pricing, permit sales exceeding credit limit, etc. |
| Recording | Enter and post transactions | Enter sales orders, change purchase orders, post transaction, etc. |
| | Change non-critical master file data | Update customer addresses, employee address, etc. |
| | Reconcile | Prepare bank reconciliations, perform comparisons of aging reports to control account, etc. |
| Custody | Print information | Print company checks, preprinted purchase orders, etc. |
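
An added example, not part of the original slides and not Great Plains code: a Python check that classifies each user's assigned activities into the three duties using the table above and reports every user who holds two or more of them, with the reason given on the Separation slide. The user names and assignments are constructed sample data.

```python
from itertools import combinations

# Duty category for each Great Plains activity, taken from the table above.
ACTIVITY_DUTY = {
    "Create or delete master records": "Authorization",
    "Implement security": "Authorization",
    "Approve transactions": "Authorization",
    "Field Controls": "Authorization",
    "Enter and post transactions": "Recording",
    "Change non-critical master file data": "Recording",
    "Reconcile": "Recording",
    "Print information": "Custody",
}

# Why each pairing is a conflict, paraphrasing the Separation slide.
CONFLICT_REASON = {
    frozenset({"Custody", "Recording"}):
        "can falsify records to conceal theft of entrusted assets",
    frozenset({"Authorization", "Recording"}):
        "can falsify records to cover an inappropriately authorized transaction",
    frozenset({"Authorization", "Custody"}):
        "can authorize a fictitious transaction to conceal asset theft",
}

def duties_held(activities):
    """Group a user's activities by duty; an unclassified activity is an error."""
    held = {}
    for act in activities:
        if act not in ACTIVITY_DUTY:
            raise ValueError(f"unclassified activity: {act!r}")
        held.setdefault(ACTIVITY_DUTY[act], []).append(act)
    return held

def sod_conflicts(assignments):
    """Return sorted (user, duty_a, duty_b, reason) for each conflicting pair."""
    findings = []
    for user, activities in assignments.items():
        for a, b in combinations(sorted(duties_held(activities)), 2):
            findings.append((user, a, b, CONFLICT_REASON[frozenset({a, b})]))
    return sorted(findings)

# Constructed sample assignments (hypothetical users, not from the slides).
SAMPLE = {
    "alice": ["Enter and post transactions", "Reconcile"],
    "bob": ["Approve transactions", "Enter and post transactions"],
    "carol": ["Implement security", "Reconcile", "Print information"],
}

if __name__ == "__main__":
    for user, a, b, reason in sod_conflicts(SAMPLE):
        print(f"{user}: {a} + {b} -> {reason}")
```

Failing on an unclassified activity, rather than ignoring it, keeps a newly granted permission from slipping past the review unnoticed.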
Enter a Sales Order
  First let’s create a ‘batch’ with transaction and control totals
  Transactions > Sales > Sales Batches
Setup Posting Defaults
  Tools > Setup > Posting > Posting
Setting Up Users
  Tools>Setup>System>Advanced Security
Activity Tracking
  Tools>Setup>System>Activity Tracking
The Audit Trail
  Audit trails are an important component of internal controls.
  The audit trail documents the source of general ledger postings.
  Accountants and auditors use the audit trail to trace transactions from the point of origin to the general ledger and vice versa.
  In GP, the audit trail functions automatically
The Audit Trail
  Source document codes are first component of GP’s audit trail
  Codes identify point of origin
  Tools>Setup>Posting>Source Document
Audit Trail Codes Setup
  Tools>Setup>Posting>Audit Trail Codes
  SJ Code for sales Transactions are assigned SLSTE prefix
Review Audit Trail
  Inquiry>Financial>Detail
  Choose 0000-1200-00
  Select first transaction and click on Journal Entry
Review Audit Trail
  SJ code identifying Document entered through Receivables in the Sales Series.
  SLSTE audit trail meaning Document posted as Sales Transaction.
Five Elements of Internal Control Process
  Control environment
  Risk assessment
  Control activities
  Information and communication
  Monitoring
Control Environment
  Integrity and ethical values
  Commitment to competence
  Management philosophy and operating style
  Organizational structure
  Attention and direction provided by the board of directors and its committees
  Manner of assigning authority and responsibility
  Human resource policies and procedures
Risk Assessment
  Process of identifying, analyzing, and managing risks that affect the company’s objectives
Control Activities
  Policies and procedures established to help ensure that management directives are carried out.
    Plans of organization (segregation of duties)
      authorizing vs. recording vs. maintaining custody
    Procedures w/ control docs
    Restricted Access
    Independent checks
    Info processing controls
Transaction processing controls
  Transaction processing controls – procedures, techniques, etc. to achieve goals of organization in reducing risk
    General controls
      Designed to make sure an organization’s control environment is stable and well-managed.
    Application controls
      Prevent, detect, and correct transaction errors and fraud. Concerned with accuracy, completeness, validity, and authorization.
General Controls
  Definition of responsibilities
  Prenumbered forms
  Preprinted forms
  Labeling
  Documentation
  Backup and recovery
  Transaction trail
  Error-source statistics
  Reliable Personnel
  Training of personnel
  Rotation of duties
  Forms design
Application controls
  Input
    Authorization
    Approval
    Formatted input
    Cancellation
    Exception Input
    Passwords
    Amount control total
    Hash total
    Reasonable checks
    Overflow checks
    Format checks
    Check digit
    Dating
    Expiration checks
  Input controls are designed to prevent or detect errors in the input stage of data processing
Application Controls
  Processing Controls
    Mechanization
    Standardization
    Defaults
    Batch Balancing
    Clearing account
    Tickler file
    Matching
  Processing controls are designed to provide assurances that processing has occurred according to intended specifications and that no transactions have been lost or incorrectly entered.
Application Controls
  Output Controls
    Reconciliation
    Aging
    Suspense file
    Periodic audit
    Discrepancy reports
  Output controls are designed to check that input and processing resulted in valid output and that outputs are properly distributed.