Transaction Processing and the Internal Control Process Small Business Information Systems Professor Barry Floyd

Agenda Necessity for controls Necessity for controls Risks Risks Current thinking …. Current thinking …. Cycles Cycles Segregation of duties Segregation of duties

Necessity for controls Reduce exposures Reduce exposures Exposure consists of the potential financial effect multiplied by the probability of occurrence (risk) Exposure consists of the potential financial effect multiplied by the probability of occurrence (risk) Common exposures Common exposures Excessive costs, Deficient Revenues, Loss of assets, Inaccurate accounting, Business interruption, Statutory Sanctions, Competitive Disadvantage, Fraud and embezzlement Excessive costs, Deficient Revenues, Loss of assets, Inaccurate accounting, Business interruption, Statutory Sanctions, Competitive Disadvantage, Fraud and embezzlement

Internal Control Process Used to provide reasonable assurance regarding achievement of objectives in following categories: Used to provide reasonable assurance regarding achievement of objectives in following categories: Reliability of financial reporting, Reliability of financial reporting, Effectiveness and efficiency of operations, Effectiveness and efficiency of operations, Compliance with applicable laws and regulations Compliance with applicable laws and regulations

Current thinking … Control frameworks Control frameworks COBIT (Control Objectives for Information and Related Technology) COBIT (Control Objectives for Information and Related Technology) Addresses the issue of control from 3 vantage points: Addresses the issue of control from 3 vantage points: Business Objectives – Information must conform to criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance with legal requirements and Reliability Business Objectives – Information must conform to criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance with legal requirements and Reliability IT Resources – People, Apps, technology, Facilities, and data IT Resources – People, Apps, technology, Facilities, and data IT Processes – Planning and organization, acquisition and implementation, delivery and support, and monitoring IT Processes – Planning and organization, acquisition and implementation, delivery and support, and monitoring COSO (Committee of Sponsoring Organizations COSO (Committee of Sponsoring Organizations Internal Control – Integrated Framework Internal Control – Integrated Framework Defines internal controls and provides guidance for evaluating and enhancing internal control systems Defines internal controls and provides guidance for evaluating and enhancing internal control systems

Cycles Revenue cycle Revenue cycle Revenue cycle Revenue cycle events related to the distribution of goods and services to other entities and the collection of related payments events related to the distribution of goods and services to other entities and the collection of related payments Expenditure cycle Expenditure cycle Expenditure cycle Expenditure cycle events related to the acquisition of goods and services from other entities and the settlement of related obligations events related to the acquisition of goods and services from other entities and the settlement of related obligations Production cycle Production cycle events related to the transformation of resource into goods and services events related to the transformation of resource into goods and services Finance cycle Finance cycle events related to the acquisition and management of capital funds, including cash events related to the acquisition and management of capital funds, including cash REFERENCE: Introduction to MS GP 8.0 Focus on Internal Controls by Brundson, Romney, and Steinbart

Segregation of Duties For example, we do not want an employee to be able to enter an order, approve the order, fulfill the order, and receive payment for the order. For example, we do not want an employee to be able to enter an order, approve the order, fulfill the order, and receive payment for the order. Why? Why?

Segregation of duties Three major duties Three major duties Authorization: Approving transactions and decisions Authorization: Approving transactions and decisions Recording: preparing source documents; entering data into online systems; maintaining journals, files or databases; preparing reconciliations, and preparing performance reports Recording: preparing source documents; entering data into online systems; maintaining journals, files or databases; preparing reconciliations, and preparing performance reports Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization’s bank account. Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization’s bank account.

Separation Separating Custodial functions from Recording functions prevents employees from falsifying records in order to conceal theft of assets entrusted to them. Separating Custodial functions from Recording functions prevents employees from falsifying records in order to conceal theft of assets entrusted to them. Separating Recording functions from Authorization functions prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized. Separating Recording functions from Authorization functions prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized. Separating Authorization functions from Custodial functions prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset theft. Separating Authorization functions from Custodial functions prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset theft.

Segregation of Duties - GP CategoryGreat Plains ActivityExamples Authorization Create or delete master records Add customer, delete vendor, create general ledger account, etc Implement security Create/delete users and assign permissions Approve transactions Approve batches, perform write-offs, enter a discount, etc. Field Controls Establish customer credit limits, payment terms, override pricing, permit sales exceeding credit limit, etc. RecordingEnter and post transactions Enter sales orders, change purchase orders, post transaction, etc. Change non-critical master file data Update customer addresses, employee address,etc Reconcile Prepare bank reconciliations, perform comparisons of aging reports to control account, etc CustodyPrint information Print company checks, preprinted purchase orders, etc

Enter a Sales Order First let’s create a ‘batch’ with transaction and control totals First let’s create a ‘batch’ with transaction and control totals Transactions > Sales > Sales Batches Transactions > Sales > Sales Batches

Now create two sales orders

Check out sales batch WHO POSTS THIS? SHOULD SOMEONE APPROVE THIS?

Setup Posting Defaults Tools > Setup > Posting > Posting

Setting Up Users Tools>Setup>System>Advanced Security Tools>Setup>System>Advanced Security

Activity Tracking Tools>Setup>System>Activity Tracking Tools>Setup>System>Activity Tracking

The Audit Trail Audit trails are an important component of internal controls. Audit trails are an important component of internal controls. The audit trail documents the source of general ledger postings. The audit trail documents the source of general ledger postings. Accountants and auditors use the audit trail to trace transactions from the point of origin to the general ledger and vice versa. Accountants and auditors use the audit trail to trace transactions from the point of origin to the general ledger and vice versa. In GP, the audit trail functions automatically In GP, the audit trail functions automatically

The Audit Trail Source document codes are first component of GP’s audit trail Source document codes are first component of GP’s audit trail Codes identify point of origin Codes identify point of origin Tools>Setup>Posting>Source Document Tools>Setup>Posting>Source Document

Source Document Codes

Audit Trail Codes Setup Tools>Setup>Posting>Audit Trail Codes Tools>Setup>Posting>Audit Trail Codes SJ Code for sales Transactions are assigned SLSTE prefix

Review Audit Trail Inquiry>Financial>Detail Inquiry>Financial>Detail Choose Select first transaction and Click on Journal Entry

Review Audit Trail SJ code identifying Document entered through Receivables in the Sales Series. SLSTE audit trail meaning Document posted as Sales Transaction.

Five Elements of Internal Control Process Control environment Control environment Risk assessment Risk assessment Control activities Control activities Information and communication Information and communication Monitoring Monitoring

Five Elements of Internal Control Process Control environment Control environment Risk assessment Risk assessment Control activities Control activities Information and communication Information and communication Monitoring Monitoring

Control Environment Integrity and ethical values Integrity and ethical values Commitment to competence Commitment to competence Management philosophy and operating style Management philosophy and operating style Organizational structure Organizational structure Attention and direction provided by the board of directors and its committees Attention and direction provided by the board of directors and its committees Manner of assigning authority and responsibility Manner of assigning authority and responsibility Human resource policies and procedures Human resource policies and procedures

Five Elements of Internal Control Process Control environment Control environment Risk assessment Risk assessment Control activities Control activities Information and communication Information and communication Monitoring Monitoring

Risk Assessment Process of identifying, analyzing, and managing risks that affect the company’s objectives Process of identifying, analyzing, and managing risks that affect the company’s objectives

Five Elements of Internal Control Process Control environment Control environment Risk assessment Risk assessment Control activities Control activities Information and communication Information and communication Monitoring Monitoring

Control Activities Policies and procedures established to help ensure that management directives are carried out. Policies and procedures established to help ensure that management directives are carried out. Plans of organization (segregation of duties) Plans of organization (segregation of duties) authorizing vs. recording vs. maintaining custody authorizing vs. recording vs. maintaining custody Procedures w/ control docs Procedures w/ control docs Restricted Access Restricted Access Independent checks Independent checks Info processing controls Info processing controls

Transaction processing controls Transaction processing controls – procedures, techniques, etc. to achieve goals of organization in reducing risk Transaction processing controls – procedures, techniques, etc. to achieve goals of organization in reducing risk General controls General controls Designed to make sure an organization’s control environment is stable and well-managed. Designed to make sure an organization’s control environment is stable and well-managed. Application controls Application controls Prevent, detect, and correct transaction errors and fraud. Concerned with accuracy, completeness, validity, and authorization. Prevent, detect, and correct transaction errors and fraud. Concerned with accuracy, completeness, validity, and authorization.

General Controls Definition of responsibilities Definition of responsibilities Prenumbered forms Prenumbered forms Preprinted forms Preprinted forms Labeling Labeling Documentation Documentation Backup and recovery Backup and recovery Transaction trail Transaction trail Error-source statistics Reliable Personnel Training of personnel Rotation of duties Forms design

Application controls Input Input Authorization Authorization Approval Approval Formatted input Formatted input Cancellation Cancellation Exception Input Exception Input Passwords Passwords Amount control total Amount control total Hash total Hash total Reasonable checks Overflow checks Format checks Check digit Dating Expiration checks Input controls are designed to prevent or detect errors in the input stage of data processing

Application Controls Processing Controls Processing Controls Mechanization Mechanization Standardization Standardization Defaults Defaults Batch Balancing Batch Balancing Processing controls are designed to provide assurances that processing has occurred according to intended specifications and that no transactions have been lost or incorrectly entered. Clearing account Tickler file Matching

Application Controls Output Controls Reconciliation Aging Suspense file Periodic audit Discrepancy reports Output controls are designed to check that input and processing resulted in valid output and that outputs are properly distributed.

Summary Controls are an important part of your information system … think about what you would do in your organization? Controls are an important part of your information system … think about what you would do in your organization?