Internal Controls of Information Technology - Essay Example

Internal Controls Related to the Revenue Cycle The company’s revenue cycle is a very (if not the most) important part of the company’s operations. This cycle is composed of many processes. One of these is the sales order process. In this process, IT is involved in making sure that no sales order will be processed if any of the primary information (such as customer name and volume ordered) required by the company are not completely encoded in and captured by the system. The criterion used to evaluate this process is accuracy, that is, “amounts and other data relating to the…transactions and events have been recorded appropriately” (Puttick and van Esch, 2007, p. 260). The control here is that the system will compare the encoded data with the required primary information. According to Hall and Singleton (2005, p. 395), IT controls for this process are data validation controls to detect missing information such as missing data checks (data “are used to examine the contents of a field for the presence of blank spaces”) and numeric-alphabetic data checks (the determination of “whether the correct form of data is in a field”). Another IT control in this process is the “sign checks or tests to see if the sign of a field is correct for the type of record being processed” (Hall and Singleton, 2005, p. 307) such as a positive amount for sales orders or negative amount for sales returns. One way to test this control is to encode details of a sales order in the system, exclude some or all of the primary information and see if the system will still generate the sales order. Another process in the revenue cycle is the credit checking process for a customer. The IT involvement in this process are that it ensures that no customer will be granted additional credit if the customer has already exceeded the approved credit line and that no customer’s order will be accepted if there is no approved credit line in the first place. In this case, the presence of proper authorization is the main criterion used to evaluate the process. The controls here are the system compares the total amount of credit granted to the customer with the credit line of the same customer and it also checks if the potential customer has an existing credit line with the company and, based on this comparison, accepts or rejects the customer’s order. In both cases, IT uses limit checks to “determine if the value in the field exceeds an authorized limit” (Hall and Singleton, 2005, p. 395). Another IT control is access control or override capability control, that is, only those company officers who are authorized to approve those customers who were previously rejected by the system can access the system and manually override the system’s rejection. For the control tester, one way to test the controls is to encode a fictitious sale for a customer that will make the customer’s current credit exceed his or her credit line and see if the system will accept the order. Another way to test the controls is to encode the sales order of a fictitious customer who has no approved credit line in the company and see if the system will not process the fictitious customer. Another process included in the revenue cycle is the updating of the accounts receivable subsidiary ledger. At the end of each day, the system ensures that only valid sales transactions and cash receipts (related to on account sales) are captured in the accounts receivable change report. In this process the key criteria are completeness of the transactions recorded, accuracy of the information processed and recorded and actual occurrence of the transactions recorded. The key control here is that the system reconciles the numbers shown in this change report “with total sales, total cash receipts (on account), and the general ledger” (Hall and Singleton, 2005, p. 403) or the GL for the same day. With IT, it implements several controls to support this key control. These are generation of an error listing, maintenance of transaction logs which show successfully-processed transactions, unique transaction identifiers which identifies each transaction by assigning unique numbers to each transaction and, in general, generating automatic audit trails of the related transactions. These audit trails reports “ensure data can be traced through a system from its source to its final destination” (Pathak, 2005, p. 10). The test here is to perform a manual tie-up of the amounts shown in the change report, the total sales, the total cash receipts and the GL. Another test is to “trace sample transactions through the audit trail reports” (Hall and Singleton, 2005, p. 404) generated by the system and see if the transactions are properly captured in the related reports. Internal Controls Related to the Expenditure Cycle The expenditure cycle involves the purchasing, payroll and cash disbursement processes. One of the processes involved with purchasing is the preparation of a purchase requisition. In this process, the IT’s role is to make sure that the quantities of the items sold during the day are still above “their reorder points” (Hall and Singleton, 2005, p. 437). If the quantity is below such reorder point, the system ensures that there is a requisition file prepared for the inventory item and that, once the requisition file is prepared, no duplicate order will be placed for the same item. In this process, the main criterion for the evaluation is if there is proper inventory management and control and the completeness of the inventory files (including the applicable reorder points). A control in this process is that the system will flag the applicable inventory item as ‘on order’ to ensure that there will be no duplicate order placed for this item. In this case, IT may utilize batch controls to process sales transactions, update the inventory items and capture those items that are already below their reorder points. IT may also use real-time processing controls to immediately capture those inventory items that are below reorder points within any given time of the day. Lastly, IT also utilizes a log of automatic transactions to maintain a record of those inventory items ordered and tagged ‘on order’. To test the control, the tester can create fictitious inventory and sales transactions that will reduce a certain inventory item below the reorder point. He or she can then check if the requisition order was prepared and if the inventory item was appropriately tagged ‘on order’. With payroll, according to Hall and Singleton (2005), one critical process is the updating of the employee file to reflect newly-hired and resigned employees, changes in pay rates, status, deductions and changes in job positions. Another critical procedure is the actual preparation of the payroll checks of the employees and the release of such checks to the employees. IT’s role in this aspect is to ensure that no payroll check will be released unless the employee is authorized to receive such check. Thus, proper authorization, completeness of the list of new employees and the changes in payroll information, accuracy of the details and the changed information and existence of the actual payroll liability of the company are key criteria for this process. One control in this process is the matching of the attendance files of the employees against the updated employee file found in the system. In this case, access controls implemented by IT are critical as this will ensure that the data being matched by the system to the attendance files are correct and valid. Other controls of IT that are important in this process are limit checks (for pay rates or employee hours that exceed company policy), range checks (for establishing upper and lower limits on pay rates) and reasonableness checks (for checking if the value is reasonable when taken into consideration with other data in the record). For the tester, this control can be tested by creating attendance files of both existing and non-existent employees and see if the system or the payroll application will accept the correct file and reject the invalid attendance files. Lastly, two related processes in the expenditure cycle are the updating of the accounts payable to reflect the purchases or payroll or disbursement transactions and the generation of a summary report called the “accounts payable change report” (Hall and Singleton, 2005, p. 461). In these processes, the system's role is to ensure that only valid transactions are properly captured and recorded in this report and in other related reports. The key criteria to evaluate the process are the completeness of the data processed, the actual occurrence of the transactions for which the data pertain to and the accuracy of the information processed by the system. The key control here is that the report will be reconciled by the system with “total vendor invoices received, total disbursements, and the general ledger” (Hall and Singleton, 2005, p. 461). For IT, its controls in this aspect are the transaction logs, the unique transaction identifiers, the error listing and other system-generated audit trail reports. As to the test of the controls, the tester can test this control by performing his or her own tie up between the change report, the received vendor invoices, the total cash outlays and the GL. The tester can also sample certain transactions in this cycle and trace them through the system and through the audit trail reports to ensure that these transactions are properly reflected in their corresponding reports. References Hall, James A. and Singleton, Tommie (2005). Information Technology Auditing and Assurance. Singapore: Thomson Learning Asia. Pathak, Jagdish (2005). Information Technology Auditing. Germany: Springer-Verlag Berlin Heidelberg. Retrieved on June 13, 2009 from http://books.google.com/ books?id=YEMw_2UBzPgC&pg=PA5&dq=information+technology+internal+controls+auditing&lr=#PPP1,M1. Puttick, G., van Esch, Sandy (2007). The Principles and Practice of Auditing. 9th edition. South Africa: Juta & Co. Ltd. Retrieved on June 12, 2009 from http://books.google.com/books? id=jQSDMo-a94C&printsec=frontcover&dq= principles+and+practice+of+auditing. Read More