Types and Principles of Accounting Controls

Transcript of Types and Principles of Accounting Controls

Page 1: Types and Principles of Accounting Controls

I. Overview of Risk and Internal Control

A. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as follows:

1. Definition -- Internal control is a process, effected by the entity's Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

a. Effectiveness and efficiency of operations;

b. Reliability of financial reporting;

c. Compliance with applicable laws and regulations.

2. Accordingly, internal control is closely connected to the achievement of management objectives related to operations, financial reporting, and compliance with laws and regulations.

3. Control objectives -- A number of accounting pronouncements (SAS 78 and SAS 94, among others) have identified the following as general objectives of internal control:

a. Safeguard assets of the firm;

b. Promote efficiency of the firm's operations;

c. Measure compliance with management's prescribed policies and procedures;

d. Ensure accuracy and reliability of accounting records and information:

i. Identify and record all valid transactions;

ii. Provide timely information in appropriate detail to permit proper classification and financial reporting;

iii. Accurately measure the financial value of transactions; and

iv. Accurately record transactions in the time period in which they occurred.

e. Note that these objectives hold regardless of whether the accounting system is manual or automated.

II. Categories of Controls

The classifications of accounting controls discussed in this lesson are different ways of looking at controls. These classifications can be useful in developing and evaluating the benefits and limitations of these controls.

A. Preventive, detective, and corrective controls -- This classification focuses on the timing of the control relative to the potential error: that is, when the controls are applied. A well-controlled system balances preventive and detective controls and includes corrective controls as needed.

1. Preventive controls - "before the fact" controls -- Preventive controls attempt to stop an error or irregularity before it occurs. They tend to be "passive" controls, that is, once they are in place they simply need to be activated to be effective. Examples of preventive controls include locks on buildings and doors, use of user names and passwords to gain access to computer resources, and building segregation of duties into the organizational structure.

2. Detective controls - "after the fact" controls -- Detective controls attempt to detect an error after it has occurred. They tend to be "active" controls, that is, they must be continually performed in order to be effective. Examples of detective controls include data entry edits (e.g., checks for missing data, values that are too large or too small), reconciliation of accounting records to physical assets (bank reconciliations, inventory counts), and tests of transactions to determine whether they comply with management's policies and procedures (audits).

a. Effective detective controls, when known to the relevant constituency, often take on preventive characteristics. For example, surveillance cameras are fundamentally detective controls: they are designed to detect the commission of an unauthorized act. However, when it is known that surveillance cameras are in use, they can also serve to prevent unauthorized acts. The decrease in the number of drivers running red lights, when drivers know that surveillance cameras are installed on traffic signals, is a current example of this phenomenon.

Note: The dual nature of such controls can make it difficult to properly categorize a control as preventive or detective. In these instances, search for the fundamental, underlying nature of the control; distinguish this from the secondary effects of the control.

3. Corrective controls are always paired with detective controls -- They attempt to reverse the effects of the observed error or irregularity. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.

B. Feedback and feed-forward controls -- This classification of controls closely relates to the previous one. Feedback and feed-forward controls focus on changing inputs or processes to promote desirable outcomes by comparing actual results (feedback) or projected results (feed-forward) to a predetermined standard.

1. Feedback controls -- Evaluate the results of a process, and if the results are undesirable, adjust the process to correct the results; most detective controls are also feedback controls.

2. Feed-forward controls -- Project future results based on current and past information, and if the future results are undesirable, change the inputs to the system to prevent the outcome. Many inventory ordering systems are essentially feed-forward controls: the system projects product sales over the relevant time period, identifies the current inventory level, and orders inventory sufficient to fulfill the sales demand.

C. General controls and application controls -- This classification appears in many control models, including auditing standards (SAS 55, SAS 78, SAS 95), the COSO model, and the COBIT model (see lessons related to these topics). Its focus is on the functional area of the control: that is, where the control is applied rather than when it is applied. The model divides information processing controls into two categories: general controls and application controls:

1. General controls -- General controls are controls over the environment as a whole. They apply to all functions, not just specific accounting applications. General controls help ensure that data integrity is maintained.

a. Examples of general controls include restricting physical access to computer resources, production and storage of backup files, and performing background checks of computer services personnel.

2. Application controls -- Application controls are controls over specific data input, data processing, and data output activities. Application controls are designed to ensure the accuracy, completeness, and validity of transaction processing. As such, they have a relatively narrow focus on those accounting applications that are involved with data entry, updates, and reporting.

a. Examples of application controls include checks to ensure that input data is completely and properly formatted (e.g., dates, dollar amounts), that account numbers are valid, and that values are reasonable (e.g., that we don't sell quantities that are greater than the quantity currently in inventory).
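As an added illustration that is not part of the lesson, the following Python code runs the application-control input edits just listed (completeness, format, validity, reasonableness) over a batch of sales records, and then performs the batch control total reconciliation named under detective controls. The customer master, on-hand inventory and batch records are constructed for the example.

```python
"""Application-control edits (completeness, format, validity, reasonableness) on a constructed batch, plus reconciliation of the batch to its control totals."""
import re
from datetime import date
from decimal import Decimal

CUSTOMER_MASTER = {"C1001", "C1002", "C1003"}   # constructed customer master file
INVENTORY_ON_HAND = {"SKU-A": 40, "SKU-B": 5}  # constructed on-hand stock levels
REQUIRED = ("txn_id", "txn_date", "account", "sku", "qty", "amount")

def parse_amount(raw):
    """Format check: a positive dollar amount with exactly two decimals, else None."""
    ok = re.fullmatch(r"\d{1,12}\.\d{2}", str(raw)) and Decimal(str(raw)) > 0
    return Decimal(str(raw)) if ok else None

def edit_transaction(txn):
    """Run the input edits on one record and return the list of exceptions found."""
    errors = [f"{f}: missing" for f in REQUIRED if not str(txn.get(f, "")).strip()]
    if errors:
        return errors                              # later edits need the fields present
    try:                                           # format check: must be a real calendar date
        date.fromisoformat(txn["txn_date"])
    except ValueError:
        errors.append("txn_date: not a valid date")
    if parse_amount(txn["amount"]) is None:        # format check: dollar amount
        errors.append("amount: not a valid dollar amount")
    if txn["account"] not in CUSTOMER_MASTER:      # validity check against the master file
        errors.append("account: not on customer master")
    qty = txn["qty"]                               # reasonableness check against inventory
    if not isinstance(qty, int) or qty <= 0:
        errors.append("qty: must be a positive integer")
    elif qty > INVENTORY_ON_HAND.get(txn["sku"], 0):
        errors.append(f"qty: {qty} exceeds on-hand inventory for {txn['sku']}")
    return errors

def reconcile_batch(txns, control_count, control_amount):
    """Detective control: compare record count and amount total with the control slip."""
    total = sum(parse_amount(t.get("amount")) or Decimal(0) for t in txns)
    exceptions = []
    if len(txns) != control_count:
        exceptions.append(f"record count {len(txns)} != control count {control_count}")
    if total != Decimal(control_amount):
        exceptions.append(f"amount total {total} != control total {control_amount}")
    return exceptions

BATCH = [  # constructed batch: record 1 is clean, records 2-4 each fail at least one edit
    {"txn_id": 1, "txn_date": "2024-11-02", "account": "C1001", "sku": "SKU-A", "qty": 3, "amount": "150.00"},
    {"txn_id": 2, "txn_date": "2024-11-31", "account": "C1002", "sku": "SKU-A", "qty": 1, "amount": "50.00"},
    {"txn_id": 3, "txn_date": "2024-11-03", "account": "C9999", "sku": "SKU-B", "qty": 9, "amount": "45.5"},
    {"txn_id": 4, "txn_date": "2024-11-04", "account": "C1003", "sku": "SKU-B", "qty": 2, "amount": ""},
]
```

Records that fail an edit are excluded from the amount total, so a control slip prepared from the source documents (here a constructed total of 245.50 for 4 records) no longer agrees with the accepted batch, which is exactly the discrepancy the reconciliation is meant to surface.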

III. Linking Controls to Risks

Example: Linking controls to risks that the controls will or will not prevent or detect is an important skill for the CPA exam. For example, imagine that a company implements a new password policy that requires users to provide longer, more complex passwords. Which of the following risks will this new policy NOT reduce?

A. Crackers using software to figure out the passwords of employees;

B. Hackers gaining access to the computer system;

C. Piggybacking, i.e., someone gaining unauthorized access by following an employee into the building.

In this case, the new security policy will reduce the risk of A and B but not C.

Flashcards

Flashcard #1 (FC7048)

Define "preventive controls". "Before the fact" controls designed to stop an error or irregularity from occurring. Examples of preventive controls include locks on buildings and doors, password-protected access to files, and segregation of duties.

Flashcard #2 (FC7047)

Define "detective controls". "After the fact" controls designed to detect an error after it has occurred (though preferably before the erroneous information is used to update the database or appears in reports). Examples of detective controls include data entry edits (field checks, limit tests) and reconciliation of batch control totals.

Flashcard #3 (FC7046)

Define "corrective controls". Paired with detective controls, they attempt to reverse the effects of the error or irregularity which has been detected. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.

Flashcard #4 (FC5788)

Define "application controls". Controls over specific data input, data processing, and data output activities. Designed to ensure the accuracy, completeness, and validity of transaction processing. As such, application controls have a relatively narrow focus on those accounting applications that are involved with data entry, update, and reporting.

Flashcard #5 (FC5787)

Define "general controls". Controls over the environment as a whole. Apply to all functions, not just specific accounting applications. General controls help ensure that data integrity is maintained.

Flashcard #6 (FC5786)

Define "feed-forward controls". A process in which future results are projected based on current and past information and, if the future results are undesirable, the inputs to the system are changed to avoid the projected outcome. Many inventory ordering systems are essentially feed-forward controls: the system projects product sales over the relevant time period, identifies the current inventory level, and orders inventory sufficient to fulfill the sales demand.

Flashcard #7 (FC5785)

Define "feedback controls". A procedure in which the results of a process are evaluated and, if the results are undesirable, the process is adjusted to correct the results; most detective controls are also feedback controls.

Flashcard #8 (FC5784)

Define "internal control". A process, effected by the entity's Board of Directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Proficiency Questions

Question #1 (PQ5235)

Creating a daily backup of a real-time transaction processing system is an example of a corrective control.

True

False

Question #2 (PQ0367)

Control objectives in a computerized environment are the same as those in a manual environment.

True

False

Question #3 (PQ7633)

Detective controls are more costly than preventive and corrective controls.

True

False

Question #4 (PQ5230)

Application controls are controls over the computing environment as a whole.

True

False

Question #5 (PQ8123)

Providing user documentation, maintaining fire suppression equipment in the File Library, and using usernames and passwords to control access to the system are all examples of General Controls.

True

False

Question #6 (PQ5229)

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), information processing controls can be grouped into two primary classifications: Preventive Controls and Detective Controls.

True

False

Past Exam Questions

Question #1 (AICPA.120620BEC)

Review of the audit log is an example of which of the following types of security control?

A. Governance.

B. Detective.

C. Preventive.

D. Corrective.

Question #2 (AICPA.120613BEC)

Which of the following statements presents an example of a general control for a computerized system?

A. Limiting entry of sales transactions to only valid credit customers.

B. Creating hash totals from Social Security numbers for the weekly payroll.

C. Restricting entry of accounts payable transactions to only authorized users.

D. Restricting access to the computer center by use of biometric devices.

Question #3 (AICPA.090774.BEC)

Controls in the information technology area are classified into the categories of preventive, detective, and corrective. Which of the following is a preventive control?

A. Contingency planning.

B. Hash total.

C. Echo check.

D. Access control software.

Question #4 (AICPA.061219BEC-SIM)

Milo Corp. maintains daily backups of its accounting system in a fireproof vault in the file library. Weekly, monthly, and annual backups are stored in a secure, fireproof vault at an off-site location. Maintenance of the backup files is an example of

A. a detective control.

B. a feedback control.

C. a corrective control.

D. a preventive control.

Question #5 (AICPA.040213BEC-SIM)

Which of the following is an example of a detective control?

A. Use of pre-formatted screens for data entry.

B. Comparison of data entry totals to batch control totals.

C. Restricting access to the computer operations center to data-processing staff only.

D. Employing a file librarian to maintain custody of the program and data files.

Proficiency Question Answers

Question #1 : True

Question #2 : True

Question #3 : True

Question #4 : False

Question #5 : True

Question #6 : False

Past Exam Question Answers

Question #1 (AICPA.120620BEC)

A. A review of the audit log is not an example of a "governance" security control. In fact, there is no such category of controls as "governance." This is a nonsense answer.

B. (Correct!) Reviewing an audit log is an example of a detective control since such reviews are useful in "detecting" problems in the system that have already occurred.

C. Reviewing an audit log is unhelpful in preventing problems in a system. Instead, a review of an audit log would be helpful in detecting system problems.

D. While reviewing an audit log may be useful in correcting system problems, this is not the primary function of reviewing an audit log.

Question #2 (AICPA.120613BEC)

A. The described control is an application, not a general, control since it relates specifically to the revenue / sales cycle.

B. The described control is an application, not a general, control since it relates specifically to the payroll / disbursements cycle.

C. The described control is an application, not a general, control since it relates specifically to the disbursements cycle.

D. (Correct!) Restricting access to the computer center is an example of a general control.

Question #3 (AICPA.090774.BEC)

A. Contingency planning relates primarily to detective and corrective procedures.

B. A hash total is a detective control.

C. An echo check is a detective control.

D. (Correct!) Access control software is a preventive control.

Question #4 (AICPA.061219BEC-SIM)

A. Detective controls allow the user to determine that an error or problem has occurred. Detective controls are always paired with corrective controls.

B. Feedback controls provide results of operations or activities, which are then compared to planned results.

C. (Correct!) Corrective controls allow the user to recover from a problem once it has been identified.

D. Preventive controls are designed to stop errors and irregularities from occurring.

Question #5 (AICPA.040213BEC-SIM)

A. The use of pre-formatted screens helps prevent data entry clerks from making errors but does not detect errors.

B. (Correct!) Reconciliation of data entry totals with batch control totals will detect errors made by the data entry clerks.

C. Restricting access to computer operations helps to prevent unauthorized access to the system.

D. Employing a file librarian helps to prevent unauthorized access to program and data files.