CHAPTER 10 - Processing Integrity and Availability Controls

Processing Integrity

Availability

INPUT CONTROLS

FORMS DESIGN

CANCELLATION AND STORAGE OF SOURCE DOCUMENTS

DATA ENTRY CONTROLS

ADDITIONAL BATCH PROCESSING DATA ENTRY CONTROLS

ADDITIONAL ONLINE DATA ENTRY CONTROLS

PROCESSING CONTROLS

OUTPUT CONTROLS

ILLUSTRATIVE EXAMPLE: CREDIT SALES PROCESSING

INPUT CONTROLS

PROCESSING CONTROLS

OUTPUT CONTROLS

PROCESSING INTEGRITY CONTROLS IN SPREADSHEETS

MINIMIZING RISK OF SYSTEM DOWNTIME

RECOVERY AND RESUMPTION OF NORMAL OPERATIONS

DATA BACKUP PROCEDURES

DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING

EFFECTS OF VIRTUALIZATION AND CLOUD COMPUTING

The phrase “garbage in, garbage out” highlights the importance of input controls. If the data entered into a system are inaccurate, incomplete, or invalid, the output will be too.

Two particularly important forms design controls involve:

  1. All source documents should be sequentially prenumbered. Prenumbering improves control by making it possible to verify that no documents are missing.
  1. A turnaround document is a record of company data sent to an external party and then returned by the external party for subsequent input to the system. Turnaround documents are prepared in machine-readable form to facilitate their subsequent processing as input records.

Source documents that have been entered into the system should be canceled so they cannot be inadvertently or fraudulently reentered into the system.

This manual control must be supplemented with automated data entry controls, such as the following:

● A field check determines whether the characters in a field are of the proper type.

● A sign check determines whether the data in a field have the appropriate arithmetic sign.

● A limit check tests a numerical amount against a fixed value.

● A range check tests whether a numerical amount falls between predetermined lower and
upper limits.

● A size check ensures that the input data will fit into the assigned field.

● A completeness check (or test) verifies that all required data items have been entered.

● A validity check compares the ID code or account number in transaction data with
similar data in the master file to verify that the account exists.

● A reasonableness test determines the correctness of the logical relationship between
two data items.

● ID codes (such as part numbers) can contain a check digit that is computed from the
other digits.

  • sequence check - An edit check that determines if a transaction file is in the proper numerical or alphabetical sequence.
  • batch totals - The sum of a numerical item for a batch of documents, calculated prior to processing the batch, when the data are entered, and subsequently compared with computer-generated totals after each processing step to verify that the data was processed correctly.

The following are three commonly used batch totals:

  1. A financial total sums a field that contains monetary values, such as the total dollar amount of all sales for a batch of sales transactions.
  1. A hash total sums a nonfinancial numeric field, such as the total of the quantity-ordered field in a batch of sales transactions.
  1. A record count is the number of records in a batch.

  • Prompting - An online data entry completeness check that requests each required item of input data and then waits for an acceptable response before requesting the next required item.
  • closed-loop verification - An input validation method that uses data entered into the system to retrieve and display other related information so that the data entry person can verify the accuracy of the input data.

Important processing controls include the following:

Data matching. In certain cases, two or more items of data must be matched before an action can take place.

File labels. File labels need to be checked to ensure that the correct and most current
files are being updated.

Two important types of internal labels are header and trailer records:

header record - Type of internal label that appears at the beginning of each file and contains the file name, expiration date, and other file identification information.

trailer record - Type of internal label that appears at the end of a file; in transaction files, the trailer record contains the batch totals calculated during input.

Recalculation of batch totals. Batch totals should be recomputed as each transaction record is processed, and the total for the batch should then be compared to the values in the trailer record.

Cross-footing and zero-balance tests. Often totals can be calculated in multiple ways.

cross-footing balance test - A processing control that verifies accuracy by comparing two alternative ways of calculating the same total.

zero-balance test - A processing control that verifies that the balance of a control account equals zero after all entries to it have been made.

Write-protection mechanisms. These protect against overwriting or erasing of data
files stored on magnetic media.

Concurrent update controls. Errors can occur when two or more users attempt to update
the same record simultaneously. Concurrent update controls prevent such errors by locking out one user until the system has finished processing the transaction entered by the other.
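
Added example (not from the textbook or the original notes): recalculating the three batch totals after processing and comparing them with the trailer record, together with a sequence check on the invoice numbers. The invoice data and the function names are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample batch of sales transactions (not from the original page).
BATCH = [
    {"invoice": 1001, "qty": 5, "amount": Decimal("125.00")},
    {"invoice": 1002, "qty": 12, "amount": Decimal("89.40")},
    {"invoice": 1003, "qty": 3, "amount": Decimal("310.75")},
]


def batch_totals(records):
    """Compute the three batch totals for a list of transaction records."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["qty"] for r in records),
    }


def sequence_gaps(records):
    """Sequence check: adjacent invoice numbers that are skipped or out of order."""
    pairs = zip(records, records[1:])
    return [(a["invoice"], b["invoice"]) for a, b in pairs
            if b["invoice"] != a["invoice"] + 1]


def verify_against_trailer(records, trailer):
    """Recompute the totals and name every one that disagrees with the trailer."""
    recomputed = batch_totals(records)
    return sorted(k for k, v in trailer.items() if recomputed[k] != v)


# Trailer record: the totals calculated when the batch was entered.
TRAILER = batch_totals(BATCH)

# Constructed processing errors the totals are meant to catch.
DROPPED = [BATCH[0], BATCH[2]]                                           # record lost
AMOUNT_CHANGED = BATCH[:2] + [dict(BATCH[2], amount=Decimal("301.75"))]  # digits transposed
QTY_CHANGED = BATCH[:2] + [dict(BATCH[2], qty=8)]                        # amount intact

if __name__ == "__main__":
    for label, recs in [("clean", BATCH), ("dropped", DROPPED),
                        ("amount", AMOUNT_CHANGED), ("qty", QTY_CHANGED)]:
        print(label, verify_against_trailer(recs, TRAILER), sequence_gaps(recs))
```

The altered quantity leaves the financial total and record count unchanged, so only the hash total exposes it.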

Important output controls include the following:

User review of output. Users should carefully examine system output to verify that it is
reasonable, that it is complete, and that they are the intended recipients.

Reconciliation procedures. Periodically, all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms.

External data reconciliation. Database totals should periodically be reconciled with
data maintained outside the system.

Data transmission controls. Organizations also need to implement controls designed to
minimize the risk of data transmission errors.

Two other common data transmission controls are:

  1. Checksums. When data are transmitted, the sending device can calculate a hash of the file, called a checksum.
  1. Parity bits. Computers represent characters as a set of binary digits called bits.

Processing these transactions includes the following steps:

(1) entering and editing the transaction data

(2) updating the customer and inventory records (the amount of the credit purchase is added to the customer’s balance; for each inventory item, the quantity sold is subtracted from the quantity on hand)

(3) preparing and distributing shipping and/or billing documents

Validity checks identify transactions with invalid account numbers or invalid
inventory item numbers. Field checks verify that the quantity-ordered and price fields contain only numbers and that the date field follows the correct MM/DD/YYYY format.

The system reads the header records for the customer and inventory master files and verifies that the most current version is being used. As each sales invoice is processed, limit checks are used to verify that the new sale does not increase that customer’s account balance beyond the pre-established credit limit.

Billing and shipping documents are routed to only authorized employees in the accounting and shipping departments, who visually inspect them for obvious errors. A control report that summarizes the transactions that were processed is sent to the sales, accounting, and inventory control managers for review.
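
Added example (not from the textbook or the original notes): the edit checks from the data entry controls list, applied to the credit sale described above (completeness, validity, field, sign, range, and the credit-limit check). The master-file contents, the MAX_QTY bound, and all names are assumptions made for illustration; fields are assumed to arrive as keyed-in strings.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed master-file data and bounds (assumptions, not from the original page).
CUSTOMERS = {"C-204": {"balance": Decimal("900.00"), "credit_limit": Decimal("1000.00")}}
INVENTORY = {"P-77"}
MAX_QTY = 500  # hypothetical upper bound for the range check
PATTERNS = {"qty": r"-?[0-9]+", "price": r"-?[0-9]+(\.[0-9]{1,2})?",
            "date": r"[0-9]{2}/[0-9]{2}/[0-9]{4}"}  # MM/DD/YYYY shape
REQUIRED = ("customer", "item") + tuple(PATTERNS)


def edit_checks(txn):
    """Return the names of the edit checks a keyed-in credit sale fails."""
    # Completeness check: every required item must be present and non-blank.
    missing = [f for f in REQUIRED if not str(txn.get(f, "")).strip()]
    if missing:
        return ["completeness:" + ",".join(missing)]
    errors = []
    # Validity checks: the ID codes must exist in the master files.
    if txn["customer"] not in CUSTOMERS:
        errors.append("validity:customer")
    if txn["item"] not in INVENTORY:
        errors.append("validity:item")
    # Field checks: proper character types in each field.
    errors += ["field:" + f for f, p in PATTERNS.items() if not re.fullmatch(p, txn[f])]
    if "field:date" not in errors:
        try:
            datetime.strptime(txn["date"], "%m/%d/%Y")
        except ValueError:
            errors.append("field:date")  # right shape, impossible calendar date
    if errors:
        return errors  # the remaining checks need well-formed, known values
    qty, price = int(txn["qty"]), Decimal(txn["price"])
    # Sign check, then range check on the quantity ordered.
    if qty <= 0 or price <= 0:
        return ["sign"]
    if qty > MAX_QTY:
        return ["range:qty"]
    # Limit check: the sale must not push the balance past the credit limit.
    cust = CUSTOMERS[txn["customer"]]
    if cust["balance"] + qty * price > cust["credit_limit"]:
        return ["limit:credit"]
    return []


# Constructed sample transaction, as keyed in (all fields arrive as strings).
GOOD = {"customer": "C-204", "item": "P-77", "qty": "2", "price": "19.99", "date": "02/28/2025"}
```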

Careful testing of spreadsheets before use could have prevented these kinds of costly mistakes. Although most spreadsheet software contains built-in “audit” features that can easily detect common errors, spreadsheets intended to support important decisions need more thorough testing to detect subtle errors.

fault tolerance - The capability of a system to continue performing when there is a hardware failure.

redundant arrays of independent drives (RAID) - A fault tolerance technique that records data on multiple disk drives instead of just one to reduce the risk of data loss.

Common design features include the following:

● Raised floors provide protection from damage caused by flooding.

● Fire detection and suppression devices reduce the likelihood of fire damage.

● Adequate air-conditioning systems reduce the likelihood of damage to computer equipment due to overheating or humidity.

● Cables with special plugs that cannot be easily removed reduce the risk of system damage due to accidental unplugging of the device.

● Surge-protection devices provide protection against temporary power fluctuations that
might otherwise cause computers and other network equipment to crash.

● An uninterruptible power supply (UPS) system provides protection in the event of a prolonged power outage, using battery power to enable the system to operate long enough to back up critical data and safely shut down.

● Physical access controls reduce the risk of theft or damage.

When a problem occurs, data about everything that has happened since the last backup is lost unless it can be reentered into the system. Thus, management’s answer to the first question determines the organization’s recovery point objective (RPO), which represents the maximum amount of data that the organization is willing to have to reenter or potentially lose.

recovery time objective (RTO) - The maximum tolerable time to restore an organization’s information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system.

full backup - Exact copy of an entire database.

The two types of daily partial backups:

  1. incremental backup - A type of partial backup that involves copying only the data items that have changed since the last partial backup. This produces a set of incremental backup files, each containing the results of one day’s transactions.
  1. differential backup - A type of partial backup that involves copying all changes made since the last full backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup.
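
Added example (not from the textbook or the original notes): building incremental and differential backup files for the same week and restoring from each, to show which files a restore needs. The records, day names, and function names are constructed, and the model assumes records are only added or updated, never deleted.

```python
# Constructed week (not from the original page): the full backup is taken on
# Sunday, then each day's transactions change or add some records.
# Assumption: records are only added or updated, never deleted.
FULL = {"cust-1": 100, "cust-2": 250, "cust-3": 75}
DAILY_CHANGES = [
    ("Mon", {"cust-1": 120}),
    ("Tue", {"cust-4": 40}),
    ("Wed", {"cust-1": 90, "cust-2": 300}),
]


def make_backups(daily_changes):
    """Build each day's incremental and differential backup file."""
    incremental, differential, since_full = {}, {}, {}
    for day, changes in daily_changes:
        incremental[day] = dict(changes)      # changes since the last partial backup
        since_full.update(changes)
        differential[day] = dict(since_full)  # all changes since the full backup
    return incremental, differential


def restore_set(kind, last_day):
    """Partial backup files needed, oldest first, to restore through last_day."""
    days = [day for day, _ in DAILY_CHANGES]
    upto = days[: days.index(last_day) + 1]
    return upto if kind == "incremental" else upto[-1:]


def restore(full, backups, files):
    """Load the full backup, then apply the listed partial backups in order."""
    db = dict(full)
    for name in files:
        db.update(backups[name])
    return db


INCREMENTAL, DIFFERENTIAL = make_backups(DAILY_CHANGES)

if __name__ == "__main__":
    for kind, backups in (("incremental", INCREMENTAL), ("differential", DIFFERENTIAL)):
        files = restore_set(kind, "Wed")
        print(kind, ["full"] + files, restore(FULL, backups, files))
```

Both schemes restore the same state, but the incremental restore needs every daily file in order, and a missing one (Tue here) silently drops that day's changes.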

disaster recovery plan (DRP) - A plan to restore an organization’s IT capability in the event that its data center is destroyed.

cold site - A disaster recovery option that relies on access to an alternative facility that is prewired for necessary telephone and Internet access, but does not contain any computing equipment.

hot site - A disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired but also contains all necessary hardware and software.

real-time mirroring - Maintaining complete copies of a database at two separate data centers and updating both copies in real-time as each transaction occurs.

business continuity plan (BCP) - A plan that specifies how to resume not only IT operations but all business processes in the event of a major calamity.

Virtualization

  • can significantly improve the efficiency and effectiveness of disaster recovery and resumption of normal operations
  • reduces the time needed to recover (RTO) from hardware problems.
  • can also be used to support real-time mirroring in which two copies of each virtual machine are run in tandem on two separate physical hosts

Cloud computing

  • providers typically utilize banks of redundant servers in multiple locations, thereby reducing the risk that a single catastrophe could result in system downtime and the loss of all data.
  • if a public cloud provider goes out of business, it may be difficult, if not impossible,
    to retrieve any data stored in the cloud.
  • accountants need to assess the long-run financial viability of a cloud provider before their organization commits to outsource any of its data or applications to a public cloud.