
C. Transaction Processing Control

Transaction processing controls are procedures designed to ensure that elements of an
organization’s internal control process are implemented in the specific application systems
contained within each of an organization’s transaction cycles. Transaction processing
controls consist of general controls and application controls. General controls affect all
transaction processing. Application controls are specific to individual applications. General
controls concern the overall environment of transaction processing.

a. General controls comprise the following:

• The plan of data processing organization
• General operating procedures
• Equipment control features
• Equipment and data-access controls

A plan of organization for data processing includes provision for segregation of duties
within data processing and the organizational segregation of data processing from other
operations. General operating procedures include written manuals and other
documentation that specify procedures to be followed. Equipment control features are
those that are installed in computers to identify incorrect data handling or erroneous
operation of the equipment. Equipment and data-access controls involve procedures
related to physical access to the computer system and data. There should be adequate
procedures to protect equipment and data files from damage or theft.

b. Application Control
Application controls are specific to individual applications. Application
controls are categorized into input, processing, and output controls. These categories
correspond to the basic steps in the data processing cycle.
1. Input controls are designed to prevent or detect errors in the input stage of data
processing. When computers are used for processing, the input stage involves the
conversion of data into a machine-readable format.
2. Processing controls are designed to provide assurance that processing has occurred
according to intended specifications and that no transactions have been lost or
incorrectly inserted into processing systems.
3. Output controls are designed to check that input and processing resulted in valid
output and that outputs are distributed properly.

Preventative, Detective, and Corrective Controls


Transaction processing controls may also be classified as being primarily preventative,
detective, or corrective in nature.
• Preventative controls act to prevent errors and fraud before they happen.
• Detective controls act to uncover errors and fraud after they have occurred.
• Corrective controls act to correct errors.

D. Communicating the Objectives of Internal Control

Internal control is human. An internal control process is a process of checking someone else's
work. The principal function of internal control is to influence the behavior of everyone
involved in a business system. The objectives of internal control must be seen as relevant to
the individuals who will comprise the control system. The system must be designed such that
each employee is convinced that controls are meant to prevent difficulties or crises that
otherwise could affect him or her very personally.

Goals and Behavior Patterns

Information systems have several purposes; one of the main goals is productivity. Reliability
of information and the safeguarding of assets are also important goals. These goals are at
times contradictory. One behavior caused by such a conflict is the abolition of internal
control tasks (such as document counting) with the aim of increasing productivity. The goals
of an internal control system are achieved through the actions of the people in the system.
The reliance on a formal plan of organization and related methods and measures to attain
these goals entails important assumptions concerning collusion, reporting of irregularities,
power relationships, and other behavior patterns within the organization. Organizational
independence and segregation of duties are consistent with good internal control only if the
probability of collusion between two or more duly segregated employees is low.

E. Analysis Of Internal Control Process

Internal control process analysis requires an understanding of the process both at the time
it is designed and when it has been executed. Internal control processes routinely collect
information concerning fulfillment of duties, transfer of authority, approval, and verification.
This documentation of internal control duties must be examined to evaluate the reliability of
the system’s operation. There are several reasons why internal control duties may not be
administered. New employees or perhaps even experienced employees may not understand
their duties. More common is the omission of an internal control duty (such as counting
documents) in order to increase production.

Analytical Techniques

The internal control questionnaire is one of the most commonly used analytical techniques for
analyzing internal controls. These questionnaires often become standard forms in public
accounting firms, internal audit departments, and other organizations that are routinely
involved with internal control reviews. Analytic flowcharts can also be used in internal
control analysis, especially if the analysis involves the application of a computer system.
Application control matrices are useful as analytical forms relevant to internal control
reviews of information systems.

Questionnaires do serve as documentation that a review was undertaken; however,
questionnaires are necessarily standardized and therefore are not equally applicable in all
circumstances. Their use often must be supplemented with other forms of analysis, such as
write-ups, flowcharts, or other charting techniques. Analytic flowcharts might be used in
internal control analysis, particularly if the analysis involves a computer system application.
Flowcharting itself is not a form of structured analysis but rather a technique to organize data
for analysis. An application controls matrix provides a structured form of analysis that is
particularly relevant to internal control reviews of information systems.

F. Internal Control and Compliance in Small Business and Small Public Companies

The small business has no independent IT or internal audit department, and in many cases
it is run by managers with no accounting education or financial expertise. Finally, there may
be little or no separation between the owners and managers, generating increased opportunity
for management override of internal control. The COSO report, “Internal Control over
Financial Reporting—Guidance for Smaller Public Companies,” suggests various ways small
public companies can compensate for their small size. The suggestions in this report apply to
private small businesses as well:

• Leadership Involvement. Many small businesses are run by a single leader. This
individual is typically familiar with all aspects of the business. The result is that the
leader can actively oversee and be involved in all operations and the financial
reporting process.
• Effective Boards of Directors. Smaller businesses are often relatively simple. This
means that the members of the Board of Directors can develop substantial expertise in
all areas of the business, effecting better oversight. Also, the informal nature of small
businesses often facilitates better communications between members of the board
and management.
• Limited Segregation of Duties and Increased Focus on Monitoring. Large
companies can easily have separate departments for purchasing, inventory, billing,
general accounting, receiving, sales, and so on. Such is typically not possible in the
small business, where many functions often get collapsed into single individuals.
Managers can compensate for the relative lack of segregation of duties by placing
increased emphasis on monitoring. This can be accomplished by management’s
focusing more on observing employees, reviewing reports, investigating unusual
transactions, and so on.
• Compensating for Limitations in Information Technology. Businesses without an
IT department or IT expertise can rely on outside application service providers (ASPs)
for their accounting, software, and IT needs. For example, a business might use the
Web-based Microsoft Dynamics for its accounting system.

Another challenge facing small business is how to develop their internal control processes
within limited budgets. Both small and large companies can gain cost efficiencies by using
the following approaches:

• Apply a Top-Down Risk Assessment (TDRA) Approach to Internal Control
Assessment. TDRA is defined by PCAOB Auditing Standard No. 5 as “An audit of
internal control over financial reporting that is integrated with an audit of financial
statements.” The goal of TDRA is to determine the scope and required evidence
necessary to adequately test and assess internal controls.
• Focus on Changes. Financial items that have changed the most from one period to the
next get special attention. For example, a 50% increase in accounts receivable over
one quarter would likely deserve investigation.
• Manage Reporting Objectives. Considerable gains in efficiency can be produced by
giving the most attention to financial reporting objectives that are material to the
financial statements.
• Right-Size Documentation.
