INFORMATION PROCESSING CONTROLS

What are information processing controls?

Information processing controls are the manual controls (performed by humans) and the
computerised controls (performed by the computer system) within an application or
business cycle (E.g., Revenue and Receipts Cycle) through which a transaction is
initiated, recorded, processed, and reported. These controls also include any changes to
the standing data on the Masterfile used by the application or cycle.

The purpose of these controls is to provide reasonable assurance that the transaction
processed through the cycle are valid (they actually occurred and have been authorised)
and are recorded, processed, and reported accurately and completely.
Stages in the transaction process:
The primary objective of information processing controls is to prevent or detect and
correct misstatements arising from when a transaction is input to or processed by an
application or an output is generated from the application.

INPUT PROCESSING OUTPUT

Stages Description
Input The input of a transaction relates to the capturing or initiation thereof on
a specific application such as Peoplesoft or Xero. The input could be
through manual input of data by a user or through an interface from
another application. The input part of a transaction flow can be called
raw data.
Processing The processing of raw data ensures that the individual components of
the transaction are recorded correctly into various files and databases,
including the accounting records (debits and credits). The processing of
raw data is performed automatically. Once a transaction has been
processed, the raw data is converted into information the company can
use.

1
 Stages Description
Output The output of information is the final form in which data is used. The
output of information can occur in numerous formats, depending on the
purpose or use of the information.
Source: Auditing Fundamentals Page 169 - 171
Manual vs computer controls:
Information processing controls consist of manual and computerised (automated)
controls that integrate to form an important part of transaction processing. Three types
exist:
Independent manual IT-dependent manual Programmed controls
controls: controls: (also known as
automated controls):
Manual controls are These are manual controls These controls are solely
performed independently dependent on the output dependent on and
from the computer system produced by the computer performed by the computer
and are not dependent on system. system without human
the information produced interaction.
by the computer system.
Source: Auditing Fundamentals Page 171

2
INPUT CONTROLS:

Input controls are designed to ensure that data entered and master file amendments
captured are valid, accurate and complete.

If input controls are not implemented effectively, it could result in (risks):

Data on the system

Unauthorised
being added, deleted Errors occuring during
transactioned being
or changed without initiation or recording
entered
authorisation

Errors previously
made going Data being lost or not
uncorrected and captured at all
undetected

Source: Auditing Fundamentals Page 171

Controls should be implemented when recording data onto a computer to address the
risks identified above. These controls should be applied to the following:

• The person capturing the document or data and the document captured onto the
system (user-related controls).
• The computer screen aids the person capturing the document (screen aids).
• Checking the validity, accuracy, and completeness of the data captured by logical
programmed controls.
• Management review of the captured data to identify and correct any errors
timeously.

3
 INPUT CONTROLS: USER-RELATED CONTROLS
The following user-related controls should be implemented:
 Training: Users should receive specific training on the
functionalities necessary to perform their job function to
reduce the number of errors.
 Dedicated employees: Users should perform specific job
functions. Performing repetitive tasks should mitigate the risk
of error.
 This will also help to keep the employees responsible for
capturing data accountable. This can be achieved by setting
User-related up access profiles (logical access controls), each user
controls: receiving a unique username linked to a password.
The following control should be implemented over the
documents that are captured onto the system:
 All documents should comply with acceptable document
standards, such as pre-printed and sequentially numbered
documents.
 Documents should be well-designed and easy to understand.
 Controls should be implemented over the custody of the
documents (who has access to which documents).
Source: Auditing Fundamentals Page 173

4
 INPUT CONTROLS: Screen Aids
Screen aids are controls built into the program and reflect on the screen to assist a user
in capturing data with the least effort and lowest error probability.
1. Minimum keying of information
Also referred to as dropdown menus or limited selection options.

This control is built into the program and only requires the user to enter the necessary
information. This helps the user not to enter unwanted information and thus reduces
the risk of errors.
Matching:
The user can only enter a unique code or number when information is already captured
on the program (Masterfile). The system will automatically retrieve all the information
associated with this item and automatically populate specific fields.
Typically standing data like contact details or physical address is retrieved and added
to the transaction.

5
 User selects the supplier from a dropdown list.

Once selected, the following information

is automatically populated on the
screen – thus reducing the risk of errors.

Dropdown menus:
Another example is the use of
dropdown menus or tick boxes.
As there is only a limited number
of possible answers, the program
lists these options in a dropdown
menu, reducing the risk of errors
when the information is captured.
Depending on the type of
information, the system can allow
multiple selections or only one
selection.

2. Screen layout
When data is captured directly onto the program, the screen layout should ensure that
the user inputs all required data. This can be achieved by designing the screen like a
hard-copy document. The screen layout should also be standard and user-friendly,
requiring minimum data to be captured.
The example shown above
shows what a well-
designed and user-friendly
website looks like. This
makes it easier for the user
to know which field data
should be entered.

6
3. Screen prompts and screen dialogue
The computer should prompt the user to enter data where data is missing or incorrect.
Prompting or computer dialogue could be used to guide the user on how to complete
the fields or highlight errors.

The screen dialogue gives guidance to the

user on what information should be entered.

4. Compulsory fields / Mandatory fields

Mandatory fields are an essential control as they will not let the user continue the
process until all the required fields are completed.

Mandatory fields are usually indicated by the "*" next to the field or highlighted in red.
The example above shows that your mobile phone number and email are mandatory
fields you MUST enter before continuing.

7
 Mandatory Fields

5. Shading of fields
Shading of fields (or individual buttons) is done to prevent the users from carrying out
specific functions they are not allowed to carry out. This works together with the
principle of Least Privilege (or access Tables). The feature is not disabled for all users
but is only available to specific users with access to them.
This control can also be used for Mandatory fields but shading the "Continue" or "Finish"
button on a page.

Source: Auditing Fundamentals Page 173 - 174

8
 INPUT CONTROLS: Logical Programmed Controls
Logical programmed controls are application controls that test data input against pre-
determined rules programmed into the computer package to validate the input.
Existence/validity checks:
These controls are designed to ensure that the transaction entered relates to a valid
customer/supplier or that the transaction may be authorised. These controls include:
The control verifies the customer detail entered against the
customer Masterfile already created. This type of control is
typically implemented where customers must be approved
Validity test before buying products.
For example, Your Makro card needs to be swiped before you
can pay for your goods – the system checks the validity of the
customer information against the Masterfile.
This control works similarly to the validation test, where the input
information is compared to the information on the system, but
no validation is required in this case.
An example of this control is when your order at a restaurant is
Matching checks /
keyed against a table number. When you need to pay, the table
Related data test
number is entered, and the system matches the table number to
the order details already captured on the system.
In accounting programs, control is typically found when
documents in the same process are being created.
This control will test the input against a pre-determined
rule/condition.
Data
For example, if a person buys clothes on account from a clothing
checks/approval
store, the system will calculate the total sales value and test it
checks
against the remaining credit available. The sales transaction will
not be processed if the total sales value exceeds the credit limit.

9
Reasonability and limit checks:
These types of control will test the input data for reasonability (compared to pre-set
information) or limit the information's quantity. The controls include:
The control will not allow the user to enter more than a pre-set limit
or threshold. If the user tries to do this, the system will reject the
input.
Limit check / For example, when a customer buys on credit. If the transaction
Range check exceeds the available credit, the system will not accept and process
the transaction.
Remember that the user can enter less than the pre-set limit
amount, but the computer system will not allow more.
The control works on the same principle as a limit check, but the
Reasonability / computer system will not stop the user from continuing if the data
Reasonableness exceeds the pre-set limit.
check The system will log this, and a senior should review the log later and
follow up.
Format checks: A format check is a validation check which ensures that entered data
is in a particular format or pattern.
The control will ensure that the user can only enter numerical digits
in a field requiring numerical digits (a contact number) or only letters
in a field requiring letters.
Alphabetic/
Alpha-
numerical/
Numeric
character check

The completeness test requires that a field must be completed

Mandatory field / before being able to continue.
Missing data
test /
Completeness
test

10
 The control ensures that the number of digits (characters) entered a
Field length test/
field does not exceed or equal a certain amount. (E.g., your ID
Size check
number would require 13 digits).
The control has been designed to ensure that valid signs (for
example, the "@" in an email) are included when the user types in
Valid character the information.
checks

A sign test requires the field entered to be either positive or negative.

For example, a program would report an error if a negative inventory
quantity is entered.

Sign check

INPUT CONTROLS: Review, reporting and expectation monitoring

A senior staff member should periodically extract logs, audit trails
and registers from the computer to review activities and identify
any unusual transactions.
Any unusual items should be investigated, and corrective action
should be taken.
Various reports can be extracted, such as:
Review,
reporting and  Logs and registers of all computer activity and transactions.
expectation  Exception reports of activities outside the norm or exceeding a
monitoring pre-determined benchmark.
 An audit trail shows the flow of financial information and controls,
including listings of transactions and summaries.
 Control reports reflect, for example, the total amount invoiced for
a particular period.
 Error reports
Source: Auditing Fundamentals Page 174 - 175
11
 INPUT CONTROLS: Additional batch input controls
In any business, many transactions take place daily. Depending on the type of business,
this can range from hundreds to thousands of daily transactions. All these transactions
need to be captured and processed on the computer system.
Depending on the level of IT integration in the business and the number of daily
transactions, a business will decide which method to apply when capturing and
processing transactions. Some may employ real-time processing, where the transaction
is captured as it takes place.
Smaller businesses might not have the resources to invest in such IT
infrastructure and still use a paper-based (manual) system. They will
process these transactions in batches once a week (or every two
weeks).
These batches can be made up of any number of transactions, but usually, a batch
contains 20, 50 or 100 transactions. With the use of batches, the following risks exist:
 There is a risk that not all batch transactions have been captured.
 There is a risk that errors were made while capturing the transactions.
 There is a risk that invalid transactions were added to the batch.

Batching is a technique that assists in controlling an activity (capturing transactions) that

will be carried out on a batch of transactions to ensure that all the transactions were
captured on the accounting system (complete), all the transactions have been accurately
captured, and only valid transactions have been added to the batch. The following key
concepts are important to understand:
Control totals Includes the financial total, the hash total, and the record total
Financial total The total of any field holding monetary amounts (E.g., the total of all
the invoice amounts).
Hash total The total of any numerical field, excluding the financial field (E.g., the
total of all the invoice numbers).
Record total The total number of records (transactions) in the batch.
Batch control The sheet is attached to each batch. The batch controls sheet should
sheet contain the following:
 Unique batch number.
 Control totals.
 Identification of the type of transaction (e.g., invoices)
 Spaces for signatories
Batch Register Register used to record the physical movement of batches. The
recipient of the batch should sign the register after checking what is
being signed for.
12
How does a batch control system work?
1. Transactions are grouped into batches of 20, 50 or 100.
2. For each batch, a batch control sheet is prepared. The control totals for the batch
are calculated and entered into the batch control sheet.
3. A senior person should review the details on the batch control sheet to ensure it was
correctly calculated and all the details have been completed.
4. The batch's details (unique batch number, date, and time) are entered into the batch
register, and a responsible person takes control of the batch.
5. When the batch needs to be captured, the capturer will sign the batch register as
proof of taking control of the batch (document control and isolation of responsibility).
6. The batch details (e.g., batch description, unique batch number, and control totals)
are entered into the computer's accounting system to create a batch header label.
7. The information of each record/transaction in the batch is entered into the accounting
system (subject to automated application controls).
8. When all the records/transactions have been captured, the computer calculates its
control totals based on pre-determined fields. The computer compares the control
totals (calculated) with the control totals entered (see number 6).
9. The batch is accepted for processing if the control totals agree and no other error
type is detected.
10. If the totals do not agree, the batch is rejected and sent for correction.

Source: Auditing Fundamentals Page 175

Masterfile Change Controls

Master files within a computer system contain standing data frequently used by
accounting software. Master file changes occur when the standing data on the master
file is changed, updated, or new data is added to the master file.
The need for master file changes occurs from either the user of the information or from
external sources.
When master file changes occur, we need to ensure that sufficient and appropriate
controls have been implemented to ensure that:
 Only valid (authorised and actually occurred) changes are made.
 Changes are made accurately.
 All changes are made.

13
Some information systems might already have a degree of control programmed into the
application; for example, specific accounting software will not allow you to delete a
customer or supplier account from the master file if there is an outstanding balance on
the account. But these controls might not be sufficient to prevent unauthorised changes.
The following controls should be implemented over master file changes:
1. Each amendment should be requested using pre-printed and sequentially
sequenced Master file Amendment Forms (MAFs).
 All supporting documentation (evidence) should be attached to the MAF.
 The MAF will be prepared by PERSON 1.
N If the change request is made on the system (electronically), the supporting
documentation should be uploaded and attached to this request.
2. The MAF should be reviewed by a senior (PERSON 2), and they should sign the
MAF as proof that it has been reviewed and approved.
 The person reviewing the MAF should also compare the MAF to the supporting
documentation.
 Perform a logic test on the request - would it make sense to make the change.
3. The changes to the Masterfile (on the computer system) should be captured from
the approved MAF.
 The changes should be captured on the system by PERSON 3;
 After the changes have been made, the MAF should be filled sequentially with
supporting evidence.
3.1 The following logical access controls should be implemented:
Restrict access to the master file (write access) to PERSON 3 only using
usernames and passwords.
Please note that other users can view the master file but should not have access
to make any changes thereon.
N Careful consideration should be given to access to confidential information (E.g.,
the CEO's remuneration package).
3.2 The following screen aids and related features and program controls (input) can
be implemented to ensure accurate and complete Masterfile amendments:
 Screen formatting, the screen design should be like the MAF document.
 The system automatically generates a new account number; and
 Minimum keying in of information

14
3.3 Logical Programmed Controls:
 Verification/matching checks to validate a debtor account number against the
debtor's Masterfile (if an existing customer).
 Alphanumeric checks on specific fields.
 Field size check and mandatory/missing data checks.
 Sequence checks on MAFs entered.
4. The computer should log all master file amendments on sequenced logs, and no
write (edit) access to the logs should exist.
5. The changes to the master file should be reviewed and approved:
 The review/approval should be done by PERSON 4.
 The person doing the review/approval should agree the changes on the master
file to the approved MAF and supporting documentation.
6. Regularly (E.g., every day or once a week), the log indicating all amendments to
the master file should be extracted (output register) from the system,
 A senior staff member should review the log.
 The log sequence should be tested for any missing/duplicate numbers.
N Any suspicious changes or missing/duplicate numbers should be investigated.
6.1 The reviewer should confirm the following:
 Changes were made only by authorised staff.
 Each change has approved MAFs in the file (Log to MAFs).
 Each MAF was adjusted on the system (MAFs to Log).
7. Access to the master file (staff should use usernames & passwords to access
Masterfile – isolation of responsibility):
 Limited, authorised staff members should be able to change the Masterfile
(write access).
 Limited, authorised staff members should be able to approve changes to the
Masterfile (review access).
 A staff member who can make changes and those who can authorise changes
should not be the same staff members – segregation of duties.
 The system should log the identity (username) of the person making the
changes – isolation of responsibility.
Source: Auditing Fundamentals Page 180

15