CSUB MKTG 4900 - Case of Changes to Information Processes


Internal Control Issues: The Case of Changes to Information Processes

Benjamin Bae, Ph. D.
Department of Accounting
School of Business
Virginia Commonwealth University
Richmond, VA 23284
Phone: (804) 828-7137
FAX: (804) 828-1719
Email: [email protected]

Ruth W. Epps, Ph. D. CPA
Department of Accounting
School of Business
Virginia Commonwealth University
Richmond, VA 23284
Phone: (804) 828-1608
FAX: (804) 828-1719
Email: [email protected]

Susan S. Gwathmey, CMA

January, 2003

1. Introduction

Much has been written on data integrity as part of the internal control framework in respect to auditing financial statements for external reporting. “However, in the business world, accurate financial reporting is but one component of a greater objective: developing and maintaining a competitive advantage. Other components may include cost and product leadership, quality, and speed of delivery, among others. Internal control can be a useful tool for achieving and extending all of these goals” (Curtis and Wu 2000).

Both operations and upper management need information on sales quantities by territory, product type, and customer. Other information needs include production costs by department and product, inventory levels, accounts receivable and payable balances, cash flow projections, other non-financial performance indicators such as production utilization, material efficiency, on-time delivery, and so on. Good controls to provide information for internal decision making in support of company objectives are critical to the long term success of a corporation. As companies make changes to their information systems they need to be cognizant of the need to include data integrity controls in their new processes.

In reality two distinct classes of control models exist: those of the "business control model" and the "more focused control models for IT." COBIT is the cord which pulls the two models together. Its underpinning concept is that control in IT is approached by looking at information that is needed to support the business objectives and by looking at information as being the result of the combined application of IT-related resources that need to be managed by IT processes.

The Control Objectives for Information and Related Technology (COBIT) – Framework (ISACF 2000) lists the following business requirements of information which have been matched with the broader categories of information technology (IT) controls, that will help an organization to achieve its objectives:

COBIT: IT Fiduciary Requirements; IT Security Requirements; IT Quality Requirements

Business Controls:
(a) quality
(b) cost
(c) delivery
(d) effectiveness and efficiency of operations
(e) reliability of information
(f) compliance with laws and regulations
(g) confidentiality
(h) integrity
(i) availability

Additionally, the COBIT framework also provides a matrix which shows that information technology processes and detailed controls are affected by application controls, including data integrity.

The focus of this paper is on the importance of the review and implementation of controls for integrity, particularly when changes are made to current information processes. We first define the terms: integrity, validity, accuracy, and completeness. Next, we point out the potential benefits and risks to internal control of increased use of automated information technology as stated in Statement of Auditing Standards (SAS) No. 94. Finally, we give some examples of instances where because of changes to the current information processes certain data integrity controls needed attention.

Definition of Terms:

Integrity: relates to the validity, accuracy, and completeness of information in accordance with a business’s set of values and expectations (ISACF 2000).
Validity: concerned with information about an event that actually happened, i.e. a sale that occurred versus recording fictitious sales information.

Accuracy: concerned with whether or not the information represents the actual event correctly. For example, reporting sales as 10,000 units rather than the actual amount of 1,000 units would be inaccurate.

Completeness: refers to whether or not the information represents all relevant transactions. For example, if 3 production runs occurred on a particular day but only 2 were recorded and posted, the information about production would be incomplete.

Potential Benefits and Risks to Internal Control of Increased Use of Automated Information Technology as stated in Statement of Auditing Standards No. 94

“PARA 18. Information technology provides potential benefits of effectiveness and efficiency for an entity’s internal control because it enables an entity to:
(a) Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.
(b) Enhance the timeliness, availability, and accuracy of information.
(c) Facilitate the additional analysis of information.
(d) Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
(e) Reduce the risk that controls will be circumvented.
(f) Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

Additionally, PARA 19. Information technology also poses specific risks to an entity’s internal control, including:
(a) Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
(b) Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
(c) Unauthorized changes to data in master files.
(d) Unauthorized changes to systems or programs.
(e) Failure to make necessary changes to systems or programs.
(f) Inappropriate manual intervention.
(g) Potential loss of data.

PARA 20. The extent and nature of these risks to internal control vary depending on the nature and characteristics of the entity’s information system (SAS 94).”

Given the above risks and the fact that companies rely on such data to make business decisions, it is understandable why it is of value to review control procedures after making changes to information

