Internal Control and Risk Evaluation
University of Phoenix
Kudler Fine Foods is a gourmet food store that currently has three locations and a vision of opening more stores in the future. Accomplishing the goal of opening new locations entails certain types of risk. This brief will analyze the risks associated with the Accounting Information System (AIS) in the areas of accounts payable, accounts receivable, inventory, and payroll; identify all risks and internal control points by incorporating the controls and risks into the flowcharts; design internal controls to mitigate risks to the systems; evaluate the application of internal controls to the systems; and discuss other controls, outside the system, that Kudler Fine Foods may need.
Analyze Risks in the System
Business enterprises face a variety of risks, including business, audit, security, and continuity risks. For Kudler Foods, the information technology risk that pertains to business risk would be IT timing. However, Kudler does not face the risk of IT timing because there is industry-specific software that has already been tested by other companies in the retail industry.
The audit risk that Kudler faces as it pertains to inherent risk is that the business is retail. The likelihood of material errors or fraud in the areas of inventory, accounts payable, accounts receivable, and payroll does exist. Kudler does face control risk in all of these areas simply because the system is new and no controls have been put in place to detect material errors or fraud on a timely basis. Detection risk is also a problem for Kudler in the event that the auditors do not detect failures in the control system once it is in place.
The security risk that Kudler faces is the risk associated with data access and integrity. Kudler may experience unauthorized access to data physically or logically. Many risks are associated with both unauthorized physical and logical access. These risks increase with information system integration and remote access capability. Controls must be put in place that allow employees access to sensitive company data. Remote access is a good feature for employees, but it does create the potential for hackers to break into an information system.
Continuity risk includes risks associated with an information system’s availability and backup and recovery. Kudler will have to implement controls that ensure their information system is always accessible to users.
Design Internal Controls
To mitigate the threat of these risks to the system, it is important to make certain there are controls in place allowing the system to operate smoothly. For the inherent risks, it is hard to implement controls, because there are risks to being in business. Monitoring the competition and being aware of the market will be helpful. In planning an audit engagement, auditors must assess each of these risks and determine an acceptable level. For control risks, management must ensure that all transactions are recorded in a timely manner to eliminate material errors or fraud.
Once the system is implemented, security risks become a concern. For this, it is important to make sure the physical location of the server is off limits to everyone but those who are required to access it. Remote access should be password protected, and users should be required to change their passwords on a regular basis. The system should be encrypted to make hacking difficult. To minimize continuity risks, backup and recovery systems are to be installed to make the system always accessible to the users.
Application of Internal Controls
The application of internal controls for Kudler Fine Foods consists of input controls, processing controls, and output controls. The application of these controls to the systems will secure all information in the systems and support the continual operations of the business. “The purpose of application controls is to prevent, detect, and correct errors and irregularities in transactions that are processed.” (Bagranoff, Simkin, & Strand, p. 286)
Input controls are the most important and strongest application controls; they “ensure the validity, accuracy, and completeness of the data entered into a system. It is cost-effective to test input data for the attributes of validity, accuracy, and completeness as early as possible.” (Bagranoff, et al., p. 287)
The application of input controls consists of three categories: observation, recording, and transcription of data; edit tests; and additional input controls. The flowcharts prepared for the payroll, accounts payable, accounts receivable, and inventory processes provide for these categories as part of the application of input controls. Processing controls focus on how to manipulate accounting data after it is input into the computer system to provide a good audit trail. A good audit trail allows tracking of a single transaction, documentation of changes, preparation of financial reports, and correction of errors.
Output controls apply to the forms of output for storage after the processing of the information by a computer system. “The objective is to ensure the output’s validity, accuracy, and completeness” (Bagranoff, et al., p. 293). Regulating the distribution and use of printed output applies particularly to the handling of checks and confidential documents.
We now turn our attention to controls outside the system and how to safeguard against outside threats. Protecting the different physical and logical access points at Kudler Fine Foods where the system is vulnerable is mandatory. The problems Kudler may face on their personal network are “social engineering, physical infrastructure threats, programmed threats such as viruses and worms, denial of service attacks, and holes in application and security software” (Hunton, 2004, p. 131).
With each threat there are ways to safeguard the system and protect it from outside threats. Social engineering involves human and software threats to the IT system. To safeguard against these threats, create strict guidelines for each employee to follow when using the system, have training programs to teach employees how to protect the system from social engineering, allow only certain access to private files, pay close attention to who enters the system, assign passwords for different levels of employees, install a firewall system, and use penetration programs to evaluate your system's defenses regularly (Hunton, 2004). To protect from physical threats, place your main system in a safe place, make sure the system has a powerful backup power supply, and have every system protected with antivirus software.
Kudler Foods faces a variety of risks, including business, audit, security, and continuity risks. To mitigate the threat of these risks to the system, it is important to make certain there are controls in place allowing the system to operate smoothly. The application of internal controls for Kudler Fine Foods consists of input controls, processing controls, and output controls. With each threat there are ways to safeguard the system and protect it from outside threats such as social engineering.
Payroll Process Flowchart
Accounts Receivable Flowchart
Bagranoff, N. A., Simkin, M. G., & Norman, C. (2008). Core concepts of accounting information systems (10th ed.). Wiley & Sons.
Hunton, J. E. (2004). Core Concepts of Information Technology Auditing. Retrieved from http://www.switched.com/2009/08/17/burglar-steals-laptop-taunts-victim-via-her-facebook-account/.