Contents Cover Title Page Copyright About the Authors Eddy Vaassen Roger Meuwissen Caren Schelleman Preface Part I: Foundations of Internal Control Chapter 1: Organizations and their Systems Introduction Information in Organizations Information and Communication Technology Governance and Control An Integral Control Framework Quality and Quality Criteria Developments in Organizations, Technology and Society Alignment in a Complex Control Environment The Relationship between Information Disciplines Summary Chapter 2: Internal Control Introduction The Importance of Internal Control The Evolution of Internal Control The COSO Reports Corporate Governance The Scope of Internal Control Cornerstones of Internal Control Classifications of Internal Controls Conclusion Summary Chapter 3: Bridging the Gap between Internal Control and Management Control Introduction A Management Control Framework Avoiding Management Control Problems Market Control Cultural Control Input Control Process Control Output Control The Relationship between Management Control and Internal Control Control and Innovation A Combination of Hard and Soft Controls Summary Chapter 4: The Dynamics of Control and IT Introduction Information and IT Components of Information Systems Information System Development IT Applications IT-enabled Innovations The Importance of IT Information Security Codes on Information Security IT-enabled Innovations and Internal Control IT Governance Summary Chapter 5: Documenting and Evaluating Internal Control Systems Introduction Narrative Descriptions of Internal Control Systems Graphic Documentation of Internal Control Systems The Controls Checklist Automated Tools in Documenting Internal Control Systems Normative Internal Control Descriptions The Internal Control Manual Summary Part II: Internal Control in Various Organizational Processes Chapter 6: Organizational Processes Introduction Primary and Secondary Organizational Processes Organizational Processes in the Value Cycle 
Summary Chapter 7: The Purchasing Process Introduction Risks, Exposures and Internal Controls in the Purchasing Process Purchase Requisitions Purchase Orders Receipt of Goods Validation of Invoices Accounts Payable Payment of Vendor Invoices A Generic Logical Data Flow Diagram of the Purchasing Process Summary Chapter 8: The Inventory Process Introduction Risks, Exposures and Internal Controls in the Inventory Process Receiving Goods Recording of Goods Storage Release of the Goods Inventory Counts Summary Chapter 9: The Production Process Introduction Risks, Exposures and Internal Controls in the Production Process Product Design Annual Planning, Cost Calculation and Production Planning Job Preparation Raw Materials Release Production and Production Records Post-calculation A Generic Data Flow Diagram of the Production Process Summary Chapter 10: The Sales Process Introduction Risks, Exposures and Internal Controls in the Sales Process Preparing Offers Order Receipt and Order Acceptance Billing Picking and Shipping Accounts Receivable Cash Sales A Generic Logical Data Flow Diagram of the Sales Process Summary Chapter 11: Secondary Processes Introduction Human Resources Management Investment in Fixed Assets Cash Management Accounting and General Ledger Process Summary Part III: Internal Control in Various Types of Organizations Chapter 12: Typology of Organizations Introduction Typology of Organizations Trade Organizations Production Organizations Service Organizations with a Limited Flow of Goods Service Organizations that Put Space and Electronic Capacity at their Customers’ Disposal Service Organizations that Put Knowledge and Skills at their Customers’ Disposal Governmental and Other Not-for-profit Organizations Introduction to the Following Chapters Summary Chapter 13: Trade Organizations Introduction Characteristics of Trade Organizations with Cash Sales Characteristics of Trade Organizations with Credit Sales Summary Chapter 14: Production Organizations 
Introduction Characteristics of Organizations that Produce to Stock Characteristics of Organizations with Mass Customization Characteristics of Agrarian and Extractive Organizations Characteristics of Organizations that Produce to Order Summary Chapter 15: Service Organizations with a Limited Flow of Goods Introduction Limited Flow of Own Goods Limited Flow of Goods Owned by Third Parties Summary Chapter 16: Service Organizations that Put Space and Electronic Capacity at their Customers' Disposal Introduction Disposition of Specific Space Disposition of Specific Electronic Capacity Disposition of Nonspecific Space Summary Chapter 17: Service Organizations that Put Knowledge and Skills at their Customers' Disposal Introduction Selling of Man Hours Deployment of Intellectual Property Selling of Financial Products Summary Chapter 18: Governmental and Other Not-for-profit Organizations Introduction Characteristics of Governmental and Other Not-for-profit Organizations Risks, Exposures and Internal Controls of Governmental and Other Not-for-profit Organizations Administrative and Organizational Conditions in Governmental and other Not-For-Profit Organizations Summary Bibliography Glossary Index This edition first published 2009 Copyright © 2009 John Wiley & Sons Ltd Registered office John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988 All rights reserved No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK 
Copyright, Designs and Patents Act 1988, without the prior permission of the publisher Wiley also publishes its books in a variety of electronic formats Some content that appears in print may not be available in electronic books Designations used by companies to distinguish their products are often claimed as trademarks All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners The publisher is not associated with any product or vendor mentioned in this book This publication is designed to provide accurate and authoritative information in regard to the subject matter covered It is sold on the understanding that the publisher is not engaged in rendering professional services If professional advice or other expert assistance is required, the services of a competent professional should be sought Library of Congress Cataloging-in-Publication Data Vaassen, E H J (Eddy H J.) Accounting information systems and internal control / Eddy Vaassen, Roger Meuwissen and Caren Schelleman.–2nd ed p cm Includes bibliographical references and index ISBN 978-0-470-75395-8 (pbk.) 
Accounting–Data processing Information storage and retrieval systems–Accounting I Meuwissen, Roger II Schelleman, Caren III Title HF5679.V33 2009 657.0285—dc22 2009017247 economical networks edit checks education and training efficiency control efficiency variances electronic data interchange (EDI) electronic funds transfer (EFT) electronic wallet encryption Enron enterprise resource planning (ERP) relationship with internal control systems Enterprise Risk Management (ERM) erasable programmable read only memory (EPROM) Ericsson-Vodafone Contract event identification event logging execution control execution function executive information systems (EIS) expectations control expert systems exposures accounting firms agrarian and extractive organizations banks garage businesses governmental and not-for-profit organizations insurance companies inventory process museums organizations that produce to order organizations that produce to stock organizations with mass customization production process purchasing process restaurants sales process software companies telephone operators trade organizations with cash sales trade organizations with credit sales trade organizations with credit sales transportation companies extended business reporting language (XBRL) extended markup language (XML) extractive organizations see agrarian and extractive organizations factoring fallback systems fat client feedback mechanisms feedforward mechanisms firewalls fixed assets, investment in flexible firm Ford Motor Company foreign key formal checks four-eye principle garage business administrative and organizational conditions main processes risks, exposures and internal controls general theory of the firm governance government governance governmental organizations administrative and organizational conditions characteristics risks, exposures and internal controls group decision support system (GDSS) group-based rewards groupware hackers hard controls human resources management hyper 
goal-oriented behavior hypertext markup language (HTML) indirect checks industrial age information quality spectrum of information age information and communication technology (IT) applications enabled innovations governance importance of information and managerial uses quality spectrum of infrastructure relationship with internal control information asymmetry information manager information provision information security information systems (IS) components of development informational alignment informational mechanisms innovation, control and input control input devices institutional impediments insurance companies administrative and organizational conditions characteristics main processes risks, exposures and internal controls integral control framework integrity controls integrity of information intellectual property interactive control systems interim billing internal accounting controls internal control (IC) adjustments, e-communication and classifications cornerstones evolution of importance management control vs scope of shared service centres and see also internal controls internal control manual internal control measures internal control systems automated tools in documentation checklist graphic documentation narrative descriptions normative descriptions internal controls accounting firms agrarian and extractive organizations banks garage businesses governmental and not-for-profit organizations insurance companies inventory process museums organizations that produce to order organizations that produce to stock organizations with mass customization production process purchasing process restaurants sales process software companies telephone operators trade organizations with cash sales trade organizations with credit sales transportation companies internal environment Internet portals Internet protocol (IP) Internet protocol secure (IPsec) Internet service provider (ISP) intraorganizational transfers inventory availability check inventory counts inventory 
process risks, exposure and internal controls in in trade organizations with cash sales inventory records investment analysis and decision investment in fixed assets investment need invoices validation of vendor, payment of ITIL (IT Infrastructure Library) job design job preparation knowledge-based theory of the firm knowledge creation knowledge integration knowledge workers lapping levers of control linear approach to systems development Linux local area network (LAN) logical data flow diagram (DFD) lot recording machine readable turnaround documents magnetic ink character recognition Management Accounting and Management Control (MA&MC) management control (MC) avoiding problems framework internal control vs management cycle adjustment evaluation planning structuring management guidelines accounting firms agrarian and extractive organizations banks garage businesses government and not-for-profit organizations insurance companies museums organizations that produce to order organizations that produce to stock organizations with mass customization restaurants software companies telephone operators trade organizations with credit sales transportation companies management information system (MIS) managerial information provision (MEP) manufacturing resource planning (MRII) market control adverse selection informational mechanisms institutional impediments moral hazard social mechanisms social-psychological factors taxes and endowments transaction costs mass customization master file material checks material resources, provision of materials requirements planning (MRP) message authentication codes Metro, Washington Microsoft Microsoft Visio mission statements Mizuho Securities monitoring moral hazard museums administrative and organizational conditions characteristics main processes risks, exposures and internal controls Near Field Communication (NFC) negative checks neo-classical price theory neural networks new economy non-governmental organizations (NGOs) norm of 
reciprocity normative internal control descriptions normative theories not-for-profit organizations administrative and organizational conditions characteristics risks, exposures and internal controls objective setting obsolescence offers, preparation of on-line analytical processing (OLAP database) operation of asset operational alignment operational controls operations list optical character recognition (OCR) order acceptance order receipt organization types organizational control organizations that produce to order administrative and organizational conditions main process risks, exposures and internal controls organizations that produce to stock administrative and organizational conditions characteristics main processes risks, exposures and internal controls organizations with mass customization administrative and organizational conditions mass processes risks, exposure and internal controls output control output devices outsourcing overreporting parallel administrations partial observation payment making PDCA cycle performance evaluation person-task alignment personal identification number (PIN) personnel controls physical and social arrangements physical data flow diagram physical security picking PIN cards/numbers point-of-sale systems policy control positive checks post-billing post-calculation pre-action reviews pre-billing pre-calculation preemption price variances prices primary key primary organizational processes priority process control processing of financial transaction data product design production efficiency organizations that produce to stock production information system production manager production order production organizations production planning organizations that produce to stock production process generic data flow diagram risks, exposures and internal controls in production records production report production standards programmed controls progress control prototyping public key infrastructure (PKI) punch card purchase orders purchase 
requisitions purchasing clerk purchasing process generic logical data flow diagram in risks, exposures and internal controls in in trade organizations with cash sales quality quality criteria quality inspector quality spectrum of information accuracy completeness efficiency precision timeliness understandability validity quality spectrum of the IT infrastructure availability compliance with rules and regulations confidentiality efficiency maintainability transferability quasi-goods Radio Frequency Identification Tags (RFID) random access memory (RAM) raw materials release re-order points read-only memory (ROM) real goods receipt of goods receiving cash receiving report reconciliations recording financial transaction data financial transaction data function goods recruitment and selection redundancy release of goods remuneration restaurants administrative and organizational conditions main processes risks, exposures and internal controls results control retro-fit risk assessment risk map risk response risk sharing risks accounting firms agrarian and extractive organizations banks garage businesses governmental and not-for-profit organizations insurance companies inventory process museums organizations that produce to order organizations that produce to stock organizations with mass customization production process purchasing process restaurants sales process software companies specific telephone operators trade organizations with cash sales trade organizations with credit sales transportation companies routing control Royal Ahold sales force automation (SFA) sales process logical data flow diagram of risks, exposures and internal controls in trade organizations with cash sales Sarbanes-Oxley Act secondary key secondary organizational processes secure electronic transaction (SET) Securities and Exchange Commission security codes on information computer information physical security segregation of duties accounting firms agrarian and extractive organizations banks 
garage businesses government and not-for-profit organizations insurance companies museums organizations that produce to order organizations that produce to stock organizations with mass customization restaurants software companies telephone operators trade organizations with cash sales trade organizations with credit sales transportation companies selection and placement self-checking selling of financial products of man hours service level agreement (SLA) service organizations with knowledge and skills at customers' disposal with limited flow of goods with space and electronic capacity at customers' disposal shared service centre (SSC) Shell shipping shop within a shop single-loop learning smartcards social mechanisms social-psychological factors soft controls software companies administrative and organizational conditions characteristics main processes risks, exposures and internal controls source data automation Sprint Nextel standards control steering paradigm storage goods of higher value in open warehouses goods of low value storage devices strategic enterprise management (SEM) strategic planning subsidiary ledger supply chain management system controls systems development life cycle (SDLC) systems flowcharts tariffs data task assignment taxes and endowments telephone operators administrative and organizational conditions characteristics main processes risks, exposures and internal controls teleprocessing monitor (TPM) termination theft of goods of work-in-process thin client threats from ICT proliferation tone at the top total checks trade organizations threats to trade firms trade organizations with cash sales administrative and organizational conditions main processes risks, exposures and internal controls trade organizations with credit sales administrative and organizational conditions main processes risks, exposures and internal controls training transaction costs transaction file transportation companies administrative and organizational conditions 
main processes risks, exposures and internal controls visibility and control in treasury management turnaround document Twente University Computer Department typology of organizations underreporting universal product code (UPC) UNIX user controls validation of invoices value-added network (VAN) value cycle organizational processes in for a trade firm value of cash position values per product Vanderbilt Museum variance analysis vendor delivery terms vendor invoices, payment of vendor selection vendors virtual organizations virtual private networks (VPN) vision statements warehouse clerk waterfall approach to systems development web page wide area network (WAN) Windows WorldCom write-downs ... Auckland, New Zealand Caren's research and teaching interests focus on auditing and accounting information systems and internal control She has presented her research at leading accounting and