Internal controls form an important part of the process of protecting an organization’s resources. They directly affect the allocation and use of an organization’s resources and therefore ultimately impact on the overall performance of an organization. One of the resources useful in an organization is information, and this paper seeks to explain the relationship that exists between the process of information system development and the internal control function of an organization.
The relationship between internal control and the systems development process
Internal control forms an essential part of accounting. It is one of the benchmark processes upon which the success of the accounting function and to the performance of the organization as a whole is dependent. Internal control has been defined as a process designed to enable an organization meet its specified goals and objectives by establishing standard methods of directing and allocating the organization’s resources, monitoring and measuring them. Internal control ensures that both physical and intellectual resources of an organization are protected by prevention and detection of fraud, both internally and externally.
Internal control involves providing assurance that the organization’s objectives are being met. Assurance on the effectiveness and efficiency of operations of the organization should be made by the internal controls. The internal controls should also ensure that the relevant laws and regulations are met and the financial reports produced by the organization are reliable. In formulating the internal control standards to be adopted by an organization, the following elements of internal control have to be evaluated and analyzed. The control environment, both internal and external, is one of the elements that have to be analyzed to set the control culture in the individuals who form the organization (Chorafas 2001). The second element of internal control is risk assessment, and its analysis enables the identification of the risks involved in the achievement of the objectives of the organization. The information system is also analyzed to identify the processes needed to identify, collect and disseminate information through the various management levels in the organization. Control and monitoring ensures that management decisions are carried out and standards used to evaluate the performance of the internal control activities.
Accounting information systems form one of the basis elements required for effective internal control. The systems development process is in particular very important since it is the point at which the internal control of an organization can be reconciled with the accounting information system of the organization. The steps involved in the development of the accounting information system need to integrate the internal control requirements so that the system that results enhances the control mechanisms of the organization.
The first step in systems development is the statement of systems objectives. It is desirable that all the stakeholders in the organization, both internal and external, submit their needs that they will require from the accounting information system developed. The system should comply with the legal requirements required of the organization. Since this is an essential part of internal control, care should be taken that in specifying the systems objectives, the accounting information system legal requirements should be comprehensively identified so that the information obtained meets all the statutory requirements. Compliance aspects such as transaction existence, transaction occurrence, valuation and disclosure requirements can only be effectively by the internal control mechanism of an organization if the systems statutory and compliance objectives of the accounting information system are well specified at the objectives statement phase of the systems development (Post & Anderson 2006).
In the statement of system objectives in the development of an accounting information system, the needs required of the system should be comprehensively identified to ensure that the information obtained from the system in future is complete. Internal control always seeks to assure about the completeness of the information produced by an organization, and this measure will ensure that completeness of information produced in the system is complete.
The internal control function in an organization also has an objective of monitoring the transactions, operations and management processes of the organization. To integrate these needs into the system, the potential information needs that will be required from the accounting information system should be well stated in the systems objectives to ensure that information output from the system in future is relevant and reliable.
The information needs of the different management levels in the organization should also be identified in the statement of the systems objectives. This assures that reliable and relevant information is availed to all the mangers of the organization. To enable effective internal control, specification of these different managerial needs ensure that the system to be developed provides information relevant only to a particular manager. It also assures that information does not fall on the wrong hands, for example, reports meant for strategic level managers do not reach tactical managers (Post & Anderson 2006).
The second phase of systems development is the creation of alternatives. Alternative systems that can be developed to meet the specified organizational objectives are identified and dummy systems developed for each alternative. These are meant to observe the behavior of the system when confronted with different data set, different scenarios and how effectively and efficiently the system can handle exceptional information needs (Post & Anderson 2006). From these alternatives, a choice is made which best suits the organizational information needs. An evaluation of the internal control objectives of the organization is one of the important factors that should be considered to ensure that the best choice is made from the available alternatives. The system alternative which best fits the organizational internal control objectives should be chosen for further development. The potential of an alternative to provide timely, complete, accurate and reliable information efficiently in the future should influence the choice. This will ensure that the system developed will not only meet the organizational future information needs, but also ensure that the internal control mechanisms of the organization are efficient and effective.
The system design phase is meant to put a logical structure of the real system in a form that can be interpreted by other people in the organization other than the designers. In making the system design, all the processes specified in the systems objectives should be integrated into the design of then accounting information system (Hightower 2008). The design ought to review the inputs of the system, outputs, storage requirements, data collection procedures and controls in place to ensure integrity and security of information. The internal control mechanisms of the organization need to be integrated with the system design to ensure smooth fitting of the two functions in the organization. It is essential that the internal control procedures and controls be integrated with the accounting information design to ensure that the purposes of the internal controls can be achieved by requesting output from the accounting system to be developed.
System design also involves specification of the programs and hardware needed to ensure the smooth operation of the system being developed. This physical design produces the program specification, physical files, database and user interface for selected or targeted software or hardware. This influences how users of information will interact with the system and the expected output to various users (Beynon-Davies 2009). The internal control function of the organization seeks to assure of the integrity and security of information available to the organization, and the system design phase of developing the accounting information system can assist in provision of this assurance. The user interface of the system can be designed to offer several levels of restriction to information access. Passwords and other forms of encryption to limit access to information can be used to meet the internal control objective of assuring the security and integrity of information available to the organization.
The internal control mechanisms integrated into an accounting information system can only be put into use in the system implementation phase. This involves the actual usage of the system that has been developed to meet the objectives specified in the first stage. It is in the implementation stage of the system development that the actual performance of the internal control mechanisms integrated into the system are put into actual use. The internal control needs of the organization are actually met by using the outputs of the accounting information system. Assurance of the existence and occurrence of the transactions, the completeness of financial statements and reports, presentation and disclosure and relevance of financial information obtained will be obtained from the system if such needs were fully integrated into the system in the earlier stages of system development (Chorafas 2001).
The procedures, data maintenance and storage and security of information, all of which form part of the internal control mechanisms, will be put into actual use in the system implementation process. Relevant users of information from the system will be required to authenticate their identities to access information from the system. The system will provide relevant information to these users according to their level of management or any other criteria which may have been put in place to restrict access. The integrity and security of the information will thus be assured and this internal control function will be met (Hightower 2008).
Database management is part of the system implementation phase. Database management assures that the information is stored in a secure manner and its access is only for authorized individuals. Methods of updating and making retrieval of information from the database are put in place (Beynon-Davies 2009).
. Internal control seeks to assure on the relevance and reliability of information delivered to users and database management aids in the achievement of this objective. Database management also aids in ensuring the completeness and accuracy of accounting information obtained from a system.
Security measures that are established in the system being implemented should enable the organization prevent and detect fraud. The physical and electronic barriers to access of information should act to deter potential fraudsters in the organization while the records of transactions, operations and individuals accessing the system should provide an easy way of making audits to identify fraudsters in the organization when actual fraud occurs (Beynon-Davies 2009).
System evaluation phase is the last stage in the system development process is the system evaluation. The performance of the system developed is evaluated against set standards and areas for improvement identified. This is a very important phase for internal control since it enables the organization to evaluate its internal control measures against set standards of compliance and disclosure (Hightower 2008). Other aspects of internal control such as security and integrity of information are also evaluated at this stage. Proposals for improvement of the internal control function are made together with improvement proposals for the whole system. This enables the organization to continuously improve its internal control mechanisms to make them more effective and reliable.
System development is a multistage process which cannot be clearly separated from the internal control function of an organization. The two processes are complimentary to each other, and the achievement of the objectives of one lead to achievement of the goals of the other. It is therefore important that organizations seek ways of seamlessly integrating internal control process to the system development process to ensure that the best results are obtained at the minimum cost and time.
Beynon-Davies P. (2009). Business Information Systems. Basingstoke: Palgrave.
Chorafas, D., N. (2001). Implementing and Auditing the Internal Control System. New York, NY: Palgrave MacMillan.
Hightower, R. (2008). Internal Control Policies and Procedures. New Jersey: John Wiley and Sons.
Post, G., & Anderson, D., (2006). Management information systems: Solving business problems with information technology. (4th ed.). New York: McGraw-Hill Irwin.