Page 239 - COSO Guidance Book

               –  An entity with a sophisticated enterprise resource planning (ERP) system will have different
                   control activities than one that uses an off-the-shelf computer accounting system.
                   Off-the-shelf computer accounting software has generally been tested by a wider range and
                   larger number of users than a sophisticated ERP system.

               –  An entity with decentralized operations and an emphasis on local autonomy and innovation
                   presents different control circumstances than another whose operations are constant and highly
                   centralized.
                   This stems from the likelihood that management’s emphasis on the importance of internal
                   control and the level of management’s risk tolerance will vary among locations in a decentralized
                   environment.

              Point of focus — Determines relevant business processes

               Management decides which relevant business processes require control activities.

               Transaction controls are the most basic control activities in an entity because they address risk
               responses in the in-place business processes to meet management’s objectives. Transaction
               controls are chosen and developed wherever the business process may be present, ranging from the
               entity’s financial consolidations process to the customer support process at a particular operating
               unit.

               Controls to mitigate these risks are often classified into various transaction-processing systems,
               such as revenue, purchasing, payroll, and so forth.
               A generally accepted way to consolidate these business process risks into a more manageable form
               is to categorize them according to information-processing objectives of completeness, accuracy, and
               validity.
               The following information-processing objective definitions are used in the framework:

               –  Completeness — Transactions that occur are recorded. For instance, an organization can mitigate
                   the risk of not processing all transactions with vendors by selecting actions and transaction
                   controls that support the objective that all invoice transactions are processed within the
                   accounts-payable system (process).

                   An example of transactions that occur but are not recorded is when assets are misappropriated.
                   Many asset-misappropriation schemes occur with no record of the transaction in order to hide
                   the theft. For example, an employee could steal an item of inventory and not record the theft. This
                   type of theft would most likely not be discovered until a physical inventory count is conducted and
                   the count does not reconcile with the books.

               –  Accuracy — Transactions are recorded at the correct amount and in the right account (and on a
                   timely basis) at each stage of processing.

                   For example, a small retail entity might have barcodes attached to all inventory items. These
                   items are scanned when sold, prompting the system to access a file of updated inventory prices
                   and data and thus assure that the correct amount of revenue and cost of goods sold are
                   recorded. The inventory and cash or accounts receivable are also correctly updated for each sale.



            © 2020 Association of International Certified Professional Accountants. All rights reserved.