Page 263 - COSO Guidance Book
The framework gives a personnel time-reporting system as an example of an internal source of data,
and employees’ hours charged on projects as an example of internal data.
A regulatory body is given as an example of an external source of data. The related example of
external data would be new requirements or standards.
Point of focus — Processes relevant data into information
Information systems process and transform relevant data into information.
The framework notes that entities develop information systems to obtain, capture, and process data
from internal and external sources into information to meet well-defined information requirements.
Information systems include people, processes, data, and technology that support business
processes managed internally as well as those business processes supported through relationships
with outsourced service providers (such as cloud computing providers) and other third parties (such
as customers or suppliers) who interact with the entity.
Information may be acquired in a number of ways (manually, automated, or a combination of manual
and automated methods). For example, some general ledger systems require the user to manually
enter journal entries to the general ledger that are obtained from various accounting subsystems.
Information can also be obtained through the use of information technology, such as in the case of a
faith-based entity that receives a daily report of donations made at its website that is managed by a
third party (automated acquisition of information). This daily report can be used to prepare a journal
entry to the general ledger and also is a source of information to reconcile the bank account.
In some instances, captured information and underlying data require a series of both manual and
automated processes to provide assurance the information and data are at the relevant level and the
necessary level of specificity. For example, when an owner-manager of an entity decides to extend
credit, manual processes, such as a credit check, need to be performed before
establishing a credit limit. The automated process control is that the system will compare the
customer’s credit limit with the sum of the current charges and account balance before additional
credit sales are permitted or denied.
In other cases, information may be obtained directly from an internal or external source. For example,
a community bank might compare the current interest rate it pays on deposits (internal source) with
rates paid by similar financial institutions that are published weekly in a local newspaper (external
source). The community bank might adjust its deposit rate based on a comparison of its deposit
rates with its competitors’ rates.
Another aspect of information is that management designs and implements control processes
concerning the integrity of data input into information systems and over the completeness and
accuracy of processing such data into information used by other controls. For example, the entity
might maintain a batch control total of the number of hours worked for a particular time period that is
submitted for payroll processing. This total would be reconciled with the payroll system’s output of
total hours that were paid. Management might also perform an overall analytical review procedure to
provide assurance that the total payroll amount was reasonable.
The framework states that the nature and extent of information requirements, the complexity and
volume of information, and the dependence on external parties (such as cloud service providers)
affect the range of information systems complexity, including the extent of technology that is
implemented.
© 2020 Association of International Certified Professional Accountants. All rights reserved.