Choons Guide to Control

Matrices
For AFW2851 use only

by Tan Choon Ling

23/5/2011

Disclaimer
This guide is NOT designed to replace the lecture
notes, they are meant to make reading the lecture
notes EASIER
The examples in this guide are from the lecture notes
because with a different way of explaining things,
hopefully you can understand the lecture notes better
Finally, I CAN be wrong, so let me know if you see
something you feel is not right so I can help make this
guide better. (This is especially true in regards to the
background knowledge needed to understand Control
Matrices)

Some background knowledge

You need to know these things first before
moving on to Control Matrices:
Business Processes
System Flowcharts
Control Goals and Control Plans

Business Processes
As you all know, a business consists of many smaller
processes, each having its own purposes/goals.

Hostile Takeover Process

Cash Receipts Process

Lenox Bookstore

Literature Procurement Process

Event Management Process

Business Processes
For example, the goals of the Cash Receipts process are:
Make daily cheque deposits into the bank
Comply with compensating balance agreements
with the depository bank
And the goal of the Literature Procurement process is:

To ensure stocks of books/magazines are

maintained

System Flowcharts
Generally, for each business process, there should be one system flowchart

System Flowcharts
System flowcharts are supposed to show you two things
Information processes (activities, logic flows, inputs, outputs and data
storage)
Operations processes (entities, physical flows, and operations
activities)
NOTE: even though they have the word process, a business process is NOT
the same as an information/operations process.
In fact, a business process CONTAINS the two processes mentioned, along
with a 3rd process, the management process, but that is normally not shown
in a system flowchart.
By showing you the who/what/where/when of these two processes
mentioned above, system flowcharts should tell you exactly how the goals of
each business process is achieved

The Control Matrix

Now, we arrive at the Control Matrix.
Control Matrices are meant to show us:
the control goals of a business process
the existing control plans that help achieve the control goals
Control Goals of the Lenox Cash Receipts Business Process

Control goals of the operations process

Ensure
effectiveness of
operations

Ensure
efficient
employment
of resources
(e.g., people
and
computers)

Ensure
security of
resources (e.g.,
checks and AR
master data)

Control goals of the information process

For the remittance advice
inputs, ensure:

IV

IC

IA

For the AR master

data, ensure:

UC

UA

What are control goals?

Recap: Each business process has one or more purposes/goals. And the
system flowchart for each business process also tells us how the
operations and information processes work.
Theres a reason why the operations and information processes exist
within a business process (again, we do not bother with management
processes at this point). And these reasons are the control goals!

The operations process is meant to make sure that:

the purposes/goals for the business process is effective
the things that are used in this business process is used efficiently
the things in this business process is safe
The information process is meant to make sure that all information:
has valid input
has complete input
has accurate input
is updated completely
is updated accurately

Back to the Control Matrix...

Control Goals of the Lenox Cash Receipts Business Process

For each
purpose/goal of
the business
process, write a
letter in its own
column, and
describe it at the
bottom. The
number of goals
are man-made,
so there is now
way to definitely
saw how many
and what these
goals are.

Control goals of the operations process

Ensure
effectiveness of
operations

(1)
A

Ensure
efficient
employment
of resources
(e.g., people
and
computers)

Control goals of the information process

Ensure
security of
resources (e.g.,
checks and AR
master data)

For the remittance advice

inputs, ensure:

(2)

IV

(1)

For the AR master

data, ensure:

(3)

(1)

IC

(1)

Effectiveness goals include:

A Timely deposit of checks
B Comply with compensating balance agreements with the depository bank

(2)

IA

UC

(1)

(1)

UA

(1)

IV = Input validity
IC = Input completeness
IA = Input accuracy
UC = Update completeness
UA = Update accuracy

(1) These will ALWAYS stay the same in EVERY control matrix, no matter what business process the control
matrix represents
(2) You will have to know the inputs for the business process, so its not always remittance advice or AR master
data
(3) You wont know what resources need to be secure, most likely its also the inputs of the business process,
but there might be others as well

What are control plans?

Control plans are simply information processing policies and procedures
that help to accomplish the control goals for any business process.
(I know this is exactly the same as in the lecture notes, but the only way to
give a simpler explanation is that one control plan accomplishes one or
more control goals. But if you write this in the exam, you most likely wont
get full marks, since this only explains what a control plan DOES, not what
it IS.)

How do I determine them?

As far as I know, you cant. The textbook does explain how in a later
chapter, but I dont think its covered in our own lectures, check with
Eugene to make sure (then again, youre not expect to create your own
control matrix, merely to understand what it is and how to read it).

Different Types of Control Plans

(read this slide from bottom -> up!)

The Control Environment doesnt achieve control goals

directly, but has factors that influence the effectiveness of
Pervasive/Business Process Control Plans (either for better
or worse). The Control Environment reflects the
organizations (primarily the board of directors and
managements) general awareness of and commitment to
the importance of control throughout the organization.

One control plan can also be in many (possibly even all)

business processes. These are called Pervasive Control
Plans.

One control plan can be in one business process. This kind

of control plans are known as Business Process Control
Plans (some textbooks call it Application Control Plans,
instead)

For Example...
(read this slide from bottom -> up!)

If a reward system is imposed (by upper management)

that pressures employees to meet unrealistic performance
goals, then employees might be tempted to ignore
controls that are in place (or bend the rules) to achieve
them. Note that the reward system isnt a control plan,
but it does affect the effectiveness of all control plans in
the company (in this case, for worse!).

One control plan can be prevent unauthorized access to

all computer systems. Since many business processes
require access to the computer system, this control plan is
a Pervasive Control Plan.

One control plan can be immediately endorse incoming

checks. Since checks are only involved in the Cash Receipt
process, this control plan is a Business Process Control
Plan.

Control plans and System Flowcharts

Once youre done figuring out the control plans for a particular business
process (by hook or by crook), take a look at the System Flowchart for that
business process.
Trace the flow of the System Flowchart, and find out if there are any keying
operation, manual operation or computer processing symbols that does
any of the control plans.

Keying operation

Manual operation

Computer processing

If there are, that means the control plan is already present in the business
process, so we label that trapezium/rectangle as P-1, P-2, P-3, etc. etc.

Control plans and System Flowcharts

It is also possible for some control plans that are not handled by any
symbol in the flowchart.
If that is the case, then we must try to figure out where is the best place
for that control plan to be implemented some time in the future (again,
how this is done, I have no idea). These are control plans that are missing
from the business process, so we label these specific areas as M-1, M-2,
M-3, etc. etc.

For Example...
M AILROOM

ACCOUNTS RECEIVABLE

CASHIER

COM PUTER
P-2

Customer

M -1

Verify, log event on

cash receipts event
data, update AR,
notify clerk

RAs
Checks

P-1
M -2

RAs

Key customer
number,invoice
number,amount and
check number

Cash
receipts
event data

Endorsed
Checks
Print deposit
slip
Filed until
deposit slip
is received

Temp
file

Endorse
checks
"Accepted
and
processed"
Endorsed
Checks

Accounts
receivable
master data

At end
of day
Endorsed
Checks

Error routine
not shown

Endorsed
Checks
1
Deposit
slip

Compare

RA = Remittance advice

Deposit
slip
Deposit
slip

2
1

Bank

In this case, 4 control plans have been created for this business
process, but only 2 of the these plans are actually carried out (P-1,
P-2) while the other 2 have been decided to be at M-1 and M-2.

Back to the Control Matrix...

Control Goals of the Lenox Cash Receipts Business Process
Control goals of the operations process (a)

This (c) is only

here to show
the order of
filling out the
Control
Matrix. Note
that (a) and
(b) also
shouldnt be
in the matrix
either.

Preferably, the
missing
controls should
achieve the
goals that the
present
controls didnt.

Ensure
effectiven
ess of
operation
s

Recommended
control
plans (b)
A

Ensure efficient
employm
ent of
resource
s (eg.
people
and
computer
s)

Ensure security
of
resource
s (eg.
Checks
and AR
data)

Control goals of the information process (a)

For the remittance advice
inputs, ensure:

IV

IC

For the AR master

data,
ensure:

IA

UC

UA

Present Controls
P-1: Immediately
endorse
incoming
checks
P-2: Compare
input
(remittan
ce
advices
[RAs])
with
master
data (AR
master
data)

P-1 (c)

P-2

P-2

P-2

P-2

Missing Controls
M-1 Immediately
separate
checks
and RAs
M-2 Compare
checks
and RAs

Both the present and missing controls are written down on the left side of
the table. After that, find out which control goals are achieved by which
control plans, and write their name in the correct cell.

Finally...
Control matrices are meant to show us the current strengths (present
controls) and weaknesses (missing controls) of any particular business
process. Generally, when investigating a business process for the first time,
it wont be perfect and will have some control goals that wont be
achieved until the missing controls are perfected.

So the steps are...

Figure out control
plans

Look at System Flowchart to see

which are present and missing

Draw out and fill in

the Control Matrix

REMINDER: Again, you arent expected to create a Control Matrix.

Understanding how it is made, what it does and how to read it is enough
torture for now.