Running head: Internal Control and Risk Evaluation

Internal Control and Risk Evaluation
The purpose of this brief is to identify and analyze possible risks, internal control points, design internal controls, evaluate the application of internal controls and discuss other outside controls, that Kudler Fine Foods may need to upgrade the computer systems.
Analysis of Risks of Computer Systems
After reviewing the previous flowcharts it is recommended that Kudler Fine Foods automate more of its accounts payable, accounts receivable, inventory, and payroll processes and standardize these processes across all Kudler locations. Therefore, increased computer controls will be needed to ensure the security of data. Computer data could be compromised if proper computer controls are not in place. Risks include theft of confidential and sensitive information stored on computer servers such as company bank account information or personnel records of Kudler clientele and staff. If proper internal controls are not implemented breaches of sensitive data stored in folders that are accessible through the Internet will be exposed through file sharing software with the other Kudler locations.
Identify risks and internal control points
Identifying risks and internal controls are imperative when information systems are used extensively throughout the fundamental business processes. Information systems general controls are the policies and procedures that apply to all of an entity's information systems. General controls help ensure the proper operation of information systems by creating the environment for proper operation of internal control points. Internal control points include security management, logical and physical access, configuration management, segregation of duties, and contingency planning. These business process controls are those controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Internal control points include controls over input, processing, output, master data, application interfaces, and data management system interfaces
Design of Internal Controls
For accounts payable, an entity’s accounting and internal control system over purchases, payables and cash disbursements will affect the nature, extent and timing of tests of balances procedures. Smaller entities may be expected to have a good accounting system and informal policies, procedures and, at the least, key internal controls. Most of these key controls for smaller entities will be performed at the entity-level of management-level persons.
In the inventory department barcode scanners will be used to track receipt of purchase inventory items. The barcode scanners will be preprogrammed with the full list of inventory items, codes, and pricing. In addition, the barcode scanners will be equipped with the ability to transmit data electronically to the purchasing, inventory, general ledger, and payment modules. Information controls should be minimal since the barcode scanner simply records and transmit basic data. To mitigate risk only management will be responsible for scanning received inventory and transmitted data via barcode scanner.
Employees will be able to clock in and out using the cash register terminals via magnetic stripe ID cards. Possible risks include unauthorized access to employee records at cash register terminals. The internal control needed would be a two-step login process where the employee swipes his/her magnetic ID card and then types in a unique Personal Identification Number (PIN). To mitigate this risk, a POS terminal will automatically “lock” itself after five minutes of inactivity. In the account receivable department the transaction process can be divided into five broad functional areas, each of which should, if possible, be staffed by employees who are independent of the other functional areas. They are sales transaction which is the sale of merchandise by a clerk, followed by authorization by the credit department or other approval as is required by the KFF's policies. Thirdly, there is accounting recordation which is processing the sales transaction in the system. Asset custody is receiving of cash or checks for inventory. The last function of the accounts receivable process is verification or reconciliation. If all locations do not have sufficient personnel to permit five different employees to perform each of these functional areas, they should try to achieve the maximum employee independence within the functional areas, and depend more on the reconciliation function.
Application of Internal Controls to Upgraded Systems
When an inventory order is delivered, a manager or store supervisor will scan goods received with the barcode scanner. Use of the barcode scanner will significantly reduce or eliminate data entry errors and improve efficiency.
Store employees will clock in and out using POS terminals, which will eliminate the need for time clocks and punch cards. Each employee will be assigned a magnetic ID badge and will create a unique six-digit PIN code to log on to the POS terminal. The ID badge provides secure access to the POS terminal, while the PIN code adds an extra layer of security for confidential employee information.
Evaluate the application of internal controls
Internal control should be used to support the organization in accomplishing its objectives by managing its risks, while complying with rules, regulations, and organizational policies. Kudler Fine Food needs to thoroughly evaluate the AIS selected for risks as it includes confidential customer, vendor, payroll and corporate information within the master databases. The types of risks associated with Kudler’s new AIS system are system setup, data transfer and implementation issues, the AIS is exceeding server capacity, other technology issues, and internal security breaches such as fraud, loss, or misuse of data. Kudler should determine the various roles and responsibilities with respect to internal control, including the governing body, management at all levels, employees, and internal and external assurance providers, as well as coordinate the collaboration among participants. Kudler management will foster an organizational culture that motivates members of the organization to act in line with a risk management strategy and policies on internal control set by the governing body to achieve the organization’s objectives. Along with segration of duties each person within the organization should be held accountable for the achievement of assigned internal control objectives.
Additional Controls Recommended
Kudler should place its data processing server in a secure location either in or close to corporate headquarters. The server needs to be in a room with one or two entrances or exits, and access should be limited to authorized employees only. Daily backup needs to be implemented, so if there were to be a problem KFF can restore all the information up till the last day the system was backed up. This should be done by an authorized person and backup information logged on a daily basis.
Conculsion
It is the responsibility of Kudler Fine Foods’ management to understand, monitor, and control risks. This document has shed some light on potential risks the company could face, but being prepared for all risks is impossible. Evaluating and implementing a system of internal controls allows the company to have peace of mind that the organization is able to deal effectively with managing its data, resources, and operations from certain risks. Internal controls also support reliable reporting and compliance with laws and regulations, which are necessary for best practices in business. References
Apollo Group, Inc. (2013). Kudler Fine Foods: Intranet. Retrieved from ACC/542 –
Accounting Information Systems course website.
Disaster Recovery Journal. (2011). Generally Accepted Practices: Risk Evaluation and Control.
Retrieved from http://www.drj.com/GAP/gap
Goldenberg, N. (2011). Are Your ERP Systems Vulnerable? Retrieved from http://www.eisneramper.com/ERP-Systems-Vulnerability-211.aspx
Hunton, J. A., Bryant, S. M., & Bagranoff, N. A. (2004). Core Concepts of Information
Technology Auditing. New York: Wiley & Sons.
Pomerantz, G. and Rao, N. (August, 2009). 2009 Segregation of Duties Checklist. Retrieved from http://www.bdoconsulting.com/resources/thought-leaders/SegDutiesChecklist-
19.pdf