Assess process controls and information-system deficiencies that affect reliable financial reporting.
Information systems and process controls determine whether financial reporting data can be trusted. A correct accounting policy is not enough if the system omits transactions, allows unauthorized changes, produces unreliable reports, or depends on uncontrolled spreadsheets.
In Core 1, control analysis should be practical. Identify the process weakness, explain the financial reporting risk, and recommend a control or follow-up procedure that addresses that risk.
| Control area | Reporting risk | Better control response |
|---|---|---|
| System access | Unauthorized users can create, change, or approve transactions. | Role-based access, periodic user review, removal of terminated users. |
| Data entry | Transactions can be entered with wrong account, amount, date, or customer. | Input validation, approval, exception reports, review of changes. |
| Authorization | Purchases, sales, payroll, or journal entries may be recorded without approval. | Approval thresholds, documented review, system workflow. |
| Reconciliations | Subledgers and general ledger may contain unexplained differences. | Timely reconciliation, investigation, reviewer sign-off. |
| Change management | System reports or formulas may change without testing. | Change approval, testing evidence, version control. |
| Spreadsheet use | Formula errors, overwritten cells, or unprotected files may distort reporting. | Locked formulas, review, version history, independent recalculation. |
| Monitoring | Deficiencies may persist because no one reviews exceptions. | Exception reporting, management review, escalation of unresolved items. |

The control recommendation should be tied to the financial reporting assertion or balance affected.

A design problem means the control, even if performed, would not address the risk. An operating problem means the control could work but was not performed consistently or properly.

| Problem type | Example | Response |
|---|---|---|
| Design deficiency | The same employee creates vendors, approves invoices, and releases payments. | Redesign duties or add independent approval and review. |
| Operating deficiency | Bank reconciliations are designed but have not been prepared for four months. | Bring reconciliations current and monitor timely completion. |
| Documentation deficiency | Manager says reviews occur but there is no evidence. | Require sign-off, date, review notes, or system approval trail. |
| Monitoring deficiency | Exception reports are generated but no one investigates them. | Assign ownership and require documented resolution. |
| IT deficiency | Users retain access after role changes. | Perform access reviews and remove inappropriate permissions. |

Distinguishing the problem type helps avoid vague recommendations such as “improve controls.”
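
The access review recommended for the IT deficiency, and the segregation problem in the design-deficiency row, can both be tested against a user-permission export. The sketch below is an added example, not part of the original guide; the permission names, role baseline and users are constructed, and treating any two of the three vendor-to-payment permissions as a conflict is an assumption.

```python
# Added example: periodic access review over a constructed export.
# Permission names, roles and users are hypothetical.

# Assumption: holding any two of these is a segregation-of-duties conflict.
SOD_CONFLICT = {"create_vendor", "approve_invoice", "release_payment"}

# Permissions each role is expected to hold (assumed role baseline).
ROLE_BASELINE = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_invoice"},
    "treasury": {"release_payment"},
    "sales": {"enter_order"},
}

# Constructed sample: (user, current role, employment status, permissions)
USERS = [
    ("asmith", "ap_clerk", "active", {"create_vendor", "enter_invoice"}),
    ("bjones", "ap_manager", "active",
     {"create_vendor", "approve_invoice", "release_payment"}),
    ("clee", "sales", "active", {"enter_order", "enter_invoice"}),  # moved from AP
    ("dpatel", "treasury", "terminated", {"release_payment"}),
]

def review_access(users, baseline=ROLE_BASELINE, conflict=SOD_CONFLICT):
    """Return a sorted list of (user, finding, detail) exceptions."""
    findings = []
    for user, role, status, perms in users:
        # Terminated users should hold no permissions at all.
        if status != "active" and perms:
            findings.append((user, "terminated_with_access", sorted(perms)))
            continue
        # Design deficiency: one person spans the vendor-to-payment chain.
        held = perms & conflict
        if len(held) >= 2:
            findings.append((user, "sod_conflict", sorted(held)))
        # Access retained after a role change, or an unknown role.
        excess = perms - baseline.get(role, set())
        if excess:
            findings.append((user, "excess_for_role", sorted(excess)))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding, detail in review_access(USERS):
        print(f"{user:8} {finding:24} {', '.join(detail)}")
```

Each finding is an exception that needs an owner and a documented resolution; generating the list without follow-up is the monitoring deficiency in the table above.
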
Controls can prevent errors before they occur or detect them after the fact.
| Control type | Example | Use |
|---|---|---|
| Preventive | System blocks invoice payment without approved purchase order. | Reduces unauthorized or invalid transactions. |
| Detective | Monthly reconciliation compares accounts payable subledger to general ledger. | Finds errors after processing. |
| Corrective | Unmatched receiving reports are investigated and adjusted. | Fixes identified errors and process gaps. |
| Compensating | Owner reviews bank activity daily in a small business with limited segregation. | Mitigates risk when ideal segregation is not practical. |

Small organizations may not have perfect segregation of duties. In those cases, recommend realistic compensating controls rather than textbook controls that cannot be implemented.

Information systems affect reporting through both application controls and broader IT controls.
Common risks include:
If the case includes IT facts, explain how the system risk affects completeness, accuracy, cut-off, valuation, or disclosure.
Control deficiencies matter because they affect financial reporting reliability.
| Deficiency | Possible statement effect |
|---|---|
| No receiving match before invoice entry. | Inventory and payables may be incomplete or misstated. |
| Sales staff can change prices after invoicing. | Revenue and receivables may be inaccurate. |
| Manual journal entries are not reviewed. | Management override or classification errors may occur. |
| Payroll changes lack approval. | Wage expense and liabilities may be misstated. |
| Inventory count sheets are not controlled. | Inventory existence and completeness may be unreliable. |
| Bank reconciliations are late. | Cash, debt, and cut-off errors may remain undetected. |

The answer should say what could go wrong in the statements, not only what is weak in the process.

Use this order for systems-and-controls questions:
This structure turns a control weakness into a reporting recommendation.
| Pitfall | Better approach |
|---|---|
| Saying “segregate duties” for every issue. | Recommend the specific approval, access, reconciliation, or review that addresses the risk. |
| Ignoring small-entity constraints. | Use compensating controls when full segregation is unrealistic. |
| Confusing design and operating problems. | State whether the control is inadequate or merely not performed. |
| Treating IT as separate from reporting. | Explain how access, reports, or changes affect financial statement data. |
| Omitting statement impact. | Link the deficiency to completeness, accuracy, valuation, cut-off, or disclosure. |