IT CONTROLS CASE
As accountants, auditors, and other finance professionals with an interest in protecting a business from fraud and error, it’s important to review the general computer and application controls for the software used throughout a company’s business operations. These systems are built by humans and are therefore susceptible to the same failures as manual processes, resulting in the same control needs. An in-house programmer, contracted third party, accounting employee, or any other person affecting the software development process and/or providing input has an opportunity to incorrectly enter or intentionally mishandle information or commit fraud. With opportunity, motive, and rationalization, they are likely to do so if controls surrounding these processes aren’t properly established.
Analysis of GCC and Application Controls of Xidax, LLC
Xidax, LLC, an online gaming computer retailer located at http://www.xidax.com, is at high risk of losing thousands of dollars per transaction if its general computer and application controls are corrupted by any of the aforementioned errors, or by deliberate fraud, within its online marketplace. Walking through a typical transaction yields insight into this process and results in recommendations for improvement that one might suggest to management.
To start a transaction for a Xidax desktop, the ‘desktops’ item is selected from the product menu (Exhibit 1); the ability to customize expensive personal desktop machines is then presented on-screen with the starting price, up to $3,353 (Exhibit 2).
During the customization process of the gaming system, the customer is brought through a series of inventory items that are available for purchase. In this process, numerous controls are executed that impact the validity of the information recorded to the general ledger and sub ledgers from this transaction. The first ledger that is directly impacted by this customization process is inventory. During this transaction process, the customer is brought through a series of steps selecting the parts to build their dream gaming device. The parts information is drawn from a database of inventory files containing the prices, SKUs, descriptions, and quantity – which, when quantity is one or higher, displays to the customer as an available product for the customized build. When no part is available, the customization step shows ‘none’ available (Exhibit 3). It’s likely that this part was sold out and retired due to the reality that the technology of computers is changing on a regular basis. Newer, better computer hardware components are sought out by avid gamers and the company would want to announce any new parts through this customization process. In the case of a pre-released item, the inventory is not yet available, but the customer has the option to purchase if they want their machine built with this part as soon as it arrives in stock (Exhibit 4). The notification of the preordered item on the front-end is to set expectations for customers. This is an example of the quality testing that was done during the SDLC to ensure that the database is accurately reflecting and presenting only items in stock. The assumption by an outsider is also that the receiving and warehouse managers are keeping inventory counts accurate and up to date, since inventory displays, and therefore sales, depend upon that accuracy.
On the other hand, a flaw was discovered during this process within the pricing. When presented with the option of selecting the ‘Reservoir 1 – Strand 1’ color, the option ‘none’ is free and any color is an upgrade of $150. After selecting none and proceeding to the next step to select ‘Reservoir 2 – Strand 2’ the ‘none’ option is free and all colored options state ‘same price’ (Exhibit 5a & 5b).
During this second step, if the customer selects a color after selecting ‘none’ in step one, they receive their second color choice for free. A savvy computer shopper would understand that Xidax was trying to set their pricing to state that if you choose a color option for Strand 1 of the Reservoir at $150, you would get the choice of the second color included in that $150. It is a two-for-one deal: considering you are required to have the two strands, they are just giving you the option of coloring them differently. This is supposed to be available only if you pay for colored strands as a packaged deal. If you made no color selection, then you shouldn’t get the option to pay the same cost as the first strand, ‘free’, unless it is also of no color. This is a broken mathematical control on the pricing for the e-commerce site. This is likely an error on the part of an employee, but it results in the opportunity for fraud by the customer. Therefore, the recommendation here would be to implement controls surrounding the development, programming, production and validation of pricing inputs. Any one of these areas could have resulted in this flaw costing the company $75 for each computer built to these specifications.
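The pricing flaw above, modelled two ways as an added example (this is illustrative code, not Xidax’s own pricing logic). The strand option names and the $150 upgrade come from the paragraphs above; the function names, the ‘same price’ rule as observed, and the corrected ‘package’ rule (charge the $150 upgrade once whenever either strand is colored) are assumptions made for illustration. The last function is the kind of validation control the recommendation calls for: it enumerates every option combination and reports where the live rule disagrees with the intended one.

```python
COLOR_UPGRADE = 150  # price of the colored-strand upgrade shown on the page

def quote_observed(strand1: str, strand2: str) -> int:
    """Observed behaviour: Strand 2 is 'same price' as Strand 1, whatever is picked.
    If Strand 1 is 'none' (free), a colored Strand 2 is therefore free as well."""
    return 0 if strand1 == "none" else COLOR_UPGRADE

def quote_corrected(strand1: str, strand2: str) -> int:
    """Assumed corrected rule: the $150 upgrade is a package covering both strands,
    charged whenever either strand is colored; only none/none is free."""
    colored = [s for s in (strand1, strand2) if s != "none"]
    return COLOR_UPGRADE if colored else 0

def pricing_discrepancies(options):
    """Validation control over pricing inputs: compare the two rules for every
    combination and return (strand1, strand2, observed, corrected) where they differ."""
    findings = []
    for s1 in options:
        for s2 in options:
            observed, corrected = quote_observed(s1, s2), quote_corrected(s1, s2)
            if observed != corrected:
                findings.append((s1, s2, observed, corrected))
    return findings

if __name__ == "__main__":
    # Constructed option list; real color names are not material to the check.
    for finding in pricing_discrepancies(["none", "red", "blue"]):
        print("under-charged combination:", finding)
```

Run as a script, the check lists the two combinations (none/red and none/blue) where the customer is charged $0 for a colored second strand; a release gate that fails on any non-empty finding list would have caught the flaw before production.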
Once the customer has worked their way through all of the customization steps, they are presented with the checkout process. The final build of the gaming system is displayed on screen, naming all parts selected, as well as the final price. For the sake of reflecting the possibility of risk within these controls, if a customer were to build their computer with the most elite products that Xidax offers, the total would amount to $21,497 (Exhibit 6). Considering Microsoft only makes a 21% profit margin, using the same margin the cost of goods could be upwards of $16,982 (79% of the sale amount) for Xidax. This would be a direct hit to cash flows for Xidax, one that they wouldn’t be able to recover in the event of customer fraud (Goldsborough, 2015). A reasonableness check here would be wise, considering most people cannot afford such a machine. The control recommendation would be to have any computer over a certain dollar amount, such as $2000, require that a specialist speak or chat with the customer to assist with the customization of their computer.
So far, the checkout process hasn’t caused impairment of company funds, although the risk remains. The final inputs of the checkout process serve as key controls in protecting the validity of the transaction. For audit purposes, the production team should test for quality assurance among the inputs. Controls should check for reasonableness, mathematical accuracy, formatting requirements, and digit validity. An example of a test would be input of an incorrect street address. If this is found to have proper controls, upon submission, an error will notify the customer that they must correct their information to proceed (Exhibit 7). If the control is broken, then the test will show that the information submitted incorrectly still proceeds with the transaction as if it were true input. For Xidax, the broken controls found through a test of inputs included a false numerical last name (a format check) and a non-existent phone number (a digit check) (Exhibit 8).
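The four input controls named above, plus the reasonableness threshold recommended in the previous paragraph, as an added example of what a server-side checkout validator would look like (this is illustrative code, not Xidax’s own checkout). The order records, the $2,000 threshold, and the check names are taken from the text; the field names, the North American phone-number rules used for the digit check, and the sample orders are constructed assumptions.

```python
import re

REASONABLENESS_THRESHOLD = 2000  # dollar amount above which a specialist must review

def format_check_name(name: str) -> bool:
    """Format check: a surname is letters, with optional spaces, apostrophes or hyphens.
    A purely numerical last name such as '12345' fails."""
    return re.fullmatch(r"[A-Za-z][A-Za-z' -]*", name.strip()) is not None

def digit_check_phone(phone: str) -> bool:
    """Digit check: a North American number is 10 digits (optional leading 1) whose
    area code and exchange cannot start with 0 or 1, and whose area code is not an N11 code.
    '000-000-0000' therefore fails even though it is all digits."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return False
    area, exchange = digits[:3], digits[3:6]
    if area[0] in "01" or exchange[0] in "01":
        return False
    if area[1:] == "11":
        return False
    return True

def math_check_total(lines, total: int) -> bool:
    """Math check: the displayed total must equal the sum of quantity x unit price."""
    return sum(qty * price for qty, price in lines) == total

def reasonableness_check(total: int, threshold: int = REASONABLENESS_THRESHOLD) -> bool:
    """Reasonableness check: passes when the build is under the review threshold."""
    return total <= threshold

def validate_checkout(order: dict) -> dict:
    """Run every control and return control name -> pass/fail, so the caller can
    reject the submission (or route it to a specialist) rather than silently proceed."""
    return {
        "format_check": format_check_name(order["last_name"]),
        "digit_check": digit_check_phone(order["phone"]),
        "math_check": math_check_total(order["lines"], order["total"]),
        "reasonableness_check": reasonableness_check(order["total"]),
    }

def failed_controls(order: dict) -> list:
    return [name for name, ok in validate_checkout(order).items() if not ok]

# Constructed sample orders: one mirrors the Exhibit 8 test inputs, one is clean.
BAD_ORDER = {"last_name": "12345", "phone": "000-000-0000",
             "lines": [(1, 21497)], "total": 21497}
GOOD_ORDER = {"last_name": "Smith", "phone": "801-555-0143",
              "lines": [(1, 1899)], "total": 1899}

if __name__ == "__main__":
    print("bad order fails:", failed_controls(BAD_ORDER))
    print("good order fails:", failed_controls(GOOD_ORDER))
```

Because the checks run on the server, a customer who bypasses the browser-side form cannot avoid them, which is the difference between a control that exists and one that is merely displayed.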
If the customer isn’t able to resolve their inputs or runs into other unavoidable flaws during the checkout process, the help desk for Xidax can be found within the website. Every page has a popup to chat with a help desk or sales representative (Exhibit 9). In addition, a dedicated ‘Contact Us’ page is available for questions or concerns. The recommendations found through various customer inquiries and comments are important during the review and update process to further improve the controls for the company’s e-commerce platform.
After all inputs are resolved and the checkout is finalized, the e-commerce platform sends all pertinent information back into the company’s accounting software, which would record the data as a series of files and journal entries in the accounting database. The dollar value of the parts would move out of the inventory subledger and into a cost of goods sold ledger, along with changes to inventory and sales. Meanwhile, the customer’s order would be recorded in a special journal while the order is finalized. In the case of the pre-released merchandise, revenue isn’t recorded and inventory isn’t transferred into cost of goods sold until the part has (1) been received and (2) been shipped to the customer. Until both of these events take place, the sale is unearned revenue, and therefore a liability.
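The posting logic just described, as an added example (illustrative code, not the company’s accounting software): a regular order posts cash, sales, cost of goods sold and inventory at once, while a pre-order posts only cash and a liability until the part is both received and shipped. The account names and the two-event recognition rule come from the paragraph above; the `Order` record, the function names, and the sample amounts are constructed assumptions. The balance check at the end is the control an auditor would expect on any automated journal feed: every generated entry must have debits equal to credits before it reaches the GL.

```python
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    sale_price: int          # dollars charged to the customer
    cost: int                # inventory cost of the parts in the build
    preorder: bool           # built around a pre-released part
    received: bool = False   # pre-released part has arrived in stock
    shipped: bool = False    # finished machine has shipped to the customer

def post_order(order: Order) -> list:
    """Journal lines (account, debit, credit) for the order's current state."""
    earned = not order.preorder or (order.received and order.shipped)
    lines = []
    if not earned:
        # Cash collected but nothing earned yet: a liability, not revenue.
        lines.append(("Cash", order.sale_price, 0))
        lines.append(("Unearned Revenue", 0, order.sale_price))
        return lines
    if order.preorder:
        # Fulfilled pre-order: clear the liability booked when the order was taken.
        lines.append(("Unearned Revenue", order.sale_price, 0))
    else:
        lines.append(("Cash", order.sale_price, 0))
    lines.append(("Sales", 0, order.sale_price))
    lines.append(("Cost of Goods Sold", order.cost, 0))
    lines.append(("Inventory", 0, order.cost))
    return lines

def is_balanced(lines: list) -> bool:
    """Posting control: total debits must equal total credits."""
    return sum(d for _, d, _ in lines) == sum(c for _, _, c in lines)

def account_totals(lines: list) -> dict:
    """Net effect per account (debit positive, credit negative)."""
    totals = {}
    for account, debit, credit in lines:
        totals[account] = totals.get(account, 0) + debit - credit
    return totals

# Constructed sample orders.
REGULAR = Order("C-1001", sale_price=21497, cost=16982, preorder=False)
PREORDER_OPEN = Order("C-1002", sale_price=3353, cost=2600, preorder=True)
PREORDER_DONE = Order("C-1002", sale_price=3353, cost=2600, preorder=True,
                      received=True, shipped=True)

if __name__ == "__main__":
    for order in (REGULAR, PREORDER_OPEN, PREORDER_DONE):
        lines = post_order(order)
        print(order.order_id, "balanced" if is_balanced(lines) else "UNBALANCED", account_totals(lines))
```

The fulfilment entry for a pre-order touches no cash account at all, which is the visible sign that the cash was already recognized as a liability at order time and is now being converted to revenue rather than collected twice.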
Beyond the transactional controls discussed in the previous sections, the company will want to establish controls within network operations, both internal and external, including environmental threats that could place burden or risk on property, resources, and financial records. Security professionals for the company will want to make sure that they are executing and monitoring the systems for any possible attempt to break into the systems. Such attempts may present themselves in the form of malware, spyware, and hacking. Each of these threats could potentially corrupt the databases, steal data, or give offsite access to confidential company information. It’s important for system professionals at Xidax to attempt to hack into their own sites to audit their risk for such issues. They should then implement controls, such as encryption, secure passwords and networks, and other preventative measures. In the event the systems are destroyed or taken down as a result of break-ins or environmental issues, such as fire, a backup and restoration plan should also be in place for the company.
Ultimately, every part of the website, other than potentially UX Design, should be considered a realm where fraud or error could exist. Both IT professionals and accountants will want to evaluate, review, update, and monitor these systems regularly for improvements to the controls preventing risk to the company’s financial accuracy and profitability.
Exhibit 1: Landing Page and Menu Selection
Exhibit 2: Product Selection and Starting Price
Exhibit 3: Customization Process, Inventory and Display of No Available Inventory
Exhibit 4: Customization Process, Inventory, and Pre-Released Items
Exhibit 5: Pricing Issues
Exhibit 6: Total Transaction of a Single System
Exhibit 7: Error for Failed Information
Exhibit 8: Invalid Information Accepted
Exhibit 9: Help Desk
Goldsborough, R. (2015, November 15). Profit Margins of the Makers of PCs and Handheld Devices. Retrieved June 29, 2017, from http://www.infotoday.com/LinkUp/Profit-Margins-of-the-Makers-of-PCs-and-Handheld-Devices-107588.shtml