Introduction to Accounting Information System Semester of Notes
This 74 page Bundle was uploaded by Shogo Okuda on Tuesday October 28, 2014. The Bundle belongs to ACCTG 320 at University of Washington taught by Staff in Spring 2011. Since its upload, it has received 239 views. For similar materials see Introduction to Accounting Information System in Accounting at University of Washington.
Date Created: 10/28/14
ACCTG32O Notes 41 AIS Ch3 Systems Documentation Techniques Documentation encompasses the narratives flowcharts diagrams and other written materials that explain how a system works who what when where why and how of data entry processing storage information output and system controls diagrams flowcharts tables and other graphical representations of information Narrative description supplement documentation written step by step explanation of system components and interactions 1 Data flow diagram DFD a graphical description of data sources flows processes storage and destinations 2 Document flowchart a graphical description of the flow of documents and information between departments or areas of responsibility 3 System flowchart graphical description of the relationship among the input processing and output in an information system 4 Program flowchart graphical description of the sequence of logical operations a computer performs as it executes a program Data source data destination entites that send or receive data that the system uses or produces An entity can be both a source and a destination Squares Data flow movement of data among processes stores sources and destinations Transformation processes processes that transform data from inputs to outputs are represented by circles Often referred to as bubbles Data store repository of data Represented by two horizontal lines Subdividing the DFD Context diagram highest level DFD bc it provides the reader w a summary level view of a system Flowchart an analytical technique used to describe some aspect of an information system in a clear concise and logical manner Uses standard set of symbols to describe pictorially the transaction processing procedures a company uses and the flow of data through a system 1 Inputoutput symbols represent devices or media that provide input to or record output from processing operations 2 Processing symbols show what types of devices are used to process data or indicate when processing is 
performed manually 3 Storage symbols represent the devices used to store data 4 Flow and miscellaneous symbols indicate the flow of data where flowcharts begin or end where decisions are made and when to add explanatory notes to flowcharts Document flowchart illustrates the flow of documents and information among areas of responsibility within an organization Internal control flowcharts document flowcharts that describe and evaluate internal controls Can reveal system weaknesses or inefficiencies such as inadequate communication flows unnecessary complexity in document flows or procedures responsible for causing wasteful delays System flowcharts depict the relationships among system input processing and output Program flowchart illustrates the sequence of logical operations performed by a computer in executing a program ACCTG32O Notes 48 Ch4 Purchases and Cash Disbursement Cycle Starts with the preparation of a written or oral purchase requisition for goods or services and ends with the disbursement of cash to pay for the purchase and the recording of the disbursement Large number of account balances affected in the purchases and cash disbursement cycle Subcycles actions common transactions and typical accounts affected Purchases cash purchasescredit purchases Inventory Cash AP Fixed Assets Repair and Maintenance Cash disbursements payments on AP payments on notes Cash AP Purchases discounts Notes Payable Purchases returns and allowances Purchase returns purchases allowances AP Purchases returns and allowances Provision for depreciation and adjustment for prepaids and accruals Depreciation Income tax provision Interest expense provision Depreciation expense Income tax expense Income taxes payable Interest payable Accountant s objectives U1I L Jgt t All existing transactions for each subcycle are recorded All transactions are recorded and summarized at the correct amounts All transactions are correctly classi ed as de ned by the chart of accounts All transactions 
are included in the proper period All material disclosures affecting the accounts are included in the nancial statements and related footnotes Purchases Actions and Related Documents Requisition goods or services Purchase requisition Process purchase order Purchase order Receive goods or services receiving report Receive invoice from vendor vendor s invoice Record in purchases journal and subsidiary ledger Purchases journal AP subsidiary ledger Fixed asset subsidiary ledger Summarize purchases journal and post to general ledger general ledger Cash Disbursements Actions and Related Documents 1 2 Payments on AP or pmts on other liabilities notes or mtge Purchases for cash Process cash disbursement check Record in cash disbursement journal and subsidiary ledger cash disbursement journal AP subsidiary ledger Summarize cash disbursement journal and post to general ledger general ledger Purchases returns and allowances actions and related documents Process return or allowance request return or allowance request Ship goods returns only shipping document Receive debit from vendor debit memo Record in purchases returns and allowances journal and subsidiary ledger purchases returns and allowances journalAP subsidiary ledger 0 Summarize purchase returns and allowances journal and post to general ledger general ledger Prepaids Accruals and Depreciation Actions and Related Documents 0 Determine accrual for unpaid interest accrued interest memo 0 Record in general journal general journal subsidiary ledger 0 Post to general ledger general ledger AP trial balance Fixed Assets Trial Balance Internal Controls 0 Adequate documents and records 0 Authorization of transactions gt Authorization to order goodsservices including quantity gt Authorization of price gt Authorization to receive the goods or services gt Authorization to disburse cash 0 Separation of the custody of assets from acctg 0 Independent checks on performance ltgt Acct for all receiving reports ltgt Check prices 
actually paid for goods against those available from local stores catalogs and price lists ltgt Check the mathematical accuracy of journals and records ltgt Reconcile all control accounts to the related subsidiary ledgers ltgt Prepare a monthly bank reconciliation Bank Reconciliation Common causes Deposits recorded in the books in one period but not deposited until the next period Checks are recorded and mailed in one period but not clearing the bank until the next period Bank service charges not recorded in the books until the following the bank s deduction of them from the bank balance ACCTG32O Notes 329 Systems Understanding Guide Ch1 Recording transactions requires Identify the exchanges or adjustments that must be recorded Determine which account balances are affected by the exchanges or adjustments Assign proper values to the transactions for each account Record the transactions in the proper time period Record the transactions in the accounting records and summarize them into the nancial statements U1I bJgt t Transactions occur prepare documents H record in journals 3r post to ledgers B prepare unadjusted general ledger trial balance prepare and post adjusting entries prepare adjusted trial balance P p prepare nancial statements m prepare closing entries Transactions occur 3 most common transaction cycles 1 Sales and cash receipts 2 Purchases and cash disbursements 3 Payroll Documents Internally vs externally prepared When they are prepared relative to When the transactions Document prepared b4 transaction 1 Issue order to buy goods or services ex purchase order 2 Receive order for a sale of goods or services ex customer purchase order Document prepared at same time transaction occurs 1 Receive goods or services ex receiving report 2 Deliver goods ex bill of ladingshipping document Document prepared after transaction occurs 1 Send bill for goods or services ex sales invoice 2 Receive bill for goods or services purchased ex vendor s invoice Record in Journals 
Every transaction occurring during an accounting period should be recorded in a journal Journals follow the requirements of a double entry recording system Most companies use a general journal and several special journals Number and titles of journals for different companies vary W the acctg info needs and system design preferences of mgmt I bJgt t Post to led gers General ledger and description of general ledger accts depend on the need of mgmt All transactions must be transferred from the journals to the general ledger periodically usually monthly General ledger includes the accumulated net total of all transactions by account balance since the inception of the company Subsidiary ledgers Prepare unadjusted general ledger trial balance It is a listing of general ledger account balances at a point of time W the debits in one column and the credits in another Work sheet typically includes 0 Account number 0 Account title 0 Prior year post closing trial balance 0 Current year unadjusted trial balance 0 Adjustments 0 Adjusted trial balance 0 Income statement 0 Balance sheet Preparing and post adjusting entries Primary reason convert from cash basis Important requirements in adjusting entries Adjusting entries are prepared only at the end of the period When a company plans to prepare nancial statements Every adjusting entry affects both the B S and I S The total debits and credits must equal for each adjusting entries All adjusting entries are rst recorded in the general journal Each adjusting entry is prepared separately Each amt in each adjusting entry is posted individually to the appropriate general ledger account Most adjusting entries are not posted to subsidiary ledgers accrual basis 6 general categories of adjusting entries Prepaid expense Accrued expense Accrued revenue Unearned revenue Estimated items Estimated items Inventory adjustment Prepare adjusted trial balance Prepare nancial statements Several differences between the Worksheet totals and the nancial 
statements 0 Financial statements descriptions and details must be carefully stated to conform to GAAP 0 Frequently more than 1 account balance is combined in the trial balance to make up a nancial statement total 0 Classi ed nancial statements must distinguish between current and non current assets and liabilities 0 Financial statements must include a CF statement 0 Footnote info and other disclosures required for nancial statements are usually not available on the trial balance Prepare closing entries Happens only annually 3 closing entries for a typical company 1 Close all revenue accounts to income summary 2 Close all expense accounts to income summary 3 Close the income summary to stockholders equity Several facts about closing entries are important to understand Closing entries are prepared only at the end of the organization s year Closing entries are prepared after all transactions and adjusting entries have been prepared and posted to the general ledger Every revenueexpense acct must be closed to enable the company to begin a new year W a 0 balance Total debits and credits must equal for each closing entry Each account in each closing entry is posted individually to the appropriate general ledger account Closing entries are recorded initially in the general journal and then posted too the ledger general Post closing trial balance Relationships among Financial Statements Trial Balances Ledgers Journals Documents and Transactions Internal Controls methods used by a company to safeguard its assets and provide reasonable assurance of the accuracy of accounting data Documents and records sould be Prenumbered consecutively Prepared before a transaction occurs at the time it occurs or as soon thereafter as possible Suf ciently simple to make sure that they are understood Designed for multiple uses Whenever possible Constructed in a manner that aids in correct preparation Authorization of transactions Separation of the custody of assets from accounting Independent 
checks on performance ACCTG32O Notes 45 SUA Ch3 Starts with the receipt of an order from a customer for goods or services and ends with the collection and recording of the cash receipt for the sale Essential part is the recording of accounts receivable 5 primary subcycles Sales Cash receipts Sales returns and allowances Estimate of bad debt expense Write off of uncollectible accounts U1I L Jgt t Sales Actions and Related Documents 0 Receive order from customer Customer purchase order 0 Ship goods or perform services Bill of lading or other shipping document 0 Bill customer Sales invoice Price List 0 Record in sales journal and subsidiary ledger Sales Journal AR subsidiary ledger 0 Summarize sales journal and post to general ledger General ledger Cash Receipts Actions and Related Documents Collections on AR Cash Sales and All others borrowing sales of or interest on investments disposal of xed assets 0 Receive cash Remittance advice Cash receipts prelist 0 Deposit cash bank deposit slip 0 Record in cash receipts journal and subsidiary ledger cash receipts journal AR subsidiary ledger 0 Summarize cash receipts journal and post to general ledger General ledger Sales Returns and Allowances Actions and Related Documents 0 Process sales return and allowance request sales return request 0 Received goods returns only receiving report 0 Credit the customer Credit memo 0 Record in sales returns and allowances journal and subsidiary ledger sales returns and allowances journal AR subsidiary ledger 0 Summarize sales returns and allowances journal and post to general ledger Estimate of Bad Debt Expense Actions and Related Documents Determine provision for bad debts provision for bad debts memo Record in general journal general journal Post to general ledger general ledger Write off of uncollectible AR Actions and Related Documents Identify uncollectible AR list of uncollectible AR Record in general journal and subsidiary ledger General journalAR subsidiary ledger Post to general 
ledger General ledger AR Aged Trial Balance 1 2 Reconciles the control account to the subsidiary ledger as a check on certain recording errors Shows a listing of AR in a convenient format to enable mgmt to review the amt each customer owes Provides information about the adequacy of the allowance for doubtful accounts and the need to write off certain accounts as uncollectible Internal Controls Adequate documents and records Authorization of transactions Approval of credit before shipment takes place Shipment of the goods Determination of appropriate price ot charge for the goods Price includes terms and freight Approval of credits to AR for such things as sales returns and allowances or write off of uncollectible accounts Determining cash discounts allowed for customers payments made before the discount date Separation of the custody of assets from accounting Independent checks on performance ltgt Account for all prenumbered shipping documents ltgt Account for all prenumbered sales invoices ltgt Compare prices on invoices charged to customers for shipments to a price list approved by mgmt ltgt Check the footing in journals and records ltgt Reconcile the AR control account to the related subsidiary ledger ltgt Prepare a monthly bank reconciliation Monthly statement to customers ACCTG32O Notes 329 Chl AIS An Overview System set of 2 or more interrelated components that interact to achieve a goal Goal con ict when subsystem is inconsistent w the goals of another subsystem or with the system as awhole Goal congruence when a subsystem achieves its goals while contributing to the organization s overall goal Data facts that are collected recorded stored and processed by an information system Information data that have been organized and processed to provide meaning and improve the decision making process Information overload when those limits are passed resulting in a decline in decision making quality and an increase in the cost of providing that info IT used to help 
decision makers more effectively lter and condense information Value of info bene t produced by the information cost of producing it Useful info Relevant reduces uncertainty improves decision making or con rms or corrects prior expectations Reliable free from error or bias accurately represents organization events or activities Complete does not omit important aspects of the events or activities it measures Timely provided in time for decision makers to make decisions Understandable presented in a useful and intelligible format Veri able 2 independent knowledgeable people produce the same information Accessible available to users when they need it and in a format they can use Business process set of related coordinated and structured activities and tasks that are performed by a person or by a computer or a machine and that help accomplish a speci c organizational goal Transaction an agreement between 2 entities to exchange goods or services or any other event that can be measured in economic terms by an organization Transaction processing process that begins with capturing transaction data and ends with informational output Ex nancial statement Giveget exchange most engage in small number but each type of exchange happens many times 5 major business processestransaction cycles Revenue cycle goods and services are sold for cash or a future promise to receive cash Expenditure cycle companies purchase inventory for resale or raw materials to use in producing products in exchange for cash or a future promise to pay cash Production or conversion cycle raw materials are transformed into nished goods Human resourcespayroll cycle employees are hired trained compensated evaluated promoted and terminated Financing cycle companies sell shares in the company to investors and borrow money and where investors are paid with dividends and interests is paid on loans Last activity in common cycle activities send appropriate information to the other cycles General ledger and 
reporting system used to generate information for both mgmt and external parties AIS intelligence the information providing vehicle of that language 6 components of AIS 1 The people who use the system 2 Procedures and instructions used to collect processand store data 3 The data about the organization and its business activities The software used to process the data 5 IT infrastructure including the computers peripheral devices and network communications device used in the AIS 6 Internal controls and security measures that safeguard AIS data These 6 componenets enable an AIS to ful ll 3 important business functions 1 Collect and store data about organizational activities resources and personnel 2 Transform data into information so mgmt can plan execute control and evaluate activities resources and personnel Decision making is discussed in detail later in this chapter 3 Provide adequate controls to safeguard the organization s assets and data 5 How an AIS can add value to an organization Improving the quality and reducing the costs of products or services Improving ef ciency Sharing knowledge Improving the ef ciency and effectiveness of its supply chain Improving the internal control structure Improving decision making OU1I bJgt t AIS can help improve decision making in several ways 0 It can identify situations requiring mgmt action 0 Can reduce uncertainty and thereby provide a basis for choosing among alternative actions 0 Can store info about the results of previous decisions which provides valuable feedback that can be used to improve future decisions 0 Can provide accurate info in a timely manner 0 Analyzed sales data to discover items that are purchased together and it uses such information to improve the layout of merchandise to encourage additional sales of related items Strategic thinking and planning most important skill sets for CIO 3 factors that in uence the design of an AIS developments in IT business strategy and organizational culture Predictive 
analysis uses data warehouses and complex algorithms to forecast future events based on historical trends and calculated probabilities Value chain consist 5 primary activities that directly provide values to customers 1 Inbound logistics consists of receiving storing and distributing the materials an organization uses to create the services and products it sells Operations activities transform inputs into nal products or services Outbound logistics activities distribute nished products or services to customers Marketing and sales activities help customers buy the organization s products or services Service provide post sale support to customers 39gtquot Support activities allow 5 primary activities to be performed ef ciently and effectively 4 categories 1 Firm infrastructure acctg nance legal and general administration activities that allow an organization to function AIS part of it 2 HR recruiting hiring training and compensating employees 3 Technology activities improve a product or service Include RampD investments in IT and product design 4 Purchasing procure raw materials supplies machinery and the buildings used to carry out the primary activities Supply chain organization s value chain is part of it Ch 2 Overview of Transaction Processing and ERP Systems Data processing cycle operations performed on data to generate meaningful and relevant information Data must be collected about 3 facets of each business activity 1 Each activity of interest 2 The resources affected by each activity 3 The people who participate in each activity Source documents used to collect data about their business activities Turnaround documents company output sent to an external party who often adds data to the document and then are returned to the company as an input document Ex utility bill Source data automation capture transaction data in machine readable form at the time and place of their origin Ex ATM Data Storage General ledger contains summary level data for every asset 
liability equity revenue and expense account Subsidiary ledger contains detailed data for any general ledger account with many individual subaccounts Often used for A R inventory xed assets and AP Control account general ledger account corresponding to a subsidiary ledger helps maintain the accuracy of AIS data Coding systematic assignment of numbers or letters to items to classify and organize them Sequence codes items are numbered consecutively to account for all items Any missing items cause a gap in the numerical sequence Ex prenumbered checks invoices and purchase orders Block code clock of numbers are reserved for speci c categories of data Group codes 2 or more subgroups of digits used to code items often use din conjunction w block codes Mnemonic codes letters and numbers are interspersed to identify an itme Code should 0 Be consistent w its intended use which requires that the code designer determine desired system outputs prior to selecting the code 0 Allow for growth 0 Be as simple as possible to minimize costs facilitate memorization and interpretation and ensure employee acceptance 0 Be consistent w the company s organizational structure and across the company s divisions Chart of accounts list of the assigned to each general ledger account General journal used to record infrequent or nonroutine transactions loan pmts and end of period adjusting and closing entries Specialized journal records large of repetitive transactions such as sales cash receipts and cash disbursements Audit trail traceable path of a transaction through a data processing system from point of origin to nal output or backwards from nal output to point of origin Entity something about which information is stored such as employees inventory items and customers Each entity has attributes characteristics of interests that are stored such as pay rate and address Field where computer store data Record elds containing data about entity attributes constitute this Data Value content where 
each intersecting row and column is a eld win a record File group of related records Master le ledger in a manual AIS stores cumulative info about an organization Transaction le contains records of individual business transactions that occur during a speci c time Database set of interrelated centrally coordinated les 4 different type of data processing activities CRUD 1 Creating new data records such as adding a newly hired employee to the payroll database 2 Reading retrieving or viewing existing data 3 Updating previously stored data 4 Deleting data such as purging the vendor master le of all vendors the company no longer does business with Batch processing updating done periodically such as daily cheaper and more ef ent the data are current and accurate only immediately after processing 0 M only used for applications such as payroll that do not need frequent updating and that naturally occur or are processed at xed time periods Online realtime processing most companies update each transaction as it occurs ensures that stored info is always current p d increase decision making usefulness Information output Presented in one of 3 forms document report query response Documents records of transactions or other company data Reports used by employees to control operational activities and by managers to make decisions and to formulate business strategies Query used to provide the information needed to deal w problems and questions that need rapid action or answers ERP ERP integrate all aspects of a company s operations w a traditional AIS Typical ERP includes 0 Financial general ledger AR AP xed assets budgeting cash mgmt and prepration of managerial reports and nancial statements 0 HR and payroll HR payroll employee bene ts training time and attendance bene ts and govt reporting 0 Order to cash sales order entry shipping inventory cash receipts commission calculation 0 Purchase to pay purchasing receipt and inspection of inventory inventory and warehouse mgmt and cash 
disbursements 0 Manufacturing engineering production scheduling bill of materials WIP work ow mgmt quality control cost mgmt and manufacturing processes and projects 0 Project mgmt costing billing time and expense performance units activity mgmt 0 CRM sales and mktg commissions service customer contact and call center support 0 System tools tools for establishing master le data specifying flow of information access controls and so on Advantages ERP provides an integrated enterprise wide single View of the organization s data and nancial situation Data input is captured or keyed once rather than multiple times as it is entered into different systems Mgmt gains greater visibility into every area of the enterprise and grater monitoring capabilities The organization gains better access control Procedures and reports are standardized across business units Customer service improves bc employees can quickly access orders available inventory shipping information and past customer transaction details Manufacturing plants receive new orders in real time and the automation of manufacturing processes leads to increased productivity Disadvantages Cost ERP hardware software and consulting costs range form 50 to 500 million for a Fortune 500 company and upgrades can cost 50 million to 100 million Midsized company spend 10 and 20 million Amount of time reqruied Changes to business processes Complexity Resistance ERP vendor or consulting company 3 types of services consulting customization and support ACCTG32O Notes 413 SUA Ch 5 Payroll Cycle Payroll could be considered a part of the purchases and cash disbursements cycle 0 Employees are normally retained on LT basis 0 Disbursements require special consideration bc of tax Withholding laws and fringe bene t considerations 0 Most companies maintain a separate bank account for payroll and a separate journal for payroll disbursements 0 Both the purchase of and cash disbursements for payroll services are usually recorded at the same 
time and in the same journal reason is the short time span between the purchase of employee services and payment for the services 2 subcycles 1 Receipt and payment of employee services hire employees receive employee services process time cards 2 Payroll accruals determine accruals for payroll and payroll taxes record in GJ and post go GL Accountant s objectives All existing payroll transactions are recorded All transactions are recorded and summarized at the correct amounts All transactions are correctly classi ed as de ned by the chart of accounts All transactions are included in the prior period Accrued payroll and payroll taxes at the B S date are stated at the correct amounts All material disclosures affecting the accounts are included in the nancial statements and related footnotes OU1I L Jgt t Receipt of and payment for employee services actions and related documents 0 Hire employees personnel record deduction authorization form 0 Receive employee services time card 0 Pay for employee services payroll check checks to others gt Summarize the time cards and calculate the gross pay Withholdings and net pay for each employee gt Prepare and distribute payroll checks gt Make disbursements for Withholdings from employees gt Calculate and pay employer payroll taxes and fringe bene ts 0 Record in payroll journal and subsidiary ledger payroll journal employee earnings subsidiary ledger 0 Summarize payroll journal and post to general ledger general ledger Payroll and Payroll tax accruals actions and related documents 0 Determine payroll and payroll tax accruals payroll accrual memo 0 Record in general journal general journal 0 Post to general ledger general ledger Internal Controls 0 Adequate documents and records 0 Authorization of transactions ltgt Hiring of personnel ltgt Wage rate ltgt Regular and overtime hours ltgt Dismissal of personnel Use of time clocks Segregation of duties Imprest payroll cash ltgt Cash receipt a weekly transfer on the payroll payment date 
form the general cash account ltgt Cash disbursements employee checks after all employees have cashed their checks the amt of the balance in the payroll account is zero unless a constant balance is maintained ltgt When an imprest payroll account is used pmts to the govt and others for withheld income taxes payroll taxes and fringe expenses are paid from the general cash account Independent checks on performance gt Prepare an independent bank reconciliation gt Recalculate hours shown on time cards compare wage rates to union contracts and compare withholdings to income tax withholding tables gt Account for all payroll time cards and checks Ch 6 Inventory Cycle Periodic Inventory Method Only way to obtain an accurate balance for the ending inventory is to count the inventory physically determine the cost of each inventory item and calculate the total balance Steps in Determining Inventory Using the Periodic Method 1 2 3 4 5 Count inventory tag system Summarize inventory Determine correct unit cost of inventory FIFOLIFOWeighted avg and lower of cost or market Extend price times quantity and add totals Record in general ledger by journal entry Perpetual Inventory Method COGS is calculated for each sale and the residual is ending inventory 1 2 Record the sale at selling price Record the COGS at cost Bene ts of perpetual method 1 Qty and value on had at any time for any time in inventory can be determined by examining the perpetual records Provide a check on the accuracy of the COGS and a measure of losses through such things as theft and spoilage Source of Info in the Perpetual Records Sales inventory items only Sales returns not sales allowances Purchases inventory items only Purchase returns inventory returns only Physical count When there are perpetual records Periodically most companies take a physical count of the actual inventory for comparison to the perpetual difference due to errors and theft Internal Controls 0 Perpetual records 0 Segregation of duties 0 
- Safekeeping of inventory
- Independent checks on performance:
  - Second counts of inventory by an independent count team during the periodic inventory count.
  - Recalculation of unit and total costs of inventory on the physical inventory summaries.

ACCTG 320 Notes 4/27 - Ch 21 AIS Development Strategies

Purchasing software
Canned software: sold to users with similar requirements.
Turnkey systems: software and hardware sold as a package. Many are written by vendors who specialize in a particular industry.
Major problem with canned software: may not meet all of the company's information needs.
Application service providers: deliver software over the Internet; companies can rent it.

Companies that buy AIS software follow the normal SDLC, except:
- During conceptual systems design, companies determine whether software that meets AIS requirements is available and, if so, whether to buy it or create their own.
- Some physical design and implementation and conversion steps can be omitted. For example, the company usually does not need to design, code and test program modules or document the computer program.

Vendors are found by referrals, at conferences, in industry magazines, on the Internet, or in the phone book.
Request for proposal (RFP): asking vendors to propose a system that meets the company's needs by a specified date; used for large and complex systems. It is important because it:
1. Saves time
2. Simplifies the decision-making process
3. Reduces errors
4. Avoids potential for disagreement
Benchmark problem: an input, processing and output task typical of what the new AIS will perform.
Point scoring: assigns a weight to each evaluation criterion based on its importance.
Requirement costing: estimates the cost of purchasing or developing unavailable features.

Development by in-house information systems departments
Custom software: developed when doing so provides a significant competitive advantage.
Hurdles: significant amounts of time, complexity of the system, poor requirements, insufficient planning, inadequate communication and cooperation, lack of qualified
staff, and poor top mgmt support.

When using an outside developer, a company maintains control over the development process as follows:
- Carefully select a developer that has experience in the company's industry and an in-depth understanding of how the company conducts its business.
- Sign a contract that rigorously defines the relationship between the company and the developer, places responsibility for meeting system requirements on the developer, and allows the project to be discontinued if key conditions are not met.
- Plan the project in detail and frequently monitor each step in the development.
- Communicate frequently and effectively.
- Control all costs and minimize cash outflows until the project is accepted.

End-user computing (EUC): the hands-on development, use and control of computer-based information systems by users. It is inappropriate for complex systems such as those that process a large number of transactions or update database records (payroll, A/R, A/P, general ledger, inventory).
Advantages:
- User creation, control and implementation
- Systems that meet user needs
- Timeliness
- Freeing up of systems resources
- Versatility and ease of use
Disadvantages:
- Logic and development errors
- Inadequately tested applications
- Inefficient systems
- Poorly controlled and documented systems
- System incompatibilities
- Duplication of systems and data; wasted resources
- Increased costs
Help desk: supports and controls end-user activities.

Outsourcing: hiring an outside company to handle all or part of an organization's data processing activities. Most companies do not outsource strategic IT mgmt, business process mgmt or IT architecture.
Advantages of outsourcing:
- A business solution
- Asset utilization
- Access to greater expertise and better technology
- Lower costs
- Less development time
- Elimination of peaks and valleys in usage
- Facilitation of downsizing
Disadvantages:
- Inflexibility
- Loss of control
- Reduced competitive advantage
- Locked-in system
- Unfulfilled goals
- Poor
service
- Increased risk

Business process reengineering (BPR): drastic, one-time-event approach to improving and automating business processes. Had a low success rate.
Business process management (BPM): systematic approach to continuously improving and optimizing an organization's business processes.
Important principles underlying BPM:
- Business processes can produce competitive advantages.
- Business processes must be managed end to end.
- Business processes should be agile.
- Business processes must be aligned with organizational strategy and needs.
Business process mgmt systems (BPMS): automate and facilitate business process improvements. A process-centered BPMS has 4 major components:
- A process engine to model and execute applications, including business rules.
- Business analytics to help identify and react to business issues, trends and opportunities.
- Collaboration tools to remove communication barriers.
- A content manager to store and secure electronic documents, images and other files.

Prototyping: systems design approach in which a simplified working model of a system is developed. Developed using 4 steps:
1. Meet with users to agree on the size and scope of the system and to decide what the system should and should not include. Focus on what output should be produced.
2. Develop an initial prototype. Emphasis on low cost and rapid development.
3. Use the feedback to modify the system and return it to the users.
4. Use the system.
Operational prototypes: turned into fully functional systems. Incorporates the things ignored in step 1, provides backup and recovery, and integrates the prototype with other systems.
Nonoperational (throwaway) prototypes: used in several ways.
When to use a prototype: when there is a high level of uncertainty, it is unclear what questions to ask, the AIS cannot be clearly visualized, or there is a high likelihood of failure. Good candidates: decision support systems, executive info systems, expert systems and information retrieval systems.
Advantages:
- Better definition of the user needs
- Higher user involvement and satisfaction
- Faster development time
- Fewer errors
- More opportunity for changes
- Less costly
Conditions that favor the use of prototyping: users' needs are not understood, change rapidly, or evolve as the system is used; system requirements are hard to define; system inputs and outputs are not known.
Disadvantages:
- Significant user time
- Less efficient use of system resources
- Inadequate testing and documentation
- Negative behavioral reactions
- Never-ending development

Computer-aided software (or systems) engineering (CASE): integrated package of tools that skilled designers use to help plan, analyze, design, program and maintain an information system.
Advantages:
- Improved productivity
- Improved program quality
- Cost savings
- Improved control procedures
- Simplified documentation
Problems:
- Incompatibility
- Cost
- Unmet expectations

ACCTG 320 Notes 4/23 - Ch 20 Introduction to Systems Development and Systems Analysis

Companies change their systems for the following reasons:
- Changes in user/business needs: increased competition, business growth or consolidation, downsizing operations, mergers and divestitures, or new regulations can alter an organization's structure and purpose. To remain responsive, the system must change.
- Technological changes: as technology advances and becomes less costly, organizations adopt new technologies.
- Improved business processes: many companies change their systems to improve inefficient business processes.
- Competitive advantage: to increase the quality, qty and speed of information, to improve products/services, to lower costs, and to provide other competitive advantages.
- Productivity gains: can automate clerical tasks, decrease task performance time, and provide employees w/ specialized knowledge.
- Systems integration: organizations with incompatible systems integrate them to remove incompatibilities and to consolidate databases.
- Systems age and need to be replaced: they become less stable and eventually need to be replaced.

Systems Development
The systems development life cycle:
- Systems analysis: where the information needed to purchase, develop or modify a system is gathered. Do initial investigation, do system survey, do feasibility study, determine information needs and systems requirements. Deliverable: systems requirements.
- Conceptual design: the company decides how to meet user needs. Identify and evaluate design alternatives, develop design specifications. Deliverable: conceptual design requirements.
- Physical design: the company translates the broad, user-oriented conceptual design requirements into the detailed specifications used to code and test computer programs, design input and output documents, create files and databases, develop procedures, and build controls into the new system. Design output, design database, design input, develop programs, develop procedures, design controls. Deliverable: developed system.
- Implementation and conversion: develop an implementation and conversion plan, install hardware and software, train personnel, test the system, complete documentation, convert from old to new system. Deliverable: operational system.
- Operations and maintenance: the new system is periodically reviewed and modifications are made as problems arise or as new needs become evident. Fine-tune and do post-implementation review, operate system, modify system, do ongoing maintenance. Deliverable: improved system.
In addition, 3 activities (planning, managing behavioral reactions to change, and assessing the ongoing feasibility of the project) are performed throughout the life cycle.

The players
- Management: most important system development roles are to emphasize the importance of involving users in the process, to provide support and encouragement for development projects, and to align systems with corporate strategies.
- Accountants and other users: AIS users communicate their information needs to system developers.
- IS steering committee: executive-level IS steering committee plans and oversees the IS function. Consists of high-level mgmt such as the controller
and systems and user department management. Sets AIS policies, ensures top mgmt participation, guidance and control, and facilitates the coordination and integration of systems activities.
- Project development team: each development project has a team of system analysts and specialists, managers, accountants and users to guide its development.
- Systems analysts and programmers: system analysts study existing systems, design new ones, and prepare the specifications used by computer programmers. They interact with employees throughout the organization to bridge the gap between the user and technology. Computer programmers write programs using the specifications developed by the analysts; they also modify and maintain existing computer programs.

Planning Systems Development
2 systems development plans are needed:
1. Project development plan: prepared by the project team; contains a cost/benefit analysis, developmental and operational requirements (people, hardware, software, financial) and a schedule of activities required to develop and operate the new application.
2. Master plan: prepared by the IS steering committee; specifies what the system will consist of, how it will be developed, who will develop it, how needed resources will be acquired, and where the AIS is headed.

Planning Techniques
Program evaluation and review technique (PERT): requires that all activities and the precedent and subsequent relationships among them be identified. Critical path: the path requiring the greatest amount of time.
Gantt chart: bar chart with project activities on the left-hand side and units of time across the top. Advantage: ability to show graphically the entire schedule for a large, complex project, including progress to date and status. Disadvantage: the charts do not show the relationships among project activities.

Feasibility study: prepared during systems analysis and updated as necessary during the SDLC. Prepared with input from mgmt, accountants, systems personnel and users. 5 important aspects to be considered during a feasibility study:
1. Economic feasibility: will system benefits justify the time, money and resources required to implement it?
2. Technical feasibility: can the system be developed and implemented using existing technology?
3. Legal feasibility: does the system comply with all applicable federal and state laws, administrative agency regulations, and contractual obligations?
4. Scheduling feasibility: can the system be developed and implemented in the time allotted?
5. Operational feasibility: does the organization have access to people who can design, implement and operate the proposed system? Will people use the system?

Capital Budgeting: Calculating Economic Feasibility
Capital budgeting model: benefits and costs are estimated and compared to determine whether the system is cost beneficial. 3 commonly used capital budgeting techniques:
1. Payback period: number of years required for the net savings to equal the initial cost of investment. The project with the shortest payback period is usually selected.
2. Net present value (NPV): all estimated future cash flows are discounted back to the present using a discount rate that reflects the time value of money. The highest is usually selected.
3. Internal rate of return (IRR): effective interest rate that results in an NPV of zero. Compared with a minimum acceptable rate to determine acceptance or rejection. Usually the highest IRR is selected.

Behavioral aspects of change: crucial because the best system will fail without the support of the people it serves.
- Fear: people fear the unknown, losing their jobs, losing respect or status, failure, technology and automation, and the uncertainty accompanying change.
- Top mgmt support: employees who sense a lack of top mgmt support for change wonder why they should endorse it.
- Experience with prior changes: employees who had a bad experience with prior changes are more reluctant to cooperate.
- Communication: employees are unlikely to support a change unless the reasons behind it are explained.
- Disruptive nature of change: requests for info and interviews are
distracting and place additional burdens on people, causing negative feelings toward the change that prompted them.
- Manner in which change is introduced.
- Biases and emotions: people w/ emotional attachments to their duties or coworkers may not want to change if those elements are affected.
- Personal characteristics and background: generally, the younger and more highly educated people are, the more likely they are to accept change.

Resistance often takes 1 of 3 forms: aggression, projection or avoidance.
- Aggression: behavior that destroys, cripples or weakens system effectiveness, such as increased error rates, disruptions or deliberate sabotage.
- Projection: blaming the new system for everything that goes wrong. System integrity can be damaged/destroyed.
- Avoidance: ignoring a new AIS in the hope that the problem will eventually go away.

Preventing behavioral problems:
- Obtain management support: appoint a champion who can provide resources and motivate others to assist and cooperate with systems development.
- Meet users' needs
- Involve users
- Allay fears and stress new opportunities
- Avoid emotionalism
- Provide training
- Reexamine performance evaluation
- Keep communication lines open
- Test the system
- Keep the system simple and humanize it
- Control users' expectations

Request for systems development: prepared when a new or improved system is needed; describes current problems, the reasons for the change, the proposed system's objectives, and its anticipated benefits and costs.
Initial investigation: conducted to screen the requests for systems development. A new AIS is not the answer to organizational problems. A proposal to conduct systems analysis is prepared for approved projects; it is assigned a priority and added to the master plan.
Systems survey: an extensive study of the current AIS that has the following objectives:
- Gain an understanding of company operations, policies, procedures and information flow; AIS strengths and weaknesses; and available hardware, software and personnel.
- Make preliminary
assessments of current and future processing needs and determine the extent and nature of the changes needed.
- Develop working relationships with users and build support for the AIS.
- Collect data that identify user needs, conduct a feasibility analysis, and make recommendations to mgmt.

Interview: gathers answers to "why" questions.
Questionnaires: used when the amount of information to be gathered is small and well defined, is obtained from many people or from those who are located elsewhere, or is intended to verify data from other sources.
Observation: used to verify information gathered using other approaches and to determine how a system actually works rather than how it should work.
Systems documentation: describes how the AIS is intended to work. Consists of questionnaire copies, interview notes, memos, document copies and models.
Physical models: illustrate how a system functions by describing document flow, the computer processes performed, the people performing them, and the equipment used.
Logical models: focus on essential activities (what is being done) and the flow of information, not on the physical processes of transforming and storing data.
Systems survey report: supported by documentation such as memos, interview and observation notes, questionnaire data, file and record layouts and descriptions, input and output descriptions, copies of documents, E-R diagrams, flowcharts and data flow diagrams.

Possible contents of systems requirements:
- Processes: business process descriptions.
- Data elements: name, size, format, source and significance of required data elements.
- Data structure: how the data elements will be organized into logical records.
- Outputs: description of the purpose, frequency and distribution of system outputs.
- Inputs: description of contents, source and person responsible for system inputs.
- Documentation: how the new system and each subsystem will operate.
- Constraints: deadlines, schedules, security requirements, staffing limitations, and statutory or regulatory requirements.
- Controls: controls to
ensure the accuracy and reliability of inputs, outputs and processing.
- Reorganizations: organizational reorganization needed to meet users' information needs, such as increasing staff levels and adding new job functions.

Ways to determine requirements:
1. Ask users what they need: simplest and fastest strategy, but many people do not understand their needs.
2. Analyze external systems: if a solution already exists, do not reinvent the wheel.
3. Examine existing systems: determine if existing modules are used as intended, may be augmented by manual tasks, or may be avoided altogether. Helps determine whether a system can be modified or must be replaced.
4. Create a prototype: when it is difficult to identify requirements, a developer can quickly rough out a system for users to critique.

AIS objectives: usefulness, economy, reliability, availability, timeliness, customer service, capacity, ease of use, flexibility, tractability, auditability, security.
Systems analysis report: summarizes and documents analysis activities. A go/no-go decision is made up to 3 times during systems analysis:
- During the initial investigation, to determine whether to conduct a system survey.
- At the end of the feasibility study, to determine whether to proceed to the information requirements phase.
- At the completion of the analysis phase, to decide whether to proceed to conceptual systems design.

ACCTG 320 Notes 4/1 - SUA Ch: Flowcharting

A written description of the accounting system affecting a company's financial statements serves several purposes:
- Minimizes the likelihood of an incomplete or ineffective accounting system.
- Provides a record for training new employees and reminding existing personnel how the system should operate.
- Assists in making improvements to the system.
- Provides info for accounting personnel to communicate with other personnel about the system.
- Improves the ability to communicate with people outside the company.
To obtain maximum benefit from a description of an accounting system, it should have:
1. The origin of every document and record in the system.
2. All processing that
takes place.
3. The disposition of every document and record in the system.
4. The department or personnel performing the duties.
5. The existing internal controls:
   a. Separation of duties
   b. Authorization and approval
   c. Independent checks
Use of narrative: common when a system is simple and easy to describe.

3 types of flowcharts:
1. Systems flowchart: emphasizes the flow of documents and records in the organization. Does not show the segregation of duties.
2. Internal control flowchart: shows the segregation of duties plus other internal controls.
3. Program flowchart: more detailed than the previous 2. Primary use is for computer programming. Segregation of duties not shown.

Several qualities that help flowcharts communicate effectively:
- Use of specialized symbols.
- Use of flowlines:
  - Solid lines: documents/records were prepared, filed or distributed.
  - Dotted lines: info on the documents or records was examined.
- Show separation of duties.
- Include relevant internal controls.
- Include written comments and clarification (annotation or footnotes).
- Show the source of every document in the flowchart. Every document must come from 1 of 3 sources:
  - Received from a source outside the company
  - Received from a department not shown in the flowchart
  - Prepared by a department included in the flowchart
- Use a process symbol for every document or record prepared.
- Show the disposition of every document in the flowchart. Every document must go to 1 of 3 places:
  - Sent to a source outside the company
  - Sent to a dept not shown in the flowchart
  - Filed

Overall approach:
1. Decide on the system or process to be flowcharted.
2. Determine information about the documents, records and activities in the system.
3. Develop a tentative organization for the flowchart, including segregation of duties.
4. Draw a rough sketch of the system or process.
5. Draw a flowchart including comments and annotations.
6. Trace the documents and records for one or two transactions through the flowchart.

Flowcharting symbols for manual systems:
- Document: paper documents and
reports of all types (sales invoice, receiving report, time card).
- Manual operation or process: performance by a human of any processing function which causes a change in value, form or location of information (sales invoice prepared by clerk).
- Terminal: beginning, ending or interruption of a flowchart; used to indicate info entering or leaving the system (receipt of order from customer).
- Off-line storage: off-line storage of documents and records (duplicate sales invoice filed in numerical order).
- Journal/ledger symbol: recording of processed information in journals/ledgers (entry in sales journal).
- Decision: used to indicate a decision requiring different actions for a yes or no answer (customer credit satisfactory?).
- Annotation: the addition of descriptive comments or explanatory notes as clarification (a billing clerk checks credit before preparing an invoice).
- On-page connector: exit to or entry from another part of the flowchart on the same page, keyed by using numbers (a document transfer from one department to another).
- Off-page connector: exit to or entry from another part of the flowchart on a different page.
- Directional flowlines:
  - Direction of processing or data flow.
  - Dotted line indicates only information flow, not document flow.

ACCTG 320 Notes 5/5 - Ch 8 Information Systems Controls for System Reliability, Part 1: Information Security

COBIT framework:
1. Effectiveness: the information must be relevant and timely.
2. Efficiency: the information must be produced in a cost-effective manner.
3. Confidentiality: sensitive information must be protected from unauthorized disclosure.
4. Integrity: the information must be accurate, complete and valid.
5. Availability: the information must be available whenever needed.
6. Compliance: controls must ensure compliance with internal policies and with external legal and regulatory requirements.
7. Reliability: mgmt must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

Domains (basic mgmt activities in IT processes):
1. Plan
and organize (PO):
   - Define a strategic IT plan
   - Define the info architecture
   - Determine technological direction
   - Define the IT processes, organization and relationships
   - Manage the IT investment
   - Communicate mgmt aims and direction
   - Manage IT HR
   - Manage quality
   - Assess and manage IT risks
   - Manage projects
2. Acquire and implement (AI):
   - Identify automated solutions
   - Acquire and maintain application software
   - Acquire and maintain technology infrastructure
   - Enable operation and use
   - Procure IT resources
   - Manage changes
   - Install and accredit solutions and changes
3. Deliver and support (DS):
   - Define and manage service levels
   - Manage 3rd-party services
   - Manage performance and capacity
   - Ensure continuous service
   - Ensure systems security
   - Identify and allocate costs
   - Educate and train users
   - Manage service desk and incidents
   - Manage the configuration
   - Manage problems
   - Manage data
   - Manage the physical environment
   - Manage operations
4. Monitor and evaluate (ME):
   - Monitor and evaluate IT performance
   - Monitor and evaluate internal control
   - Ensure compliance with external requirements
   - Provide IT governance

Five categories that most directly pertain to system reliability and the reliability of an organization's financial statements:
1. Security: access to the system and its data is controlled and restricted to legitimate users.
2. Confidentiality: sensitive organizational information (mktg plans, trade secrets) is protected from unauthorized disclosure.
3. Privacy: personal info about customers is collected, used, disclosed and maintained only in compliance with internal policies and external regulatory requirements, and is protected from unauthorized disclosure.
4. Processing integrity: data are processed accurately, completely, in a timely manner, and only with proper authorization.
5. Availability: the system and its information are available to meet operational and contractual obligations.

Two fundamental information security concepts:
1. Security is a mgmt issue, not a
technology issue.
Mgmt's role in information security:
1. Create and foster a proactive, security-aware culture.
2. Inventory and value the organization's information resources.
3. Assess risks and select a risk response.
4. Develop and communicate security plans, policies and procedures.
5. Acquire and deploy information security technologies and products.
6. Monitor and evaluate the effectiveness of the organization's information security program.
2. Defense in depth and the time-based model of information security.
Defense in depth: to employ multiple layers of controls in order to avoid having a single point of failure. Preventive controls can never provide 100% protection.
Time-based model of security: to employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information.
  P = time it takes an attacker to break through the organization's preventive controls
  D = time it takes to detect that an attack is in progress
  C = time it takes to respond to the attack
  If P > D + C, the organization's security procedures are effective.

Basic steps criminals use to attack an organization's information system:
1. Conduct reconnaissance.
2. Attempt social engineering:
   - Social engineering: trick an unsuspecting employee into granting them access.
   - Spear phishing: sending emails purportedly from someone that the victim knows or should know.
3. Scan and map the target.
4. Research.
5. Execute the attack.
6. Cover tracks.

Preventive controls
Commonly used information security controls:
Preventive:
a. Training
b. User access controls (authentication and authorization)
c. Physical access controls (locks, guards)
d. Network access controls (firewalls, intrusion prevention systems)
e. Device and software hardening controls (configuration options)
Detective:
a. Log analysis
b. Intrusion detection systems
c. Security testing and audits
d. Managerial reports
Corrective:
a. Computer incident response teams (CIRT)
b. Chief information security officer (CISO)
c. Patch management
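An added example, not from the course notes, of the user access controls listed above as two separate steps: authentication (a "something they know" credential is verified) and then authorization (the authenticated identity's request is matched against an access control matrix, the check the notes later call the compatibility test). Every denial is written to an audit log, which is the raw material for the log analysis listed under detective controls. All user names, passwords, resources and matrix entries are constructed sample data.

```python
"""Added example (not from the course notes): authentication followed by the
access-control-matrix "compatibility test", with denials logged for later
log analysis. All users, passwords, resources and rights are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential file cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccessControlSystem:
    # credential store: user -> (salt, pbkdf2 hash)   ("something they know")
    credentials: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    # access control matrix: user -> resource -> set of permitted actions
    matrix: Dict[str, Dict[str, FrozenSet[str]]] = field(default_factory=dict)
    # detective control: every failure is recorded for later log analysis
    audit_log: List[str] = field(default_factory=list)

    def enroll(self, user: str, password: str, rights: Dict[str, FrozenSet[str]]) -> None:
        salt = os.urandom(16)
        self.credentials[user] = (salt, _hash_password(password, salt))
        self.matrix[user] = rights

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Return the verified user id, or None for an unknown user or a
        wrong password (both are logged, and both get the same answer)."""
        stored = self.credentials.get(user)
        if stored is None:
            self.audit_log.append(f"AUTH FAIL unknown user={user}")
            return None
        salt, expected = stored
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            self.audit_log.append(f"AUTH FAIL bad password user={user}")
            return None
        return user

    def compatibility_test(self, user: str, resource: str, action: str) -> bool:
        """Authorization: is `action` on `resource` in the matrix cell for
        `user`? Anything not explicitly granted is denied (default deny)."""
        permitted = self.matrix.get(user, {}).get(resource, frozenset())
        allowed = action in permitted
        if not allowed:
            self.audit_log.append(
                f"AUTHZ DENY user={user} resource={resource} action={action}")
        return allowed

    def request(self, user: str, password: str, resource: str, action: str) -> bool:
        """What an application does per request: authenticate first, then run
        the compatibility test for the authenticated identity only."""
        identity = self.authenticate(user, password)
        return identity is not None and self.compatibility_test(identity, resource, action)


def build_sample_system() -> AccessControlSystem:
    """Constructed matrix for a small payroll application (sample data)."""
    acs = AccessControlSystem()
    acs.enroll("pclerk", "correct horse battery", {
        "time_cards": frozenset({"read", "update"}),
        "payroll_journal": frozenset({"read", "update"}),
        "employee_master": frozenset({"read"}),
    })
    acs.enroll("hrmgr", "staple", {
        "employee_master": frozenset({"read", "update", "create"}),
        "time_cards": frozenset({"read"}),
    })
    return acs
```

Note that the payroll clerk can read but not change the employee master file, so the matrix also enforces the segregation of duties between hiring and paying that the payroll chapter calls for.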
Piggybacking: allowing other people to follow an authorized person through a restricted-access entrance.
Authentication: process of verifying the identity of the person/device attempting to access the system. 3 types of credentials can be used to verify a person's identity:
1. Something they know, such as passwords or personal identification numbers.
2. Something they have, such as smart cards or ID badges.
3. Some physical characteristic, referred to as a biometric identifier, such as their fingerprints or voice.
To be effective, passwords must satisfy a number of requirements: length, multiple character types, randomness, changed frequently.
Multifactor authentication: use of 2 or all 3 types in conjunction; quite effective.
Multimodal authentication: using multiple credentials of the same type can also improve security.
Authorization: process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
Compatibility test: matches the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.

Border router: connects an organization's IS to the Internet.
Firewall: either a special-purpose hardware device or software running on a general-purpose computer.
Demilitarized zone (DMZ): separate network that permits controlled access from the Internet to selected resources, such as the organization's e-commerce Web server.
Transmission Control Protocol (TCP): specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembly of the original document or file at the destination.
Internet Protocol (IP): specifies the structure of those packets and how to route them to the proper destination. Every IP packet consists of 2 parts: header and body.
Routers: designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next.
Access control list (ACL): determines
which packets are allowed entry and which are dropped.
Static packet filtering: screens individual IP packets based solely on the contents of the source and/or destination fields in the IP packet header.
Stateful packet filtering: creates and maintains a table in memory that lists all established connections between the organization's computers and the Internet.
Deep packet inspection: process of examining the data contents of a packet.
Intrusion prevention systems (IPS): monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.
Remote authentication dial-in user service (RADIUS): standard method for verifying the identity of users attempting to obtain dial-in access.
War dialing: calls every telephone number assigned to the organization to identify those which are connected to modems. Any rogue modems discovered should be disconnected, with sanctions applied to the employees responsible for installing them.

All wireless access points should be located in the DMZ. In addition, the following procedures need to be followed to adequately secure wireless access:
- Turn on available security features.
- Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address.
- Configure all authorized wireless devices to operate only in infrastructure mode, which forces the device to connect only to wireless access points. In addition, predefine a list of authorized MAC addresses and configure wireless access points to accept connections only if the device's MAC address is on the authorized list.
- Use noninformative names for the access point's address (service set identifier, SSID).
- Reduce the broadcast strength of wireless access points, locate them in the interior of the building, and use directional antennas to make unauthorized reception off premises more difficult. Special paint and window films can also be used to contain wireless signals within a building.
- Encrypt all wireless traffic.

End points: workstations,
servers, printers and other devices. 3 areas deserve special attention:
1. Endpoint configuration
2. User account mgmt
3. Software design
Endpoint configuration
Vulnerabilities: flaws that can be exploited to either crash the system or take control of it.
Vulnerability scanners: tools used to identify unused and therefore unnecessary programs that represent potential security threats.
Hardening: process of modifying the default configuration of endpoints to eliminate unnecessary settings and services.

Detective controls
Log analysis: process of examining logs to identify evidence of possible attacks.
Intrusion detection systems (IDSs): consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions. Main difference between IDS and IPS: the former only produces a warning alert when it detects a suspicious pattern of network traffic, whereas the latter also automatically takes steps to stop a suspected attack.
Penetration test: an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's information system.
Computer incident response team (CIRT): responsible for dealing with major incidents; should include not only technical specialists but also senior operations mgmt, because some potential responses to security incidents have significant economic consequences. The CIRT should lead the organization's incident response process through the following 4 steps:
1. Recognition that a problem exists: typically occurs when an IPS/IDS signals an alert or as a result of log analysis by a systems administrator.
2. Containment of the problem: once an intrusion is detected, prompt action is needed to stop it and to contain the damage.
3. Recovery: damage caused by the attack must be repaired. May involve restoring data from backup and reinstalling corrupted programs.
4. Follow-up: once recovery is in process, the CIRT should lead the
analysis of how the incident occurred.

Exploit: a set of instructions for taking advantage of a vulnerability.
Patch: code released by software developers that fixes a particular vulnerability.
Patch management: the process for regularly applying patches and updates to all software used by the organization.
Virtualization: takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one physical computer.
Cloud computing: takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software, data storage devices, hardware, and entire application environments. The arrangement is referred to as a private, public, or hybrid cloud depending on whether the remotely accessed resources are entirely owned by the organization, by a third party, or a mix of the two.

ACCTG 320 Notes 5/10: Ch 9 Information Systems Controls for Systems Reliability, Part 2: Confidentiality and Privacy

Actions that must be taken to preserve confidentiality:
1. Identification and classification of the information to be protected
2. Encryption of sensitive information
3. Controlling access to sensitive information
4. Training
Sensitive information is exposed in plain view whenever it is being processed by a program, displayed on a monitor, or included in printed reports. Consequently, protecting confidentiality requires application of the principle of defense in depth, supplementing encryption with access controls and training.
Information rights management (IRM) software: provides an additional layer of protection to specific information resources, offering the capability not only to limit access to specific files or documents but also to specify the actions that individuals who are granted access to that resource can perform.
Data loss prevention (DLP) software: works like an antivirus program in reverse, blocking outgoing messages that contain key words or phrases associated with the intellectual property or other sensitive data the organization wants to protect.
Digital watermark: a detective
control that enables an organization to identify confidential information that has been disclosed; should supplement DLP software.
Training is arguably the most important control for protecting confidentiality.
Data masking: programs that replace customers' personal information with fake values.

Two major privacy-related concerns: spam and identity theft.
Spam: unsolicited email that contains either advertising or offensive content.
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act guidelines:
- The sender's identity must be clearly displayed in the header of the message.
- The subject field in the header must clearly identify the message as an advertisement or solicitation.
- The body of the message must provide recipients with a working link that can be used to opt out of future email.
- The body of the message must include the sender's valid postal address.
- Organizations should not send commercial email to randomly generated addresses, nor should they set up Web sites designed to harvest email addresses of potential customers.
Identity theft: unauthorized use of someone's personal information for the perpetrator's benefit.
Generally Accepted Privacy Principles (GAPP):
1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use and retention
6. Access
7. Disclosure to third parties
8. Security
9. Quality
10. Monitoring and enforcement
Cookie: a text file created by a web site and stored on a visitor's hard disk.

Encryption: the process of transforming normal content, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses the process, transforming ciphertext back into plaintext.
Three important factors determine the strength of any encryption system:
1. Key length
2. Encryption algorithm
3. Policies for managing the cryptographic keys
Secrecy of the algorithm is not necessary for strength: a sound algorithm can be public; only the key must stay secret.
Key escrow: involves making copies of all encryption keys used by employees and storing those copies securely.
Symmetric encryption systems use the same key both to encrypt and decrypt (DES, AES). Note: DES, with its 56-bit key, is obsolete and should not be used for new systems.
Asymmetric encryption
systems use two keys: a public key, widely distributed and available to everyone, and a private key, kept secret and known only to the owner of that pair of keys (RSA, PGP). An asymmetric encryption system solves two problems of symmetric systems: both parties need to know the shared secret key, and a separate secret key must be created for use with each party with whom the use of encryption is desired. Main drawback is speed.
Hashing: a process that takes plaintext of any length and transforms it into a short code called a hash. Differences from encryption: (1) encryption always produces ciphertext similar in length to the original plaintext, but hashing always produces a hash of a fixed short length regardless of the length of the plaintext; (2) encryption is reversible but hashing is not. Hashing also uses every bit in the original plaintext to calculate the hash value, so a change to any part of the input changes the hash; this provides a means to verify that the contents of a message have not been altered.
Nonrepudiation: how to create legally binding agreements that cannot be unilaterally repudiated by either party.
Digital signature: a hash of a document that is encrypted using the document creator's private key. Provides proof about two important issues: (1) that a copy of a document/file has not been altered, and (2) who created the original version of a digital document/file.
Digital certificate: an electronic document that contains an entity's public key and certifies the identity of the owner of that particular public key.
Certificate authority: issues digital certificates.
Public key infrastructure (PKI): system for issuing pairs of public and private keys and corresponding digital certificates. Important factors: (1) the procedures the certificate authority uses to verify the identity of an applicant for a digital certificate; (2) the procedures it uses to update certificates and to revoke compromised or expired digital certificates.
Virtual private network (VPN): provides the functionality of a privately owned secure network without the associated costs of leased telephone lines, satellites, and other communication equipment.
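The perimeter and detective controls from the network-security notes above (static versus stateful packet filtering, log analysis, and the IDS/IPS distinction) as one small simulation. This is an added example, not code from the notes or the textbook; the internal address range, the web server address, the sshd-style log lines and the alert threshold are all constructed for illustration.

```python
"""Perimeter controls from the notes above as one small simulation: static vs
stateful packet filtering, log analysis, and the IDS/IPS difference. Added
example, not the notes' or textbook's code; addresses, log lines and the
alert threshold are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed internal address range
WEB_SERVER = "10.0.0.80"      # assumed published web server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False         # True for a connection-opening packet


def static_filter(pkt):
    """Static packet filtering: decides on this packet's header alone."""
    if pkt.src_ip.startswith(INTERNAL_PREFIX):
        return "allow"        # anything leaving the internal network
    if pkt.dst_ip == WEB_SERVER and pkt.dst_port == 443:
        return "allow"        # inbound only to the published service
    return "drop"             # this also drops replies to sessions we opened


class StatefulFilter:
    """Stateful packet filtering: remembers sessions the inside opened and admits
    their return traffic; anything else falls back to the static rules."""

    def __init__(self):
        self.connections = set()   # (src_ip, src_port, dst_ip, dst_port)
        self.blocked = set()       # sources an IPS has told us to drop

    def decide(self, pkt):
        if pkt.src_ip in self.blocked:
            return "drop"
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return "allow"         # reply to a session in the table
        verdict = static_filter(pkt)
        if verdict == "allow" and pkt.syn:
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return verdict


# Constructed sshd-style log lines, not real captures.
AUTH_LOG = """\
May 10 09:01:02 gw sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
May 10 09:01:03 gw sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
May 10 09:01:05 gw sshd[412]: Failed password for root from 198.51.100.7 port 40124 ssh2
May 10 09:01:06 gw sshd[413]: Failed password for root from 198.51.100.7 port 40125 ssh2
May 10 09:01:08 gw sshd[414]: Failed password for root from 198.51.100.7 port 40126 ssh2
May 10 09:02:11 gw sshd[415]: Failed password for alice from 10.0.0.5 port 51000 ssh2
"""
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def analyze_log(log_text, threshold=5):
    """Log analysis: failed logins per source; returns {ip: count} for sources
    at or above the (constructed) threshold."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def run_ids(log_text):
    """IDS: only raises alerts."""
    return [f"ALERT brute force from {ip} ({n} failures)"
            for ip, n in analyze_log(log_text).items()]


def run_ips(log_text, fw):
    """IPS: same alerts, plus a block rule pushed into the filter."""
    fw.blocked.update(analyze_log(log_text))
    return run_ids(log_text)


def demo():
    fw = StatefulFilter()
    out = Packet("10.0.0.5", 51000, "93.184.216.34", 80, syn=True)
    reply = Packet("93.184.216.34", 80, "10.0.0.5", 51000)
    stray = Packet("198.51.100.7", 4444, "10.0.0.5", 51000)
    results = {
        "static_reply": static_filter(reply),   # drop: a header alone can't show it's a reply
        "stateful_out": fw.decide(out),         # allow, and the session is recorded
        "stateful_reply": fw.decide(reply),     # allow: matches the table
        "stateful_stray": fw.decide(stray),     # drop: no matching session
        "ids_alerts": run_ids(AUTH_LOG),        # one alert, nothing blocked
        "ips_alerts": run_ips(AUTH_LOG, fw),    # same alert, source now blocked
    }
    web = Packet("198.51.100.7", 40200, WEB_SERVER, 443, syn=True)
    results["after_ips"] = fw.decide(web)       # drop, although the static rule allows it
    return results
```

The point of the static case is that a filter which sees only one header has to choose between dropping the reply to a session the inside opened and opening every high port to the Internet; the connection table removes that dilemma. A production stateful filter also expires idle table entries and tracks TCP state rather than a bare SYN flag, and a production IPS would rate-limit or time out its blocks.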
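The hashing and digital-signature passages above, worked in code: the fixed output length and the every-bit-matters property of a hash, and a signature built exactly as the notes describe it (hash the document, apply the creator's private key, verify with the public key). This is an added example, not code from the notes or the textbook. The RSA key is derived from two fixed, far-too-small primes so the block runs offline with only the standard library; that is an assumption for the demo, and real signatures use 2048-bit or larger keys with a padding scheme such as RSA-PSS from a vetted library, never textbook RSA.

```python
"""Hashing versus encryption, and a digital signature built the way the notes
describe it (hash the document, apply the creator's private key). Added example,
not the notes' or textbook's code. The RSA key below comes from two fixed,
far-too-small primes so the block runs offline with the standard library only;
real signatures use 2048-bit or larger keys and a padding scheme such as
RSA-PSS from a vetted library."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hash_properties():
    """Fixed output length regardless of input length, and a one-character
    change flipping roughly half of the 256 output bits."""
    short = sha256_hex(b"pay 100")
    long_ = sha256_hex(b"pay 100 " * 1000)
    changed = sha256_hex(b"pay 101")
    return {"fixed_length": len(short) == len(long_) == 64,
            "bits_changed": differing_bits(short, changed)}


# Toy RSA parameters (assumption for the demo only; never use primes this small).
P, Q = 1000003, 1000033
N = P * Q
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (Python 3.8+ modular inverse)


def digest_int(document: bytes, n: int) -> int:
    # Real RSA signatures pad the full digest up to the key size; with a toy
    # modulus we reduce it mod n only so that the arithmetic below is defined.
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private_key=(D, N)) -> int:
    """Digital signature: hash the document, then apply the private key."""
    d, n = private_key
    return pow(digest_int(document, n), d, n)


def verify(document: bytes, signature: int, public_key=(E, N)) -> bool:
    """Anyone holding the public key can check integrity (the hash still matches)
    and origin (only the private key could have produced the signature)."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(document, n)
```

Verification failing on a one-character change to the document is what gives integrity; verification succeeding only under the signer's public key is what gives the origin claim, and the certificate and CA discussed above are what bind that public key to a person or organization.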
ACCTG 320 Notes 4/30: Ch 22 Systems Design, Implementation, and Operation

Conceptual systems design: the developer creates a general framework for implementing user requirements and solving the problems identified in the analysis phase.
1. Evaluating design alternatives:
   a. How well it meets organizational and system objectives
   b. How well it meets user needs
   c. Whether it is economically feasible
   d. How advantages weigh against disadvantages

Design Considerations and Alternatives
Communication channels: telephone, Internet, cable, fiber optics, or satellite
Communications network: centralized, decentralized, distributed, or local area
Data storage medium: tape, disk, hard drive, CD, or paper
Data storage structure: files or database
File organization and access: random, sequential, or indexed sequential access
Input medium: keying, optical character recognition (OCR), magnetic ink character recognition (MICR), point of sale (POS), EDI, or voice
Input format: source document, turnaround document, source data automation, or screen
Operations: in-house or outsourcing
Output and update frequency: instantaneous, hourly, daily, weekly, or monthly
Output medium: paper, screen, voice, CD, or microfilm
Output scheduling: predetermined times or on demand
Output format: narrative, table, graph, file, or electronic
Printed output format: preprinted forms or system-generated forms
Processing mode: manual, batch, or real time
Processor: personal computer, server, or mainframe
Software acquisition: canned, custom, or modified
Transaction processing: batch or online

Conceptual design specifications are created once a design alternative is selected, for the following elements:
1. Output: prepared first, because the system is designed to meet user information needs. For a sales analysis report, the sales manager (SM) must decide:
   a. How often to produce the sales analysis report
   b. What the report should contain
   c. What it will look like
   d. Whether it is hard copy, screen, or both
2. Data storage: includes which data elements must be stored to produce the sales report, how they should be stored, and what type of file or database to use
3.
Input: includes which sales data to enter (sale location and amount) and where, when, and how to collect the data
4. Processing procedures and operations: include how to process the input and stored data to produce the sales report, and in which sequence the processes must be performed

Conceptual systems design report: summarizes conceptual design activities, guides physical design activities, communicates how all information needs will be met, and helps the steering committee assess feasibility.

Physical systems design: the broad, user-oriented AIS requirements of conceptual design are translated into detailed specifications that are used to code and test the computer programs.
Output design: determines the nature, format, content, and timing of reports, documents, and screen displays. Output usually fits into one of the following 4 categories:
1. Scheduled reports: have a prespecified content and format and are prepared on a regular basis, e.g. monthly performance reports, weekly sales analyses, and annual financial statements.
2. Special-purpose analysis reports: have no prespecified content/format and are not prepared on a regular schedule. Prepared in response to a management request to evaluate an issue.
3. Triggered exception reports: prespecified content and format, but prepared only in response to abnormal conditions. Excessive absenteeism, cost overruns, inventory shortages, and situations requiring immediate corrective action trigger them.
4. Demand reports: prespecified content and format, but prepared on request.
Both triggered exception reports and demand reports can be used effectively to facilitate the management process.
Output design considerations:
Use: who will use the output, why, when do users need it, and what decisions will they make based on it?
Medium: paper, screen, voice, email, or some combination?
Format: will narrative, table, or graphic format best convey the information?
Preprinted: use preprinted forms? Turnaround documents?
Location: where should output be sent?
Access: who should have access to hard copy and screen
output?
Detail: should a summary or table of contents be included with lengthy output? Should headings organize data and highlight important items? Should detailed information be placed in an appendix?
Timeliness: how often should output be produced?

File and Database Design Considerations
Medium: store data on hard drive, disk, CD, tape, or paper?
Processing mode: use manual, batch, or real-time processing?
Maintenance: what procedures are needed to maintain data effectively?
Size: how many records will be stored in the database, how large will they be, and how fast will the number of records grow?
Activity level: what percentage of the records will be updated, added, or deleted each year?

Input Design: includes what types of data will be input and the optimal input method.
Form design / computer screen design is most effective when these procedures are followed:
- Organize the screen so data can be entered quickly, accurately, and completely. Minimize data input by retrieving as much data as possible from the system.
- Enter data in the same order as displayed on the paper forms that capture the data.
- Group logically related data together. Complete the screen from left to right and top to bottom.
- Design the screen so users can jump from one data entry location to another, or use a single key to go directly to screen locations.
- Make it easy to correct mistakes.
- Restrict the data or the number of menu options on a screen to avoid clutter.
Input design considerations:
Medium: enter data using a keyboard, OCR, MICR, POS terminal, barcodes, RFID tags, EDI, or voice input?
Source: where do data originate, and how does that affect data entry?
Format: what format efficiently captures the data with the least effort and cost?
Type: what is the nature of the data?
Volume: how much data are to be entered?
Personnel: what are data entry operators' abilities, functions, and expertise? Is additional training necessary?
Frequency: how often must data be entered?
Cost: how can costs be minimized without adversely affecting efficiency and accuracy?
Error
detection and correction: what errors are possible, and how can they be detected and corrected?

Principles of Good Form Design
General considerations:
- Are preprinted data used as much as possible?
- Are the weight and grade of the paper appropriate for the planned use?
- Do bold type, lines, and shading highlight different parts of the form?
- Is the form a standard size?
- Is the form size consistent with filing, binding, or mailing requirements?
- If the form is mailed, will the address show in a window envelope?
- Are copies printed in different colors to facilitate proper distribution?
- Do clear instructions explain how to complete the form?
Introduction:
- Does the form name appear at the top in bold type?
- Is the form consecutively prenumbered?
- Are the company name and address preprinted on forms sent to external parties?
Main body:
- Is logically related information (e.g. customer name, address) grouped together?
- Is there sufficient room to record each data item?
- Is data entry consistent with the sequence in which the data is acquired?
- Are codes or check-offs that are used instead of written entries adequately explained?
Conclusion:
- Is space provided to record the final disposition of the form?
- Is space provided for a signature to indicate transaction approval?
- Is space provided to record the approval date?
- Is space provided for a dollar or numeric total?
- Is the distribution of each copy of the form clearly indicated?

Program design steps:
1. Determine user needs: systems analysts consult with users and reach an agreement on user needs and software requirements.
2. Create and document a development plan.
3. Write program instructions (computer code).
   - Structured programming: the program is subdivided into small, well-defined modules to reduce complexity and enhance reliability and modifiability. Modules should interact with a control module rather than with each other. Each module should have only one entry and one exit point.
4. Test the program. Debugging: the process of discovering and eliminating program errors. Large programs are often tested in
3 stages: individual program modules, the linkages between modules and a control module, and interfaces with other application programs.
   - Between 20 and 30 percent of software development costs should be allocated to testing, debugging, and rewriting software.
5. Document the program: explains how programs work and is used to correct errors.
   - Includes flowcharts, data flow diagrams, E-R diagrams, data models, record layouts, and narrative descriptions. Stored in a documentation manual.
6. Train program users: program documentation is often used for this.
7. Install the system.
8. Use and modify the system.
   - Program maintenance: factors that require existing programs to be revised include requests for new/revised reports, changes in input, file content, or values (such as tax rates), error detection, and conversion to new hardware.

Controls Design Considerations
Validity: are system interactions valid?
Authorization: are input, processing, storage, and output activities authorized by the appropriate managers?
Accuracy: is input verified to ensure accuracy? Are data processed and stored accurately?
Security: is the system protected against (a) unauthorized physical and logical access, to prevent the improper use, alteration, destruction, or disclosure of information and software, and (b) the theft of system resources?
Numerical: are documents prenumbered to prevent errors and fraud and to detect when documents are missing or stolen?
Availability: is the system available at the times set forth in service level agreements? Can users enter, update, and retrieve data during the agreed-upon times?
Maintainability: can the system be modified without affecting system availability, security, and integrity? Are only authorized, tested, and documented changes made? Are resources available to manage, schedule, document, and communicate the changes?
Integrity: is data processing complete, accurate, timely, and authorized? Is data processing free from unauthorized or inadvertent system manipulation?
Audit trail: can transactions be traced from source documents to final output?

Physical
systems design report: summarizes what was accomplished and serves as the basis for management's decision whether or not to proceed to the implementation phase.

Systems implementation: the process of installing hardware and software and getting the AIS up and running.
Implementation plan: consists of implementation tasks, expected completion dates, cost estimates, and who is responsible for each task.
Hidden cost of inadequate training: users turn for help to coworkers who have mastered the system, decreasing the productivity of those coworkers and increasing company costs.
Complete documentation: 3 types of documentation must be prepared for new systems:
1. Development documentation: describes the new AIS. It includes a system description; copies of output, input, and file and database layouts; program flowcharts; test results; and user acceptance forms.
2. Operations documentation: includes operating schedules, files and databases accessed, and equipment, security, and file retention requirements.
3. User documentation: teaches users how to operate the AIS. It includes a procedures manual.
Testing the System
1. Walkthroughs: step-by-step reviews of procedures or program logic to find incorrect logic, errors, omissions, or other problems. Early in system design they focus on the inputs, outputs, and data flows of the organization; subsequent walkthroughs attended by programmers address logical and structural aspects of program code.
2. Processing test data: performed to determine whether a program operates as designed, valid transactions are handled properly, and errors are detected and dealt with appropriately.
3. Acceptance tests: use copies of real transactions and files rather than hypothetical ones. Users develop the acceptance criteria and make the final decision whether to accept the AIS.
Conversion: changing from the old to the new AIS (hardware, software, data files, and procedures); complete when the new AIS is a routine, ongoing part of the system. 4 conversion approaches:
Direct conversion: terminates the old AIS when the new one is
introduced. Inexpensive, but provides no backup AIS.
Parallel conversion: operates the old and new systems simultaneously for a period. Protects from errors, but it is costly and stressful to process transactions twice. Popular.
Phase-in conversion: gradually replaces elements of the old AIS with the new one. Allows data processing resources to be acquired over time. Disadvantages are the cost of creating the temporary interfaces between the old and the new AIS and the time required to make the gradual changeover.
Pilot conversion: implements a system in one part of the organization, such as a branch location. Advantage: localizes conversion problems and allows training in a live environment. Disadvantage: long conversion time and the need for interfaces between the old and new systems, which coexist until all locations have been converted.
Data files may need to be modified in 3 ways:
1. Files may be moved to a different storage medium (tapes to disks).
2. Data content may be changed (fields and records may be added/deleted).
3. File or database format may be changed.
Post-implementation review: conducted to determine whether the system meets its planned objectives. Factors to investigate during the post-implementation review:
Goals and objectives: does the system help the organization meet its goals, objectives, and overall mission?
Satisfaction: are users satisfied?
Benefits: how have users benefited?
Costs: are actual costs in line with expected costs?
Reliability, accuracy, timeliness, compatibility, controls and security.
Errors: do adequate error handling procedures exist?
Training: are systems personnel and users trained to support and use the system?
Communications: is the communications system adequate?
Organizational changes: are organizational changes beneficial or harmful? If harmful, how can they be resolved?
Documentation: is system documentation complete and accurate?

ACCTG 320 Notes 5/19: Ch 12 The Revenue Cycle: Sales to Cash Collections

Revenue cycle: a recurring set of business activities and related information processing operations
associated with providing goods and services to customers and collecting cash in payment for those sales. Primary objective: provide the right product in the right place at the right time for the right price.
Management must make the following key decisions:
- To what extent can and should products be customized to individual customers' needs and desires?
- How much inventory should be carried, and where should that inventory be located?
- How should merchandise be delivered to customers? Should the company perform the shipping function itself or outsource it to a third party that specializes in logistics?
- What are the optimal prices of each product/service?
- Should credit be extended to customers? If so, what credit terms should be offered? How much credit should be extended to individual customers?
- How can customer payments be processed to maximize cash flow?
An organization performs 4 basic revenue cycle activities: (1) sales order entry, (2) shipping, (3) billing, (4) cash collections.

Threats and Controls in the Revenue Cycle
General issues throughout the entire revenue cycle
Threats: 1 inaccurate or invalid master data; 2 unauthorized disclosure of sensitive information; 3 loss/destruction of data; 4 poor performance.
Controls: 1.1 data processing integrity controls; 1.2 restriction of access to master data; 1.3 review of all changes to master data; 2.1 access controls; 2.2 encryption; 3.1 backup and disaster recovery procedures; 4.1 managerial reports.
Sales order entry
Threats: 5 incomplete/inaccurate orders; 6 invalid orders; 7 uncollectible accounts; 8 stockouts or excess inventory; 9 loss of customers.
Controls: 5.1 data entry edit controls; 5.2 restriction of access to master data; 6.1 digital signatures/written signatures; 7.1 credit limits; 7.2 specific authorization to approve sales to new customers or sales that exceed a customer's credit limit; 7.3 aging of AR; 8.1 perpetual inventory control system; 8.2 use of bar codes or RFID; 8.3 training; 8.4 periodic physical counts of inventory; 8.5 sales forecasts and activity reports; 9.1 CRM systems, self-help Web sites, and proper
evaluation of customer service ratings.
Shipping
Threats: 10 picking the wrong items/wrong quantity; 11 theft of inventory; 12 shipping errors (delay or failure to ship, wrong quantity, wrong items, wrong addresses, duplication).
Controls: 10.1 bar code and RFID technology; 10.2 reconciliation of picking lists to sales order details; 11.1 restriction of physical access to inventory; 11.2 documentation of all inventory transfers; 11.3 RFID and bar code technology; 11.4 periodic physical counts of inventory and reconciliation to recorded quantities; 12.1 reconciliation of shipping documents with sales orders, picking lists, and packing slips; 12.2 use of RFID systems to identify delays; 12.3 data entry via bar code scanners and RFID; 12.4 data entry edit controls if shipping data are entered on terminals; 12.5 configuration of the ERP system to prevent duplicate shipments.
Billing
Threats: 13 failure to bill; 14 billing errors; 15 posting errors in AR; 16 inaccurate or invalid credit memos.
Controls: 13.1 separation of billing and shipping functions; 13.2 periodic reconciliation of invoices with sales orders, picking tickets, and shipping documents; 14.1 configuration of the system to automatically enter pricing data; 14.2 restriction of access to pricing master data; 14.3 data entry edit controls; 14.4 reconciliation of shipping documents (picking tickets, bills of lading, and packing lists) to sales orders; 15.1 data entry controls; 15.2 reconciliation of batch totals; 15.3 mailing of monthly statements to customers; 15.4 reconciliation of subsidiary accounts to the general ledger; 16.1 segregation of duties of credit memo authorization from both sales order entry and customer account maintenance; 16.2 configuration of the system to block credit memos unless there is either corresponding documentation of return of damaged goods or specific authorization by management.
Cash Collections
Threats: 17 theft of cash; 18 cash flow problems.
Controls: 17.1 separation of the cash handling function from AR and credit functions; 17.2 regular reconciliation of the bank account with recorded amounts by someone
independent of cash collections procedures; 17.3 use of EFT, FEDI, and lockboxes to minimize handling of customer payments by employees; 17.4 prompt restrictive endorsement of all customer checks; 17.5 having 2 people open all mail likely to contain customer payments; 17.6 use of cash registers; 17.7 daily deposit of all cash receipts; 18.1 lockbox arrangements, EFT, or credit cards; 18.2 discounts for prompt payment by customers; 18.3 cash flow budgets.

Sales order entry: entails 3 steps: taking the customer's order, checking and approving customer credit, and checking inventory availability; also responding to customer inquiries.
Sales order: document, usually an electronic form displayed on a computer monitor screen, containing information about item numbers, quantities, prices, and other terms of the sale.
Electronic data interchange (EDI): submits the order electronically in a format compatible with the company's sales order processing system.
An interactive sales order entry system not only increases sales but also helps improve cash flow in 2 ways: (1) because many sales are built to order, less capital needs to be tied up in carrying a large inventory of finished goods; (2) the build-to-order model allows companies to collect all or part of the payment in advance, possibly even before they have to pay for the raw materials.
Credit limit: the maximum allowable account balance that management wishes to allow for a customer, based on that customer's past credit history and ability to pay. Credit approval must occur before the goods are released from inventory and shipped to the customer.
Accounts receivable aging report: lists customer account balances by length of time outstanding.
Backorder: created if there is not sufficient inventory on hand to fill the order.
Picking ticket: lists the items and quantity of each item that the customer ordered.
Customer relationship management (CRM) systems: help organize detailed information about customers to facilitate more efficient and more personalized service.
Filling customer orders and shipping the desired merchandise: 2 steps: (1) picking and packing the order; (2)
shipping the order.
Packing slip: lists the quantity and description of each item included in the shipment.
Bill of lading: a legal contract that defines responsibility for the goods in transit. If the customer is to pay the shipping charges, a copy of the bill of lading may serve as a freight bill to indicate the amount the customer should pay to the carrier.
Billing: 2 separate but closely related tasks, invoicing and updating AR, which are performed by 2 separate units within the accounting department.
Sales invoice: notifies customers of the amount to be paid and where to send payment.
2 basic ways to maintain AR: the open invoice and balance-forward methods.
Open invoice method: customers typically pay according to each invoice. Usually 2 copies of the invoice are mailed to the customer, who is requested to return 1 copy with payment (remittance advice). Customer payments are then applied against specific invoices.
Balance-forward method: customers typically pay according to the amount shown on a monthly statement rather than by individual invoices. The monthly statement lists all transactions, including both sales and payments, that occurred during the past month and informs customers of their current account balances. Remittances are applied against the total account balance rather than against specific invoices.
Advantages of the open invoice method: conducive to offering discounts for prompt payment; more uniform flow of cash collections throughout the month. Disadvantage: the added complexity required to maintain information about the status of individual invoices for each customer. The open invoice method is typical in B2B; the balance-forward method is used by, e.g., Citibank, Sears, and JCPenney.
Cycle billing: monthly statements are prepared for subsets of customers at different times; used with the balance-forward method.
Credit memo: authorizes the crediting of the customer's account. Unlike the cases involving damaged or returned goods, a copy of the credit memo used to authorize the write-off of an account is not sent to the customer.
Cash Collections
Remittance list: a document identifying the names and amounts of all customer remittances, prepared when the mail is opened and sent to AR.
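The sales order entry and billing controls listed above (data entry edit controls, credit limits with specific authorization for over-limit orders, the inventory availability check that creates a backorder, and reconciliation of batch totals before posting to AR), worked as code. This is an added example, not code from the notes or the textbook; the customer and inventory master data, the invoice batch, and the reasonableness limit are constructed for illustration.

```python
"""Sales order entry and billing controls from the revenue-cycle notes, as code:
data entry edit checks, a credit-limit check before goods are released, an
inventory availability check, and batch-total reconciliation before posting to
accounts receivable. Added example, not the notes' or textbook's code; the
customer, inventory and invoice data are constructed."""
from dataclasses import dataclass, field

# Constructed master data: customer file and inventory file.
CUSTOMERS = {"C100": {"credit_limit": 5000.00, "balance": 4200.00},
             "C200": {"credit_limit": 1000.00, "balance": 0.00}}
INVENTORY = {"SKU-1": {"price": 250.00, "on_hand": 10},
             "SKU-2": {"price": 40.00, "on_hand": 0}}
MAX_QTY = 1000                 # assumed reasonableness limit for one order line


@dataclass
class Order:
    order_no: str
    customer: str
    sku: str
    qty: int
    errors: list = field(default_factory=list)


def edit_checks(order):
    """Data entry edit controls: validity, field, sign and range checks."""
    if order.customer not in CUSTOMERS:
        order.errors.append("unknown customer (validity check)")
    if order.sku not in INVENTORY:
        order.errors.append("unknown item (validity check)")
    if not isinstance(order.qty, int) or order.qty <= 0:
        order.errors.append("quantity must be a positive integer (field/sign check)")
    elif order.qty > MAX_QTY:
        order.errors.append("quantity exceeds reasonableness limit (range check)")
    return order.errors


def credit_check(order):
    """Limit check: the projected balance must stay within the credit limit;
    otherwise the order is held for specific authorization before goods are released."""
    cust = CUSTOMERS[order.customer]
    amount = INVENTORY[order.sku]["price"] * order.qty
    if cust["balance"] + amount > cust["credit_limit"]:
        return "hold: requires credit manager approval"
    return "approved"


def availability(order):
    """Inventory check: fill from stock or create a backorder."""
    return "fill" if INVENTORY[order.sku]["on_hand"] >= order.qty else "backorder"


def process(order):
    """Sales order entry: edit checks first, then credit, then availability."""
    if edit_checks(order):
        return {"status": "rejected", "errors": order.errors}
    return {"status": credit_check(order), "inventory": availability(order)}


def batch_totals(invoices):
    """Control totals: record count, financial total, and a hash total of a
    non-financial field (customer number) that catches a record posted to the
    wrong customer even when the amounts still add up."""
    return {"count": len(invoices),
            "amount": round(sum(i["amount"] for i in invoices), 2),
            "hash": sum(int(i["customer"][1:]) for i in invoices)}


def reconcile_batch(entered, posted):
    """Names of the totals that disagree between entry and AR posting;
    an empty list means the batch reconciles."""
    a, b = batch_totals(entered), batch_totals(posted)
    return [name for name in a if a[name] != b[name]]


# Constructed invoice batch and a posted copy with one transposed amount (2100 -> 1200).
ENTERED = [{"invoice": "I1", "customer": "C100", "amount": 1000.00},
           {"invoice": "I2", "customer": "C200", "amount": 120.00},
           {"invoice": "I3", "customer": "C100", "amount": 2100.00}]
POSTED_TRANSPOSED = [dict(ENTERED[0]), dict(ENTERED[1]),
                     {"invoice": "I3", "customer": "C100", "amount": 1200.00}]


def demo():
    return {
        "over_limit": process(Order("SO-1", "C100", "SKU-1", 4)),   # hold, stock can fill it
        "backorder": process(Order("SO-2", "C200", "SKU-2", 3)),    # approved, backorder
        "bad_input": process(Order("SO-3", "C999", "SKU-1", -1)),   # rejected with 2 errors
        "batch_diff": reconcile_batch(ENTERED, POSTED_TRANSPOSED),  # only the amount total disagrees
    }
```

The ordering in process() matters: edit checks run before anything touches master data, the credit decision is made before the picking ticket would be produced, and the over-limit order is not rejected but held, since the notes make the exception a specific-authorization decision rather than an automatic refusal. The batch totals are computed once at entry and again at posting; a transposed digit changes the financial total, while a record keyed to the wrong customer changes the hash total even if the amount is right.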
Lockbox: a postal address to which customers send their remittances.
Electronic lockbox: an arrangement in which the bank electronically sends the company information about the customer account number and the amount remitted as soon as it receives and scans those checks.
Electronic funds transfer (EFT): customers send their remittances electronically to the company's bank, eliminating the delay associated with the time the payment is in the mail system.
Financial electronic data interchange (FEDI): integrates the exchange of funds (EFT) with the exchange of the remittance data (EDI).
Threats and Controls: segregation of duties is the most effective control procedure for reducing the risk of theft of customer remittances. The following pairs of duties should be segregated:
1. Handling cash or checks, and posting remittances to customer accounts
2. Handling cash or checks, and authorizing credit memos
3. Handling cash or checks, and reconciling the bank statement
A list of all checks received should be prepared immediately after opening the mail.
Cash flow budget: provides estimates of cash inflows (projected collections from sales) and outflows (outstanding payables).

ACCTG 320 Notes 5/3: Ch 7 Control and Accounting Information Systems

Threat/event: a potential adverse occurrence.
Exposure/impact: the potential dollar loss from a threat.
Likelihood of the threat: the probability that it will happen.
Internal control: a process implemented to provide reasonable assurance that the following control objectives are achieved:
- Safeguard assets: prevent or detect their unauthorized acquisition, use, or disposition
- Maintain records in sufficient detail to report company assets accurately and fairly
- Provide accurate and reliable information
- Prepare financial reports in accordance with established criteria
- Promote and improve operational efficiency
- Encourage adherence to prescribed managerial policies
- Comply with applicable laws and regulations
Accountants and systems developers help management achieve their control objectives by (1) designing effective control systems that
take a proactive approach to eliminating system threats and that detect, correct, and recover from threats when they occur, and (2) making it easier to build controls into a system at the initial design stage than to add them after the fact.
Internal controls perform 3 important functions:
1. Preventive controls: deter problems before they arise, e.g. hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information.
2. Detective controls: discover problems that are not prevented, e.g. duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.
3. Corrective controls: identify and correct problems as well as correct and recover from the resulting errors, e.g. maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.
Internal controls are often segregated into 2 categories:
1. General controls: make sure an organization's control environment is stable and well managed, e.g. security, IT infrastructure, and software acquisition, development, and maintenance controls.
2. Application controls: make sure transactions are processed correctly. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.
Robert Simons espoused 4 levers of control to help management reconcile the conflict between creativity and controls:
1. A belief system: describes how the company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values.
2. A boundary system: helps employees act ethically by setting boundaries on employee behavior. Employees are not told exactly what to do; instead they are encouraged to creatively solve problems and meet customer needs while meeting minimum performance standards, shunning off-limit activities, and avoiding actions that might damage their reputation.
3. A diagnostic control system: measures, monitors, and compares actual
company progress to budgets and performance goals. Feedback helps management adjust and fine-tune inputs and processes so future outputs more closely match goals.
4. An interactive control system: helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions. Interactive system data are interpreted and discussed in face-to-face meetings of superiors, subordinates, and peers.

Foreign Corrupt Practices Act (FCPA): passed to prevent companies from bribing foreign officials to obtain business.
Sarbanes-Oxley Act (SOX): applies to publicly held companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud. Some of the most important aspects of SOX:
- Public Company Accounting Oversight Board (PCAOB): controls the auditing profession. Sets and enforces auditing, quality control, ethics, independence, and other auditing standards.
- New rules for auditors: auditors must report specific information to the company's audit committee, such as critical accounting policies and practices. Audit partners must be rotated periodically. SOX prohibits auditors from performing certain non-audit services, such as IS design and implementation. Audit firms cannot provide services to companies if top management was employed by the auditing firm and worked on the company's audit in the preceding 12 months.
- New roles for audit committees: audit committee members must be on the company's board of directors and be independent of the company. One member of the audit committee must be a financial expert. The audit committee hires, compensates, and oversees the auditors, who report directly to it.
- New rules for management: the CEO and CFO must certify that (1) financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading, and that (2) the auditors were told about all material internal control weaknesses and fraud. If management knowingly
violates these rules, they can be prosecuted and fined. Companies must disclose in plain English material changes to their financial condition on a timely basis.
- New internal control requirements: Section 404 requires companies to issue a report accompanying the financial statements stating that mgmt is responsible for establishing and maintaining an adequate internal control system. The report must contain management's assessment of the company's internal controls, attest to their accuracy, and report significant weaknesses or material noncompliance.

After SOX was passed, the SEC mandated that mgmt must:
- Base its evaluation on a recognized control framework
- Disclose all material internal control weaknesses
- Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses

Control Objectives for Information and Related Technology (COBIT): consolidates control standards from 36 different sources into a single framework that allows (1) mgmt to benchmark security and control practices of IT environments, (2) users to be assured that adequate IT security and control exist, and (3) auditors to substantiate their internal control opinions and to advise on IT security and control matters. The framework addresses control from 3 vantage points:
1. Business objectives: to satisfy business objectives, information must conform to seven categories of criteria that map into the objectives established by the Committee of Sponsoring Organizations (COSO).
2. IT resources: these include people, application systems, technology, facilities, and data.
3. IT processes: these are broken into 4 domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.

Committee of Sponsoring Organizations (COSO): consists of the American Accounting Association, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

Internal Control
Integrated Framework (IC): widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities.

Enterprise Risk Management Integrated Framework (ERM): the process the board of directors and mgmt use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.

5 interrelated components of COSO's Internal Control Model:
1. Control environment: the core of any business is its people, their individual attributes (including integrity, ethical values, and competence), and the environment in which they operate. They are the engine that drives the organization and the foundation on which everything rests.
2. Control activities: control policies and procedures help ensure that the actions identified by mgmt as necessary to address risks and achieve the organization's objectives are effectively carried out.
3. Risk assessment: the organization must identify, analyze, and manage its risks. It must set objectives so that the organization is operating in concert.
4. Information and communication: information and communication systems capture and exchange the information needed to conduct, manage, and control the organization's operations.
5. Monitoring: the entire process must be monitored and modifications made as necessary so the system can change as conditions warrant.

The more comprehensive ERM framework takes a risk-based rather than a control-based approach. ERM adds 3 additional elements to COSO's IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risk.

COSO's enterprise risk mgmt model: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring.

Internal environment: company culture; influences how organizations establish strategies and objectives, structure business activities, and identify, assess,
and respond to risk. The internal environment consists of the following:
- Mgmt's philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences

Risk appetite: the amount of risk they are willing to accept to achieve their goals.

Audit committee: responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors, who report all critical accounting policies and practices to them. Directors should also approve company strategy and review security policies.

Companies endorse integrity by:
- Actively teaching and requiring it (ex: making it clear that honest reports are more important than favorable ones)
- Avoiding unrealistic expectations or incentives that motivate dishonest or illegal acts
- Consistently rewarding honesty and giving verbal labels to honest and dishonest behavior
- Developing a written code of conduct that explicitly describes honest and dishonest behaviors
- Requiring employees to report dishonest or illegal acts and disciplining employees who knowingly fail to report them
- Making a commitment to competence

Important aspects of the organizational structure include the following:
- Centralization or decentralization of authority
- A direct or matrix reporting relationship
- Organization by industry, product line, location, or marketing network
- How allocation of responsibility affects information requirements
- Organization of and lines of authority for acctg, auditing, and IS functions
- Size and nature of company activities

Policy and procedures manual: explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties. Includes the chart of accounts and copies of forms and documents.

Background check
includes talking to references, checking for a criminal record, examining credit records, and verifying education and work experience.

Most fraud is not reported or prosecuted, for several reasons:
1. Companies are reluctant to report fraud because it can be a public relations disaster. The disclosure can also reveal system vulnerabilities and attract more fraud or hacker attacks.
2. Law enforcement and the courts are busy with violent crimes and have less time and interest for computer crimes in which no physical harm occurs.
3. Fraud is difficult, costly, and time consuming to investigate and prosecute.
4. Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate and prosecute computer crimes.
5. Fraud sentences are often light.

External influences include requirements imposed by stock exchanges, the FASB, the PCAOB, and the SEC.

Objective setting: strategic objectives (high-level goals that are aligned with the company's mission, support it, and create shareholder value) are set first. Mgmt should identify alternative ways of accomplishing the strategic objectives, identify and assess the risks and implications of each alternative, etc.
- Operations objectives deal with the effectiveness and efficiency of company operations and determine how to allocate resources. They reflect mgmt preferences, judgments, and style and are a key factor in corporate success.
- Reporting objectives help ensure the accuracy, completeness, and reliability of company reports, improve decision making, and monitor company activities and performance.
- Compliance objectives help the company comply w/ all applicable laws and regulations.

Event identification: an event is an incident or occurrence emanating from internal/external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts or both.

Inherent risk: exists before mgmt takes any steps to control the likelihood or impact of an event. Residual risk: what remains after mgmt implements internal controls or some other
response to risk.

Mgmt can respond to risk in 1 of 4 ways:
- Reduce: reduce the likelihood and impact of risk by implementing an effective system of internal controls.
- Accept: accept the likelihood and impact of the risk.
- Share: share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions.
- Avoid: avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Expected loss = impact × likelihood

Risk assessment approach to designing internal controls:
- Identify the events or threats that confront the company
- Estimate the likelihood or probability of each threat occurring
- Estimate the impact or potential loss from each threat
- Identify controls to guard against each threat
- Estimate the costs and benefits from instituting controls
- Is it cost-beneficial to protect the system from a threat? If yes, reduce risk by implementing controls to guard against the threat.

Control activities: policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out. Control procedures fall into the following categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Project development and acquisition controls
4. Change mgmt controls
5. Design and use of documents and records
6. Safeguarding assets, records, and data
7. Independent checks on performance

Authorization: empowerment, often documented by signing, initialing, or entering an authorization code on a document or record. Digital signature: a means of signing a document with data that cannot be forged. Specific authorization vs. general authorization (without special approval).

Segregation of accounting duties is achieved when the following functions are separated:
- Authorization: approving transactions and decisions
- Recording: preparing source documents, entering data into online systems, maintaining journals, ledgers, files, or
databases, and preparing reconciliations and performance reports
- Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks

Collusion: two or more people; makes it much easier to commit and conceal the fraud.

Segregation of system duties: authority and responsibility should be divided clearly among the following functions:
1. System administration: systems administrators make sure all IS components operate smoothly and efficiently.
2. Network mgmt: network managers ensure that devices are linked to the organization's internal and external networks and that those networks operate properly.
3. Security mgmt: security mgmt makes sure that systems are secure and protected from internal and external threats.
4. Change mgmt: change mgmt is the process of making sure that changes are made smoothly and efficiently and that they do not negatively affect systems reliability, security, confidentiality, integrity, and availability.
5. Users: record transactions, authorize data to be processed, and use system output.
6. Systems analysis: systems analysts help users determine their information needs and design systems to meet those needs.
7. Programming: programmers take the analysts' design and create a system by writing the computer programs.
8. Computer operations: computer operators run the software on the company's computers. They ensure that data are input properly, that they are processed correctly, and that output is produced when needed.
9. Information system library: maintains custody of corporate databases, files, and programs in a separate storage area called the information system library.
10. Data control: the data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.

Steering committee: guides and oversees systems development and acquisition.

Strategic master plan: developed and updated yearly
to align an organization's information system with its business strategies. It shows the projects that must be completed, and it addresses the company's hardware, software, personnel, and infrastructure requirements.

Project development plan: shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones (significant points when progress is reviewed and actual and estimated completion times are compared). Each project is assigned to a manager and team who are responsible for its success or failure.

Data processing schedule: shows when each task should be performed.

System performance measurements: established to evaluate the system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is used), and response time (how long it takes the system to respond).

Post-implementation review: performed after a development project is completed to determine whether the anticipated benefits were achieved.

Systems integrator: manages a systems development effort involving its own personnel, its client, and other vendors. Companies using systems integrators should use the same project mgmt processes and controls as internal projects. In addition they should:
- Develop clear specifications: includes exact descriptions and system definitions, explicit deadlines, and precise acceptance criteria.
- Monitor the project: companies should establish formal procedures for measuring and reporting a project's status.

It is important to:
- Create and enforce appropriate policies and procedures
- Maintain accurate records of all assets; periodically reconcile the recorded amounts of company assets to physical counts of those assets
- Restrict access to assets: restricting access to storage areas protects inventories and equipment
- Protect records and documents: fireproof storage areas, locked filing cabinets, backup files, and off-site storage protect records and documents

Independent checks on performance:
- Top-level reviews: mgmt should monitor company results and
periodically compare actual company performance to (a) planned performance as shown in budgets, targets, and forecasts, (b) prior-period performance, and (c) competitors' performance.
- Analytical reviews: an analytical review is an examination of the relationships between different sets of data. Ex: as credit sales increase, so should AR.
- Reconciliation of independently maintained records: records should be reconciled to documents or records with the same balance. EX: a bank reconciliation verifies that company checking account balances agree with bank statement balances.
- Comparison of actual quantities with recorded amounts
- Double-entry accounting
- Independent review

Audit trail: allows transactions to be traced back and forth between their origination and the financial statements.

According to the AICPA, AIS have 5 primary objectives: to identify and record all valid transactions, properly classify transactions, record transactions at their proper monetary value, record transactions in the proper acctg period, and properly present transactions and related disclosures in the financial statements.

Key methods of monitoring performance:
- Perform ERM evaluations: measured using a formal or a self-assessment ERM evaluation. A team can be formed to conduct the eval, or it can be done by internal auditing.
- Implement effective supervision: effective supervision involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets.
- Use responsibility accounting systems: include budgets, quotas, schedules, standard costs, and quality standards; reports comparing actual and planned performance; and procedures for investigating and correcting significant variances.
- Monitor system activities: risk analysis and mgmt software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements. Companies who monitor system activities should not violate employee privacy.
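The risk assessment approach from the ERM notes above (estimate likelihood and impact, compute expected loss = impact × likelihood, then ask whether a control is cost-beneficial), worked through in code. This is an added example, not material from the course notes; the Threat record, the assess() helper, and every threat name and dollar figure are constructed for illustration.

```python
"""Risk assessment cost-benefit check (added example; figures are constructed).

For each threat: expected loss = impact x likelihood. A control is judged
cost-beneficial when the reduction in expected loss it buys exceeds its
annual cost, which is the yes/no step at the end of the notes' approach.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float           # probability of the event per year (0..1)
    impact: float               # loss in dollars if the event occurs
    control: str                # candidate control to guard against the threat
    control_cost: float         # annual cost of operating the control
    residual_likelihood: float  # likelihood once the control is in place
    residual_impact: float      # impact once the control is in place


def expected_loss(likelihood: float, impact: float) -> float:
    """Expected loss = impact x likelihood; rejects values outside a probability."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return impact * likelihood


def net_benefit(t: Threat) -> float:
    """Reduction in expected loss the control buys, less the control's cost."""
    before = expected_loss(t.likelihood, t.impact)
    after = expected_loss(t.residual_likelihood, t.residual_impact)
    return (before - after) - t.control_cost


def assess(threats):
    """One row per threat: inherent and residual expected loss, net benefit,
    and the decision 'implement' (net benefit > 0) or 'do not implement'."""
    rows = []
    for t in threats:
        benefit = net_benefit(t)
        rows.append({
            "threat": t.name,
            "control": t.control,
            "expected_loss": expected_loss(t.likelihood, t.impact),
            "residual_expected_loss": expected_loss(t.residual_likelihood, t.residual_impact),
            "net_benefit": benefit,
            "decision": "implement" if benefit > 0 else "do not implement",
        })
    return rows


# Constructed sample threats: the names echo the notes, the numbers are invented.
SAMPLE_THREATS = [
    Threat("unauthorized change to payroll master data", 0.20, 50_000,
           "segregation of duties + review of master data changes", 4_000, 0.02, 50_000),
    Threat("loss or destruction of data", 0.05, 400_000,
           "backup and disaster recovery procedures", 15_000, 0.05, 20_000),
    Threat("keying error in a low-value file", 0.50, 500,
           "second keyer re-entering every record", 2_000, 0.10, 500),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_THREATS):
        print(f"{r['threat']}: expected loss {r['expected_loss']:,.0f}, "
              f"residual {r['residual_expected_loss']:,.0f}, "
              f"net benefit {r['net_benefit']:,.0f} -> {r['decision']}")
```

The third sample shows the case the notes' final step exists for: a control that cuts the loss but costs more than the risk it removes, so the risk is accepted rather than reduced.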
One way to do that is to have employees agree in writing to written policies that include the following:
- The technology an employee uses on the job belongs to the company
- E-mails received on company computers are not private and can be read by supervisory personnel
- Employees should not use technology to contribute to a hostile work environment

Computer security officer (CSO): in charge of system security; independent of the information system function and reports to the COO or the CEO. Chief compliance officer: handles all compliance issues.

Forensic investigators who specialize in fraud are a fast-growing group in the accounting profession. Computer forensics specialists discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.

Neural networks: programs with learning capabilities that can accurately identify fraud.

Fraud hotline: an effective way to comply w/ the law and resolve whistle-blower conflict.

ACCTG 320 Notes 5/26 Ch 15 The Human Resources Management and Payroll Cycle

Human resources management (HRM)/payroll cycle: a recurring set of business activities and related data processing operations associated with effectively managing the employee workforce. The more important tasks include:
1. Recruiting and hiring new employees
2. Training
3. Job assignment
4. Compensation (payroll)
5. Performance evaluation
6. Discharge of employees due to voluntary/involuntary termination

Payroll is one application that continues to be processed in batch mode.

To effectively utilize the organization's employees, the HRM/payroll system must collect and store the information managers need to answer the following kinds of questions:
- How many employees does the organization need to accomplish its strategic plans?
- Which employees possess specific skills?
- Which skills are in short supply? Which skills are in oversupply?
- How effective are current training programs in maintaining and improving employee skill levels?
- Is overall performance
improving or declining?
- Are there problems with turnover, tardiness, or absenteeism?

Knowledge management systems not only serve as a directory identifying the areas of expertise possessed by individual employees but also capture and store that knowledge so that it can be shared and used by others.

Threats and Controls in the Payroll/HRM Cycle

Activity: General issues throughout the entire HRM/payroll cycle
Threats:
1. Inaccurate or invalid master data
2. Unauthorized disclosure of sensitive information
3. Loss or destruction of data
4. Hiring unqualified or larcenous employees
5. Violations of employment laws
Controls:
1.1 Data processing integrity controls
1.2 Restriction of access to master data
1.3 Review of all changes to master data
2.1 Access controls
2.2 Encryption
3.1 Backup and disaster recovery procedures
4.1 Sound hiring procedures, including verification of job applicants' credentials, skills, references, and employment history
4.2 Criminal background investigation checks of all applicants for finance-related positions
5.1 Thorough documentation of hiring, performance evaluation, and dismissal procedures
5.2 Continuing education on changes in employment laws

Activity: Update payroll data
Threats:
6. Unauthorized changes to payroll master data
7. Inaccurate updating of payroll master data
Controls:
6.1 Segregation of duties: the HRM dept updates master data, but only the payroll dept issues paychecks
7.1 Data processing integrity controls
7.2 Regular review of all changes to master payroll data

Activity: Validate time and attendance data
Threats:
8. Inaccurate time and attendance data
Controls:
8.1 Source data automation for data capture
8.2 Biometric authentication
8.3 Segregation of duties: reconciliation of job time tickets to time cards
8.4 Supervisory review

Activity: Prepare payroll
Threats:
9. Errors in processing payroll
Controls:
9.1 Data processing integrity controls: batch totals, cross-footing of the payroll register, use of a payroll clearing account, and a zero-balance check
9.2 Supervisory review of the payroll register and other reports
9.3 Issuing earnings
statements to employees
9.4 Review of IRS guidelines to ensure proper classification of workers as either employees or independent contractors

Activity: Disburse payroll
Threats:
10. Theft or fraudulent distribution
Controls:
10.1 Restriction of physical access to blank payroll checks and the check signature machine
10.2 Restriction of access to the EFT system
10.3 Prenumbering and periodically accounting for all payroll checks, and review of all EFT direct deposit transactions
10.4 Require proper supporting documentation for all paychecks
10.5 Use of a separate checking account for payroll, maintained as an imprest fund
10.6 Segregation of duties: cashier vs. AP; check distribution from hiring/firing; independent reconciliation of the payroll checking account
10.7 Restriction of access to the payroll master database
10.8 Verification of identity of all employees receiving paychecks
10.9 Redepositing unclaimed paychecks and investigating the cause

Activity: Disburse payroll taxes and miscellaneous deductions
Threats:
11. Failure to make required payments
12. Untimely payments
13. Inaccurate payments
Controls:
11.1 Configuration of the system to make required payments using current instructions from the IRS
12.1 Same as 11.1
13.1 Processing integrity controls
13.2 Supervisory review of reports
13.3 Employee review of earnings statement

Time card: used for employees paid on an hourly basis. Time sheets: data recorded by professionals in service organizations (such as accounting, law, and consulting firms) to track the time they spend performing various tasks and for which clients.

Source data automation can reduce the risk of unintentional errors in collecting time and attendance data. IT can also reduce the risk of intentional inaccuracies in time and attendance data.

Payroll register: lists each employee's gross pay, payroll deductions, and net pay in a multicolumn format. Also serves as the supporting documentation to authorize transferring funds to the organization's payroll checking account. Deduction register: lists the miscellaneous voluntary deductions
for each employee. Earnings statement: lists the amount of gross pay, deductions, and net pay for the current period and year-to-date totals for each category.

Contents and Purpose of Commonly Generated HRM/Payroll Reports
- Cumulative earnings register: cumulative year-to-date gross pay, net pay, and deductions for each employee; used for employee information and annual payroll reports.
- Workforce inventory: list of employees by department; used in preparing labor-related reports for government agencies.
- Position control report: list of each authorized position, job qualifications, budgeted salary, and position status (filled or vacant); used in planning future workforce needs.
- Skills inventory report: list of employees and current skills; useful in planning future workforce needs and training programs.
- Form 941: employer's quarterly federal tax return showing all wages subject to tax and amounts withheld for income tax and FICA; filed quarterly to reconcile monthly tax payments with total tax liability for the quarter.
- Form W-2: report of wages and withholdings for each employee; sent to each employee for use in preparing individual tax returns; due by January 31.
- Form W-3: summary of all W-2 forms; sent to the federal govt along with a copy of all W-2 forms; due by February 28.
- Form 1099-MISC: report of income paid to independent contractors; sent to recipients of income for use in filing their income tax returns; due by January 31.
- Various other reports to government agencies: data on compliance with various regulatory provisions, state and local tax reports, etc.; used to document compliance with applicable regulations.

Three types of data processing integrity controls that can mitigate the threat of payroll errors:
1. Batch totals: batch totals should be calculated at the time of data entry and then checked against comparable totals calculated during each stage of processing. If the original and subsequent hash totals of employee numbers agree, it means that (1) all payroll records have been processed, (2) data input was accurate, and (3) no bogus
time cards were entered during processing.
2. Cross-footing the payroll register: the total of the net pay column should equal the total of gross pay less total deductions. If it does not, an error occurred in processing that needs to be promptly investigated and corrected.
3. Payroll clearing account: a general ledger account that is used in a 2-step process to check the accuracy and completeness of recording payroll costs and their subsequent allocation to appropriate cost centers. (1) The payroll clearing account is debited for the amount of gross pay, cash is credited for the amount of net pay, and the various withholdings are credited to separate liability accounts. (2) The cost accounting process distributes labor costs to various expense categories and credits the payroll clearing account; that credit should equal the amount that was previously debited when net pay and the various withholdings were recorded.

Applying to payroll the controls related to other cash disbursements discussed in Ch 13 can mitigate the threat of theft of paychecks/issuance of paychecks to fictitious or terminated employees:
- Access to blank payroll checks and to the check signature machine should be restricted. Similarly, the ability to authorize electronic funds transfer (EFT) transactions should be restricted and controlled through the use of strong multifactor authentication.
- All payroll checks should be sequentially prenumbered and periodically accounted for. If payroll is made via direct deposit, all EFT transactions should be reviewed.
- The cashier should sign all payroll checks only when supported by proper documentation (the payroll register and disbursement voucher).

Flexible benefit plans: the employee chooses some minimum coverage in medical insurance, retirement plans, and charitable contributions.

Circular E, Employer's Tax Guide: published by the IRS; provides detailed instructions about an employer's obligations for withholding and remitting payroll taxes and for filing various reports.

Payroll service bureau: maintains the payroll
master data for each of its clients and processes payroll for them. Professional employer organization (PEO): not only processes payroll but also provides HRM services such as employee benefit design and administration. Bc they provide a narrower range of services, payroll service bureaus are generally less expensive than PEOs. Payroll service bureaus and PEOs are especially attractive to small and midsized businesses for the following reasons:
- Reduced costs: economies of scale, and eliminating the need to develop and maintain the expertise required to comply w/ the constantly changing tax laws
- Wider range of benefits
- Freeing up of computer resources

Summary: the HRM/payroll cycle IS consists of 2 related but separate subsystems. The HRM system records and processes data about the activities of recruiting, hiring, training, assigning, evaluating, and discharging employees. The payroll system records and processes data used to pay employees for their services. The HRM/payroll system must comply w/ govt regulations related to both taxes and employment practices. In addition, it must prevent (1) overpaying employees due to invalid time and attendance data and (2) disbursing paychecks to fictitious employees. These can be minimized by proper segregation of duties, specifically by having the following functions performed by different individuals:
1. Authorizing and making changes to the payroll master file for such events as hirings, firings, and pay raises
2. Recording and verifying time worked by employees
3. Preparing paychecks
4. Distributing paychecks
5. Reconciling the payroll bank account

ACCTG 320 Notes 5/24 Ch 13 The Expenditure Cycle: Purchasing to Cash Disbursements

Expenditure cycle: a recurring set of business activities and related information processing operations associated with the purchase of and payment for goods and services. Primary objective: to minimize the total cost of acquiring and maintaining inventories, supplies, and the various services the organization needs to function. Mgmt must make key decisions:
- What is the
optimal level of inventory and supplies to carry?
- Which suppliers provide the best quality and service at the best prices?
- How can the organization consolidate purchases across units to obtain optimal prices?
- How can IT be used to improve both the efficiency and accuracy of the inbound logistics function?
- How can the organization maintain sufficient cash to take advantage of any discounts suppliers offer?
- How can payments to vendors be managed to maximize cash flow?

4 basic expenditure cycle activities:
1. Ordering materials, supplies, and services
2. Receiving materials, supplies, and services
3. Approving supplier invoices
4. Cash disbursements

Comparison of Revenue and Expenditure Cycle Activities
- Sales order entry (process orders from customers) vs. ordering of materials, supplies, and services (send orders to suppliers)
- Shipping (deliver merchandise or services to customers; outbound logistics) vs. receiving (receive merchandise or services from suppliers; inbound logistics)
- Billing (send invoices to customers) vs. processing invoices (review and approve invoices from suppliers)
- Cash collections (process pmts from customers) vs. cash disbursements (process pmts to suppliers)

Threats and Controls in the Expenditure Cycle

Activity: General issues throughout the entire expenditure cycle
Threats:
1. Inaccurate/invalid master data
2. Unauthorized disclosure of sensitive information
3. Loss/destruction of data
4. Poor performance
Controls:
1.1 Data processing integrity controls
2.1 Access controls
3.1 Backup and disaster recovery procedures; implement the ERP system as 3 separate instances: (1) a production instance used to process daily activity, (2) an instance used for testing and development, and (3) an instance maintained as an online backup to the production system to provide near-real-time recovery
4.1 Managerial reports

Activity: Ordering
Threats:
5. Inaccurate inventory records
6. Purchasing items not needed
7. Purchasing at inflated prices
8. Purchasing goods of inferior quality
9. Unreliable suppliers
10. Purchasing from unauthorized suppliers
11. Kickbacks
Controls:
5.1
Perpetual inventory system
6.1 Perpetual inventory system
7.1 Price lists
8.1 Purchasing only from approved suppliers
9.1 Requiring suppliers to possess quality certification
10.1 Maintaining a list of approved suppliers and configuring the system to permit purchase orders only to approved suppliers
11.1 Requiring purchasing agents to disclose financial and personal interests in suppliers

Activity: Receiving
Threats:
12. Accepting unordered items
13. Mistakes in counting
14. Verifying receipt of services
15. Theft of inventory
Controls:
12.1 Requiring the existence of an approved purchase order prior to accepting any delivery
13.1 Do not inform receiving employees about the qty ordered
14.1 Budgetary controls
15.1 Restriction of physical access to inventory

Activity: Approving supplier invoices
Threats:
16. Errors in supplier invoices
17. Mistakes in posting to AP
Controls:
16.1 Verification of invoice accuracy
17.1 Data entry edit controls

Activity: Cash disbursements
Threats:
18. Failure to take advantage of discounts for prompt payment
19. Paying for items not received
20. Duplicate payments
21. Theft of cash
22. Check alteration
23. Cash flow problems
Controls:
18.1 Filing of invoices by due date for discounts
19.1 Requiring that all supplier invoices be matched to supporting documents that are acknowledged by both receiving and inventory control
20.1 Requiring a complete voucher package for all payments
21.1 Physical security of blank checks and the check-signing machine
22.1 Check protection machines
23.1 Cash flow budget

Economic order quantity (EOQ): based on calculating an optimal order size to minimize the sum of ordering, carrying, and stockout costs; calculates how much to order. Ordering costs include all expenses associated with processing purchase transactions. Carrying costs: those associated with holding inventory. Stockout costs: result from inventory shortages, such as lost sales or production delays. Reorder point: specifies when to order. Typically the ROP is set based on delivery time and desired levels of safety stock to handle unexpected fluctuations
in demand.

Materials requirement planning (MRP): seeks to reduce required inventory levels by improving the accuracy of forecasting techniques to better schedule purchases to satisfy production needs. Just-in-time (JIT) inventory system: attempts to minimize, if not totally eliminate, finished goods inventory by purchasing and producing goods only in response to actual rather than forecasted sales. Major difference between MRP and JIT = production scheduling: MRP schedules production to meet forecasted sales w/ the aim of creating an optimal qty of finished goods inventory; JIT schedules production in response to customer demand and requires carrying sufficient quantities of raw materials in order to quickly adjust production in response to consumer demand. MRP is better for predictable patterns of demand (consumer staples); JIT for products with relatively short life cycles whose demand cannot be accurately predicted.

Purchase requisition: identifies the requisitioner, specifies the delivery location and date needed, identifies the item numbers, descriptions, quantity, and price of each item requested, and may suggest a supplier.

ABC cost analysis should be used to classify items according to their importance. The most critical items (A items) should be counted most frequently and the least critical items (C items) less often.

Crucial operating decision in the purchasing activity = selecting suppliers for inventory items. Several factors: price, quality of materials, dependability in making deliveries.

Purchase order: a document or electronic form that formally requests a supplier to sell and deliver specified products at designated prices. Blanket purchase order: a commitment to purchase specified items at designated prices from a particular supplier for a set time period, often 1 yr.

Vendor-managed inventory: essentially outsources much of the inventory control and purchasing function; suppliers are given access to sales and inventory data and are authorized to automatically replenish inventory when stocks fall to predetermined reorder points.

Reverse auction: another technique to reduce purchasing-related
expenses Best suited to the purchase of commodity items rather than critical components for which quality vendor reliability and delivery performance are important Preward audit typically used for large purchases that involve formal bids by suppliers internal auditor visits each potential supplier often identify simple mathematical errors in complex pricing formulas m cost saving Numerous policy related threats also arise With EDI each of Which must be covered in the trading agreement EX At What point in the process can the order be canceled Which party is responsible for the cost of return freight if contract terms are not followed Which party is responsible for errors in bar codes RFID tags and labels Kickbacks gifts from suppliers to purchasing agents for the purpose of in uencing their choice of suppliers are another threat Supplier audits may be one of the best tools for assessing the effectiveness of expenditure cycle controls Red ags that indicate potential problems include 1 A large of the supplier s gross sales Was to the company conducting the supplier audit 2 The supplier s pricing methods differ from standard industry practice 3 The supplier does not own the equipment it rents but is itself renting that equipment from a 3rd party 4 Entertainment expenses are high in terms of a of supplier s gross sales 5 The supplier submits altered or ctitious 3 party invoices 6 The supplier s address on its invoices its ctitious Receiving report document details about each delivery including the date received shipper supplier and purchase order number 2 possible exception to this process 2 1 Receiving a qty of goods different from the amount ordered 2 Receiving damaged goods 3 Receiving goods of inferior quality that fail inspection Debit memo record the adjustemet being requested Voucher package combination of the supplier invoice and associated supporting documentation Nonvoucher system each approved invoice along W the supporting documentation is posted to 
individual supplier records in the AP le and is then stored in an open invoice le Voucher system an additional document called a disbursement voucher is also created When a supplier invoice is approved for payment Disbursement voucher identi es the supplier lists the outstanding invoices and indicates the net amount to be paid after deducting any applicable discounts and allowances Voucher system adv 1 They reduce the number of checks that need to be Written bc several invoices may be included on one disbursement voucher 2 bc disbursement voucher is an internally generated document it can be prenumbered to simplify tracking all payables 3 bc the voucher provides an explicit record that a vendor invoice has been approved for pmt it facilitates separating the time of invoice approval from the time of invoice pmt Evaluated receipt settlement ERS invoiceless approach replaces the traditional 3 Way matching process vendor invoice receiving report and purchase order With a 2Way match of the purchase order and receiving report Procurement card corporate credit card that employees can use only at designated suppliers to purchase speci c kinds of items Cash Disbursements Embedded audit modules can be designed into the system to monitor all transactions and identify any that possess speci c characteristics Imprest fund has 2 characteristics it is set at a xed amount and it requires vouchers for every disbursement ACCTG32O Notes 511 Ch 10 Information Systems Controls for System s Reliability Part 3 Processing Integrity and Availability 2 particularly important form design controls involve sequentially prenumbering source documents and using turnaround documents 1 All sources documents should be sequentially prenumbered 2 Turnaround document record of company data sent to an external party and then returned by the external party to the system as input Data entry controls 0 Field check determines whether the characters in the eld are of the proper type 0 Sign check determines 
whether the data in a eld have the appropriate arhitmetic sign 0 Limit check tests a numerical amount against a xed value 0 Range check tests whether a numerical amount falls between predetermined lower and upper limits 0 Size check ensures that the input data will t into the assigned eld 0 Completeness check on each input record determines whether all required data items have been entered 0 Validity check compares the ID code or account number in transaction data with similar data in the master le to verify that the account exists 0 Reasonable test determines the correctness of the logical relationship between 2 data items 0 Authorized ID numbers can contain a check digit that is computed from the other digits Data entry device then can be programmed to perform check digit Veri cation by using the 1 9 digits to calculate the 10th digit each time an ID number is entered Additional batch processing data entry controls 0 Batch processing works more ef ciently if the transactions are sorted so that the accounts affected are in the same sequence as records in the master le Sequence check tests whether a batch of input data is in the proper numericalalphabetical sequence 0 An error log that identi es data input errors facilitates timely review and resubmission of transactions that cannot be processed 0 Batch totals summarize important values for a batch of input records Following are 3 commonly used batch totals 1 Financial total sums a eld that contains monetary values 2 Hash total sums a non nancial numeric eld 3 Record unit number of records in a batch Additional online data entry controls 0 Prompting in which the system requests each input item and waits for an acceptable response ensures that all necessary data are entered 0 Closed loop Veri cation checks the accuracy of input data by using it to retrieve and display other related information 0 Transaction log includes a detailed record of all transactions including a unique transaction identi er the date and time 
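As an added example (not code from the notes), the edit checks, check digit verification and batch totals above written as small functions over a constructed batch of sales records. The record layout, the 10-digit customer number with a Luhn (mod 10) check digit, the limit of 1000 units, the price range and the master file contents are assumptions made for the illustration; the notes only say the 10th digit is computed from the first 9.

```python
"""Added example, not from the notes: data entry edit checks, check digit
verification and batch totals over a constructed batch of sales records.
Field layout, Luhn (mod 10) check digit, limit and range values are assumed."""
from dataclasses import dataclass
from typing import Optional


def luhn_check_digit(body: str) -> str:
    """Compute the 10th digit from the first 9 (assumed Luhn mod-10 scheme)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(id_number: str) -> bool:
    """Check digit verification as the data entry device would perform it."""
    return (len(id_number) == 10 and id_number.isdigit()
            and luhn_check_digit(id_number[:9]) == id_number[9])


# Constructed customer master file: valid account numbers incl. check digit.
CUSTOMER_MASTER = {"1234567897", "9876543217"}


@dataclass
class Transaction:
    customer_no: Optional[str]
    qty: Optional[int]
    unit_price: Optional[float]
    amount: Optional[float]      # extended amount as keyed by the operator


def edit_checks(t: Transaction, master=CUSTOMER_MASTER) -> list:
    """Return the names of the edit checks a record fails (empty = clean)."""
    errors = []
    # completeness check: every required item must have been entered
    if any(v is None for v in (t.customer_no, t.qty, t.unit_price, t.amount)):
        return ["completeness"]
    if not t.customer_no.isdigit():          # field check: digits only
        errors.append("field")
    elif len(t.customer_no) != 10:           # size check: fits the field
        errors.append("size")
    elif not check_digit_ok(t.customer_no):  # check digit verification
        errors.append("check_digit")
    elif t.customer_no not in master:        # validity check: account exists
        errors.append("validity")
    if t.qty <= 0:                           # sign check: qty must be positive
        errors.append("sign")
    if t.qty > 1000:                         # limit check (assumed 1000 units)
        errors.append("limit")
    if not 1.00 <= t.unit_price <= 500.00:   # range check (assumed price band)
        errors.append("range")
    # reasonableness test: keyed amount must agree with qty x unit price
    if abs(t.amount - round(t.qty * t.unit_price, 2)) > 0.005:
        errors.append("reasonableness")
    return errors


def batch_totals(batch: list) -> dict:
    """Financial total, hash total and record count for a batch."""
    return {
        "financial_total": round(sum(t.amount for t in batch), 2),
        "hash_total": sum(int(t.customer_no) for t in batch),  # non-financial field
        "record_count": len(batch),
    }


def sequence_check(doc_numbers: list) -> bool:
    """True when prenumbered documents are in ascending numerical order."""
    return all(a < b for a, b in zip(doc_numbers, doc_numbers[1:]))


# Constructed sample input.
SAMPLE_BATCH = [
    Transaction("1234567897", 10, 25.00, 250.00),
    Transaction("9876543217", 3, 40.00, 120.00),
]
BAD_RECORD = Transaction("1234567890", -2, 25.00, 250.00)  # bad check digit, negative qty

if __name__ == "__main__":
    print(edit_checks(BAD_RECORD))      # ['check_digit', 'sign', 'reasonableness']
    print(batch_totals(SAMPLE_BATCH))   # financial 370.0, hash 11111111114, count 2
```

The check digit, size and validity checks are chained with elif because each only makes sense once the previous one passed; the sign, limit, range and reasonableness checks are independent and all get reported, which is what a data entry operator needs to correct a record in one pass.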
Processing controls:
- Data matching: in certain cases 2 or more items of data must be matched before an action can take place
- File labels: header record is located at the beginning of each file and contains the file name, expiration date and other identification data. Trailer record located at the end of the file and contains the batch totals calculated during input
- Recalculation of batch totals. Transposition error: two adjacent digits were inadvertently reversed
- Cross-footing and zero-balance tests: cross-footing balance test compares the results produced by each method to verify accuracy. Zero-balance test: a nonzero balance indicates a processing error
- Write protection mechanisms protect against overwriting or erasing of data files stored on magnetic media
- Concurrent update controls prevent errors when 2 or more users attempt to update the same record simultaneously by locking out one user until the system has finished processing the transaction entered by the other

Output controls:
- User review of output: users should carefully examine system output to verify that it is reasonable, it is complete and that they are the intended recipients
- Reconciliation procedures
- External data reconciliation
- Data transmission controls:
  - TCP
  - Checksums: when data are transmitted, the sending device can calculate a hash of the file, called a checksum
  - Parity bits: an extra digit added to the beginning of every character that can be used to check transmission accuracy. Even parity: parity bit is set so that each character has an even number of bits with the value 1; in odd parity the parity bit is set so that an odd number of bits in the character have the value 1. Parity checking entails verifying that the proper number of bits are set to the value 1 in each character received

Batch processing integrity controls:
1. Prepare batch totals: sum of all sales amounts is calculated as a financial total and recorded on batch control forms that accompany each group of sales documents
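As an added example (not code from the notes), the cross-footing and zero-balance tests from the processing controls above and the parity-bit and checksum controls from the transmission controls, written as small functions. The sales-by-region table, the invoice record and the choice of SHA-256 as the checksum hash are illustration assumptions; the notes say only that a hash of the file is computed.

```python
"""Added example, not from the notes: cross-footing and zero-balance tests
(processing controls) plus parity bits and checksums (transmission controls).
The sales table, the record and the SHA-256 choice are assumptions."""
import hashlib

# Constructed report: sales by product (rows) and region (columns).
SALES = {
    "widgets": [100.0, 250.0, 75.0],
    "gadgets": [40.0, 60.0, 20.0],
}


def cross_foot(table: dict, reported_grand_total: float) -> dict:
    """Cross-footing balance test: total the rows and the columns separately
    and check that both agree with each other and with the printed total."""
    by_rows = sum(sum(row) for row in table.values())
    ncols = len(next(iter(table.values())))
    by_cols = sum(sum(row[i] for row in table.values()) for i in range(ncols))
    balanced = (abs(by_rows - by_cols) < 0.005
                and abs(by_rows - reported_grand_total) < 0.005)
    return {"rows": round(by_rows, 2), "columns": round(by_cols, 2),
            "balanced": balanced}


def zero_balance(debits: list, credits: list) -> float:
    """Zero-balance test: debits minus credits; nonzero means a processing error."""
    return round(sum(debits) - sum(credits), 2)


def transposition_error_likely(difference: float) -> bool:
    """A nonzero difference divisible by 9 is the classic sign that two adjacent
    digits were reversed (1,243 keyed as 1,423 differs by 180)."""
    cents = round(abs(difference) * 100)
    return cents != 0 and cents % 9 == 0


def add_parity(char_code: int, even: bool = True) -> int:
    """Attach a parity bit in front of a 7-bit character code (bit 7 of the
    byte), set so the byte has an even (or odd) number of 1 bits."""
    data = char_code & 0x7F
    ones = bin(data).count("1")
    parity_bit = (ones % 2 == 1) if even else (ones % 2 == 0)
    return data | (0x80 if parity_bit else 0)


def parity_ok(byte: int, even: bool = True) -> bool:
    """Parity checking on a received byte: count the 1 bits."""
    ones = bin(byte & 0xFF).count("1")
    return (ones % 2 == 0) if even else (ones % 2 == 1)


def checksum(data: bytes) -> str:
    """Sender computes a hash of the file; receiver recomputes and compares."""
    return hashlib.sha256(data).hexdigest()


def transmission_ok(received: bytes, sent_checksum: str) -> bool:
    return checksum(received) == sent_checksum


# Constructed transmission: one invoice record plus the checksum sent with it.
RECORD = b"INV-1001,CUST-42,250.00\n"
RECORD_CHECKSUM = checksum(RECORD)

if __name__ == "__main__":
    print(cross_foot(SALES, 545.0))            # balanced
    print(cross_foot(SALES, 554.0))            # not balanced: 9 off, transposition
    print(transmission_ok(RECORD, RECORD_CHECKSUM))
```

A parity bit catches any single flipped bit in a character but not two flips in the same character, which is why the notes list it beside a checksum over the whole file; the checksum catches any change to the content, including reordered or dropped records.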
2. Deliver the transactions to the computer operations department for processing
3. Enter the transaction data into the system
4. Sort and edit the transaction file
5. Update the master files
6. Prepare and distribute output
7. User review

Online data entry controls: When an employee accesses the online system, logical access controls confirm the identity of the data entry device and the validity of the employee's user ID number and password. A compatibility test ensures that the employee is authorized to perform that task. The system automatically assigns the transaction the next sequential sales order number and the current date as the date of the invoice. The system prompts for all required input. After each prompt the system waits for a response. Each response is tested using one or more of the following controls: validity checks, field and sign checks, and limit or range checks. When the customer number is entered, the system retrieves the corresponding customer name from the database and displays it on the screen. The operator visually examines the customer name; if it matches the name on the sales order document, the operator signals the system to proceed with the transaction. If not, the operator rechecks the customer number and enters the correct value.
- When the inventory item number is entered, the system and the operator go through the same procedures as they do with the customer number

Online processing controls: These tests often include the following:
- Validity checks on the customer and inventory item numbers
- Sign checks on inventory on hand balances after subtracting qty sold
- Limit checks that compare each customer's total amount due with the credit limit
- Range checks on the sale price of each item sold relative to the permissible range of prices for that item
- Reasonableness tests on the qty sold of each item relative to normal sales qty for that customer and that item

Online output controls:
- Billing and shipping docs are forwarded electronically only to preauthorized users
- Users in the shipping and billing dept perform a limited review of the docs by visually inspecting them for incomplete data or other obvious errors
- The control report is sent automatically to its intended recipients, or the recipients can query the system for the report. If they query the system, logical access controls confirm the identity of the device making the query and the validity of the user's ID number and password

Hardwiring: where formulas contain specific numerical values instead of referencing a cell that contains the current value for that variable = when the hardwired variable changes, the formula may not be corrected.

Fault tolerance: ability of a system to continue functioning in the event that a particular component fails. Redundant arrays of independent drives (RAID): data is written to multiple disk drives simultaneously. Uninterruptible power supply (UPS) provides protection in the event of a prolonged power outage, using battery power to enable the system to operate long enough to back up critical data and safely shut down.

1. To minimize risk of system downtime:
- Preventive maintenance
- Fault tolerance
- Data center location and design
- Training
- Patch mgmt and antivirus software
2. Quick and complete recovery and resumption of normal operations:
- Backup procedures
- Disaster recovery plan (DRP)
- Business continuity plan (BCP)

Backup: exact copy of the most current version of a database, file or software program that can be used in the event that the original is no longer available. An organization's backup procedures and disaster recovery and business continuity plans reflect mgmt's answers to 2 fundamental questions:
1. How much data are we willing to recreate from source documents (if they exist) or potentially lose (if no source documents exist)?
2. How long can the organization function without its IS?
Recovery point objective (RPO) represents the maximum amount of data that the organization is willing to potentially lose. Recovery time objective (RTO): length of time that the organization is willing to attempt to function without its IS. Real time mirroring involves maintaining 2 copies of the database at 2 separate data centers at all times and updating both copies in real time as each transaction occurs.

Data backup procedures: Full backup: exact copy of entire database. 2 types of daily partial backups:
1. An incremental backup involves copying only the data items that have changed since the last partial backup
2. Differential backup copies all changes made since the last full backup. Thus each new differential backup file contains the cumulative effects of all activities since the last full backup
Archive: copy of database, master file or software that is retained indefinitely as an historical record, usually to satisfy legal and regulatory requirements.

Disaster recovery plan (DRP) outlines the procedures to restore an organization's IT function in the event that its data center is destroyed by a natural disaster or act of terrorism:
1. Contract for use of a cold site: an empty building that is prewired for necessary telephone and Internet access, plus a contract with 1 or more vendors to provide all necessary equipment within a specified period of time
2. Hot site: facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities
3. Establish a second data center as a backup and use it to implement real time mirroring
Business continuity plan (BCP) specifies how to resume not only IT operations but all business processes, including relocating to new offices and hiring temporary replacements, in the event that a major calamity destroys not only an organization's data center but also its main HQ.

Change control: formal process used to ensure that modifications to hardware, software or processes do not reduce systems reliability. Effective change ctrl procedures require regularly monitoring for unauthorized changes and sanctioning anyone who intentionally introduces such changes.
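As an added example (not code from the notes), a toy model of the full, incremental and differential backups described above over a key/value "database", with a check of the exposure window against an RPO. It shows the point the notes make about differentials being cumulative: losing one day's file breaks an incremental restore chain but not a differential one. The customer records, the daily change sets and the hour-based backup times are constructed.

```python
"""Added example, not from the notes: full, incremental and differential
backups over a key/value database, and an RPO exposure check. All records,
change sets and timestamps are constructed for illustration."""


def apply_changes(snapshot: dict, changes: dict) -> dict:
    """Apply a change set to a copy of the snapshot; None marks a deletion."""
    db = dict(snapshot)
    for key, value in changes.items():
        if value is None:
            db.pop(key, None)
        else:
            db[key] = value
    return db


def build_incrementals(daily_changes: list) -> list:
    """Incremental: each file holds only the changes since the previous partial backup."""
    return [dict(day) for day in daily_changes]


def build_differentials(daily_changes: list) -> list:
    """Differential: each file holds all changes since the last full backup."""
    files, cumulative = [], {}
    for day in daily_changes:
        cumulative.update(day)
        files.append(dict(cumulative))
    return files


def restore_incremental(full: dict, incrementals: list) -> dict:
    """Needs the full backup and every incremental, applied in order."""
    db = dict(full)
    for inc in incrementals:
        db = apply_changes(db, inc)
    return db


def restore_differential(full: dict, differentials: list) -> dict:
    """Needs the full backup and only the newest differential."""
    return apply_changes(full, differentials[-1]) if differentials else dict(full)


def rpo_exposure_hours(backup_hours: list, failure_hour: float) -> float:
    """Hours of transactions at risk: from the last backup taken before the
    failure up to the failure itself."""
    last = max(h for h in backup_hours if h <= failure_hour)
    return failure_hour - last


def meets_rpo(backup_hours: list, failure_hour: float, rpo_hours: float) -> bool:
    return rpo_exposure_hours(backup_hours, failure_hour) <= rpo_hours


# Constructed data: Sunday full backup, then three days of changes.
FULL = {"cust:1": "Acme", "cust:2": "Bolt"}
DAILY_CHANGES = [
    {"cust:3": "Cog"},                          # Monday
    {"cust:1": "Acme Inc", "cust:2": None},     # Tuesday: rename one, delete one
    {"cust:4": "Dyn"},                          # Wednesday
]
EXPECTED = {"cust:1": "Acme Inc", "cust:3": "Cog", "cust:4": "Dyn"}

if __name__ == "__main__":
    incs = build_incrementals(DAILY_CHANGES)
    diffs = build_differentials(DAILY_CHANGES)
    print(restore_incremental(FULL, incs) == EXPECTED)                   # True
    print(restore_differential(FULL, diffs) == EXPECTED)                 # True
    # Lose Tuesday's file: the incremental chain breaks, the differential does not.
    print(restore_incremental(FULL, [incs[0], incs[2]]) == EXPECTED)     # False
    print(restore_differential(FULL, [diffs[0], diffs[2]]) == EXPECTED)  # True
    print(rpo_exposure_hours([0, 24, 48], 60))                           # 12.0
```

The trade-off the notes describe is visible in the file sizes: every differential grows until the next full backup, while incrementals stay small but every one of them must survive for the restore to be correct.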
Other principles include:
- All change requests should be documented and follow a standardized format that clearly identifies the nature of the change, the reason for the request, the date of the request and the outcome of the request
- All changes should be approved by appropriate levels of mgmt
- To assess the impact of the proposed change on all 5 principles of systems reliability, changes should be thoroughly tested prior to implementation in a separate nonproduction environment (not the system actually used for daily business processes)
- All documentation should be updated to reflect authorized changes to the system
- Emergency changes or deviations from standard operating policies must be documented and subjected to a formal review and approval process as soon after implementation as practicable
- Backout plans need to be developed for reverting to previous configurations in case approved changes need to be interrupted or abandoned
- User rights and privileges must be carefully monitored during the change process to ensure that proper segregation of duties is maintained
Probably the most important change control: adequate monitoring and reviewing by top mgmt to ensure that proposed and implemented changes are consistent with the organization's multiyear strategic plan.

ACCTG320 Notes 5/18 Ch 11 Auditing Computer Based Information Systems

Auditing: systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria. Internal auditing: independent, objective assurance and consulting activity designed to add value and improve organizational effectiveness and efficiency, including assisting in the design and implementation of an AIS. Different types of internal audits:
1. Financial audit examines the reliability and integrity of financial transactions, accounting records and financial statements
2. Information systems or internal control audit reviews the controls of an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets. The audit usually evaluates system input and output, processing controls, backup and recovery plans, system security and computer facilities
3. Operational audit: concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives
4. Compliance audit determines whether entities are complying with applicable laws, regulations, policies and procedures. These audits often result in recommendations to improve processes and ctrls used to ensure compliance with regulations
5. Investigative audit examines incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities
In contrast, external auditors are responsible to corporate shareholders and are mostly concerned with gathering the evidence needed to express an opinion on the financial statements. External auditors may need specialized skills to 1. Determine how the audit will be affected by IT 2. Assess and evaluate IT controls and 3. Design and perform both tests of IT controls and substantive tests.

Audits may be divided into 4 stages: planning, collecting evidence, evaluating evidence and communicating audit results. Audit planning determines why, how, when and by whom the audit will be performed. 1st step: establish the audit's scope and objectives. 3 types of audit risk:
1. Inherent risk: susceptibility to material risk in the absence of controls
2. Control risk: the risk that a material misstatement will get through the internal control structure and into the financial statements. Control risk can be determined by reviewing the ctrl environment, testing internal ctrls, and considering ctrl weaknesses identified in prior audits and evaluating how they have been rectified
3. Detection risk: the risk that auditors and their audit procedures will fail to detect a material error or misstatement
Most common ways to collect audit evidence:
- Observation of activities being audited
- Review of documentation to understand how a particular process/internal control system is supposed to function
- Discussion with employees about jobs and about how they carry out certain procedures
- Questionnaires that gather data
- Physical examination of the qty and/or condition of tangible assets such as equipment and inventory
- Confirmation of the accuracy of information, such as customer account balances, through communication with independent 3rd parties
- Reperformance of calculations to verify quantitative information, e.g. recalculating the annual depreciation expense
- Vouching for the validity of a transaction by examining supporting documents, such as the purchase order, receiving report and vendor invoice supporting an AP transaction
- Analytical review of relationships and trends among information to detect items that should be further investigated
Determining materiality (what is and is not important) is a matter of professional judgment. Materiality is more important in external audits (emphasis is fairness of financial statements) than in internal audits (focus on adherence to mgmt policies). Auditor seeks reasonable assurance that no material error exists in the information or process audited.

Risk based audit approach:
1. Determine the threats (fraud and errors) facing the company
2. Identify the ctrl procedures that prevent, detect or correct the threats
3. Evaluate control procedures:
- Systems review determines whether ctrl procedures are actually in place
- Tests of controls conducted to determine whether existing ctrls work as intended
4. Evaluate control weaknesses to determine their effect on the nature, timing or extent of auditing procedures
- Control weakness in one area may be acceptable if there are compensating ctrls in other areas

Information systems audits: 6 objectives:
1. Security provisions protect computer equipment, programs, communications and data from unauthorized access, modification or destruction
2. Program development and acquisition are performed in accordance with mgmt's general and specific authorization
3. Program modifications have mgmt's authorization and approval
4. Processing of transactions, files, reports and other computer records is accurate and complete
5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies
6. Computer data files are accurate, complete and confidential

Framework for audit of overall computer security
Types of errors and fraud:
- Theft of or accidental or intentional damage to hardware
- Loss, theft or unauthorized access to programs, data and other system resources
- Loss, theft or unauthorized disclosure of confidential data
- Unauthorized modification or use of programs and data files
- Interruption of crucial business activities
Control procedures:
- Information security/protection plan
- Limiting of physical access to computer equipment
- Limiting of logical access to system using authentication and authorization controls
- Data storage and transmission controls
- Virus protection procedures
- File backup and recovery procedures
- Fault tolerant systems design
- Disaster recovery plan
- Preventive maintenance
- Firewalls
- Casualty and business interruption insurance
Audit procedures, system review:
- Inspect computer sites
- Review the information security/protection and disaster recovery plans
- Interview information system personnel about security procedures
- Review physical and logical access policies and procedures
- Review file backup and recovery policies and procedures
- Review data storage and transmission policies and procedures
- Review procedures employed to minimize system downtime
- Review vendor maintenance contracts
- Examine system access logs
- Examine casualty and business interruption insurance policies
Audit procedures, tests of controls:
- Observe and test computer site access procedures
- Observe the preparation of and off site storage of backup files
- Test assignment and modification procedures for user IDs and passwords
- Investigate how unauthorized access attempts are dealt with
- Verify the extent and effectiveness of data encryption
- Verify the effective use of data transmission controls
- Verify the effective use of firewalls and virus protection procedures
- Verify the use of preventive maintenance and an uninterruptible power supply
- Verify amounts and limitations on insurance coverage
- Examine the results of disaster recovery plan test simulations
Compensating controls:
- Sound personnel policies, including segregation of incompatible duties
- Effective user controls

To maintain objectivity, auditors should not help develop the system. 2 things can go wrong in program development:
1. Inadvertent programming errors due to misunderstanding the system specifications or careless programming
2. Unauthorized instructions deliberately inserted into the programs

Framework for Audit of Program Development
Types of errors and fraud:
- Inadvertent programming errors or unauthorized program code
Control procedures:
- Review of software license agreements
- Mgmt authorization of program development and software acquisition
- Mgmt and user approval of programming specifications
- Thorough testing of new programs, including user acceptance tests
- Complete systems documentation, including approvals
Audit procedures, system review:
- Independent review of the systems development process
- Review of systems development/acquisition policies and procedures
- Review of systems authorization and approval policies and procedures
- Review of programming evaluation standards
- Review of program and system documentation standards
- Review of test specifications, test data and test results
- Review of test approval policies and procedures
- Review of acquisition of copyright/license agreement policies and procedures
- Discussions with mgmt, users and information system personnel regarding development procedures
Audit procedures, tests of controls:
- Interview users about their systems acquisition/development and implementation involvement
- Review minutes of development team meetings for evidence of involvement
- Verify mgmt and user sign off approvals at development milestone points
- Review test specifications, test data and systems test results
- Review software license agreements
Compensating controls:
- Strong processing controls
- Independent processing of test data by auditor

Framework for Audit of Program Modifications
Types of errors and fraud:
- Inadvertent programming errors or unauthorized program code
Control procedures:
- List program components to be modified
- Mgmt authorization and approval of program modifications
- User approval of program change specifications
- Thorough testing of program changes, including user acceptance tests
- Complete program change documentation, including approvals
- Separate development, test and production versions of programs
- Changes implemented by personnel independent of users and programmers
- Logical access controls
Audit procedures, system review:
- Review program modification policies, standards and procedures
- Review documentation standards for program modification
- Review final documentation of program modifications
- Review program modification testing and test approval procedures
- Review test specifications, test data and test results
- Review test approval policies and procedures
- Review programming evaluation standards
- Discuss modification policies and procedures with mgmt, users and systems personnel
- Review logical access control policies and procedures
Audit procedures, tests of controls:
- Verify user and mgmt sign-off approval for program changes
- Verify that program components to be modified are identified and listed
- Verify that program change test procedures and documentation comply w/ standards
- Verify that logical access controls are in effect for program changes
- Observe program change implementation
- Verify that separate development, test and production versions are maintained
- Verify that changes are not implemented by user or programming personnel
- Test for unauthorized/erroneous program changes using a source code comparison program, reprocessing and parallel simulation
Compensating controls:
- Independent audit tests for unauthorized/erroneous program changes
- Strong processing controls

3 ways auditors test for unauthorized program changes:
1. After testing a new program, auditors keep a copy of its source code. Auditors use a source code comparison program to compare the current version of the program with the source code
2. In the reprocessing technique, auditors reprocess data using the source code and compare the output with the company's output
3. In parallel simulation the auditor writes a program instead of using the source code, compares the outputs and investigates any differences. Can be used to test a program during the implementation process

Framework for audit of computer processing controls
Types of errors and fraud:
- Failure to detect incorrect, incomplete or unauthorized input data
- Failure to properly correct errors flagged by data editing procedures
- Introduction of errors into files or databases during updating
- Improper distribution or disclosure of computer output
- Intentional or unintentional inaccuracies in reporting
Control procedures:
- Data editing routines
- Proper use of internal and external file labels
- Reconciliation of batch totals
- Effective error correction procedures
- Understandable operating documentation and run manuals
- Competent supervision of computer operations
- Effective handling of data input and output by data control personnel
- Preparation of file change listings and summaries for user department review
- Maintenance of proper environmental conditions in computer facility
Audit procedures, system review:
- Review administrative documentation for processing control standards
- Review systems documentation for data editing and other processing controls
- Review operating documentation for completeness and clarity
- Review copies of error listings, batch total reports and file change lists
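As an added example (not code from the notes), the three auditor tests for unauthorized program changes listed above in miniature: a source code comparison against the copy the auditor retained, reprocessing with that retained copy, and parallel simulation with a routine the auditor wrote independently. The approved and production source texts, the straight-line depreciation routine and the asset register are constructed; exec() is used only to load those constructed strings as the "program" under audit.

```python
"""Added example, not from the notes: source code comparison, reprocessing and
parallel simulation against a constructed program. The sources, the
depreciation routine and the asset list are illustration assumptions."""
import difflib
import hashlib

APPROVED_SOURCE = """\
def straight_line(cost, salvage, life):
    return (cost - salvage) / life
"""

# Production copy with an extra, unapproved branch (constructed).
PRODUCTION_SOURCE = """\
def straight_line(cost, salvage, life):
    if cost > 100000:
        return 0
    return (cost - salvage) / life
"""


def fingerprint(source: str) -> str:
    """Hash of the approved copy the auditor kept after testing; a quick
    first check before running a full comparison."""
    return hashlib.sha256(source.encode()).hexdigest()


def source_code_comparison(approved: str, current: str) -> list:
    """Lines added (+) or removed (-) relative to the approved copy."""
    diff = difflib.unified_diff(approved.splitlines(), current.splitlines(),
                                "approved", "production", lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def load_program(source: str, name: str):
    """Load a constructed program text as a callable (sample source only)."""
    namespace = {}
    exec(source, namespace)
    return namespace[name]


def auditor_straight_line(cost, salvage, life):
    """Auditor's independently written routine for parallel simulation."""
    return (cost - salvage) / life


def compare_outputs(reference, company_program, inputs: list) -> list:
    """Reprocessing (reference = approved copy) or parallel simulation
    (reference = auditor's own program): the inputs whose outputs disagree."""
    return [args for args in inputs
            if abs(reference(*args) - company_program(*args)) > 0.005]


# Constructed asset register: (cost, salvage, useful life in years).
ASSETS = [(50000, 5000, 5), (120000, 20000, 10)]

if __name__ == "__main__":
    print(fingerprint(APPROVED_SOURCE) == fingerprint(PRODUCTION_SOURCE))  # False
    print(source_code_comparison(APPROVED_SOURCE, PRODUCTION_SOURCE))
    production = load_program(PRODUCTION_SOURCE, "straight_line")
    approved = load_program(APPROVED_SOURCE, "straight_line")
    print(compare_outputs(approved, production, ASSETS))                # reprocessing
    print(compare_outputs(auditor_straight_line, production, ASSETS))   # parallel simulation
```

The two output-based techniques only catch the inserted branch because the asset register contains a record that exercises it; that is why the notes stress preparing test transactions carefully, and why source code comparison, which needs no test data, is listed first.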
- Observe computer operations and data control functions
- Discuss processing and output controls with operators and information system supervisors
Audit procedures, tests of controls:
- Evaluate adequacy of processing control standards and procedures
- Evaluate adequacy and completeness of data editing controls
- Verify adherence to processing control procedures by observing computer and data control operations
- Verify that application system output is properly distributed
- Reconcile a sample of batch totals; follow up on discrepancies
- Trace a sample of data edit routine errors to ensure proper handling
- Verify processing accuracy of sensitive transactions
- Verify processing accuracy of computer generated transactions
- Search for erroneous or unauthorized code via analysis of program logic
- Check accuracy and completeness of processing controls using test data
- Monitor online processing systems using concurrent audit techniques
- Recreate selected reports to test for accuracy and completeness
Compensating controls:
- Strong user controls and effective controls of source data

Resources helpful when preparing test data:
- List of actual transactions
- The test transactions the company used to test the program
- A test data generator, which prepares test data based on program specifications
Processing test transactions has 2 disadvantages:
1. Auditor must spend considerable time understanding the system and preparing the test transactions
2. The auditor must ensure that test data do not affect company files and databases

Concurrent audit techniques: used to continually monitor the system and collect audit evidence while live data are processed during regular operating hours. Concurrent audit techniques use embedded audit modules, which are program code segments that perform audit functions, report test results and store the evidence collected for auditor review. Auditors commonly use 5 concurrent audit techniques:
1. Integrated test facility (ITF) inserts fictitious records that represent a fictitious division, department, customer or supplier in company master files
2. Snapshot technique: selected transactions are marked with a special code
3. System control audit review file (SCARF) uses embedded audit modules to continuously monitor transaction activity, collect data on transactions with special audit significance and store it in a SCARF file or audit log
4. Audit hooks: audit routines that notify auditors of questionable transactions, often as they occur
5. Continuous and intermittent simulation (CIS) embeds an audit module in a database management system (DBMS) that examines all transactions that update the database, using criteria similar to those of SCARF

Detailed analysis of program logic: time consuming and requires proficiency in the appropriate programming language = last resort. Auditors analyze development, operating and program documentation as well as a printout of the source code. Also use the following software packages:
- Automated flowcharting programs interpret source code and generate a program flowchart
- Automated decision table programs interpret source code and generate a decision table
- Scanning routines search a program for all occurrences of specified items
- Mapping programs identify unexecuted program code. It could have uncovered the program code that an unscrupulous programmer inserted to erase all computer files when he was terminated
- Program tracing sequentially prints all program steps executed when a program runs, intermingled with regular output, so the sequence of program execution events can be observed. Helps detect unauthorized program instructions, incorrect logic paths and unexecuted program code
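As an added example (not code from the notes), three of the program analysis aids listed above, a scanning routine, program tracing and mapping of unexecuted code, built on Python's own tracing hook (sys.settrace) and bytecode line table (dis.findlinestarts). The program under audit, which carries a branch that normal test input never reaches, is constructed for the illustration; the branch does nothing harmful, it only shows what a mapping run surfaces.

```python
"""Added example, not from the notes: scanning routine, program tracing and
mapping (unexecuted code) over a constructed program. The program and the
normal test runs are illustration assumptions."""
import dis
import inspect
import sys


def sample_program(employee_status: str, balance: float) -> float:
    """Constructed program under audit; one branch is dormant in normal use."""
    fee = 0.0
    if balance > 1000:
        fee = 1.0
    if employee_status == "terminated":
        fee = -balance      # dormant branch: never reached by normal input
    return balance - fee


def scan_program(func, items: tuple) -> list:
    """Scanning routine: (line, text) for every source line containing one of
    the specified items; line numbers count from the def line as 1."""
    source = inspect.getsource(func)
    return [(no, line.strip())
            for no, line in enumerate(source.splitlines(), 1)
            if any(item in line for item in items)]


def trace_run(func, *args):
    """Program tracing: run func and record the line numbers executed, in order."""
    executed = []
    code = func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is code and event == "line":
            executed.append(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(None)
    return result, executed


def unexecuted_lines(func, runs: list) -> list:
    """Mapping program: lines of func that none of the runs reached."""
    first = func.__code__.co_firstlineno
    all_lines = {line for _, line in dis.findlinestarts(func.__code__)
                 if line is not None and line > first}
    seen = set()
    for args in runs:
        seen.update(trace_run(func, *args)[1])
    return sorted(all_lines - seen)


# Constructed test set: what the normal test data exercises.
NORMAL_RUNS = [("active", 500.0), ("active", 2000.0)]

if __name__ == "__main__":
    print(scan_program(sample_program, ("terminated",)))
    print(trace_run(sample_program, "active", 2000.0))
    print(unexecuted_lines(sample_program, NORMAL_RUNS))   # the dormant line
```

The mapping result is only as good as the test set: a line that no test reaches is reported whether it is dead code or a legitimate but untested path, so the auditor still has to read each reported line, which is where the scanning routine helps by pointing at the keywords of interest.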
Input controls matrix: used to document the review of source data controls.

Framework for Audit of Source Data Controls
Types of errors and fraud:
- Inaccurate or unauthorized source data
Control procedures:
- Effective handling of source data input by data control personnel
- User authorization of source data input
- Preparation and reconciliation of batch control totals
- Logging the receipt, movement and disposition of source data input
- Check digit verification
- Key verification
- Use of turnaround documents
- Data editing routines
- User department review of file change listings and summaries
- Effective procedures for correcting and resubmitting erroneous data
Audit procedures, system review:
- Review documentation about data control function responsibilities
- Review administrative documentation for source data control standards
- Review authorization methods and examine authorization signatures
- Review documentation to identify processing steps and source data content and controls
- Document source data controls using an input control matrix
- Discuss source data controls with data control personnel, system users and managers
Audit procedures, tests of controls:
- Observe and evaluate data control department operations and control procedures
- Verify proper maintenance and use of data control log
- Evaluate how error log items are dealt with
- Examine source data for proper authorization
- Reconcile batch totals and follow up on discrepancies
- Trace disposition of errors flagged by data edit routines
Compensating controls:
- Strong user and data processing controls

Framework for audit of data file controls
Types of errors and fraud:
- Destruction of stored data due to errors, hardware/software malfunctions and intentional acts of sabotage/vandalism
- Unauthorized modification/disclosure of stored data
Control procedures:
- Storage of data in a secure file library and restriction of physical access to data files
- Logical access controls and an access control matrix
- Proper use of file labels and write protection mechanisms
- Concurrent update controls
- Data encryption for confidential data
- Virus protection software
- Off site backup of all data files
- Checkpoint and rollback procedures to facilitate system recovery
Audit procedures, system review:
- Review documentation for file library operation
- Review logical access policies and procedures
- Review standards for virus protection, off site data storage and system recovery procedures
- Review controls for concurrent updates, data encryption, file conversion and reconciliation of master file totals with independent control totals
- Examine disaster recovery plan
- Discuss file control procedures with managers and operators
Audit procedures, tests of controls:
- Observe and evaluate file library operations
- Review records of password assignment and modification
- Observe and evaluate file handling procedures by operations personnel
- Observe the preparation and off site storage of backup files
- Verify the effective use of virus protection procedures
- Verify the use of concurrent update controls and data encryption
- Verify completeness, currency and testing of disaster recovery plans
- Reconcile master file totals with separately maintained control totals
- Observe the procedures used to control file conversion
Compensating controls:
- Strong user and data processing controls
- Effective computer security controls

Audit Software: Computer-assisted audit techniques (CAATs) refer to audit software, often called generalized audit software (GAS), that uses auditor supplied specifications to generate a program that performs audit functions, thereby automating or simplifying the audit process. Some of the more important uses of CAATs:
- Querying data files to retrieve records meeting specified criteria
- Creating, updating, comparing, downloading and merging files
- Summarizing, sorting and filtering data
- Accessing data in different formats and converting the data into a common format
- Examining records for quality, completeness, consistency and correctness
- Stratifying records, selecting and analyzing statistical samples
- Testing for specific risks and identifying how to control for that risk
- Performing calculations, statistical analyses and other mathematical operations
- Performing analytical tests such as ratio and trend analysis, looking for unexpected
or unexplained data patterns that may indicate fraud Identifying nancial leakage policy noncompliance and data processing errors Reconciling physical counts to computed amounts testing clerical accuracy of extensions and balances testing for duplicate items Formatting and printing reports and documents Creating electronic work papers Operational audits of an AIS Basic difference between audits of IS and n statements is audit scope encompasses all aspects of systems mgmt First step audit planning during which the scope and objectives of the audit are established a preliminary stem review is performed and a tentative audit program is prepared Next step evidence collection includes the following activities Reviewing operating polices and documentation Con rming procedures with mgmt and operating personnel Observing operating functions and activities Examining nancial and operating plans and reports Testing the accuracy of operating information Testing controls Results of mgmt policies and practices are more signi cant than the policies and practices themselves
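Three of the controls and CAAT tests listed above (check digit verification, batch control total reconciliation, and testing for duplicate items) expressed as code an auditor could run over a batch of input records. This is an added example, not material from the course notes or from any GAS product; it assumes a mod-10 (Luhn) check digit on the document number, which the notes do not specify, and the batch of records and the independently prepared control totals are constructed sample data.

```python
"""Added example: source data controls and CAAT tests over a constructed batch.

Assumptions (not stated in the notes): the document number carries a mod-10
(Luhn) check digit as its last digit, and the control totals are a record
count, a financial total on the amount field and a hash total on the
non-financial account field.
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SourceRecord:
    doc_no: str      # document number; last digit is the check digit
    account: int     # non-financial field used for the hash total
    amount: Decimal  # financial amount


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit test: a single mistyped digit or a
    transposition of two adjacent digits changes the result and is rejected
    at data entry before the record reaches processing."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def batch_totals(records):
    """Control totals computed from the records as they were actually input."""
    return {
        "record_count": len(records),
        "financial_total": sum((r.amount for r in records), Decimal("0")),
        "hash_total": sum(r.account for r in records),
    }


def reconcile_batch(expected, records):
    """Compare the input file's totals with the totals the data control group
    prepared independently from the source documents; any key returned is a
    discrepancy to follow up."""
    actual = batch_totals(records)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def duplicate_items(records):
    """CAAT test for duplicate items: document numbers entered more than once."""
    counts = Counter(r.doc_no for r in records)
    return sorted(d for d, n in counts.items() if n > 1)


def audit_batch(expected, records):
    """Run the three tests and return the findings for the error log."""
    return {
        "bad_check_digits": [r.doc_no for r in records if not luhn_valid(r.doc_no)],
        "total_discrepancies": reconcile_batch(expected, records),
        "duplicates": duplicate_items(records),
    }


# Constructed sample batch: document 10025 was keyed twice, and document
# 10041 was keyed as 10042 (a mistyped last digit, so the check digit fails).
SAMPLE_BATCH = [
    SourceRecord("10017", 4010, Decimal("120.50")),
    SourceRecord("10025", 4020, Decimal("75.00")),
    SourceRecord("10033", 4010, Decimal("200.00")),
    SourceRecord("10025", 4020, Decimal("75.00")),
    SourceRecord("10042", 4030, Decimal("50.00")),
]

# Constructed control totals prepared from the four paper source documents
# (10017, 10025, 10033, 10041) before they were keyed.
SAMPLE_CONTROL_TOTALS = {
    "record_count": 4,
    "financial_total": Decimal("445.50"),
    "hash_total": 4010 + 4020 + 4010 + 4030,
}


def run_example():
    return audit_batch(SAMPLE_CONTROL_TOTALS, SAMPLE_BATCH)


if __name__ == "__main__":
    for finding, detail in run_example().items():
        print(f"{finding}: {detail}")
```

All three findings point at the same two keying errors from different directions: the check digit catches the mistyped document number at entry, the duplicate test catches the re-keyed document, and the batch totals show that the file as input does not match what the data control group logged, which is the discrepancy the tests-of-controls step above says to reconcile and follow up.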