Summary with the 13th edition of Accounting Information Systems by Romney & Steinbart


Accounting information systems: an overview - Chapter 1

In this chapter we begin by explaining important terms and discussing the kinds of information that organizations need and the business process used to produce that information. We continue with an explanation of what an accounting information system (AIS) is, how it adds value to an organization and more.

A system is a set of two or more interrelated components that interact to achieve a goal. Most systems are composed of smaller subsystems that support the larger system.

Goal conflict occurs when a subsystem is inconsistent with the goals of another subsystem or with the system as a whole.

Goal congruence occurs when a subsystem achieves its goals while contributing to the organization’s overall goal. The larger the organization and the more complicated the system, the more difficult it is to achieve goal congruence.

Data are facts that are collected, recorded, stored, and processed by an information system. Companies need to collect several kinds of data. Information is data that have been organized and processed to provide meaning and improve the decision making process.

There are limits to the amount of information the human mind can absorb and process. An information overload occurs when those limits are passed, resulting in a decline in decision making quality and an increase in the cost of providing that information. Information systems designers use information technology (IT) to help decision makers more effectively filter and condense information.

The value of information is the benefit produced by the information minus the cost of producing it. Benefits of information are reduced uncertainty, improved decisions, and an improved ability to plan and schedule activities. The costs are the time and resources spent to produce and distribute the information.

All organizations have certain business processes that they are continuously engaged in. A business process is a set of related, coordinated, and structured activities and tasks that are performed by a person or by a computer or a machine, and that help accomplish a specific organizational goal. To make effective decisions, organizations must decide what decisions they need to make, what information they need to make the decisions, and how to gather and process the data needed to produce the information.

It’s possible to reorganize a business process into groups of related transactions. A transaction is an agreement between two entities to exchange goods or services or any other event that can be measured in economic terms by an organization. The process that begins with capturing transaction data and ends with informational output, such as the financial statements, is called transaction processing.

Many business activities are pairs of events involved in a give-get exchange. Most organizations engage in a small number of give-get exchanges, but each type of exchange happens many times.

These exchanges can be grouped into five business processes, or transaction cycles:

  • Revenue cycle, where goods and services are sold for cash or a future promise to receive cash.

  • Expenditure cycle, where companies purchase inventory for resale or raw materials to use in producing products in exchange for cash or a future promise to pay cash.

  • Production or conversion cycle, where raw materials are transformed into finished goods.

  • Human resource/payroll cycle, where employees are hired, trained, compensated, evaluated, promoted, and terminated.

  • Financing cycle, where companies sell shares in the company to investors and borrow money, and where investors are paid dividends and interest is paid on loans.

It has often been said that accounting is the language of business. An accounting information system (AIS) is the intelligence, the information-providing vehicle, of that language. Accounting is a data identification, collection, and storage process as well as an information development, measurement, and communication process. An AIS can be a paper-and-pencil manual system, a complex system using the latest in IT, or something in between. The AIS must collect, enter, process, store and report data and information. Paper and pencil, or the computer, are merely the tools used to produce the information.

There are six components of an AIS:

  1. The people who use the system

  2. The procedures and instructions used to collect, process, and store data

  3. The data about the organization and its business activities

  4. The software used to process the data

  5. The information technology infrastructure

  6. The internal controls and security measures that safeguard AIS data

These components enable an AIS to fulfil three important business functions:

  1. Collect and store data about organizational activities, resources, and personnel.

  2. Transform data into information so management can plan, execute, control, and evaluate activities, resources and personnel.

  3. Provide adequate controls to safeguard the organization’s assets and data.

A well-designed accounting information system can add value to an organization by:

  1. Improving the quality and reducing the cost of products or services.

  2. Improving efficiency

  3. Sharing knowledge

  4. Improving the efficiency and effectiveness of its supply chain

  5. Improving the internal control structure

  6. Improving decision making

There are three factors that influence the design of an accounting information system (see figure 1.4 page 33).

  1. Organizational culture

  2. Business strategy

  3. Information technology

Predictive analysis is based on historical trends and calculated probabilities. Predictive analysis provides an educated guess of what one may expect to see in the near future allowing companies to make better business decisions and improve their process.

An organization’s AIS plays an important role in helping it adopt and maintain a strategic position. Achieving a close fit among activities requires that data be collected about each activity. It is also important that the information system collect and integrate both financial and non-financial data about the organization’s activities.

To provide value to their customers, most organizations perform a number of different activities. Figure 1-5 page 34 shows that those activities can be conceptualized as forming a value chain consisting of five primary activities that directly provide value to customers:

  1. Inbound logistics. Consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells.

  2. Operations. Activities transform inputs into final products or services.

  3. Outbound logistics. Activities distribute finished products or services to customers.

  4. Marketing and sales. Activities help customers buy the organization’s products or services.

  5. Service. Activities provide post-sale support to customers.

Primary activities and examples:

  • Inbound logistics: receiving and storing materials

  • Operations: manufacturing and repackaging

  • Outbound logistics: distribution and shipping

  • Marketing and sales: advertising and selling

  • Service: repair and maintenance

Support activities allow the five primary activities to be performed efficiently and effectively. They are grouped into four categories:

  1. Firm infrastructure. Is the accounting, finance, legal, and general administration activities that allow an organization to function.

  2. Human resources. Activities include recruiting, hiring, training, and compensating employees.

  3. Technology. Activities improve a product or service.

  4. Purchasing. Activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities.

An organization’s value chain is a part of a larger system, called the supply chain.

Overview of transaction processing and enterprise resource planning systems - Chapter 2

This chapter is divided into two major sections. The first section discusses the data processing cycle and its role in organizing business activities and providing information to users. The second section discusses the role of the information system in modern organizations and introduces the concept of an enterprise resource planning (ERP) system. An ERP can integrate all aspects of a company’s operations with its traditional AIS.

Accountants and other system users play a significant role in the data processing cycle. One important AIS function is to process company transactions effectively and efficiently. The operations performed on data to generate meaningful and relevant information are referred to collectively as the data processing cycle. This process consists of four steps: data input, data storage, data processing and information output.

Data input

The first step in processing input is to capture transaction data and enter them into the system. The data capture process is usually triggered by a business activity. Most businesses used paper source documents to collect data about their business activities and later transferred those data into the computer. When data are entered using computer screens, the screens often retain the same name and basic format as the paper source documents they replaced.

Turnaround documents are company output sent to an external party, who often adds data to the document, and then are returned to the company as an input document. They are in machine-readable form to facilitate their subsequent processing as input records.

Source data automation devices capture transaction data in machine-readable form at the time and place of their origin.

The second step in processing input is to make sure captured data are accurate and complete.

Data storage

A company’s data are one of its most important resources. Accountants need to understand how data are organized and stored in an AIS and how they can be accessed. They need to know how to manage data for maximum corporate use.

Cumulative accounting information is stored in general and subsidiary ledgers. A general ledger contains summary-level data for every asset, liability, equity, revenue, and expense account. A subsidiary ledger contains detailed data for any general ledger account with many individual subaccounts. The general ledger account corresponding to a subsidiary ledger is called a control account.

Data in ledgers is organized logically using coding techniques.

Coding is the systematic assignment of numbers or letters to items to classify and organize them.

  • Sequence codes: items are numbered consecutively to account for all items.

  • Block codes: blocks of numbers are reserved for specific categories of data.

  • Group codes: which are two or more subgroups of digits used to code items, are often used in conjunction with block codes.

  • Mnemonic codes: letters and numbers are interspersed to identify an item.

A great example of coding is the chart of accounts, which is a list of the numbers assigned to each general ledger account.

Transaction data are often recorded in a journal before they are entered into a ledger. A journal entry shows the accounts and amounts to be debited and credited. A general journal is used to record infrequent or non-routine transactions. Specialized journals record large numbers of repetitive transactions.

An audit trail is a traceable path of a transaction through a data processing system from point of origin to final output, or backwards from final output to the point of origin.
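As an added example (not code from the textbook), the ledger model below ties the last few paragraphs together: a block-coded chart of accounts, a journal whose entries carry the source document number, posting to a general ledger and a subsidiary ledger, a control account reconciliation, and an audit trail that can be followed from a source document forward to the accounts it reached, or from an account balance backward to the source documents behind it. The account numbers, the block layout (first digit 1 = assets, 2 = liabilities, and so on) and the transactions are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


# Block codes for the chart of accounts. The block layout and the account
# numbers are assumptions made for this example, not the textbook's chart.
BLOCKS = {"1": "asset", "2": "liability", "3": "equity", "4": "revenue", "5": "expense"}
CHART_OF_ACCOUNTS = {
    "1100": "Cash",
    "1200": "Accounts receivable",  # control account for the customer subsidiary ledger
    "4100": "Sales",
}


def account_type(code: str) -> str:
    """Classify an account number by its block code; unknown codes are rejected, not guessed."""
    if code not in CHART_OF_ACCOUNTS:
        raise ValueError(f"unknown account {code}")
    return BLOCKS[code[0]]


@dataclass
class JournalEntry:
    entry_id: str
    source_doc: str  # the invoice, remittance or voucher number this entry traces back to
    lines: list      # (account, debit, credit, subaccount or None)


def is_balanced(entry: JournalEntry) -> bool:
    """Every journal entry must have equal debits and credits (to the cent)."""
    debits = sum(line[1] for line in entry.lines)
    credits = sum(line[2] for line in entry.lines)
    return abs(debits - credits) < 0.005


class Ledger:
    def __init__(self):
        self.journal = []
        self.general = defaultdict(float)  # account -> balance, debits positive
        self.subsidiary = defaultdict(lambda: defaultdict(float))  # control account -> subaccount -> balance
        self.postings = defaultdict(list)  # account -> entry ids posted to it, in order

    def post(self, entry: JournalEntry) -> None:
        """Post a balanced journal entry to the general ledger and, where a subaccount is given, the subsidiary ledger."""
        if not is_balanced(entry):
            raise ValueError(f"{entry.entry_id}: debits and credits differ")
        for account, debit, credit, sub in entry.lines:
            account_type(account)  # raises on an account that is not in the chart
            self.general[account] += debit - credit
            if sub is not None:
                self.subsidiary[account][sub] += debit - credit
            self.postings[account].append(entry.entry_id)
        self.journal.append(entry)

    def control_account_differences(self) -> dict:
        """Control account balance minus the sum of its subsidiary accounts; anything but 0 needs investigating."""
        return {acct: round(self.general[acct] - sum(subs.values()), 2)
                for acct, subs in self.subsidiary.items()}

    def trace_back(self, account: str) -> list:
        """Audit trail backwards: from a ledger account to the source documents behind its balance."""
        by_id = {e.entry_id: e for e in self.journal}
        return [(eid, by_id[eid].source_doc) for eid in self.postings[account]]

    def trace_forward(self, source_doc: str) -> list:
        """Audit trail forwards: from a source document to every account it was posted to."""
        return sorted({line[0] for e in self.journal if e.source_doc == source_doc
                       for line in e.lines})


def build_sample_ledger() -> Ledger:
    """Constructed transactions: a credit sale to customer A, then a partial collection."""
    lg = Ledger()
    lg.post(JournalEntry("J1", "INV-1001", [("1200", 500.0, 0.0, "CUST-A"), ("4100", 0.0, 500.0, None)]))
    lg.post(JournalEntry("J2", "REM-2001", [("1100", 200.0, 0.0, None), ("1200", 0.0, 200.0, "CUST-A")]))
    return lg


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.control_account_differences())  # {'1200': 0.0}
    print(ledger.trace_back("1200"))             # [('J1', 'INV-1001'), ('J2', 'REM-2001')]
```

A credit posted to the control account with no subsidiary detail (for instance a manual adjustment) shows up as a nonzero control account difference; the two trace functions are what make such a difference investigable rather than merely visible.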

An entity is something about which information is stored, such as employees, inventory items, and customers. Each entity has attributes, or characteristics of interest, that are stored. Each instance of an entity type possesses the same set of attributes. The fields containing data about entity attributes constitute a record.

The specific content stored in a field is called a data value.

See figure 2.2 page 52 for a visual display.

A file is a group of related records. A master file stores cumulative information about an organization; the inventory and equipment master files, for example, store information about important organizational resources.

A transaction file contains records of individual business transactions that occur during a specific time.

A set of interrelated, centrally coordinated files is referred to as a database.

Data processing

Once business activity data have been entered into the system, they must be processed to keep the databases current. The four different types of data processing activities are:

  1. Creating new data records, such as adding a newly hired employee to the payroll database.

  2. Reading, retrieving or viewing existing data

  3. Updating previously stored data

  4. Deleting data, such as purging the vendor master file of all vendors the company no longer does business with.

Updating done periodically is referred to as batch processing. Batch processing is cheaper and more efficient, but the data are current and accurate only immediately after processing. For that reason, batch processing is used only for applications, such as payroll, that do not need frequent updating and that naturally occur or are processed at fixed time periods.

Most companies update each transaction as it occurs; this is referred to as online, real-time processing. It ensures that stored information is always current, thereby increasing its decision-making usefulness. It is also more accurate, because data input errors can be corrected in real time or the input refused. It also provides significant competitive advantages.

A combination of the two approaches is online batch processing, where transaction data are entered and edited as they occur and stored for later processing. Batch processing and online real time processing are summarized in figure 2.5 on page 55.
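An added example, not from the textbook, contrasting online batch processing with online real-time processing on a constructed customer master file. The edit checks (customer exists, positive amount, valid date, known transaction type) are assumptions standing in for whatever validation a real system applies; what the example shows is that both approaches refuse bad input at the moment of entry, but only the real-time system's master file is current between batch runs.

```python
from datetime import date


def new_master_file() -> dict:
    """Constructed customer master file: customer number -> balance owed."""
    return {"CUST-A": 500.0, "CUST-B": 0.0}


def edit_checks(txn: dict, master: dict) -> list:
    """Input edit checks run at data entry. Returns the list of errors; an empty list means accept."""
    errors = []
    if txn.get("customer") not in master:
        errors.append("unknown customer")
    amount = txn.get("amount")
    if not isinstance(amount, (int, float)) or isinstance(amount, bool) or amount <= 0:
        errors.append("amount must be a positive number")
    try:
        date.fromisoformat(str(txn.get("date", "")))
    except ValueError:
        errors.append("date must be a valid YYYY-MM-DD date")
    if txn.get("type") not in ("sale", "receipt"):
        errors.append("type must be sale or receipt")
    return errors


def apply_to_master(master: dict, txn: dict) -> None:
    """Post one validated transaction: sales increase the balance owed, receipts reduce it."""
    sign = 1.0 if txn["type"] == "sale" else -1.0
    master[txn["customer"]] += sign * txn["amount"]


class OnlineBatchSystem:
    """Transactions are edited as they are entered (bad ones refused at once) but are held
    in a transaction file and posted to the master file later, in a periodic batch."""

    def __init__(self, master: dict):
        self.master = master
        self.transaction_file = []  # accepted, not yet posted
        self.rejected = []          # (transaction, errors)

    def enter(self, txn: dict) -> bool:
        errors = edit_checks(txn, self.master)
        if errors:
            self.rejected.append((txn, errors))
            return False
        self.transaction_file.append(txn)
        return True

    def run_batch(self) -> int:
        """The periodic update run; returns the number of transactions posted."""
        for txn in self.transaction_file:
            apply_to_master(self.master, txn)
        posted, self.transaction_file = len(self.transaction_file), []
        return posted


class OnlineRealTimeSystem:
    """Each accepted transaction updates the master file immediately."""

    def __init__(self, master: dict):
        self.master = master
        self.rejected = []

    def enter(self, txn: dict) -> bool:
        errors = edit_checks(txn, self.master)
        if errors:
            self.rejected.append((txn, errors))
            return False
        apply_to_master(self.master, txn)
        return True
```

Between `enter` and `run_batch` the batch system's master file still shows the old balance, which is the "current and accurate only immediately after processing" limitation described above; a report run in that window is stale even though every transaction in it passed validation.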

Information output

This is the final step in the data processing cycle. When displayed on a monitor, output is referred to as ‘soft copy’; when printed on paper, it is referred to as ‘hard copy’. Information is usually presented in one of three forms: a document, a report, or a query response.

Documents are records of transactions or other company data. Some, such as checks or invoices, are transmitted to external parties. Others, such as receiving reports and purchase requisitions, are used internally. Documents can be printed out, or they can be stored as electronic images in a computer. Eliminating paper documents dramatically reduces costs and errors, which has resulted in higher profits and more accurate information.

Reports are used by employees to control operational activities and by managers to make decisions and to formulate business strategies. External users need reports to evaluate the company. Some reports are produced on a regular basis and others are produced on an exception basis to call attention to unusual conditions. The need for reports should be periodically assessed.

A database query is used to provide the information needed to deal with problems and questions that need rapid actions or answers. A user enters a request for a specific piece of information: it is retrieved, displayed or analysed as requested. Repetitive queries are often developed by information systems specialists. One time queries are often developed by users.

Traditionally, organizations had separate systems for each business function. The existence of multiple systems creates many problems and inefficiencies: the same data are stored in several places and formats, and it is difficult to integrate data from the various systems.

Enterprise resource planning (ERP) systems overcome these problems as they integrate all aspects of a company’s operations with a traditional accounting information system. Most large and medium sized organizations use ERP systems to coordinate and manage their data, business processes, and resources. The ERP system collects, processes, and stores data and provides the information managers and external parties need to assess the company.

An ERP system uses a centralized database to share information across business processes and coordinate activities. This is important because an activity that is part of one business process often triggers a complex series of activities throughout many different parts of the organization.

ERP systems are modular, with each module using best business practices to automate a standard business process.

Typical ERP modules include:

  • Financial (general ledger and reporting system)

  • Human resources and payroll

  • Order to cash (revenue cycle)

  • Purchase to pay (disbursement cycle)

  • Manufacturing (production cycle)

  • Project management

  • Customer relationship management

  • System tools

A few advantages of a centralized database (ERP system):

  • An ERP provides an integrated, enterprise-wide, single view of the organization’s data and financial situation

  • Data input is captured or keyed once

  • Management gains greater visibility into every area of the enterprise and greater monitoring capabilities

  • The organization gains better access control

  • Manufacturing plants receive new orders in real time

  • Procedures and reports are standardized across business units

A few disadvantages of the ERP system

  • Amount of time required

  • Changes to the business process

  • Cost

  • Complexity

  • Resistance

Systems documentation techniques - Chapter 3

Documentation encompasses the narratives, flowcharts, diagrams, and other written materials that explain how the system works. This information covers the who, what, when, where, why, and how of data entry, processing, storage, information output, and system controls. Popular means of documenting a system include diagrams, flowcharts, tables, and other graphical representation of information. These are supplemented by a narrative description of the system, a written step by step explanation of the system components and interactions. In this chapter, we explain two common systems documentation tools: data flow diagrams and flowcharts.

Documentation tools are important on the following levels:

  1. At a minimum, you must be able to read documentation to determine how the system works.

  2. You may need to evaluate internal control systems documentation to identify strengths and weaknesses and recommend improvements.

  3. More skill is needed to prepare internal control documentation or documentation that shows how an existing or proposed system operates.

This chapter discusses the following documentation tools:

  • Data flow diagram (DFD). This is a graphical description of data sources, flows, processes, storage and destinations.

  • Document flowchart. This is a graphical description of the flow of documents and information between departments or areas of responsibility.

  • System flowchart. This is a graphical description of the relationship among the input, processing, and output in an information system.

  • Program flowchart. This is a graphical description of the sequence of logical operations a computer performs as it executes a program.

Accountants use documentation techniques extensively. Auditing standards require that independent auditors understand the automated and manual internal control procedures an entity uses. One good way to gain this understanding is to use flowcharts to document the internal control system, because such graphic portrayals more readily reveal weaknesses and strengths.

Documentation tools are also used extensively in the system development process. In addition, the team members who develop information systems applications often change, and documentation tools help the new team members get up to speed quickly.

The documentation tools in this chapter are used throughout the book. They are also tested on professional examinations, and learning about them better prepares you for these examinations.

A data flow diagram (DFD) graphically describes the flow of data within an organization. It uses four symbols to represent four basic elements: data sources and destinations, data flows, transformation processes, and data stores.

A data source and data destination are entities that send or receive data that the system uses or produces. An entity can be both a source and a destination. Data sources and destinations are represented by square boxes. Data destinations are also referred to as data sinks.

A data flow is the movement of data among processes, stores, sources, and destinations. A flow of data into or out of a process is represented by a curved or straight line with an arrow. Data that pass between a data store and a source or destination must go through a transformation process. Data flows are labelled to show what information is flowing; the only exception is a data flow between a process and a data store. If two or more data flows move together, a single line is used.

Processes represent the transformation of data. A transformation process transforms data from inputs into outputs and is represented by a circle; processes are therefore often referred to as bubbles.

A data store is a repository of data. Data flow diagrams do not show the physical storage medium used to store the data. The storage of data is represented by two horizontal lines, with the name of the file written inside the lines.

DFDs are subdivided into successively lower levels to provide ever-increasing amounts of detail, because few systems can be fully diagrammed on one sheet of paper. The highest-level DFD is referred to as a context diagram, because it provides the reader with a summary-level view of a system. It depicts a data processing system and the entities that are the sources and destinations of system inputs and outputs.

Example. The activities, data inputs and data outputs of a payroll process:

  • Update employee/payroll file. Inputs: new employee form, employee change form. Outputs: updated employee/payroll file.

  • Pay employees. Inputs: time cards, employee/payroll file, tax rates table. Outputs: employee checks, payroll register, updated employee/payroll file, payroll check, payroll cash disbursements voucher.

  • Prepare reports. Inputs: employee/payroll file. Outputs: payroll report.

  • Pay taxes. Inputs: employee/payroll file. Outputs: tax report, tax payment, payroll tax cash disbursements voucher, updated employee/payroll file.

  • Update general ledger. Inputs: payroll tax cash disbursements voucher, payroll cash disbursements voucher. Outputs: updated general ledger.
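An added example, not from the textbook: a checker for the DFD rules stated above (a data store and a source or destination only exchange data through a process; every flow is labelled except one between a process and a data store), plus two standard DFD rules the text does not state (no direct entity-to-entity or store-to-store flows, and every process has at least one input and one output). It is run on a DFD built from the payroll activity list; the external entities (HR department, Employees, Management, Bank, Government agencies) and the General ledger data store are assumptions added to make the diagram complete.

```python
from collections import defaultdict

ENTITY, PROCESS, STORE = "entity", "process", "store"


def validate_dfd(elements: dict, flows: list) -> list:
    """Check a DFD against the drawing rules. Returns the violations found (empty list = well-formed).

    elements: {name: ENTITY | PROCESS | STORE}
    flows:    [(source, destination, label or None)]
    """
    problems = []
    inputs, outputs = defaultdict(int), defaultdict(int)
    for src, dst, label in flows:
        undefined = [end for end in (src, dst) if end not in elements]
        if undefined:
            problems.append(f"flow {src!r} -> {dst!r}: undefined element(s) {undefined}")
            continue
        ks, kd = elements[src], elements[dst]
        outputs[src] += 1
        inputs[dst] += 1
        # Rule from the text: a store and a source/destination may only exchange data through a
        # process. The same test also rejects entity-entity and store-store flows (standard DFD rule).
        if PROCESS not in (ks, kd):
            problems.append(f"flow {src!r} -> {dst!r}: {ks} to {kd} must pass through a process")
        # Rule from the text: every flow is labelled except one between a process and a data store.
        if label is None and {ks, kd} != {PROCESS, STORE}:
            problems.append(f"flow {src!r} -> {dst!r}: only a process/data store flow may be unlabelled")
    # Standard DFD rule (not stated in the text): a process with no input or no output transforms nothing.
    for name, kind in elements.items():
        if kind == PROCESS and (inputs[name] == 0 or outputs[name] == 0):
            problems.append(f"process {name!r}: needs at least one input and one output")
    return problems


def payroll_dfd():
    """Payroll DFD constructed from the activity list above; the external entities are assumed."""
    elements = {
        "HR department": ENTITY, "Employees": ENTITY, "Management": ENTITY,
        "Bank": ENTITY, "Government agencies": ENTITY,
        "Update employee/payroll file": PROCESS, "Pay employees": PROCESS,
        "Prepare reports": PROCESS, "Pay taxes": PROCESS, "Update general ledger": PROCESS,
        "Employee/payroll file": STORE, "Tax rates table": STORE, "General ledger": STORE,
    }
    flows = [
        ("HR department", "Update employee/payroll file", "New employee form"),
        ("HR department", "Update employee/payroll file", "Employee change form"),
        ("Update employee/payroll file", "Employee/payroll file", None),
        ("Employees", "Pay employees", "Time cards"),
        ("Employee/payroll file", "Pay employees", None),
        ("Tax rates table", "Pay employees", None),
        ("Pay employees", "Employees", "Employee checks"),
        ("Pay employees", "Management", "Payroll register"),
        ("Pay employees", "Employee/payroll file", None),
        ("Pay employees", "Bank", "Payroll check"),
        ("Pay employees", "Update general ledger", "Payroll cash disbursements voucher"),
        ("Employee/payroll file", "Prepare reports", None),
        ("Prepare reports", "Management", "Payroll report"),
        ("Employee/payroll file", "Pay taxes", None),
        ("Pay taxes", "Government agencies", "Tax report"),
        ("Pay taxes", "Government agencies", "Tax payment"),
        ("Pay taxes", "Update general ledger", "Payroll tax cash disbursements voucher"),
        ("Pay taxes", "Employee/payroll file", None),
        ("Update general ledger", "General ledger", None),
    ]
    return elements, flows


if __name__ == "__main__":
    els, fl = payroll_dfd()
    print(validate_dfd(els, fl))  # []
    bad = fl + [("Employee/payroll file", "Management", "Employee list")]
    print(validate_dfd(els, bad))  # one violation: store to entity without a process
```

The store-to-entity check is the one with security content: a flow that hands a data store straight to an outside party bypasses whatever access decisions the intervening process would have made, so a reviewer reading a DFD for internal control should treat such a flow as a finding, not a drawing shortcut.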

A flowchart is an analytical technique used to describe some aspect of an information system in a clear, concise, and logical manner. Flowcharts use a standard set of symbols to describe pictorially the transaction processing procedures a company uses and the flow of data through a system.

Flowcharting was introduced by industrial engineers in the 1950s as a way of recording how business processes are performed and documents flow and analysing how to improve processes and document flows.

Flowcharts have significant advantages. A pictorial representation is much easier to understand than a narrative description. Both the auditor and the business owner can use the flowchart as a working tool during discussions. For an experienced flowcharter using a computerized drawing tool, flowcharts provide an easy way to capture and record data during interviews, and they can be easily and quickly revised.

Flowcharts also do have some disadvantages. Some people do not like or understand them. Many are poorly drawn and therefore not as helpful as they should be. They are time-consuming to prepare if the flowcharter is not trained properly.

Flowcharting symbols are divided into four categories:

  1. Input/output symbols represent devices or media that provide input to or record output from processing operations.

  2. Processing symbols show what type of device is used to process data, or indicate when processing is performed manually.

  3. Storage symbols represent the devices used to store data.

  4. Flow and miscellaneous symbols indicate the flow of data, where flowcharts begin or end, where decisions are made, and when to add explanatory notes to flowcharts.

See figure 3.8 page 76 and page 77 for an overview of the common flowcharting symbols.

A document flowchart illustrates the flow of documents and information among areas of responsibility within an organization. They trace a document from its cradle to its grave, showing where each document originates, its distribution, its purpose, its disposition, and everything that happens as it flows through the system.

A document flowchart is particularly useful in analysing internal control procedures.

Document flowcharts that describe and evaluate internal controls are often referred to as internal control flowcharts. They can reveal system weaknesses or inefficiencies.

System flowcharts depict the relationships among system input, processing and output. A system flowchart begins by identifying system inputs and their origins. The input is followed by the processing performed on the data. The resulting new information is the output component, which can be stored for later use, displayed on a screen, or printed on paper. In many instances, the output from one process is an input to another.

System flowcharts are an important system analysis, design, and evaluation tool. They are universally employed in systems work and provide an immediate form of communication among workers. The system flowchart is an excellent vehicle for describing information flows and procedures within an accounting information system.

Program flowcharts illustrate the sequence of logical operations performed by a computer in executing a program. A program flowchart describes the specific logic used to perform a process shown on a system flowchart. Program flowcharts employ a subset of the symbols shown in figure 3.8. Once designed and approved, the program flowchart serves as the blueprint for coding the computer program.

Computer fraud - Chapter 5

This chapter introduces the topic of computer fraud. What is fraud? How is fraud perpetrated? How vulnerable is a company’s computer system?

As accounting information systems grow more complex to meet our escalating needs for information, companies face the growing risk that their systems may be compromised. Recent surveys show that 67% of companies had a security breach, over 45% were targeted by organized crime, and 60% reported financial losses.

There are four types of threats to accounting information systems.

  1. Natural and political disasters. For example: fire or excessive heat; floods, earthquakes, landslides, hurricanes, tornadoes, blizzards, snowstorms, and freezing rain; war and attacks by terrorists.

  2. Software errors and equipment malfunction. For example: hardware or software failure, software errors or bugs, operating system crashes, power outages and fluctuations, and undetected data transmission errors.

  3. Unintentional acts. For example: accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel; innocent errors or omissions; lost, erroneous, destroyed, or misplaced data; logic errors; and systems that do not meet company needs or cannot handle intended tasks.

  4. Intentional acts (computer crimes). For example: sabotage, corruption, computer fraud, financial statement fraud, misappropriation of assets, and misappropriation, false use, or unauthorized disclosure of data.

A cookie is a small text file that a website stores on your computer so that the website can recognize you (or your session) on later visits, for example so that you do not have to log on each time you visit the site.

Fraud is gaining an unfair advantage over another person. Legally, for an act to be fraudulent there must be:

  • A false statement, representation, or disclosure

  • A material fact, which is something that induces a person to act

  • An intent to deceive

  • A justifiable reliance. That is the person relies on the misrepresentation to take an action

  • An injury or loss suffered by the victim

An estimated 75% to 90% of computer fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources. Because employees understand a company’s system and its weaknesses, they are better able to commit and conceal a fraud. The controls used to protect corporate assets make it more difficult for an outsider to steal from a company. Fraud perpetrators are often referred to as white-collar criminals.

Fraud takes two forms

  • Misappropriation of assets: the theft of company assets. The most significant contributing factor in most misappropriations is the absence of internal controls and/or the failure to enforce existing internal controls.

  • Fraudulent financial reporting defined as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements. Financial statements are falsified to deceive investors and creditors, increase a company’s stock price, meet cash flow needs, or hide company losses and problems.

The Treadway Commission recommended four actions to reduce fraudulent financial reporting:

  1. Establish an organizational environment that contributes to the integrity of the financial reporting process.

  2. Identify and understand the factors that lead to fraudulent financial reporting.

  3. Assess the risk of fraudulent financial reporting within the company.

  4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting.

The Association of Certified Fraud Examiners found that an asset misappropriation is 17 times more likely than fraudulent financial reporting but that the amounts involved are much smaller.

SAS No. 99 (Statement on Auditing Standards) was adopted to clarify the auditor’s responsibility to detect fraud. It requires auditors to:

  • Understand fraud

  • Discuss the risk of material fraudulent misstatements

  • Obtain information

  • Identify, assess, and respond to risks

  • Evaluate the results of their audit tests

  • Document and communicate findings

  • Incorporate a technology focus

When researchers compared the psychological and demographic characteristics of white-collar criminals, violent criminals, and the public, they found significant differences between violent and white-collar criminals. Fraud perpetrators look just like you and me. Some are disgruntled and unhappy with their jobs and seek revenge against employers. Most have no previous criminal record. Some are motivated by curiosity, a quest for knowledge, the desire to learn how things work, and the challenge of beating the system.

Three conditions are present when fraud occurs.

  1. Pressure. A pressure is a person’s incentive or motivation for committing fraud. There are three types of pressure. The first is financial pressure, which often motivates misappropriation frauds by employees. The second is emotional: many frauds are motivated by greed, and some employees turn to fraud because they have strong feelings of resentment or believe they have been treated unfairly. The third is lifestyle: the person may need funds to support a gambling habit or a drug or alcohol addiction, or may commit fraud to keep pace with other family members.

  2. Opportunities. This is the condition or situation that allows a person or organization to do three things.

    1. Commit the fraud

    2. Conceal the fraud

      1. Lapping: a perpetrator steals the cash or checks customer A mails in to pay its accounts receivable, then hides the shortage by crediting A’s account with a later payment from customer B, B’s account with a payment from customer C, and so on.

      2. Kiting: cash is created using the lag between the time a check is deposited and the time it clears the bank.

    3. Convert the theft or misrepresentation to personal gain

  3. Rationalization. A rationalization allows perpetrators to justify their illegal behavior. Perpetrators rationalize that they are not being dishonest, that honesty is not required of them, or that they value what they take more than honesty and integrity.

Computer fraud is any fraud that requires computer technology knowledge to perpetrate, investigate, or prosecute it. Millions of dollars can be stolen in less than a second, leaving little or no evidence. Therefore, computer fraud can be much more difficult to detect than other types of fraud.

Computer systems are particularly vulnerable for the following reasons:

  • People who break into corporate databases can steal, destroy, or alter massive amounts of data in very little time.

  • Perpetrators can steal many more assets with much less time and effort.

  • Some organizations grant employees, customers, and suppliers access to their system.

  • Computer programs need to be modified illegally only once for them to operate improperly for as long as they are in use.

  • Personal computers are vulnerable to security risks.

  • Computer systems face a number of unique challenges.

The number of incidents, the total dollar losses, and the sophistication of the perpetrators and the schemes used to commit computer fraud are increasing rapidly for several reasons:

  1. Not everyone agrees on what constitutes computer fraud

  2. Many instances of computer fraud go undetected

  3. A high percentage of frauds is not reported

  4. Many networks are not secure

  5. Internet sites offer step-by-step instructions on how to perpetrate computer fraud and abuse

  6. Law enforcement cannot keep up with the growth of computer fraud

  7. Calculating losses is difficult

Computer fraud can be categorized using the data processing model:

  • Input fraud. The simplest and most common way to commit a computer fraud is to alter or falsify computer input. It requires little skill. Perpetrators need only understand how the system operates so they can cover their tracks.

  • Processor fraud. It includes unauthorized system use, including the theft of computer time and services.

  • Computer instruction fraud. This type of fraud includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity. The approach used to be uncommon, but today it’s more frequent.

  • Data fraud. This is illegally using, copying, browsing, searching, or harming company data. The biggest cause of data breaches is employee negligence. In the absence of controls, it is not hard for employees to steal data.

  • Output fraud. Unless properly safeguarded, displayed or printed output can be stolen, copied, or misused. Fraud perpetrators use computers to forge authentic-looking outputs, such as a paycheck.

Control and accounting information systems - Chapter 7

There are a few reasons why threats to accounting information systems are increasing. The first reason is that information is available to an unprecedented number of workers. Besides, information on distributed computer networks is hard to control. Information is often distributed among many systems and thousands of employees. Customers and suppliers have access to each other’s systems and data.

Any potential adverse occurrence is called a threat or an event. The potential dollar loss from a threat is called the exposure or impact. The probability that it will happen is called the likelihood of the threat.

Internal control is the process implemented to provide reasonable assurance that the following control objectives are achieved. It is a process because it permeates an organization’s activities and is an integral part of management activities. Internal control provides reasonable assurances. Complete assurance is difficult to achieve and prohibitively expensive.

Internal controls perform three important functions:

  1. Preventive controls deter problems before they arise.

  2. Detective controls discover problems that are not prevented.

  3. Corrective controls identify and correct problems as well as correct and recover from the resulting errors.

Internal controls are often segregated into two categories:

  1. General controls. This type of control makes sure an organization’s control environment is stable and well managed.

  2. Application controls. This type of control makes sure transactions are processed correctly.

A Harvard business professor has espoused four levels of control to help management reconcile the conflict between creativity and controls.

  • Belief system. This system describes how the company creates value and helps the employees understand the management’s vision.

  • Boundary system. This system helps employees act ethically by setting boundaries on employee behavior.

  • Diagnostic control system. This type of system measures, monitors, and compares actual company progress to budgets and performance goals.

  • Interactive control system. This system helps managers to focus on key strategic issues and to be more involved in decisions.

The Foreign Corrupt Practices Act (FCPA) was passed to prevent companies from bribing foreign officials to obtain business. In the last 75 years, the Sarbanes-Oxley Act (SOX) is the most important business-oriented legislation. After SOX was passed, the SEC mandated that management must base its evaluation on a recognized control framework. Management also must disclose all material internal control weaknesses and must conclude that a company does not have effective financial reporting internal controls if there are material weaknesses.

There are three frameworks used to develop internal control systems.

  • COBIT framework. ISACA developed the Control Objectives for Information and Related Technology (COBIT) framework. This framework addresses control from three vantage points.

    • Business objectives. The purpose of control is to satisfy business objectives.

    • IT resources. These include people, application systems, technology, facilities and data.

    • IT processes. These are broken into four domains: planning & organization, acquisition & implementation, delivery & support and monitoring & evaluation.

  • The Committee of Sponsoring Organizations (COSO) consists of a few organizations. COSO issued Internal Control – Integrated Framework (IC), which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities.

  • COSO developed another control framework to improve the risk management process. It’s called Enterprise Risk Management – Integrated Framework (ERM). ERM is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.

The internal environment, or company culture, influences how organizations establish strategies and objectives and structure business activities. A weak or deficient internal environment often results in breakdowns in risk management and control. An internal environment consists of the following:

  • Management’s philosophy, operating style, and risk appetite

  • The board of directors

  • Commitment to integrity, ethical values, and competence

  • Organizational structure

  • Methods of assigning authority and responsibility

  • Human resource standards

  • External influences

Companies have a risk appetite, which is the amount of risk they are willing to accept to achieve their goals. To avoid undue risk, the risk appetite must be in alignment with company strategy. The more responsible management’s philosophy and operating style are, and the more clearly they are communicated, the more likely it is that employees will behave responsibly.

An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on its actions. Public companies have an audit committee of outside, independent directors. The audit committee is responsible for financial reporting, regulatory compliance, internal control and hiring and overseeing internal and external auditors.

The policy and procedures manual explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties. The manual includes the chart of accounts and copies of forms and documents. It is a helpful tool for both current employees and new employees.

Employees should be hired based on educational background, experience, achievements, honesty and integrity, and meeting written job requirements. Sometimes there is a background check. A thorough background check includes talking to references, checking for a criminal record, examining credit records, and verifying education and work experience.

One of the greatest control strengths is the honesty of the employees. Policies should convey the required level of expertise, competence, ethical behavior and integrity. The following policies and procedures are important.

  • Hiring

  • Compensating, evaluating and promoting

  • Managing disgruntled employees

  • Discharging

  • Vacations and rotation of duties

  • Confidentiality agreements and fidelity bond insurance

  • Prosecuting and incarcerating perpetrators

Objective setting is the second ERM component. Management determines what the company hopes to achieve, often referred to as the corporate vision or mission. The company determines what must go right to achieve the objectives and establishes performance measures to determine whether they are met. There are four types of objectives:

  • Strategic objectives

  • Operation objectives

  • Reporting objectives

  • Compliance objectives

The risks of an identified event are assessed in several different ways.

Inherent risk exists before management takes any steps to control the likelihood or impact of an event.

The residual risk is what remains after management implements internal controls or some other response to risk. Companies should assess inherent risk, develop a response, and then assess residual risk.

Management can respond to risk in one of four ways:

  • Reduce the likelihood and impact of risk by implementing internal controls

  • Accept the likelihood and impact of the risk

  • Share risk or transfer it to someone else

  • Avoid risk by not engaging in the activity that produces the risk

Accountants and systems designers help management design effective control systems to reduce inherent risk. They also evaluate internal control systems to ensure that they are operating effectively.

One way to estimate the value of the internal controls involves the expected loss, the mathematical product of impact and likelihood.

Expected loss = impact × likelihood

The value of a control procedure is the difference between the expected loss with the control procedure and the expected loss without it.

Control activities are policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out. It is management’s responsibility to develop a secure and adequately controlled system.

Controls are much more effective when placed in the system as it is built, rather than as an afterthought. Managers need to involve systems analysts, designers, and end users when designing computer-based control systems.

Control procedures fall into the following categories:

  • Proper authorization of transactions and activities

  • Segregation of duties

  • Project development and acquisition controls

  • Change management controls

  • Design and use of documents and records

  • Safeguarding assets, records and data

  • Independent checks on performance

Because management lacks the time and resources to supervise each company activity and decision, it establishes policies for employees to follow and then empowers them. This empowerment, called authorization, is an important control procedure. Authorizations are often documented by signing, initialing, or entering an authorization code on a document.

Computer systems can record a digital signature, a means of signing a document with data that cannot be forged.

Certain activities or transactions may be of such consequence that management grants specific authorization for them to occur. In contrast, under general authorization, transactions can be handled without special approval.

Good internal control requires that no single employee be given too much responsibility over business transactions and processes. An employee should not be in a position to commit and conceal fraud. Segregation of duties is discussed in two separate sections: segregation of accounting duties and segregation of system duties.

Effective segregation of accounting duties is achieved when the following functions are separated (see also figure 7.3 on page 217).

  • Authorization: approving transactions and decisions

  • Recording: preparing source documents

  • Custody: handling cash, tools, inventory, or fixed assets

With segregation of system duties, authority and responsibility should be divided clearly among the following functions:

  • Systems administration: makes sure all information system components operate smoothly and efficiently.

  • Network management: ensures that devices are linked to the organization’s internal and external networks.

  • Security management: makes sure that systems are secured and protected from internal and external threats.

  • Change management: makes sure that changes are made smoothly and efficiently.

  • Users: record transactions, authorize data to be processed and use system output.

  • Programming: takes the analysts’ design and creates a system.

  • Computer operations: runs the software on the company’s computers.

  • Information system library: maintains custody of corporate databases, files and programs in a separate storage area.

  • Data control

Important system development controls are the following:

  1. A steering committee. This committee guides and oversees systems development and acquisition.

  2. A strategic master plan. This is a plan developed and updated every year to align an organization’s information system with its business strategies.

  3. A project development plan. This is a plan that shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones.

  4. A data processing schedule. This schedule shows when each task should be performed.

  5. System performance measurements. These are established to evaluate the system. Measurements include throughput, utilization and response time.

  6. A post-implementation review. This review is performed after a development project is completed to determine whether the anticipated benefits were achieved.

Some companies hire a systems integrator to manage a systems development effort involving its own personnel, its client, and other vendors. Companies using systems integrators should use the same project management processes and controls as internal projects. They should develop clear specifications and monitor the project.

Independent checks on performance, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately. They include the following:

  • Top-level reviews. Management should monitor company results and periodically compare actual company performance to planned, prior-period or competitors’ performance.

  • Analytical reviews. This is an examination of the relationships between different sets of data.

  • Reconciliation of independently maintained records. Records should be reconciled to documents or records with the same balance.

  • Comparison of actual quantities with recorded amounts. Significant assets are periodically counted and reconciled to company records.

  • Double-entry accounting. The maxim that debits must equal credits provides numerous opportunities for independent checks.

  • Independent review. After a transaction is processed, a second person reviews the work of the first, checking for proper authorization etc.

Information and communication constitutes the seventh component of ERM and is also a very important component of the accounting information system. This relates directly to the primary purpose of an AIS, which is to gather, record, process, store, summarize, and communicate information about an organization.

An audit trail allows transactions to be traced back and forth between their origination and the financial statements.

Accounting systems generally consist of seven subsystems, each designed to process a particular type of transaction using the same sequence of procedures, called accounting cycles.

ERM processes must be continuously monitored and modified as needed, and deficiencies must be reported to management. Key methods of monitoring performance include the following:

  • Perform ERM evaluations. Effectiveness is measured using a formal or a self-assessment ERM evaluation.

  • Implement effective supervision. This involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets.

  • Use responsibility accounting systems. These systems include budgets, quotas, schedules, standard costs, and quality standards.

  • Monitor system activities. For example, risk analysis and management software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report the weaknesses found and suggest improvements. The software also monitors and combats viruses, spyware, adware, spam etc.

  • Track purchased software and mobile devices. The Business Software Alliance (BSA) tracks down and fines companies that violate software license agreements. The increasing number of mobile devices should be tracked and monitored, because their loss could represent a substantial exposure.

  • Conduct periodic audits. External, internal and network security audits can assess and monitor risk as well as detect fraud and errors. Informing employees of audits helps resolve privacy issues, deters fraud, and reduces errors. Auditors should regularly test system controls and periodically browse system usage files looking for suspicious activities.

  • Employ a computer security officer and a chief compliance officer. A computer security officer (CSO) is in charge of system security, is independent of the information system function, and reports to the chief operating officer (COO) or the CEO.

  • Engage forensic specialists. Forensic investigators who specialize in fraud are a fast-growing group in the accounting profession. Computer forensics specialists discover, extract, safeguard and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.

  • Install fraud detection software. Neural networks are programs with learning capabilities. These networks can accurately identify fraud.

  • Implement a fraud hotline. A fraud hotline is an effective way to comply with the law and resolve whistle-blower conflict.

Part 1: Information systems controls for system reliability - Chapter 8

Every organization relies on information technology. Management wants assurance that the information produced by its accounting system is reliable. It also wants to know that its investment in information technology is cost effective.

See figure 8.1 on page 240 for the COBIT framework. It shows the business and governance objectives. Information for management must meet several requirements:

  • Effectiveness: the information must be relevant and timely

  • Efficiency: the information must be produced in a cost-effective manner

  • Confidentiality: sensitive information must be protected from unauthorized disclosure.

  • Integrity: the information must be accurate, complete and valid

  • Availability: the information must be available whenever needed

  • Compliance: controls must ensure compliance with internal policies and with external legal and regulatory requirements.

  • Reliability: management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

Information must satisfy the seven criteria listed above. The processes to achieve this are grouped into four basic management activities, also called domains.

  1. Plan and Organize

  2. Acquire and Implement

  3. Deliver and Support

  4. Monitor and Evaluate

COBIT specifies 210 detailed control objectives for the 34 processes that make up these four domains, to enable effective management of an organization’s information resources. It also describes specific audit procedures for assessing the effectiveness of those controls and suggests metrics that management can use to evaluate performance.

The ‘Trust Service Framework’ is not a substitute for COBIT, because it addresses only a subset of the issues covered by COBIT.

The ‘Trust Service Framework’ classifies information systems controls into five categories that most directly pertain to systems reliability:

  • Security

  • Confidentiality

  • Privacy

  • Processing integrity

  • Availability

Two fundamental information security concepts:

  1. Security is a management issue, not a technology issue.

  2. The accuracy of an organization’s financial statements depends upon the reliability of its information systems. Information security is the foundation for systems reliability and the responsibility of management.

Defense-in-depth and time-based model of information security

The idea of defense-in-depth is to employ multiple layers of control in order to avoid having a single point of failure. It typically involves the use of a combination of preventive, detective, and corrective controls. The goal of a time-based model of security is to employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information.

The objective of the time-based model of security can be expressed in a formula that uses the following three variables:

P = the time it takes an attacker to break through the organization’s preventive controls

D = the time it takes to detect that an attack is in progress

C = the time it takes to respond to the attack

If P > D + C, then the organization’s security procedures are effective. Otherwise, they are not. The time-based model of security provides a means for management to identify the most cost-effective approach to improving security by comparing the effects of additional investment in preventive, detective, or corrective controls.
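As an added example (not code from the textbook or this summary), the Chapter 7 expected-loss formula and the P > D + C test above are implemented together below, with a helper that picks the cheapest candidate investment that makes the inequality hold; all dollar figures, hours and investment options are constructed for illustration.

```python
"""Added example, not from the textbook: the Chapter 7 expected-loss
calculation and the Chapter 8 time-based model (P > D + C), applied to
constructed figures to compare candidate control investments."""
from dataclasses import dataclass
from typing import List, Optional


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood (impact in dollars, likelihood per year)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return impact * likelihood


def value_of_control(impact: float, likelihood_without: float,
                     likelihood_with: float, impact_with: Optional[float] = None) -> float:
    """Value of a control = expected loss without it minus expected loss with it.

    A control may reduce the likelihood of the event, its impact, or both.
    """
    if impact_with is None:
        impact_with = impact
    return expected_loss(impact, likelihood_without) - expected_loss(impact_with, likelihood_with)


@dataclass(frozen=True)
class Posture:
    p: float  # P: hours an attacker needs to break through preventive controls
    d: float  # D: hours to detect that an attack is in progress
    c: float  # C: hours to respond to the attack

    def is_effective(self) -> bool:
        """Time-based model: security procedures are effective when P > D + C."""
        return self.p > self.d + self.c

    def margin(self) -> float:
        """P - (D + C): positive means slack, negative means how many hours short."""
        return self.p - (self.d + self.c)


@dataclass(frozen=True)
class Investment:
    """A candidate spend that lengthens P (preventive) or shortens D or C."""
    name: str
    cost: float
    add_p: float = 0.0
    cut_d: float = 0.0
    cut_c: float = 0.0

    def apply(self, s: Posture) -> Posture:
        return Posture(s.p + self.add_p, max(0.0, s.d - self.cut_d), max(0.0, s.c - self.cut_c))


def cheapest_effective(baseline: Posture, options: List[Investment]) -> Optional[Investment]:
    """Least costly single investment that makes P > D + C, or None if none does."""
    effective = [o for o in options if o.apply(baseline).is_effective()]
    return min(effective, key=lambda o: o.cost) if effective else None


# Constructed figures for illustration only.
BASELINE = Posture(p=10, d=8, c=6)  # 10 > 14 is false: not effective as it stands
OPTIONS = [
    Investment("extra firewall layer", cost=50_000, add_p=3),        # 13 > 14? no
    Investment("IDS sensors", cost=30_000, cut_d=5),                 # 10 > 9? yes
    Investment("incident response retainer", cost=20_000, cut_c=3),  # 10 > 11? no
]

if __name__ == "__main__":
    print("expected loss without control:", expected_loss(500_000, 0.04))
    print("value of a control that cuts likelihood to 1%:", value_of_control(500_000, 0.04, 0.01))
    choice = cheapest_effective(BASELINE, OPTIONS)
    print("cheapest investment that makes P > D + C:", choice.name if choice else None)
```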

It is useful to understand the basic steps criminals use to attack an organization’s information system.

  1. Conduct reconnaissance. The goal is to learn as much as possible about the target and to identify potential vulnerabilities.

  2. Attempt social engineering. Social engineering takes place when attackers try to use the information obtained during their initial reconnaissance to ‘trick’ an unsuspecting employee into granting them access. Social engineering attacks often take place over the telephone.

  3. Scan and map the target.

  4. Research.

  5. Execute the attack.

  6. Cover tracks.

Preventive controls

  • Training. People play a critical role in information security, which is why employees must understand and follow the organization’s security policies. Thus, training is a critical preventive control. All employees should be taught why security measures are important and need to be trained to follow safe computing practices. Training is especially needed to educate employees about social engineering attacks. Employees also need to be trained not to allow other people to follow them through restricted access entrances; this social engineering attack is called piggybacking. It can take place both at the main entrance to the building and at any internal locked door.

  • User access controls

  • Physical access controls

  • Network access controls

  • Device and software hardening controls

User access controls

There are two related but distinct types of user access controls: authentication and authorization.

Authentication controls restrict who can access the organization’s information system. Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system. There are three methods of verifying a person’s identity:

  1. Something they know, such as passwords or personal identification numbers

  2. Something they have, such as smart cards or ID badges

  3. Some physical characteristic, such as fingerprints or voice

None of the three basic authentication credentials, by itself, is foolproof. Using two or all three types in conjunction is called multifactor authentication, which is quite effective. Using multiple credentials of the same type is referred to as multiple authentication; it can also improve security.

Authorization controls limit what those individuals can do once they have been granted access. Authorization is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform. Authorization controls are often implemented by creating an access control matrix. When an employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access the resource and perform the requested action.
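As an added example (not code from the textbook), a small access control matrix with the compatibility test run against it for an already-authenticated user; it also checks the matrix for users whose permissions combine the authorization, recording and custody functions that Chapter 7 says must be segregated. Users, resources and actions are constructed.

```python
"""Added example, not from the textbook: an access control matrix, the
compatibility test run against it, and a segregation-of-duties check over
the same matrix. All users, resources and actions are constructed."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Matrix = Dict[Tuple[str, str], FrozenSet[str]]

# Constructed access control matrix: (user, resource) -> permitted actions.
# Anything not listed is denied (default deny).
ACCESS_CONTROL_MATRIX: Matrix = {
    ("alice", "purchase_orders"): frozenset({"read", "approve"}),           # authorization
    ("bob", "purchase_orders"): frozenset({"read", "create"}),              # recording
    ("bob", "vendor_master"): frozenset({"read"}),
    ("carol", "inventory"): frozenset({"read", "issue", "receive"}),        # custody
    ("dave", "purchase_orders"): frozenset({"read", "create", "approve"}),  # records AND approves
}

# Which (resource, action) pairs amount to which accounting function.
FUNCTION_OF_ACTION = {
    ("purchase_orders", "approve"): "authorization",
    ("purchase_orders", "create"): "recording",
    ("inventory", "issue"): "custody",
    ("inventory", "receive"): "custody",
}


def compatibility_test(user: str, resource: str, action: str,
                       matrix: Matrix = ACCESS_CONTROL_MATRIX) -> bool:
    """True only if the matrix explicitly grants `action` on `resource` to `user`.

    `user` is the identity that authentication established; authorization
    never grants anything the matrix does not list.
    """
    return action in matrix.get((user, resource), frozenset())


def functions_held(matrix: Matrix = ACCESS_CONTROL_MATRIX) -> Dict[str, Set[str]]:
    """Map each user to the accounting functions their permissions amount to."""
    held: Dict[str, Set[str]] = defaultdict(set)
    for (user, resource), actions in matrix.items():
        for action in actions:
            function = FUNCTION_OF_ACTION.get((resource, action))
            if function:
                held[user].add(function)
    return dict(held)


def segregation_violations(matrix: Matrix = ACCESS_CONTROL_MATRIX) -> Dict[str, List[str]]:
    """Users whose permissions combine two or more of authorization, recording, custody."""
    return {user: sorted(fns) for user, fns in functions_held(matrix).items() if len(fns) > 1}


if __name__ == "__main__":
    print(compatibility_test("alice", "purchase_orders", "approve"))  # True
    print(compatibility_test("bob", "purchase_orders", "approve"))    # False
    print(segregation_violations())  # {'dave': ['authorization', 'recording']}
```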

Physical access controls

Physical access controls are essential to information resources, because a skilled attacker needs only a few minutes of unsupervised direct physical access in order to bypass existing information security controls.

Network access controls

A device, called a border router, connects an organization’s information system to the internet. Behind the border router is the main firewall. The firewall is either a special-purpose hardware device or software running on a general-purpose computer.

The demilitarized zone (DMZ) is a separate network that permits controlled access from the internet to selected resources. The border router and the firewall act as filters to control which information is allowed to enter and leave the organization’s information system.

The transmission control protocol (TCP) specifies the procedures for dividing files and documents into packets to be sent over the internet and the methods for reassembling the original document or file at the destination.

The internet protocol (IP) specifies the structure of those packets and how to route them to the proper destination.

Special-purpose devices called routers are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next.

A set of rules, called an access control list (ACL), determines which packets are allowed entry and which are dropped. Border routers typically perform static packet filtering, which screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header.
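An added example, not from the textbook, of the static packet filtering described above: a small ACL evaluated first-match against the source and destination fields of a packet, with an implicit default drop. The network layout and addresses are constructed (RFC 5737 documentation and RFC 1918 private ranges).

```python
"""Added example, not from the textbook: a static packet filter that applies
an ACL to the header fields of individual packets, first matching rule
wins, anything unmatched is dropped. Addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address from the packet header
    dst: str       # destination IP address
    dst_port: int  # destination port
    proto: str     # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "drop"
    src: str = "0.0.0.0/0"          # any source unless narrowed
    dst: str = "0.0.0.0/0"          # any destination unless narrowed
    dst_port: Optional[int] = None  # None = any port
    proto: Optional[str] = None     # None = any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.proto is None or self.proto == pkt.proto))


# Constructed layout: internal LAN on 10.0.0.0/8 (RFC 1918 private range),
# a DMZ web server at 203.0.113.10 (RFC 5737 documentation range).
INTERNAL_LAN = "10.0.0.0/8"
DMZ_WEB = "203.0.113.10/32"

BORDER_ACL: List[Rule] = [
    # Anti-spoofing: traffic arriving from the internet must never claim an internal source.
    Rule("drop", src=INTERNAL_LAN),
    # Only HTTPS and HTTP to the DMZ web server are permitted from outside.
    Rule("permit", dst=DMZ_WEB, dst_port=443, proto="tcp"),
    Rule("permit", dst=DMZ_WEB, dst_port=80, proto="tcp"),
    # No rule for the internal LAN: direct access from the internet falls to the default drop.
]


def filter_packet(pkt: Packet, acl: List[Rule] = BORDER_ACL) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ('drop', None) is the implicit default deny."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "drop", None


if __name__ == "__main__":
    for pkt in [Packet("198.51.100.7", "203.0.113.10", 443, "tcp"),
                Packet("198.51.100.7", "10.0.5.20", 1433, "tcp"),
                Packet("10.0.0.9", "203.0.113.10", 443, "tcp")]:
        print(pkt, "->", filter_packet(pkt))
```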

Deep packet inspection is a process of examining the data contents of a packet. The added control comes at the cost of speed. It takes more time to examine the body of an IP packet. Deep packet inspection is the heart of a new type of security technology called intrusion prevention systems (IPS) that monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks. An IPS consists of a set of sensors and a central monitor unit that analyses the data collected. Sensors must be installed in several places to effectively monitor network traffic. IPSs use several different techniques to identify undesirable traffic patterns.

The Remote Authentication Dial-In User Service (RADIUS) is a standard method to verify the identity of users attempting to obtain dial-in access. Dial-in users connect to a remote access server and submit their log-in credentials. The remote access server passes those credentials to the RADIUS server, which performs compatibility tests to authenticate the identity of that user. Only after the user has been authenticated is access to the internal corporate network granted. The problem is that modems are cheap and easy to install, so employees are often tempted to install them on their desktop workstations without seeking permission or notifying anyone that they have done so. The most efficient and effective way to periodically check for the existence of rogue modems is to use war dialing software. This software calls every telephone number assigned to the organization to identify those that are connected to modems.

Device and software hardening controls

Endpoints is the collective term for workstations, servers, printers, and other devices that make up the organization’s network. Three aspects of endpoint hardening are especially important:

  1. Endpoint configuration. Endpoints can be made more secure by modifying their configurations. Every program that is running represents a potential point of attack because it probably contains flaws, called vulnerabilities. These vulnerabilities can be exploited to either crash the system or take control of it. Tools called vulnerability scanners can be used to identify unused and therefore unnecessary programs that represent potential security threats. This process of modifying the default configuration of endpoints to eliminate unnecessary settings and services is called hardening.

  2. User account management. This is the management of all the user accounts. Administrative rights are needed in order to install software and alter most configuration settings. These powerful capabilities make accounts with administrative rights prime targets for attackers. Many vulnerabilities affect only accounts with administrative rights. Therefore, employees who need administrative rights should also have a second, non-administrative account for routine work.

  3. Software design. As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. The common theme in all of these attacks is the failure to ‘scrub’ users’ input to remove potentially malicious code. Therefore, programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

Detective controls

Preventive controls are never 100% effective in blocking all attacks. The COBIT control objective stresses that organizations need to implement detective controls. Detective controls enhance security by monitoring the effectiveness of preventive controls and detecting incidents in which preventive controls have been successfully circumvented. There are four types of detective controls.

Log Analysis

Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. Log analysis is the process of examining logs to identify evidence of possible attacks. These logs form an audit trail of system access. It is important to analyse logs of failed attempts to log on to a system and failed attempts to obtain access to specific information resources. It is also important to analyse changes to the logs themselves, and logs need to be analysed regularly to detect problems in a timely manner.
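An added example, not from the textbook, of the log analysis described above, run over a constructed log: it counts failed logons and failed attempts to reach specific resources per user, and keeps a hash chain beside the log so that later changes to the log itself can be detected. Log format, users and hosts are constructed.

```python
"""Added example, not from the textbook: log analysis over constructed logon
and resource-access records, plus a hash chain that shows whether the log
itself has been altered since it was written."""
import hashlib
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed log: timestamp, event, user, target (source host or resource), outcome.
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGON alice 10.0.1.5 SUCCESS
2024-03-01T08:00:07 LOGON bob 10.0.1.9 FAILURE
2024-03-01T08:00:12 LOGON bob 10.0.1.9 FAILURE
2024-03-01T08:00:15 LOGON bob 10.0.1.9 FAILURE
2024-03-01T08:00:19 LOGON bob 10.0.1.9 FAILURE
2024-03-01T08:00:25 LOGON bob 10.0.1.9 SUCCESS
2024-03-01T08:03:40 ACCESS bob payroll_master FAILURE
2024-03-01T08:03:44 ACCESS bob payroll_master FAILURE
2024-03-01T08:04:01 ACCESS bob vendor_master FAILURE
2024-03-01T08:10:00 LOGON carol 10.0.2.3 SUCCESS
"""


def parse_log(text: str) -> List[dict]:
    """Split each non-empty line into its five whitespace-separated fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, target, outcome = line.split()
        records.append({"ts": ts, "event": event, "user": user,
                        "target": target, "outcome": outcome})
    return records


def repeated_failed_logons(records: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` failed logon attempts."""
    failures = Counter(r["user"] for r in records
                       if r["event"] == "LOGON" and r["outcome"] == "FAILURE")
    return {user: n for user, n in failures.items() if n >= threshold}


def failed_resource_access(records: List[dict]) -> Dict[str, Dict[str, int]]:
    """Failed attempts to reach specific information resources, per user and resource."""
    out: Dict[str, Dict[str, int]] = defaultdict(dict)
    for r in records:
        if r["event"] == "ACCESS" and r["outcome"] == "FAILURE":
            out[r["user"]][r["target"]] = out[r["user"]].get(r["target"], 0) + 1
    return dict(out)


def hash_chain(lines: List[str], seed: str = "constructed-seed") -> List[str]:
    """Digest of each line chained to the previous digest; store these apart from the log."""
    digests, previous = [], seed
    for line in lines:
        previous = hashlib.sha256((previous + "\n" + line).encode()).hexdigest()
        digests.append(previous)
    return digests


def first_altered_line(lines: List[str], digests: List[str],
                       seed: str = "constructed-seed") -> Optional[int]:
    """Index of the first line that no longer matches the chain (None if intact).

    An edited, deleted or inserted line breaks the chain from that point on.
    """
    previous = seed
    for index, line in enumerate(lines):
        if index >= len(digests):
            return index  # lines were appended after the chain was taken
        previous = hashlib.sha256((previous + "\n" + line).encode()).hexdigest()
        if previous != digests[index]:
            return index
    return len(lines) if len(lines) < len(digests) else None  # trailing lines deleted


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("repeated failed logons:", repeated_failed_logons(recs))
    print("failed resource access:", failed_resource_access(recs))
    original = SAMPLE_LOG.splitlines()
    chain = hash_chain(original)
    edited = list(original)
    edited[1] = edited[1].replace("FAILURE", "SUCCESS")
    print("first altered line:", first_altered_line(edited, chain))  # 1
```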

Intrusion Detection Systems

Intrusion detection systems (IDSs) consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyse those logs for signs of attempted or successful intrusions. An IDS can also be installed on a specific device to monitor unauthorized attempts to change that device’s configuration. The main difference between an IDS and an intrusion prevention system (IPS) is that the former only produces a warning alert when it detects a suspicious pattern of network traffic, whereas the latter not only issues an alert but also automatically takes steps to stop a suspected attack.

Managerial Reports

It is really important that the management monitors and evaluates both system performance and controls. The COBIT framework provides management guidelines that identify critical success factors associated with each control objective and suggest key performance indicators.

Security Testing

A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system. This test provides a more rigorous way to test the effectiveness of an organization’s information security than reviewing controls on paper.

Corrective controls

Organizations also need procedures to undertake timely corrective actions. Many corrective actions rely on human judgment, so their effectiveness depends to a great extent on proper planning and preparation.

Computer Incident Response Team

A computer incident response team (CIRT) is a team that is responsible for dealing with major incidents. The CIRT should include not only technical specialists but also senior operations management, because some potential responses to security incidents have significant economic consequences. The CIRT should lead the organization’s incident response process through the following four steps.

  • Recognition that a problem exists.

  • Containment of the problem.

  • Recovery. Damage caused by the attack must be repaired.

  • Follow-up. Once recovery is in process, the CIRT should lead the analysis of how the incident occurred.

Chief Information Security Officer (CISO)

The CISO is responsible for information security. This person should be independent of other information systems functions and should report to either the chief operating officer (COO) or the chief executive officer (CEO).

Patch Management

Once a vulnerability has been identified, the next step for an attacker is to explore and document how to take advantage of it to compromise a system. The set of instructions for taking advantage of a vulnerability is called an exploit. Once an exploit is published on the internet it can easily be used by anyone who runs that code.

A patch is code released by software developers that fixes a particular vulnerability. Patch management is the process for regularly applying patches and updates to all software used by the organization.

Virtualization takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one physical computer.

Cloud computing takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software, data storage devices, hardware and entire application environments.

Virtualization and cloud computing alter risk of some information security threats, but they also offer the opportunity to significantly improve overall security.

Part 2: Information systems controls for system reliability - Chapter 9

This chapter covers two other important principles of reliable systems in the Trust Services Framework: preserving the confidentiality of an organization’s intellectual property and protecting the privacy of personal information it collects from customers. We also discuss the topic of encryption in detail because it is a critical tool for protecting both confidentiality and privacy.

Organizations possess a myriad of sensitive information, including strategic plans, trade secrets, cost information, legal documents and process improvements. This intellectual property often is crucial to the organization’s long-run competitive advantages and success. Consequently, preserving the confidentiality of the organization’s intellectual property, and similar information shared by its business partners, has long been recognized as a basic objective of information security. This section discusses the actions that must be taken to preserve confidentiality.

  1. Identification and classification of the information to be protected

  2. Encryption of sensitive information

  3. Controlling access to sensitive information

  4. Training

The first action is the identification and classification of the information to be protected. The initial step is to identify where such information resides and who has access to it. This sounds easy, but it is harder than you think: it is time-consuming and costly, because it involves examining far more than just the contents of the organization’s financial system. The next step is to classify the information in terms of its value to the organization.

Encryption is an important and effective tool to protect confidentiality. It is the only way to protect information in transit over the internet. Encryption is not a panacea, however. Some sensitive information may not be stored digitally and therefore cannot be protected by being encrypted. Strong authentication is needed, so that no one else can gain access to the computer that holds the keys. Physical access controls are also needed. Sensitive information is exposed in plain view whenever it is being processed by a program, displayed on a monitor or included in printed reports. Protecting confidentiality therefore requires application of the principle of defense-in-depth: supplementing encryption with access controls and training.

The third action is controlling access to sensitive information, for example with information rights management (IRM) software. This software provides an additional layer of protection to specific information resources, offering the capability not only to limit access to specific files or documents, but also to specify the actions that individuals can perform on them (read, copy, print, download to USB devices etc.).

Today, organizations constantly exchange information with their business partners and customers. Therefore, protecting confidentiality also requires controls over outbound communications. One tool for accomplishing that is data loss prevention (DLP) software. This software works like an antivirus program in reverse, blocking outgoing messages that contain key words or phrases associated with the intellectual property or other sensitive data the organization wants to protect.

A digital watermark is a detective control that enables organizations to identify confidential information that has been disclosed. When an organization discovers documents containing its digital watermark on the internet, it has evidence that the preventive controls designed to protect its sensitive information have failed. It should then investigate how compromise occurred and take appropriate corrective action.

The last action is training, which is arguably the most important control for protecting confidentiality. Employees need to know what information they can share with outsiders and what information needs to be protected. They also need to be taught how to protect confidential data, for example how to use encryption software. They should also be aware that they always need to log out before leaving a laptop or workstation unattended.

Privacy

In the Trust Services Framework, privacy is closely related to the confidentiality principle. They differ only in that privacy focuses on protecting personal information about customers rather than organizational data. The controls that need to be implemented to protect privacy are the same ones used to protect confidentiality.

The first step in protecting the privacy of personal information collected from customers is to identify what information is collected, where it is stored, and who has access to it. It is then important to implement controls to protect that information, because incidents involving the unauthorized disclosure of customers’ personal information, whether intentional or accidental, can be costly.

Encryption is a fundamental control for protecting the privacy of personal information from customers. That information needs to be encrypted both while it is in transit over the internet and while it is in storage. Encrypting information can also save the company money, because many breach-notification laws do not require customers to be notified when the lost data were encrypted.

To protect privacy, organizations should run data masking programs. These programs replace customers’ personal information with fake values before the data are sent to the program development and testing systems, so that developers and testers never work with real personal data.

Organizations also need to train employees on how to manage and protect personal information from customers. This is especially important for medical and financial personal information.

Two major privacy related concerns are spam and identity theft.

Spam is unsolicited e-mail that contains either advertising or offensive content. Spam is a privacy-related issue, because recipients are often targeted as a result of unauthorized access to e-mail address lists and databases containing personal information. Spam is also a source of many viruses, worms, spyware programs, and other types of malware. Anti-spam legislation such as the US CAN-SPAM Act contains a few key provisions. The sender’s identity must be clearly displayed in the header of the message. The subject field in the header must clearly identify the message as an advertisement or solicitation. The body of the message must provide recipients with a working link that can be used to opt out of future e-mail. The body of the message must also include the sender’s valid postal address. Finally, organizations should not send commercial e-mail to randomly generated addresses.

Identity theft, on the other hand, is the unauthorized use of someone’s personal information for the perpetrator’s benefit. Identity theft is often a financial crime: perpetrators obtain loans or open new credit cards in the victim’s name and sometimes loot the victim’s bank accounts. A growing portion of identity theft cases involve fraudulently obtaining medical care and services, which can have life-threatening consequences. The Generally Accepted Privacy Principles (GAPP) identify and define the following ten internationally recognized best practices for protecting the privacy of customers’ personal information.

  1. Management. Organizations need to establish a set of procedures and policies for protecting the privacy of customers. They should assign responsibility and accountability for implementing those policies to a specific person or group.

  2. Notice. An organization should provide notice about its privacy policies and practices. The notice should clearly explain what information is being collected, the reasons why, and how it will be used.

  3. Choice and consent. Organizations should explain the choices available to individuals and obtain their consent prior to the collection and use of their personal information. The nature of the choices offered differs across countries.

  4. Collection. An organization should collect only the information needed to fulfil the purposes stated in its privacy policy. Some use cookies on websites. A cookie is a text file created by a website and stored on a visitor’s hard disk. They store information about what the user has done on the site.

  5. Use and retention. Organization should use customers’ personal information only in the manner described in their stated privacy policies and retain that information only as long as needed to fulfil a legitimate business purpose.

  6. Access. An organization should provide individuals with the ability to access, review, correct, and delete the personal information stored about them.

  7. Disclosure to third parties. Organizations should disclose their customers’ personal information to third parties only in the situations and manner described in the organization’s privacy policies, and only to third parties who provide the same level of privacy protection.

  8. Security. An organization must take reasonable steps to protect its customers’ personal information from loss or unauthorized disclosure. The organization must use the preventive, detective and corrective controls to restrict access to this personal information.

  9. Quality. Organizations should maintain the integrity of their customers’ personal information and employ procedures to ensure that it is reasonably accurate.

  10. Monitoring and enforcement. An organization should assign one or more employees to be responsible for ensuring compliance with its stated privacy policies. They must periodically verify that their employees are complying with stated privacy policies.

Encryption is a preventive control that can be used to protect both confidentiality and privacy. Encryption protects data that are being sent over the internet and it provides one last barrier that must be overcome by an intruder who has obtained unauthorized access to stored information. Accountants, auditors and systems professionals should therefore understand encryption.

Encryption is the process of transforming normal content, called plaintext, into unreadable gibberish, called ciphertext. See figure 9.1 on page 278 for the steps in the encryption and decryption process.

Decryption reverses this process, transforming cipher text into plaintext. Both involve use of a key and an algorithm. Computers represent both as a series of binary digits (0s and 1s).

The key is also a string of binary digits of a fixed length.

The algorithm is a formula for combining the key and the text.

Most documents are longer than the key, so the encryption process begins by dividing the plaintext into blocks and then applying the algorithm to the key and each block in turn. (In modern block ciphers the block length is fixed by the algorithm and need not equal the key length: AES, for example, always works on 128-bit blocks whether the key is 128 or 256 bits long.)

Three important factors determine the strength of any encryption system.

  • Key length: longer keys provide stronger encryption because the number of possible keys grows exponentially with key length, so an attacker who tries every key (a brute-force attack) needs far more time. Repeating patterns in the ciphertext that reflect patterns in the plaintext are prevented by the way blocks are chained (the mode of operation), not by key length alone.

  • Encryption algorithm: the nature of the algorithm used to combine the key and the plaintext is important. A strong algorithm has no known shortcut, so that the only way to break it is brute-force guessing of the key; published, publicly analysed algorithms (such as AES) should be preferred over secret, home-grown ones.

  • Policies for managing cryptographic keys. No matter how long the keys are, or how strong an encryption algorithm is, if the keys have been compromised, the encryption can be easily broken. There is also a process called key escrow. This process involves making copies of all encryption keys used by employees and storing those copies securely.

There are two basic types of encryption systems. The first one is symmetric encryption systems. This type use the same key both to the encrypt and decrypt. The other type is the asymmetric encryption system, which uses two keys. One is called the public key. This key is widely distributed and available to everyone. The other one is called the private key and is kept secret and known only to the owner of that pair of keys.

Symmetric encryption is much faster than asymmetric encryption, but it has two major problems. First, both parties need to know the shared secret key. This means that the two parties need to have some method for securely exchanging the key that will be used to both encrypt and decrypt.

The second problem is that a separate key needs to be created for use by each party with whom the use of encryption is desired.

Asymmetric encryption systems solve these problems. It does not matter who knows the public key, because any text encrypted with it can be decrypted only by using the corresponding private key.

The main drawback of asymmetric encryption systems is speed. Asymmetric encryption is thousands of times slower than symmetric encryption, making it impractical for exchanging large amounts of data over the internet. In practice the two are combined: symmetric encryption is used to encode most of the data being exchanged, and asymmetric encryption is used to safely send the symmetric key to the recipient for use in decrypting the ciphertext.

Hashing is a process that takes plaintext of any length and transforms it into a short code, called a hash. Hashing differs from encryption in two important respects. The first is that encryption always produces ciphertext similar in length to the original plaintext, whereas hashing always produces a hash of a fixed short length, regardless of the length of the original plaintext.

The second difference is that encryption is reversible, but hashing is not. Given the decryption key and the algorithm, cipher text can be decrypted back into the original plaintext. By hashing, it is not possible to transform a hash back into the original plaintext, because hashing throws away information.

Comparison of hashing and encryption

  Hashing                                         Encryption
  One-way function (cannot reverse or unhash)     Reversible (can decrypt back to plaintext)
  Any size input yields same fixed-size output    Output size approximately the same as the input size

An important issue for business transactions has always been nonrepudiation: how to create legally binding agreements that cannot be unilaterally repudiated by either party. The answer is to use both hashing and asymmetric encryption to create a digital signature. A digital signature is a hash of a document or file that is encrypted using the document creator’s private key. Anyone with the creator’s public key can decrypt the signature, recompute the hash of the document and compare the two; a match proves both that the document is unchanged and that it was signed by the holder of the private key.
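The hybrid scheme (symmetric data encryption plus an asymmetrically wrapped session key), the fixed-length one-way hash, and the digital signature described above, in one added example written for this summary; it is not code from the textbook. It is a toy and must never be used for real data: the "symmetric cipher" is a SHA-256 keystream, the RSA key pair is built from two publicly known Mersenne primes (so anyone can factor the modulus), and there is no padding. The names hybrid_encrypt, hybrid_decrypt, sign and verify are this example's own. Requires Python 3.8 or later for pow(e, -1, m).

```python
"""Added example (toy, NOT secure): hybrid encryption and a digital signature
built from a symmetric keystream, textbook RSA and SHA-256."""
import hashlib
import secrets

# Constructed toy RSA key pair. Both primes are public Mersenne primes, so
# anyone can recover D from N; real keys use secret random primes.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (N, E)     # widely distributed
PRIVATE_KEY = (N, D)    # known only to the owner of the key pair


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Demo symmetric cipher: XOR the data with a SHA-256 keystream derived
    from (key, block counter). The same call encrypts and decrypts, because
    the same key produces the same keystream (the defining property of
    symmetric encryption)."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], keystream))
    return bytes(out)


def rsa_public_op(x: int, public_key) -> int:
    n, e = public_key
    return pow(x, e, n)


def rsa_private_op(x: int, private_key) -> int:
    n, d = private_key
    return pow(x, d, n)


def hybrid_encrypt(plaintext: bytes, recipient_public_key):
    """Bulk data under a fresh symmetric session key; the session key itself
    is wrapped with the recipient's public key, so only the matching private
    key can unwrap it."""
    session_key = secrets.token_bytes(16)
    ciphertext = symmetric_xor(session_key, plaintext)
    wrapped_key = rsa_public_op(int.from_bytes(session_key, "big"), recipient_public_key)
    return wrapped_key, ciphertext


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, recipient_private_key) -> bytes:
    session_key = rsa_private_op(wrapped_key, recipient_private_key).to_bytes(16, "big")
    return symmetric_xor(session_key, ciphertext)


def digest_as_int(document: bytes) -> int:
    """Fixed-length (256-bit), one-way hash of a document of any length."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, signer_private_key) -> int:
    """Digital signature: hash the document, then apply the signer's private key."""
    return rsa_private_op(digest_as_int(document), signer_private_key)


def verify(document: bytes, signature: int, signer_public_key) -> bool:
    """Recover the hash from the signature with the public key and compare it
    with a freshly computed hash of the document."""
    return rsa_public_op(signature, signer_public_key) == digest_as_int(document)


if __name__ == "__main__":
    doc = b"Purchase order 4711: 100 units at 12.50"   # constructed sample document
    wrapped, ct = hybrid_encrypt(doc, PUBLIC_KEY)
    print(hybrid_decrypt(wrapped, ct, PRIVATE_KEY) == doc)
    sig = sign(doc, PRIVATE_KEY)
    print(verify(doc, sig, PUBLIC_KEY), verify(doc + b"0", sig, PUBLIC_KEY))
```

Note how the session key (128 bits) and the hash (256 bits) both fit under the modulus, which is why the signature is computed over the hash rather than over the document: the document can be any length, the hash cannot.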

A digital certificate is an electronic document that contains an entity’s public key and certifies the identity of the owner of that particular public key. Digital certificates function like the digital equivalent of a driver’s licence or passport.

Just as a government is the trusted party that issues passports and driving licences, a certificate authority (CA) is a trusted independent party that issues digital certificates. Each certificate carries the certificate authority’s digital signature to prove that it is genuine.

The system for issuing pairs of public and private keys and corresponding digital certificates is called a public key infrastructure (PKI). The entire PKI system hinges on trusting the certificate authorities that issue the keys and the certificates.

Encrypting information while it traverses the internet creates a virtual private network (VPN), so named because it provides the functionality of a privately owned secure network without the associated costs of leased telephones, satellites, and other communication equipment.

See figure 9.4 on page 284 for the virtual private networks.

Part 3: Information systems controls for system reliability - Chapter 10

This chapter addresses the remaining two principles of the reliable system: processing integrity and availability.

The processing integrity principle of the Trust Services Framework states that a reliable system is one that produces information that is accurate, complete, timely, and valid. See table 10.1 for the application controls discussed in the COBIT framework to ensure processing integrity. It requires controls over the input, processing, and output of data.

Input Controls

Form design, cancellation and storage of source documents, and automated data entry controls are needed to verify the validity of input data.

Source documents and other forms should be designed to minimize the chances for errors and omissions. Two particularly important form design controls are:

  • Sequentially prenumbering source documents. Prenumbering improves control by making it possible to verify that no documents are missing.

  • Turnaround documents. A turnaround document is a record of company data sent to an external party and then returned by that party to the system as input. Turnaround documents are prepared in machine-readable form to facilitate their subsequent processing as input records.

Source documents that have been entered into the system should be cancelled so they cannot be inadvertently or fraudulently re-entered into the system. Electronic documents can be similarly ‘cancelled’ by setting a flag field to indicate that the document has already been processed. Cancellation does not mean disposal: the documents must still be retained.

Source documents should be scanned for reasonableness and propriety before being entered into the system.

  • Field check determines whether the characters in a field are of the proper type.

  • Sign check determines whether the data in a field have the appropriate arithmetic sign.

  • Limit check tests a numerical amount against a fixed value.

  • Range check tests whether a numerical amount falls between predetermined lower and upper limits.

  • Size check ensures that the input data will fit into the assigned field.

  • Completeness check on each input record determines whether all required data items have been entered.

  • Validity check compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists.

  • Reasonableness test determines the correctness of the logical relationship between two data items.

  • Check digit is computed from other digits. The system could assign each new employee a nine-digit number then calculate a tenth digit from the original nine and append that calculated number to the original nine to form a ten-digit ID number.

Additional batch processing data entry controls

  • Batch processing works more efficiently if the transactions are sorted so that the accounts affected are in the same sequence as records in the master file. A sequence check tests whether a batch of input data is in the proper numerical or alphabetical sequence.

  • An error log that identifies data input errors facilitates timely review and resubmission of transactions that cannot be processed.

  • Batch totals summarize important values for a batch of input records. The following are three commonly used batch totals:

    • Financial batch sums a field that contains monetary values

    • Hash total sums a nonfinancial numeric field

    • Record count is the number of records in a batch
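The automated data entry controls and the batch totals listed above, applied to a constructed batch of sales transactions as an added example for this summary (not code from the textbook). The master file, the records, the price limit and the Luhn (mod-10) check digit are assumptions of the example; the textbook says only that a check digit is computed from the other digits, not which formula. Record 2 carries two transposed digits in its customer number, and record 3 a negative quantity, so the output shows which check catches which error and what the batch totals look like.

```python
"""Added example: data entry controls and batch totals over a constructed batch."""
from decimal import Decimal

# Constructed customer master file: customer_id -> credit limit (hypothetical).
MASTER_FILE = {
    "1234567897": Decimal("5000.00"),
    "9876543217": Decimal("1000.00"),
}
REQUIRED_FIELDS = ("seq", "customer_id", "qty", "unit_price")
PRICE_LIMIT = Decimal("10000.00")   # assumed upper bound for a unit price


def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for the 9-digit base; appended to form the
    10-digit ID. Catches any single wrong digit and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def validate_record(rec: dict, master=MASTER_FILE) -> list:
    """Apply the input checks to one record and return the failures found."""
    errors = []
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        return ["completeness check: missing " + ", ".join(missing)]
    cid = str(rec["customer_id"])
    if not cid.isdigit():
        errors.append("field check: customer_id must be numeric")
    elif len(cid) != 10:
        errors.append("size check: customer_id must be 10 digits")
    elif luhn_check_digit(cid[:9]) != cid[9]:
        errors.append("check digit: customer_id fails verification")
    elif cid not in master:
        errors.append("validity check: customer_id not in master file")
    if rec["qty"] <= 0:
        errors.append("sign check: qty must be positive")
    if not (Decimal("0") < rec["unit_price"] <= PRICE_LIMIT):
        errors.append("range check: unit_price outside 0..10000")
    if cid in master and rec["qty"] * rec["unit_price"] > master[cid]:
        errors.append("reasonableness test: order total exceeds credit limit")
    return errors


def batch_totals(records) -> dict:
    """The three common batch totals, computed over the batch as received."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["qty"] * r["unit_price"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["customer_id"]) for r in records),
    }


def sequence_check(records) -> bool:
    seqs = [r["seq"] for r in records]
    return seqs == sorted(seqs) and len(set(seqs)) == len(seqs)


def process_batch(records, master=MASTER_FILE):
    """Return (batch totals, error log). The totals are compared with the
    control totals prepared by whoever submitted the batch; the error log
    drives review and resubmission of the rejected records."""
    error_log = {}
    for rec in records:
        errs = validate_record(rec, master)
        if errs:
            error_log[rec["seq"]] = errs
    if not sequence_check(records):
        error_log["batch"] = ["sequence check: records out of order or duplicated"]
    return batch_totals(records), error_log


# Constructed batch: record 2 has digits 8 and 9 transposed, record 3 a negative qty.
SAMPLE_BATCH = [
    {"seq": 1, "customer_id": "1234567897", "qty": 10, "unit_price": Decimal("25.00")},
    {"seq": 2, "customer_id": "1234567987", "qty": 4, "unit_price": Decimal("12.50")},
    {"seq": 3, "customer_id": "9876543217", "qty": -1, "unit_price": Decimal("10.00")},
]

if __name__ == "__main__":
    totals, log = process_batch(SAMPLE_BATCH)
    print(totals)
    print(log)
```

The checks are ordered so that a cheap format failure is reported instead of a misleading later one: a customer number that fails its check digit is not also reported as missing from the master file.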

Additional online data entry controls

  • Prompting, in which the system requests each input data item and waits for an acceptable response, ensures that all necessary data are entered.

  • Closed-loop verification checks the accuracy of input data by using it to retrieve and display other related information.

  • A transaction log includes a detailed record of all transactions, including a unique transaction identifier, the date and time of entry, and who entered the transaction.

Processing controls

Controls are also needed to ensure that data is processed correctly. There are a few processing controls.

  • Data matching. Two or more items of data must be matched before an action can take place.

  • File labels. They need to be checked to ensure that the correct and most current files are being updated. Both internal and external labels should be used. A header record (internal label) is located at the beginning of each file and contains the name of the file, the expiration date, and other identification data. The trailer record, also an internal label, is located at the end of the file and contains the batch totals calculated during input.

  • Recalculation of batch totals. Batch totals should be recomputed as each transaction record is processed, and the total for the batch should then be compared to the values in the trailer record. A transposition error is an error in which two adjacent digits were inadvertently reversed. They may appear to be trivial but can have enormous financial consequences.

  • Cross-footing and zero-balances tests. Often totals can be calculated in multiple ways. A cross-footing test compares the results produced by each method to verify accuracy. The zero-balance test applies this same logic to control accounts.

  • Write-protection mechanisms. These protect against overwriting or erasing of data files stored on magnetic media. These mechanisms have long been used to protect master files from accidentally being damaged.

  • Concurrent update controls. These controls protect against the errors that arise when two or more users attempt to update the same record at the same time, by locking out one user until the system has finished processing the transaction entered by the other.

Output controls

  • User review of output. Users should carefully examine system output to verify that it is reasonable, that it is complete, and that they are the intended recipients.

  • Reconciliation procedures. Periodically, all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms.

  • External data reconciliation. Database totals should periodically be reconciled with data maintained outside the system.

  • Data transmission controls. Organizations also need to implement controls designed to minimize the risk of data transmission errors. There are two common data transmission controls.

    • Checksums. When data are transmitted, the sending device calculates a hash of the file, called a checksum, and sends it along with the data. The receiving device performs the same calculation and compares its result with the checksum it received. If the two agree, the transmission is presumed accurate; otherwise the data must be retransmitted.

    • Parity bits. Computers represent characters as a set of binary digits, called bits. A parity bit is an extra bit added to every character that can be used to check transmission accuracy. The two basic schemes are even parity and odd parity: the parity bit is set so that the total number of 1 bits in the character is even, or odd, respectively. The receiving device performs the parity check and flags any character whose bit count no longer matches the scheme.
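Both data transmission controls in one added example written for this summary (not code from the textbook); the message, the error scenario and the function names are constructed. It shows the limit of a parity bit that a practitioner should know: a single flipped bit is caught, but two flipped bits in the same character leave the parity unchanged, which here silently turns a payment of 100 into 200. The checksum over the whole message still catches it.

```python
"""Added example: parity bits and checksums on a constructed transmission."""
import hashlib


def even_parity_bit(byte: int) -> int:
    """Under even parity the extra bit makes the total number of 1 bits even,
    so it is 1 exactly when the character itself has an odd number of 1 bits."""
    return bin(byte).count("1") % 2


def encode_with_parity(data: bytes) -> list:
    """Sender: attach a parity bit to every character."""
    return [(b, even_parity_bit(b)) for b in data]


def parity_check(frames) -> list:
    """Receiver: positions whose parity bit no longer matches the character."""
    return [i for i, (b, p) in enumerate(frames) if even_parity_bit(b) != p]


def flip_bits(frames, index: int, *bits: int) -> list:
    """Simulate transmission errors by flipping the given bits of one character."""
    frames = list(frames)
    byte, parity = frames[index]
    for bit in bits:
        byte ^= 1 << bit
    frames[index] = (byte, parity)
    return frames


def frames_to_bytes(frames) -> bytes:
    return bytes(b for b, _ in frames)


def checksum(data: bytes) -> str:
    """Computed by the sender over the whole message and sent with it; the
    receiver computes the same value and compares."""
    return hashlib.sha256(data).hexdigest()


def checksum_ok(received: bytes, checksum_from_sender: str) -> bool:
    return checksum(received) == checksum_from_sender


if __name__ == "__main__":
    message = b"PAY 100"                          # constructed sample
    sent = encode_with_parity(message)
    damaged = flip_bits(sent, 4, 0, 1)            # '1' (0x31) becomes '2' (0x32)
    print(frames_to_bytes(damaged))               # b'PAY 200'
    print(parity_check(damaged))                  # [] : two flips cancel out
    print(checksum_ok(frames_to_bytes(damaged), checksum(message)))   # False
```

A parity bit detects any odd number of bit errors in a character and nothing else; that is why it is an error-detection control for noisy lines, not a defence against deliberate tampering, for which a keyed integrity check is needed.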

Availability

Interruptions to business processes due to the unavailability of systems or information can cause significant financial losses. The primary objective is to minimize the risk of system downtime. Another objective is quick and complete recovery and resumption of normal operations.

The first objective can be arranged by

  • Preventive maintenance. An example is cleaning disk drives and properly storing magnetic and optical media, to reduce the risk of hardware and software failure.

  • Fault tolerance. This is the ability of a system to continue functioning in the event that a particular component fails. For example, many organizations use redundant arrays of independent drives (RAID) instead of just one disk drive. With RAID data is written to multiple disk drives simultaneously.

  • Data centre location and design. Common design features include the following. Raised floors provide protection from damage caused by flooding. Fire detection and suppression devices reduce the likelihood of fire damage. An uninterruptible power supply (UPS) system provides protection in the event of a prolonged power outage, using battery power to enable the system to operate long enough to back up critical data and shut down safely.

  • Training. Well-trained operators are less likely to make mistakes and will know how to recover, with minimal damage, from errors they do commit.

  • Patch management and antivirus software

The second objective has the following key controls

  • Back up procedures. A backup is an exact copy of the most current version of a database, file, or software program that can be used in the event that the original is no longer available.

  • Disaster recovery plan (DRP)

  • Business continuity plan (BCP)

The recovery point objective (RPO) represents the maximum amount of data that the organization is willing to potentially lose.

The recovery time objective (RTO) represents the length of time that the organization is willing to attempt to function without its information system.

Real-time mirroring involves maintaining two copies of the database at two separate data centers at all times and updating both copies in real-time as each transaction occurs.

There are two types of daily backups

  1. An incremental backup copies only the data items that have changed since the last backup of any kind (full or incremental). Restoring therefore requires the last full backup plus every incremental backup taken since, applied in order.

  2. A differential backup copies all changes made since the last full backup. Each differential is therefore larger than the corresponding incremental, but restoring requires only the last full backup plus the most recent differential.
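The two backup strategies side by side, as an added example written for this summary (not code from the textbook). The "database" is a dict of file names to versions, the week of changes is constructed, and a backup's size is counted in entries. Running both strategies over the same week shows why incrementals stay small while differentials grow, and why losing one incremental breaks the restore chain whereas a differential restore needs only the full backup and the latest differential.

```python
"""Added example: full, incremental and differential backups of a tiny database."""


def diff(old: dict, new: dict) -> dict:
    """What changed between two snapshots: added/modified entries and deleted keys."""
    return {
        "changed": {k: v for k, v in new.items() if old.get(k) != v},
        "deleted": [k for k in old if k not in new],
    }


def apply_diff(state: dict, d: dict) -> dict:
    state = dict(state)
    state.update(d["changed"])
    for k in d["deleted"]:
        state.pop(k, None)
    return state


def backup_size(d: dict) -> int:
    """Entries a backup must store (the analogue of its size on disk)."""
    return len(d["changed"]) + len(d["deleted"])


class BackupSet:
    """One full backup plus, in parallel, an incremental chain and a series of
    differentials, so the two strategies can be compared on the same data."""

    def __init__(self, db: dict):
        self.full = dict(db)                 # e.g. the weekend full backup
        self.last_incremental_state = dict(db)
        self.incrementals = []
        self.differentials = []

    def take_incremental(self, db: dict):
        """Copies only what changed since the previous backup in the chain."""
        self.incrementals.append(diff(self.last_incremental_state, db))
        self.last_incremental_state = dict(db)

    def take_differential(self, db: dict):
        """Copies everything that changed since the last full backup."""
        self.differentials.append(diff(self.full, db))

    def restore_from_incrementals(self) -> dict:
        """Needs the full backup and every incremental, applied in order."""
        state = self.full
        for d in self.incrementals:
            state = apply_diff(state, d)
        return state

    def restore_from_differential(self) -> dict:
        """Needs only the full backup and the most recent differential."""
        if not self.differentials:
            return dict(self.full)
        return apply_diff(self.full, self.differentials[-1])


def simulate_week():
    """Constructed scenario: Sunday full backup, then one change per weekday."""
    db = {"ledger.db": "v1", "payroll.db": "v1"}
    backups = BackupSet(db)
    db["ledger.db"] = "v2"          # Monday: a file is modified
    backups.take_incremental(db)
    backups.take_differential(db)
    db["invoices.db"] = "v1"        # Tuesday: a file is added
    backups.take_incremental(db)
    backups.take_differential(db)
    del db["payroll.db"]            # Wednesday: a file is removed
    backups.take_incremental(db)
    backups.take_differential(db)
    return db, backups


if __name__ == "__main__":
    db, backups = simulate_week()
    print([backup_size(d) for d in backups.incrementals])     # [1, 1, 1]
    print([backup_size(d) for d in backups.differentials])    # [1, 2, 3]
    print(backups.restore_from_incrementals() == db, backups.restore_from_differential() == db)
```

The trade-off this makes visible is the usual one: incrementals minimise daily backup time and storage at the cost of a longer, more fragile restore (every link in the chain must be intact), while differentials cost more each day but restore from two pieces.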

A disaster recovery plan (DRP) outlines the procedures to restore an organisation’s IT function in the event that its data center is destroyed by a natural disaster or act of terrorism. A cold site is an empty building that is prewired for necessary telephone and internet access, plus a contract with one or more vendors to provide all necessary equipment within a specific period of time.

A business continuity plan (BCP) specifies how to resume not only IT operations but all business processes, including relocating to new offices and hiring temporary replacements, in the event that a major calamity destroys not only an organization’s data center but also its main headquarters. Having both a DRP and a BCP can mean the difference between surviving a major catastrophe and going out of business.

Change control is the formal process used to ensure that modifications to hardware, software, or processes do not reduce system reliability. Good change control often results in overall better operating performance: careful testing prior to implementation reduces the likelihood of making changes that cause system downtime, and thorough documentation facilitates quicker ‘trouble shooting’ and resolution of any problems that do occur. Companies with a good change control process are also less likely to suffer financial or reputational harm from security incidents.

Effective change control procedures require regularly monitoring for unauthorized changes and sanctioning anyone who intentionally introduces such changes. Other principles of a well-designed change control process include the following:

  • All changes requests should be documented and follow a standardized format that clearly identifies the nature of the change, the reason for the request, the date of the request, and the outcome of the request.

  • All changes should be approved by appropriate levels of management.

  • The impact of the proposed change on all five principles of systems reliability should be assessed before the change is approved.

  • All documentation should be updated to reflect authorized changes to the system.

  • Emergency changes or deviations from standard operating policies must be documented and subjected to a formal review and approval process as soon after the implementation as practicable. All emergency changes need to be logged to provide an audit trail.

  • Backout plans need to be developed for reverting to previous configurations in case approved changes need to be interrupted or abandoned.

  • User rights and privileges must be carefully monitored during the change process to ensure that proper segregation of duties is maintained.

Revenue cycle: sales to cash collections - Chapter 12

The revenue cycle is a recurring set of business activities and related information processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. Information about revenue cycle activities also flows to other accounting cycles. The general ledger and reporting function uses information produced by the revenue cycle to prepare financial statements and financial reports.

The revenue cycle’s primary objective is to provide the right product in the right place at the right time for the right price. To accomplish this objective, the management must make a few decisions. There are four basic revenue cycle activities:

  1. Sales order entry

  2. Shipping

  3. Billing

  4. Cash collections

This chapter explains how an organization’s information system supports each of those activities. See page 353 figure 12.3 for the level 0 data flow diagram from the revenue cycle.

Most large organizations use an enterprise resource planning (ERP) system. The process starts when an organization receives customer orders via the internet from various retail websites. The sales department enters customer orders received over the phone, by fax, or by e-mail. The system quickly verifies customer creditworthiness, checks inventory availability, and notifies the warehouse and shipping departments about approved sales. This is only a small part of the entire sales process.

  • The first general threat is inaccurate or invalid master data. Errors in customer master data could result in shipping merchandise to the wrong location, delays in collecting payments, or making sales to customers that exceed their credit limits. One way to mitigate this threat is to use the various processing integrity controls to minimize the risk of data input errors. It is also important to restrict access to that data and configure the system so that only authorized employees can make changes to master data.

  • The second general threat is unauthorized disclosure of sensitive information. One way to mitigate the risk is to configure the system to employ strong access controls that limit who can view such information. It is also important to configure the system to limit employees’ ability to use the system’s built-in query capabilities to access only those specific tables and fields relevant to performing their assigned duties.

  • The third general threat concerns the loss or destruction of master data. The best way to mitigate this risk is to employ backup and disaster recovery procedures. A best practice is to implement the ERP system as three separate instances.

The revenue cycle begins with the receipt of orders from customers. The sales department typically performs the sales order entry process. There are three steps in this process: taking customers’ orders, checking and approving customer credit, and checking inventory availability.

Today, most organizations use sales order documents. This is usually an electronic form displayed on a computer monitor screen. The sales order contains information about item numbers, quantities, prices, and other terms of the sale.

Customers can use electronic data interchange (EDI) to submit the order electronically in a format compatible with the company’s sales order processing system. This improves efficiency and cuts costs.

Websites also provide opportunities to increase sales. It is possible to use a customer’s purchase history to create marketing messages tailored to that individual customer. Another useful technique involves the use of interactive sales order entry systems that allow customers to customize products to meet their exact needs.

  • A basic threat during sales order entry is that important data about the order will be either missing or inaccurate. This not only creates inefficiencies, but may also negatively affect customer perceptions and future sales.

  • The second threat concerns the legitimacy of orders. If a company ships merchandise to a customer and the customer later denies having placed the order, there is a potential loss of assets.

  • Another revenue cycle threat is the possibility of making sales that later turn out to be uncollectible. Requiring proper authorization for each credit sale diminishes this threat. A credit limit is the maximum allowable account balance that management wishes to allow for a customer based on that customer’s past credit history and ability to pay.

Careful monitoring of accounts receivable is very important, because some customers will end up not paying off their accounts. A useful report for doing this is an accounts receivable aging report, which lists customer account balances by length of time outstanding. The information provided by such reports is useful for projecting the timing of future cash inflows related to sales, deciding whether to increase the credit limit for specific customers, and estimating bad debts.
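The credit-limit authorization and the aging report described above, worked through as an added example (not code from the textbook or its authors): an aging report bucketed by days outstanding, and a credit approval check that uses the customer’s open balance from that report. All customers, limits, invoices and dates are constructed sample data.

```python
"""Credit approval and an accounts receivable aging report, as used in the
sales order entry step. Added illustration, not the textbook's code; every
customer, limit, invoice and date below is constructed sample data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    customer: str
    invoice_no: str
    amount: float
    invoice_date: date


# Aging buckets by days outstanding: (upper bound inclusive, label).
# None means "no upper bound" and must be the last entry.
BUCKETS = ((30, "0-30"), (60, "31-60"), (90, "61-90"), (None, "over 90"))


def bucket_for(days_outstanding: int) -> str:
    """Map a number of days outstanding to its aging bucket label."""
    for limit, label in BUCKETS:
        if limit is None or days_outstanding <= limit:
            return label
    raise ValueError("BUCKETS must end with an open-ended bucket")


def aging_report(open_invoices, as_of: date) -> dict:
    """Build {customer: {bucket: amount, ..., "total": balance}} from the
    unpaid invoices, bucketed by how long each has been outstanding."""
    report = {}
    for inv in open_invoices:
        days = (as_of - inv.invoice_date).days
        empty_row = {label: 0.0 for _, label in BUCKETS}
        empty_row["total"] = 0.0
        row = report.setdefault(inv.customer, empty_row)
        row[bucket_for(days)] += inv.amount
        row["total"] += inv.amount
    return report


def approve_credit_sale(customer: str, order_amount: float,
                        credit_limits: dict, report: dict):
    """Authorization check for a credit sale: the customer's open balance
    plus the new order may not exceed the approved credit limit. A customer
    with no limit on file is rejected rather than given an implicit limit."""
    limit = credit_limits.get(customer)
    if limit is None:
        return False, "no credit limit on file"
    balance = report.get(customer, {}).get("total", 0.0)
    if balance + order_amount > limit:
        return False, (f"open balance {balance:.2f} plus order "
                       f"{order_amount:.2f} exceeds limit {limit:.2f}")
    return True, "approved"


# Constructed sample data (not from the textbook).
AS_OF = date(2024, 3, 31)
OPEN_INVOICES = [
    Invoice("Acme", "INV-1001", 1200.00, date(2024, 3, 15)),   # 16 days
    Invoice("Acme", "INV-0950", 800.00, date(2024, 2, 10)),    # 50 days
    Invoice("Bolt", "INV-0870", 2500.00, date(2023, 12, 5)),   # 117 days
]
CREDIT_LIMITS = {"Acme": 5000.00, "Bolt": 3000.00}


if __name__ == "__main__":
    report = aging_report(OPEN_INVOICES, AS_OF)
    for customer, row in report.items():
        print(customer, row)
    print(approve_credit_sale("Acme", 2999.00, CREDIT_LIMITS, report))
    print(approve_credit_sale("Bolt", 600.00, CREDIT_LIMITS, report))
```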

In addition to checking a customer’s credit, salespeople also need to determine whether sufficient inventory is available to fill the order, so that customers can be informed of the expected delivery date. If there is not sufficient inventory on hand to fill the order, a back order for those items must be created.

Once the inventory availability has been determined, the system then generates a picking ticket that lists the items and quantities of each item that the customer ordered. The picking ticket authorizes the inventory control function to release merchandise to the shipping department. Picking tickets today are often electronic forms that may be displayed on portable handheld devices or on monitors built into forklifts.

Accurate inventory records are important to prevent both stockouts and excess inventory. Stockouts may result in lost sales if customers are not willing to wait and instead purchase from another source. Excess inventory increases carrying costs and may even require significant markdowns that reduce profitability.

Customer service is so important that many companies use special software packages, called customer relationship management (CRM) systems, to support this vital process. Customer relationship management systems help organize detailed information about customers to facilitate more efficient and more personalized service. CRM systems also help generate additional sales.

The second basic activity in the revenue cycle is filling customer orders and shipping desired merchandise. The first step in filling a customer order involves removing the correct items from inventory and packaging them for delivery.

The picking ticket generated by the sales order entry process triggers the pick and pack process. Warehouse workers use the picking ticket to identify which products, and the quantity of each product, to remove from inventory. Once the quantities removed have been recorded, the inventory is transferred to the shipping department.

One potential problem is the risk of picking the wrong items or the wrong quantity. Automated warehousing technologies can minimize the chance of such errors. Another threat involves the theft of inventory. Theft losses can be extremely large, and the perpetrators can be either outsiders or employees. Theft also makes inventory records inaccurate, which can lead to problems in filling customers’ orders.

The shipping process also produces a packing slip and multiple copies of the bill of lading. The packing slip lists the quantity and description of each item included in the shipment. The bill of lading is a legal contract that defines responsibility for the goods in transit. It identifies the carrier, source, destination, and any special shipping instructions.

A copy of the bill of lading and the packing slip accompany the shipment. If the customer is to pay the shipping charges, this copy of the bill of lading may serve as a freight bill, to indicate the amount the customer should pay to the carrier.

The third basic activity in the revenue cycle involves billing customers. It is about invoicing and updating accounts receivable.

Accurate and timely billing for shipped merchandise is crucial. The invoicing activity is just an information processing activity that repackages and summarizes information from the sales order entry and shipping activities.

The basic document created in the billing process is the sales invoice. This invoice notifies customers of the amount to be paid and where to send the payment. A well designed accounting system can entirely eliminate the need to create and store invoices, at least with customers that have sophisticated systems of their own.

One threat associated with the invoicing process is a failure to bill customers, which results in the loss of assets and erroneous data about sales, inventory, and accounts receivable. Segregating the shipping and billing functions is an important control to reduce the risk that this occurs intentionally.

Another potential threat is a billing error. Overbilling can result in customer dissatisfaction, and underbilling results in the loss of assets. Pricing mistakes can be avoided by having the system retrieve appropriate data from the pricing master file and by restricting the ability of employees to make changes to that data.

The accounts receivable function performs two tasks. It uses the information on the sales invoice to debit customer accounts and subsequently credit those accounts when payments are received.

The two basic ways to maintain accounts receivable are the open-invoice and the balance forward methods. The two methods differ in terms of when customers remit payments and how those payments are applied to update the accounts receivable master file.

Under the open invoice method, customers typically pay according to each invoice. Two copies of the invoice are mailed to the customer, who is requested to return one copy with the payment. This copy is a turnaround document called a remittance advice. Customer payments are then applied against specific invoices.

Under the balance forward method, customers typically pay according to the amount shown on a monthly statement, rather than by individual invoices. The monthly statement lists all transactions that occurred during the past month and informs customers of their current account balances.

One advantage of the open invoice method is that it is conducive to offering discounts for prompt payment, as invoices are individually tracked and aged. A disadvantage of the open invoice method is the added complexity required to maintain information about the status of each individual invoice for each customer. The open invoice method is typically used by businesses whose customers are primarily other businesses, because the number of individual transactions is relatively small and the dollar value of those transactions is high.

Many companies that use the balance forward method use a process called cycle billing to prepare and mail monthly statements to their customers. Under cycle billing, monthly statements are prepared for subsets of customers at different times. Cycle billing produces a more uniform flow of cash collections throughout the month and reduces the time that the computer system is dedicated to printing monthly statements.

To credit a customer’s account for returned goods, the credit manager must obtain information from the receiving dock that the goods were actually returned and placed back in inventory. Upon notification from the receiving department that the goods have been returned, the credit manager issues a credit memo. This memo authorizes the crediting of the customer’s account.

Errors in maintaining customer accounts can lead to the loss of future sales and may also indicate possible theft of cash. Data entry edit checks can minimize the risk of errors in maintaining customer accounts.

Another threat is that an employee may issue credit memos to write off account balances for friends or to cover up theft of cash or inventory. Proper segregation of duties can reduce the risk of this threat and prevents employees from making sales to friends that are then written off.

The final step in the revenue cycle is collecting and processing payments from customers.

Because cash and customer checks can be stolen so easily, it is important to take appropriate measures to reduce the risk of theft. This means that the accounts receivable function should not have physical access to cash or checks.

One method to identify the source of any remittances involves mailing the customer two copies of the invoice and requesting that one be returned with the payment. This remittance advice is then routed to accounts receivable, and the actual customer payment is sent to the cashier.

Another option is to have mailroom personnel prepare a remittance list, which is a document identifying the names and the amounts of all customer remittances, and send it to accounts receivable.

An alternative option is to photocopy all customer remittances and send the copies to accounts receivable while forwarding the actual remittances to the cashier for deposit.

Another way to speed up the processing of customer payments involves the use of a lockbox arrangement with a bank. A lockbox is a postal address to which customers send their remittances. The participating bank picks up the checks from the post office box and deposits them in the company’s account. Establishing lockbox agreements with foreign banks reduces the time it takes to collect the payments from sales to international customers.

Information technology can provide additional efficiencies in the use of lockboxes. In an electronic lockbox arrangement, the bank electronically sends the company information about the customer account number and the amount remitted as soon as it receives and scans those checks.

With electronic funds transfer (EFT) customers send their remittances electronically to the company’s bank and thus eliminate the delay associated with the time the payment is in the mail system. EFT also reduces the time lag before the bank makes the deposited funds available to the company.

Financial electronic data interchange (FEDI) integrates the exchange of funds (EFT) with the exchange of remittance data (EDI). The customer sends both remittance data and funds transfer instructions together, and the seller receives both pieces of information simultaneously. FEDI completes the automation of both the billing and the cash collection process.

Companies can also speed the collection process by accepting credit cards or procurement cards. The benefit is that the card issuer usually transfers the funds within two days of the sale.

The primary objective of the cash collections function is to safeguard customer remittances. Segregation of duties is the most effective control procedure for reducing the risk of theft. There are three pairs of duties that should be segregated.

The first pair is handling cash or checks and posting remittances to customer accounts. A person performing both of these duties could commit the special type of embezzlement called lapping.

The second pair is handling cash or checks and authorizing credit memos. A person performing both of these duties could conceal theft of cash by creating a credit memo equal to the amount stolen.

The third pair is handling cash or checks and reconciling the bank statements. An important detective control is reconciliation of the bank account statement with the balance of cash recorded in the company’s information system.
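The segregation-of-duties rules stated in this chapter (the three cash-handling pairs above and the shipping/billing pair from the billing section), expressed as an added example that is not code from the textbook: a check that reports employees holding an incompatible pair, and a preventive check to run before a new user right is granted. The duty names and the employee assignments are constructed.

```python
"""Segregation-of-duties check for the revenue cycle. Added illustration
built from the incompatible duty pairs this summary names (cash handling
versus posting remittances, authorizing credit memos, or reconciling the
bank statement; shipping versus billing); the duty names and employee
assignments below are constructed sample data, not from the textbook."""

# Duty pairs one person should not hold, with the abuse each pair enables.
INCOMPATIBLE_PAIRS = {
    frozenset({"handle_cash", "post_remittances"}):
        "lapping: stolen remittances hidden by misposting later payments",
    frozenset({"handle_cash", "authorize_credit_memos"}):
        "credit memo issued for the amount of cash stolen",
    frozenset({"handle_cash", "reconcile_bank_statement"}):
        "cash shortage hidden in the bank reconciliation",
    frozenset({"shipping", "billing"}):
        "goods shipped and deliberately never billed",
}


def sod_violations(assignments: dict) -> list:
    """Report every employee holding an incompatible pair.

    assignments maps employee -> set of duties. Returns a sorted list of
    (employee, duty_a, duty_b, risk) tuples."""
    violations = []
    for employee, duties in assignments.items():
        for pair, risk in INCOMPATIBLE_PAIRS.items():
            if pair <= duties:
                duty_a, duty_b = sorted(pair)
                violations.append((employee, duty_a, duty_b, risk))
    return sorted(violations)


def conflicts_if_granted(assignments: dict, employee: str, new_duty: str) -> list:
    """Preventive check to run before a user right is granted (for example
    while a change request is reviewed): which risks would the new duty
    create given the duties the employee already holds?"""
    duties = set(assignments.get(employee, set())) | {new_duty}
    return [risk for pair, risk in INCOMPATIBLE_PAIRS.items()
            if new_duty in pair and pair <= duties]


# Constructed sample assignments (not from the textbook).
ASSIGNMENTS = {
    "alice": {"handle_cash"},                               # cashier
    "bob": {"post_remittances"},                            # accounts receivable
    "carol": {"handle_cash", "reconcile_bank_statement"},   # violation
    "dave": {"shipping", "billing"},                        # violation
}


if __name__ == "__main__":
    for employee, duty_a, duty_b, risk in sod_violations(ASSIGNMENTS):
        print(f"{employee}: {duty_a} + {duty_b} -> {risk}")
    print(conflicts_if_granted(ASSIGNMENTS, "alice", "post_remittances"))
```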

The best control procedure to reduce the risk of unanticipated cash shortfalls is to use a cash flow budget, which provides estimates of cash inflows and outflows. A cash flow budget can alert an organization to a pending short-term cash shortage, thereby enabling it to plan ahead to secure short-term loans at the best possible rates.


Expenditure cycle: purchasing to cash disbursements - Chapter 13

The expenditure cycle is a recurring set of business activities and related information processing operations associated with the purchase of and payment for goods and services. It focuses on the acquisition of raw materials, finished goods, supplies, and services.

In the expenditure cycle, the primary external exchange of information is with suppliers (vendors). Expense data also flow from the expenditure cycle to the general ledger and reporting function for inclusion in financial statements and various management reports. The primary objective in the expenditure cycle is to minimize the total cost of acquiring and maintaining inventories, supplies, and the various services the organization needs to function.

The four basic expenditure cycle activities are:

  1. Ordering materials, supplies, and services

  2. Receiving materials, supplies, and services

  3. Approving supplier invoices

  4. Cash disbursements

We begin by describing the design of the expenditure cycle information system and the basic controls necessary to ensure that it provides management with reliable information to assess operational efficiency and effectiveness.

The linkages between the buyer’s expenditure cycle activities and the seller’s revenue cycle activities have important implications for the design of both parties’ accounting information systems.

The first major business activity in the expenditure cycle is ordering inventory, supplies, or services. This involves first identifying what, when, and how much to purchase, and then choosing from which supplier to purchase. Accountants and systems professionals need to understand best practices for managing inventory.

The traditional approach to managing inventory is to maintain sufficient stock so that production can continue without interruption even if inventory use is greater than expected or if suppliers are late in making deliveries. This traditional approach is often called the economic order quantity (EOQ) approach because it is based on calculating an optimal order size to minimize the sum of ordering, carrying, and stockout costs. Ordering costs include all expenses associated with processing purchase transactions. Carrying costs are those associated with holding inventory. Stockout costs are those that result from inventory shortages.

The EOQ formula is used to calculate how much to order. The reorder point specifies when to order. Companies typically set the reorder point based on delivery time and desired levels of safety stock to handle unexpected fluctuations in demand. The traditional EOQ approach to inventory control often results in carrying significant amounts of inventory. The money invested in carrying inventory earns nothing.

Materials requirements planning (MRP) seeks to reduce required inventory levels by improving the accuracy of forecasting techniques to better schedule purchases to satisfy production needs. MRP systems reduce uncertainties about when raw materials are needed and therefore enable companies to carry less inventory.

A just-in-time (JIT) inventory system attempts to minimize finished goods inventory by purchasing and producing goods only in response to actual sales. JIT systems are characterized by frequent deliveries of small amounts of materials, parts, and supplies directly to the specific locations that require them when they are needed.

A major difference between MRP and JIT systems is production scheduling. MRP systems schedule production to meet forecasted sales, thereby creating an optimal quantity of finished goods inventory. JIT systems schedule production in response to customer demands. MRP systems are more effectively used with products that have predictable patterns of demand. JIT inventory systems are especially useful for products that have relatively short life cycles and for which demand cannot be accurately predicted.

The need to purchase goods or supplies often results in the creation of a purchase requisition. The requisition identifies the requisitioner, specifies the delivery location and date needed, and lists the item numbers, descriptions, quantity, and price of each item requested.

One threat is that inaccurate inventory records can result in stock outs that lead to lost sales or to carrying excess inventory that increases costs. To reduce the risk of these problems, the perpetual inventory method should be used to ensure that information about inventory stocks is always current. Using information technology to eliminate the need for manual data entry can improve the accuracy of perpetual inventory records.

Another threat is purchasing items that are not currently needed. Accurate perpetual inventory records ensure the validity of purchase requisitions that the inventory control system automatically generates.
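The EOQ and reorder point computations from the ordering section, together with a perpetual inventory record that generates a purchase requisition when stock reaches the reorder point, as an added example (not code from the textbook or its authors). The summary names the EOQ formula without printing it; the standard form sqrt(2DS/H) is assumed here, and all item figures are constructed.

```python
"""Economic order quantity, reorder point, and a perpetual inventory record
that raises a purchase requisition automatically. Added illustration, not
the textbook's code: the summary names the EOQ formula without printing it,
so the standard form sqrt(2DS/H) is used here; item figures are constructed."""
import math
from dataclasses import dataclass, field


def eoq(annual_demand: float, ordering_cost: float, carrying_cost: float) -> float:
    """Order size that minimizes ordering plus carrying cost:
    D = annual demand in units, S = cost per order, H = annual carrying
    cost per unit. Stockout risk is handled by safety stock, not here."""
    if min(annual_demand, ordering_cost, carrying_cost) <= 0:
        raise ValueError("demand, ordering cost and carrying cost must be positive")
    return math.sqrt(2 * annual_demand * ordering_cost / carrying_cost)


def reorder_point(daily_usage: float, lead_time_days: float, safety_stock: float) -> float:
    """Stock level at which to order: expected usage during the supplier's
    delivery time plus safety stock for unexpected fluctuations in demand."""
    return daily_usage * lead_time_days + safety_stock


@dataclass
class PerpetualInventoryItem:
    """Perpetual record: every receipt and issue updates on-hand immediately,
    so the reorder test always runs against current figures."""
    item_no: str
    on_hand: int
    order_qty: int          # normally the rounded EOQ
    reorder_pt: int
    on_order: int = 0
    requisitions: list = field(default_factory=list)

    def receive(self, qty: int) -> None:
        if qty <= 0:
            raise ValueError("receipt quantity must be positive")
        self.on_hand += qty
        self.on_order = max(0, self.on_order - qty)

    def issue(self, qty: int) -> None:
        # Refusing to issue more than the record shows keeps the record
        # and the physical stock from drifting apart silently.
        if qty <= 0 or qty > self.on_hand:
            raise ValueError(f"cannot issue {qty}; on hand {self.on_hand}")
        self.on_hand -= qty
        self._check_reorder()

    def _check_reorder(self) -> None:
        # Count stock already on order so one shortfall does not produce
        # a new requisition on every subsequent issue.
        if self.on_hand + self.on_order <= self.reorder_pt:
            self.requisitions.append({"item": self.item_no, "qty": self.order_qty})
            self.on_order += self.order_qty


if __name__ == "__main__":
    # Constructed figures: 7,200 units a year, 25 per order, 4 carrying cost.
    q = eoq(7200, 25, 4)                      # 300.0
    rp = reorder_point(20, 5, 40)             # 140.0
    item = PerpetualInventoryItem("RM-17", on_hand=200,
                                  order_qty=round(q), reorder_pt=int(rp))
    for qty in (50, 20, 30):
        item.issue(qty)
    print(item.on_hand, item.on_order, item.requisitions)
```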

The next step is to select a supplier. Purchasing agents usually perform this task. The crucial operating decision in the purchasing activity is selecting suppliers for inventory items. Several factors should be considered:

  • Price

  • Quality of materials

  • Dependability in making deliveries

A purchase order is a document or electronic form that formally requests a supplier to sell and deliver specified products at designated prices. It is also a promise to pay and becomes a contract once the supplier accepts it.

Many companies maintain special purchasing arrangements with important suppliers. A blanket purchase order is a commitment to purchase specified items at designated prices from a particular supplier for a set time period, often one year.

Vendor managed inventory programs provide another means of reducing purchase and inventory costs. A vendor-managed inventory program essentially outsources much of the inventory control and purchasing function. Suppliers are given access to sales and inventory data and are authorized to automatically replenish inventory when stocks fall to predetermined reorder points.

A threat is a kickback. Kickbacks are gifts from suppliers to purchasing agents for the purpose of influencing their choice of suppliers. To prevent kickbacks, companies should prohibit purchasing agents from accepting any gifts from potential or existing suppliers. These policies should apply not only to gifts of tangible goods, but also to services.

The second major business activity in the expenditure cycle is the receipt and storage of ordered items. The receiving department is responsible for accepting deliveries from suppliers. Information about the receipt of ordered merchandise must be communicated to the inventory control function to update the inventory records.

When a delivery arrives, a receiving clerk compares the purchase order number referenced on the supplier’s packing slip with the open purchase order file to verify that the goods were ordered.

The receiving report documents details about each delivery, including the date received, shipper, supplier, and purchase order number. The receiving report also contains space to identify the persons who received and inspected the goods, as well as for remarks concerning the quality of the items received.

In the case of damaged or poor-quality goods, a debit memo is prepared after the supplier agrees to take back the goods or to grant a price reduction. The debit memo records the adjustment being requested.

The third main activity is approving supplier invoices for payment. The accounts payable department approves supplier invoices for payment. A legal obligation to pay suppliers arises at the time goods are received. When a supplier’s invoice is received, the accounts payable department is responsible for matching it with a corresponding purchase order and receiving report. This combination of the supplier’s invoice and associated supporting documentation creates what is called a voucher package.

There are two ways to process supplier invoices, referred to as non-voucher or voucher systems.

  1. Non-voucher system. Each approved invoice is posted to individual supplier records in the accounts payable file and is then stored in an open invoice file. When a check is written to pay for an invoice, the voucher package is removed from the open-invoice file to the paid-invoice file.

  2. Voucher system. An additional document (disbursement voucher) is also created when a supplier invoice is approved for payment. The disbursement voucher identifies suppliers, lists the outstanding invoices, and indicates the net amount to be paid after deducting any applicable discounts and allowances.

Voucher systems offer three advantages over non-voucher systems. First, they reduce the number of checks that need to be written, because several invoices may be included on one disbursement voucher. Second, because the disbursement voucher is an internally generated document, it can be prenumbered to simplify tracking all payables. Third, because the voucher provides an explicit record that a vendor invoice has been approved for payment, it facilitates separating the time of invoice approval from the time of invoice payment.

As soon as receipt of goods or services is verified, all the information required to pay the supplier is already known. This invoiceless approach is called evaluated receipt settlement (ERS). ERS replaces the traditional three-way (vendor invoice, receiving report, and purchase order) matching process with a two-way match of the purchase order and receiving report.
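The three-way match that precedes invoice approval, and the two-way ERS match that replaces it, worked through as an added example (not code from the textbook or its authors). The exceptions it reports are the mismatches accounts payable has to resolve before a voucher package is approved; the price tolerance and the sample documents are constructed assumptions.

```python
"""Three-way match of a supplier invoice with its purchase order and
receiving report, and the two-way evaluated receipt settlement (ERS) match
that replaces the invoice. Added illustration, not the textbook's code; the
tolerance and the documents below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    supplier: str
    item: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class ReceivingReport:
    po_no: str
    item: str
    qty_received: int


@dataclass(frozen=True)
class SupplierInvoice:
    po_no: str
    supplier: str
    item: str
    qty: int
    unit_price: float


PRICE_TOLERANCE = 0.01   # assumed per-unit rounding tolerance


def three_way_match(inv: SupplierInvoice, po: PurchaseOrder, rr: ReceivingReport) -> list:
    """Return the exceptions that block approval; an empty list means the
    invoice may be added to the voucher package and approved for payment."""
    if not (inv.po_no == po.po_no == rr.po_no):
        return ["documents reference different purchase orders"]
    exceptions = []
    if inv.supplier != po.supplier:
        exceptions.append("invoice supplier differs from purchase order")
    if not (inv.item == po.item == rr.item):
        exceptions.append("item differs across documents")
    if rr.qty_received > po.qty:
        exceptions.append(f"received {rr.qty_received} exceeds ordered {po.qty}")
    if inv.qty > rr.qty_received:
        exceptions.append(f"invoiced {inv.qty} but only {rr.qty_received} received")
    if abs(inv.unit_price - po.unit_price) > PRICE_TOLERANCE:
        exceptions.append(
            f"invoice price {inv.unit_price} differs from PO price {po.unit_price}")
    return exceptions


def ers_amount_payable(po: PurchaseOrder, rr: ReceivingReport) -> float:
    """Two-way ERS match: with no invoice, the amount owed is the PO price
    times the quantity actually received. Over-receipts are not paid
    silently; they need resolution before settlement."""
    if rr.po_no != po.po_no or rr.item != po.item:
        raise ValueError("receiving report does not belong to this purchase order")
    if rr.qty_received > po.qty:
        raise ValueError(f"received {rr.qty_received} exceeds ordered {po.qty}")
    return round(rr.qty_received * po.unit_price, 2)


# Constructed sample documents (not from the textbook).
PO = PurchaseOrder("PO-4411", "Northwind", "WIDGET-9", 100, 12.50)
RR = ReceivingReport("PO-4411", "WIDGET-9", 100)
GOOD_INVOICE = SupplierInvoice("PO-4411", "Northwind", "WIDGET-9", 100, 12.50)
OVERBILLED_INVOICE = SupplierInvoice("PO-4411", "Northwind", "WIDGET-9", 120, 12.50)
REPRICED_INVOICE = SupplierInvoice("PO-4411", "Northwind", "WIDGET-9", 100, 13.00)


if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVOICE), ("overbilled", OVERBILLED_INVOICE),
                       ("repriced", REPRICED_INVOICE)):
        print(label, three_way_match(inv, PO, RR) or "approved")
    print("ERS payable:", ers_amount_payable(PO, RR))
```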

Procurement cards provide one way to eliminate the need for accounts payable to process many such small invoices. A procurement card is a corporate credit card that employees can use only at designated suppliers to purchase specific kinds of items.

The final activity is paying suppliers. The cashier, who reports to the treasurer, is responsible for paying suppliers. Payments are made when accounts payable sends the cashier a voucher package. Although many payments continue to be made by check, the use of EFT and FEDI is increasing.

It is often more convenient to pay for minor purchases, such as coffee or pencils, in cash. The petty cash fund should be set up as an imprest fund. An imprest fund has two characteristics: it is set at a fixed amount and it requires vouchers for every disbursement. The sum of the cash plus vouchers should equal the preset fund balance.

Production cycle - Chapter 14

The production cycle is a recurring set of business activities and related information processing operations associated with the manufacture of products. The production cycle contains four basic activities: product design, planning and scheduling, production operations, and cost accounting.

The first step in the production cycle is product design. The objective is to create a product that meets customer requirements in terms of quality, durability, and functionality while simultaneously minimizing production costs.

The product design activity creates two outputs. The first, a bill of materials, specifies the part number, description, and quantity of each component used in a finished product. The second is an operations list. This list specifies the sequence of steps to follow in making the product, which equipment to use, and how long each step should take.

The second step in the production cycle is planning and scheduling. The objective is to develop a production plan efficient enough to meet existing orders and anticipated short-term demand while minimizing inventories of both raw materials and finished goods.

Two common methods of production planning are manufacturing resource planning and lean manufacturing. Manufacturing resource planning (MRP-II) is an extension of materials requirements planning that seeks to balance existing production capacity and raw material needs to meet forecasted sales demand. MRP-II systems are often referred to as push manufacturing, because goods are produced in expectation of customer demand.

Lean manufacturing extends the principles of just-in-time inventory systems to the entire production process. The goal of lean manufacturing is to minimize or eliminate inventories of raw materials, work in progress, and finished goods. Lean manufacturing is often referred to as pull manufacturing, because goods are produced in response to customer demand.

Both lean manufacturing and MRP-II systems plan production in advance. They differ in the length of the planning horizon.

Information about customer orders, sales forecasts, and inventory levels of finished goods is used to determine production levels. The result is a master production schedule (MPS), which specifies how much of each product is to be produced during the planning period and when that production should occur.

A production order authorizes the manufacture of a specified quantity of a particular product. It lists the operations that need to be performed, the quantity to be produced, and the location where the finished product should be delivered.

A materials requisition authorizes the removal of the necessary quantity of raw materials from the storeroom to the factory location where they will be used. Subsequent transfers of raw materials throughout the factory are documented on move tickets, which identify the parts being transferred, the location to which they are transferred, and the time of transfer.

The third step in the production cycle is the actual manufacture of products. The manner in which this activity is accomplished varies greatly across companies, differing according to the type of product being manufactured and the degree of automation used in the production process.

Using various forms of information technology (IT) in the production process is referred to as computer-integrated manufacturing (CIM). CIM can significantly reduce production costs. Accountants need not be experts on every facet of CIM, but they must understand how it affects both operations and cost accounting. CIM requires redesign of inventory management systems and work flows to facilitate quick changes in production.

Orders for machinery and equipment almost always involve a formal request for competitive bids by potential suppliers. A document called a request for proposal (RFP), which specifies the desired properties of the asset, is sent to each prospective supplier. The capital investment committee should review the responses and select the best bid.

The final step is cost accounting. The three principal objectives of the cost accounting system are to provide information for planning, controlling, and evaluating the performance of production operations. The system also provides accurate cost data and collects and processes the information used to calculate the inventory and cost of goods sold values that appear in the company’s financial statements.

Most companies use either job-order or process costing to assign production costs. Job-order costing assigns costs to specific production batches, or jobs, and is used when the product or service being sold consists of discretely identifiable items.

Process costing assigns costs to each process, or work center, in the production cycle and then calculates the average cost for all units produced. Process costing is used when similar goods or services are produced in mass quantities and discrete units cannot be readily identified.

The choice of job-order or process costing affects only the method used to assign costs to products, not the method used to collect that data. A job-time ticket is a paper document used to collect data about labor activity. This document records the amount of time a worker spent on each specific job task.

Manufacturing costs that are not economically feasible to trace directly to specific jobs or processes are considered manufacturing overhead. Examples are the cost of water, power, and other utilities.

Activity based costing can refine and improve cost allocations under both job-order and process cost systems. It attempts to trace costs to the activities that create them. Corporate strategy is an underlying objective and results in decisions about what goods and services to produce.

Activity based costing systems differ from conventional cost accounting systems in three important ways:

  1. Activity based costing systems attempt to directly trace a larger proportion of overhead costs to products.

  2. Activity based costing systems use a greater number of cost pools to accumulate indirect costs. They distinguish three separate categories of overhead.

    1. Batch-related overhead

    2. Product-related overhead

    3. Companywide overhead

  3. Activity based costing systems attempt to rationalize the allocation of overhead to products by identifying cost drivers. A cost driver is anything that has a cause-and-effect relationship on costs.

A few other advantages of activity based costing:

  • Better control

  • Better decisions

  • Improved cost management. Proponents argue that another advantage of activity based costing is that it clearly measures the results of managerial actions on overall profitability.

Throughput represents the number of good units produced in a given period of time. It is shown in the following formula.

Throughput = (total units produced/processing time) x (processing time/total time) x (good units/total units)
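The three factors of the throughput formula are productive capacity (units per hour of processing), productive processing time (the share of available time actually spent producing) and yield (the share of output that is good). Worked through here as an added illustration with constructed figures rather than numbers from the textbook, the common terms cancel and throughput reduces to good units per unit of total time:

$$
\text{Throughput} =
\underbrace{\frac{\text{total units}}{\text{processing time}}}_{\text{productive capacity}}
\times
\underbrace{\frac{\text{processing time}}{\text{total time}}}_{\text{productive processing time}}
\times
\underbrace{\frac{\text{good units}}{\text{total units}}}_{\text{yield}}
= \frac{\text{good units}}{\text{total time}}
$$

$$
\frac{1000}{80\ \text{h}} \times \frac{80\ \text{h}}{100\ \text{h}} \times \frac{950}{1000}
= 12.5 \times 0.8 \times 0.95
= 9.5\ \text{good units per hour}
= \frac{950}{100\ \text{h}}
$$

Improving any one factor (faster processing, less downtime, or fewer defects) raises throughput, which is why the quality cost categories that follow matter to this measure.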

Information about quality costs can help companies determine the effects of actions taken to improve the yield and identify areas for further improvement. Quality control costs can be divided into four areas:

  • Prevention costs are associated with changes to production processes designed to reduce the production defect rate.

  • Inspection costs are associated with testing to ensure that products meet quality standards.

  • Internal failure costs are associated with reworking, or scrapping, products identified as being defective prior to sale.

  • External failure costs result when defective products are sold to customers.

The human resources management and payroll cycle - Chapter 15

The human resources management (HRM)/ payroll cycle is a recurring set of business activities and related data processing operations associated with effectively managing the employee workforce. The more important tasks include the following: recruiting and hiring new employees, training, job assignment, compensation (payroll), performance evaluation, and discharge of employees due to voluntary or involuntary termination.

The HRM-related activities and the collection of information about the use of employee time occur daily. The actual processing of payroll occurs only periodically because in most organizations employees are paid on a weekly, biweekly, or monthly basis rather than every day.

The HRM/payroll master database provides descriptive information. To more effectively use employees’ knowledge and skills, many organizations have invested in knowledge management systems. Knowledge management systems not only serve as a directory identifying the areas of expertise possessed by individual employees, but also capture and store that knowledge so that it can be shared and used by others. These systems can significantly improve productivity.

The payroll system has five major sources of inputs. The HRM department provides information about hiring, terminations, and pay-rate changes due to raises and promotions. The checks are the payroll system’s principal output. Employees receive individual pay checks in compensation for their services. A payroll check is sent to the bank to transfer funds from the company’s regular accounts to its payroll account. The payroll system produces a variety of reports for internal and external use.

We explain the controls necessary to ensure not only the reliability of that information but also the safeguarding of the organization’s resources.

  • Update payroll master database. An organization needs to update its master database to reflect various types of internally initiated changes. It is also necessary to reflect changes in tax rates and deductions for insurance.

  • Validate time and attendance data. For employees paid on an hourly basis, many companies use a time card to record the employee’s daily arrival and departure times. Professionals in such service organizations as accounting, law, and consulting firms similarly track the time they spend performing various tasks and for which clients, recording that data on time sheets. Their employers use the time sheets to assign costs and accurately bill clients for services provided.

  • Prepare payroll.

Every employee receives a few documents.

  • Payroll register. This register lists each employee’s gross pay, pay deductions, and net pay in a multicolumn format.

  • Deduction register. This register lists the miscellaneous voluntary deductions for each employee.

  • Earnings statement. This statement lists the amount of gross pay, deductions, and net pay for the current period and year-to-date totals for each category.

  • Disburse payroll. Most employees are paid either by check or by direct deposit of the net pay amount into their personal bank account. Both methods provide a means to document the amount of wages paid.

  • Calculate and disburse employer-paid benefit taxes and voluntary employee deductions. This is the final payroll activity. Many employers offer their employees flexible benefit plans, under which each employee chooses some minimum coverage in medical insurance, retirement plans, and charitable contributions. Flexible benefit plans place increased demands on a company’s HRM/payroll system.

There are three types of data processing integrity controls that can mitigate the threat of payroll errors.

  • Batch totals. If the original and subsequent hash totals of employee numbers agree, it means that all payroll records have been processed. It also means that data input was accurate, and no bogus time cards were entered during processing.

  • Cross footing the payroll register. The total of the net pay column should equal the total of gross pay less total deductions. If it does not, an error occurred in processing that needs to be promptly investigated and corrected.

  • A payroll clearing account. This is a general ledger account that is used in a two-step process to check the accuracy and completeness of recording payroll costs and their subsequent allocation to appropriate cost centers.
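The first two of these controls can be expressed directly as code. The following is an added example, not code from the book or its summary: it computes control totals (record count, a hash total of employee numbers, and a financial total of hours) over a constructed batch of time cards, compares them before and after processing, and cross-foots a constructed payroll register. The record layouts, employee numbers and amounts are all assumptions made up for the example. The processed batch substitutes one time card for a bogus one with the same hours, which the record count and hours total cannot see but the hash total does.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class TimeCard:
    employee_number: int
    hours: Decimal


@dataclass(frozen=True)
class PayrollLine:
    """One row of the payroll register (constructed sample layout)."""
    employee_number: int
    gross_pay: Decimal
    deductions: Decimal
    net_pay: Decimal


def batch_totals(cards):
    """Control totals taken over a batch of time cards.

    record_count and financial_total are ordinary totals; the hash total is a
    sum of employee numbers that has no business meaning but changes whenever
    a card is substituted, dropped or added.
    """
    return {
        "record_count": len(cards),
        "hash_total": sum(c.employee_number for c in cards),
        "financial_total": sum((c.hours for c in cards), Decimal(0)),
    }


def compare_batch_totals(before, after):
    """Names of the totals that differ between the input and processed batch (empty = agrees)."""
    return [name for name in before if before[name] != after[name]]


def cross_foot(register):
    """Cross-foot the payroll register: gross - deductions must equal net on every
    line and for the column totals. Returns the discrepancies found."""
    problems = []
    total_gross = total_deductions = total_net = Decimal(0)
    for line in register:
        if line.gross_pay - line.deductions != line.net_pay:
            problems.append(
                f"employee {line.employee_number}: {line.gross_pay} - "
                f"{line.deductions} != {line.net_pay}"
            )
        total_gross += line.gross_pay
        total_deductions += line.deductions
        total_net += line.net_pay
    if total_gross - total_deductions != total_net:
        problems.append(
            f"column totals: {total_gross} - {total_deductions} != {total_net}"
        )
    return problems


# Constructed sample data. The processed batch replaces card 103 with a bogus
# card 104 carrying the same hours: record count and hours total still agree,
# only the hash total reveals the substitution.
INPUT_BATCH = [
    TimeCard(101, Decimal("40")),
    TimeCard(102, Decimal("35.5")),
    TimeCard(103, Decimal("40")),
]
PROCESSED_BATCH = [
    TimeCard(101, Decimal("40")),
    TimeCard(102, Decimal("35.5")),
    TimeCard(104, Decimal("40")),
]

# Constructed payroll register; the third line does not foot.
REGISTER = [
    PayrollLine(101, Decimal("1200.00"), Decimal("300.00"), Decimal("900.00")),
    PayrollLine(102, Decimal("1065.00"), Decimal("250.00"), Decimal("815.00")),
    PayrollLine(103, Decimal("1200.00"), Decimal("300.00"), Decimal("910.00")),
]

if __name__ == "__main__":
    differing = compare_batch_totals(batch_totals(INPUT_BATCH), batch_totals(PROCESSED_BATCH))
    print("batch totals that differ:", differing)
    for problem in cross_foot(REGISTER):
        print("cross-footing error:", problem)
```

Amounts are kept as Decimal rather than float so that the equality tests in the cross-footing are exact; with floats a register that is actually correct can fail to foot by a fraction of a cent.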

A payroll service bureau maintains the payroll master data for each of its clients and processes payroll for them. A professional employer organization (PEO) not only processes payroll, but also provides HRM services. Payroll service bureaus are generally less expensive than PEOs, because they provide a narrower range of services.

Payroll services bureaus and PEOs are especially attractive to small and midsized businesses for the following reasons.

  • Reduced costs. They both benefit from the economies of scale associated with preparing pay checks for a large number of companies.

  • Wider range of benefits. PEOs pool the costs of administering benefits across all their clients. A PEO enables smaller companies to offer the same wide range of benefits that large companies typically provide.

  • Freeing up of computer resources. A payroll service bureau or PEO eliminates one or more AIS applications. The freed-up computing resources can then be used to improve service in other areas.

General Ledger and Reporting System - Chapter 16

This chapter discusses the information processing operations involved in updating the general ledger and preparing reports that summarize the results of an organization’s activities. The general ledger and reporting system plays a central role in a company’s accounting information system. Its primary function is to collect and organize data from the following sources:

  • Each of the accounting cycle subsystems provides information about regular transactions.

  • The treasurer provides information about financing and investing activities.

  • The budget department provides budget numbers.

  • The controller provides adjusting entries.

Figure 16.3 on page 485 shows the typical design of an online general ledger and reporting system.

The centralized database must be organized in a manner that facilitates meeting the varied information needs of both internal and external users. Managers need timely detailed information about the results of operations in their particular area of responsibility. Investors and creditors want periodic financial statements and timely updates to help them assess the organization’s performance.

The most important threats for a general ledger are:

  • Inaccurate or invalid general ledger data

  • Unauthorized disclosure of financial information

  • The loss or destruction of master data

See table 16.1 on page 486 for the threats and controls in the general ledger and reporting system.

The first activity in the general ledger system is updating the general ledger. Updating consists of posting journal entries that originate from two sources.

  • Accounting subsystems. Each of the accounting subsystems creates a journal entry to update the general ledger. The general ledger could be updated for each individual transaction.

  • Treasurer. The treasurer’s office provides information for journal entries to update the general ledger for non-routine transactions.

The individual journal entries used to update the general ledger are stored in the journal voucher file. The journal voucher file contains the information that would be found in the general journal in a manual accounting system: the date of the journal entry, the accounts debited and credited, and the amounts.

Journal entries made by the treasurer are original data entry. The following types of input edit and processing controls are needed to ensure that they are accurate and complete:

  • A validity check to ensure that a general ledger account exists for each account number referenced in a journal entry.

  • Field (format) checks to ensure that the amount field in the journal entry contains only numeric data.

  • A zero balance check to verify that total debits equal total credits in a journal entry.

  • A completeness test to ensure that all pertinent data are entered.

  • Closed-loop verification, matching account numbers with account descriptions, to ensure that the correct general ledger account is being accessed.

  • A sign check of the general ledger account balance to verify that the balance is of the appropriate nature.

  • Calculating run-to-run totals to verify the accuracy of journal voucher batch processing.
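The list above maps onto a small validator. The following is an added example and not the book's own code: it applies the completeness test, validity check, closed-loop verification, field check and zero balance check to a journal voucher, then posts a batch against signed account balances and applies the sign check and a run-to-run total. The chart of accounts, the voucher layout (a date plus lines with account, description, debit and credit) and the sample vouchers are constructed assumptions; the second voucher deliberately fails every input edit control so each finding can be seen.

```python
from decimal import Decimal, InvalidOperation

# Constructed chart of accounts: number -> (description, normal balance).
CHART = {
    "1000": ("Cash", "debit"),
    "1200": ("Accounts receivable", "debit"),
    "2000": ("Accounts payable", "credit"),
    "4000": ("Sales revenue", "credit"),
}


def validate_voucher(voucher, chart=CHART):
    """Input edit controls on one journal voucher; returns findings (empty = accepted).
    Each finding is prefixed with the control that raised it."""
    findings = []
    lines = voucher.get("lines") or []
    if not voucher.get("date"):
        findings.append("completeness: voucher has no date")
    if not lines:
        findings.append("completeness: voucher has no lines")
    debits = credits = Decimal(0)
    for n, line in enumerate(lines, 1):
        # Completeness test: every pertinent field must be present.
        for field in ("account", "description", "debit", "credit"):
            if not line.get(field):
                findings.append(f"completeness: line {n} is missing '{field}'")
        acct = line.get("account")
        if acct and acct not in chart:
            # Validity check: the account number must exist in the chart.
            findings.append(f"validity: line {n} references unknown account {acct}")
        elif acct and line.get("description") and line["description"] != chart[acct][0]:
            # Closed-loop verification: the keyed description must match the account.
            findings.append(f"closed-loop: line {n} says '{line['description']}' "
                            f"but account {acct} is '{chart[acct][0]}'")
        for field in ("debit", "credit"):
            value = line.get(field)
            if not value:
                continue
            try:
                amount = Decimal(value)  # field (format) check: numeric data only
            except InvalidOperation:
                findings.append(f"field: line {n} {field} '{value}' is not numeric")
                continue
            if field == "debit":
                debits += amount
            else:
                credits += amount
    # Zero balance check: total debits must equal total credits.
    if debits != credits:
        findings.append(f"zero-balance: debits {debits} != credits {credits}")
    return findings


def post_batch(opening, vouchers):
    """Post vouchers to signed balances (debit positive); return the closing balances
    and the batch control totals used for the run-to-run check."""
    closing = dict(opening)
    debits = credits = Decimal(0)
    for voucher in vouchers:
        for line in voucher["lines"]:
            d, c = Decimal(line["debit"]), Decimal(line["credit"])
            closing[line["account"]] = closing.get(line["account"], Decimal(0)) + d - c
            debits += d
            credits += c
    return closing, {"debits": debits, "credits": credits}


def run_to_run_ok(opening, closing, control):
    """Run-to-run total: opening total + batch debits - batch credits must equal the closing total."""
    return sum(opening.values()) + control["debits"] - control["credits"] == sum(closing.values())


def sign_check(balances, chart=CHART):
    """Sign check: a debit-normal account must not end with a credit balance, and vice versa."""
    findings = []
    for acct, balance in balances.items():
        normal = chart[acct][1]
        if (normal == "debit" and balance < 0) or (normal == "credit" and balance > 0):
            findings.append(f"sign: {chart[acct][0]} ({acct}) has an abnormal balance of {balance}")
    return findings


# Constructed sample vouchers and opening balances.
GOOD = {"date": "2024-01-15", "lines": [
    {"account": "1000", "description": "Cash", "debit": "500.00", "credit": "0.00"},
    {"account": "4000", "description": "Sales revenue", "debit": "0.00", "credit": "500.00"},
]}
BAD = {"date": "2024-01-16", "lines": [
    {"account": "1000", "description": "Accounts payable", "debit": "5OO.00", "credit": "0.00"},
    {"account": "9999", "description": "Suspense", "debit": "0.00", "credit": "500.00"},
    {"account": "2000", "description": "Accounts payable", "debit": "0.00"},
]}
OVERDRAW = {"date": "2024-01-17", "lines": [
    {"account": "2000", "description": "Accounts payable", "debit": "2000.00", "credit": "0.00"},
    {"account": "1000", "description": "Cash", "debit": "0.00", "credit": "2000.00"},
]}
OPENING = {"1000": Decimal("1000.00"), "4000": Decimal("-2000.00")}

if __name__ == "__main__":
    for name, voucher in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_voucher(voucher) or "accepted")
    closing, control = post_batch(OPENING, [OVERDRAW])
    print("run-to-run ok:", run_to_run_ok(OPENING, closing, control), sign_check(closing))
```

The OVERDRAW voucher passes every input edit control, because it is complete, valid and balanced; only the sign check on the posted balances reveals that it leaves Cash with a credit balance and Accounts payable with a debit balance. That is the reason the book lists the sign check separately from the entry-level checks.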

Reconciliations and control reports can detect whether any errors were made during the process of updating the general ledger. One form of reconciliation is the preparation of a trial balance. A trial balance is a report that lists the balances for all general ledger accounts.

The audit trail is a traceable path that shows how a transaction flows through the information system to affect general ledger account balances. It is an important detective control that provides evidence about the causes of changes in general ledger account balances.

The second activity in the general ledger system is posting various adjusting entries. Adjusting entries originate from the controller’s office, after the initial trial balance has been prepared. Adjusting entries fall into five basic categories.

  1. Accruals are entries made at the end of the accounting period to reflect events that have occurred but for which cash has not yet been received or disbursed.

  2. Deferrals are entries made at the end of the accounting period to reflect the exchange of cash prior to performance of the related event.

  3. Estimates are entries that reflect a portion of expenses expected to occur over a number of accounting periods.

  4. Revaluations are entries made to reflect either differences between the actual and recorded value of an asset or a change in accounting principle.

  5. Corrections are entries made to counteract the effects of errors found in the general ledger.

The third activity in the general ledger and reporting system is preparing financial statements. Most organizations close the books to produce financial statements both monthly and annually. A closing journal entry zeroes out all revenue and expense accounts in the adjusted trial balance and transfers the net income to retained earnings.

In 2010, the SEC reaffirmed its commitment to decide in 2011 whether it will require American companies to switch from US based Generally Accepted Accounting Principles (GAAP) to International Financial Reporting Standards (IFRS) as the basis for preparing financial statements.

The XBRL file containing the tagged data that is delivered to users is called an instance document. The instance document contains facts about specific financial statement line items, including their values and contextual information. Each specific item in an XBRL document is called an element. An element’s specific value is displayed in an instance document between tags. An instance document is created by applying a taxonomy to a set of data. A taxonomy is a set of files that defines the various elements and the relationships between them. One part of the taxonomy is called the schema, which is a file that contains the definitions of every element that could appear in an instance document.

The following are some of the basic attributes used to define each element.

  • A unique identifying name used by the software

  • A description that can be used to correctly interpret the element

  • The element’s data type

  • The element’s normal balance type

  • The element’s period type

The taxonomy also includes a set of files called linkbases, which define the relationships among elements. Important linkbases include the following.

  • The reference linkbase identifies relevant authoritative pronouncements

  • The calculation linkbase specifies how to combine elements

  • The definition linkbase indicates hierarchical relationships among elements

  • The presentation linkbase describes how to group elements

  • The label linkbase associates human-readable labels with elements
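To make the instance document, context and calculation linkbase concrete, here is an added example that is not part of the book or the summary. It parses a constructed, deliberately minimal instance document (the `http://www.xbrl.org/2003/instance` namespace is the real XBRL instance namespace; the `http://example.com/taxonomy` filer taxonomy, the entity, the element names and the amounts are made up), rejects facts whose `contextRef` or `unitRef` points at a context or unit that the document does not define, and checks one calculation relationship of the kind a calculation linkbase expresses: within the same context and unit, Assets must equal Liabilities plus Equity. The relationship is hard-coded as a dictionary standing in for the linkbase file.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from decimal import Decimal

XBRLI = "http://www.xbrl.org/2003/instance"  # real XBRL instance namespace
TAXONOMY = "http://example.com/taxonomy"     # hypothetical filer taxonomy

# Constructed minimal instance document: one context, one unit, three facts.
INSTANCE = """\
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:ex="http://example.com/taxonomy">
  <xbrli:context id="FY2023">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/entities">EXAMPLECO</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period>
      <xbrli:startDate>2023-01-01</xbrli:startDate>
      <xbrli:endDate>2023-12-31</xbrli:endDate>
    </xbrli:period>
  </xbrli:context>
  <xbrli:unit id="USD"><xbrli:measure>iso4217:USD</xbrli:measure></xbrli:unit>
  <ex:Assets contextRef="FY2023" unitRef="USD" decimals="0">150000</ex:Assets>
  <ex:Liabilities contextRef="FY2023" unitRef="USD" decimals="0">90000</ex:Liabilities>
  <ex:Equity contextRef="FY2023" unitRef="USD" decimals="0">60000</ex:Equity>
</xbrli:xbrl>
"""

# Stand-in for one calculation linkbase relationship: a total and the elements
# that must sum to it (a real linkbase would carry weights and ordering too).
CALCULATIONS = {"Assets": ["Liabilities", "Equity"]}


@dataclass(frozen=True)
class Fact:
    name: str
    value: Decimal
    context: str
    unit: str
    period: tuple  # (startDate, endDate) resolved from the referenced context


def parse_instance(xml_text):
    """Return the facts in an instance document, rejecting dangling context/unit references."""
    root = ET.fromstring(xml_text)
    contexts, units = {}, set()
    for ctx in root.findall(f"{{{XBRLI}}}context"):
        period = ctx.find(f"{{{XBRLI}}}period")
        contexts[ctx.get("id")] = (
            period.findtext(f"{{{XBRLI}}}startDate"),
            period.findtext(f"{{{XBRLI}}}endDate"),
        )
    for unit in root.findall(f"{{{XBRLI}}}unit"):
        units.add(unit.get("id"))
    facts = []
    for el in root:
        if el.tag.startswith(f"{{{XBRLI}}}"):
            continue  # contexts and units were handled above
        name = el.tag.rsplit("}", 1)[-1]
        ctx, unit = el.get("contextRef"), el.get("unitRef")
        if ctx not in contexts:
            raise ValueError(f"{name}: contextRef {ctx!r} is not defined")
        if unit not in units:
            raise ValueError(f"{name}: unitRef {unit!r} is not defined")
        facts.append(Fact(name, Decimal(el.text.strip()), ctx, unit, contexts[ctx]))
    return facts


def check_calculations(facts, calculations=CALCULATIONS):
    """Verify each calculation relationship within the same context and unit."""
    values = {(f.name, f.context, f.unit): f.value for f in facts}
    problems = []
    for (name, ctx, unit), total in values.items():
        parts = calculations.get(name)
        if parts is None:
            continue
        missing = [p for p in parts if (p, ctx, unit) not in values]
        if missing:
            problems.append(f"{name} in {ctx}: missing {', '.join(missing)}")
            continue
        computed = sum(values[(p, ctx, unit)] for p in parts)
        if computed != total:
            problems.append(f"{name} in {ctx}: reported {total}, components sum to {computed}")
    return problems


if __name__ == "__main__":
    for fact in parse_instance(INSTANCE):
        print(fact.name, fact.value, fact.unit, fact.period)
    print("calculation problems:", check_calculations(parse_instance(INSTANCE)))
```

Python's `xml.etree` does not fetch external entities, but instance documents received from outside parties should still go through a hardened parser such as `defusedxml`, since a filing is untrusted input like any other.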

The final activity in the general ledger and reporting system is to produce various managerial reports, including budgets. ERP systems can produce a number of budgets to help managers plan and evaluate performance. An operating budget depicts planned revenues and expenditures for each organizational unit. A capital expenditure budget shows planned cash inflows and outflows for each capital project. Cash flow budgets compare estimated cash inflows from operations with planned expenditures and are used to determine borrowing needs.

To properly evaluate performance, reports should highlight the results that can be directly controlled by the person or unit being evaluated. Responsibility accounting does this by producing a set of correlated reports that break down the organization’s overall performance by the specific subunits that can most directly control those activities.

A flexible budget, in which the budgeted amounts vary in relation to some measure of organizational activity, mitigates problems. Flexible budgeting would entail dividing the budget for each line item in the general superintendent’s department into its fixed and variable cost components.

A balanced scorecard is a report that provides a multidimensional perspective of organizational performance. A balanced scorecard contains measures reflecting four perspectives of the organization: financial, customer, internal operations, and innovation and learning.
