Information is valuable when the benefits exceed the costs of gathering, maintaining, and
storing the data.
Benefit (i.e., improved decision making)
Cost (i.e., time and resources used to get the information)
Most organizations engage in many similar and repetitive transactions. These transaction
types can be grouped into the five basic cycles, each of which constitutes a basic subsystem
in the AIS:
• The expenditure cycle consists of the activities involved in buying and paying for goods
or services used by the organization.
• The human resources/payroll cycle consists of the activities involved in hiring and paying
employees. (part of expenditure cycle)
• The revenue cycle consists of the activities involved in selling goods or services and
collecting payment for those sales.
• The financing cycle consists of the activities involved in obtaining the necessary
funds to run the organization and in repaying creditors and distributing profits to
investors.
• The production cycle consists of the activities involved in converting raw materials and
labor into finished products. (Only manufacturing companies have a production cycle;
retail
Interactions between AIS and Internal and External Parties
Organizational Decisions and Information Needed
• Business organizations use business processes to get things done.
• Business processes are a set of structured activities that are performed by people, machines,
or both to achieve a specific goal.
• Key decisions and information needed often come from these business processes.
A well thought out AIS can add value through effective and efficient decisions.
▫ Having effective decisions means quality decisions
▫ Having efficient decisions means reducing costs of decision making
Information Output
The data stored in the database files can be viewed
• Online (soft copy)
• Printed out (hard copy)
▫ Document (e.g., sales invoice)
▫ Report (e.g., monthly sales report)
▫ Query (question for specific information in a database, e.g., What division had the
most sales for the month?)
Enterprise Resource Planning (ERP) Systems
• Integrates activities from the entire organization
▫ Production
▫ Payroll
▫ Sales
▫ Purchasing
▫ Financial Reporting
Advantages of ERP System
• Integrated enterprise-wide, allowing better flow of information because it is stored in a
centralized database that can be accessed by various departments, which also improves
customer service.
• Data captured once (i.e., no longer need sales to enter data about a customer and then
accounting to enter same customer data for invoicing)
• Improved access control over the data through security settings
• Standardization of procedures and reports
Disadvantages of ERP System
• Costly
• Significant amount of time to implement
• Complex
• User resistance (learning new things is sometimes hard for employees)
Why Document Systems?
• Accountants must be able to read documentation and understand how a system works
(e.g., auditors need to assess risk)
• Sarbanes-Oxley Act (SOX) requires management to assess internal controls and auditors
to evaluate the assessment
• Used for systems development and changes
Data Flow Diagrams (DFD)
Focuses on the data flows for:
• Processes
• Sources and destinations of the data
• Data stores
DFDs are visually simple and can be used to represent the same process at a high, abstract level or
at a detailed level.
Basic Data Flow Diagram Elements
Databases were developed to address the proliferation/increase of master files. For many years,
companies created new files and programs each time a need for information arose. Bank of
America once had 36 million customer accounts in 23 separate systems. This proliferation
created problems such as storing the same data in two or more master files.
DBMS software links the way data are physically stored with each user’s logical view of the
data. The DBMS allows users to access, query, or update the database without reference to how
or where data are physically stored. Separating the logical and physical views of data also means
that users can change their logical view of data without changing the way data are physically
stored. Likewise, the DBA can change physical storage to improve system performance without
affecting users or application programs.
Database system
- the database, the DBMS, and the application programs that access the database through the
DBMS.
Database administrator
- the person responsible for coordinating, controlling, and managing the database.
Data warehouse
In today’s fast-paced global economy, management must constantly reevaluate financial and
operating performance in light of strategic goals and quickly alter plans as needed. Since
strategic decision making requires access to large amounts of historical data, organizations are
building separate databases called data warehouses. A data warehouse is one or more very large
databases containing both detailed and summarized data for a number of years that is used for
analysis rather than transaction processing. It is not unusual for data warehouses to contain
hundreds or thousands of terabytes of data. Data warehouses do not replace transaction
processing databases; they complement them by providing support for strategic decision making.
Since data warehouses are not used for transaction processing, they are usually updated
periodically rather than in real time.
Business intelligence
Analyzing large amounts of data for strategic decision making is often referred to as business
intelligence. There are two main techniques used in business intelligence: online analytical
processing (OLAP) and data mining. Online analytical processing (OLAP) is using queries to
investigate hypothesized relationships among data. For example, a manager may analyze
supplier purchases for the last 3 years, followed by additional queries that “drill down” to lower
levels by grouping purchases by item number and by fiscal period. Data mining is analyzing
large amounts of data for strategic decision making.
Data mining
- using sophisticated statistical analysis to “discover” unhypothesized relationships in the data.
• Designers of a database need to understand users' needs and the conceptual level of the entire
database as well as the physical view. The conceptual view illustrates the different files and the
relationships between the files.
• The data dictionary is a “blueprint” of the structure of the database and includes data elements,
field types, programs that use the data element, outputs, and so on.
DBMS Languages
Relational Database
Relational database - a set of tables related to one another; a database built using the relational
data model.
• Represents the conceptual and external schema as if that “data view” was truly stored in one
table.
• Although the conceptual view appears to the user as if this information were in one big table, it is
really a set of tables that relate to one another.
• Data stored in one large table can be redundant and inefficient, causing the following problems:
▫ Update anomaly
▫ Insert anomaly
▫ Delete anomaly
Record layout
- Document that shows the items stored in a file, including the order and length of the data fields
and the type of data stored.
Schema
- A description of the data elements in a database, the relationships among them, and the logical
model used to organize and describe the data.
Conceptual-level schema
- the organization-wide view of the entire database that lists all data elements and the
relationships between them.
External-level schema
- An individual user’s view of portions of a database; also called a subschema.
Subschema
- A subset of the schema; the way the user defines the data and the data relationships.
Internal-level schema
- A low-level view of the entire database describing how the data are actually stored and
accessed.
Data dictionary
- information about the structure of the database, including a description of each data element.
Report writer
- DBMS language that simplifies report creation.
In an alternative design approach, called semantic data modeling, the designer uses knowledge
of business processes and information needs to create a diagram that shows what to include in
the database. This diagram is used to create a set of relational tables that are already in 3NF.
Following these rules allows databases to be normalized and solves the update, insert, and delete
anomalies.
Entity integrity rule - A non-null primary key ensures that every row in a table represents
something and that it can be identified.
Referential integrity rule - Foreign keys, which link rows in one table to rows in another table,
must have values that correspond to the value of a primary key in another table.
Queries
• Users may want specific information found in a relational database and not have to sort through
all the files to get that information. So they query (ask a question) the data.
• An example of a query might be: What are the invoices of customer D. Ainge and who was the
salesperson for those invoices?
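As an added worked example (not from the original notes), the following Python script builds the normalized tables behind the D. Ainge query above with sqlite3, has the DBMS enforce the entity and referential integrity rules, and runs the query; the table and column names and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed 3NF schema; table and column names are assumptions, not from the notes.
SCHEMA = """
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY NOT NULL,   -- entity integrity: non-null, unique key
    name        TEXT NOT NULL
);
CREATE TABLE salespersons (
    salesperson_id INTEGER PRIMARY KEY NOT NULL,
    name           TEXT NOT NULL
);
CREATE TABLE invoices (
    invoice_no     INTEGER PRIMARY KEY NOT NULL,
    customer_id    INTEGER NOT NULL REFERENCES customers(customer_id),        -- referential
    salesperson_id INTEGER NOT NULL REFERENCES salespersons(salesperson_id),  -- integrity
    amount         REAL NOT NULL
);
"""
# Constructed sample rows: customer 1 is the D. Ainge of the notes' query.
SAMPLE_ROWS = [
    ("INSERT INTO customers VALUES (?, ?)", [(1, "D. Ainge"), (2, "K. McHale")]),
    ("INSERT INTO salespersons VALUES (?, ?)", [(10, "L. Bird"), (11, "R. Parish")]),
    ("INSERT INTO invoices VALUES (?, ?, ?, ?)",
     [(1001, 1, 10, 250.0), (1002, 2, 11, 80.0), (1003, 1, 11, 125.5)]),
]

def build_db() -> sqlite3.Connection:
    """In-memory database with foreign-key enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK constraints unless this is set
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    conn.commit()
    return conn

def invoices_for_customer(conn: sqlite3.Connection, customer_name: str) -> list:
    """The notes' query: a customer's invoices and the salesperson on each one."""
    sql = """
        SELECT i.invoice_no, i.amount, s.name
        FROM invoices i
        JOIN customers c ON c.customer_id = i.customer_id
        JOIN salespersons s ON s.salesperson_id = i.salesperson_id
        WHERE c.name = ?
        ORDER BY i.invoice_no
    """
    return conn.execute(sql, (customer_name,)).fetchall()

def violates_integrity(conn: sqlite3.Connection, sql: str, params: tuple) -> bool:
    """True if the DBMS rejects the statement under the entity or referential integrity rule."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True

if __name__ == "__main__":
    db = build_db()
    print(invoices_for_customer(db, "D. Ainge"))
    print(violates_integrity(db, "INSERT INTO invoices VALUES (?, ?, ?, ?)", (1004, 99, 10, 1.0)))  # orphan FK
```

An invoice pointing at a customer that does not exist, a second customer row with an existing primary key, and deleting a customer who still has invoices are all rejected by the DBMS rather than left to application code.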
Conversion - replacing the old system with the new one. It can be one time or parallel.
Data model - an abstract representation of database contents.
Data Modeling
• Process of defining a database so that it faithfully represents all aspects of the
organization, including its interactions with the external environment.
REA Modeling
• Resources
▫ Things that have economic value to the organization (e.g., inventory, cash)
• Events
▫ Various business activities that management wants to collect information on (sale,
purchase…)
• Agents
▫ People and organizations that participate in events (both internal (e.g., employees) and
external (e.g., customers/vendors) to the organization)
Purchasing
• Select a vendor (from referrals, trade shows, etc.)
• Request for proposal (RFP) that meets needs
• Evaluate proposals
▫ Top vendors invited to give demonstrations on how their system will fit your needs
• Make a final selection based upon your criteria
Outsourcing
Advantages
• Allows companies to concentrate on core competencies
• Asset utilization
• Access to greater expertise and better technology
• Lower costs by standardizing user applications and splitting development and maintenance
costs between projects
• Less development time
• Elimination of peaks-and-valleys usage
• Facilitates downsizing
Disadvantages
• Inflexibility
• Loss of control
• Reduced competitive advantage
• Locked-in system
• Unfulfilled goals
• Poor service
• Increased risk
System Design, Implementation, and Operation
Phase 2: Conceptual Systems Design
Conversion Approaches
• Direct conversion
▫ Terminates the old and begins with the new system
• Parallel conversion
▫ Operate old and new systems for a period of time
• Phase-in conversion
▫ Gradual replacement of old elements with new system elements
• Pilot conversion
▫ Implement a system in a part of an organization (e.g., a branch)
Internal Controls
• Processes implemented to provide assurance that the following objectives are achieved:
• Safeguard assets
• Maintain sufficient records
• Provide accurate and reliable information
• Prepare financial reports according to established criteria
• Promote and improve operational efficiency
• Encourage adherence to management policies
• Comply with laws and regulations
Internal Environment
• Management’s philosophy and risk appetite
Risk appetite is the attitude you have about risk.
• Commitment to integrity, ethical values, and competence
• Organizational structure
A centralized organizational structure is believed to provide better control since it has closer
supervision.
• Methods of assigning authority and responsibility
• Human resource standards
Placing the appropriate person in the appropriate position.
The higher the competency, the fewer the errors made, but it may also have a negative effect.
Objective Setting
• Strategic objectives
▫ High-level goals
• Operations objectives
▫ Effectiveness and efficiency of operations
• Reporting objectives
▫ Improve decision making and monitor performance
• Compliance objectives
▫ Compliance with applicable laws and regulations
Event Identification
Identifying incidents, both external and internal to the organization, that could affect the
achievement of the organization's objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
Risk Assessment
Risk is assessed from two perspectives:
• Likelihood - Probability that the event will occur
• Impact - Estimate potential loss if event occurs
Types of risk
• Inherent - Risk that exists before plans are made to control it
• Residual - Risk that is left over after you control it
Risk Response
• Reduce - Implement effective internal control
• Accept - Do nothing; accept likelihood and impact of risk
• Share - Buy insurance, outsource, or hedge
• Avoid - Do not engage in the activity. In reality this is often not practical.
Control Activities
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline
Forensic accounting identifies wrongdoing in the organization related to accounting operations.
Threats to AIS
• Natural and political disasters
• Software errors and equipment malfunctions
• Unintentional acts
• Intentional acts
Fraud
• Any means a person uses to gain an unfair advantage over another person; includes:
▫ A false statement, representation, or disclosure
▫ A material fact, which induces a victim to act
▫ An intent to deceive
▫ Victim relied on the misrepresentation
▫ Injury or loss was suffered by the victim
Computer Fraud
• If a computer is used to commit fraud it is called computer fraud.
• Computer fraud is classified as:
▫ Input
▫ Processor
▫ Computer instruction
▫ Data
▫ Output
Organizational
• Develop security policies to guide and design specific control procedures
• Implement change management controls and project development and acquisition controls
Systems
• Restrict access
• System authentication
• Implement computer controls over input, processing, storage and output of data
• Use encryption
• Fix software bugs and update systems regularly
• Destroy hard drives when disposing of computers
3. Improve Detection
Organizational
• Assess fraud risk
• External and internal audits
Systems
• Install fraud detection software
• Monitor system activities (user and error logs, intrusion detection)
Organizational
• Insurance
Systems
• Store backup copies of program and data files in secure, off-site location
Types of Attacks
Hacking
▫ Unauthorized access, modification, or use of an electronic device or some element of a
computer system
Social Engineering
▫ Techniques or tricks on people to gain physical or logical access to confidential information
Malware
▫ Software used to do harm
Hacking
▫ Hijacking
Gaining control of a computer to carry out illicit activities
▫ Botnet (robot network)
▫ Denial of Service (DoS) Attack
Spoofing - makes the communication look as if someone else sent it so as to gain confidential
information.
Forms of Spoofing
• E-mail spoofing
• Caller ID spoofing
• IP address spoofing
• SMS spoofing
• Web-page spoofing (phishing)
Types of Malware
• Spyware
▫ Secretly monitors and collects information
• Key logger
▫ Software that records user key strokes
• Trap door
▫ Set of instructions that allow the user to bypass normal system controls
• Packet sniffer
▫ Captures data as it travels over the Internet
• Trojan Horse
▫ Malicious computer instructions in an authorized and properly functioning program
• Virus
▫ A section of self-replicating code that attaches to a program or file and requires a human to do
something so it can replicate itself
• Worm
▫ Stand-alone, self-replicating program
Security Approaches
• Defense-in-depth
▫ Multiple layers of control (preventive and detective) to avoid a single point of failure
• Time-based model: security is effective if
▫ P > D + C, where
P is the time it takes an attacker to break through the preventive controls
D is the time it takes to detect that an attack is in progress
C is the time it takes to respond to the attack and take corrective action
Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
Corrective
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
Preventive: People
• Culture of security
▫ Tone set at the top with management
• Training
▫ Follow safe computing practices
Never open unsolicited e-mail attachments
Use only approved software
Do not share passwords
Physically protect laptops/cellphones
▫ Protect against social engineering
Preventive: Process
• Authentication—verifies the person
1. Something the person knows
2. Something the person has
3. Some biometric characteristic
4. Combination of all three
• Authorization—determines what a person can access
Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption
Preventive: Other
• Physical security access controls
▫ Limit entry to building
▫ Restrict access to network and data
• Change controls and change management
▫ Formal processes in place regarding changes made to hardware, software, or processes
Risk-Based Framework
• Identify fraud and errors (threats) that can occur that threaten each objective
• Identify control procedures (prevent, detect, correct the threats)
• Evaluate control procedures
▫ Review to see if control exists and is in place
▫ Test controls to see if they work as intended
• Determine effect of control weaknesses
▫ Compensating controls
Controls
• Limit physical access to computer equipment
• Use authentication and authorization controls
• Data storage and transmission controls
• Virus protection and firewalls
• File backup and recovery procedures
• Disaster recovery plan
• Preventive maintenance
• Insurance
Controls
• List program components to be modified
• Management authorization and approval for modifications
• User approval for modifications
• Test changes to program
• System documentation of changes
• Logical access controls
4. Accurate and Complete Processing of Transactions, Records, Files, and Reports
Threats
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified from data editing procedures
• Errors in files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting
Controls
• Data editing routines
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision
Threats
• Inaccurate source data
• Unauthorized source data
Controls
• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
• Data editing routines
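The following is an added example, not from the original notes, showing what the data editing routines, check digit verification, batch control totals and their reconciliation listed above actually compute over a constructed batch of invoice input records; the mod-10 weighted check-digit scheme, the record layout, the salesperson reference list and the clerk's expected totals are all assumptions.

```python
# Constructed batch of sales-invoice input records (assumed record layout, not from the notes).
# customer_no = 4-digit body + 1 check digit; the 4th record was keyed with digits transposed
# (source document says 10043) and the 3rd has a negative amount on its source document.
BATCH = [
    {"customer_no": "10017", "amount": 250.00, "salesperson": "S10"},
    {"customer_no": "10029", "amount": 80.00, "salesperson": "S11"},
    {"customer_no": "10031", "amount": -15.00, "salesperson": "S11"},
    {"customer_no": "10034", "amount": 125.50, "salesperson": "S10"},
    {"customer_no": "10055", "amount": 40.00, "salesperson": "ZZ"},
]
VALID_SALESPERSONS = {"S10", "S11"}  # validity-check reference list (assumed)
# Control totals the clerk prepared by hand from the source documents before keying (assumed).
EXPECTED_TOTALS = {"record_count": 5, "financial_total": 480.50, "hash_total": 50175}
WEIGHTS = (5, 4, 3, 2)  # assumed mod-10 weighted check-digit scheme


def check_digit(body: str) -> int:
    """Check digit for a 4-digit customer number body: weighted digit sum mod 10 (assumed scheme)."""
    return sum(int(d) * w for d, w in zip(body, WEIGHTS)) % 10


def edit_record(rec: dict) -> list:
    """Data editing routines for one record: field, check-digit, sign and validity checks."""
    errors = []
    cust = rec["customer_no"]
    if not (cust.isdigit() and len(cust) == 5):        # field check: format
        errors.append("customer_no must be 5 digits")
    elif check_digit(cust[:4]) != int(cust[4]):        # check digit verification
        errors.append("customer_no check digit mismatch")
    if not isinstance(rec["amount"], (int, float)):    # field check: numeric
        errors.append("amount must be numeric")
    elif rec["amount"] <= 0:                            # sign check
        errors.append("amount must be positive")
    if rec["salesperson"] not in VALID_SALESPERSONS:    # validity check
        errors.append("unknown salesperson code")
    return errors


def batch_totals(batch: list) -> dict:
    """Batch control totals: record count, financial total and hash total of customer numbers."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(r["amount"] for r in batch), 2),
        "hash_total": sum(int(r["customer_no"]) for r in batch if r["customer_no"].isdigit()),
    }


def reconcile(batch: list, expected: dict) -> dict:
    """Reconciliation of batch totals: return {total_name: (expected, actual)} for each mismatch."""
    actual = batch_totals(batch)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def process_batch(batch: list, expected: dict) -> dict:
    """Run all input controls; records with edit errors go to the error-correction queue."""
    accepted, rejected = [], []
    for rec in batch:
        errs = edit_record(rec)
        (rejected if errs else accepted).append((rec["customer_no"], errs))
    return {"accepted": accepted, "rejected": rejected, "total_mismatches": reconcile(batch, expected)}
```

Note which control catches which error: the transposed customer number fails both the check digit and the hash total, while the negative amount passes the financial total (it was also negative on the source document) and is caught only by the sign check.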
Threats
• Destruction of stored data from
▫ Errors
▫ Hardware and software malfunctions
▫ Sabotage
• Unauthorized modification or disclosure of stored data
Controls
• Secure storage of data and restrict physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
• System recovery procedures
Chapter 5
Introduction to e-commerce and e-business
Encompasses the entire online process of developing, marketing, selling, delivering, servicing,
and paying for products and services
Categories of e-Commerce
Business-to-Consumer (B2C) – businesses develop attractive electronic marketplaces to sell
products and services to consumers.
Business-to-Business (B2B) – involves both electronic business marketplaces and direct
market links between businesses.
Consumer-to-Consumer (C2C) – includes auction websites and electronic personal
advertising.
Infomediaries
Companies that serve as intermediaries in e-business and e-commerce transactions
Provide e-commerce marketplace software products and services to power business Web
portals for e-commerce transactions.
E-commerce enablers
Regulation
Infrastructure
Nature of economy
Level of education