INTRODUCTION
BBAS4103 Accounting Information System I is one of the courses offered at Open
University Malaysia (OUM). This course is worth 3 credit hours and should be
covered over 8 to 15 weeks.
COURSE AUDIENCE
This is a core course for all learners undertaking the Bachelor Degree in
Accountancy programme.
As an open and distance learner, you should be able to learn independently and
optimise the learning modes and environment available to you. Before you begin
this course, please confirm the course material, the course requirements and how
the course is conducted.
STUDY SCHEDULE
It is a standard OUM practice that learners accumulate 40 study hours for every
credit hour. As such, for a three-credit hour course, you are expected to spend
120 study hours. Table 1 gives an estimation of how the 120 study hours could be
accumulated.
Study Activities | Study Hours
Briefly go through the course content and participate in initial discussions | 3
Study the module | 60
Attend 3 to 5 tutorial sessions | 10
Online participation | 12
Revision | 15
Assignment(s), Test(s) and Examination(s) | 20
TOTAL STUDY HOURS ACCUMULATED | 120
COURSE OUTCOMES
By the end of this course, you should be able to:
1. Describe the meaning of accounting information system as compared to
management information system;
2. Discuss the development in accounting, the criticism, architecture and the
alternative information system architecture; and
3. Discuss business process modelling including control and audit in
accounting information system environment.
COURSE SYNOPSIS
This course is divided into 12 topics. The synopsis for each topic is presented
below:
Topic 1 gives the learners a brief overview of accounting information system and
discusses the subject of accounting information systems from the accountant's
perspectives.
Topic 4 describes the existence of a sound system for internal control in order to
ensure asset safeguarding, data integrity, system effectiveness and system
efficiency.
Topic 5 explains preliminary topics that are common to all three transaction
processing cycles, namely the revenue cycle, the expenditure cycle and the
conversion cycle.
Topic 6 describes the revenue cycle activities. This includes internal control
procedures, computer application system and controls in the computer
environment for revenue cycle activities.
Topic 8 discusses the production cycle activities internal controls, procedures for
production cycle, computer application system for production cycle and controls
in the computer environment for the production cycle activities.
Topic 9 discusses the general ledger and reporting activities. This includes
internal control procedures, computer application system, and controls in the
computer environment for the financial cycle activities.
Topic 11 highlights how the Internet and e-business activities bring security
issues and concerns. Operating system is the first line of defence to mitigate
security concerns. Integrity of the database management system also needs to be
preserved, via access and backup controls.
Topic 12 identifies risk in e-business and how we can manage it. This includes
ethics in risk management.
Learning Outcomes: This section refers to what you should achieve after you
have completely covered a topic. As you go through each topic, you should
frequently refer to these learning outcomes. By doing this, you can continuously
gauge your understanding of the topic.
Summary: You will find this component at the end of each topic. This component
helps you to recap the whole topic. By going through the summary, you should
be able to gauge your knowledge retention level. Should you find points in the
summary that you do not fully understand, it would be a good idea for you to
revisit the details in the module.
Key Terms: This component can be found at the end of each topic. You should go
through this component to remind yourself of important terms or jargon used
throughout the module. Should you find terms here that you are not able to
explain, you should look for the terms in the module.
section), at the end of every topic or at the back of the module. You are
encouraged to read or refer to the suggested sources to obtain the additional
information needed and to enhance your overall understanding of the course.
PRIOR KNOWLEDGE
No prior knowledge is required.
ASSESSMENT METHOD
Please refer to myINSPIRE.
INTRODUCTION
"To cope with the rapid growth of the company, a sophisticated accounting
software package, Sun Account, was installed in 1995. The result was radical
improvements in accounting procedures. Today, for example, it takes less
than 10 minutes rather than a day to produce an ad hoc special report. Many
reports are generated, helping functional managers make quicker and better
decisions. The system is also much more reliable, and internal and external
auditing is easier. Headquarters knows what is going on almost as soon as it
occurs. All these improvements have led to a substantial growth in revenue
and profits for the firm."
(Source: Condensed from IT Asia, August 1995)
Taken from Information Technology for Management, Second Edition
Update by Efraim Turban, Ephraim McLean and James Wetherbe.
John Wiley & Sons © 2001
ACTIVITY 1.1
Imagine you are in a grocery store like Carrefour or Giant. You are
there to buy household needs for the whole week. Suddenly, when you
arrive at the cashier, the whole transaction processing system crashes
and you are not able to bring home any of the goods. How do
you think business information systems directly affect your life?
Before we look at the framework, let us look at Table 1.1 for the definition of
system, subsystem and information system.
Term | Definition
System | Group of elements that are integrated with the common purpose of achieving one objective.
Subsystem | A system within a system; the term applies where systems exist on more than one level.
Information System | Organised combination of people, hardware, software, communication networks and data resources that stores, retrieves, transforms and disseminates information in an organisation.
An Information System (IS) is divided into two subsystems (refer to Figure 1.1).
Let us look closely at the chart in Figure 1.2, which shows an example of an
Information System (IS) for a manufacturing firm. The main difference between
AIS and MIS is the type of transaction they process.
The domain of the AIS can be identified by using the framework shown in Figure
1.2. Note that the framework is just a conceptual view; the organisation of a
real IS could be different from Figure 1.2. Normally, in a real-world
environment, the AIS and MIS applications will be integrated so that business
operations run efficiently and smoothly.
We talk about transactions all the time. However, what does the term actually
mean? A transaction is an event that affects or is of interest to the
organisation and that is processed by its information system as a unit of work.
According to Hall (2004), transactions can be classified into two types:
(a) Financial transaction; and
(b) Non-financial transaction.
Now, let us look at Table 1.2 for the definitions of financial and non-financial
transactions.
Table 1.2: Two Classifications of Transaction
Classification | Definition | Examples
Financial Transaction | Economic event that affects the assets and equities of the organisation, reflected in its accounts, and measured in monetary items. | Product sales; and inventory purchase.
Non-financial Transaction | All events processed by the organisation's information system that do not meet the narrow definition of a financial transaction, and measured in non-monetary items. | Adding new customer to the list; and updating the supplier's information log.
SELF-CHECK 1.1
Each cycle has various activities that differentiate it from the others.
However, we will discuss these cycles later in Topics 6, 7 and 8.
The payroll department gets personnel data from the Personnel/Human
Resource department. The Human Resource department uses an MIS
application such as a Human Resource Information System. Meanwhile, each
employee's total working information is supplied by the Production
Department, which uses an AIS application, specifically in the Expenditure
Cycle. When a manager requires related reports, such as the total
payout for the month for each employee or the total overtime payment for
each employee, the two systems have to be integrated. Hence, the coordination
between these two systems is very important, since it may produce unreliable
information if executed wrongly.
Currently, most organisations have included both AIS and MIS features in
their information systems. This enhances the use of the information systems
and at the same time improves the operations of the organisation. As a result,
the traditional role of accountants has changed, as they are now required to
provide correct and reliable non-financial data.
However, this model is useful for learning the basic business concepts manually
before moving on to the computer-based system. Besides, the logic of a business
process is much easier to understand when we separate the technology from the
process. We can easily understand internal control activities such as audit
trails and access controls by understanding the manual process.
In this environment, the data files are not related to each other. For instance,
if 10 departments in an organisation use the same file, the legacy
system will hold 10 copies of that file and the data will be processed individually.
Any change to the data must be made in all of the files, which makes the process
more tedious. Each individual/department must be aware of any updates and
promptly update the same files at all the different locations/departments.
Copyright © Open University Malaysia (OUM)
TOPIC 1 ACCOUNTING INFORMATION SYSTEM: AN OVERVIEW
Now, let us look at Figure 1.6 which illustrates the flat file model.
As Figure 1.6 shows, there are three different users, each using their own
stand-alone system. Each system uses specific files for its application.
(a) Accounting section through Billing/Accounts Receivable System uses
Customer Data, Sales Invoices and Cash Receipts;
(b) Marketing section through Product Promotion System uses Customer Data
and Sales Invoice; and
(c) Product Services through Service Scheduling System uses Customer Data
and Product Services Schedule.
If the Accounting section updates the data in the Sales Invoice file, then the
file in the Product Promotion System must be updated too. Data redundancy exists
because the same files exist in different systems in an organisation. This can lead
to three problems, as shown in Table 1.3.
Problem | Explanation
Data Storage | Unnecessary storage costs of paper documents and/or magnetic form.
Data Updating | Modifications must be performed several times.
Currency of Information | Potential problem of failing to update all affected files.
Based on the figure, the users are the Accounting, Marketing and Product
Services departments. Those departments use the same file, the Customer
Sales file, but each department has a different user view. For example, the
Accounting department only needs to view Current Account Receivable.
The Customer Sales file is stored in the database, which is managed and
controlled by the Database Management System (DBMS).
Each user has his own level of access to the database. When a user submits a
request to view data, the DBMS validates and authorises the access to
the database based on the user's level of authority. The request is denied if
the user is trying to access data that he is not authorised to see.
This database model differs from the flat file model in that it promotes the
data sharing concept. Data sharing can solve the problems caused by the flat
file model, such as data redundancy.
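The database model described above can be sketched in a few lines. This is an added example, not part of the original module: it keeps one shared Customer Sales table, gives each department its own user view, and denies and records any request outside the department's authority. The table, column and view names, the grants table and the sample rows are all assumptions made for illustration.

```python
import sqlite3

# Constructed schema: one shared Customer Sales file plus one user view per
# department. All table, column and view names are assumptions.
SCHEMA = """
CREATE TABLE customer_sales (
    customer_id  INTEGER PRIMARY KEY,
    name         TEXT NOT NULL,
    address      TEXT NOT NULL,
    ar_balance   INTEGER NOT NULL,  -- current accounts receivable
    last_product TEXT NOT NULL,
    service_due  TEXT NOT NULL
);
CREATE VIEW v_accounting AS
    SELECT customer_id, name, ar_balance FROM customer_sales;
CREATE VIEW v_marketing AS
    SELECT customer_id, name, address, last_product FROM customer_sales;
CREATE VIEW v_product_services AS
    SELECT customer_id, name, address, service_due FROM customer_sales;
CREATE TABLE view_grants (
    department TEXT NOT NULL,
    view_name  TEXT NOT NULL,
    PRIMARY KEY (department, view_name)
);
"""

# Constructed sample rows.
ROWS = [
    (1, "Aminah Trading", "12 Jalan Merah", 1500, "Printer", "2024-07-01"),
    (2, "Lim & Sons", "8 Jalan Biru", 0, "Scanner", "2024-09-15"),
]
GRANTS = [
    ("accounting", "v_accounting"),
    ("marketing", "v_marketing"),
    ("product_services", "v_product_services"),
]


class SharedDatabase:
    """Stands in for the DBMS: every read is checked against view_grants."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)
        self.conn.executemany(
            "INSERT INTO customer_sales VALUES (?, ?, ?, ?, ?, ?)", ROWS)
        self.conn.executemany("INSERT INTO view_grants VALUES (?, ?)", GRANTS)
        self.denied = []  # record of rejected requests, kept for review

    def read(self, department, view_name):
        """Return the rows of a user view if the department is authorised."""
        grant = self.conn.execute(
            "SELECT view_name FROM view_grants "
            "WHERE department = ? AND view_name = ?",
            (department, view_name)).fetchone()
        if grant is None:
            self.denied.append((department, view_name))
            raise PermissionError(
                f"{department} is not authorised for {view_name}")
        # The view name comes from the grants table, never from the caller.
        cur = self.conn.execute(
            f'SELECT * FROM "{grant[0]}" ORDER BY customer_id')
        cols = [d[0] for d in cur.description]
        return [dict(zip(cols, row)) for row in cur.fetchall()]

    def update_address(self, customer_id, new_address):
        """One update to the single shared file (write authority not modelled)."""
        self.conn.execute(
            "UPDATE customer_sales SET address = ? WHERE customer_id = ?",
            (new_address, customer_id))


if __name__ == "__main__":
    db = SharedDatabase()
    print(db.read("accounting", "v_accounting"))
    try:
        db.read("marketing", "v_accounting")
    except PermissionError as exc:
        print("denied:", exc)
    db.update_address(1, "99 Jalan Hijau")
    # Both views see the change; there is no second copy to fall out of date.
    print(db.read("marketing", "v_marketing")[0]["address"])
    print(db.read("product_services", "v_product_services")[0]["address"])
```

Because the address is stored once, the single update is visible through every view, which is the data-updating and currency problem of Table 1.3 that the flat file model cannot avoid.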
The early database systems are called traditional systems; at that time, the
DBMS were designed to interface directly with the flat file programs. This made
it easier and cheaper for organisations to replace their flat files with
database systems. Nevertheless, this early database system has its limitations.
The relational database model, however, greatly improved database systems in
terms of flexibility and reliability.
Although the REA model was proposed as a result of the study of accounting
theories, it can be applied to many other business domains. For instance, it can be
used for inventory control by assigning goods to resources, transfers to events
and owners to agents. Besides that, it can be used for payroll purposes by
assigning the lengths of time to resources, time cards to events and employees to
agents. The REA model is a promising modelling technique for developing
business applications because it has a solid foundation and it can be applied to
nearly all business domains.
The REA model is a conceptual modelling tool specifically designed to provide
structure for designing AIS databases. The REA model provides structure in two ways:
(a) Identifying what entities should be included in the AIS database; and
(b) Prescribing how to structure the relationships among the entities in the AIS
database.
The REA model is an alternative view of accounting. The model is built upon an
organisation's resources, events and agents and how these are related.
Application of the REA model yields a centralised (relational) database.
User views can be created for all users of organisational information; the
views are not just for the accountants. The key elements of the REA model are
summarised as follows:
(a) Resources
Resources obtained and used by an organisation. Resources can be defined
as the assets of the organisation that have economic values that can
generate profits such as inventory, factories and land.
(b) Events
Events are the various business activities that occur in an organisation and
affect the resources. Data are collected during the activities. Events can be
divided into three categories:
(i) Operating Events
Activities that produce goods and services.
(c) Agents
Agents are the people and departments inside or outside the organisation
that take part in the events and at the same time can affect resources.
Agents can decide whether to use or to remove those resources. Employees,
suppliers and customers are some of the examples of agents.
ERP is a large and complex system which can take several years to implement.
Because of this, only a few organisations take the risk of developing an
in-house ERP system. Normally, an ERP system is sold to customers as a commercial
product. A commercial ERP includes the standard processes only. Therefore,
problems may occur because it does not meet the organisation's requirements or
needs. The organisation then has to modify its business activities, modify
the ERP system, or sometimes both, to ensure that the implementation of the
ERP system succeeds.
Characteristics of ERP
1. Facilitates data sharing.
2. Facilitates flows of information.
3. Introduces common business exercises.
4. Is a large and complex system.
5. Requires several years of construction before it can be completed.
6. Normally comes as a commercial product.
7. Needs to be tailored to individual organisational needs/requirements.
SELF-CHECK 1.2
In the table provided below, write down at least two major
characteristics of each information system model as discussed earlier in
Section 1.2. Do some research on the Internet to find a real-life example of
each model. Have fun!
Have you ever been in a bank? Whether you are withdrawing money,
depositing money, making payments, etc., you are indirectly dealing
with accounting transactions. Now, try to list out the roles of
accountants.
In this section, we will examine the accountants' role in the current business
environment. Basically, accountants are involved in three roles/ways (refer to
Figure 1.8).
SELF-CHECK 1.3
What are the three roles played by accountants with respect to the
information system?
The main difference between AIS and MIS is the type of transaction they
process.
The AIS processes both financial and non-financial transactions, while the MIS
processes non-financial transactions only.
The evolution of the Information Systems shows that each new model has
been created to overcome the problems and limitations of the previous
models.
Finally, the role of accountants in the current business environment has
changed.
An accountant plays an important role as a user, a systems designer and also as a
system auditor.
INTRODUCTION
Information systems provide information to support the operations and
management of businesses and other organisations. In order to understand
information systems, it is first necessary to understand how businesses and other
types of organisation operate and are managed. It is also important for us to
know how businesses use information in their various functions, and how
common business activities process information. This topic shows how
information flows within a business to support business operations. Later, we
will explain how information helps in the management of a business. Lastly, this
topic will describe several basic business information processing activities.
ACTIVITY 2.1
In some industries, wholesalers are not used. The retailer buys directly
from the manufacturer. However in other industries, wholesalers are
used extensively. Why would a manufacturer want to use a wholesaler
to sell and distribute its products instead of passing the products
directly to a retailer?
The information will flow between people within a department as well as from
one department to another. The information could be submitted through a
document, voice or computer. The flow of information will be discussed in the
following paragraph.
Figure 2.1 shows the flow of information related to the sales of goods. The flow
starts once customers submit orders for the items they want to purchase. The sales
department receives the customer order information and sends it
to the shipping department. The shipping department views the information, packs the
goods based on the order and sends them to the respective customer. The shipping
information is then sent to the billing department. The billing department
prepares the billing information, which includes the amount that the customer
needs to pay, and sends it to the customer and to the accounts receivable department.
Customers who receive the billing information send their payment to the
organisation, where it goes directly to the accounts receivable department.
The accounts receivable department manages the customer bills and sends reminders
to customers who have not paid their bills within the stipulated time.
Figure 2.2 illustrates the flows of information for inventory control. The shipping
department sends the shipping information to the inventory control department.
This includes the quantity they have sent to the customer. The receiving
department sends information on the inventory received from vendors to the
inventory control department. The inventory reorder information will be sent to
purchasing department by the inventory control department. This happens when
the inventory level is below the required level.
Figure 2.3 shows the flow of information related to purchasing goods. The
purchasing department receives the inventory reorder information from the
inventory control department, prepares the purchasing information and sends
it to the respective supplier and also to the accounts payable department. The supplier
sends the billing information to the organisation, specifically to the accounts payable
department. The receiving department sends information on which items it
has received from the supplier to the accounts payable department. Payment is
then made to the supplier by the accounts payable department.
The flow of information might be different for each organisation. This depends
on the type of business they operate.
Besides this, the management uses the information to manage the business such
as deciding which customer deserves to purchase from the organisation on credit
basis and which suppliers to choose for purchasing the inventories.
In general, information is crucial for the management, since they are
the ones who manage the organisation and need to make decisions and do the
planning. The information needed is produced from the information that flows
within the organisation. Refer to Figure 2.2, which shows the information flow for
inventory control. Here, the manager needs to make the inventory reordering
decision. The inventory control department keeps track of the quantity of
inventory that the organisation has in stock, and when the inventory level is low,
the department is able to detect it. Customer order information received by the
sales department is then used by the department to forecast sales. Once the
manager receives the information on the low level of inventory, he or she can use
the information to decide on the quantity of inventory to reorder. Therefore, the
information flows to the manager in order for him or her to make a decision.
ACTIVITY 2.2
Before setting up any business, do you think a market survey is
necessary to determine the success of the business? Also, why is
gathering potential customer requirements a good initial step to start
up any business?
The sales department must ensure that the inventory is sufficient to fill the
order. Besides, the department also needs to determine whether credit should be
extended to the customer. After that, the sales order will be prepared by the sales
department. An example of a sales order is shown in Figure 2.6. This document,
which is also called a shipping order, is the output for this activity. It contains
the customer's particulars, the items ordered and the quantity. The sales department
sends the sales order to the shipping department.
write the actual quantity shipped in the copy of the sales order. Refer to Figure
2.7 for the example of the sales order with the actual quantity shipped. The
shipping department sends the copy of the sales order to the billing department.
Then, the billing department will prepare the customer's invoice based on the
information in the copy of the sales order.
The billing department then sends the invoice to the customer and another copy
to the accounts receivable department. The sales order in Figure 2.7 is the input
for the billing activity, while the customer's invoice in Figure 2.8 is the output.
The copy of the invoice and the payments from customers are the inputs for this
activity. Outputs for the activity include the statement, which is the summary of
the invoice charges and payments, overdue notices or reminders and the reports
of accounts receivable. The accounts receivable department sends this report to
the general accounting department. Refer to Figure 2.9 for an example of the
statement and Figure 2.10 for a sample of an accounts receivable report.
The inputs for this activity are the sales order from the shipping department and
the receiving notice from the receiving department, which indicates the quantity
of items received from suppliers. Figure 2.11 shows an example of a receiving
notice. The inventory reorder report and the inventory value report are the
outputs for this activity. Figure 2.12 shows an example of the inventory reorder
report, which is sent to the purchasing department. The inventory value report, as
shown in Figure 2.13, will be sent to the general accounting department.
Processing in this activity involves keeping track of the quantity on hand for each
item in inventory. The inventory control department updates this quantity from
data gathered from the sales orders and receiving notices.
The type of inventory described here is called finished goods inventory because
it deals with the final products which are ready for sale. Manufacturing,
wholesaling and retailing are some of the businesses which use this type of
inventory. However, manufacturers do not prepare the inventory reorder report.
Instead they produce a report indicating what items should be manufactured.
The input to this activity is the inventory reorder report which is from the
inventory control department and the output is the purchase order as shown in
Figure 2.14. The purchasing department sends one copy of the purchase order to
the supplier and another one to the accounts payable department.
The inputs for this activity are the copy of the purchase order from the
purchasing department, the invoice from the supplier and a copy of the receiving
notice received from the receiving department. The outputs are the payment to
the supplier and the accounts payable report, which summarises the supplier
charges and payments for the specific month. Refer to Figure 2.15 for an example
of the accounts payable report, which is sent to the general accounting
department.
The input for this activity is the employee work report. This report depends on
the type of employee. If the employee is paid on an hourly basis, the
report prepared is the time sheet, which shows the total hours the employee
has worked each day. Figure 2.16 shows an example of a time sheet.
For an employee who is paid a fixed salary, the report shows the attendance for
all working days, and reasons must be provided for the absent days.
The output includes the pay check received by the employee and the payroll
report. Refer to Figure 2.17 for an example of the payroll report. This report will
be sent to the general accounting department by the payroll department.
Revenue is obtained from sales and other resources such as investments, while
the expenses include purchasing the inventories and assets, paying the
employees, maintaining and disposing of the assets and others. The reports
prepared by the general accounting department are known as financial
statements. These reports summarise the organisation's accounts.
The inputs for this activity are reports on revenue, expenses, assets and liabilities.
The outputs are the financial statements such as the income statements and the
balance sheet, as shown in Figure 2.18.
SELF-CHECK 2.1
1. How does the Purchasing Department know when to purchase
more goods?
2. For what business information processing activities is a sales
order an input?
This topic has shown how information flows in business operations, how
managers use information in decision making and how businesses perform
basic information processing.
Manufacturer
Operations
Information flow
Information processing
Retailer
Reporting
Tracking
Wholesaler
INTRODUCTION
Traditionally in the accounting world, accountants require pencils, papers and a
basic calculator to perform their work. They record all accounting transactions on
T-accounts that represent Debit and Credit transactions. They then use a calculator
to balance the Debit side of their T-accounts against the Credit side of the same
account. As a result, they will post the difference (if any) to indicate the
imbalanced condition of the T-account.
The first section of this topic describes the relationship among accounting
records in forming an audit trail in both manual and computer-based systems.
Then, we will examine the documentation techniques used to represent a system.
At the end, we will look at documentation techniques for manual and
computer-based systems.
ACTIVITY 3.1
In a manual system, adequate documents and records are needed to
provide an audit trail of activities within a system. In computer systems,
documents might not be used to support the initiation, execution and
recording of some transactions. What is the effect of this on the internal
control of a company?
3.1.1 Documents
Previously, most organisations used paper-based documents as a common way
of collecting data. These data would then be transferred to the computer for
later use. Currently, these data are stored directly in the computers through
the specific system.
It is a part of the revenue cycle. When customers make an order, the sales
clerk will prepare multiple copies of sales order. These documents then will
go into the sales system. The information in these documents will be used
by various departments or functions such as Credit, Billing and others.
Thus, it will cause other activities to start in those departments.
Now, let us look at an example below.
Example:
A copy of the Sales Order will be sent to the Credit Department. It will
cause the checking or approval process to begin. The personnel in the
department will use the information in the sales order to verify the
customer's creditworthiness.
Another example is the monthly credit card statement sent by a
credit card company to its customers. Most of the statements consist of
two parts:
(i) Statement of the account; and
(ii) Remittance advice.
The remittance advice contains the customer's name, account number, the
total credit and also the minimum payment required for that particular
month. Normally, the statement is produced by the Billing Department.
When customers make payment, they include the remittance advice
along with the cheque. The remittance advice is received by the
accounts department. The information in the remittance advice, such as the account
holder name and account number, is used as an input to the accounts
department.
SELF-CHECK 3.1
Can a turnaround document contain information that is
subsequently used as a source document? Why or why not?
3.1.2 Journal
A journal is an initial record in which the effects of transactions on accounts are
recorded. When transactions happen, we record all relevant facts in
chronological order. The data for journals come from the documents such as sales
order. The journal will keep all records of transactions and will be posted to the
specific account. Figure 3.5 shows the process of recording the sales order to the
sales journal.
The sales journal will only record the sales transactions. Each time a
processing period ends, the sales clerk will post the amounts to the
specified ledger account. Processing could take place on a
daily, weekly or monthly basis. From Figure 3.7, we can see that these
amounts are posted to account number 401.
Hence, in the journal voucher, there will be only two accounts stated along
with the amount in that journal voucher.
Figure 3.9 shows an example of a chart of accounts. It shows the account name along
with the account number. The account number consists of three digits. This is
one of the coding techniques for AIS applications, called Block Codes. This
technique represents entire classes of items by restricting each class to a
particular range within the coding scheme.
Another thing to be considered when building the chart of accounts is scalability.
The chart of accounts should allow the insertion of new or additional accounts.
3.1.3 Ledgers
A ledger is sometimes called a book of financial records. We use a ledger to
summarise the financial status of an organisation, such as the current balance of
accounts. Normally, the financial transaction information is posted from the
various journals to the ledgers. The information will be used to prepare the financial
statements and internal reports and also to support the daily transactions. Figure 3.10
shows the flow of financial information from the source document to its final
destination, the general ledger.
Figure 3.10: Flow of information from the economic event to the general ledger
Source: James (2001)
Copyright © Open University Malaysia (OUM)
ACTIVITY 3.2
How about organising an event without a planner? How about
leading a nation without a minister? How about running a business
without a system? Respond to the questions above by posting your
answer in myINSPIRE.
Figure 3.12 illustrates the relationship of these files in forming an audit trail.
Figure 3.12 shows how computer files can function as an audit trail in an
organisation. It begins by capturing the economic events. The sales are recorded
manually using source documents. Then the data in the source documents will
be transferred to the magnetic files, specifically the transaction files. However,
this will depend on the organisation because some organisations no longer
use physical source documents. In that case, the transactions are captured
directly on the magnetic media.
The next step is to update the related master file subsidiary and control
accounts. During this process, the transactions may be edited. For
example, the system will identify the available credit for each customer
by referring to the credit file. Any records with credit problems will be rejected
and stored in the error file. The remaining records will be used to update the
related master files. Hence, only these transactions are added as the sales
journal into the archive file.
The original transaction file is not required for audit trail purposes because the
valid transactions have been copied to the journal. The file then can be deleted
and the system is now ready for the next batch of the sales orders.
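The batch update described above, as an added example that is not part of the original module: a constructed sales-order batch is edited against the credit file, rejects go to the error file, valid records update the master files and the journal archive, and `reconcile()` runs the checks that show nothing was lost before the transaction file is deleted. All names, account codes and amounts are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class SalesOrder:
    order_no: str
    customer: str
    amount: Decimal


@dataclass
class Files:
    credit_file: dict        # customer -> available credit
    ar_subsidiary: dict      # customer -> balance owed (subsidiary master file)
    ar_control: Decimal      # accounts receivable control account
    error_file: list = field(default_factory=list)       # (record, reason) rejects
    journal_archive: list = field(default_factory=list)  # valid records only


def run_batch(transaction_file, files):
    """Edit each record against the credit file, then update the master files."""
    for order in transaction_file:
        available = files.credit_file.get(order.customer)
        if available is None:
            files.error_file.append((order, "unknown customer"))
        elif order.amount <= 0:
            files.error_file.append((order, "non-positive amount"))
        elif order.amount > available:
            files.error_file.append((order, "credit limit exceeded"))
        else:
            # Only records that pass every edit reach the master files
            # and the sales journal kept in the archive file.
            files.credit_file[order.customer] = available - order.amount
            previous = files.ar_subsidiary.get(order.customer, Decimal("0"))
            files.ar_subsidiary[order.customer] = previous + order.amount
            files.ar_control += order.amount
            files.journal_archive.append(order)
    return files


def reconcile(transaction_file, files):
    """Checks to run before the original transaction file is deleted."""
    zero = Decimal("0")
    total_in = sum((o.amount for o in transaction_file), zero)
    journal_total = sum((o.amount for o in files.journal_archive), zero)
    error_total = sum((o.amount for o, _reason in files.error_file), zero)
    return {
        # Every input record ended up in the journal or in the error file.
        "records_accounted_for":
            len(transaction_file)
            == len(files.journal_archive) + len(files.error_file),
        # The batch amount total equals journal total plus rejected total.
        "amounts_accounted_for": total_in == journal_total + error_total,
        # The subsidiary ledger still agrees with its control account.
        "subsidiary_equals_control":
            sum(files.ar_subsidiary.values(), zero) == files.ar_control,
    }


def demo():
    """Run one constructed batch and return the batch and the updated files."""
    files = Files(
        credit_file={"C001": Decimal("500"), "C002": Decimal("100")},
        ar_subsidiary={"C001": Decimal("200"), "C002": Decimal("0")},
        ar_control=Decimal("200"),
    )
    batch = [
        SalesOrder("SO-1", "C001", Decimal("300")),
        SalesOrder("SO-2", "C002", Decimal("150")),   # over the credit limit
        SalesOrder("SO-3", "C999", Decimal("50")),    # not in the credit file
        SalesOrder("SO-4", "C001", Decimal("200")),
    ]
    run_batch(batch, files)
    return batch, files


if __name__ == "__main__":
    batch, files = demo()
    for order, reason in files.error_file:
        print("rejected", order.order_no, reason)
    print(reconcile(batch, files))
```

If a record is removed from the journal archive after the run, the first two checks fail, which is the signal that the audit trail is no longer complete.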
SELF-CHECK 3.2
ACTIVITY 3.3
An ERD can be used as a tool for communication during the analysis phase of the
system development process. The three main components of an ERD and their
functions are summarised in the following Table 3.3.
Cardinality specifies the number of instances of one entity that can be associated
with each instance of another entity. A relationship can be one-to-one (1:1),
one-to-many (1:M) or many-to-many (M:N). Cardinality can reflect the policy of an
organisation.
A data flow diagram illustrates the processes, data stores and external entities in
a business or other system and the data flows between these things.
Four diagrammatical components are used to develop a DFD. Table 3.5 explains
these components.
Item: Descriptions
Data Flow: Data in motion, moving from one place to another in a system; represents the results of a query to a database, the contents of a printed report or data on a data entry computer display form; should only represent data, not control; represented by an arrow; and should be named as a noun.
Process: The work or action performed on data so that they are transformed, stored or distributed; represents the transformation of data in the system, that is, something that happens in the system; represented by a circle or rounded rectangle; and should be named as a verb.
External Entity: The origin and/or destination of data; also called a "source/sink"; represented by a square or oval; and should be named as a noun.
Data Store: Repository for data; represented by two parallel lines, sometimes connected by a vertical line; and should be named as a noun.
Basic data flow diagram elements are shown in Figure 3.15. The external entities
are A, J and K, where A is the source and J and K are the destinations. The system
starts at A, which generates data flow B, which then goes to process C. The
outputs of process C are data flows D and E. E then goes to J, while D goes to
process F. Process F uses data flows D and G and later on processes the data. The
process will then produce outputs G and I. The data flow I is sent to the external
entity or data destination, K. Figure 3.16 shows the data flow diagram of
customer payment which is related to Figure 3.15.
A data flow may consist of more than one data element. Therefore it is important to
decide on the number of lines required for the data flow. For example, sometimes
customers have made a payment and would like to make an inquiry about their
payment. Here, a different data flow should be used because payments and
inquiries serve different purposes. Refer to Figure 3.17.
Decomposition of DFD can be defined as the act of going from a single system to
its component processes or in other words from the highest level DFD to the
lowest level. The highest level view of the system is a context diagram.
A context diagram is a special DFD that is designed to show the system and the
external entities that send data to and/or receive data from the information
system. It contains only one process, no data stores, data flows and the external
entities (sources/sinks). The sources/sinks represent its environmental
boundaries.
Figure 3.18 shows the context diagram of a payroll processing procedure. The
employee data is received from the human resource department, while the time
cards are received from various departments. These data then will be processed
and the system produces four different data that are:
(a) Tax report and payment for government agencies;
(b) Employee payment for employees;
(c) Payroll account deposit at the bank; and
(d) Payroll report for the management.
Table 3.6 shows the major processing activities and data flows involved in
payroll processing. Using the information in the table, the context diagram is
decomposed into a lower level diagram, called the Level 0 diagram, as shown in
Figure 3.19. The data coming from the human resource department were grouped
together and named "employee data".
The Level 1 diagram for Process 2.0 (pay employees) is shown in Figure 3.20. It
expands the pay employees process into more detailed processes. Each of the
processes in Figure 3.19 can be decomposed into its own Level 1 diagram to show
the detailed processes.
3.3.3 Flowcharts
A flowchart is a formalised graphic representation of a program logic sequence,
work or manufacturing process. It describes the physical relationship between
the entities or components.
The following Figure 3.21 shows the symbols used to create flowcharts. Each
symbol represents a different process or task. Flowcharts also use special
connector symbols to jump between positions on the same page and from one
page to another. These symbols are very useful for reducing the clutter that
occurs when flow lines overlap each other.
Figure 3.23 shows an example of a system flowchart for sales processing. Sales
terminals are used to capture sales. The terminals will edit the sales data and
print out receipts for the customers. The sales data will then be stored in the
sales data file on a disk. At the end of each day, the sales data will be
summarised and the batch totals will be printed. An example of a batch total is
the total sales for all sales transactions. The summarised data will be processed
again, and the batch totals will likewise be generated and printed once
more. These batch totals will then be compared with the batch totals
generated from the earlier processing. All errors and exceptions will be
reconciled. The accounts receivable, inventory and sales marketing databases and
the general ledger will be updated. Users can use the inquiry processing
system to find out the account and inventory status and also to carry out
sales analysis.
SELF-CHECK 3.3
Differentiate between System Flowchart and Program Flowchart. Fill in
the table below for your comparison.
INTRODUCTION
What can you conclude from the cartoon strip shown in Figure 4.1? What would
happen if a business uses the manual system of accounting and loses control of
its accounting transactions?
Computers perform much of the data processing required in both the private and
public sectors of our economies today. The accounting information systems are
now getting more complex in order to meet the increasing needs of information
by the society. Therefore, it is important to maintain data integrity while
processing it because people can always question the control implemented
during the data processing. Uncontrolled use of computers can have a
widespread impact on a society.
There are seven major reasons for establishing a function to examine controls
over computer-based data processing, as summarised by Figure 4.2.
Figure 4.2: Why we need to examine the controls over computer-based data processing
For example, a large department store could face problems when something
unexpected happens, such as the destruction of its accounts receivable data.
Unless its customers are honest and can remember what they have purchased
from the store, the firm might suffer a big loss when customers fail to pay their
debts. If there are no proper back-ups for the computer data, data lost
through program error, natural disaster or other causes cannot be recovered
and, as a result, the business operations of the organisation
could be disrupted. This can occur when existing controls for the computers are
taken for granted.
then the organisation might be unable to continue their business operations. The
personnel are also important to assist the organisation to achieve its missions and
goals. They are the ones who operate and maintain the information systems for
the organisation.
ACTIVITY 4.1
ACTIVITY 4.2
What do you think of replacing human toll operators at all lanes of PLUS
highway with the automatic toll booth lanes (like Touch 'n Go and Smart
Tag)? Will this affect the rate of unemployment in the country?
SELF-CHECK 4.1
1. What is the best way to prevent loss of data?
2. Computer abuse includes seven primary activities. Name four
of them.
The internal control structure consists of policies and procedures. These are used
to provide a reasonable level of assurance that the organisation's objectives
will be accomplished.
ACTIVITY 4.3
Why do you think an organisation needs an auditor?
Controls: Descriptions
Preventive controls: Preventive controls are designed to avoid any possible future problems. This is the most cost-effective method of control as compared to detective controls. When implemented, this control hinders errors and thus avoids the cost of correction. Examples of preventive controls include effective control of physical access to assets and data, proper segregation of employee tasks and competent personnel.
Detective controls: These controls are needed because sometimes the problems cannot be prevented. The controls will find the problems once they occur. Detective controls are usually more expensive than preventive controls. Examples include double checking of calculations, confirmation of bank balances and systems review (internal auditing).
Corrective controls: These controls are designed to correct errors once they are detected. This includes procedures taken to identify the cause of a problem, fix the errors and modify the system so that future problems are eliminated or at least minimised. Examples include documentation and reporting systems that keep problems under management observation until they have been solved or the defect has been corrected, and back-up procedures.
These controls have been implemented and tailored to fit in with a computer
environment. The following subsections will briefly explain these components.
items when stock level falls below a certain quantity. Thus, it is not possible
to trace the transaction. The non-existence of a visible audit trail is not a
problem for auditors, provided that the system has been designed to maintain
a record of all events and the record can be easily accessed.
In a computer system, all records are normally maintained at one site where
the computer is located. Therefore an individual who intends to commit
fraud does not need to go to different locations to access the records.
SELF-CHECK 4.2
1. How can the use of a computerised system affect top
management decision making?
2. In manual systems, how are personnel given access to
important documents?
ACTIVITY 4.4
Think about a manager in your current or previous job. Why are
managers important in motivating subordinates to work?
The hardware and software used for the current information systems
are also provided in this assessment. Besides this, the current
personnel resources and the current threats and opportunities are also
included.
Content: Descriptions
Progress report: (a) List of achieved and failed current planned proposal; (b) Changes on major hardware and software platform; and (c) Additional ideas and plans to start the project.
Initiatives to be undertaken: (a) Acquisition of personnel resources; (b) Acquisition of financial resources; (c) The systems that are going to be developed; and (d) Changes on hardware and software platform.
Implementation schedule: This includes the timeline for the project/plan. It should have the estimated start and finish dates. The control procedures that need to be applied are also included in the implementation schedule.
Both the strategic and operational plans need to be reviewed frequently and
updated if necessary. Evaluation should take place a few times a year to
ensure that any new systems component can be added and the current ones
can be maintained. During the evaluation process, the functionality,
stability, complexity, cost, strengths and weaknesses of the current system
need to be assessed. These criteria are assessed in order to know whether the
system is sufficient to support the organisation's business needs. Users should
be asked whether the systems they use meet their requirements or whether
they need any new technologies. The management
should therefore prepare and approve the plan along with a sufficient budget.
In addition, the management should allocate a budget for emergencies,
such as replacing a hard disk after a hard disk failure, and for any
unexpected maintenance requirements.
The controlling functions by the top management are also very critical. The
controlling functions are involved in controlling the information systems
activities and also control the users of information services. This function
The management should exercise control over the activities of
the information systems personnel through the implementation of:
(i) Standards - provide specific guidelines for behaviour; and
(ii) Policies - provide broad and general guidelines for behaviour.
ACTIVITY 4.5
The Chief Information Officer requires the programmer to list down the
changes in the program change record. At the same time, programmer needs
to do changes in the documentation too. The Chief Information Officer then
reviews the changes and its documentation. This procedure prevents changes
that would cause errors or abnormalities.
Testing must be done by the people who are involved in the development
process. The new system must be tested and modified if necessary before
implementing it. This is to minimise errors after the system has been
installed. Some of the testing includes system testing, unit testing,
acceptance testing and others.
Both of the systems can present substantial control problems for the
management. System software is critical to an organisation; therefore errors
in system software can affect any application systems that use the system
software. Moreover, system software frequently has to run in privileged
mode to carry out its functions. Privileged mode here refers to a special
execution status that enables the system software to bypass many standard
controls, and this status can be abused. For example, system software might be used
to gain unauthorised access to private data that can be sold to competitors.
Besides the above measures, the most important control that can be
implemented is to train the system programmers to follow the organisation's
policies. If the management exercises high ethical behaviour and informs all
employees that they must follow this standard, then the system
programmers might think it is difficult to abuse their power.
The management usually comes out with control policies that describe the
data backup procedures. These policies are stated in Figure 4.5.
The nature of these procedures depends on the processing method and on the
technology used by the accounting system. The backup procedures in batch
processing, online real time systems and local area networks are different, as
explained in the following subsections:
Function: Responsibility
System administration: Systems administrators are responsible for ensuring that the different parts of an information system operate smoothly and efficiently.
Network management: Network managers ensure that all applicable devices are linked to the organisation's internal and external networks and operate continuously and properly.
Security management: Security management is in charge of ensuring that all aspects of the system are secure and protected from all internal and external threats.
Change management: These individuals manage all changes to an organisation's information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.
Users: Users in the departments record transactions, authorise data to be processed and use system output.
System analysis: Systems analysts help users determine their information needs and then design an information system to meet those needs.
Programming: Programmers take the design provided by systems analysts and create an information system by writing the computer programs.
Computer operations: Computer operators run the software on the company's computers. They ensure that data are properly input to the computer, processed correctly and needed output is produced.
Information system library: The information system librarian maintains custody of corporate databases, files and programs in a separate storage area called the information system library.
Data control: The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.
These physical access controls can be used to ensure the security of a system:
(i) Computer equipment should be kept in a locked room with access
restricted to authorised personnel;
(ii) The entrance to the computer room should be limited to a maximum
of two entrances. Security guards should be placed near the room and
closed circuit television system must be installed;
(iii) Personnel should be provided with an ID which is used to enter the
buildings or rooms. The entry and exit for each employee can be
recorded and traced;
(iv) Require visitors to sign a log as they enter and leave the site. Brief
them on company security policies, assign visitor badges and escort
them to their destinations;
(v) Use a security alarm system to detect unauthorised access after
working hours;
(vi) Restrict access to private, secured telephone lines or to authorised
terminals or PCs;
(vii) Install locks on PCs and other computer devices;
(viii) Restrict access to off-line programs, data and equipment;
(ix) Locate hardware and other critical system components away from
dangerous or flammable materials; and
(x) Install fire and smoke detectors and fire extinguishers.
For logical access control, users should be allowed to access only the data they
are authorised to use and view. They should also be able to perform only specific
functions such as viewing, copying, inserting and deleting data. It is also
important to protect data from those outside the organisation.
Operations management must ensure that each function has its own methods
and performance standards. Besides, expert personnel are hired to perform
each function and operations personnel are trained and managed properly.
Controls over computer operations govern the activities that support the
daily execution of either test or production systems. Three types of controls
that must exist are:
(i) Those that prescribe the functions that either human operators or
automated operations facilities must perform;
(ii) Those that prescribe how jobs are to be scheduled on the
hardware/software platform; and
(iii) Those that prescribe how hardware is to be maintained in good
operating order.
Network operations govern the activities of wide area and local area
networks.
(i) In wide area networks, careful control should be exercised over
network control terminals. These terminals allow powerful access and
action privileges to be executed to monitor and maintain a network;
and
(ii) In local area networks, file servers must be secured. Unauthorised access
to a file server can allow an intruder to interrupt the operations of a local
area network or compromise data integrity within the network.
QA personnel must be well trained and competent. They must also have a
high level of interpersonal skills. Finding suitable people with the range
of skills required is quite difficult. Furthermore, many information
systems professionals prefer to work in development rather than quality
assurance roles.
Several major types of controls that are being used in the boundary
subsystem are summarised in Table 4.4.
Controls: Descriptions
Cryptographic controls: Can be used to protect the integrity of data used within the boundary subsystem.
Access controls: Can be used to prevent unauthorised access to and use of resources.
Audit trail: Events in the boundary subsystem must be recorded in an accounting audit trail. An operations audit trail records resource-oriented events.
Existence controls: This is to restore the boundary subsystem in the event of failure.
Figure 4.10: Types of approaches used to enter data into an application system
Figure 4.11 summarises edit checks that are used in input validation
routines.
Figure 4.11: Edit checks that are used in input validation routines
Line controls and flow controls are combined within the link management
protocols applied over a communication line. Three widely used link
protocols are HDLC, SDLC and ATM protocols.
Control: Description
Access controls: Restrict the actions that users can do on the database.
Integrity constraints: Maintain the accuracy, completeness, and uniqueness of instances of the constructs used within the conceptual modelling or data modelling approach used to design the database. Application programs should use certain update and reporting protocols to prevent and to detect data integrity violations.
Concurrency controls: Must exist to prevent inconsistent updating or reading of the database, when data is shared among multiple users.
Cryptographic controls: Preserve the privacy of data in the database.
File handling controls: Reduce the likelihood of accidental removal of data.
Audit trail controls: Maintain a chronology of all events that occur in the subsystem.
Existence controls: Must be implemented to restore the database in the event of loss.
Common controls that help preserve the integrity of data processing and
stored data are as follows:
presented to users, and the ways data will be prepared for and routed to
users. Companies should establish, document and follow procedures
designed to ensure that all system outputs conform to the organisation's
integrity objectives, policies and standards.
The procedures would ensure that the company does the following:
(i) Reviews all output for reasonableness and proper format;
(ii) Reconciles corresponding output and input control totals on a daily
basis;
(iii) Distributes computer output to the appropriate user departments;
(iv) Protects sensitive or confidential outputs that are being delivered to
users from unauthorised access, modification and misrouting;
(v) Stores sensitive or confidential output in a secure and locked area;
(vi) Requires users to carefully review the completeness and accuracy of
all computer output that they receive;
(vii) Shreds or destroys highly confidential data such as a list of outdated
customers; and
(viii) Corrects any errors found on the output reports.
Five sets of controls are exercised over these functions and they are:
(i) Inference controls
These controls are used to filter the output that users are allowed to
see. They are important in regulating access to statistical databases
where users are allowed to obtain summary information about data
but the privacy of persons about whom data is stored must be
preserved. Inference controls work by either restricting query set sizes
or disturbing the input or output of a statistical function.
(v) Audit trail controls and a set of existence controls for output
subsystem
Audit trail controls maintain the chronology of events from the time
the content of output is determined to the time the output is presented
to users. Existence controls enable either batch or online output to be
recovered in the event of loss.
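An added example, not from the original module, of the two inference-control approaches named in item (i) above: restricting query set sizes and disturbing the output of a statistical function. The payroll records, function names, minimum size `k` and rounding base are assumptions; the upper bound `n - k` is a standard extension of the size restriction that goes beyond what the text states.

```python
# Constructed payroll records: (employee, department, grade, salary)
RECORDS = [
    ("E01", "Sales", "Clerk", 2400),
    ("E02", "Sales", "Clerk", 2600),
    ("E03", "Sales", "Clerk", 2500),
    ("E04", "Sales", "Manager", 7800),
    ("E05", "Finance", "Clerk", 2700),
    ("E06", "Finance", "Clerk", 2900),
    ("E07", "Finance", "Officer", 4100),
    ("E08", "Finance", "Officer", 4300),
]


class QueryRefused(Exception):
    """Raised when answering would describe too small a group of people."""


def query_set(predicate):
    """Records selected by the user's condition (the 'query set')."""
    return [r for r in RECORDS if predicate(r)]


def mean_salary_unprotected(predicate):
    """No inference control: a summary over one record is that record."""
    rows = query_set(predicate)
    if not rows:
        return None
    return sum(r[3] for r in rows) / len(rows)


def mean_salary_restricted(predicate, k=3):
    """Query-set-size restriction: answer only if k <= size <= n - k.

    The upper bound matters because a summary over all but a few records
    describes those few once it is compared with the overall total.
    """
    rows = query_set(predicate)
    n = len(RECORDS)
    if not k <= len(rows) <= n - k:
        raise QueryRefused(
            f"query set size {len(rows)} is outside the range {k} to {n - k}")
    return sum(r[3] for r in rows) / len(rows)


def mean_salary_rounded(predicate, k=3, base=500):
    """Output perturbation on top of the size restriction.

    The exact mean is rounded to the nearest multiple of `base`, so small
    differences between overlapping queries are not visible in the answers.
    """
    exact = mean_salary_restricted(predicate, k)
    return base * round(exact / base)


def is_refused(predicate, k=3):
    """True when the size restriction rejects the query."""
    try:
        mean_salary_restricted(predicate, k)
    except QueryRefused:
        return True
    return False


if __name__ == "__main__":
    only_manager = lambda r: r[1] == "Sales" and r[2] == "Manager"
    sales = lambda r: r[1] == "Sales"
    print("unprotected:", mean_salary_unprotected(only_manager))
    print("restricted refuses:", is_refused(only_manager))
    print("restricted, Sales:", mean_salary_restricted(sales))
    print("rounded, Sales:", mean_salary_rounded(sales))
```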
SELF-CHECK 4.3
INTRODUCTION
How do you think barter system can be implemented in the 21st century? In your
opinion, how does accounting system transactions help barter systems?
This topic presents an overview of accounting transaction cycles which form the
basis of Accounting Information Systems. There are three main cycles which
consist of the revenue cycle, the expenditure cycle and the production cycle.
Apart from that, we will also discuss another topic which is very important in
AIS, called general ledger and reporting systems. Some authors consider the
general ledger and reporting system as another cycle called the financial cycle.
In this topic, we will look at the cycles in general before proceeding to the next
topic, which gives detailed information on each cycle.
From Figure 5.1, we know that in any business activity, the main objective
is to increase the capital of the company. The cycle of business activities begins
when capital is invested in a business. This capital may come from the owners
of the business or it may come from creditors. If the source is the
owners, the investment is considered as the owners' equity. If the source is
creditors, the investment is either long-term debt or current liabilities to the
company. In many businesses, most of the capital is used to purchase long-term
productive assets which help to increase the capital of the firm. The business
reports the results of its operations to the sources of its capital from time to time.
In short, capital investment comprises two significant economic events (see
Figure 5.2):
(i) Raising capital; and
(ii) Using capital to acquire productive assets.
Another event that occurs during this activity is producing business reports to its
sources of capital. It is necessary to maintain those sources especially when
additional capital is needed later.
The next step in the cycle of activities is the conversion of inputs into goods or
services (production). The business sells these goods or services to increase its
capital. The conversion/production process is different for each business.
For manufacturing companies, they buy raw material, apply labour and overhead
to them, and produce an output as the finished goods. On the other hand, service
companies convert inputs into outputs in the form of services. As for the
merchandising companies such as retailers and wholesalers, little labour is used
because they purchase inventories of goods, repackage them and then market
them. Nevertheless, all three businesses use inventories of supplies in their
conversion processes. Also, only one economic event occurs during this conversion
which is the consumption of labour, materials and overhead to produce products
or services that can be sold.
Finally, the last component in the figure is the sale of the goods or services that
were the outputs of the conversion process. When these are sold at a
profit, the capital investment of the business increases. Also, additional cash is
available for reinvestment, or for making payments to the sources of capital in
the form of dividends and interest. By providing a source of additional capital,
the sales component completes the cycle of business activities. In sum, the
activities involved in this cycle are receiving a customer order, delivering goods
to the customer, requesting payment for the goods and receiving payment.
Table 5.1 summarises the economic events in the cycle of business activities.
Table 5.2 summarises the relationship between business activity and their
respective cycles.
In this section, we will examine the accounting cycles in more detail. First, let us
start with the financial cycle.
Accurate recording must be done in this cycle in order to see the flow of
information. Transactions such as getting capital from owners or creditors,
using that capital to purchase assets and reporting back to owners and
creditors on how the capital is being used are important to be recorded.
Another event which is also important is periodic reporting to the sources of
capital. In the financial cycle, the basic financial statements provide periodic
reporting. These statements include the balance sheet, the income statement
and the statement of cash flows. The summaries in these statements come
from the general ledger. Periodic reporting to the sources of capital is
important because it enables a business to raise additional capital. In Figure
5.4, we can see that there are three accounting application systems that record
the events in the financial cycle. They are the property, the journal entry and
the financial reporting systems. The relationship among these application
systems and the sources of capital is also illustrated in Figure 5.4.
billing and the cash receipts systems. Companies that sell on a cash basis
frequently use a point-of-sale system that combines the four economic events
in one transaction. Figure 5.8 provides a graphical representation of the
transactions in the revenue cycle.
Table 5.3: Economic Events and Application Systems that Process Them
SELF-CHECK 5.1
So far, we have learned the activities that form the processing of accounting
transactions.
We have looked at how the accounting transactions cycles are formed using
the business cycle activities.
We can also identify the four cycles in the accounting transaction processing
system which are the revenue, expenditure, conversion and financial cycles.
In each cycle, we have also learned the type of accounting application
systems associated with each cycle.
INTRODUCTION
In the previous topic, we have studied the accounting transaction cycles in
general. From this topic onwards, we will look into each transaction cycle in
more detail. We will start with the revenue cycle in this topic. The revenue cycle
involves selling goods or services to customers and receiving payment for the
goods or services being purchased. This includes activities such as customer
orders, customer payments and sales of inventories or services. The process
begins when a customer makes an order to purchase a product or service from a
company. The company will then ship the products or perform the service. An
invoice will be sent to the customers and the customers will settle the
payments using cash or credit. If it is a credit sale, the company will check the
customer's credit history before they approve the sale.
During these transactions, there are several accounts involved. In sales order
processing, the primary accounts involved include sales, from inventories or
services, accounts receivable and cash.
Apart from the above accounts, it is also possible to have other accounts when
certain activities such as goods returned, discount purchases and other related
activities occur in the revenue cycle. The accounts include:
(a) Sales returns and allowances;
(b) Sales discounts;
(c) Sales taxes;
(d) Unearned revenues; and
(e) Allowance for doubtful accounts.
After looking at the accounts involved, we will examine the activities that occur
in the revenue cycle. Table 6.1 below summarises the activities involved.
Activity | Description
Customer orders | This event occurs when customers want to purchase any goods or services from the firm.
Verification of customer credit and credit limits | This event occurs when customers want to pay their invoices using credit. The customer's payment history and credit limit will be verified by the credit department.
Determination of inventory availability | This event occurs to make sure that the inventory is available in the warehouse.
Shipment of goods to customers | This event occurs when a company has to deliver the purchased products to the buyers.
Customer billing, including handling of discounts and shipping costs | This event occurs when purchases are made by customers. Any sales discounts or shipping charges will be included in the customer's bill.
Receipt of cash from customers | This event occurs when customers pay the amount they owe to the company.
Determination of overdue accounts | This event occurs when inspection is done to check for any overdue payment.
Receipt of returned goods | This event occurs when goods purchased are returned by the customers due to damage or dissatisfaction.
Based on the events in the revenue cycle, many reports and documents are
prepared or generated. The documents can be seen in Table 6.2.
Document | Description
Sales orders | Prepared by sales personnel in the sales department.
Packing and shipping documents | Prepared by shipping personnel in the shipping department.
Billing invoices | Prepared by accounts receivable personnel in the accounts receivable department.
Remittance advices | Often part of billing invoices and returned by customers with payments.
Checks | From customers for the payment of goods or services.
Deposit slips | Prepared by cash receipts personnel in the cash receipts department.
In revenue cycle business activities, customers can buy products using either
cash or credit. Several main functions normally occur in any sale as presented
graphically in Figure 6.2.
An example of a data flow diagram for sales order processing and cash receipt
processing is shown in Figure 6.3. The processes start when a
customer places an order and the firm checks the customer's credit history. Once approved,
goods are picked from the warehouse and shipped to the customer together with a
packing slip. The shipping department also sends another copy of the packing slip, as
well as the bill of lading, to the billing department. Meanwhile, the sales
department prepares several copies of the sales order and sends them to the
warehouse and the billing department. The billing department sends an invoice to the customer
and other information to be recorded in the sales journal, accounts receivable and
general ledger. The inventory account is also updated based on the information given
by the billing department. When the customer makes payment, the cheque and remittance
advice are sent to the mail room and are then sorted by the clerk. The cheque is
deposited into the bank while the remittance advice is sent to accounts receivable.
Then, accounts receivable, the general ledger and the cash receipts journal are updated.
Another example is the data flow diagram for goods that have been returned
(see Figure 6.4). The processes start when a customer rejects or returns the goods
purchased due to damage or dissatisfaction. When the returned goods are
received, they are sent to the warehouse together with a return slip for restocking
purposes. Another return slip is sent to the sales department, where several
copies of a credit memo are prepared. Copies of the credit memo are used to update the sales
journal for sales returns, accounts receivable, inventory and the general ledger.
Copyright © Open University Malaysia (OUM)
TOPIC 6 REVENUE CYCLE APPLICATIONS
Figure 6.3: Example of sales order processing and cash receipt processing system: DFD of
sales order processing and cash receipt processing subsystems
Below are detailed summaries of all the activities involved in the revenue cycle.
The categories comprise:
(a) Processing customer orders;
(b) Delivery/shipping goods;
(c) Preparing invoices/billing; and
(d) Recording in accounts receivable ledger.
ACTIVITY 6.1
What makes some people's credit history become bad, leading to them
being blacklisted by financial institutions?
Terms:
(a) Two per cent discount if account is paid within seven days;
(b) Net amount payable within 30 days;
(c) Payment required within 10 days after the end of the month; and
(d) Payment required within 30 days of the end of the month in which delivery
is made.
Credit or adjustment notes are prepared when goods are returned. They are
recorded in the sales returns journals.
Bad debts are amounts owed by debtors that cannot be collected.
Revenue cycle ends with customer payments that may take the form of:
(a) Cash - from cash sales;
(b) Cheques - most common form of payment;
(c) Bank transfers; and
(d) Direct deposits or electronic fund transfer.
Let us see the objectives of this system. The objectives are illustrated in Figure
6.5:
Figure 6.5: Objectives of computer application systems for the revenue cycle
Figure 6.6 contains a flowchart of an online real time order entry system. A
sales clerk enters data from a customer's purchase order. A computer
program validates the data entered by the clerk, verifies that the order is
within the customer's credit limit, and creates a sales order detail record.
The program produces two documents. An order acknowledgement is
mailed to the customer confirming acceptance of the order. The sales
register provides a list of all sales orders entered by the clerk.
Older accounting systems used batch processing for this application. With
such a system, a clerk prepared sales orders and accumulated them in
batches. The clerk also created a control total, called a batch total, for each
batch. The batch system then applied the processing steps described above
to transactions for a batch at a time. Clerks checked the batch total after
each processing step to ensure that no transactions were lost.
The flowchart of the system in Figure 6.8 shows these procedures. The
program creates a sales invoice and an invoice detail record for each
shipment record created in the billing application. It also allows a billing
clerk to enter data creating credit memos. The program adds invoice detail
records to the accounts receivable change log file and produces a record
summarising the transactions for the general ledger batch summary file.
The clerk prints a daily document register from the contents of the invoice
detail file. A clerk may query the invoice detail file to determine the status
of a specific unpaid sales invoice.
Every month, the system prints customer statements and an aged trial balance.
Many companies practise cycle billing, which means they print and mail
statements to their customers on certain days of the month. This avoids the
difficulties of producing all customer statements at the month's end.
A clerk enters data from remittance advices and creates a cash receipts
detail record from each. The computer program matches each cash receipt
detail record with its appropriate invoice detail record, deletes the invoice
detail record and prints a register of deleted invoices. It posts the cash
receipt to the appropriate customer master record, adds a record for each
cash receipt to the accounts receivable change log file and produces a
record summarising these transactions for the general ledger batch
summary file. The clerk executes another program that prints a daily cash
receipt register from the cash receipts detail file.
In the next section, we will be looking at some control measures to validate data
in revenue cycle activities.
SELF-CHECK 6.1
The AIS should be designed to maximise the efficiency with which the basic
activities in the revenue cycle are performed.
INTRODUCTION
This topic gives an overview of the expenditure cycle in the Accounting
Transaction Processing cycles. As you have learnt in Topic 5, the expenditure cycle
involves activities such as purchasing raw materials, finished goods or
services from vendors, disbursing cash for the goods purchased, paying
salaries to employees and dealing with the fixed assets in a company. To make it
easier to understand, we will divide this topic into two sections: the purchase
and the cash disbursement subsystems, and the payroll and the fixed asset
subsystems. It is important to separate the payroll transactions for two
reasons. First, payroll systems must withhold amounts for deductions and taxes
and summarise these in cumulative earnings reports. This is unnecessary for
other general purchasing. Second, payroll systems produce pay-cheques only for
employees; if payroll cheques and other general cheques were combined, it would
be easy to hide fraud in the payroll system.
TOPIC 7 EXPENDITURE CYCLE APPLICATIONS
ACTIVITY 7.1
The purchasing and cash disbursement activities are two separate subsystems in
the expenditure cycle.
Next, we will look at the processes involved in the cash disbursement subsystem.
A clerk checks the amount due in accounts payable and prepares a payment
cheque. The cheque is sent to the vendor and, concurrently, the general ledger
is updated.
You will notice that these transactions involve several accounts. Among those
accounts are:
(a) Inventory
(b) Account payable
(i) Purchase account; and
(ii) Vendor's account.
(c) Cash
You will also notice that there are various reports and documentations generated
during this process. The documents include:
(a) Purchase requisition - a document that allows a purchase transaction to be
made;
(b) Purchase order - a document that indicates the details of the items to be
purchased;
(c) Blind copy - a blank copy of purchase order;
(d) Receiving report - a document that indicates the details of items such as
quantity;
(e) Vendor's invoice - bills from the vendor on the items being purchased; and
(f) Voucher register - a register that shows the company's account payable.
Based on the above reports, let us look at the events that trigger them.
A purchase requisition is prepared when the inventory clerk detects that the
inventory level has dropped to a certain level.
The purchase requisition is then sent to the purchasing department, where the
purchasing clerk prepares several copies of the purchase order and distributes them to
several departments. One copy of the purchase order, called the blind copy, which contains
no details, is sent to the receiving department to force the receiving clerk to inspect the
Now that we know how the reports are produced, we will take a look at the
detailed processes involved in the purchasing and cash disbursement subsystems in
the next section.
(d) Storekeeping
Goods received are stored in a secure place. They will be safeguarded by
authorised persons. Goods will only be released upon proper authorisation,
that is, a goods/materials requisition note. An authorised dispatch note is required for
the dispatch of goods sold. Figure 7.2 summarises the storekeeping functions.
After looking at the above details, you might still want to know more about
the processes. There are seven processes involved in data flow diagram or
DFD:
(i) Review needs;
(ii) Purchase Inventory;
(iii) Receive goods;
(iv) Update inventory;
(v) Update control accounts;
(vi) Prepare cash disbursement; and
(vii) Update general ledger.
To help you understand better, Figure 7.3 shows the processes in a data
flow diagram.
(j) Inventory is protected and accounted for both physically and in terms of
dollar value;
(k) Reorder levels are maintained;
(l) Proper authorisation procedure is applied before release of goods from
stores; and
(m) Segregate related departments such as inventory from warehouse and cash
from general ledger and account payable.
Validity test
Program checks the digits entered for VENDOR-NUMBER and
validates them against a list of valid VENDOR-NUMBERs.
(ii) Processing:
Record count
(iii) Output:
Record count
Program verifies that the number of new records in the
purchase order detail file = the number of line items on
purchase orders.
(ii) Processing:
Record count
Program verifies that the quantity of goods received equals
the quantity ordered.
(iii) Output:
Record count
Program verifies that the number of lines on the voucher
register = the number of records added to the voucher file.
Validity test
Program verifies that dates are of the form AA-BB-CCCC,
where AA < 13, BB < 32 and CCCC is numeric.
(ii) Processing:
Record count
Program verifies that the decrease in the number of open
purchase order records = the increase in the number of
pending invoice records, the number of records in the old
pending invoice file = the number of records in the new
pending invoice file + the number of new voucher records, and
the decrease in the number of receipts records = the increase in the
number of pending invoice records.
(iii) Output:
Record count
Program verifies that the number of lines on the voucher
register = the number of records added to the voucher file.
(ii) Processing:
Record count
Program verifies that the number of records in the old voucher
file = the number of records in the new voucher file + the
number of cash disbursement transaction records.
(iii) Output:
Record count
Program verifies that the number of lines on the voucher
register = the number of records added to the voucher file.
Limit test
Program flags transactions amounting to more than RM100,000
for review by the data control group.
Run-to-run controls
Data control group verifies that total amount of cheques =
total amounts of vouchers disclosed on control reports and
cheque register.
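The input edit tests listed above (the validity test on VENDOR-NUMBER, the AA-BB-CCCC date test and the RM100,000 limit test), written out as an added Python example that is not part of the module. The vendor list, field names and sample batch are constructed for illustration, and the calendar check is an addition that shows what the form test alone lets through.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample data (not from the module): a vendor master list and a
# small batch of purchase transactions as keyed in by a clerk.
VALID_VENDOR_NUMBERS = {"10045", "10078", "20311"}
LIMIT_RM = Decimal("100000")  # limit-test threshold stated in the text

SAMPLE_BATCH = [
    {"vendor_number": "10045", "date": "03-15-2024", "amount": "4800.00"},
    {"vendor_number": "1O078", "date": "03-16-2024", "amount": "950.00"},    # letter O keyed for zero
    {"vendor_number": "99999", "date": "03-16-2024", "amount": "120.50"},    # not on the vendor list
    {"vendor_number": "20311", "date": "13-02-2024", "amount": "700.00"},    # AA = 13
    {"vendor_number": "20311", "date": "02-31-2024", "amount": "700.00"},    # passes the form test only
    {"vendor_number": "10078", "date": "03-18-2024", "amount": "250000.00"}, # above the limit
]

DATE_FORM = re.compile(r"([0-9]{2})-([0-9]{2})-([0-9]{4})")


def vendor_number_errors(vendor_number):
    """Validity test: digits only, and present on the valid vendor list."""
    if not (vendor_number.isascii() and vendor_number.isdigit()):
        return ["VENDOR-NUMBER contains non-digit characters"]
    if vendor_number not in VALID_VENDOR_NUMBERS:
        return ["VENDOR-NUMBER not on valid vendor list"]
    return []


def date_form_ok(text):
    """Form test exactly as stated: AA-BB-CCCC, AA < 13, BB < 32, CCCC numeric."""
    m = DATE_FORM.fullmatch(text)
    return bool(m) and int(m.group(1)) < 13 and int(m.group(2)) < 32


def date_calendar_ok(text):
    """Stricter check (an addition): AA-BB-CCCC must be a real month-day-year."""
    m = DATE_FORM.fullmatch(text)
    if not m:
        return False
    try:
        date(int(m.group(3)), int(m.group(1)), int(m.group(2)))
    except ValueError:
        return False
    return True


def edit_check(record):
    """Return (errors, flags): errors reject the record, flags send it for review."""
    errors = vendor_number_errors(record["vendor_number"])
    if not date_form_ok(record["date"]):
        errors.append("date fails AA-BB-CCCC form test")
    elif not date_calendar_ok(record["date"]):
        errors.append("date passes form test but is not a calendar date")
    flags = []
    try:
        amount = Decimal(record["amount"])
        if not amount.is_finite():
            raise InvalidOperation
    except InvalidOperation:
        errors.append("amount is not numeric")
    else:
        if amount > LIMIT_RM:
            flags.append("amount exceeds RM100,000: review by data control group")
    return errors, flags


def run_edit_checks(batch):
    """Apply the edit checks to a batch and build an exception report."""
    report = {"accepted": [], "rejected": [], "review": []}
    for position, record in enumerate(batch, start=1):
        errors, flags = edit_check(record)
        if errors:
            report["rejected"].append((position, errors))
            continue
        report["accepted"].append(position)
        if flags:
            report["review"].append(position)
    return report


if __name__ == "__main__":
    result = run_edit_checks(SAMPLE_BATCH)
    print("accepted:", result["accepted"])
    print("for review:", result["review"])
    for position, errors in result["rejected"]:
        print("rejected record", position, errors)
```

The form test accepts values such as 00-00-2024 and 02-31-2024 because it only bounds each part, which is why the calendar check is layered on top of it here.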
ACTIVITY 7.2
What are the three documents that must accompany the payment of an
invoice?
Discuss where these three documents originate and the resulting
control implications.
Imagine you own a small business with ten employees. What information
do you need in order to run a payroll system for your employees? How
would you go about the record keeping for your mini-payroll system?
Figure 7.8: Context diagram of the payroll portion of the HMR/payroll cycle.
Source: Romney and Steinbart (2003)
As for the output, cheques are the payroll system's principal output. Based on
the dataflow in the context diagram, we know that employees receive individual
pay-cheques in compensation for their services. On the other hand, a payroll
cheque is sent to the bank to transfer funds from the company's regular accounts
to its payroll account. Finally, cheques are also issued to government agencies,
insurance companies and other organisations to meet company obligations such
as paying for taxes and insurance premiums. In addition, the payroll system also
produces a variety of reports for internal and external use.
Now that we understand the inputs and outputs of the payroll system, let us
look at Figure 7.9 which shows the seven basic activities in the payroll cycle.
Before we proceed, it is a good idea to remember that payroll is one of the AIS
applications that continue to be processed in batch mode. This is because
pay-cheques are prepared periodically, either weekly, biweekly or monthly, and
most employees are paid at the same time, which makes it appropriate to process
the transactions in batch.
The accounts involved in this transaction are account payable and fixed asset.
We have now completed the study of three tasks in the fixed asset system. As for
the internal controls and controls in the computer environment, the procedures
and processes are similar to purchase systems described above. Therefore, from
this section onwards, we will only look at the payroll system in particular.
register. After payroll clerks have reviewed the register for errors, another
program prints pay-cheques and creates records for the general ledger batch
summary file.
(a) Input
(i) Completeness test
Program verifies that all required inputs have been entered, such as
EMPLOYEE-NUMBER, EMPLOYEE-NAME and HOURS-WORKED.
(b) Processing
(i) Record count
Number of input transaction records = number of output
transaction records.
(ii) Control total
Total hours in input file = total hours in output file.
(c) Output
(i) Limit test
Program flags any transactions with amounts of more than RM10,000
for review by the data control group.
(ii) Record count
Program verifies that the number of pay-cheques = the number of
payroll transaction records.
(iii) Control total
Program verifies that total amount of pay-cheques = total debits to
general ledger accounts = total credits to general ledger accounts.
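The payroll controls listed above (completeness test, record counts, the hours control total, the RM10,000 limit test and the pay-cheque/general ledger control total), worked through as an added Python example that is not part of the module. The RATE field, the ledger account names and the sample batch are constructed assumptions; the reconciliation step shows how a lost transaction or an altered pay-cheque surfaces as a failed control, the same purpose the batch totals serve in the older batch systems described in Topic 6.

```python
from decimal import Decimal

REQUIRED_FIELDS = ("EMPLOYEE-NUMBER", "EMPLOYEE-NAME", "HOURS-WORKED")
LIMIT_RM = Decimal("10000")  # output limit-test threshold stated in the text
ZERO = Decimal("0")

# Constructed timesheet batch. RATE is a hypothetical field added so that pay
# can be computed; the module names only the three required fields above.
INPUT_BATCH = [
    {"EMPLOYEE-NUMBER": "E001", "EMPLOYEE-NAME": "Aminah", "HOURS-WORKED": "160", "RATE": "25.00"},
    {"EMPLOYEE-NUMBER": "E002", "EMPLOYEE-NAME": "Boon", "HOURS-WORKED": "152", "RATE": "30.00"},
    {"EMPLOYEE-NUMBER": "E003", "EMPLOYEE-NAME": "Chitra", "HOURS-WORKED": "168", "RATE": "80.00"},
    {"EMPLOYEE-NUMBER": "E004", "EMPLOYEE-NAME": "Daud", "HOURS-WORKED": "40", "RATE": "20.00"},
]


def completeness_errors(batch):
    """Input control: list (record position, missing fields) for incomplete records."""
    problems = []
    for position, record in enumerate(batch, start=1):
        missing = [f for f in REQUIRED_FIELDS if not str(record.get(f, "")).strip()]
        if missing:
            problems.append((position, missing))
    return problems


def process_payroll(batch):
    """Toy payroll run: one transaction and one pay-cheque per input record,
    plus a summary ledger entry (debit wages expense, credit payroll cash)."""
    transactions = []
    for record in batch:
        hours = Decimal(record["HOURS-WORKED"])
        transactions.append({"employee": record["EMPLOYEE-NUMBER"], "hours": hours,
                             "gross": hours * Decimal(record["RATE"])})
    cheques = [{"payee": t["employee"], "amount": t["gross"]} for t in transactions]
    total = sum((t["gross"] for t in transactions), ZERO)
    ledger = [{"account": "Wages expense", "debit": total, "credit": ZERO},
              {"account": "Payroll cash", "debit": ZERO, "credit": total}]
    return transactions, cheques, ledger


def reconcile(batch, transactions, cheques, ledger):
    """Processing and output controls; returns the names of the controls that fail."""
    failed = []
    if len(batch) != len(transactions):
        failed.append("record count: input records = output transaction records")
    hours_in = sum((Decimal(r["HOURS-WORKED"]) for r in batch), ZERO)
    hours_out = sum((t["hours"] for t in transactions), ZERO)
    if hours_in != hours_out:
        failed.append("control total: hours in input file = hours in output file")
    if len(cheques) != len(transactions):
        failed.append("record count: pay-cheques = payroll transaction records")
    cheque_total = sum((c["amount"] for c in cheques), ZERO)
    debits = sum((e["debit"] for e in ledger), ZERO)
    credits = sum((e["credit"] for e in ledger), ZERO)
    if not (cheque_total == debits == credits):
        failed.append("control total: pay-cheques = debits = credits")
    return failed


def limit_flags(cheques):
    """Limit test: payees whose pay-cheque exceeds RM10,000, for manual review."""
    return [c["payee"] for c in cheques if c["amount"] > LIMIT_RM]


if __name__ == "__main__":
    txns, cheques, ledger = process_payroll(INPUT_BATCH)
    print("incomplete input records:", completeness_errors(INPUT_BATCH))
    print("failed controls, clean run:", reconcile(INPUT_BATCH, txns, cheques, ledger))
    print("flagged for review:", limit_flags(cheques))
    # A transaction lost between processing steps trips the counts and the hours total.
    print("failed controls, lost record:", reconcile(INPUT_BATCH, txns[:-1], cheques, ledger))
```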
ACTIVITY 7.4
Prepare a worksheet in MS Excel that tabulates all the possible
deductions a company's payroll system may consider. You may
research the information needed on the Internet. Discuss and
exchange your answers with your coursemates, and post them on the
myVLE forum.
SELF-CHECK 7.1
INTRODUCTION
This topic provides you with detailed information about the production cycle in
Accounting Transaction Cycles. The activities in this cycle relate to operations
associated with the manufacturing of products. The main activity in the production
cycle is to convert inputs such as raw materials, labour and overhead into
finished products. That is why this cycle is also known as the conversion cycle.
The revenue cycle provides information on customer orders and sales forecast to
the production cycle. This information is used to plan for the quantity of
inventory that will be produced. In return, the production cycle sends
information about quantity of finished goods that have been produced and
quantity that is available for sale. The production cycle also sends information
about the needs of raw materials to the expenditure cycle using purchase
requisition forms. In exchange, the expenditure cycle provides information about
the raw materials that have been purchased together with other expenditure as
the overhead costs. The production cycle also transmits information on labour
needs to payroll cycle while payroll cycle sends information on labour costs and
availability in return. Finally, production cycle transmits information on cost of
goods manufactured to the general ledger and reporting system, and summary
reports are sent to the management.
In sum, several functions are involved, such as the acquisition of raw materials
and labour, the transfer of raw materials and overhead into production, the
transfer of finished goods into inventory and finally the sale of the inventory.
Next, we will look at Figure 8.2 which shows the four basic activities in the
production cycle:
(a) Product design;
(b) Planning and scheduling;
(c) Production operations; and
(d) Cost accounting.
Figure 8.2 also illustrates the information flows between each of those activities
and other AIS cycles.
So far, we have learnt the four basic functions of production cycle and their
objectives. The following Figure 8.3 illustrates a typical online AIS for the
production cycle. Let us look at the departments and the data storages involved
in this process.
The process begins when there is a new order from customers or whenever a
new sales forecast is entered by the sales department. Then, the production planning
department uses this information, together with information on the current inventory
level, to develop the master production schedule and stores it in the database. To
authorise the production of specific goods, new records are added to the
production order file. At the same time, new records are also added to the work
in process file to accumulate data on cost. In the meantime, when the engineering
department enters product specification for new products, new records will be
created in the bill of materials and operation list files. The engineering
department accesses both files to examine the design of similar products in order
to develop the specification. The department also accesses the general ledger and
inventory files to get information about the costs of any alternative in designing
the products. When the list of operations to be performed is ready, it is displayed
at the appropriate workstations. Similar instructions are sent to the computer
integrated manufacturing (CIM) interface to guide the operation of computerised
machinery and robots. Finally, materials requisitions are sent to the inventory
stores department to authorise the release of raw materials into production.
During the process as illustrated in Figure 8.3, four types of cost data have been
accumulated which are raw materials, direct labour, machinery and equipment,
and manufacturing overhead. Let us now examine how these four categories of
cost data are collected.
First, we will learn how the cost of raw materials is gathered. Whenever a materials
requisition is issued, the raw materials are sent to production and a debit
is made to the work in process account. If additional materials are needed,
another debit is made to work in process. On the other hand, the work in process
account is credited whenever unused materials are returned to the inventory
department. The usage data needed to calculate the cost is collected by scanning the
materials when they are released from or returned to the inventory department,
because most of the materials are bar coded. For those without a bar code, the
inventory clerk uses online terminals to enter the usage data.
Next, we will examine how the cost for direct labour is collected. For direct
labour, a job time ticket can be used to accumulate data about labour activity.
This document records the amount of time a worker spent on each specific job
task. Alternatively, workers can also enter this data using online terminals at
each factory workstation. To improve the efficiency of this process, firms can also
introduce coded identification cards, which workers run through a
badge reader or bar code scanner when they start and finish any task.
Thus far, we have focused on accounting costs associated with the production of
inventory. However, the AIS also collects and processes information about
property, plant and equipment used in the production cycle. This is because such
fixed assets represent a significant portion of total assets for many companies,
and so it is important to monitor this investment. Some authors include fixed
assets system in the production cycle but some include this in the expenditure
cycle. For this module, fixed assets have been included in the expenditure cycle
as discussed in the earlier Topic 7.
ACTIVITY 8.1
Internal control procedures in the production cycle are used to make the processing
in the cycle run smoothly. Table 8.1 lists some of the procedures used in the
production cycle.
No. Procedure
1 Improved information about the effects of product design on costs.
2 Detailed data about warranty and repair costs.
3 Better production planning systems.
4 Review and approval of fixed asset acquisitions; budgetary controls.
5 Restrict physical access to inventories and fixed assets.
6 Document all movement of inventory through the production process.
7 Identification of all fixed assets.
8 Periodic physical counts of inventory.
9 Adequate insurance.
10 Data entry edit controls; use of bar code scanning where feasible; reconciliation of
recorded amounts with periodic physical counts.
11 Backup and disaster recovery planning; restricting access to cost data.
12 Improved and timelier reporting.
(b) Processing
(i) Control total
In the online real time system, the program verifies that total costs
recorded in the job cost file = total cost recorded in the cost center file.
(c) Output
(i) Control totals
Data control group verifies that total cost of jobs on job purge
control report = total of job cost reports.
SELF-CHECK 8.1
In short, you should understand the four basic activities involved in the
production cycle, which are product design, production planning and
scheduling, production operations and cost accounting.
Companies must also invest in IT continuously in order to improve the
efficiency of these activities.
Apart from that, we have also listed the internal control procedures used in
the cycle and described the processes involved in this cycle using the
computer.
INTRODUCTION
As a future accountant, you must know the basic accounting
transaction processing cycles. Having discussed all the accounting
transaction processing cycles in the previous topics, we will now discuss the
general ledger and reporting system in this topic. It covers the operations of
information processing involved in updating the general ledger and preparing
the reports that summarise the results of an organisation's activities.
ACTIVITY 9.1
What entities need to be recorded in a general ledger?
The treasurer provides information about financing and investing activities, such
as the issuance or retirement of debt and equity instruments and the purchase or
sale of investment securities. The budget department provides budget numbers.
The controller provides adjusting entries.
On the other hand, the outputs are reports which are sent to external and internal
users. The flow of this information is illustrated in Figure 9.2.
Figure 9.2: Context diagram of the general ledger and reporting system
Source: Romney and Steinbart (2003)
The information flows in this system must be organised and stored in a way that
meets the various information needs of the internal and external users. For
example, managers need detailed information about the results of operations in
their particular area of responsibility. Investors and creditors want periodic
financial statements to help them assess the organisation's performance.
Currently, the investors and creditors are demanding more detailed and frequent
reports from the system. Government agencies also have periodic information
requirements that must be met by a company. Therefore, the design of the
general ledger and reporting system must be able to produce regular periodic
reports and to support real time inquiry needs.
Now that we have studied the context diagram in Figure 9.2, we will look at the
detailed processes in level 0 of the DFD as shown in Figure 9.3.
Figure 9.3: Level 0 DFD for the general ledger and reporting system
Source: Romney and Steinbart (2003)
There are four basic activities performed in the general ledger and reporting
system as illustrated in Figure 9.3. The first three activities which are update
general ledger, post adjusting entries and prepare financial statements represent
the basic steps in the accounting cycle which end with the creation of the
traditional set of financial statements. The fourth activity which is produce
managerial reports indicates that, in addition to financial reports for external
users, the AIS also produces reports for internal management. Let us examine
each of these activities in more detail.
(b) Treasurer
The treasurer's office creates individual journal entries to update the
general ledger for non-routine transactions such as the issuance or
retirement of debt, the purchase or sale of investment securities, or the
acquisition of treasury stock.
Journal entries to update the general ledger may be documented on a form called
a journal voucher. Figure 9.3 shows that the individual journal entries used to
update the general ledger are then stored in the journal voucher file. Therefore,
we can find the information in general ledger located in a manual AIS as well.
However, notice that the journal voucher file is a by-product of, not an input to,
the posting process. The journal voucher file is also one of the important parts of
the audit trail.
reflects the fact that if all activities have been properly recorded, the total of all
debit balances in various accounts should equal the total of all credit balances. As
shown in Figure 9.3, information about these adjusting entries is stored in the
journal voucher file. After all adjusting entries have been made, an adjusted trial
balance is prepared. The adjusted trial balance serves as the input to the next step
in the general ledger and financial reporting cycle which is the preparation of
financial statements.
These reports are used to verify the accuracy of the posting process. Several budgets
are produced for planning and evaluating performance of an organisation. The
operating budget depicts planned revenues and expenditures for each
organisational unit. The capital expenditures budget shows planned cash inflows
from operations with planned expenditures and is used to determine the
organisation's borrowing needs.
In sum, the processes described above form the general ledger and reporting
system, discussed in this topic. To have a better understanding of these
processes, Figure 9.4 illustrates the general ledger and reporting system in detail
using a flowchart.
The purpose of the journal entry system is to post to the general ledger all
transactions that are not processed by other application systems. These include
transactions that record the acquisition of capital from the issue of stocks and
bonds, the receiving of cash from bank loans, and the acquisition and disposition
of property. Meanwhile, the purpose of the financial reporting system is to close
the general ledger and to produce financial statements and performance reports.
It uses the journal entry system to record adjustments made to the accounts
during the closing process. That is why some accountants identify the two
systems as the general ledger system.
(b) Processing
(i) Record count
Program verifies that the number of changes to the property
master file = the number of vouchers + the number of retirement
orders + the number of capital work orders.
(c) Output
(i) Control total
Program verifies that total credits to general ledger batch
summary file = total of retirement work orders.
(b) Processing
(i) Record count
Number of records from input general ledger batch summary file
= number of records in detail postings file + number of records in
output general ledger batch summary file.
(c) Output
(i) Run-to-run control
Data control group reconciles totals on control report, error listing
and transaction register; and
Data control group uses transaction register to reconcile the
differences between the first and second trial balances.
SELF-CHECK 9.1
In general, the general ledger and financial reporting system integrates and
summarises the results of various accounting subsystems in revenue,
expenditure and production cycles.
As discussed before, the general ledger acts as a central master file in the AIS.
That is why it is important to implement the control procedures stated in this
topic in order to ensure its accuracy and security.
The controls include edit checks of the journal voucher records posted to the
general ledger, access controls, an adequate audit trail, and appropriate
backup and disaster recovery procedures.
This topic also discusses the main applications used in this system, which are the
Journal Entry and Financial Reporting System and the Property System.
INTRODUCTION
The onset of information age and computerisation has provided us with more
options on how to communicate with each other, which helps to minimise
barriers to communication. For instance, besides telephone and face-to-face
communication, we can also make use of e-mails, instant messaging, Facebook
and even Twitter. Though the variety of technological options facilitates
communication, the quality of communication lacks human touch, e.g., an
individual's facial expressions at a point in time are not readily determinable from
e-mails, instant messages and/or tweets.
ACTIVITY 10.1
Imagine that you have completely forgotten about getting your spouse
a birthday present until you stumble upon a familiar-looking watch on
eBay while Internet-surfing. You have seen the same watch in a product
catalogue from your credit card company. The watch is now sold on
eBay at half the catalogue price.
Has your life changed for the better with access to the Internet and
online retail businesses?
What is e-business?
With the dawn of online retail businesses such as Amazon.com and eBay, it is
easy to perceive that e-business involves getting connected with external parties
like customers and suppliers via the use of various technology-based
communication options. Virtually any type of business involves exchange of
economic resources like goods, services and money. Such exchange of economic
resources is not feasible without the participation of external parties; i.e., you
need to exchange economic resources with somebody. How e-business affects
business processes that involve external parties is further discussed as follows.
Being able to transact on the Internet with customers, suppliers and other
trading partners facilitates development of dynamic business alliances to
fill unique market niches. For instance, your business expertise is in
marketing and selling home-made cookies on the website, whereas your
trading partners have the expertise in making such cookies. You share
product information, prices and expected delivery times on your website,
accept customer orders and dispatch customer orders to your trading
partners who make and ship the cookies directly to the customers. You do
not take ownership or custody of the cookies, which reduces costs and
shortens lead times from receipt of customers' orders to the delivery of
cookies.
However, the risks of transacting on the Internet are high, especially when
the external parties are complete strangers. Risks can be minimised
when transactions are on a cash basis. For example, you require
customers to pay by credit cards or transfer payments into your bank
account when placing an order. Even so, you still need to address the
following concerns to benefit from e-business at the transaction level.
SELF-CHECK 10.1
The changes that e-business brings to internal business processes range from
automation to business process reengineering. Automation involves replicating
traditional, manual business processes with the use of technology to enhance
speed and cost effectiveness. However, business process reengineering involves
radical rethinking and reorganisation of existing business processes and
workflows.
Periodic mode and batch processing are suitable for high volume
transactions, such as sales and cash receipts. Both processing modes require
little dedicated processing resources, which minimises disruptions of other
tasks in times of scarce resources. In fact, both processing modes maximise
use of resources and minimise instances of idle resources. For example,
instead of entering each sales transaction as it occurs into the computer, all
sales transactions are accumulated till the end of the day when the shop is
closed for business. The owner-manager is able to concentrate on entering
all sales transactions for the day without the distractions of other tasks,
such as entertaining customers' enquiries. Being able to concentrate on
entering sales transactions alone also minimises data-entry errors.
You can find use of OLTE in a typical supermarket. At the check-out counter,
you will notice that the cashier scans each of the grocery items you want to buy.
Data is entered into the computer at each scan. The cashiers only manually key-in
data when the scanner fails to read the bar code.
OLTE can still be applied consistent with the periodic mode if such processing
mode is deemed suitable, where once data is entered, the remaining processing
steps such as update of master data take place at a later point in time. The
periodic mode is most suitable for payroll processing as employees are typically
paid a fixed amount at the end of each month. Payroll processing tasks are
routine and information about employees' wages and salaries is somewhat
predictable. If you are earning a fixed income every month, do you know how much
you will be paid on your next pay day? When timely information about wages
and salaries adds little value, immediate mode (opposite of periodic mode) of
processing is less suitable; i.e. periodic mode of processing is more suitable.
are entered at the time they occur and master data are updated immediately,
which in turn, minimizes delay in accessing up-to-date, real-time information.
ONRT processing typically involves three basic steps (Dull et al., 2012):
(a) Step 1: Enter data at the time business transactions occur. Similar to OLTE,
source documents are typically not used to avoid delay.
(b) Step 2: Data entered are processed (e.g., calculations and summarisations)
and master data are updated immediately. Unlike OLTE where processing
of data entered can be postponed in accordance with the periodic mode,
data entered are immediately processed and master data are updated
instantaneously.
(c) Step 3: While periodic reports will be generated as scheduled, ad-hoc and
unique reports are available through access to the information system at
any point in time. ONRT enables real-time information. The most current
status of master data items is available at any point in time.
OLTP systems are most useful for automatic teller machines (ATMs) and airline
reservation systems. Every time you withdraw cash at any ATM terminal, you
get the cash and know how much money is left in your account immediately at
the terminal. Every time you book a flight on the Internet, you pay with a credit
card and get a confirmation and/or flight itinerary almost immediately. All
processing steps are completed on the spot.
SELF-CHECK 10.2
Do you have access to the Internet at home and at work? How do you
access, or what do you need to get connected to the Internet to check
e-mails, chat and find out what your friends and relatives are doing
on Facebook and/or Twitter?
At the beginning of this topic, we defined e-business as requiring the use of
technological advancements in communications for business organisations to get
connected with people external as well as internal to the organisation. E-business
is not possible without any form of connection and/or communication network.
(a) Internet
The Internet connects all computers in the world, which allows global
access to information resources.
(c) Intranet
The intranet connects all computers and databases in an organisation. The
intranet is accessible via web browsers and/or internally developed
software specifically designed to facilitate sharing of information resources
within an organisation. The intranet operates like the Internet except that
access to the intranet is only available for users internal to an organisation.
Internal information resources such as the company's mission statements,
instruction manuals and operational information can be shared via the
intranet.
(d) Extranet
The extranet allows external parties such as customers, suppliers and other
trading partners access to an organisation's intranet.
typical examples. Figure 10.4 illustrates use of EDM to store and share
large amount of information electronically.
Figure 10.4: Use of EDM to store and share large amount of information electronically
Alternatively, trading partners can make use of EDI service bureaus. EDI
service bureaus are intermediaries between trading partners. Among the
services that these service bureaus offer are translations of documents
into a standard EDI format as well as from EDI format to suit trading
partners' application software. Another alternative is to use the Internet.
Though EDI simplifies and even eliminates processing steps, some of the
control mechanisms are also inadvertently eliminated. For instance,
source documents, which constitute evidence of business transactions, are
eliminated for the seller. The seller loses the audit trail. There has to be a
certain degree of trust between trading partners as the purchaser is
allowed to initiate and complete the seller's OLTE. Trading partners can
have an agreement upfront. However, not everything can be foreseen and
included in the agreement.
As EDI brings trading partners closer together, it also gives rise to the
importance of close connection and coherence of internal business
processes. For information to flow instantaneously across business
organisations, information flow within business organisations also needs
to be done instantaneously. EDI together with other methods and
infrastructure that support e-business facilitate close internal as well as
external connection among trading partners.
SELF-CHECK 10.3
Electronic data management (EDM)
Electronic data interchange (EDI)
Dull, R. B., Gelinas, Jr, U. J., & Wheeler, P. R. (2012). Accounting information
systems: Foundations in enterprise risk management (9th ed.). Mason, OH:
South-Western, Thomson Corporation.
Gelinas, Jr, U. J., Sutton, S. G., & Oram, A. E. (1999). Accounting information
systems (4th ed.). Mason, OH: South-Western, Thomson Corporation.
Hall, J. A. (2008). Accounting information systems (6th ed.). Mason, OH:
South-Western, Thomson Corporation.
INTRODUCTION
The trend referred to as Bring Your Own Device (BYOD) allows employees to
use their personal devices such as tablets and smartphones to access company
resources including e-mails, files, databases and applications. While providing
convenience, it also opens up security issues that companies have to address.
"There is a massive requirement for quality content management," said Anand
Kekre, co-founder and chief executive of Pune-based Vaultize that provides
data security for employees' personal devices at large companies including the
DDB Mudra group and Tech Mahindra.
(Source: The Economic Times, 25 November 2013)
In the previous topic, we have covered how the Internet and e-business help to
manage a business better, but not without a price. The Internet and e-business
also give rise to concerns and worries, especially in terms of privacy and
security.
In this topic, we continue to discuss the security and control issues attributable to
the Internet and e-business. We will begin by discussing how the increasing use
of the Internet and e-business contributes toward security issues and concerns.
Next, we will discuss the control measures to mitigate these security issues and
concerns. We will discuss the control measures that protect four major areas of
concern:
(a) The operating system;
(b) Database management system;
(c) Internal and external communication; and
(d) Electronic data interchange (EDI) environment.
ACTIVITY 11.1
Imagine you receive a phone call from your bank asking for your
Internet-banking user ID and password for verification purposes. Will
you disclose your Internet-banking user ID and password the very
moment that you were asked? If you were to disclose such information,
what do you think can happen?
How e-business gives rise to various security issues and concerns is explained
in the remainder of this section.
The more you engage in e-business activities across borders, the more you need
to consider the following issues and concerns:
(a) National and international privacy requirements;
(b) National and international requirements for regulated industries, such as
banking and finance;
(c) Enforceability of contracts;
(d) Legality of particular activities, such as Internet gambling; and
(e) Intellectual property rights.
SELF-CHECK 11.1
1. What are the major security issues and concerns in the e-business
era?
ACTIVITY 11.2
How do you ensure that nobody knows your Internet banking user ID
and password? Write down a list of steps to safeguard your user ID and
password.
Do you follow the steps you have written down all the time? Do the
steps you have listed actually work?
Internal control can address security issues and concerns in the e-business era.
However, having internal control alone is not enough. Internal control needs to
be aligned with business processes and consistently monitored and revised in
line with changes in the e-business environment. Internal control at various
levels is discussed in the remainder of this section.
In order for the operating system to perform the above functions, there are five
control objectives to achieve.
(a) Protect the operating system from users, who can destroy data or cause the
operating system to cease functioning;
(b) Protect users from accessing, destroying and corrupting each other's data
or programs;
(c) Protect users' applications from accidental corruption;
(d) Protect the operating system's applications from accidental corruption;
and
(e) Protect the operating system from destruction attributable to the
environment, such as power failure.
The control measures to ensure operating system security and to achieve the five
control objectives above are tabulated in Table 11.1.
The following security and control issues have to be taken into consideration
when designing, assessing and testing controls to preserve the operating system.
Among the control plans that facilitate achieving the control objective of
access privileges are as follows.
(i) Separation of incompatible functions is specified in organisational
policies;
(ii) Access rights of users are appropriate for users' job descriptions and
positions;
Among the control plans to achieve the control objective are as follows.
(i) Passwords are required for all users;
(ii) New users are instructed on the use of passwords and importance of
password control;
(iii) Passwords are changed regularly as part of the control procedures;
(iv) Weak passwords are identified and disallowed, which may require
use of software to scan password files;
(v) Password files are encrypted and encryption key is properly secured;
(vi) Password standards are adequate, for instance in terms of length and
expiration interval of passwords; and
(vii) Adequate lockout policy and procedures, in terms of the number of
log-on attempts allowed before the account is locked and the duration
of lockout ranging from a few minutes to permanent lockout that
requires formal reactivation of the account.
Among the control plans to achieve the control objective are as follows:
(i) Purchase software only from reputable vendors and accept only
products in their original factory-sealed packages;
(ii) Establish and enforce policies pertaining to use of unauthorised or
illegal copies of copyrighted software;
(iii) All software upgrades are examined for viruses prior to being
implemented;
(iv) New software is verified and tested on stand-alone workstations
prior to being implemented on the host or network server;
(v) All public-domain software is inspected for viruses prior to use;
(vi) Establish and enforce procedures on making changes to production
programmes;
(vii) Establish educational programme to raise user awareness of threats
from viruses and malicious programmes;
(viii) Backup key files stored on mainframes, servers or workstations on a
routine basis;
(ix) Limit users to read and execute rights only, whenever possible. This
denies users the ability to write directly to mainframe and server
directories;
(x) Require protocols that explicitly invoke the operating system's log-on
procedures to bypass Trojan horses. The log-on screen that is already
displayed for users to enter usernames and passwords has the
potential to be a Trojan horse. Requiring users to directly invoke the
log-on procedure by entering a combination of keys, such as CTRL + ALT
+ DEL, ensures that the log-on screen is legitimate; and
(xi) Maintain a current version of anti-viral software to examine
application and operating system programs for the presence of viruses
and to remove them. Anti-viral programs are used to safeguard mainframes,
network servers and personal computers.
There are two types of audit logs. First, logs of keystrokes record users'
keystrokes and the system's responses, which is useful to reconstruct details of
an event and prevent unauthorised intrusion. Keystroke monitoring has to
be considered carefully due to possible legal and ethical implications.
Second, event-oriented logs record all users (based on usernames) accessing
the system, the time and duration of each user's session, programs executed
during a session, and files, databases, printers and other resources accessed.
System audit trails are adequate when the following control objectives are
achieved.
(i) Audit trails enable detection of unauthorised access to prevent breach of
system controls;
(ii) Audit trails enable reconstruction of events, especially events that
lead to system failures or security violations. Being able to reconstruct
events facilitates assigning responsibility and avoiding similar
circumstances in the future; and
(iii) Audit trails promote personal accountability, which is a preventive
control mechanism where individuals are less likely to violate
security policies when they know their actions are recorded in audit
logs.
Among the control plans to achieve the control objectives above are as
follows:
(i) Activate audit trail according to organisational policies.
(ii) Scan audit logs (for instance, using data extraction tools) for
unusual activities. Figure 11.1 depicts an example of activities recorded
in an audit log organised by date, time, user and user's action.
(iii) The following defined conditions are useful for scanning audit logs.
Unauthorised or terminated users;
Periods of inactivity;
Activity by user, workgroup or department;
Log-on and log-off times;
Failed log-on attempts; and
Access to specific files or applications.
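An added example, not part of the module, of scanning an audit log against the defined conditions listed above. The log layout (date, time, user, action), the action names, the staff roster, the watched file and the thresholds are all assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample audit log: date, time, user, action [target].
SAMPLE_LOG = """\
2024-03-04 08:58:12 smith LOGON_OK
2024-03-04 09:02:40 smith FILE_READ /ledger/gl_master.dat
2024-03-04 09:15:03 jones LOGON_FAIL
2024-03-04 09:15:09 jones LOGON_FAIL
2024-03-04 09:15:16 jones LOGON_FAIL
2024-03-04 09:15:31 jones LOGON_OK
2024-03-04 12:01:45 smith LOGOFF
2024-03-04 12:30:00 adams LOGON_OK
2024-03-04 23:47:10 lee LOGON_OK
2024-03-04 23:49:55 lee FILE_WRITE /payroll/salaries.dat
2024-03-05 02:10:21 adams FILE_READ /payroll/salaries.dat
"""

# Assumed policy values (hypothetical, not taken from the module).
AUTHORISED_USERS = {"smith", "jones", "adams"}        # current staff roster
WATCHED_FILES = {"/payroll/salaries.dat": {"jones"}}  # file -> users allowed
BUSINESS_HOURS = (time(8, 0), time(18, 0))
MAX_FAILED_LOGONS = 3
FAILED_WINDOW = timedelta(minutes=10)
MAX_IDLE = timedelta(hours=4)


def parse_line(line):
    """Split one record into (timestamp, user, action, target or None)."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"malformed audit record: {line!r}")
    stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    target = parts[4] if len(parts) > 4 else None
    return stamp, parts[2], parts[3], target


def scan(log_text):
    """Return (timestamp, user, finding) tuples in log order."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> recent failed log-on times
    last_seen = {}                        # user -> last event in an open session

    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, target = parse_line(line)

        # Condition: unauthorised or terminated users.
        if user not in AUTHORISED_USERS:
            findings.append((stamp, user, "unauthorised or terminated user"))

        # Condition: failed log-on attempts, counted in a sliding window.
        if action == "LOGON_FAIL":
            window = recent_failures[user]
            window.append(stamp)
            while stamp - window[0] > FAILED_WINDOW:
                window.popleft()
            if len(window) == MAX_FAILED_LOGONS:
                findings.append((stamp, user, "repeated failed log-ons"))

        # Condition: log-on times outside the working day.
        in_hours = BUSINESS_HOURS[0] <= stamp.time() < BUSINESS_HOURS[1]
        if action == "LOGON_OK" and not in_hours:
            findings.append((stamp, user, "log-on outside business hours"))

        # Condition: access to specific files by users not cleared for them.
        if target in WATCHED_FILES and user not in WATCHED_FILES[target]:
            findings.append((stamp, user, f"access to watched file {target}"))

        # Condition: periods of inactivity in a session never logged off.
        if user in last_seen and stamp - last_seen[user] > MAX_IDLE:
            findings.append((stamp, user, "activity after long idle period"))
        if action == "LOGOFF":
            last_seen.pop(user, None)
        elif action != "LOGON_FAIL":
            last_seen[user] = stamp

    return findings


if __name__ == "__main__":
    for stamp, user, finding in scan(SAMPLE_LOG):
        print(stamp.isoformat(sep=" "), user, finding)
```

Each finding is a lead for the reviewer to follow up rather than proof of a violation; the thresholds would be set from the organisation's own policies.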
SELF-CHECK 11.2
(i) User views - Define users' data domain and restrict access to the
data accordingly. The database administrator ensures access privileges
are commensurate with users' legitimate needs, based on job descriptions
and positions. This is also known as subschema. Figure 11.2 illustrates
the role of user view. Smith, Jones and Adams have access to the same
set of data, i.e., account number, customer name, account balance and
credit limit.
(ii) Database authorisation table - Contains rules that limit the actions
users can take, such as read, write and delete. The table is used to
verify users' action requests. Figure 11.3 provides an example of a
database authorisation table, where Jones, a user, is authorised to
read, insert, modify and delete.
(iv) Recovery module - Uses the logs and backup files to restart the
system after a failure.
SELF-CHECK 11.3
Among the controls that facilitate achievement of the control objectives above are
as follows:
Figure 11.5 illustrates the use of two firewall interfaces. One filters incoming
requests from the Internet; the other controls access to the organisation's
intranet.
(b) Controlling denial of service (DoS) attacks - Denial of service attacks clog
the Internet ports of the victim's server with fraudulently generated
messages. The victim becomes incapable of processing legitimate
transactions. The preventive steps against DoS attacks include:
Copyright © Open University Malaysia (OUM)
TOPIC 11 SECURITY AND CONTROL ISSUES IN E-BUSINESS
(c) Encryption - Encryption converts data into a secret code for storage and
transmission. As illustrated in Figure 11.6, the sender uses an encryption
algorithm to convert original data, i.e., cleartext message, into ciphertext
prior to transmission. Even if computer criminals were to intercept the
ciphertext while being transmitted, the data contents are not readily
accessible. For the data contents to be accessible, the ciphertext has to be
decrypted or decoded back into cleartext, using the algorithm to which only
the receiver has access.
Encryption algorithms use keys that are typically 56 to 128 bits in length.
More bits in the keys make the encryption stronger. There are two general
approaches to encryption:
(i) Private key encryption - The sender and the receiver use the same key
to encrypt and decrypt the message respectively. To enhance security,
triple-DES (data encryption standard) can be used. Two forms of
triple-DES are EEE3 and EDE3. EEE3 uses three keys to encrypt the
message three times. EDE3 uses the first key to encrypt the message,
second key to decrypt the same message into a garbled message (not
cleartext), and third key to encrypt the garbled message further.
Figure 11.7 illustrates EEE3 and EDE3 encryption. A common
problem with private key encryption is that the more people who need
to know the key, the more likely perpetrators are to discover it; once
the key is discovered, intercepted coded messages can be deciphered.
(ii) Public key encryption - The sender and receiver use different keys to
encrypt and decrypt the messages, respectively. Each receiver has a
private key that is not shared and a public key that is published. The
sender uses the receiver's public key to encrypt the message. The
receiver uses his/her private key to decrypt the message.
digital signature. Third, the digest and message are encrypted with the
receiver's public key and transmitted to the receiver. The receiver
decrypts the message with the receiver's private key to produce the digital
signature and cleartext message. Then, the receiver uses the sender's public
key to decrypt the digital signature to produce the digest. The receiver
calculates a digest from the cleartext message, which is then compared with
the digest from the sender to ascertain whether the transmitted message
has been tampered with. Figure 11.8 summarises the process discussed
above.
(g) Message transaction log - Incoming and outgoing messages and attempted
access are recorded in the log, together with user ID, time of access,
terminal location or telephone number from which access originates. Hackers'
efforts can be detected from the log.
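The digital signature exchange described above, carried through for both sender and receiver, as an added example that is not part of the module. It assumes unpadded textbook RSA, SHA-256 as the digest, and demonstration keys built from well-known Mersenne primes so that it runs on the standard library alone; keys built this way are trivial to factor and serve only to show the digest comparison.

```python
import hashlib

E = 65537  # public exponent (assumed; a common choice)


def make_keypair(p, q):
    """Build a textbook RSA key pair (public, private) from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (E, n), (d, n)


# Constructed demonstration keys. The receiver's modulus is the larger one so
# that the sender's signature always fits under it.
SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)


def rsa(value, key):
    """Apply one RSA operation (encrypt or decrypt) with the given key."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this key's modulus")
    return pow(value, exponent, n)


def digest(message):
    """Digest of the cleartext message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def send(message):
    """Sender: sign the digest, then encrypt signature and message."""
    signature = rsa(digest(message), SENDER_PRIV)       # digital signature
    return {
        "sig": rsa(signature, RECEIVER_PUB),
        "msg": rsa(int.from_bytes(message, "big"), RECEIVER_PUB),
        "len": len(message),
    }


def receive(packet):
    """Receiver: decrypt, recover the sender's digest, recompute, compare."""
    signature = rsa(packet["sig"], RECEIVER_PRIV)
    value = rsa(packet["msg"], RECEIVER_PRIV)
    size = max(packet["len"], (value.bit_length() + 7) // 8)
    message = value.to_bytes(size, "big")
    try:
        senders_digest = rsa(signature, SENDER_PUB)
    except ValueError:
        return message, False          # signature cannot be the sender's
    return message, senders_digest == digest(message)


def swap_message(packet, replacement):
    """Constructed test case: the message part is replaced in transit."""
    forged = dict(packet)
    forged["msg"] = rsa(int.from_bytes(replacement, "big"), RECEIVER_PUB)
    forged["len"] = len(replacement)
    return forged


if __name__ == "__main__":
    packet = send(b"PAY 100 TO ACCT 42")
    print(receive(packet))
    print(receive(swap_message(packet, b"PAY 900 TO ACCT 66")))
```

The replaced message decrypts cleanly, which is why encryption alone does not show tampering; only the digest comparison does.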
SELF-CHECK 11.4
1. What is a firewall?
2. What are the ways to protect data and/or messages in the event
such data and/or messages fall into the wrong hands?
The following are control issues and how controls should be designed and
applied to achieve the control objectives in the EDI environment.
It is important to ensure valid customer and vendor files are accessible only
to authorised employees. The password file should also be encrypted.
Figure 11.9: EDI with transaction control log for audit trail
Source: Hall (2008)
SELF-CHECK 11.5
• The Internet and e-business activities have brought about security issues and
concerns. The extent to which an organisation relies completely on e-business or
uses e-business as a complement, the e-business strategies adopted, the extent of
the use of e-business, and outsourcing arrangements, if any, all contribute
towards security issues and concerns.
• The operating system is the first line of defence to mitigate security concerns.
Access privileges to the information system, password protection, malicious
and destructive programs, and system audit trail are areas of concern in
preserving the integrity of the operating system.
• Integrity of the database management system also needs to be preserved, via
access and backup controls.
• Integrity of information communicated regardless of internal or external
communication, especially in the EDI environment where communication is
devoid of human intervention, also needs to be preserved.
INTRODUCTION
The Internet and e-business give rise to more opportunities for value creation
and adoption of business strategies that are previously not feasible. However, not
everybody manages to capitalise on such opportunities as evidenced by the fall
of dot-coms in the early 2000s.
The Internet and e-business help to manage a business better, but not without a
price. The Internet and e-business also bring us concerns and worries, especially
in terms of privacy and security. In this topic, we continue to discuss the security
and control issues attributable to the Internet and e-business.
ACTIVITY 12.1
Do you use Internet banking? Write down all the factors that
encourage as well as discourage you from using Internet banking. Try to
reflect on all the factors you managed to identify.
12.1 RISKS
The future is uncertain due to many unforeseen circumstances. Future events can
have a positive impact, which presents opportunities, as well as negative impact,
which presents risks. Opportunities help to attain organisational objectives and
support value creation and/or preservation whereas risks hinder value creation
and may even erode existing values.
COSO's views of risks and how to manage risks suggest that anticipating,
assessing and managing risks have become part and parcel of everyday business
activities. Every individual at every level in the organisation is responsible for
anticipating, assessing and managing risks while going through everyday tasks of
operating the business.
As unforeseen circumstances come in many ways and have the potential to affect
any part of the business operations, COSO (2004) provided a risk management
framework to guide businesses on what to focus on in managing risks. Successful
risk management enables you to deal effectively with unforeseen circumstances
where you are able to minimise their negative effects and maximise their positive
effects, if any.
(h) Monitoring
The risk management process has to be evaluated, via management activities,
separate evaluations, or both. Modifications are made to any component of
the risk management process when required. For example, achievement of
strategic objectives is measured in terms of profitability and controls are
reviewed to determine whether a different response or additional actions are
required.
SELF-CHECK 12.1
Imagine that your best friend inherited a business from his relative. It is a
retail business in sports equipment and apparel, with a retail outlet in
Mid Valley Megamall. Your friend has requested for your participation
as a business partner and you have agreed.
Try to identify and assess risks associated with the business. Use your
knowledge to identify the circumstances capable of increasing and
decreasing risks for each of the eight components of risk management.
Complete the table below.
COSO and Statement on Auditing Standards No. 78 (SAS No. 78) define internal
control as consisting of five interrelated components that constitute a subset of
enterprise risk management components discussed earlier.
(e) Monitoring
Assessment of internal control performance over time, which serves as a
feedback to determine whether certain components of internal control
require adjustments.
[Table: processes (with controls), Process 1 to Process n, checked against the objectives: strategy setting, effectiveness of operations, efficiency of operations, reliability of reporting, and compliance with laws and regulations]
Control plans are policies and procedures that assist in achieving control goals.
Control plans can be categorised based on their breadth of coverage, as follows.
Control plans can also be categorised according to the timing of their occurrence,
which are as follows.
(a) Preventive control plans prevent problems from occurring;
(b) Detective control plans detect problems that occur; and
(c) Corrective control plans correct problems that occur.
Figure 12.3 provides an example of a control matrix that aligns control goals with
the relevant control plans. Control plans that are in place are indicated by a "P",
e.g. "P-1" and "P-2". Control plans that are missing are indicated by an "M", e.g.,
"M-1" and "M-2". You can assess to what extent control goals are aligned with
control plans by evaluating the control plans that are present and missing as
indicated in the control matrix.
SELF-CHECK 12.2
Management assessed the most significant risk to this objective (that is, the high
level of uncertainty regarding actual demand from the OEM) and assessed costs
and benefits of the following risk responses:
A Accept: Absorb the costs of having to respond to late changes in OEM
demand, and consider the extent to which it can produce and sell
product to other customers within the constraints of the OEM
relationship.
B Avoid: Exit the relationship with the OEM, and establish relationships
with new customers offering more stable demand.
Once you have decided on a choice of risk response, you need to make a choice
on control activities in a similar manner, i.e., based on evaluation of costs and
benefits of control alternatives. A control matrix, as discussed in the previous
section is helpful in making such evaluations. Control activities can support risk
responses. Control activities can also be risk responses in certain circumstances.
Figure 12.5 provides an example of the evaluation. Control activities and risk
responses are evaluated in terms of reduction in the likelihood and impact of
risks that obstruct achievement of reporting objectives in terms of completeness,
accuracy and validity. Notice that likelihood of residual risks is lower with
control activities, compared with likelihood of inherent risks.
Reporting objectives: Asset acquisitions and expenses incurred are entered for processing completely (C) and accurately (A) and are valid/occurred (V)
Unit of measure: Financial reporting errors detected, measured in RM
Target: Errors in monthly financial statements are less than RM100,000
Tolerance: Errors less than RM110,000
Risks | Inherent risk assessment: Likelihood | Inherent risk assessment: Impact | Residual risk assessment: Likelihood | Residual risk assessment: Impact
Vendor invoice amounts are captured incorrectly | Possible 50% | Minor RM5,000-RM15,000 | Almost unlikely 20% | Minor RM2,500-RM7,500
Vendor invoices are not received prior to the month end cutoff | Almost certain 80% | Moderate $10,000-$25,000 | Possible 50% | Minor RM2,500-RM7,500
Vendors are paid from statements as well as invoices, resulting in duplicate payments | Possible 50% | Minor $5,000-$15,000 | Almost unlikely 20% | Minor $5,000-$7,500
Risk responses (all three risks): See below for control activities that serve as the responses to risks
SELF-CHECK 12.3
2. When residual risks are not any different compared with inherent
risks, in terms of both likelihood and impact of risks, what does that
mean to you?
How do you decide what is right or wrong to do? Once you have decided what is
right to do, how do you do it? What is right or wrong, ethical and unethical is
subjective and there is no universally agreed upon answer. This is further
complicated by conflict of interests and responsibilities across stakeholders, i.e.,
board of directors, employees, customers, suppliers, shareholders, regulators, etc.
Every major decision has the potential to be harmful and beneficial to various
stakeholders. The quest for a balance between harmful versus beneficial
consequences, which is often easier said than done, is every business organisation's
ethical responsibility (Hall, 2008). Among the ethical principles that promote
ethical responsibility are as follows:
12.4.1 Fraud
Fraud is a major ethical issue that causes the downfall of large corporations.
Common law has defined the characteristics of fraud as follows (Hall, 2008).
(b) Material fact: There must be a fact that is substantial in inducing someone to
act.
(c) Intent: There must be an intent to deceive or the knowledge that one's
knowledge is false.
(e) Injury or loss: The deception must have caused injury or loss to the victim of
the fraud.
(c) Personal characteristics: E.g., the cashier does not feel guilty if Giant were to
lose some cash due to the belief that Giant is resource-rich.
Large public accounting firms, especially the Big Four, have checklists to help
uncover fraudulent activities. Business organisations can also make use of such
checklists as part of risk assessment to determine possible risk responses that can
reduce inherent risks of fraud, by minimising the likelihood and impact of fraud.
Example questions in such checklists are as follows.
SELF-CHECK 12.4
1. What is ethics?
2. What are the ethical principles that promote ethical responsibility?
3. What is fraud?
4. How do you reduce the inherent risks of fraud in your business
organisation?