BBAS4103

Accounting Information System I

Copyright © Open University Malaysia (OUM)


Rina Md Anwar
Hasniza Yahya
Bong Kit Siang
Lau Yeng Wai



Project Director: Prof Dato’ Dr Mansor Fadzil
Open University Malaysia

Module Writers: Rina Md Anwar
Hasniza Yahya
Universiti Tun Abdul Razak
Bong Kit Siang
Universiti Tenaga Nasional
Lau Yeng Wai
Universiti Putra Malaysia

Moderator: Norhaslinda Zakaria
Management & Science University

Developed by: Centre for Instructional Design and Technology
Open University Malaysia

First Edition, August 2017

Copyright © Open University Malaysia (OUM), August 2017, BBAS4103


All rights reserved. No part of this work may be reproduced in any form or by any means
without the written permission of the President, Open University Malaysia (OUM).


Table of Contents
Course Guide

Topic 1 Accounting Information System: An Overview
1.1 A Framework for Information System
1.1.1 The Accounting Information System (AIS)
1.1.2 The Management Information System (MIS)
1.2 The Revolution of Telecommunications Infrastructure
1.2.1 The Manual Process Model
1.2.2 The Flat File Model
1.2.3 The Database Model
1.2.4 The REA Model
1.2.5 ERP Systems
1.3 The Role of the Accountant
1.3.1 Accountants as the Users
1.3.2 Accountants as the System Designers
1.3.3 Accountant as the System Auditors
Summary
Key Terms
References

Topic 2 Information and Business Operation
2.1 Information and Business Operations
2.2 Information and Business Management
2.3 Basic Business Processing
2.4 Business Processing Activities
2.4.1 Entering Customer Orders
2.4.2 Billing Customers
2.4.3 Collecting Customer Payments
2.4.4 Keeping Track of Inventory
2.4.5 Purchasing Stock and Materials
2.4.6 Paying Bills
2.4.7 Paying Employees
2.4.8 Reporting Financial Information
Summary
Key Terms
References

Topic 3 Accounting Records and Documentation Techniques
3.1 Accounting Records in Manual Systems
3.1.1 Documents
3.1.2 Journal
3.1.3 Ledgers
3.2 Accounting Records in Computer-Based Systems
3.3 Documentation Technique
3.3.1 Entity Relationship Diagram
3.3.2 Data Flow Diagrams
3.3.3 Flowcharts
Summary
Key Terms
References

Topic 4 Control and Accounting Information Systems
4.1 Need for Control and Audit of Computers
4.1.1 Organisational Costs of Data Loss
4.1.2 Incorrect Decision Making
4.1.3 Costs of Computer Abuse
4.1.4 Value of Computer Hardware, Software and Personnel
4.1.5 High Costs of Computer Error
4.1.6 Maintenance of Privacy
4.1.7 Controlled Evolution of Computer Use
4.2 Overview of Control Concepts
4.2.1 Functions of Internal Control
4.2.2 Effects of Computers on Internal Controls
4.3 Computer-Based Information Systems Control
4.3.1 The Management Control Framework
4.3.2 The Application Control Framework
Summary
Key Terms
References

Topic 5 Accounting Transaction Cycles
5.1 Economic Events
5.2 Economic Events and Accounting Transactions
Summary
Key Terms
References

Topic 6 Revenue Cycle Applications
6.1 Revenue Cycle Business Activities
6.1.1 Processing Customer Orders
6.1.2 Delivery/Shipping of Goods or Providing a Service
6.1.3 Invoicing and Recording Accounts Receivable
6.1.4 Accounts Receivable Ledger
6.2 Internal Controls Procedures for the Revenue Cycle
6.3 Computer Application Systems for the Revenue Cycle
6.4 Controls in the Computer Environment
6.4.1 Order Entry System
6.4.2 Shipping System
6.4.3 Billing System
6.4.4 Cash Receipts System
Summary
Key Terms
References

Topic 7 Expenditure Cycle Applications
7.1 Purchasing and Cash Disbursement Subsystems
7.1.1 Purchasing Subsystems
7.1.2 Cash Disbursement Subsystems
7.1.3 Internal Controls for Purchase and Cash Disbursement Activities
7.1.4 Computer Application Systems for Purchase and Cash Disbursement Activities
7.1.5 Controls in the Computer Environment
7.2 Payroll and Fixed Asset Subsystems
7.2.1 Payroll Subsystems
7.2.2 Fixed Asset Subsystems
7.2.3 Internal Controls Procedures for the Payroll Subsystem
7.2.4 Computer Application Systems for Payroll Activities
7.2.5 Controls in the Computer Environment
Summary
Key Terms
References

Topic 8 Production Cycle Applications
8.1 Production Cycle Activities
8.1.1 Product Design
8.1.2 Planning and Scheduling
8.1.3 Product Operations
8.1.4 Cost Accounting
8.2 Internal Controls Procedures for Production Cycle
8.3 Computer Application Systems for the Production Cycle
8.3.1 Inventory System
8.3.2 Cost Accounting System
8.4 Controls in the Computer Environment
8.4.1 Inventory System
8.4.2 Cost Accounting System
Summary
Key Terms
References

Topic 9 General Ledger and Reporting System
9.1 General Ledger and Reporting Activities
9.1.1 Updating General Ledger
9.1.2 Post Adjusting Entries
9.1.3 Prepare Financial Statements
9.1.4 Produce Managerial Reports
9.2 Internal Controls for General Ledger and Reporting System
9.3 Computer Application Systems
9.3.1 Journal Entry and Financial Reporting System
9.3.2 Property System
9.4 Controls in the Computer Environment
9.4.1 Property System
9.4.2 Journal Entry and Financial Reporting Systems
Summary
Key Terms
References

Topic 10 E-Business
10.1 Electronic Business (E-Business)
10.1.1 Business Processes Involving External Parties
10.1.2 Internal Business Processes
10.2 Changes in Business Processes
10.2.1 Online Transaction Entry (OLTE)
10.2.2 Online Real-time (ONRT) Processing
10.2.3 Online Transaction Processing (OLTP)
10.3 Infrastructure for E-Business
10.3.1 Communication Networks
10.3.2 Methods for Conducting E-Business
Summary
Key Terms
References

Topic 11 Security and Control Issues in E-Business
11.1 Security Issues and Concerns
11.1.1 Reliance on E-Business
11.1.2 E-Business Strategy
11.1.3 Extent of E-Business Activities
11.1.4 Outsourcing Arrangements
11.1.5 Legal and Regulatory Issues
11.2 Internal Control Considerations
11.2.1 Operating System
11.2.2 Database Management System
11.2.3 The Internet and Communication
11.2.4 Electronic Data Interchange (EDI) Controls
Summary
Key Terms
References

Topic 12 Risk Assessment and Management
12.1 Risks
12.1.1 Risk Management
12.2 Internal Control
12.2.1 Assessing Internal Control
12.2.2 Control Matrix
12.3 Cost-Benefit Considerations
12.4 Ethical Issues in Business
12.4.1 Fraud
Summary
Key Terms
References

COURSE GUIDE


COURSE GUIDE DESCRIPTION


You must read this Course Guide carefully from the beginning to the end. It tells
you briefly what the course is about and how you can work your way through
the course material. It also suggests the amount of time you are likely to spend in
order to complete the course successfully. Please keep on referring to the Course
Guide as you go through the course material as it will help you to clarify
important study components or points that you might miss or overlook.

INTRODUCTION
BBAS4103 Accounting Information System I is one of the courses offered at Open
University Malaysia (OUM). This course is worth 3 credit hours and should be
covered over 8 to 15 weeks.

COURSE AUDIENCE
This is a core course for all learners undertaking the Bachelor Degree in
Accountancy programme.

As an open and distance learner, you should be able to learn independently and
optimise the learning modes and environment available to you. Before you begin
this course, please confirm the course material, the course requirements and how
the course is conducted.

STUDY SCHEDULE
It is a standard OUM practice that learners accumulate 40 study hours for every
credit hour. As such, for a three-credit hour course, you are expected to spend
120 study hours. Table 1 gives an estimation of how the 120 study hours could be
accumulated.


Table 1: Estimation of Time Accumulation of Study Hours

| Study Activities | Study Hours |
|---|---|
| Briefly go through the course content and participate in initial discussions | 3 |
| Study the module | 60 |
| Attend 3 to 5 tutorial sessions | 10 |
| Online participation | 12 |
| Revision | 15 |
| Assignment(s), Test(s) and Examination(s) | 20 |
| TOTAL STUDY HOURS ACCUMULATED | 120 |

COURSE OUTCOMES
By the end of this course, you should be able to:
1. Describe the meaning of accounting information system as compared to
management information system;
2. Discuss the development in accounting, the criticism, architecture and the
alternative information system architecture; and
3. Discuss business process modelling including control and audit in
accounting information system environment.

COURSE SYNOPSIS
This course is divided into 12 topics. The synopsis for each topic is presented
below:

Topic 1 gives learners a brief overview of the accounting information system and
discusses the subject of accounting information systems from the accountant's
perspective.

Topic 2 explains how information flows within a business to support business
operations and how an Information System might help in managing a business. This
topic also describes several basic business information processing activities.

Topic 3 describes the relationship between accounting records and the
documentation techniques used in both manual and computer-based systems.


Topic 4 describes the existence of a sound system for internal control in order to
ensure asset safeguarding, data integrity, system effectiveness and system
efficiency.

Topic 5 explains preliminary topics that are common to all three transaction
processing cycles, namely the revenue cycle, the expenditure cycle and the
conversion cycle.

Topic 6 describes the revenue cycle activities. This includes internal control
procedures, computer application system and controls in the computer
environment for revenue cycle activities.

Topic 7 describes the expenditure cycle activities (purchasing and cash
disbursement and payroll). This includes internal control procedures, computer
application system and controls in the computer environment for expenditure
cycle activities.

Topic 8 discusses the production cycle activities, internal control procedures
for the production cycle, the computer application system for the production
cycle and controls in the computer environment for the production cycle
activities.

Topic 9 discusses the general ledger and reporting activities. This includes
internal control procedures, computer application system, and controls in the
computer environment for the financial cycle activities.

Topic 10 describes how e-business improves coherence, operational efficiency
and effectiveness of internal business processes. Learners will also learn how
e-business facilitates connection across organisations with suppliers, customers
and other trading partners.

Topic 11 highlights how the Internet and e-business activities bring security
issues and concerns. The operating system is the first line of defence to
mitigate security concerns. The integrity of the database management system also
needs to be preserved, via access and backup controls.

Topic 12 identifies risk in e-business and how we can manage it. This includes
ethics in risk management.


TEXT ARRANGEMENT GUIDE


Before you go through this module, it is important that you note the text
arrangement. Understanding the text arrangement will help you to organise your
study of this course in a more objective and effective way. Generally, the text
arrangement for each topic is as follows:

Learning Outcomes: This section refers to what you should achieve after you
have completely covered a topic. As you go through each topic, you should
frequently refer to these learning outcomes. By doing this, you can continuously
gauge your understanding of the topic.

Self-Check: This component of the module is inserted at strategic locations
throughout the module. It may be inserted after one sub-section or a few
sub-sections. It usually comes in the form of a question. When you come across
this component, try to reflect on what you have already learnt thus far. By
attempting to answer the question, you should be able to gauge how well you have
understood the sub-section(s). Most of the time, the answers to the questions can
be found directly from the module itself.

Activity: Like Self-Check, the Activity component is also placed at various
locations or junctures throughout the module. This component may require you
to solve questions, explore short case studies, or conduct an observation or
research. It may even require you to evaluate a given scenario. When you come
across an Activity, you should try to reflect on what you have gathered from the
module and apply it to real situations. You should, at the same time, engage
yourself in higher order thinking where you might be required to analyse,
synthesise and evaluate instead of only having to recall and define.

Summary: You will find this component at the end of each topic. This component
helps you to recap the whole topic. By going through the summary, you should
be able to gauge your knowledge retention level. Should you find points in the
summary that you do not fully understand, it would be a good idea for you to
revisit the details in the module.

Key Terms: This component can be found at the end of each topic. You should go
through this component to remind yourself of important terms or jargon used
throughout the module. Should you find terms here that you are not able to
explain, you should look for the terms in the module.

References: The References section is where a list of relevant and useful
textbooks, journals, articles, electronic contents or sources can be found. The list
can appear in a few locations such as in the Course Guide (at the References
section), at the end of every topic or at the back of the module. You are
encouraged to read or refer to the suggested sources to obtain the additional
information needed and to enhance your overall understanding of the course.

PRIOR KNOWLEDGE
No prior knowledge is required.

ASSESSMENT METHOD
Please refer to myINSPIRE.

REFERENCES
Boockholdt, J. L. (1999). Accounting information systems. Singapore: McGraw-Hill.

Dunn, C., Cherrington, J. O., & Hollander, A. S. (2005). Enterprise information
systems: A pattern-based approach (3rd ed.). Singapore: McGraw-Hill.

Hall, J. A. (2001). Accounting information systems. Ohio: Thomson Learning.

Nickerson, R. C. (2001). Business and information systems. New Jersey: Prentice Hall.

O'Brien, J. A. (2003). Introduction to information system. New York: McGraw-Hill
Irwin.

Robert, C. N. (2001). Business and information systems. New Jersey: Prentice Hall.

Romney, M. B., & Steinbart, P. J. Accounting information systems (9th ed.). New
Jersey: Prentice Hall.

Ron, W. (1999). Information systems control and audit. New Jersey: Prentice Hall.

Wilkinson, J. W., Cerullo, M. J., Raval, V., & Wong-on-Wing, B. (2000). Accounting
information systems (4th ed.). New York: John Wiley and Sons.


TAN SRI DR ABDULLAH SANUSI (TSDAS) DIGITAL LIBRARY
The TSDAS Digital Library has a wide range of print and online resources for
the use of its learners. This comprehensive digital library, which is accessible
through the OUM portal, provides access to more than 30 online databases
comprising e-journals, e-theses, e-books and more. Examples of databases
available are EBSCOhost, ProQuest, SpringerLink, Books247, InfoSci Books,
Emerald Management Plus and Ebrary Electronic Books. As an OUM learner,
you are encouraged to make full use of the resources available through this
library.


Topic 1 Accounting Information System: An Overview
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Define system, subsystem and Information System;
2. Distinguish the differences between Accounting Information System
(AIS) and Management Information Systems (MIS);
3. Explain two classifications of transaction;
4. Discuss the evolution of information system model; and
5. Explain three roles of accountant in AIS.

INTRODUCTION
"To cope with the rapid growth of the company, a sophisticated accounting
software package, Sun Account, was installed in 1995. The result was radical
improvements in accounting procedures. Today, for example, it takes less
than 10 minutes rather than a day to produce an ad hoc special report. Many
reports are generated, helping functional managers make quicker and better
decisions. The system is also much more reliable, and internal and external
auditing is easier. Headquarters knows what is going on almost as soon as it
occurs. All these improvements have led to a substantial growth in revenue
and profits for the firm."
(Source: Condensed from IT Asia, August 1995)
Taken from Information Technology for Management, Second Edition
Update by Efraim Turban, Ephraim McLean and James Wetherbe.
John Wiley & Sons © 2001


1.1 A FRAMEWORK FOR INFORMATION SYSTEM

ACTIVITY 1.1

Imagine you are in a grocery store like Carrefour or Giant. You are
there to buy household needs for the whole week. Suddenly, when you
arrive at the cashier, the whole transaction processing system crashes
and you are not able to bring home any of the goods. How do
you think business information systems directly affect your life?

Before we look at the framework, let us look at Table 1.1 for the definition of
system, subsystem and information system.

Table 1.1: Definition of System, Subsystem and Information System

| Term | Definition |
|---|---|
| System | A group of elements that are integrated with the common purpose of achieving one objective. |
| Subsystem | A system within a system; that is, a situation in which systems exist on more than one level. |
| Information System | An organised combination of people, hardware, software, communication networks and data resources that stores, retrieves, transforms and disseminates information in an organisation. |

Information System (IS) is divided into two subsystems (refer to Figure 1.1).

Figure 1.1: Two major subsystems of IS


Let us look closely at the chart shown in Figure 1.2, which gives an example
of an Information System (IS) for a manufacturing firm. The main difference
between AIS and MIS is the type of transaction they process.
The domain of the AIS can be identified by using the framework shown in Figure
1.2. We should note that the framework is just a conceptual view; the
organisation of a real IS could be different from Figure 1.2. Normally, in a
real-world environment, the AIS and MIS applications are integrated so that the
business operation runs efficiently and smoothly.

Figure 1.2: Framework for information system


Source: Hall, J. (2001)

As we know, the basic configuration of an IS is that input resources are
transformed into output resources by going through certain processes. Figure 1.3
shows the types of transactions processed by the IS. The transactions (financial
and non-financial) are considered as inputs and go through various processes.
The outputs are then received by users.


Figure 1.3: Transactions processed by the information system


Source: Hall, J. (2001)

We talk about transactions all the time. However, what does the term actually
mean? A transaction is an event that affects or is of interest to the
organisation and that is processed by its information system as a unit of work.
According to Hall (2004), transactions can be classified into two types:
(a) Financial transaction; and
(b) Non-financial transaction.

Now, let us look at Table 1.2 for the definition of financial and non-financial
transaction.
Table 1.2: Two Classifications of Transaction
| Classification | Definition | Examples |
|---|---|---|
| Financial Transaction | Economic event that affects the assets and equities of the organisation, reflected in its accounts, and measured in monetary terms. | Product sales; and inventory purchase. |
| Non-financial Transaction | All events processed by the organisation's information system that do not meet the narrow definition of a financial transaction, and measured in non-monetary terms. | Adding new customer to the list; and updating the supplier's information log. |

SELF-CHECK 1.1

Distinguish between financial and non-financial transactions. Give
three examples of each category.


1.1.1 The Accounting Information System (AIS)


The accounting information system (AIS) is involved in processing both financial
and non-financial transactions. The AIS consists of three major subsystems.

(a) Transaction Processing System (TPS)
A Transaction Processing System records and processes data from business
operations on a daily basis. This system produces product information for
internal and external use. Within a TPS, there are three (3) transaction cycles:
(i) Revenue cycle;
(ii) Expenditure cycle; and
(iii) Production/conversion cycle.

Each cycle has various activities that distinguish it from the others.
We will discuss these cycles later in Topics 6, 7 and 8.

(b) General Ledger (GL)/Financial Reporting System (FRS)
GL/FRS produces traditional financial statements. They are normally
viewed as a single system although they are actually two different
subsystems. Generally, the General Ledger System (GLS) gets most of its
input from the transaction cycles. The general ledger control accounts are
updated after the GLS has processed the summary of the transaction cycle
activities. The Financial Reporting System (FRS) measures and reports the
status of, and changes in, financial resources through outputs such as the
income statement, tax returns and other reports required by law.

(c) Management Reporting System (MRS)
MRS provides financial reports and information needed by the management
during the decision-making phase. Examples of the reports are budgets,
variance reports and others.

1.1.2 The Management Information System (MIS)


The management information system (MIS) is involved in processing non-financial
transactions that are not processed by the traditional AIS. In certain cases,
both financial and non-financial data need to be integrated, which involves
both AIS and MIS. Let us look at an example of AIS and MIS integration
in a payroll system.


The payroll department gets personnel data from the Personnel/Human
Resource department, which uses an MIS application such as a Human Resource
Information System. Meanwhile, each employee's total working information is
supplied by the Production Department, which uses an AIS application,
specifically in the Expenditure Cycle. Where the manager requires related
reports, such as the total payout for the month for each employee and the
total overtime payment for each employee, integration has to take place.
Hence, the coordination between these two systems is very important, since it
may produce unreliable information if executed wrongly.

Currently, most organisations have included both AIS and MIS features in
their information systems. This enhances the use of the information systems
and at the same time improves the operations of the organisation. Due to this
situation, the traditional role of accountants has changed, as they are now
required to provide correct and reliable non-financial data.

1.2 THE REVOLUTION OF TELECOMMUNICATIONS INFRASTRUCTURE
Before the current AIS existed, a few other models were in use. New models
were created because of the drawbacks and limitations of the previous models.
The newest model usually did not immediately replace the older models. In some
cases, different organisations may have different generations of the models.

The Information System comprises five models, as shown in Figure 1.4.


Figure 1.4: Evolution of information system model

1.2.1 The Manual Process Model


The manual process model is the oldest and most traditional type of system.
Manual systems represent the physical resources, events and staff involved
in business processes. This model also includes the physical task of record
keeping. Nowadays, manual models are seldom used in an organisation.
Figure 1.5 illustrates the elements needed in the manual process model.


Figure 1.5: The manual process model

However, this model is useful for learning the basic business concepts manually,
before moving on to the computer-based system. Besides, the logic of a business
process is much easier to understand when we separate the technology from the
process. We can easily understand internal control activities such as audit
trails and access controls through an understanding of the manual process.

1.2.2 The Flat File Model


The flat file model is also known as legacy systems. This model does not promote
data sharing. Thus, any data or file needed by different individuals or
departments must be provided separately to each of them. This is in contrast to
database management systems. Although legacy systems are being replaced by
database management systems, there are organisations that still use them.

In this environment, data files are not related to each other. For instance, in
an organisation, if there are 10 departments using the same file, the legacy
system will hold 10 copies of that file and the data will be processed
individually. Any change to the data must be made in all copies, which makes the
process more tedious. Each individual or department must be aware of any updates
and promptly update the same files at all the different locations/departments.

Now, let us look at Figure 1.6 which illustrates the flat file model.

Figure 1.6: Flat file model


Source: Hall, J. (2001)


As Figure 1.6 shows, there are three different users, each using their own
stand-alone system. Each system uses specific files for its application.
(a) Accounting section through Billing/Accounts Receivable System uses
Customer Data, Sales Invoices and Cash Receipts;
(b) Marketing section through Product Promotion System uses Customer Data
and Sales Invoice; and
(c) Product Services through Service Scheduling System uses Customer Data
and Product Services Schedule.
If the Accounting section updates the data in the Sales Invoice file, then the
file in the Product Promotion System must be updated too. Data redundancies
exist because the same files exist in different systems in an organisation. This
can lead to three problems, as shown in Table 1.3.

Table 1.3: Problems That Will Occur Due to Data Redundancies

| Problem | Explanation |
|---|---|
| Data Storage | Unnecessary storage costs of paper documents and/or magnetic form. |
| Data Updating | Modifications must be performed several times. |
| Currency of Information | Potential problem of failing to update all affected files. |

1.2.3 The Database Model


The database model is widely used in most organisations. It was designed
to overcome the problems caused by the flat file model. A database is a set of
interrelated files or a collection of data arranged for ease and speed of search
and retrieval. Figure 1.7 shows an example of the database model for an
organisation.


Figure 1.7: Database model


Source: Hall, J. (2001)

Based on the figure, the users are the Accounting, Marketing and Product
Services departments. These departments use the same file, Customer
Sales, but each department has a different user view. For
example, the Accounting department only needs to view Current Account Receivable.
The Customer Sales file is stored in the database, which is managed and
controlled by the Database Management System (DBMS).

Each user has his own level of access to the database. When a user submits a
request to view data, the DBMS validates the request and authorises access to
the database based on the user's level of authority. The request is denied if
the user tries to access data that he is not authorised to view.

The database model is slightly different from the flat file model in that it
promotes the data sharing concept. Data sharing can solve the problems
caused by the flat file model, such as data redundancy.
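
The user views and the authorise-or-deny step described above can be sketched with SQLite, as an added example that is not part of the original module. The column names, the Marketing and Product Services view definitions, the department-to-view mapping and the sample rows are assumptions made for illustration; only the Accounting view of Current Account Receivable comes from the text.

```python
import sqlite3

# Constructed sample data: one shared Customer Sales table, the single copy
# that replaces the per-department flat files.
SAMPLE_ROWS = [
    (1, "Aminah Trading", 1200.00, "Pump P-10", "2017-09-01"),
    (2, "Borneo Supplies", 0.00, "Valve V-2", "2017-10-15"),
]

# Assumed mapping: each department is authorised for exactly one user view.
AUTHORISED_VIEW = {
    "accounting": "v_accounts_receivable",
    "marketing": "v_purchase_history",
    "product_services": "v_service_schedule",
}


def build_database():
    """Create the shared table and one user view per department."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE customer_sales (
            customer_id  INTEGER PRIMARY KEY,
            name         TEXT NOT NULL,
            current_ar   REAL NOT NULL,   -- current accounts receivable
            product      TEXT NOT NULL,
            next_service TEXT NOT NULL
        );
        CREATE VIEW v_accounts_receivable AS
            SELECT customer_id, name, current_ar FROM customer_sales;
        CREATE VIEW v_purchase_history AS
            SELECT customer_id, name, product FROM customer_sales;
        CREATE VIEW v_service_schedule AS
            SELECT customer_id, name, product, next_service FROM customer_sales;
        """
    )
    db.executemany(
        "INSERT INTO customer_sales VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    return db


def request_view(db, department, view):
    """Play the DBMS role: validate the request, then authorise or deny it."""
    allowed = AUTHORISED_VIEW.get(department)
    if allowed is None or view != allowed:
        raise PermissionError(f"{department!r} is not authorised for {view!r}")
    # Only a name taken from the fixed allow-list is placed in the statement;
    # the caller's string is compared against it and never executed directly.
    cur = db.execute(f"SELECT * FROM {allowed} ORDER BY customer_id")
    columns = [c[0] for c in cur.description]
    return [dict(zip(columns, row)) for row in cur.fetchall()]


def rename_customer(db, customer_id, new_name):
    """One update to the shared table; every user view reflects it at once."""
    db.execute(
        "UPDATE customer_sales SET name = ? WHERE customer_id = ?",
        (new_name, customer_id),
    )


if __name__ == "__main__":
    db = build_database()
    print(request_view(db, "accounting", "v_accounts_receivable"))
    try:
        request_view(db, "marketing", "v_accounts_receivable")
    except PermissionError as exc:
        print("denied:", exc)
    rename_customer(db, 1, "Aminah Trading Sdn Bhd")
    print(request_view(db, "product_services", "v_service_schedule"))
```

Because all three views read the same stored row, the rename is made once and is current everywhere, which is the data updating and currency problem of Table 1.3 that the flat file model cannot avoid.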

Early database systems are called traditional systems. At that time, DBMSs
were designed to interface directly with flat file programs, which made it
easier and cheaper for an organisation to replace its flat files with a
database system. Nevertheless, these early database systems had their
limitations. The relational database model later improved database systems in
terms of flexibility and reliability.


1.2.4 The REA Model


REA is an acronym signifying that the data model contains information about
three fundamental types of objects: resources, events and agents.
McCarthy introduced the REA model in 1982 as a domain-specific theory for the
design of accounting information systems. The REA model is also known as a
technique for capturing information about economic phenomena. It describes a
business as a set of economic resources, economic events and economic agents, as
well as the relationships among them.

Although the REA model was proposed as a result of the study of accounting
theories, it can be applied to many other business domains. For instance, it can
be used for inventory control by assigning goods to resources, transfers to
events and owners to agents. Besides that, it can be used for payroll purposes
by assigning the lengths of time to resources, time cards to events and
employees to agents. The REA model is a promising modelling technique for
developing business applications because it has a solid foundation and it can be
applied to nearly all business domains.

The REA model is a conceptual modelling tool specifically designed to provide
structure for designing AIS databases. It provides structure in two ways:
(a) Identifying what entities should be included in the AIS database; and
(b) Prescribing how to structure the relationships among the entities in the AIS
database.

The REA model is an alternative view of accounting: the model is
built upon an organisation's resources, events and agents and how these are
related. Application of the REA model yields a centralised (relational) database.
User views can be created for all users of organisational information; the
views are not just for the accountants. The key elements of the REA model are
summarised as follows:
(a) Resources
Resources obtained and used by an organisation. Resources can be defined
as the assets of the organisation that have economic values that can
generate profits such as inventory, factories and land.
(b) Events
Events are the various business activities that occur in an organisation and
affect the resources. Data are collected during the activities. Events can be
divided into three categories:
(i) Operating Events
Activities that produce goods and services.

(ii) Information Events
Activities related to any recorded/stored information.
(iii) Decision/Management Events
Activities which result in decision making and its implementation.

(c) Agents
Agents are the people and departments inside or outside the organisation
that take part in the events and at the same time can affect resources.
Agents can decide whether to use or to remove those resources. Employees,
suppliers and customers are some of the examples of agents.
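
The REA structure described above, written out as a small relational schema with two user views. This is an added example, not part of the module: the table and column names, the sample rows and the use of SQLite (which has no per-user privileges, so the views only show what a DBMS would expose to each user group) are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE resource (              -- R: assets with economic value
    resource_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE agent (                 -- A: parties inside or outside the organisation
    agent_id INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    kind     TEXT NOT NULL CHECK (kind IN ('employee', 'customer', 'supplier'))
);
CREATE TABLE event (                 -- E: operating events that affect a resource
    event_id          INTEGER PRIMARY KEY,
    kind              TEXT NOT NULL CHECK (kind IN ('sale', 'purchase')),
    occurred_on       TEXT NOT NULL,
    resource_id       INTEGER NOT NULL REFERENCES resource(resource_id),
    quantity          INTEGER NOT NULL CHECK (quantity > 0),
    unit_price_sen    INTEGER NOT NULL CHECK (unit_price_sen >= 0),
    internal_agent_id INTEGER NOT NULL REFERENCES agent(agent_id),
    external_agent_id INTEGER NOT NULL REFERENCES agent(agent_id)
);
-- View for the warehouse: quantities only, no prices or trading partners.
CREATE VIEW stock_view AS
SELECT r.name AS item,
       COALESCE(SUM(CASE e.kind WHEN 'purchase' THEN e.quantity
                                ELSE -e.quantity END), 0) AS on_hand
FROM resource r LEFT JOIN event e ON e.resource_id = r.resource_id
GROUP BY r.resource_id;
-- View for accounting: amounts billed per customer, no stock levels.
CREATE VIEW receivable_view AS
SELECT a.name AS customer, SUM(e.quantity * e.unit_price_sen) AS billed_sen
FROM event e JOIN agent a ON a.agent_id = e.external_agent_id
WHERE e.kind = 'sale'
GROUP BY a.agent_id;
"""

INSERT_EVENT = (
    "INSERT INTO event (kind, occurred_on, resource_id, quantity, unit_price_sen,"
    " internal_agent_id, external_agent_id) VALUES (?, ?, ?, ?, ?, ?, ?)"
)

# Constructed sample data (not from the module). Prices are whole sen.
RESOURCES = [(1, "Bicycle"), (2, "Helmet"), (3, "Pump")]
AGENTS = [
    (1, "Sales clerk", "employee"),
    (2, "Purchasing clerk", "employee"),
    (3, "Cycle World", "customer"),
    (4, "Gear Supply", "supplier"),
]
EVENTS = [
    ("purchase", "2017-01-05", 1, 10, 30000, 2, 4),
    ("purchase", "2017-01-05", 2, 20, 4000, 2, 4),
    ("sale", "2017-01-09", 1, 3, 45000, 1, 3),
    ("sale", "2017-01-10", 2, 5, 6000, 1, 3),
]


def build_db():
    """Create the REA tables and views in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite leaves this off by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO resource VALUES (?, ?)", RESOURCES)
    conn.executemany("INSERT INTO agent VALUES (?, ?, ?)", AGENTS)
    conn.executemany(INSERT_EVENT, EVENTS)
    conn.commit()
    return conn


def stock_on_hand(conn):
    """What a warehouse user sees: item -> quantity on hand."""
    return dict(conn.execute("SELECT item, on_hand FROM stock_view"))


def billed_by_customer(conn):
    """What an accounting user sees: customer -> total billed, in sen."""
    return dict(conn.execute("SELECT customer, billed_sen FROM receivable_view"))


def record_event(conn, row):
    """Insert one event; return False if a schema constraint rejects it
    (for example an event that names a resource or agent that does not exist)."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(INSERT_EVENT, row)
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = build_db()
    print(stock_on_hand(db))
    print(billed_by_customer(db))
    print(record_event(db, ("sale", "2017-01-11", 1, 1, 45000, 1, 99)))
```

Because every event row must reference an existing resource and two existing agents, an event cannot be recorded without stating what it affected and who took part.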

1.2.5 ERP Systems


Enterprise resource planning (ERP) is an information system that provides the
integration of an organisation's business processes/activities. It facilitates data
sharing and flows of information. In addition, ERP introduces common
business exercises/practices to all users in the organisation.

ERP is a complex and large system which can take several years before it can
be implemented. Because of this, only a few organisations take the risk of developing
an in-house ERP system. Normally, an ERP system is sold to customers as a commercial
product. A commercial ERP includes the standard processes only. Therefore,
problems may occur because it does not meet the organisation's requirements or
needs. The organisation then has to modify its business activities, modify
the ERP system, or sometimes both, to make sure that
the implementation of the ERP system succeeds.

Table 1.4 summarises the characteristics of ERP.


Table 1.4: Characteristics of ERP

Characteristics of ERP
1. Facilitates data sharing.
2. Facilitates flows of information.
3. Introduces common business exercises.
4. Is a complex and large system.
5. Requires several years of construction before it can be completed.
6. Normally comes as a commercial product.
7. Needs to be tailored to the individual organisation's needs/requirements.

SELF-CHECK 1.2
In the table provided below, write down at least two major
characteristics of each information system model as discussed earlier in
Section 1.2. Do some research on the Internet to find a real-life example of
each model. Have fun!

| Model | Characteristics | Example |
|---|---|---|
| Manual Process | 1.  2. | |
| Flat File | 1.  2. | |
| Database | 1.  2. | |
| REA | 1.  2. | |
| ERP | 1.  2. | |

1.3 THE ROLE OF THE ACCOUNTANT


ACTIVITY 1.2

Have you ever been in a bank? Whether you are withdrawing money,
depositing money, making payments, etc., you are indirectly dealing
with accounting transactions. Now, try to list out the roles of
accountants.

In this section, we will examine the accountants' role in the current business
environment. Basically, accountants are involved in three roles/ways (refer to
Figure 1.8).

Figure 1.8: Role of accountants in business environment

1.3.1 Accountants as the Users


The accounting function is one of the largest users of computer systems.
Accountants need to know their expectations of and needs for the systems. They have
to provide detailed and clear information to the people who are involved in
system development. This is really important, as any incomplete or vague
information will affect the implementation and use of the systems.

1.3.2 Accountants as the System Designers


An accountant should be actively involved during the system development process.
Besides stating the needs of the systems, an accountant must also be involved as a
system designer. Normally, accountants are involved in designing the conceptual model.
They also have to monitor and carry out the testing process. This is to ensure that
the controls are implemented and functioning properly. Sufficient controls
are needed in order to make sure the data is reliable and accurate.

1.3.3 Accountant as the System Auditors


Information Technology (IT) auditing is one of the types of audits that are
commonly performed. The purpose of IT auditing is to review and evaluate the
internal controls that protect the system. As a system auditor, an accountant will
evaluate and check the integrity of selected components of the system. This is
to ensure that the system conforms to the organisation's objectives and also to the
internal control standards.

SELF-CHECK 1.3

What are the three roles played by accountants with respect to the
information system?

Summary

• The main difference between AIS and MIS is the type of transactions they
process.
• The AIS processes both financial and non-financial transactions, while the MIS
processes non-financial transactions only.
• The evolution of information systems shows that each new model has
been created to overcome the problems and limitations of the previous
models.
• Finally, the role of accountants in the current business environment has
changed.
• An accountant plays an important role as a user, a system designer and a
system auditor.

Key Terms

Database model
Database management systems (DBMS)
ERP systems
Flat file model
Manual process model
REA model

References

Hall, J. (2001). Accounting information systems. Ohio: Thomson Learning.

O'Brien, J. A. (2005). Introduction to information system. Boston: McGraw-Hill.

Topic 2 Information and Business Operation
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Diagram the typical flow of information in business operations;
2. Explain how the information is being used by the management in an
organisation;
3. Explain eight business processing activities used in businesses;
4. Differentiate between sales order and invoice;
5. Recognise statements as compared to account receivable reports;
6. Describe how to keep track of inventories; and
7. Determine the input and output of purchasing activities.

INTRODUCTION
Information systems provide information to support the operations and
management of businesses and other organisations. In order to understand
information systems, it is first necessary to understand how businesses and other
types of organisation operate and are managed. It is also important for us to
know how businesses use information in their various functions, and how
common business activities process information. This topic shows how
information flows within a business to support business operations. Later, we
will explain how information helps in the management of a business. Lastly, this
topic will describe several basic business information processing activities.

2.1 INFORMATION AND BUSINESS OPERATIONS

ACTIVITY 2.1
In some industries, wholesalers are not used. The retailer buys directly
from the manufacturer. However in other industries, wholesalers are
used extensively. Why would a manufacturer want to use a wholesaler
to sell and distribute its products instead of passing the products
directly to a retailer?

Why would a retailer want to purchase goods from a wholesaler rather
than directly from a manufacturer?

Business operation is defined as all activities involved in producing finished
goods and providing services to an organisation. These activities need to ensure
that the organisation makes a profit. Examples of business operation activities are
manufacturing products, processing orders and purchasing raw materials. For
these purposes, we need information to ensure the business operations run
smoothly. The information needed in these operations includes what service to
provide, when to reorder inventory and how much we owe the suppliers.

The information will flow between people within a department as well as from
one department to another. The information could be submitted through a
document, voice or computer. The flow of information will be discussed in the
following paragraph.

Figure 2.1: Information flow related to sales


Source: Robert (2001)

Figure 2.1 shows the flow of information related to the sales of goods. The flow
starts once the customers submit orders for the items they want to purchase. The sales
department receives the customer order information and sends it
to the shipping department. This department views the information, packs the
goods based on the order and sends them to the respective customer. The shipping
information will then be sent to the billing department. The billing department
prepares the billing information, which includes the amount that the customer
needs to pay, and sends it to the customer and the accounts receivable department.
Customers who receive the billing information will then send their payment to the
organisation, where it goes directly to the accounts receivable department.
The accounts receivable department manages the customer bills and sends reminders
to the customers who have not paid their bills within the stipulated time.

Figure 2.2: Information flow related to inventory control


Source: Robert (2001)

Figure 2.2 illustrates the flows of information for inventory control. The shipping
department sends the shipping information to the inventory control department.
This includes the quantity they have sent to the customer. The receiving
department sends information on the inventory received from vendors to the
inventory control department. The inventory reorder information will be sent to
purchasing department by the inventory control department. This happens when
the inventory level is below the required level.

Figure 2.3: Information flow related to purchasing


Source: Robert (2001)

Figure 2.3 shows the flow of information related to purchasing goods. The
purchasing department receives the inventory reorder information from the
inventory control department, prepares the purchasing information and sends
it to the respective supplier and also to the accounts payable department. The supplier
sends the billing information to the organisation, specifically to the accounts payable
department. The receiving department sends information on which items it
has received from the supplier to the accounts payable department. Payment will
be made to the supplier by the accounts payable department.

The flow of information might be different for each organisation. This depends
on the type of business they operate.

2.2 INFORMATION AND BUSINESS MANAGEMENT

Besides supporting the business operations, information is also used by the
management of the organisation. Normally, management uses information to
assist them in the decision making process. They are also involved in preparing
short-term or long-term planning for the organisation. Thus, the information is
really important to the management.

Besides this, the management uses the information to manage the business such
as deciding which customer deserves to purchase from the organisation on credit
basis and which suppliers to choose for purchasing the inventories.

In general, information is crucial for the management since they are
the ones who manage the organisation and need to make decisions and do the
planning. The information needed is produced from the information that flows
within the organisation. Refer to Figure 2.2, which shows the information flow for
inventory control. Here, the manager needs to make the inventory reordering
decision. The inventory control department keeps track of the quantity of
inventory that the organisation has in stock and, when the inventory level is low,
the department is able to detect it. Customer order information received by the
sales department is then used by the department to forecast sales. Once the
manager receives the information on the low level of inventory, he or she can use
the information to decide on the quantity of inventory to reorder. Therefore, the
information flows to the manager in order for him or her to make a decision.

2.3 BASIC BUSINESS PROCESSING


The business operations and management use the information for various
information processing activities. These activities involve people and computers (if
any), which receive the data and process it, then store the data using various types of
storage media and later produce information based on the processed data.

Businesses perform many information processing activities, but in this section,
only eight common activities will be discussed (see Figure 2.4).

Figure 2.4: Information flow


Source: Robert (2001)

2.4 BUSINESS PROCESSING ACTIVITIES


In this section, we will discuss the eight business processing activities. Let us
begin with the first activity: entering customer orders.

2.4.1 Entering Customer Orders

ACTIVITY 2.2
Before setting up any business, do you think a market survey is
necessary to determine the success of the business? Also, why is
gathering potential customer requirements a good initial step to start
up any business?

Entering customer orders is the first business information processing
activity, and it occurs in the sales department. This activity receives orders
from customers indicating the type and quantity of the goods requested.
Customers may place their orders by telephone, by mail or by filling in
an order form either manually or electronically. Hence, the orders are usually
not in a standard format. Figure 2.5 shows an example of a customer order form.

Figure 2.5: A customer order form


Source: Robert (2001)

The sales department must ensure that the inventory is sufficient to fill the
order. The department also needs to determine whether credit should be
extended to the customer. After that, the sales order will be prepared by the sales
department. An example of a sales order is shown in Figure 2.6. This document,
which is also called a shipping order, is the output of this activity. It contains
the customer's particulars, the items ordered and the quantity. The sales department
sends the sales order to the shipping department.

Figure 2.6: A sales order


Source: Robert (2001)

2.4.2 Billing Customers


The sales order is used to verify the items that should be delivered to the customer.
Sometimes, when the items in stock are not sufficient, the quantity shipped is different
from the quantity ordered. For that reason, the shipping department needs to
write the actual quantity shipped on the copy of the sales order. Refer to Figure
2.7 for an example of a sales order with the actual quantity shipped. The
shipping department sends the copy of the sales order to the billing department.
Then, the billing department will prepare the customer's invoice based on the
information in the copy of the sales order.

Figure 2.7: The sales order from the shipping department


Source: Robert (2001)

The billing department then sends the invoice to the customer and another copy
to the accounts receivable department. The sales order in Figure 2.7 is the input
for the billing activity, while the customer's invoice in Figure 2.8 is the output.

Figure 2.8: An invoice


Source: Robert (2001)

2.4.3 Collecting Customer Payments


The copy of the invoice received from the billing department is used to keep
track of the customer's record. Payments from customers will be recorded and
reminders will be sent to the customers who have not paid their bills within the
stipulated time. The accounts receivable department sends a summary of
invoice charges and payments to the customers and prepares accounts receivable
reports for other departments or functions of the organisation.

The copy of the invoice and the payments from customers are the inputs for this
activity. The outputs of the activity include the statement, which is the summary of
the invoice charges and payments, overdue notices or reminders, and the accounts
receivable reports. The accounts receivable department sends the accounts
receivable report to the general accounting department. Refer to Figure 2.9 for an
example of the statement and Figure 2.10 for a sample of an accounts receivable report.

Figure 2.9: A statement


Source: Robert (2001)

Figure 2.10: An accounts receivable report


Source: Robert (2001)

2.4.4 Keeping Track of Inventory


An organisation must keep track of its inventory in order to meet the customer's
requirements or orders. Once the inventory level is low, the person in charge
should be aware of it and quickly reorder the items. The department involved in
this activity is the inventory control department.

The inputs for this activity are the sales order from the shipping department and
the receiving notice from the receiving department, which indicates the quantity
of items received from suppliers. Figure 2.11 shows an example of a receiving
notice. The inventory reorder report and the inventory value report are the
outputs of this activity. Figure 2.12 shows an example of the inventory reorder
report, which is sent to the purchasing department. The inventory value report, as
shown in Figure 2.13, will be sent to the general accounting department.

Figure 2.11: A receiving notice


Source: Robert (2001)

Figure 2.12: An inventory reorder report


Source: Robert (2001)

Figure 2.13: An inventory value report


Source: Robert (2001)

Processing in this activity involves keeping track of the quantity on hand for each
item in inventory. The inventory control department updates this quantity from
data gathered from the sales orders and receiving notices.

The type of inventory described here is called finished goods inventory because
it deals with the final products which are ready for sale. Manufacturing,
wholesaling and retailing are some of the businesses which use this type of
inventory. However, manufacturers do not prepare the inventory reorder report.
Instead they produce a report indicating what items should be manufactured.

In general, manufacturers have three types of inventory:
(a) Finished goods inventory: final products;
(b) Raw materials inventory: materials and parts used for the manufacturing
process; and
(c) Work-in-process inventory: involves partially manufactured items.

2.4.5 Purchasing Stock and Materials


The purchasing department will handle the process of purchasing from the
suppliers. The department needs to identify the best suppliers before it
purchases the items. The best suppliers are chosen based on various criteria such
as the best price offered, sales terms and delivery time. Once the suppliers have
been selected, the purchasing department prepares the purchase order, which
lists the items that need to be purchased.

The input to this activity is the inventory reorder report which is from the
inventory control department and the output is the purchase order as shown in
Figure 2.14. The purchasing department sends one copy of the purchase order to
the supplier and another one to the accounts payable department.

Figure 2.14: A purchase order


Source: Robert (2001)

2.4.6 Paying Bills


The copy of the purchase order received from the purchasing department is used
to keep track of the purchase record. The accounts payable department
handles this activity. Once the supplier has sent the items, this department
will pay the supplier based on the invoice sent by the supplier.

The inputs for this activity are the copy of the purchase order from the
purchasing department, the invoice from the supplier and a copy of the receiving
notice received from the receiving department. The outputs are the payment to
the supplier and the accounts payable report, which summarises the supplier
charges and payments for the specific month. Refer to Figure 2.15 for an example
of the accounts payable report, which is sent to the general accounting
department.

Figure 2.15: An accounts payable report


Source: Robert (2001)
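
One way the accounts payable department could compare the three inputs named above (purchase order, receiving notice and supplier invoice) before releasing a payment. This is an added example, not part of the module: the matching rule (often called a three-way match), the duplicate-invoice check, the document layout and all sample values are assumptions.

```python
from decimal import Decimal


def match_for_payment(po, receiving, invoice, paid_invoices=frozenset()):
    """Return (amount_to_pay, exceptions) for one supplier invoice.

    A line is approved only if the invoice claims no more than was ordered
    and no more than was received, at no more than the purchase order price.
    Any discrepancy holds that line and is listed for review.
    """
    exceptions = []
    if (invoice["supplier"], invoice["invoice_no"]) in paid_invoices:
        exceptions.append(f"invoice {invoice['invoice_no']} already paid")
    if invoice["supplier"] != po["supplier"]:
        exceptions.append("invoice supplier differs from purchase order")
    if invoice["po_no"] != po["po_no"] or receiving["po_no"] != po["po_no"]:
        exceptions.append("documents refer to different purchase orders")
    if exceptions:
        return Decimal("0.00"), exceptions  # document-level failure: pay nothing

    amount = Decimal("0.00")
    for item, (inv_qty, inv_price) in invoice["lines"].items():
        if item not in po["lines"]:
            exceptions.append(f"{item}: invoiced but never ordered")
            continue
        po_qty, po_price = po["lines"][item]
        received = receiving["lines"].get(item, 0)
        problems = []
        if inv_qty > received:
            problems.append(f"invoiced {inv_qty}, received {received}")
        if inv_qty > po_qty:
            problems.append(f"invoiced {inv_qty}, ordered {po_qty}")
        if inv_price > po_price:
            problems.append(f"invoice price {inv_price}, PO price {po_price}")
        if problems:
            exceptions.append(f"{item}: " + "; ".join(problems))
        else:
            amount += inv_qty * inv_price
    return amount, exceptions


# Constructed sample documents (not from the module).
PO = {
    "po_no": "PO-1001",
    "supplier": "Gear Supply",
    "lines": {"Helmet": (20, Decimal("40.00")), "Pump": (10, Decimal("15.00"))},
}
RECEIVING_NOTICE = {"po_no": "PO-1001", "lines": {"Helmet": 18, "Pump": 10}}
INVOICE = {
    "invoice_no": "INV-778",
    "po_no": "PO-1001",
    "supplier": "Gear Supply",
    "lines": {
        "Helmet": (20, Decimal("40.00")),  # 20 billed, only 18 received
        "Pump": (10, Decimal("15.00")),    # matches on all three documents
        "Bell": (5, Decimal("8.00")),      # never ordered
    },
}

if __name__ == "__main__":
    pay, issues = match_for_payment(PO, RECEIVING_NOTICE, INVOICE)
    print("approved for payment:", pay)
    for issue in issues:
        print("hold:", issue)
```

Only the pump line is approved here; the helmet and bell lines are held until someone resolves the difference with the supplier or the receiving department.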

2.4.7 Paying Employees


The payroll department is responsible for this activity. The employees are paid
and the payroll report is prepared by this department.

The input for this activity is the employee work report. This report depends on
the type of employee. If the employee is paid on an hourly basis, the
report prepared is the time sheet, which shows the total hours the employee
has worked each day. Figure 2.16 shows an example of a time sheet.
For an employee who is paid a fixed salary, the report shows the attendance for
all working days, and reasons must be provided for any days of absence.

Figure 2.16: A time sheet


Source: Robert (2001)

The output includes the pay check received by the employee and the payroll
report. Refer to Figure 2.17 for the example of the payroll report. This report will
be sent to the general accounting department by the payroll department.

Figure 2.17: A payroll report


Source: Robert (2001)

2.4.8 Reporting Financial Information


The last activity is the reporting of financial information, which is normally found
in all businesses. The purpose of this activity is to provide financial reports to the
management and the stakeholders/stockholders. An organisation keeps
financial accounts for the revenue it receives and the expenses it pays.
Revenue is obtained from sales and other resources such as investments, while
the expenses include purchasing inventories and assets, paying
employees, maintaining and disposing of assets, and others. The general
accounting department prepares reports known as financial
statements. These reports summarise the organisation's accounts.

The inputs for this activity are reports on revenue, expenses, assets and liabilities.
The outputs are the financial statements such as the income statements and the
balance sheet, as shown in Figure 2.18.

Figure 2.18: Financial statements


Source: Robert (2001)

SELF-CHECK 2.1
1. How does the Purchasing Department know when to purchase
more goods?
2. For what business information processing activities is a sales
order an input?

Summary

• This topic has shown how information flows in business operations, how
managers use information in decision making and how businesses perform
basic information processing.

• Although a business could handle this flow, use and processing of
information without the aid of computers and related technology, using
computer information systems for these activities can greatly increase a
business's efficiency and effectiveness.

Key Terms

Manufacturer
Operations
Information flow
Information processing
Retailer
Reporting
Tracking
Wholesaler

References

Boockholdt, J. L. (1999). Accounting information systems. Singapore: McGraw-Hill.

Robert, C. N. (2001). Business and information systems. New Jersey: Prentice Hall.

Topic 3 Accounting Records and Documentation Techniques
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Describe the documents and procedures used in AIS to collect and
process transaction data;
2. Describe the relationship among accounting records in forming an
audit trail in both manual and computer-based systems;
3. Explain three types of document used in AIS;
4. Compare the function of journal with ledgers;
5. Examine the documentation techniques used to represent systems;
and
6. Develop flowcharts based on given scenario.

INTRODUCTION
Traditionally in the accounting world, accountants required pencils, paper and a
basic calculator to perform their work. They recorded all accounting transactions on
T-accounts that represent Debit and Credit transactions. They then used a calculator
to balance the Debit side of each T-account against the Credit side of the same
account. As a result, they would post the difference (if any) to indicate the
imbalanced condition of the T-account.

However, this traditional approach has gradually been replaced by computerised
systems, which eliminate most of the manual record-keeping done by
human beings. In spite of this, knowledge of how a manual system should
operate is vital so that the computerised documentation techniques will have
minimal flaws after they are implemented.

The first section of this topic describes the relationship among accounting
records in forming an audit trail in both manual and computer-based systems.
Then, we will examine the documentation techniques used to represent systems.
At the end, we will look at documentation techniques for manual and
computer-based systems.

3.1 ACCOUNTING RECORDS IN MANUAL SYSTEMS

ACTIVITY 3.1
In a manual system, adequate documents and records are needed to
provide an audit trail of activities within a system. In computer systems,
documents might not be used to support the initiation, execution and
recording of some transactions. What is the effect of this on the internal
control of a company?

3.1.1 Documents
Previously, most organisations used paper-based documents as a common way
of collecting data. These data would then be transferred to the computer for
later use. Currently, the data are stored directly in the computers through
a specific system.

Basically there are three types of documents, as mentioned in Figure 3.1.

Figure 3.1: Types of documents in accounting systems

(a) Source Document
A source document is the initial input to the accounting process and normally
serves as the original record of a transaction. It is an early document in the
accounting cycle and it captures the key data of a transaction. Examples
of source documents are Purchase Orders, Time Cards, Cash Receipts and
others.

Figure 3.2 shows the creation of a source document.

Figure 3.2: Creation of a source document


Source: James (2001)

It is a part of the revenue cycle. When customers make an order, the sales
clerk will prepare multiple copies of the sales order. These documents will then
go into the sales system. The information in these documents will be used
by various departments or functions such as Credit, Billing and others.
Thus, it will cause other activities to start in those departments.
Now, let us look at an example below.

Example:

A copy of the Sales Order will be sent to the Credit Department. It will
cause the checking or approval process to begin. The personnel in the
department will use the information in the sales order to verify the
customer's creditworthiness.

(b) Product Document
A product document is a document that is prepared after a
transaction has happened. A product document can serve as an output of
a system. Refer to Figure 3.3: the source document acts as an input for the
Sales System, while the product document, which is the customer's bill, acts
as an output.

Figure 3.3: A product development


Source: James (2001)

(c) Turnaround Document
The final type is the turnaround document. A turnaround document is a
document which acts as an output of one system and becomes an input for
another system. Figure 3.4 shows an example of a turnaround document. It
is based on the previous example of source and product documents.

Another example is the credit card monthly statement sent by the
credit card company to its customers. Most of these statements consist of
two parts:
(i) Statement of the account; and
(ii) Remittance advice.

The remittance advice contains the customer's name, account number, the
total credit and also the minimum payment required for that particular
month. Normally, the statement is produced by the Billing Department.
When customers make a payment, they will include the remittance advice
along with the cheque. The remittance advice will be received by the
accounts department. The information in the remittance advice, such as the account
holder's name and account number, will be used as an input to the accounts
department.

Figure 3.4: A turnaround document


Source: James (2001)

SELF-CHECK 3.1
Can a turnaround document contain information that is
subsequently used as a source document? Why or why not?

3.1.2 Journal
A journal is an initial record in which the effects of transactions on accounts are
recorded. When transactions happen, we record all relevant facts in
chronological order. The data for journals come from documents such as sales
orders. The journal keeps all records of transactions, which are then posted to the
specific accounts. Figure 3.5 shows the process of recording the sales order in the
sales journal.

Figure 3.5: Sales order recorded in sales journal


Source: James (2001)

There are two types of journal, as shown in Figure 3.6.

Figure 3.6: Types of journal

(a) Special Journal
This is used to record specific categories/classes of transactions. The
specific categories/classes are grouped in a special journal, and thus can be
processed efficiently. Figure 3.7 shows an example of a special journal,
specifically a sales journal.

The sales journal will only record the sales transactions. Each time a
processing period ends, the sales clerk will post the amounts to the
specified ledger account. Processing could be done on a
daily, weekly or monthly basis. From Figure 3.7, we can see that these
amounts are posted to account number 401.

Another example of a special journal is the cash receipts journal, which
records cash receipts transactions such as cash and credit sales.

Figure 3.7: Sales journal


Source: Boockholdt (1999)

(b) General Journal
The general journal is used to record infrequent and dissimilar
transactions. Figure 3.8 shows an example of a general journal.
Currently, most organisations use a journal voucher system in place of
the general journal. A journal voucher is a source
document which contains a single entry of each account specified in the
general ledger. It is used to record summaries of routine and non-routine
transactions. We also use this document to record the summary of adjusting
and closing entries.


For example, there are two accounts in the general journal:
(i) Accounts receivable; and
(ii) Sales account.

Hence, in the journal voucher, there will be only two accounts stated along
with the amount in that journal voucher.

Figure 3.8: A general journal


Source: Boockholdt (1999)

Another document to be considered is the chart of accounts. The chart of accounts
lists all account names and numbers for an organisation. When recording events
in journals, the accountant refers to the chart of accounts. This is to make sure
the accounts chosen by the accountant are listed in the Accounting
Information System.

The chart of accounts is one of the most important documents we need to
consider in Accounting Information Systems. The chart provides a complete
reference for the accounts in an organisation. Hence, it is important to make sure
the chart of accounts is well designed.

The chart of accounts can differ from one organisation to another, since
functions and business activities vary between organisations.


Figure 3.9 shows an example of a chart of accounts. It shows each account name
along with its account number. The account number consists of three digits. This
is one of the coding techniques used in AIS applications, called Block Codes. This
technique represents an entire class of items by restricting each class to a
particular range within the coding scheme.

Figure 3.9: A chart of accounts


Source: Boockholdt (1999)


Table 3.1 summarises the Block Codes representation.


Table 3.1: Block Codes Representation

| Digit | Representation | Example |
|---|---|---|
| First | Account classification | 100 = Current Assets; 200 = Fixed Assets; 500 = Revenue |
| Second | Primary financial sub-accounts within each category. Numbers were assigned to accounts to match the order of their appearance in financial statements | 110 = petty cash; 120 = petty cash; 130 = accounts receivable |
| Third | Specific account to which the transaction data will be posted | 611 = cash revenue; 612 = credit revenue |

Another thing to consider when building the chart of accounts is scalability.
The chart of accounts should allow the insertion of new or additional accounts.

3.1.3 Ledgers
A ledger is sometimes called a book of financial records. We use a ledger to
summarise the financial status of an organisation, such as the current balance of
accounts. Normally, financial transaction information is posted from the various
journals to the ledgers. The information is used to prepare the financial
statements and internal reports, and also to support daily transactions. Figure
3.10 shows the flow of financial information from the source document to the
general ledger.

Figure 3.10: Flow of information from the economic event to the general ledger
Source: James (2001)

Basically, there are two types of ledgers, as shown in Figure 3.11.

Figure 3.11: Types of ledger

(a) General Ledgers
General ledgers hold a summary of the activities for each account in the
organisation.

(b) Subsidiary Ledgers
A subsidiary ledger records the details for any account in the general ledger
that has many subaccounts. For example, one of the accounts in the
general ledger is accounts receivable. The subsidiary ledger for accounts
receivable could hold a separate account for each customer. The total of
the account balances in the subsidiary ledger must equal the balance
of the accounts receivable account in the general ledger.

3.2 ACCOUNTING RECORDS IN COMPUTER-BASED SYSTEMS

ACTIVITY 3.2
How about organising an event without a planner? How about
leading a nation without a minister? How about running a business
without a system? Respond to the questions above by posting your
answer in myINSPIRE.


Planning to record transactions in specific locations helps to organise
accounting transactions better. In computer-based systems, the accounting
records are represented by four different types of magnetic files, as summarised
in Table 3.2.

Table 3.2: Different Types of Magnetic Files

| No. | Type of File | Description | Example |
|---|---|---|---|
| 1 | Master File | A master file contains all accounts data. When transactions occur, the related data in the master files will be updated. | General and subsidiary ledgers. |
| 2 | Transaction File | A temporary file which contains transaction records. These records will be used to change and update data in the master file. | Sales orders and cash receipts. |
| 3 | Reference File | A file which has a collection of data used as standards or reference for processing the transactions. | Product price lists used for preparing the customer invoices. |
| 4 | Archive File | Files which have records of past transactions. These files will be used for future reference in the organisation. | Lists of former employees, lists of preceding sales transactions. |


Figure 3.12 illustrates the relationship of these files in forming an audit trail.

Figure 3.12: Accounting records in a computer-based system


Source: James (2001)

The accounting records described for the manual system and the computer-based
system provide an audit trail for tracing transactions from source documents to
the financial statements. The audit trail still exists in a computer-based system,
although it is less noticeable than in a traditional manual system.

Figure 3.12 shows how computer files can function as an audit trail in an
organisation. It begins by capturing the economic events. The sales are recorded
manually using source documents. Then the data in the source documents are
transferred to the magnetic files, specifically the transaction files. However,
this depends on the organisation, because some organisations no longer
use physical source documents. In that case, the transactions are captured
directly on the magnetic media.


The next step is to update the related master files, namely the subsidiary and
the control accounts. During this process, we may edit the account transactions.
For example, the system identifies the available credit for each customer
by referring to the credit file. Any records with credit problems are rejected and
stored in the error file. The remaining records are used to update the related
master files. Hence, only these transactions are added to the archive file as the
sales journal.

The original transaction file is not required for audit trail purposes because the
valid transactions have been copied to the journal. The file can then be deleted,
and the system is ready for the next batch of sales orders.
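
The batch run described above, as an added Python example that is not part of the module: a transaction file is edited against the credit file, rejects go to the error file, and valid orders update the master files and the sales journal. The class, customer numbers, limits and amounts are constructed for illustration; the last two methods check the subsidiary ledger against its control account and use the journal as the audit trail for each balance.

```python
from decimal import Decimal
from typing import NamedTuple

ZERO = Decimal("0")


class SalesOrder(NamedTuple):
    order_no: str
    customer: str
    amount: Decimal


class SalesBatchSystem:
    """The file types of Table 3.2 held in memory (all values are constructed)."""

    def __init__(self, credit_limits, opening_balances):
        self.credit_file = dict(credit_limits)        # reference file
        self.opening = {c: opening_balances.get(c, ZERO) for c in credit_limits}
        self.ar_subsidiary = dict(self.opening)       # master file: one balance per customer
        self.general_ledger = {                       # master file: control accounts
            "accounts_receivable": sum(self.opening.values(), ZERO),
            "sales": ZERO,
        }
        self.sales_journal = []                       # archive file
        self.error_file = []                          # rejected records with a reason

    def _edit(self, order):
        """Return a rejection reason, or None if the record may be posted."""
        if order.customer not in self.credit_file:
            return "unknown customer"
        if order.amount <= ZERO:
            return "non-positive amount"
        available = self.credit_file[order.customer] - self.ar_subsidiary[order.customer]
        if order.amount > available:
            return "exceeds available credit"
        return None

    def run_batch(self, transaction_file):
        """Edit each record, post the valid ones, then empty the transaction file."""
        for order in transaction_file:
            reason = self._edit(order)
            if reason is not None:
                self.error_file.append((order, reason))
                continue
            self.ar_subsidiary[order.customer] += order.amount
            self.general_ledger["accounts_receivable"] += order.amount
            self.general_ledger["sales"] += order.amount
            self.sales_journal.append(order)   # only posted records reach the journal
        transaction_file.clear()               # ready for the next batch

    def control_account_agrees(self):
        """The subsidiary ledger total must equal the general ledger control account."""
        total = sum(self.ar_subsidiary.values(), ZERO)
        return total == self.general_ledger["accounts_receivable"]

    def unexplained_balances(self):
        """Customers whose balance the journal (the audit trail) cannot account for."""
        expected = dict(self.opening)
        for order in self.sales_journal:
            expected[order.customer] += order.amount
        return sorted(c for c, bal in self.ar_subsidiary.items()
                      if bal != expected.get(c, ZERO))


def demo():
    """Run one constructed batch and return the system and the emptied batch."""
    system = SalesBatchSystem(
        credit_limits={"C001": Decimal("1000"), "C002": Decimal("500")},
        opening_balances={"C001": Decimal("200"), "C002": Decimal("450")},
    )
    batch = [
        SalesOrder("SO-1", "C001", Decimal("300")),
        SalesOrder("SO-2", "C002", Decimal("100")),   # over the remaining credit
        SalesOrder("SO-3", "C999", Decimal("50")),    # not in the credit file
        SalesOrder("SO-4", "C001", Decimal("600")),   # over the remaining credit
        SalesOrder("SO-5", "C002", Decimal("50")),    # uses the remaining credit exactly
    ]
    system.run_batch(batch)
    return system, batch


if __name__ == "__main__":
    system, _ = demo()
    print("journal:", [o.order_no for o in system.sales_journal])
    print("errors :", [(o.order_no, why) for o, why in system.error_file])
    print("control account agrees:", system.control_account_agrees())
```

A balance changed directly in the master file, without a journal entry, fails both checks: the control account no longer agrees and `unexplained_balances()` names the customer.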

SELF-CHECK 3.2

What is meant by "Audit Trail"?

3.3 DOCUMENTATION TECHNIQUE

ACTIVITY 3.3

How do you relate DFD to Activity Diagram in Unified Modelling
Language? You may go to the Internet and find the answers to this
question.

3.3.1 Entity Relationship Diagram

An ERD describes the information needed and/or the type of information that is
to be stored in the database.

An Entity Relationship Diagram (ERD) is a documentation technique used to
construct a conceptual data model. It describes the data needed and the
type of data that is to be stored in the database. It acts as a data modelling
technique that creates a graphical representation of the entities, and the
relationships between entities, within an information system.

An ERD can be used as a tool for communication during the analysis phase of the
system development process. The three main components of an ERD and their
functions are summarised in Table 3.3.


Table 3.3: Main Components of ERD and Their Functions

| No. | Item | Symbol | Descriptions |
|---|---|---|---|
| 1. | Entity | | An entity is an object in the real world environment. In AIS, an entity is a resource (cash), an event (receiving cash) or an agent (customer). |
| 2. | Relationship | | A relationship captures how two or more entities are related to one another. |
| 3. | Attributes | | Attributes are the properties or characteristics of an entity. Relationships may also have attributes. Attributes are drawn as ovals connected to their owning entity sets by a line. |

Figure 3.13 shows the symbols used for an ERD.

Figure 3.13: Entity relationship diagram symbols


Source: James (2001)

The relationship between entities can also be described in terms of cardinality.


Cardinality specifies the number of instances of one entity that can be associated
with each instance of another entity. A relationship can be one-to-one (1:1),
one-to-many (1:M) or many-to-many (M:N). Cardinality can reflect the policy of an
organisation.

Table 3.4 explains the symbols used for an ERD.

Table 3.4: Symbols Used for an ERD

| No. | Symbol | Relationship | Cardinality | Explanation |
|---|---|---|---|---|
| 1 | Entities: Salesperson, Automobile | Assigned | (1:1) | Each salesperson is assigned to one automobile. Each automobile is assigned to one salesperson. |
| 2 | Entities: Customer, Order | Places | (1:M) | Each customer places more than one order. Each order is placed by one customer. |
| 3 | Entities: Vendor, Inventory | Supply | (M:N) | Each vendor supplies more than one item. Each item is supplied by more than one vendor. |

3.3.2 Data Flow Diagrams

A Data Flow Diagram (DFD) is a graphical representation of the data flow
through an information system. We also use a DFD to visualise data processing,
known as structural design. It is common practice for a system
analyst/designer to first draw a context-level DFD, which shows the interaction
between the system and outside entities. This context-level DFD is then
decomposed to show more detail of the system being modelled.

A data flow diagram illustrates the processes, data stores and external entities in
a business or other system and the data flows between these things.


Four diagrammatical components are used to develop a DFD. Table 3.5 explains
these components.

Table 3.5: Diagrammatic Components Used to Develop a DFD

| Item | Descriptions |
|---|---|
| Data Flow | • Data in motion, moving from one place to another in a system; |
| | • Represent the results of a query to a database, the contents of a printed report or data on a data entry computer display form; |
| | • Should only represent data, not control; |
| | • Represented by an arrow; and |
| | • Should be named as a noun. |
| Process | • The work or action performed on data so that they are transformed, stored or distributed; |
| | • Represents the transformation of data in the system. This represents something that happens in the system; |
| | • Represented by a circle or rounded rectangle; and |
| | • Should be named as a verb. |
| External Entity | • The origin and/or destination of data; |
| | • Also called a "source/sink"; |
| | • Represented by a square or oval; and |
| | • Should be named as a noun. |
| Data Store | • Repository for data; |
| | • Represented by two parallel lines, sometimes connected by a vertical line; and |
| | • Should be named as a noun. |


Figure 3.14 shows the symbols used for DFD.

Figure 3.14: Data flow diagram symbols


Source: Romney and Steinbart (2003)

Basic data flow diagram elements are shown in Figure 3.15. The external entities
are A, J and K, where A is the source and J and K are the destinations. The system
starts at A, which generates data flow B, which then goes to process C. The
outputs of process C are data flows D and E. E then goes to J, while D goes to
process F. Process F uses data flows D and G and processes the data. The
process then produces outputs G and I. Data flow I is sent to the external
entity, or data destination, K. Figure 3.16 shows the data flow diagram of the
customer payment process, which is related to Figure 3.15.


Figure 3.15: Basic data flow diagram elements


Source: Romney and Steinbart (2003)

Figure 3.16: Data flow diagram of customer payment process


Source: Romney and Steinbart (2003)


A data flow may consist of more than one data element. Therefore, it is important
to decide on the number of lines required for the data flow. For example,
customers who have made a payment may sometimes want to make an inquiry about
their payment. Here, separate data flows should be used, because payments and
inquiries have different purposes. Refer to Figure 3.17.

Figure 3.17: Splitting customer payments and inquiries


Source: Romney and Steinbart (2003)

Decomposition of a DFD can be defined as the act of going from a single system to
its component processes or, in other words, from the highest level DFD to the
lowest level. The highest level view of the system is a context diagram.

A context diagram is a special DFD that is designed to show the system and the
external entities that send data to and/or receive data from the information
system. It contains only one process, the data flows and the external
entities (sources/sinks), and no data stores. The sources/sinks represent its
environmental boundaries.

Figure 3.18 shows the context diagram of a payroll processing procedure. The
employee data is received from the human resource department, while the time
cards are received from various departments. These data are then processed
and the system produces four different outputs:
(a) Tax report and payment for government agencies;
(b) Employee payment for employees;
(c) Payroll account deposit at the bank; and
(d) Payroll report for the management.


Figure 3.18: Context diagram for payroll processing


Source: Romney and Steinbart (2003)


Table 3.6 shows the major processing activities and data flows involved in
payroll processing. Using the information in the table, the context diagram is
decomposed into a lower level, which we call the Level 0 diagram, as shown in
Figure 3.19. The data coming from the human resource department are grouped
together and named "employee data".

Table 3.6: Activities and Data Flows in Payroll Processing

| Activity | Data Inputs | Data Outputs |
|---|---|---|
| Update employee/payroll file | New employee form; Employee change form; Employee/payroll file | Updated employee/payroll file |
| Pay employees | Time cards; Employee/payroll file; Tax rates table | Employee checks; Payroll register; Updated employee/payroll file; Payroll check; Payroll cash disbursements voucher |
| Prepare reports | Employee/payroll file | Payroll report |
| Pay taxes | Employee/payroll file | Tax report; Tax payment; Payroll tax cash disbursements voucher; Updated employee/payroll file |
| Update general ledger | Payroll tax cash disbursements voucher; Payroll cash disbursements voucher | Updated general ledger |

Source: Romney and Steinbart (2003)


Figure 3.19: DFD for payroll processing


Source: Romney and Steinbart (2003)


The level 1 diagram for Process 2.0 (pay employees) is shown in Figure 3.20. It
expands the pay employees process into more detailed processes. Each of the
processes in Figure 3.19 can be decomposed into its own level 1 diagram to show
the detailed processes.

Figure 3.20: DFD for process 2.0 in payroll processing


Source: Romney and Steinbart (2003)

3.3.3 Flowcharts
A flowchart is a formalised graphic representation of a program logic sequence,
work or manufacturing process. It describes the physical relationship between
the entities or components.

Figure 3.21 shows the symbols used to create flowcharts. Each symbol represents
a different process or task. Flowcharts also use special connector symbols to
jump between positions on the same page and from one page to another. These
symbols are very useful for reducing the clutter that occurs when flow lines
overlap each other.


Figure 3.21: Common flowcharting symbols


Source: Romney and Steinbart (2003)


Basically, there are three types of flowchart:

(a) Document Flowchart
A document flowchart shows the flow of documents through the system. It
illustrates the relationship among processes and the documents that flow
between them. This flowchart is much more detailed than a data
flow diagram because we can see the separation of functions in one system.
The flowchart is very useful to refer to when analysing whether the control
procedures are sufficient. It can disclose weaknesses in the system,
such as a lack of communication flows. Figure 3.22 is an example of a
flowchart which clearly shows the departments/functions involved in a
system.

Figure 3.22: Flowchart showing areas of activity


Source: Romney and Steinbart (2003)

(b) System Flowchart
A system flowchart is used to represent the relationship between the parts of
a system, that is, the inputs, processes and outputs. It also shows the type
of media being used for a particular system, such as magnetic disks
and files.


Figure 3.23 shows an example of a system flowchart for sales processing. Sales
terminals are used to capture sales. The terminals edit the sales data and
print out receipts for the customers. The sales data are then stored in the
sales data file on a disk. At the end of each day, the sales data are
summarised and the batch totals are printed. An example of a batch total is the
total sales for all sales transactions. The summarised data are processed
again, and the batch totals are generated and printed once more. These batch
totals are then compared with the batch totals generated from the earlier
processing. All errors and exceptions are reconciled. The accounts receivable,
inventory, sales marketing databases and the general ledger are updated. Users
can use the inquiry processing system to find out the account and inventory
status and also to carry out sales analysis.

Figure 3.23: System flowcharts of sales processing


Source: Romney and Steinbart (2003)
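
The batch total comparison described above, as an added Python example that is not part of the module. It goes beyond the text's total-sales figure by also keeping a record count and a hash total of invoice numbers, two other common batch controls; all records and field names are constructed.

```python
from decimal import Decimal
from typing import NamedTuple


class Sale(NamedTuple):
    invoice_no: int
    customer_no: int
    amount: Decimal


class BatchTotals(NamedTuple):
    record_count: int
    total_sales: Decimal   # the batch total the text describes
    hash_total: int        # sum of invoice numbers; meaningful only as a check


def batch_totals(records):
    """Compute the control totals for one batch of sales records."""
    return BatchTotals(
        record_count=len(records),
        total_sales=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(r.invoice_no for r in records),
    )


def compare_totals(first_run, second_run):
    """Names of the control totals that disagree between two processing runs."""
    return [name
            for name, a, b in zip(BatchTotals._fields, first_run, second_run)
            if a != b]


# Constructed sample: sales captured at the terminals during one day.
CAPTURED = [
    Sale(1001, 17, Decimal("120.00")),
    Sale(1002, 23, Decimal("75.50")),
    Sale(1003, 17, Decimal("310.25")),
]


def scenarios():
    """Compare the end-of-day totals with totals recomputed after later processing."""
    control = batch_totals(CAPTURED)
    first, second, third = CAPTURED
    later_runs = {
        "unchanged": list(CAPTURED),
        # one record lost between the two runs
        "dropped": [first, second],
        # an amount keyed differently the second time
        "altered": [first, second._replace(amount=Decimal("57.50")), third],
        # a record posted under the wrong invoice number
        "substituted": [first, second._replace(invoice_no=1009), third],
        # two amounts swapped: the errors offset, so no total moves
        "offsetting": [first._replace(amount=second.amount),
                       second._replace(amount=first.amount), third],
    }
    return {name: compare_totals(control, batch_totals(records))
            for name, records in later_runs.items()}


if __name__ == "__main__":
    for name, differences in scenarios().items():
        print(f"{name:12} -> {differences or 'totals agree'}")
```

The `offsetting` case passes the comparison even though two records are wrong, which is the known limit of batch totals as a control.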


(c) Program Flowchart
A program flowchart illustrates the logic used in programs. This flowchart
shows the detail of each process for each program that exists in a system
flowchart. Figure 3.24 shows the relationship between system and program
flowcharts.

Figure 3.24: Relationship between system and program flowcharts


Source: Romney and Steinbart (2003)

SELF-CHECK 3.3
Differentiate between System Flowchart and Program Flowchart. Fill in
the table below for your comparison.

| System's Flowchart | Program's Flowchart |
|---|---|
| | |


• Previously, most businesses used paper source documents to initially collect
  data about their business activities and then transferred the data into the
  computer. This has now changed: most data about business activities are
  recorded directly through computer data entry screens.
• Documentation includes the narratives, flowcharts, diagrams and other
  written material that explain how a system works.
• Each type of documentation serves a different function for the
  organisation.

Archive file
Attributes
Batch
Cardinality
Chart of accounts
Data flow diagram
Document flowcharts
Entity
ERD
Flowcharts
General journal
General ledgers
Journal
Master file
Product document
Reference file
Sales journal
Source document
Special journal
Subsidiary ledgers
System flowcharts
Transaction file

Boockholdt, J. L. (1999). Accounting information systems. Singapore: McGraw-Hill.

Dunn, C., Cherrington, J. O., & Hollander, A. S. (2005). Enterprise information
systems: A pattern-based approach (3rd ed.). McGraw-Hill.

James, A. H. (2001). Accounting information systems. Ohio: Thomson Learning.

Romney, M. B., & Steinbart, P. J. (2003). Accounting information systems
(9th ed.). New Jersey: Prentice Hall.



Topic 4 Control and Accounting Information Systems
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Discuss the need for control and audit of accounting information
systems;
2. Examine the effects of computers on traditional internal control
principles; and
3. Identify the general control and application control of computer
based control.

INTRODUCTION

Figure 4.1: Computerised system vs. manual system


What can you conclude from the cartoon strip shown in Figure 4.1? What would
happen if a business uses the manual system of accounting and loses control of
its accounting transactions?

Computers perform much of the data processing required in both the private and
public sectors of our economies today. Accounting information systems are
becoming more complex in order to meet society's increasing need for
information. Therefore, it is important to maintain data integrity during
processing, because people can always question the controls implemented
during data processing. Uncontrolled use of computers can have a
widespread impact on society.

In this topic, we will discuss why we need control in the accounting information
system (AIS) in the first place. Secondly, we will explore the control concepts,
including their objectives, types of functions and the nine major effects of
internal control in AIS. Then, we will learn about the management framework for
computer-based control in AIS. Finally, we will discuss the applications of
computer-based information system controls in AIS.

4.1 NEED FOR CONTROL AND AUDIT OF COMPUTERS

Let us begin by looking at why we need to audit computers in the first
place. Nowadays, computers are used extensively to support and
facilitate the business operations of an organisation. They also provide data for
the decision making process. Because of the many useful functions of computers
and the decreasing cost of computer technology, more organisations are
keen to use computers to process their data. Therefore, it is important to
control the use of computers.

There are seven major reasons for establishing a function to examine controls
over computer-based data processing, as summarised by Figure 4.2.


Figure 4.2: Why we need to examine the controls over computer-based data processing

These seven points will be explained in the next subsections.

4.1.1 Organisational Costs of Data Loss

Data is one of the major resources an organisation needs in order to
continue its business operations. If anything happens to the data, it can
affect the smooth running of the entire organisation.

For example, a large department store could face problems if something
unexpected happens, such as the destruction of its accounts receivable data.
Unless its customers are honest and can remember what they have purchased
from the store, the firm might suffer a big loss when customers fail to pay their
debts. Data can be lost through program error, natural disaster and other
causes. If there are no proper back-ups of the computer data, the data
cannot be recovered and, as a result, the business operations of the organisation
could be disrupted. This can occur when existing controls for the computers are
taken for granted.


4.1.2 Incorrect Decision Making

Decision making is part of a manager's task. Managers
normally require data for this process. The quality of the decisions depends on
the quality of the data. Therefore, it is important for an organisation to have
control over its computers and data.

Figure 4.3: Quality decisions depend on the quality of data

The importance of accurate data in a computer system depends on the types of
decisions made. If managers are dealing with strategic planning decisions,
some errors in the data can be tolerated. If managers are making
management and operational control decisions, errors cannot be tolerated.

4.1.3 Costs of Computer Abuse

Computer abuse is the negligent unauthorised activity that affects the
availability, confidentiality or integrity of computer resources. Computer abuse
includes fraud, theft, malicious damage, viruses, unauthorised use, denial of
service and abuse of privileges. If this happens, business operations could
also be disrupted.

4.1.4 Value of Computer Hardware, Software and Personnel

Besides data, computer hardware, software and personnel are
components of an information system. Thus, it is important to take great care of
these components. An organisation might invest millions of dollars in hardware
and software alone. If the hardware crashes or the software becomes corrupted,
the organisation might be unable to continue its business operations.
Personnel are also important in helping the organisation achieve its missions and
goals. They are the ones who operate and maintain the information systems for
the organisation.

4.1.5 High Costs of Computer Error

Nowadays, computers carry out many important and vital functions in
organisations. For example, computers monitor the condition of patients
during surgical procedures and direct the flight of a missile, among others.
Thus, a computer error can lead to damage to the environment, harm to people or
even loss of life. These are among the consequences of computer error.

ACTIVITY 4.1

Imagine you are in a supermarket buying a packet of sugar. The price
listed on the display rack shows RM1.40 per packet. However, when
the cashier scans the item, the monitor displays RM14.00 per packet.
How do you think human error can contribute to computer error?

4.1.6 Maintenance of Privacy

Data is one of the important resources for the organisation. Today, people
give their data to organisations for taxation, medical, educational, banking
and employment purposes. When submitting data to an organisation, people
should question whether that organisation protects their data.
People are concerned about the privacy of their own data. This
includes whether the data has been passed to other parties, used
for other malicious purposes or used to represent other people.
This could happen when there is no control over the data, and it can lead to a
disastrous situation.

4.1.7 Controlled Evolution of Computer Use

Occasionally, people are concerned about the use of computer technology in
society. Examples include the use of computers to support the nuclear weapons
command control systems and the use of computers in the workplace to replace
human beings.


ACTIVITY 4.2

What do you think of replacing human toll operators at all lanes of PLUS
highway with the automatic toll booth lanes (like Touch 'n Go and Smart
Tag)? Will this affect the rate of unemployment in the country?

SELF-CHECK 4.1
1. What is the best way to prevent loss of data?
2. Computer abuse includes seven primary activities. Name four
of them.

4.2 OVERVIEW OF CONTROL CONCEPTS

Internal control is broadly defined as a process designed to provide reasonable
assurance regarding the achievement of objectives in the following categories:
(a) Effectiveness and efficiency of operations;
(b) Reliability of financial reporting;
(c) Compliance with applicable laws and regulations; and
(d) Safeguarding of assets.

The internal control structure consists of policies and procedures. These are used
to provide a reasonable level of assurance that the organisation's objectives
will be accomplished.

ACTIVITY 4.3
Why do you think an organisation needs an auditor?


4.2.1 Functions of Internal Control

Internal controls carry out three important functions, as summarised in Table 4.1.

Table 4.1: Three Important Functions of Internal Controls

| Controls | Descriptions |
|---|---|
| Preventive controls | Preventive controls are designed to avoid any possible future problems. This is the most cost-effective method of control as compared to detective controls. Implementing this control hinders errors and thus avoids the cost of correction. Examples of preventive controls include effective control of physical access to assets and data, proper segregation of employee tasks and competent personnel. |
| Detective controls | These controls are needed because sometimes problems cannot be prevented. The controls find problems once they occur. Detective controls are usually more expensive than preventive controls. Examples include double checking of calculations, confirmation of bank balances and systems review (internal auditing). |
| Corrective controls | These controls are designed to correct errors once they are detected. This includes procedures taken to identify the cause of a problem, fix the errors and modify the system so that future problems are eliminated or at least minimised. Examples include documentation and reporting systems that keep problems under management observation until they have been solved or the defect has been corrected, and back-up procedures. |

4.2.2 Effects of Computers on Internal Controls


The implementation of internal control in an organisation can assure that the
organisation achieves the goals of asset safeguarding, data integrity, system
effectiveness and system efficiency.

The use of computers affects the implementation of these internal control
components (refer to Figure 4.4).

Figure 4.4: Effects of internal control implementation

These controls have been implemented and tailored to fit in with a computer
environment. The following subsections will briefly explain these components.

(a) Separation of Duties

In a manual system, different personnel should be responsible for the
authorisation of transactions, the recording of transactions and the custody
of assets. Separation of duties can prevent or detect errors and
abnormalities.

In a computer system, this idea of separation of duties does not always
apply. For example, a program can reconcile a vendor invoice against a
receiving document and print a cheque for the amount to be paid to a
creditor. These functions are considered incompatible in a manual
system. However, it might be inefficient and ineffective to put these
functions in separate programs. As an alternative, separation of duties must
be present in a different form. Once it is confirmed that the program executes
properly, the capability to run the program in production mode and
the capability to change the program must be separated.

(b) Delegation of Authority and Responsibility

Both manual and computer systems require a clear delegation of authority
and responsibility. In computer systems, some resources are shared among
multiple users, so the delegation process is not so easy. When
multiple users access the same data and the integrity of the data is violated,
the personnel concerned have to trace who is responsible for violating
the data, and identify and correct the error.

Most organisations have tried to overcome this problem by assigning
a single user as the owner of the data. This user is responsible for the
integrity of the data in the organisation.

In end user computing, users are involved in developing, modifying,
operating and maintaining their own systems. Therefore, the delegation of
authority and responsibility is unclear for end user computing.

(c) Competent and Trustworthy Personnel

It is not easy to find good and well-trained information system personnel.
Due to the high turnover rate, it is difficult to evaluate the competency and
integrity of the personnel. The emergence of technology has reduced
management's ability to evaluate the skills of information systems
personnel.

(d) System of Authorisations

In a manual system, the work of personnel is examined in order to
evaluate whether the authorisation procedures are sufficient.

In a computer system, the authorisation procedures are embedded in the
computer program. For example, in the sales system, the order entry
module might determine the price to be charged to the customer. Therefore,
auditors need to examine both the work of personnel and the authenticity of
the program processing.

(e) Adequate Documents and Records

In a manual system, an audit trail of activities within the system requires
sufficient documents and records.

In a computer system, the initiation, execution and recording of some
transactions do not need any documents. For example, a customer's order
received by telephone in an online system will be entered directly into the
system. So, no document is required to initiate the order transaction. In
certain cases, some transactions can be activated automatically by the
system. For example, the inventory program could automatically reorder
items when the stock level falls below a certain quantity. Thus, it is not possible
to trace the transaction. The non-existence of a visible audit trail is not a
problem for auditors, provided that the system has been designed to maintain
a record of all events and the record can be easily accessed.

(f) Physical Control over Assets and Records

Physical control over access to assets and records is crucial in both manual
and computer systems. However, it differs between the two systems.

In a manual system, an individual who wishes to commit fraud may need
to go to a different physical location to access the records.

In a computer system, all records are normally maintained at one site where
the computer is located. Therefore, an individual who intends to commit
fraud does not need to go to different locations to access the records.

(g) Adequate Management Supervision

In a manual system, supervising personnel activities and work is a
simple and easy task because managers and personnel are often at
the same site.

In a computer system, the supervision of personnel activities and work
needs to be carried out remotely. The computer system must have built-in
administrative controls to monitor employees through observation and
inquiry. A computer system also makes personnel activities less observable.
From time to time, managers must access the audit trail of their personnel's
activities and examine it for unauthorised activities.

(h) Independent Checks on Performance

In a manual system, independent checks are carried out because
personnel tend to forget procedures, make genuine mistakes and fail to
follow the given procedures. This activity is done by an independent party.
It helps to discover any errors or abnormalities.

In a computer system, an independent check on performance normally
does not have as much value. Usually the program code in a computer
system is authorised, accurate and complete, so the computer system will
always follow the procedures. As an alternative, the controls
focus more on the authenticity of the program code.

(i) Comparing Recorded Accountability with Assets

Data and the assets that the data claim to represent should be compared
periodically to determine whether the data are incomplete or inaccurate.

In a manual system, independent personnel prepare the data for comparison
and evaluation purposes.

In a computer system, the data is prepared using the software embedded in
the computer system. For example, sorting an inventory file by warehouse
location and preparing counts by inventory item at the different
warehouses can be done by a program in the computer
system. Abnormalities might not be discovered if unauthorised changes
are made to the program or to the data files the program uses. An example is
when someone steals an inventory item from a warehouse. Hence, internal
controls must be applied to ensure the authenticity of the program code.
This is because the traditional separation of duties cannot be applied to
the preparation of data for comparison purposes.

SELF-CHECK 4.2
1. How can the use of a computerised system affect top
management's decision making?
2. In manual systems, how are personnel given access to
important documents?

4.3 COMPUTER-BASED INFORMATION SYSTEMS CONTROL

In this section, we will discuss eight types of the management control framework
and five types of the application control framework.

ACTIVITY 4.4
Think about a manager in your current or previous job. Why are
managers important in motivating subordinates to work?

4.3.1 The Management Control Framework


The management control framework in computer-based information systems
consists of:
(a) Top Management Control;
(b) System Development Control;
(c) Programming Management Control;
(d) Data Resource Management Control;
(e) Security Management Control;
(f) Operations Management Control; and
(g) Quality Assurance Management Controls.

Now, let us look at these frameworks in more detail.


(a) Top Management Control

An organisation's information system must be aligned with the company's
business vision and strategic business goals. Thus, management needs
to prepare a master plan for the information systems function. The plan
consists of short-term and long-term goals. All projects that the
organisation needs to complete in order to achieve its long-range and
short-range goals must be included in the plan.

A strategic plan is normally related to long-term planning, which is
three to five years into the future. The contents of a strategic plan are as
follows:

(i) Current information assessment


This includes the information on the existing or current information
systems such as the functions, the capabilities of the system as well as
the advantages and disadvantages of the system.

The hardware and software used for the current information systems
are also provided in this assessment. Besides this, the current
personnel resources and the current threats and opportunities are also
included.

(ii) Strategic directions


This includes the information on the future information systems and
also intra-organisational and inter-organisational strategies.

(iii) Development strategy

The development strategy consists of:
• The vision statement for information technology;
• The databases required for the future information systems;
• The hardware and software for the future information systems;
• The future personnel resources;
• The future financial resources; and
• The methods required for monitoring the implementation of the
strategy.

The operational plan is normally short-term planning, which can be
weeks, months or years (up to a maximum of three years) into the future. The
contents of an operational plan are summarised in Table 4.2.

Table 4.2: Content of Operational Plan

| Content | Descriptions |
|---|---|
| Progress report | (a) List of current planned proposals achieved and failed; (b) Changes to major hardware and software platforms; and (c) Additional ideas and plans to start the project. |
| Initiatives to be undertaken | (a) Acquisition of personnel resources; (b) Acquisition of financial resources; (c) The systems that are going to be developed; and (d) Changes to hardware and software platforms. |
| Implementation schedule | This includes the timeline for the project/plan. It should have the estimated start and finish dates. The control procedures that need to be applied are also included in the implementation schedule. |

Both the strategic and operational plans need to be reviewed frequently and
updated if necessary. Evaluation should take place a few times a year to
ensure that any new system components can be added and the current ones
can be maintained. During the evaluation process, the functionality,
stability, complexity, cost, strengths and weaknesses of the current system
need to be assessed. These criteria are assessed in order to know whether the
system is sufficient to support the organisation's business needs. Users should
be asked whether the systems they use meet their requirements or
whether they need any new technologies. Therefore, management
should prepare and approve the plan along with sufficient budgets.
In addition, management should allocate a budget for emergencies,
such as replacing a hard disk after a hard disk failure, and for any
unexpected maintenance requirements.

The controlling functions of top management are also very critical. The
controlling functions involve controlling the information systems
activities and the users of information services. This function
also involves determining when the actual activities of the information
systems vary from the planned activities.

Management should exercise control over the activities of
information systems personnel through the implementation of:
(i) Standards – provide specific guidelines for behaviour; and
(ii) Policies – provide broad and general guidelines for behaviour.

Both standards and policies should be documented, reviewed frequently
and updated if necessary. These documents must then be disseminated
among the staff. Existing staff must always be reminded of the policies and
standards, and new staff must be informed of them. Management should
also develop policies and implement procedures that encourage users to
use the information services effectively and efficiently.

Another important control is the implementation of documentation
and procedures. Quality documentation assists in communication and
progress review during the system development process. It can also be
used by new staff who are involved with the system development.
Besides that, documentation is useful for system
maintenance, especially when the original programmer resigns and someone
else takes over his or her work.

ACTIVITY 4.5

Write a short paragraph on what you understand about "Standard
Operating Procedures". Post your opinion in the myVLE forum and
compare your answer with those of other coursemates.

(b) System Development Control

Preventive controls are appropriate procedures for system and program
changes. These controls reduce the errors and abnormalities created by new
systems or by changes to the existing system.

An organisation should form a steering committee to review
the proposed new system. This is to prevent the implementation of new systems
that are inefficient or ineffective or that do not meet the organisation's
requirements.

Documentation is essential. All manual and
computerised procedures should have sufficient documentation. It enables
programmers and analysts to understand the existing procedures before
making any changes. Documentation provides auditors with the necessary
information during the auditing activity. The organisation should have
required procedures for authorising and documenting changes to existing
programs and systems. When the maintenance process takes place, the
programmer makes the changes to the system.

The Chief Information Officer requires the programmer to list the
changes in the program change record. At the same time, the programmer needs
to update the documentation too. The Chief Information Officer then
reviews the changes and their documentation. This procedure prevents changes
that would cause errors or abnormalities.
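
The following added Python example (not part of the original module) shows one way to check the authenticity of production program code against the program change record, and to confirm that the ability to change a program is separated from the ability to run it in production, as discussed under Separation of Duties in 4.2.2. The use of SHA-256 digests, the record layout and all program and user names are assumptions made for illustration.

```python
import hashlib


def digest(code: bytes) -> str:
    """Fingerprint of a program's code (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(code).hexdigest()


# Constructed sample data: hypothetical programs, users and access rights.
REVIEWED_CODE = b"reconcile(invoice, receiving_doc); print_cheque(amount)\n"
CHANGED_CODE = b"reconcile(invoice, receiving_doc); print_cheque(amount + 100)\n"

# Program change record: who changed the program, who reviewed the change,
# and the digest of the version that was reviewed.
CHANGE_RECORD = [
    {"program": "ap_payment", "changed_by": "prog_azlan",
     "reviewed_by": "cio", "sha256": digest(REVIEWED_CODE)},
    {"program": "inv_reorder", "changed_by": "prog_mei",
     "reviewed_by": "prog_mei", "sha256": digest(b"reorder()\n")},
]

# Code actually installed in production.
PRODUCTION = {
    "ap_payment": CHANGED_CODE,            # differs from the reviewed version
    "inv_reorder": b"reorder()\n",
    "gl_adjust": b"post_adjustment()\n",   # never entered in the change record
}

ACCESS_RIGHTS = {
    "prog_azlan": {"change_program"},
    "oper_siti": {"run_production"},
    "prog_mei": {"change_program", "run_production"},
}


def check_production(production, change_record):
    """Compare installed programs with the reviewed versions in the change record."""
    reviewed = {entry["program"]: entry for entry in change_record}
    findings = []
    for name in sorted(production):
        entry = reviewed.get(name)
        if entry is None:
            findings.append((name, "NO_CHANGE_RECORD"))
            continue
        if digest(production[name]) != entry["sha256"]:
            findings.append((name, "CODE_DIFFERS_FROM_REVIEWED_VERSION"))
        if entry["changed_by"] == entry["reviewed_by"]:
            findings.append((name, "CHANGE_NOT_INDEPENDENTLY_REVIEWED"))
    return findings


def check_access(access_rights):
    """Users who can both change a program and run it in production."""
    incompatible = {"change_program", "run_production"}
    return sorted(user for user, rights in access_rights.items()
                  if incompatible <= rights)


if __name__ == "__main__":
    for finding in check_production(PRODUCTION, CHANGE_RECORD):
        print(finding)
    print("Incompatible rights:", check_access(ACCESS_RIGHTS))
```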

Testing must be done by the people who are involved in the development
process. The new system must be tested and modified if necessary before
it is implemented. This is to minimise errors after the system has been
installed. Types of testing include system testing, unit testing,
acceptance testing and others.

(c) Programming Management Control

A programmer is one of the personnel involved in the
development process. Programmers are often classified as:

(i) Application programmers
Develop and maintain programs for application systems.

(ii) System programmers
Develop and maintain system software. System software is software
such as operating systems, database management systems and
communications software, which provides general functions useful to
a wide range of application software.

Both can present substantial control problems for
management. System software is critical to an organisation; therefore errors
in system software can affect any application system that uses the system
software. Moreover, system software frequently has to run in privileged
mode to carry out its functions. Privileged mode here refers to a special
execution status that enables the software to avoid many standard controls,
and this status can be abused. For example, system software might be used
to gain unauthorised access to private data that can be sold to competitors.

It is difficult to control system programmers because they
normally work individually or in a small group. Therefore, it is difficult to
implement controls such as separation of duties and independent
checks on performance. Sometimes, the programmers need power to
produce their best work, especially when they are working
under tight deadlines. The following measures can be implemented
to minimise the problems of controlling the programmers:

(i) Hire only high-quality system programming staff
Management needs to be strict in checking candidates'
backgrounds and in interviewing when hiring system programmers.

(ii) Separate duties as much as possible
Separation of duties should be implemented if more than one system
programmer is employed. For example, one programmer will do the
coding and another one will do the testing.

(iii) Develop and document methods and performance standards
System programmers should know what is expected from them and
understand that they should follow the organisation's approach, so
that their work is in line with the organisation's control objectives.

(iv) Restrict the powers of system programmers
During production periods, system programmers should only have
the same powers as application programmers, meaning that they
should not be allowed to play around with the system software. In
addition, they should be allowed to develop and test system software
that runs in privileged mode only during special test periods.

(v) Keep a manual and machine log of system programmer activities
Each system programmer should have secure logs of his or her
activities. These logs should be analysed frequently to verify whether
unauthorised activities have occurred.

(vi) Employ outside consultants to evaluate system programming work
If internal expertise is not available to evaluate the work of system
programmers, outside experts might be hired from time to time to
review the work of system programmers.

(vii) Have application programmers periodically evaluate system
programmers
The quality of work carried out by the system programmer could be
evaluated by the system programming group.

Besides the above measures, the most important control that can be
implemented is to train the system programmers to follow the organisation's
policies. If management exercises high ethical behaviour and informs all
employees that they must follow this standard, then the system
programmers might find it difficult to abuse their power.
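
One way to analyse the machine log described in measures (iv) and (v), shown as an added Python example that is not part of the original module. It flags privileged-mode activity that falls outside an approved special test period, and it reports damaged or incomplete entries instead of skipping them. The log format, user names and test period are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: one approved special test period (start, end).
TEST_WINDOWS = [
    (datetime(2017, 8, 12, 22, 0), datetime(2017, 8, 13, 4, 0)),
]

# Constructed sample log of system programmer activity (hypothetical format).
SAMPLE_LOG = """\
2017-08-12T23:10:44 user=sp_lim mode=privileged action=install target=dbms_patch
2017-08-13T03:59:59 user=sp_lim mode=privileged action=test target=dbms_patch
2017-08-14T10:02:17 user=sp_lim mode=normal action=compile target=payroll_report
2017-08-14T14:31:09 user=sp_lim mode=privileged action=read target=customer_master
2017-08-15T09:00:00 user=sp_tan mode=privileged
this line was damaged
"""

REQUIRED_FIELDS = ("user", "mode", "action", "target")


def parse_line(line):
    """Return a dict for one log entry, or None if it is damaged or incomplete."""
    parts = line.split()
    if not parts:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if any(key not in fields for key in REQUIRED_FIELDS):
        return None
    fields["when"] = when
    return fields


def in_test_period(when, windows):
    """True if the timestamp falls inside any approved special test period."""
    return any(start <= when <= end for start, end in windows)


def review_log(text, windows):
    """Return (line number, finding, detail) for every entry needing follow-up."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            # A secure log should not contain unreadable entries, so report them.
            findings.append((number, "UNREADABLE_ENTRY", line.strip()))
        elif entry["mode"] == "privileged" and not in_test_period(entry["when"], windows):
            detail = f'{entry["user"]} {entry["action"]} {entry["target"]}'
            findings.append((number, "PRIVILEGED_OUTSIDE_TEST_PERIOD", detail))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG, TEST_WINDOWS):
        print(finding)
```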

(d) Data Resource Management Controls

Information systems process many sets of data every day. When an event
occurs that destroys one or more of them, data backup procedures can be
used to prevent the loss of data. Such events include floods, lightning,
hacking and others. For these reasons, computer operators regularly make
backup copies of all computer data, which are later stored in a location
different from that of the original data. If the data is destroyed or lost, the
person in charge can retrieve the data from the backup copy.

Management usually establishes control policies that describe the
data backup procedures. These policies are stated in Figure 4.5.

Figure 4.5: Control policies of data backup procedures

The nature of these procedures depends on the processing method and on the
technology used by the accounting system. The backup procedures in batch
processing, online real-time systems and local area networks are different, as
explained in the following subsections:

(i) Data backup in batch processing systems

The standard method for backing up data in a batch processing
system, or a batch system with online update, uses the grandfather-
father-son technique (see Figure 4.6). It requires the data centre to have
available at all times three generations of each master file. The most
recent version of the master file is the "son". Employees use this
generation in daily processing, and it requires a backup copy. The
previous generation master file, the "father", is the version that was
updated to produce the current one. If the current file is destroyed,
computer operators can recreate it from the father. The "grandfather"
is the version that was updated to produce the father. Computer
operators can use it to recreate both the father and the son.

Figure 4.6: Grandfather-father-son technique

The grandfather-father-son technique works well in batch processing
systems because these systems update master files daily, weekly or
monthly. An online real-time system updates its master files
continually, so the technique is not cost-effective for such systems.

(ii) Data backup in online real-time systems


The standard method of file backup in online real-time systems uses a
transaction log with periodic master file dumps. A file dump occurs
when the computer operator copies the contents of an online data set to
a removable device. This serves as a backup of the data set in case the
original online copy is destroyed. Management establishes policies that
determine how frequently file dumps should occur, but they are
commonly done once or twice each day. The file dump provides a
backup data set as of the time of the dump. However, because
transactions occur continually in an online real-time system, the backup
copy quickly becomes out of date. As a result, the computer operator
also maintains a transaction log. This contains a copy of all transactions
posted to the data set since the last file dump. While posting a
transaction to the data set, the system also copies it to the transaction
log. If the online data set is accidentally destroyed, the operator
recreates it from the transaction log and the most recent file dump.
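
The recovery procedure described above, as an added Python example that is not part of the original module: a destroyed online data set is rebuilt from the most recent file dump plus the transaction log. The class and function names, the sequence number carried by each log entry, the gap check and the sample accounts (amounts in sen) are assumptions made for illustration.

```python
import copy


class RecoveryError(Exception):
    """Raised when the transaction log cannot fully rebuild the data set."""


class OnlineDataSet:
    """Toy online master file (account -> balance) with a transaction log.

    The log list is passed in by the caller because it stands for a log kept
    on a separate device, so it survives the loss of the online copy.
    """

    def __init__(self, balances, log):
        self.balances = dict(balances)
        self.log = log
        self.last_seq = 0

    def post(self, account, amount):
        # Post to the data set and copy the same transaction to the log.
        self.last_seq += 1
        self.balances[account] = self.balances.get(account, 0) + amount
        self.log.append({"seq": self.last_seq, "account": account, "amount": amount})

    def file_dump(self):
        # Copy the data set to backup media, noting the last transaction included.
        return {"as_of_seq": self.last_seq, "balances": copy.deepcopy(self.balances)}


def recover(dump, log):
    """Rebuild balances from a file dump plus the log entries posted after it."""
    balances = copy.deepcopy(dump["balances"])
    expected = dump["as_of_seq"] + 1
    for entry in sorted(log, key=lambda e: e["seq"]):
        if entry["seq"] <= dump["as_of_seq"]:
            continue  # already reflected in the dump, so do not apply it twice
        if entry["seq"] != expected:
            # A missing entry means the rebuilt data set would be incomplete.
            raise RecoveryError(
                f"transaction log gap: expected {expected}, found {entry['seq']}")
        account = entry["account"]
        balances[account] = balances.get(account, 0) + entry["amount"]
        expected += 1
    return balances, expected - 1


def demo():
    """Constructed scenario: one dump, two later transactions, then a loss."""
    log = []
    data_set = OnlineDataSet({"C001": 50000, "C002": 12000}, log)
    data_set.post("C001", -2500)
    dump = data_set.file_dump()       # backup as of transaction 1
    data_set.post("C002", 4000)       # the dump is now out of date
    data_set.post("C003", 9900)
    before_loss = dict(data_set.balances)
    data_set.balances = None          # online copy destroyed
    recovered, last_seq = recover(dump, log)
    return recovered == before_loss, last_seq


if __name__ == "__main__":
    print(demo())
```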

(iii) Data backup in local area networks

Local area networks (LANs) store data on workstations and on file
servers. Making regular backups is important in these systems because
these data devices are less protected than those in a data centre.

A file server frequently has attached to it a backup disk or tape drive.
The LAN administrator periodically copies the contents of all files to a
magnetic disk or tape mounted in this drive. The same drive may
contain another disk or tape used as a transaction log while the LAN
is in operation. Procedures for routine backups at the file server are
important because users of individual workstations frequently forget
to make backup copies.

Workstation users, like operators of all personal computers, should make
regular backup copies of files stored at their locations. Many use
magnetic diskettes for this purpose, although individual workstations
may also include backup drives. The following are good procedures for
making data backups with workstations and personal computer systems
(see Figure 4.7).

Figure 4.7: Good procedures for making data backups

• Make full backups
Most backup systems can, if the user wishes, back up only files that
have changed since the last backup. However, backing up all files
(including those that have not changed) makes the process of
restoring damaged files much easier.
• Back up application programs
This avoids having to reinstall and customise a program from its
original diskettes.
• Use the verify option
Most backup systems can copy the file and then read it to
verify that the copy is correct. This is to ensure that the backup file
is the same as the original file.
• Back up every day
Most backup systems can do this automatically.
• Test the backups
The only way to be sure the backup system works properly is to
periodically restore the backups and test the restored files.
• Store backup copies off-site
This protects against loss of data due to unavoidable circumstances
at the user location.
• Maintain a boot disk
This is a copy of the computer's start-up configuration and
operating system made by a utility program. It can be used to
recreate the hardware settings in case of a complete hard drive
failure.
• Save some tapes or disks permanently
A common practice is to save all data each month. This is useful if
someone wants to recreate a file that was erased several months
before.
• Rotate new tapes and disks
Tapes and disks have a limited lifetime; therefore the current ones
can be used for certain periods only. Changing to new ones
reduces the chance of tape or disk failure.

A contingency plan is a formal document that describes procedures to
deal with unusual events that are not part of the normal daily routine.
Contingency plans describe the response necessary to deal with the
types of event that may occur, such as fires, explosions, floods and
others. A contingency plan affects several crucial accounting
applications; therefore it can be considered a general control. Proper
segregation of duties at the data centre requires that critical functions
performed at the data centre be separated.

Figure 4.8 shows what is included in a contingency plan.

Figure 4.8: Contingency plan

• Provide adequate insurance coverage
Insurance should be adequate to replace equipment and software
destroyed during unexpected events. Management should also
purchase business loss insurance, which compensates the
organisation for the costs of reconstructing the database and for
any revenues lost due to computer downtime.
• Designate an alternative processing location
If a data centre is destroyed, the MIS activity may require many
months to place it in operation again. Therefore, it is important for
the organisation to have another data centre at a different location.
The alternative site must have similar processing capacity to
process all crucial applications.
• Identify vital applications
Vital applications are the applications that the organisation
requires to continue operating. If a data centre is destroyed, the
MIS activity must implement these applications first at an
alternative processing location. Management must identify vital
applications and ensure that they can be implemented quickly at
the alternative site.
• Designate an off-site storage location
Management should find a place at a different location from
the data centre. This is to store items necessary to continue
operating the vital applications. These include copies of system
software, programs, backup data files, documentation and
operating instructions.
• Assign responsibility
Management should assign responsibility to an individual for
maintaining and implementing an up-to-date contingency plan.
The plan must state who is appointed and how they can be contacted if
something happens. If the key personnel are unavailable, a list of
alternative personnel and how they can be contacted must be
included. The plan should also identify and assign other
responsibilities necessary to begin operation at the alternative site.

(e) Security Management Control

Information security administrators are responsible for ensuring that
information systems assets are secure. Assets are secure when the expected
losses that will occur over some time are at an acceptable level. There are
two types of information security:
(i) Physical security
Protects the physical information system assets of an organisation
such as personnel, hardware, facilities, supplies and documentation.
(ii) Logical security
Protects data/information and software.

Security administrators have responsibility for controls over malicious and
non-malicious threats to physical security and malicious threats to logical
security. A major task of security administrators is to conduct a security
program, which is a series of ongoing, regular, periodic reviews conducted to
ensure that assets associated with the information systems functions are
safeguarded adequately.

Authority and responsibility must be clearly divided among various
functions in an organisation. Table 4.3 summarises various functions and
their responsibility.

Table 4.3: Authority and Responsibility among Various Functions

| Function | Responsibility |
|---|---|
| System administration | Systems administrators are responsible for ensuring that the different parts of an information system operate smoothly and efficiently. |
| Network management | Network managers ensure that all applicable devices are linked to the organisation's internal and external networks and operate continuously and properly. |
| Security management | Security management is in charge of ensuring that all aspects of the system are secure and protected from all internal and external threats. |
| Change management | These individuals manage all changes to an organisation's information system to ensure they are made smoothly and efficiently and to prevent errors and fraud. |
| Users | Users in the departments record transactions, authorise data to be processed and use system output. |
| System analysis | Systems analysts help users determine their information needs and then design an information system to meet those needs. |
| Programming | Programmers take the design provided by systems analysts and create an information system by writing the computer programs. |
| Computer operations | Computer operators run the software on the company's computers. They ensure that data are properly input to the computer, processed correctly and needed output is produced. |
| Information system library | The information system librarian maintains custody of corporate databases, files and programs in a separate storage area called the information system library. |
| Data control | The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output. |

It is important to ensure that different people carry out these functions.
Allowing a person to do two or more jobs exposes the company to the
possibility of fraud.

These physical access controls can be used to ensure the security of a system:
(i) Computer equipment should be kept in a locked room with access
restricted to authorised personnel;
(ii) The entrance to the computer room should be limited to a maximum
of two entrances. Security guards should be placed near the room and
closed circuit television system must be installed;
(iii) Personnel should be provided with an ID which is used to enter the
buildings or rooms. The entry and exit for each employee can be
recorded and traced;
(iv) Require visitors to sign a log as they enter and leave the site. Brief
them on company security policies, assign visitor's badges and escort
them to their destinations;
(v) Use a security alarm system to detect unauthorised access after
working hours;
(vi) Restrict access to private, secured telephone lines or to authorised
terminals or PCs;
(vii) Install locks on PCs and other computer devices;
(viii) Restrict access to off-line programs, data and equipment;
(ix) Locate hardware and other critical system components away from
dangerous or flammable materials; and
(x) Install fire and smoke detectors and fire extinguishers.

For logical access control, users should be allowed to access only the data
they are authorised to use and view, and to perform only specific functions
such as viewing, copying, inserting and deleting data. It is also important to
protect data from those outside the organisation.

To restrict logical access, a system must be able to differentiate between
authorised and unauthorised users, utilising what the user knows or possesses,
where the user is accessing the system from, or some personal characteristic.
Refer to the following:

(i) User IDs and passwords

A password mechanism is the most popular method used to
authenticate a user. However, this mechanism cannot guarantee that
the real user is who the system acknowledges him/her to be. When
signing on to a system, users identify themselves by entering a unique
user ID. Users then enter a password. If the user-entered ID and
password match those in the computer, then the system assumes it is
an authorised user. In addition, the user could be asked personal
questions such as mother's maiden name, favourite car and others.
These are normally set during the registration of the user ID.

(ii) Physical possession identification

People can be identified by ID cards that contain a person's name, ID
number, picture and other related information. Some of the cards can
be read by computer and/or security devices such as door locks.
Security can be increased significantly if a user is required to have
both an ID card and a password before accessing the system.

(iii) Biometric identification


Biometrics is an automated method of recognising a person based on a
physiological or behavioural characteristic such as fingerprints, voice
patterns, retina prints, facial patterns and others. Biometric technologies
are becoming the foundation of an extensive array of highly secure
identification and personal verification solutions. When a person needs
to access the system, he or she needs to use the biometric identification,
which is matched against those stored in the computer.

(iv) Compatibility tests

A compatibility test uses an access control matrix, which is a list of
authorised user ID numbers and passwords, a list of all files, data and
programs, and the access each user has to them. When an individual
tries to access data or programs or operate the system, a compatibility
test should be performed to determine if the user is authorised to
perform the desired action. This procedure is to prevent both
unintentional errors and deliberate attempts to manipulate the
system.
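The compatibility test described in (iv) can be sketched as follows. This is an added example, not code from the module: the user IDs, file names and rights are constructed sample data, the user is assumed to have already been authenticated by ID and password, and anything the matrix does not explicitly grant is denied and logged.

```python
from datetime import datetime, timezone

# Access control matrix: user ID -> resource -> set of permitted actions.
# Every user ID, resource name and right below is constructed sample data.
ACCESS_MATRIX = {
    "U1001": {"payroll_master": {"view"}, "ar_ledger": {"view", "insert"}},
    "U1002": {"payroll_master": {"view", "insert", "delete"}},
    "U1003": {"inventory_master": {"view", "copy"}},
}
# The specific functions named in the text.
KNOWN_ACTIONS = {"view", "copy", "insert", "delete"}


class AccessLog:
    """Record of every compatibility test, whether allowed or denied."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, resource, action, allowed, reason):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "resource": resource, "action": action,
            "allowed": allowed, "reason": reason,
        })

    def denials(self):
        """Denied attempts, for review as possible errors or misuse."""
        return [e for e in self.entries if not e["allowed"]]


def compatibility_test(user_id, resource, action, log=None, matrix=ACCESS_MATRIX):
    """Return True only if the matrix explicitly grants the action.

    Unknown users, unknown resources and actions outside the user's
    rights are all denied (default deny).
    """
    if action not in KNOWN_ACTIONS:
        allowed, reason = False, "unknown action"
    elif user_id not in matrix:
        allowed, reason = False, "unknown user"
    elif resource not in matrix[user_id]:
        allowed, reason = False, "no access to resource"
    elif action not in matrix[user_id][resource]:
        allowed, reason = False, "action not permitted"
    else:
        allowed, reason = True, "granted"
    if log is not None:
        log.record(user_id, resource, action, allowed, reason)
    return allowed


def who_can(resource, action, matrix=ACCESS_MATRIX):
    """List the users holding a given right, for periodic access reviews."""
    return sorted(u for u, rights in matrix.items()
                  if action in rights.get(resource, ()))


if __name__ == "__main__":
    log = AccessLog()
    print(compatibility_test("U1001", "ar_ledger", "insert", log))
    print(compatibility_test("U1001", "payroll_master", "delete", log))
    for entry in log.denials():
        print(entry["user"], entry["resource"], entry["action"], entry["reason"])
```
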

(f) Operations Management Control


Operations management is responsible for the daily running of hardware
and software facilities so that:
(i) Production application systems can accomplish their work; and
(ii) Development staff can design, implement and maintain application
systems.

Specifically, operations management performs nine major functions:
(i) Managing day-to-day operations of an organisation's hardware/software
platform. Managing wide area and local area network operations;
(ii) Managing data preparation and entry;
(iii) Operating a production control section to manage input/output,
schedule jobs, manage user service-level agreements, manage charge
out and acquire consumables;
(iv) Managing an organisation's library of machine readable files;
(v) Managing the documentation that supports the information systems
function and the inventory of acquired and licensed software held by
an organisation;
(vi) Operating a help desk and technical support function for users of the
information systems function;
(vii) Monitoring performance and ensuring adequate hardware/software
capacity is available; and
(viii) Managing operations that are outsourced.

Operations management must ensure that each function has its own methods
and performance standards, that expert personnel are hired to perform
each function and that operations personnel are trained and managed properly.

Controls over computer operations govern the activities that support the
daily execution of either test or production systems. Three types of controls
that must exist are:
(i) Those that prescribe the functions that either human operators or
automated operations facilities must perform;
(ii) Those that prescribe how jobs are to be scheduled on the
hardware/software platform; and
(iii) Those that prescribe how hardware is to be maintained in good
operating order.

Network operations govern the activities of wide area and local area
networks.
(i) In wide area networks, careful control should be exercised over
network control terminals. These terminals allow powerful access and
action privileges to be executed to monitor and maintain a network;
and
(ii) In local area networks, file servers must be secured. Unauthorised access
to a file server can allow an intruder to interrupt the operations of a local
area network or compromise data integrity within the network.


Data preparation and data entry facilities should be designed to promote
speed and accuracy. The data entry operators should be well trained to
perform data preparation and data entry tasks. Suitable backup must exist
for input data and data preparation and data entry devices.

In production control, control must be exercised over the receipt of input
and the dispatch of output. This is to ensure that input is accepted only from
authorised parties, input is submitted on a timely basis and output is
provided only to authorised parties. Job schedules must be prepared to
ensure only authorised production jobs are performed.

(g) Quality Assurance Management Controls

Quality assurance personnel within the information systems function are
concerned with ensuring that the information systems achieve certain
quality goals and that the development, implementation, operation and
maintenance of information systems comply with a set of quality standards.

The QA function associated with the information systems function has
emerged for six reasons:
(i) Organisations are increasingly producing safety-critical systems where
high levels of quality must be achieved;
(ii) Users are becoming more demanding about the quality of software
they use;
(iii) Organisations are undertaking more ambitious projects when they
build software;
(iv) Organisations have become more worried about their liabilities if
they produce and sell malfunctioning software;
(v) Poor control over the development, implementation, operation and
maintenance of information systems can be costly; and
(vi) Organisations are improving the quality of their goods and services so
that they can compete more effectively with their competitors.

Quality assurance personnel perform the following major functions:
(i) Developing quality goals for the information system function overall
and for individual information systems projects;
(ii) Developing, disseminating and maintaining standards for the
information systems function;
(iii) Monitoring compliance with QA standards;
(iv) Identifying areas for improvement;
(v) Reporting to management; and
(vi) Training personnel in QA standards and procedures.

QA personnel must be well trained and competent. They must also have a
high level of interpersonal skills. Finding suitable people with the range
of skills required is quite difficult. Furthermore, many information
systems professionals prefer to work in development rather than quality
assurance roles.

4.3.2 The Application Control Framework

The main objective of application controls is to ensure the integrity of a specific
application's inputs, stored data, programs, data transmissions and outputs.
Both general controls and application controls are necessary because application
controls will be much more effective in the presence of strong general controls. If
application controls are weak, the information system output is likely to contain
errors. Incorrect data can lead to poor management decision making and can
negatively affect a company's relationship with customers, suppliers and other
external parties.

Figure 4.9 shows the application control framework.

Figure 4.9: Application control framework

Now, let us look at this framework in more detail.

(a) Boundary Control


The boundary subsystem establishes the interface between the prospective
user of a computer system and the computer system itself. Controls in the
boundary subsystem have three major purposes:
(i) To establish the identity and authenticity of prospective users of a
computer system;
(ii) To establish the identity and authenticity of the resources that users
wish to utilise. Users must ensure that they are given valid resources;
and
(iii) To restrict the actions taken by users who obtain computer resources
to a set of authorised actions. Users may be allowed to utilise
resources only in restricted ways.


There is a marked increase in the use of and strength of boundary controls
today due to:
(i) Widespread deployment of distributed systems has resulted in many
users being isolated physically; and
(ii) The rapid growth of electronic commerce systems has resulted in
substantial work being undertaken on measures to identify and
authenticate the parties who exchange monies via these systems.

Several major types of controls that are being used in the boundary
subsystem are summarised in Table 4.4.

Table 4.4: Types of Controls Being Used in Boundary Subsystem

Controls | Descriptions
Cryptographic controls | Can be used to protect the integrity of data used within the boundary subsystem.
Access controls | Can be used to prevent unauthorised access to and use of resources.
Audit trail | Events in the boundary subsystem must be recorded in an accounting audit trail. An operations audit trail records resource-oriented events.
Existence controls | This is to restore the boundary subsystem in the event of failure.

(b) Input Controls


Components in the input subsystem are responsible for bringing both data
and instructions into an application system. Both types of input must be
validated. Any errors detected must be controlled to ensure the input is
accurate, complete, unique and timely.

There are different types of approaches used to enter data into an
application system as you can see in Figure 4.10.

Figure 4.10: Types of approaches used to enter data into an application system

The following source data controls regulate the integrity of input:

(i) Form design


Source documents and other forms should be designed to help in
minimising errors and exceptions. Forms are normally pre-numbered
to ensure better control.

(ii) Pre-numbered forms sequence test


When sequentially pre-numbered forms are used, the system should
be programmed to identify and report missing or duplicate form
numbers.

(iii) Turnaround documents


A turnaround document is a record of company data sent to an
external party and then returned by the external party to the system
as an input. Turnaround documents are prepared in machine-
readable form to facilitate their subsequent processing as input
records. Since turnaround documents are system outputs that come
back as machine-readable input records, they are much more accurate
than input records prepared by manual keying. An example is a
utility bill that requires a special scanning device to read the bar code
when the bill is returned with a payment.

(iv) Cancellation and storage of documents

Documents that have been entered into the system previously should
be cancelled so they cannot be unintentionally or illegally reentered
into the system. Paper documents can be defaced, for example by stamping
them "Paid". For an electronic document, a flag can be placed in the
database as an indicator that the document has been cancelled.
Original source documents should be retained for as long as needed
to satisfy legal requirements.

(v) Authorisation and segregation of duties


Sufficient segregation of duties should be maintained to ensure the
source documents are prepared by authorised personnel.

(vi) Visual scanning


Source documents should be scanned for accuracy before being
entered into the system.

(vii) Check digit verification

Authorised ID numbers contain a check digit that is computed from
the other digits.

(viii) Key verification

Key verification is expensive and is used only for crucial input. It
consists of an employee re-keying data into the computer, which compares
the two sets of keystrokes and highlights inconsistencies for correction.

Figure 4.11 summarises edit checks that are used in input validation
routines.

Figure 4.11: Edit checks that are used in input validation routines

Now let us look at each check.


(i) A sequence check tests if a batch of input data is in the proper
numerical or alphabetical sequence;
(ii) A field check determines if the characters in a field are of the proper
type. For example, a check on a numerical field would indicate an
error if it contained blanks or alphabetic characters;
(iii) A sign check determines if the data in a field have the appropriate
arithmetic sign. For example, data in an inventory balance field
should never possess a negative sign;

(iv) A validity check compares ID numbers or transaction codes with
those already authorised. For example, if a sale to customer 12345 is
entered, the computer must locate customer 12345 in the customer
database to confirm that the sale was indeed made to a valid
customer;
(v) A limit check tests a numerical amount to ensure that it does not
exceed a pre-determined upper or lower limit. For example, the
hours-worked field in weekly payroll input can be compared with a
maximum amount, such as 60 hours;
(vi) A range check is similar to a limit check except that it has both upper
and lower limits. Range checks are used on transaction date fields,
since a date should be within a few days of the current date;
(vii) A reasonableness test determines the logical correctness of input and
stored data. For example, a RM1,000 monthly salary increase is
reasonable for an executive with a current salary of RM15,000 per
month but not for a data entry clerk making RM1,000 per month;
(viii) A redundant data check uses two identifiers in each transaction
record to confirm that the correct database record has been updated.
For example, the customer account number and the first five letters of
the customer's name can be used to retrieve the correct customer
master record from the accounts receivable file; and
(ix) A capacity check ensures that the data will fit into the assigned field.
For example, "2323421112" will not fit in an eight digit field.
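The per-record edit checks above can be combined into one input validation routine, shown here for a payroll input record. This is an added example, not code from the module: the employee master file is constructed, and the three-day date window and the 10 per cent salary-increase threshold are assumptions standing in for "a few days" and "reasonable". The sequence check is left out because it applies to a whole batch rather than to one record.

```python
import re
from datetime import date
from decimal import Decimal

# Constructed employee master file: ID -> (name, current monthly salary in RM).
EMPLOYEE_MASTER = {
    "10023": ("Aminah Yusof", Decimal("15000")),
    "10057": ("Tan Wei Ming", Decimal("1000")),
}
ID_FIELD_WIDTH = 8                 # capacity of the ID field (eight digits)
MAX_WEEKLY_HOURS = Decimal("60")   # limit from the payroll example in the text
DATE_WINDOW_DAYS = 3               # assumed meaning of "a few days"
MAX_RAISE_RATIO = Decimal("0.10")  # assumed reasonableness threshold

NUMERIC = re.compile(r"-?\d+(\.\d+)?")


def to_number(text):
    """Field check helper: a Decimal, or None for blanks and letters."""
    return Decimal(text) if NUMERIC.fullmatch(text) else None


def edit_checks(record, today, master=EMPLOYEE_MASTER):
    """Run the edit checks on one keyed record; return the failures found."""
    errors = []
    emp_id = record["employee_id"]

    # Capacity check: the value must fit the assigned field.
    if len(emp_id) > ID_FIELD_WIDTH:
        errors.append("capacity: employee_id")

    # Validity check: the ID must already exist in the master file.
    entry = master.get(emp_id)
    if entry is None:
        errors.append("validity: employee_id")
    # Redundant data check: a second identifier must agree with the first.
    elif record["name_prefix"].lower() != entry[0][:5].lower():
        errors.append("redundant data: name_prefix")

    # Field check, then sign and limit checks on the numeric value.
    hours = to_number(record["hours_worked"])
    if hours is None:
        errors.append("field: hours_worked")
    else:
        if hours < 0:
            errors.append("sign: hours_worked")
        if hours > MAX_WEEKLY_HOURS:
            errors.append("limit: hours_worked")

    # Range check: the date has both a lower and an upper bound.
    try:
        txn_date = date.fromisoformat(record["txn_date"])
    except ValueError:
        errors.append("field: txn_date")
    else:
        if abs((today - txn_date).days) > DATE_WINDOW_DAYS:
            errors.append("range: txn_date")

    # Reasonableness test: the increase is judged against stored salary.
    increase = to_number(record["salary_increase"])
    if increase is None:
        errors.append("field: salary_increase")
    elif entry is not None and increase > entry[1] * MAX_RAISE_RATIO:
        errors.append("reasonableness: salary_increase")
    return errors


if __name__ == "__main__":
    sample = {"employee_id": "10057", "name_prefix": "Tan W",
              "hours_worked": "72", "txn_date": "2024-01-02",
              "salary_increase": "1000"}  # constructed input record
    print(edit_checks(sample, date(2024, 3, 15)))
```
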

(c) Communication Controls

The communication subsystem is responsible for transmitting data among
all the other subsystems within a system or for transmitting data to or
receiving data from another system. The integrity of data within the
subsystem can be damaged by impairments in transmission media such as
attenuation, distortion and noise; hardware and software component
failure; active subversive threats such as insertion, deletion, modification
and duplication of messages, changes to the order of messages or denial of
message services; and others.

Two important controls that must be executed within the communication
subsystems are:

(i) Line error controls


Line errors can be detected via loop checks, parity checks, and cyclic
redundancy checks. They can be corrected using forward error
correction techniques or retransmission.


(ii) Flow controls

Flow controls are needed because two nodes in a network could be
different in terms of the rate at which they receive and process data.
The examples of flow control are:
• Stop-and-wait flow control – the simplest form; and
• The sliding window flow control – more complex, but makes
better use of the available channel capacity.

Line controls and flow controls are combined within the link management
protocols applied over a communication line. Three widely used link
protocols are HDLC, SDLC and ATM protocols.

Figure 4.12 illustrates several types of control that can be used in the
communication subsystem to reduce exposure from subversive threats.

Figure 4.12: Types of control used in the communication
subsystem to reduce exposure from subversive threat

Now let us look at each control in detail.


(i) Link encryption – used to protect the integrity of data traversing a
communication line between two nodes;
(ii) End-to-end encryption – used to protect the integrity of data passing
between a sender and receiver;
(iii) Stream ciphers – used to make it more difficult to analyse patterns in
cipher text;
(iv) Error propagation codes – used to detect unauthorised changes to
blocks of data in a message;
(v) Message authentication codes – used to identify changes to the
content of a message;
(vi) Message sequence numbers – used to identify subversive attacks that
deny message services; and
(vii) Request-response mechanisms – used to identify subversive attacks
that deny message services.
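The sketch below shows how message authentication codes and message sequence numbers work together on the receiving side to flag the modification, insertion, duplication, deletion and reordering of messages listed under communication controls. It is an added example, not code from the module: the frame layout (8-byte sequence number, payload, 32-byte HMAC-SHA-256 tag) and the strict in-order policy are assumptions, and the shared key is assumed to have been distributed securely beforehand.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32   # HMAC-SHA-256 output size
SEQ_LEN = 8    # big-endian 64-bit sequence number


class Sender:
    def __init__(self, key):
        self._key = key
        self._seq = 0

    def send(self, payload):
        """Frame = sequence number + payload + MAC over both."""
        self._seq += 1
        header = struct.pack(">Q", self._seq)
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key):
        self._key = key
        self._expected = 1

    def receive(self, frame):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "bad_mac", None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a mismatch means the content or the
        # sequence number was changed, or the frame was inserted by a
        # party that does not hold the key.
        if not hmac.compare_digest(tag, good):
            return "bad_mac", None
        (seq,) = struct.unpack(">Q", header)
        if seq < self._expected:
            return "duplicate", None   # already-seen message sent again
        if seq > self._expected:
            return "gap", None         # an earlier message is missing or late
        self._expected += 1
        return "ok", payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    sender, receiver = Sender(key), Receiver(key)
    first = sender.send(b"PAY RM100 TO V-17")   # constructed message
    second = sender.send(b"PAY RM250 TO V-22")  # constructed message
    print(receiver.receive(first))
    print(receiver.receive(first))    # duplicated frame
    altered = bytearray(second)
    altered[SEQ_LEN + 6] ^= 0x01      # one bit changed in transit
    print(receiver.receive(bytes(altered)))
    print(receiver.receive(second))
```
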

(d) Data Processing and Storage Controls

The database subsystem provides functions to define, create, modify, delete
and read data in an information system. Several major types of controls
that must be implemented in the database subsystem to improve the reliability
of its components and to protect the integrity of data stored in the database
are summarised in Table 4.5.

Table 4.5: Types of Control That Must be Implemented in Database Subsystem
to Improve Reliability and Integrity of Data Stored

Control | Description
Access controls | Restrict the actions that users can do on the database.
Integrity constraints | Maintain the accuracy, completeness, and uniqueness of instances of the constructs used within the conceptual modelling or data modelling approach used to design the database. Application programs should use certain update and reporting protocols to prevent and to detect data integrity violations.
Concurrency controls | Must exist to prevent inconsistent updating or reading of the database, when data is shared among multiple users.
Cryptographic controls | Preserve the privacy of data in the database.
File handling controls | Reduce the likelihood of accidental removal of data.
Audit trail controls | Maintain a chronology of all events that occur in the subsystem.
Existence controls | Must be implemented to restore the database in the event of loss.


Common controls that help preserve the integrity of data processing and
stored data are as follows:

(i) Policies and procedures


These should be established for the following aspects of data
processing and storage (see Figure 4.13).

Figure 4.13: Five aspects of data processing

Employees should sign contracts that require them to maintain the
privacy and confidentiality of the company data.

(ii) Data control function

Applications in which a large number of paper forms are entered into
the system should have a data control function set up. Data control logs
the data as they are received, checks for user authorisations, monitors
processing, reconciles control totals after each processing step, notifies
users of incorrect inputs and reenters all error corrections.

(iii) Reconciliation procedures

All transactions and other system updates should be reconciled to
control reports, file status/update reports, or other control
mechanisms. This is done by the end of each day, or occasionally if
processing is continuous. In addition, general ledger
accounts should be reconciled to subsidiary account totals on a regular
basis.

(iv) External data reconciliation


Database totals should periodically be reconciled with data maintained
outside the system. For example, the number of employee records in
the payroll file can be compared with the total from human resources to
detect attempts to add bogus employees to the payroll database.

(v) Exception reporting


When files are scanned or processed, all unusual conditions should be
listed.

(vi) Data currency checks

A "date of last transaction" field can be scanned periodically to
identify records that are more than a year old. This is to trace any
outdated data. Data becomes outdated when suppliers or customers go out
of business, employees resign and so on.

(vii) Default values


In certain cases, fields are left blank if a standard default value is to be
used. For example, if the hours worked field in the payroll input is left
blank, an employee could be paid for 160 hours.

(viii) Data matching

In certain cases, two or more items of data must be matched before an
action can take place. For example, the system could verify that
information on the vendor invoice matches that on both the purchase
order and the receiving report before paying a vendor.

(ix) File labels

These labels can protect data files from unintended misuse. There are
a few examples of labels:
• An external label such as a paper label attached to a storage device
contains the file name, contents and date processed.
• Internal labels are written in machine-readable form on the data
recording media. There are three different internal labels:
  • A volume label identifies the entire contents of each separate
  data recording medium, such as a hard disk, diskette or tape
  reel.
  • A header label located at the beginning of each file contains
  the file name, expiration date and other identification data.
  • A trailer label located at the end of the file contains file control
  totals, which are checked against those accumulated during
  processing.

(x) Write protection mechanisms


These protect against the accidental writing over or erasing of data
files.

(xi) Database protection mechanisms

Database systems use these mechanisms to provide data protection:
• Database administrators – establish and enforce procedures for
accessing and updating the database;
• Data dictionaries – ensure that data items are defined and used
consistently; and
• Concurrent update controls – protect records from errors that
occur when two or more users attempt to update the same record
concurrently. This is done by locking out one user until the system
has finished processing the update entered by the other user.

(xii) Data conversion controls

Conversion controls are needed to ensure that the new data storage
media are free of errors when the data from old files and databases
are entered into new data structures. The old and new systems should be
run in parallel at least once and the results should be compared to
identify inconsistencies. This also makes sure the new system
runs smoothly before the old system is shut down. Data conversion
should be carefully supervised and reviewed by internal auditors.

(xiii) Data security

A properly supervised data library is one essential means of preventing
loss of data. A librarian who logs data files in and out, together with
internal and external labels, write protection mechanisms and backup
copies of data files stored at a secure off-site location, helps to ensure
data integrity. The data file storage area also should be protected against
fire, dust, excess heat or humidity, and other conditions that could harm
stored data.
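The internal labels in (ix) can be illustrated with a small transaction file whose header label carries the file name and expiration date and whose trailer label carries control totals that are recomputed during processing. This is an added example, not code from the module: the pipe-delimited HDR/DTL/TRL layout, the file names and the records are all constructed for the illustration.

```python
from datetime import date
from decimal import Decimal


def build_file(name, expires, records):
    """Write header label, detail records and trailer label as text.

    records is a list of (account_number, amount) pairs.
    """
    lines = [f"HDR|{name}|{expires.isoformat()}"]
    total = Decimal("0")
    for account, amount in records:
        lines.append(f"DTL|{account}|{amount}")
        total += amount
    # Trailer label: control totals accumulated while writing.
    lines.append(f"TRL|{len(records)}|{total}")
    return "\n".join(lines) + "\n"


def check_labels(text, expected_name):
    """Recompute the control totals and compare them with the labels.

    Returns a list of problems; an empty list means the file may be used.
    """
    lines = text.splitlines()
    if (len(lines) < 2 or not lines[0].startswith("HDR|")
            or not lines[-1].startswith("TRL|")):
        return ["missing header or trailer label"]

    problems = []
    # Header label: make sure this is the file the program expects.
    if lines[0].split("|")[1] != expected_name:
        problems.append("header label names a different file")

    count, total = 0, Decimal("0")
    for line in lines[1:-1]:
        _tag, _account, amount = line.split("|")
        count += 1
        total += Decimal(amount)

    _tag, label_count, label_total = lines[-1].split("|")
    if count != int(label_count):
        problems.append("record count differs from trailer label")
    if total != Decimal(label_total):
        problems.append("amount total differs from trailer label")
    return problems


def may_overwrite(text, today):
    """A file may be written over only after its expiration date."""
    expires = date.fromisoformat(text.splitlines()[0].split("|")[2])
    return today > expires


if __name__ == "__main__":
    # Constructed accounts receivable transactions.
    sample = [("40012", Decimal("250.00")), ("40013", Decimal("99.50"))]
    text = build_file("AR-TXN", date(2024, 12, 31), sample)
    print(check_labels(text, "AR-TXN"))
    print(check_labels(text.replace("DTL|40013|99.50\n", ""), "AR-TXN"))
    print(may_overwrite(text, date(2024, 6, 1)))
```
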

(e) Output Controls

The output subsystem provides functions that determine the content of
data that will be provided to users, the ways data will be formatted and
presented to users, and the ways data will be prepared for and routed to
users. Companies should establish, document and follow procedures
designed to ensure that all system outputs conform to the organisation's
integrity objectives, policies and standards.

The procedures would ensure that the company does the following:
(i) Reviews all output for reasonableness and proper format;
(ii) Reconciles corresponding output and input control totals on a daily
basis;
(iii) Distributes computer output to the appropriate user departments;
(iv) Protects sensitive or confidential outputs that are being delivered to
users from unauthorised access, modification and misrouting;
(v) Stores sensitive or confidential output in a secure and locked area;
(vi) Requires users to carefully review the completeness and accuracy of
all computer output that they receive;
(vii) Shreds or destroys highly confidential data such as lists of outdated
customers; and
(viii) Corrects any errors found on the output reports.

Five sets of controls are exercised over these functions and they are:
(i) Inference controls
These controls are used to filter the output that users are allowed to
see. They are important in regulating access to statistical databases
where users are allowed to obtain summary information about data
but the privacy of persons about whom data is stored must be
preserved. Inference controls work by either restricting query set sizes
or disturbing the input or output of a statistical function.

(ii) Batch output production and distribution controls
Ensure that batch output is not lost or corrupted and that the privacy of
data is not violated during its preparation and routing to users.

(iii) Batch report design controls
High-quality design of batch reports facilitates the controls
employed over batch output as it passes through the various
production and distribution phases. For example, the title page can be
used to show important control information like the authorised
recipients of the report, the security classification of information
contained in the report, and the period of time during which the report
must be retained.

(iv) Online output production and distribution controls
Ensure that online output is not lost or corrupted and that the privacy
of data is not violated during its preparation and routing to users.

(v) Audit trail controls and a set of existence controls for output
subsystem
Audit trail controls maintain the chronology of events from the time
the content of output is determined to the time the output is presented
to users. Existence controls enable either batch or online output to be
recovered in the event of loss.
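The inference controls in (i) can be illustrated with a statistical query over salary data that applies both techniques the text names: the query set size is restricted, and the output is disturbed by rounding. This is an added example, not code from the module: the employee rows, the minimum query set size of three and rounding to the nearest RM100 are assumptions chosen for the illustration.

```python
# Constructed statistical database of monthly salaries in RM.
EMPLOYEES = [
    {"dept": "Finance", "grade": "M1", "salary": 9200},
    {"dept": "Finance", "grade": "C1", "salary": 4100},
    {"dept": "Finance", "grade": "C1", "salary": 4300},
    {"dept": "Finance", "grade": "C2", "salary": 4700},
    {"dept": "Sales", "grade": "C2", "salary": 5200},
    {"dept": "Sales", "grade": "C2", "salary": 5000},
    {"dept": "Sales", "grade": "M2", "salary": 12000},
    {"dept": "Sales", "grade": "C1", "salary": 3900},
]
MIN_QUERY_SET = 3   # assumed minimum number of people behind any answer


def query_set_allowed(size, population, k=MIN_QUERY_SET):
    """Query set size restriction.

    A set smaller than k discloses individuals directly. A set larger
    than population - k is refused as well, because subtracting its
    answer from a whole-population figure would describe the few
    people left out.
    """
    return k <= size <= population - k


def average_salary(predicate, rows=EMPLOYEES, k=MIN_QUERY_SET):
    """Return the rounded average salary of matching rows, or None if refused."""
    matched = [row["salary"] for row in rows if predicate(row)]
    if not query_set_allowed(len(matched), len(rows), k):
        return None
    mean = sum(matched) / len(matched)
    # Output perturbation: release the figure only to the nearest RM100.
    return round(mean, -2)


if __name__ == "__main__":
    print(average_salary(lambda r: r["dept"] == "Finance"))   # answered
    print(average_salary(lambda r: r["grade"] == "M2"))       # one person: refused
    print(average_salary(lambda r: r["grade"] != "M2"))       # complement: refused
```
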

SELF-CHECK 4.3

1. Why is there a need for control and audit of computer systems?
2. What are the implications of a company losing its:
(a) Personnel master file; and
(b) Inventory master file.
3. Differentiate between standards and policies.
4. Explain the grandfather-father-son technique in your own words.

• A sound system of internal control must exist in order to ensure asset
safeguarding, data integrity, system effectiveness and system efficiency.
• Use of computers does not affect the basic objectives of internal control.
• However, it affects how these objectives must be achieved.

Audit trail
Authorisation
Compatibility tests
Contingency plan
Corrective controls
Detective controls
Edit checks
Edit programs
Field check
Limit check
Policies
Preventive controls
Progress report
Sequence check
Sign check
Standards
Validity check


Topic 5 Accounting Transaction Cycles
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Explain how economic events are recorded as accounting
transactions;
2. Describe four transaction cycles that make up an accounting
transaction processing system;
3. Describe four input acquisition activities;
4. Categorise business activities into their respective cycles; and
5. Discuss the application systems constituting each transaction cycle.

INTRODUCTION

"Net4Barter pioneered the Indian corporate barter industry, when it
commenced operations in June 2000. The company developed a huge
opportunity for barter transactions among Indian companies. It enabled
companies to buy products and services – without spending cash – by paying
in kind, which in turn can resolve their excess stock problems.

The solution Net4Barter needed revolved around the creation of an organised
trade exchange at a national level which facilitates trade among a network of
companies.

The implementation of Microsoft® Business Solutions–Navision® has helped
Net4Barter to restructure business processes. It has enabled the company to
automate its bartering transaction processes and also to integrate transaction
workflow and processes with accounting. The company is now competent to
maintain its barter balances and manage transaction status updates in real
time, which has helped the company to save as much as 40 per cent on
operating costs."
Source: http://www.microsoft.com/india/casestudies/net4barter.aspx

How do you think a barter system can be implemented in the 21st century? In your
opinion, how do accounting system transactions help barter systems?

This topic presents an overview of accounting transaction cycles which form the
basis of Accounting Information Systems. There are three main cycles which
consist of the revenue cycle, the expenditure cycle and the production cycle.
Apart from that, we will also discuss another topic which is very important in
AIS called general ledger and reporting systems. Some authors consider the
general ledger and reporting system as another cycle called the financial cycle. In
this topic, we will look at the cycles in general before proceeding to the next topic
which gives detailed information on each cycle.

5.1 ECONOMIC EVENTS

Economic events such as the receipt of payment or payment for purchases occur in
the cycle of business activities. They are recorded as accounting transactions in
accounting systems. Accounting systems are designed to record, summarise and
report the results of economic events for organisations. Although all organisations
differ in their operations, all of them still engage in business activities. Figure 5.1
below summarises the business activities in most organisations.


Figure 5.1: The cycle of basic business activities


Source: Boockholdt (1999)

From Figure 5.1, we know that in any business activity, the main objective is to increase the capital of the company. The cycle of business activities begins when capital is invested in a business. This capital may come from the owners of the business or from creditors. If it comes from the owners, the investment is considered the owners' equity. If it comes from creditors, the investment is either long-term debt or current liabilities of the company. In many businesses, most of the capital is used to purchase long-term productive assets which help to increase the capital of the firm. The business reports the results of its operations to the sources of its capital from time to time. In short, capital investment comprises two significant economic events (see Figure 5.2):
(i) Raising capital; and
(ii) Using capital to acquire productive assets.

Figure 5.2: Economic events in a capital investment


Another event that occurs during this activity is producing business reports for the sources of capital. It is necessary to maintain those sources, especially when additional capital is needed later.

The second component of the cycle of business activities is the acquisition of materials and overhead items such as supplies. These inputs are also used to increase the capital of the business. However, business transactions are usually done on a credit basis. Therefore, when the business purchases inputs, it receives the inputs on the condition that the payment will be made at a certain date. Basically, the business records an obligation to pay and pays when the due date arrives. The activities involved in input acquisition are summarised in Figure 5.3.

Figure 5.3: Input acquisition activities

The next step in the cycle of activities is the conversion of inputs into goods or
services (production). The business sells these goods or services to increase its
capital. The conversion/production process is different for each business.

For manufacturing companies, they buy raw material, apply labour and overhead
to them, and produce an output as the finished goods. On the other hand, service
companies convert inputs into outputs in the form of services. As for the
merchandising companies such as retailers and wholesalers, little labour is used
because they purchase inventories of goods, repackage them and then market
them. Nevertheless, all three businesses use inventories of supplies in their
conversion processes. Also, only one economic event occurs during this conversion
which is the consumption of labour, materials and overhead to produce products
or services that can be sold.


Finally, the last component in the figure is the sale of the goods or services that were the outputs of the conversion process. When these are sold at a profit, the capital investment of the business increases. Also, additional cash is available for reinvestment, or for making payments to the sources of capital in the form of dividends and interest. By providing a source of additional capital, the sales component completes the cycle of business activities. In sum, the activities involved in this cycle are receiving a customer order, delivering goods to the customer, requesting payment for the goods and receiving payment.

Table 5.1 summarises the economic events in the cycle of business activities.

Table 5.1: Events in the Business Activity Cycle

| Business Cycle Activity | Events |
|---|---|
| Capital investment | Raise capital; Use capital to acquire property; Periodic reporting |
| Input acquisition | Request inputs to the conversion process; Receive inputs; Record obligation to pay; Pay for inputs |
| Conversion | Consume labour, material and overhead |
| Sales | Receive request for goods and services; Deliver to customer; Request payment; Receive payment |

Source: Boockholdt (1999)

5.2 ECONOMIC EVENTS AND ACCOUNTING TRANSACTIONS

Economic events exist in any business activity. They are recorded as accounting transactions by an accounting system. The system then summarises the transactions and creates useful reports for the company. Meanwhile, the business activities that trigger the economic events are called cycles of accounting transactions.


These accounting cycles consist of accounting transactions that occur in a normal and routine sequence. For example, a sales transaction is normally followed by a shipping process, a billing transaction and a cash receipts transaction. These are normal business activities in a revenue cycle. Table 5.1 above shows all the events included in the four basic business cycle activities. From these business cycle activities, we can identify the four accounting transaction cycles accordingly:
(a) The capital investment can be identified as the financial/general ledger and reporting cycle;
(b) The input acquisition can be identified as the expenditure cycle;
(c) The conversion can be identified as the conversion/production cycle; and
(d) The sales activity can be identified as the revenue cycle.

Table 5.2 summarises the relationship between business activities and their respective cycles.

Table 5.2: Business Activities and Their Respective Cycles

| Business Activity | Cycle |
|---|---|
| Capital Investments | Financial/General Ledger |
| Input Acquisition | Expenditure Cycle |
| Conversion | Conversion/Production Cycle |
| Sales Activity | Revenue Cycle |

In this section, we will examine the accounting cycles in more detail. First, let us
start with the financial cycle.

(a) Financial/General Ledger Cycle

The financial cycle, also known as the general ledger and reporting system, consists of two main functions:
(i) To raise capital; and
(ii) To use the capital to purchase assets such as property, plant and equipment.

Accurate recording must be done in this cycle in order to see the flow of information. It is important to record transactions such as getting capital from owners or creditors, using that capital to purchase assets and reporting back to owners and creditors on how the capital is being used. Another important event is periodic reporting to the sources of capital. In the financial cycle, the basic financial statements provide periodic reporting. These statements include the balance sheet, the income statement and the statement of cash flows. The summaries in these statements come from the general ledger. Periodic reporting to the sources of capital is important because it enables a business to raise additional capital. In Figure 5.4, we can see that there are three accounting application systems that record the events in the financial cycle. They are the property, the journal entry and the financial reporting systems. The relationship among these application systems and the sources of capital is also illustrated in Figure 5.4.

Figure 5.4: The financial cycle


Source: Boockholdt (1999)

(b) Expenditure Cycle

The expenditure cycle consists of transactions to acquire raw materials and overhead items for the production cycle. The events included in the expenditure cycle are requesting the items, receiving the items, recording the obligation to pay for the items and paying for the items. Most businesses use a purchasing department to purchase raw materials and supplies. It starts with a purchasing agent who orders material from a selected vendor. The vendor delivers the materials and mails an invoice. The business uses the invoice to record the payable and later pays the vendor when the payment is due. When the vendor is paid according to the terms of the sale, the vendor again sells items to the business. This causes the sequence of the transactions to form a cycle. The application systems in the expenditure cycle execute these transactions. They include the purchasing, receiving, voucher and cash disbursement systems. Figure 5.5 shows the relationship among vendors and the subsystems in the expenditure cycle.


Figure 5.5: The expenditure cycle


Source: Boockholdt (1999)

(c) Conversion/Production Cycle

The conversion cycle contains transactions incurred when raw materials are transformed into finished goods for sale. Only one economic event exists in the production cycle, which is consuming materials, labour and overhead. In manufacturing and service companies, either actual or standard material and labour costs are recorded in a cost ledger as conversion occurs. Overhead costs are allocated in the cost ledger, usually based on the amount of labour used. These costs become associated with the products and are matched with revenue when the products are sold. However, in merchandising companies, costs of conversion are recorded when incurred and matched against revenue in the same period. In the conversion cycle, there are three main application systems: the cost accounting system, which records material, labour and overhead costs; the payroll system, which calculates and generates a pay check for each employee; and the inventory system, which maintains a record of inventory on hand. Depending on the type of organisation, the conversion cycle may contain either two or three application systems. For example, the payroll system is needed by all types of organisations, while the cost accounting system is needed by manufacturing and service companies, and the inventory system is needed by manufacturing and merchandising companies. In merchandising and manufacturing companies, the systems in the production cycle provide interfaces between the expenditure and revenue cycles. However, the production cycle cannot be represented as a circle like the other cycles since it contains only one event.

In Figure 5.6, an example of a merchandising company is used to show the interfaces between the expenditure and revenue cycles and the inventory and payroll system in the company. Originally, the company maintains a merchandise inventory for sale. When the expenditure cycle makes a purchase and receives the products, the inventory will increase. However, when there is a sale and the revenue cycle ships the products, the inventory will decrease. These transactions are recorded by the inventory system. Meanwhile, the payroll system in a merchandising company compensates sales and administrative personnel for their work.

Figure 5.6: The conversion cycle in a merchandising company


Source: Boockholdt (1999)

On the other hand, a manufacturing company has different activities. We will look at this example based on Figure 5.7. A manufacturing company always has raw materials, work in process and finished goods inventories. The production process uses raw materials and converts them into finished goods. Raw materials are obtained from the expenditure cycle and finished goods are sent to the revenue cycle to be sold. The cost accounting, payroll and inventory systems provide interfaces by recording transactions during the production process. Figure 5.7 shows a graphical representation of the production cycle in a manufacturing company.

Figure 5.7: The conversion cycle in a manufacturing company


Source: Boockholdt (1999)

(d) Revenue Cycle

The revenue cycle records all sales made by the company and all payments received. The sales are in terms of services provided or finished goods, which are the product of the production cycle. As mentioned earlier, there are four economic events involved in this cycle: receiving an order from a customer, delivering goods or services to the customer, requesting payment from the customer, and receiving the payment. These transactions may occur separately or at the same time, depending on the type of sale. If the sale is a cash sale, then sales order, delivery, request for payment and payment occur at the same time. Therefore, accounting systems normally record these four events with one transaction. However, when companies sell goods or services on credit, each of the events occurs at a separate time. When a customer pays and the accounting system records the cash receipt, the business is willing to sell again to the customer. This causes the cycle of transactions to repeat. Companies that sell on credit use four application systems in the revenue cycle. The applications are the order entry, shipping, billing and cash receipts systems. Companies that sell on a cash basis frequently use a point-of-sale system that combines the four economic events in one transaction. Figure 5.8 provides a graphical representation of the transactions in the revenue cycle.

Figure 5.8: The revenue cycle


Source: Boockholdt (1999)

Just as accounting transaction cycles were identified with basic business activities, accounting application systems can be identified with economic events, as shown in Table 5.3. The table shows a list of 12 application systems, which will be described in the following topics.

Table 5.3: Economic Events and Application Systems that Process Them

| Transaction Cycles | Economic Event | Application System |
|---|---|---|
| Financial | Raise capital | Journal entry |
| Financial | Consume capital | Property |
| Financial | Periodic reporting | Financial reporting |
| Expenditure | Request inputs | Purchasing |
| Expenditure | Receive inputs | Receiving |
| Expenditure | Obligation to pay | Voucher |
| Expenditure | Payment | Cash disbursement |
| Conversion | Consume labour, material, overhead | Cost accounting, payroll and inventory |
| Revenue | Receive request | Order entry |
| Revenue | Deliver | Shipping |
| Revenue | Request payment | Billing |
| Revenue | Receive payment | Cash receipts |

Source: Boockholdt (1999)

SELF-CHECK 5.1

1. Name the three transaction cycles that exist in all businesses.
2. Name the major subsystems of the expenditure cycle.
3. Name the major subsystems of the conversion cycle.
4. Name the major subsystems of the revenue cycle.

• So far, we have learned the activities that form the processing of accounting transactions.
• We have looked at how the accounting transaction cycles are formed using the business cycle activities.
• We can also identify the four cycles in the accounting transaction processing system, which are the revenue, expenditure, conversion and financial cycles.
• In each cycle, we have also learned the type of accounting application systems associated with each cycle.


Application system
Capital investment
Conversion
Conversion cycle
Cycle of business activities
Economic event
Expenditure cycle
Financial cycle
Input acquisition
Revenue cycle
Sales
Transaction cycle

Boockholdt, J. L. (1999). Accounting information systems. Singapore: McGraw-Hill.
Nickerson, R. C. (2001). Business and information systems. New Jersey: Prentice Hall.



Topic 6 Revenue Cycle Applications
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Describe the business activities involved in the revenue cycle;
2. Employ the flow chart of revenue cycle;
3. Interpret the process of revenue cycle transactions using computer;
4. Describe the internal control procedure needed in revenue cycle; and
5. Construct the DFD for revenue cycle.

INTRODUCTION
In the previous topic, we studied the accounting transaction cycles in general. From this topic onwards, we will look into each transaction cycle in more detail. We will start with the revenue cycle in this topic. The revenue cycle involves selling goods or services to customers and receiving payment for the goods or services purchased. This includes activities such as customer orders, customer payments and sales of inventories or services. The process begins when a customer makes an order to purchase a product or service from a company. The company will then ship the products or perform the service. An invoice will be sent to the customers and the customers will settle the payments using cash or credit. If it is a credit sale, the company will check the customer's credit history before they approve the sale.


6.1 REVENUE CYCLE BUSINESS ACTIVITIES

As mentioned in the introduction, the revenue cycle is used to record transactions involved in the selling and shipping of goods and the receipt of cash from customers. It is also useful for monitoring and summarising the activities which occur in the revenue cycle. In any type of firm, the revenue cycle comprises two subsystems, as shown in Figure 6.1.

Figure 6.1: Two subsystems involved in the revenue cycle

During these transactions, there are several accounts involved. In sales order
processing, the primary accounts involved include sales, from inventories or
services, accounts receivable and cash.

Apart from the above accounts, it is also possible to have other accounts when
certain activities such as goods returned, discount purchases and other related
activities occur in the revenue cycle. The accounts include:
(a) Sales returns and allowances;
(b) Sales discounts;
(c) Sales taxes;
(d) Unearned revenues; and
(e) Allowance for doubtful accounts.

After looking at the accounts involved, we will examine the activities that occur
in the revenue cycle. Table 6.1 below summarises the activities involved.


Table 6.1: Activities Involved in Revenue Cycle

| Activity | Description |
|---|---|
| Customer orders | This event occurs when customers want to purchase any goods or services from the firm. |
| Verification of customer credit and credit limits | This event occurs when customers want to pay their invoices using credit. The customer's payment history and credit limit will be verified by the credit department. |
| Determination of inventory availability | This event occurs to make sure that the inventory is available in the warehouse. |
| Shipment of goods to customers | This event occurs when a company has to deliver the purchased products to the buyers. |
| Customer billing, including handling of discounts and shipping costs | This event occurs when purchases are made by customers. Any discount sales or shipping charges will be included in the customer's bill. |
| Receipt of cash from customers | This event occurs when customers pay the amount they owe to the company. |
| Determination of overdue accounts | This event occurs when inspection is done to check for any overdue payment. |
| Receipt of returned goods | This event occurs when goods purchased are returned by the customers due to damage or dissatisfaction. |

Based on the events in the revenue cycle, many reports and documents are prepared or generated. The documents are listed in Table 6.2.

Table 6.2: Documents Generated in Revenue Cycle

| Document | Description |
|---|---|
| Sales orders | Prepared by sales personnel in the sales department. |
| Packing and shipping documents | Prepared by shipping personnel in the shipping department. |
| Billing invoices | Prepared by accounts receivable personnel in the accounts receivable department. |
| Remittance advices | Often part of billing invoices and returned by customers with payments. |
| Checks | From customers for the payment of goods or services. |
| Deposit slips | Prepared by cash receipts personnel in the cash receipts department. |


In revenue cycle business activities, customers can buy products using either
cash or credit. Several main functions normally occur in any sale as presented
graphically in Figure 6.2.

Figure 6.2: Several main functions normally occur in any sale

However, if sales are based on credit, additional functions are involved:
(a) The firm checks the customer's credit history and credit limit before approving or rejecting the credit request;
(b) Records the accounts receivable;
(c) Sends periodical statements to customers; and
(d) Deals with bad debts.

An example of a data flow diagram for sales order processing and cash receipt processing is shown in Figure 6.3. The processes start when a customer places an order and the firm checks the customer's credit history. Once approved, goods are picked from the warehouse and shipped to the customer together with a packing slip. The shipping department also sends another copy of the packing slip, as well as the bill-of-lading, to the billing department. On the other hand, the sales department prepares several copies of the sales order and sends them to the warehouse and the billing department. The billing department sends an invoice to the customer and other information to be recorded in the sales journal, accounts receivable and general ledger. The inventory account is also updated based on the information given by the billing department. When the customer makes a payment, the check and remittance advice are sent to the mail room and are then sorted by the clerk. The check is deposited into the bank while the remittance advice is sent to accounts receivable. Then, accounts receivable, the general ledger and the cash receipts journal are updated.

Another example shown is data flow diagram for goods that have been returned
(see Figure 6.4). The processes start when customer rejects or returns the goods
they purchased due to damage or dissatisfaction. When the returned good is
received, it is sent to warehouse together with a return slip for restocking
purpose. Another return slip is sent to sales department where several credit
memo copies are prepared. Copies of credit memo are used to update sales
journal on return sales, account receivable, inventory and general ledger.

Figure 6.3: Example of sales order processing and cash receipt processing system: DFD of
sales order processing and cash receipt processing subsystems

Figure 6.4 illustrates an example of DFD for sales return process.


Figure 6.4: DFD of sales returned process

Below are detailed summaries of all the activities involved in the revenue cycle. The categories comprise:
(a) Processing customer orders;
(b) Delivery/shipping goods;
(c) Preparing invoices/billing; and
(d) Recording in accounts receivable ledger.

6.1.1 Processing Customer Orders


Let us look at the activities involved in processing customer orders:
(a) Accepting requests from customers;
(b) Preparing sales order; and
(c) Preparing picking list.

Activities involved in approving credit requests and credit limits include:
(a) Screening new customers by checking on their background;
(b) Setting a maximum limit based on the customer's income or payment capability;
(c) Processing requests to increase the limit for customers with a good credit history; and
(d) Periodic checks on existing customers.

ACTIVITY 6.1
What causes some people's credit history to become bad, leading them to be blacklisted by financial institutions?

6.1.2 Delivery/Shipping of Goods or Providing a Service

Activities involved in delivery/shipping of goods:
(a) Receiving sales order and picking list; and
(b) Preparing the dispatch order and necessary documents such as packing slip, bill-of-lading and shipping notice.

There is only one activity involved in providing a service, that is, recording labour and materials used (job card).

6.1.3 Invoicing and Recording Accounts Receivable


Activities involved in billing:
(a) Receiving shipping notice; and
(b) Preparing batch totals and invoice.

Details on sales invoice:
(a) Invoice number;
(b) Name of supplier;
(c) ABN;
(d) Date of invoice;
(e) Description of goods;
(f) Quantity of goods;
(g) GST inclusive price; and
(h) Discount allowed.

Terms:
(a) Two per cent discount if account is paid within seven days;
(b) Net amount payable within 30 days;
(c) Payment required within 10 days after the end of the month; and
(d) Payment required within 30 days of the end of the month in which delivery
is made.

Types of invoicing are summarised in Table 6.3 below.

Table 6.3: Types of Invoices

| Types of Invoicing | Description |
|---|---|
| Pre-invoicing | Invoice prepared when sales order is approved |
| Post-invoicing | Invoice prepared and dispatched after delivery of goods or services |

6.1.4 Accounts Receivable Ledger


Customers are referred to as debtors. Accounts receivable is an asset. Subsidiary
ledger maintains asset details. The source document for this ledger is sales
invoice issued. Statement of accounts sent to customers at the end of each period
shows details of account transactions and outstanding balance.

Credit or adjustment notes are prepared when goods are returned. They are recorded in the sales returns journal.

Bad debts are amounts owed by debtors that are unable to be collected.

Revenue cycle ends with customer payments that may take the form of:
(a) Cash – from cash sales;
(b) Cheques – most common form of payment;
(c) Bank transfers; and
(d) Direct deposits or electronic fund transfer.

Details of all payments are recorded in the cash receipts journal.


6.2 INTERNAL CONTROLS PROCEDURES FOR THE REVENUE CYCLE

In this section, we will describe the internal control procedures needed in the revenue cycle:
(a) Prompt transfer of customer orders to sales orders.
(b) Strict procedures for granting credit.
(c) Set policy on credit amounts and terms and discounts.
(d) Prompt invoicing in a separate department.
(e) Segregation of duties on:
(i) Dispatch; and
(ii) Invoice preparation.
(f) Proper authorisation procedures for discounts, returns and allowances, and bad debt write-offs.
(g) Sequentially pre-numbered invoices, receipts, etc.
(h) Cash registers with sealed till rolls.
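
The following added example (not part of the original module) shows how controls (e) and (g) above can be tested over an invoice register: it reports gaps and duplicates in the pre-numbered sequence and flags staff who hold both the dispatch and the invoice preparation duty. The register layout, field order and user names are constructed assumptions.

```python
from collections import Counter

# Constructed sample register: (invoice_no, dispatched_by, invoiced_by)
INVOICE_REGISTER = [
    (1001, "aisha", "bala"),
    (1002, "aisha", "bala"),
    (1004, "chong", "chong"),  # 1003 is missing; one user did both steps
    (1005, "aisha", "devi"),
    (1005, "aisha", "devi"),   # invoice number used twice
    (1006, "bala", "devi"),    # bala dispatches here but invoices above
]


def sequence_exceptions(numbers):
    """Return (missing, duplicated) numbers within the observed range."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    low, high = min(counts), max(counts)
    missing = [n for n in range(low, high + 1) if n not in counts]
    duplicated = sorted(n for n, seen in counts.items() if seen > 1)
    return missing, duplicated


def same_user_documents(register):
    """Invoices where one person both dispatched the goods and invoiced them."""
    return sorted({no for no, dispatcher, invoicer in register
                   if dispatcher == invoicer})


def users_holding_both_duties(register):
    """Users who appear in both roles anywhere in the register.

    This is broader than same_user_documents: the two duties are not
    segregated even if the user never handled both steps of one invoice.
    """
    dispatchers = {dispatcher for _, dispatcher, _ in register}
    invoicers = {invoicer for _, _, invoicer in register}
    return sorted(dispatchers & invoicers)


def audit(register):
    """Run all checks and return the findings as a dictionary of lists."""
    missing, duplicated = sequence_exceptions([row[0] for row in register])
    return {
        "missing_numbers": missing,
        "duplicated_numbers": duplicated,
        "same_user_documents": same_user_documents(register),
        "users_holding_both_duties": users_holding_both_duties(register),
    }


if __name__ == "__main__":
    for finding, items in audit(INVOICE_REGISTER).items():
        print(f"{finding}: {items}")
```
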

6.3 COMPUTER APPLICATION SYSTEMS FOR THE REVENUE CYCLE

Routine activities in sales order processing and cash receipts can be done manually or automatically using a computer. In this section, we will focus on routine transactions that have been automated.

Let us see the objectives of this system. The objectives are illustrated in Figure 6.5:


Figure 6.5: Objectives of computer application systems for the revenue cycle

A computer-based accounting system in the revenue cycle uses four application systems:

(a) Order Entry Application

The purpose of the order entry application is to record a customer's request for goods or services, to obtain credit approval for the customer, and to ensure that the order is filed. Procedures for credit approval usually require the credit department to establish a credit limit for each customer. This credit limit is the maximum unpaid balance the customer is allowed to have. Whenever an order is received from a customer, the order entry system determines if the order would cause the outstanding balance to exceed the credit limit. If so, the customer's order is disapproved.

Figure 6.6 contains a flowchart of an online real time order entry system. A sales clerk enters data from a customer's purchase order. A computer program validates the data entered by the clerk, verifies that the order is within the customer's credit limit, and creates a sales order detail record. The program produces two documents. An order acknowledgement is mailed to the customer confirming acceptance of the order. The sales register provides a list of all sales orders entered by the clerk.


Figure 6.6: An order entry application


Source: Boockholdt (1999)

Older accounting systems used batch processing for this application. With
such a system, a clerk prepared sales orders and accumulated them in
batches. The clerk also created a control total, called a batch total, for each
batch. The batch system then applied the processing steps described above
to transactions for a batch at a time. Clerks checked the batch total after
each processing step to ensure that no transactions were lost.

Online real time systems provide query capability, allowing users to examine the contents of specific records in the file. In this order entry application, a sales clerk may query the customer master file to determine a customer's balance, credit limit or terms of sale. The clerk may also query the order entry detail file to determine the status of a past order.
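
The order entry checks described above, as an added example that is not part of the original module: each keyed order is validated and tested against the customer's credit limit, and the batch is then reconciled against the clerk's batch total. The field names, the sample figures and the choice to count accepted but unbilled orders towards the outstanding balance are assumptions made for this sketch.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

REQUIRED_FIELDS = ("order_no", "customer_id", "amount")


@dataclass
class Customer:
    credit_limit: Decimal
    balance: Decimal                     # unpaid invoices
    open_orders: Decimal = Decimal("0")  # accepted, not yet billed (assumption)


def parse_amount(value):
    """Return a positive, finite Decimal, or None if the value is unusable."""
    try:
        amount = Decimal(str(value).strip())
    except InvalidOperation:
        return None
    return amount if amount.is_finite() and amount > 0 else None


def check_order(order, customers):
    """Input checks for one order: return None if it passes, else the reason."""
    missing = [f for f in REQUIRED_FIELDS if not str(order.get(f) or "").strip()]
    if missing:
        return "incomplete: " + ", ".join(missing)
    customer = customers.get(order["customer_id"])
    if customer is None:
        return "unknown customer"
    amount = parse_amount(order["amount"])
    if amount is None:
        return "invalid amount"
    # Earlier orders in the same batch count, so several small orders
    # cannot together slip past the limit.
    if customer.balance + customer.open_orders + amount > customer.credit_limit:
        return "credit limit exceeded"
    return None


def process_batch(batch, control_total, customers):
    """Process keyed orders and reconcile them to the clerk's batch total."""
    sales_orders, rejects = [], []
    keyed_total = Decimal("0")
    for order in batch:
        keyed_total += parse_amount(order.get("amount")) or Decimal("0")
        reason = check_order(order, customers)
        if reason:
            rejects.append((order.get("order_no"), reason))
            continue
        amount = parse_amount(order["amount"])
        customers[order["customer_id"]].open_orders += amount
        sales_orders.append({**order, "amount": amount})
    return {
        "accepted": [o["order_no"] for o in sales_orders],
        "rejects": rejects,
        "keyed_total": keyed_total,
        # Non-zero means a transaction was lost or mis-keyed.
        "difference": control_total - keyed_total,
    }


def sample_run():
    """Constructed data: SO-2 fits the limit alone but not after SO-1."""
    customers = {
        "C001": Customer(Decimal("5000"), Decimal("4200")),
        "C002": Customer(Decimal("1000"), Decimal("0")),
    }
    batch = [
        {"order_no": "SO-1", "customer_id": "C001", "amount": "500.00"},
        {"order_no": "SO-2", "customer_id": "C001", "amount": "400.00"},
        {"order_no": "SO-3", "customer_id": "C002", "amount": ""},  # 300.00 on paper
        {"order_no": "SO-4", "customer_id": "C002", "amount": "250.00"},
    ]
    # Batch total added up by the clerk from the four source documents.
    return process_batch(batch, Decimal("1450.00"), customers), customers


if __name__ == "__main__":
    result, _ = sample_run()
    for key, value in result.items():
        print(f"{key}: {value}")
```
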

(b) Shipping Application

The purposes of the shipping application are to ensure that merchandise is shipped prior to the date desired by the customer and that the customer is promptly billed for the merchandise. Figure 6.7 shows an online real time shipping system. A shipping clerk examines the contents of the sales order detail file and identifies orders that are due for shipment. The program creates a record in the shipments file for each order that is due and reduces the quantity on hand for that item in the inventory master file. It produces two copies of the shipping notice. One serves as a bill-of-lading and another goes to the warehouse as a packing list.


Figure 6.7: A shipping application


Source: Boockholdt (1999)

(c) Billing Application


The purposes of the billing application are to prepare sales invoices for
merchandise that has been shipped and to record the sale in the
appropriate accounts. This application also produces credit memos to
document sales returns and sales allowances. These credit memos, similar
to sales invoices, are mailed to the affected customers.

The flowchart of the system in Figure 6.8 shows these procedures. The
program creates a sales invoice and an invoice detail record for each
shipment record created in the billing application. It also allows a billing
clerk to enter data creating credit memos. The program adds invoice detail
records to the accounts receivable change log file and produces a record
summarising the transactions for the general ledger batch summary file.
The clerk prints a daily document register from the contents of the invoice
detail file. A clerk may query the invoice detail file to determine the status
of a specific unpaid sales invoice.

Every month, the system prints customer statements and an aged trial balance. Many companies practise cycle billing, which means they print and mail statements to their customers on a certain day of the month. This avoids the difficulties of producing all customer statements at the month's end.


Figure 6.8: A billing application


Source: Boockholdt (1999)

(d) Cash Receipt Application


The purpose of the cash receipts application is to record payments made by
customers for credit sales. It also deletes paid invoice records from the
invoice detail file. Figure 6.9 shows these procedures.


Figure 6.9: A cash receipts application


Source: Boockholdt (1999)

A clerk enters data from remittance advices and creates a cash receipts
detail record from each. The computer program matches each cash receipt
detail record with its appropriate invoice detail record, deletes the invoice
detail record and prints a register of deleted invoices. It posts the cash
receipt to the appropriate customer master record, adds a record for each
cash receipt to the accounts receivable change log file and produces a
record summarising these transactions for the general ledger batch
summary file. The clerk executes another program that prints a daily cash
receipt register from the cash receipts detail file.

6.4 CONTROLS IN THE COMPUTER ENVIRONMENT

There are many risks associated with transactions in the revenue cycle which may
expose a company to certain problems. Risks such as incorrect posting of
accounts, errors in invoices or sales to customers with a bad credit history may
affect the company's revenue. In order to mitigate these risks, general controls
and application controls must be set up by a company.

General controls involve segregation of units, proper documentation, proper
authorisation for transactions such as credit sales or changes of procedure, and
access controls such as password requirements for accessing certain ledgers
or files and restricted terminal functions.


Application controls in the revenue cycle fall into the following
categories:
(a) Input controls
Detect and prevent errors when data is input.
(b) Processing controls
Detect and prevent errors while processing is in progress.
(c) Output controls
Detect and prevent errors in outputs from processing.

In the next section, we will be looking at some control measures to validate data
in revenue cycle activities.

6.4.1 Order Entry System


Let us now look at the controls in the order entry system.
(a) Input control
(i) Completeness tests
The program verifies that all data have been entered in each field. For
example:

TRANSACTION-CODE, TRANSACTION-DATE, SALES-ORDER-NUMBER,
SALES-TERMS, PRODUCT-CODE, PRODUCT-PRICE,
PRODUCT-QUANTITY, TRANSACTION-AMOUNT

(ii) Validity test
The program checks the entered customer number against the list of
existing valid CUSTOMER-NUMBER values.

(b) Processing control


(i) Limit test
The program verifies that the sale does not exceed the pre-established credit
limit.

(c) Output control


(i) Visual verification
The data control group examines documents for proper preparation.


(ii) Record count
The data control group verifies that the number of order acknowledgements
equals the number of valid sales order transactions shown on the error
listing.
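
The order entry controls above, as an added Python example (not code from this module or from Boockholdt): the completeness test over the listed fields, the validity test against a customer list, the credit limit test and the record count check. The customer numbers, limits, balances and orders are constructed, and counting orders accepted earlier in the same batch against the credit limit is an assumption.

```python
from decimal import Decimal

# Fields named in the completeness test above.
REQUIRED_FIELDS = (
    "TRANSACTION-CODE", "TRANSACTION-DATE", "SALES-ORDER-NUMBER",
    "SALES-TERMS", "PRODUCT-CODE", "PRODUCT-PRICE",
    "PRODUCT-QUANTITY", "TRANSACTION-AMOUNT",
)

# Constructed customer master file: credit limit and current open balance.
CUSTOMER_MASTER = {
    "C1001": {"credit_limit": Decimal("5000.00"), "balance": Decimal("1200.00")},
    "C1002": {"credit_limit": Decimal("2000.00"), "balance": Decimal("1900.00")},
}


def make_order(number, customer, amount, changes=None):
    """Build a constructed sales order record; `changes` overrides fields."""
    order = {
        "TRANSACTION-CODE": "SO", "TRANSACTION-DATE": "03-15-2017",
        "SALES-ORDER-NUMBER": number, "CUSTOMER-NUMBER": customer,
        "SALES-TERMS": "NET30", "PRODUCT-CODE": "P-100",
        "PRODUCT-PRICE": amount, "PRODUCT-QUANTITY": "1",
        "TRANSACTION-AMOUNT": amount,
    }
    order.update(changes or {})
    return order


SAMPLE_ORDERS = [  # constructed batch
    make_order("SO-001", "C1001", "1500.00"),
    make_order("SO-002", "C1001", "2500.00"),   # passes alone, not after SO-001
    make_order("SO-003", "C9999", "100.00"),    # customer not on file
    make_order("SO-004", "C1002", "50.00", {"SALES-TERMS": " "}),
    make_order("SO-005", "C1002", "100.00"),    # lands exactly on the limit
]


def check_order(order, customers, exposure):
    """Apply the input and processing controls to one order; return failures."""
    errors = []
    for field in REQUIRED_FIELDS:                      # completeness test
        value = order.get(field)
        if value is None or str(value).strip() == "":
            errors.append(f"completeness: {field} is blank")

    customer = order.get("CUSTOMER-NUMBER")            # validity test
    if customer not in customers:
        errors.append(f"validity: CUSTOMER-NUMBER {customer!r} not on file")
        return errors

    try:
        amount = Decimal(str(order.get("TRANSACTION-AMOUNT")))
    except ArithmeticError:                            # not a number at all
        amount = None
    if amount is None or not amount.is_finite() or amount <= 0:
        errors.append("validity: TRANSACTION-AMOUNT is not a positive number")
        return errors

    # Limit test. Assumption: credit already used (open balance plus orders
    # accepted earlier in this batch) counts against the limit.
    limit = customers[customer]["credit_limit"]
    owed = exposure.get(customer, customers[customer]["balance"])
    if owed + amount > limit:
        errors.append(f"limit: {owed} + {amount} exceeds credit limit {limit}")
    elif not errors:
        exposure[customer] = owed + amount
    return errors


def process_batch(orders, customers=CUSTOMER_MASTER):
    """Return (order acknowledgements, error listing) for a batch."""
    exposure, acknowledgements, error_listing = {}, [], []
    for order in orders:
        number = order.get("SALES-ORDER-NUMBER") or "<blank>"
        errors = check_order(order, customers, exposure)
        if errors:
            error_listing.append((number, errors))
        else:
            acknowledgements.append(number)
    return acknowledgements, error_listing


def record_count_ok(printed_acknowledgements, orders, error_listing):
    """Output control: acknowledgements counted by the data control group
    must equal the orders entered minus those on the error listing."""
    return printed_acknowledgements == len(orders) - len(error_listing)


if __name__ == "__main__":
    acks, errors = process_batch(SAMPLE_ORDERS)
    print("acknowledged:", acks)
    for number, problems in errors:
        print(number, problems)
    print("record count agrees:", record_count_ok(len(acks), SAMPLE_ORDERS, errors))
```

SO-002 would pass a limit test that looked only at the stored balance; it is rejected because SO-001 in the same batch has already used part of the customer's credit.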

6.4.2 Shipping System


The controls in the shipping system are as follows.
(a) Input control
(i) Validity test
The program verifies that the cut-off date is in the form AA-BB-CCCC,
where AA<13, BB<32, and CCCC is numeric.

(b) Processing control


(i) Completeness test
The program verifies that each record contains SHIPPING-NOTICE-NUMBER.

(c) Output control


(i) Record count
The data control group verifies that the number of shipping notices
equals the number of records in the shipments file shown on the shipments
register.

6.4.3 Billing System


The controls for the billing system are as follows.
(a) Input control
(i) Validity test
The program checks for valid CUSTOMER-NUMBER.

(ii) Completeness test


The program verifies that all data have been entered in all required
fields such as:

TRANSACTION-CODE, TRANSACTION-DATE, SALES-ORDER-NUMBER,
SALES-TERMS, PRODUCT-CODE, PRODUCT-PRICE,
PRODUCT-QUANTITY, TRANSACTION-AMOUNT


(b) Processing control


(i) Completeness test
The program verifies that INVOICE-NUMBER has been entered for
each record.

(ii) Reasonableness test


The program verifies that on a document, TRANSACTION-AMOUNT < RM99,999.

(iii) Control total


The program verifies that the total postings to the customer master
file = total amounts in the accounts receivable change log file = total
debits and total credits in general ledger batch summary file.

(c) Output control


(i) Record Count
The data control group verifies that the numbers of credit memos and
invoices printed are the same as the numbers shown on the credit
memo and invoice registers.

(ii) Visual verification


The data control group examines invoices and credit memos for
proper preparation.

6.4.4 Cash Receipts System


The following are the controls for the cash receipts system.
(a) Input control
(i) Completeness tests
The program verifies that all data have been entered in all required
fields.

(ii) Validity test


The program checks for valid CUSTOMER-NUMBER.

(b) Processing control


(i) Control total
The program verifies that the total postings to the customer master file
= the total amounts in the accounts receivable log file = the total
debits and total credits in the general ledger batch summary file.


(c) Output control


(i) Control total
The data control group verifies that the total amount of listings on the deleted
invoice register = the total listings on the cash receipts register.
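
The control total used as a processing control in both the billing system (6.4.3) and the cash receipts system (6.4.4), as an added Python example that is not part of the original module. It compares the four totals and then locates the documents behind a mismatch; the record layouts, document numbers and amounts are constructed for illustration.

```python
from decimal import Decimal

ZERO = Decimal("0")

# Constructed output of one billing run. Each customer master posting should
# have a matching accounts receivable change log record.
POSTINGS = [
    {"document": "INV-501", "customer": "C1001", "amount": Decimal("250.00")},
    {"document": "INV-502", "customer": "C1002", "amount": Decimal("1100.00")},
    {"document": "INV-503", "customer": "C1001", "amount": Decimal("430.00")},
]
GOOD_LOG = [dict(p) for p in POSTINGS]
BROKEN_LOG = [  # constructed faults: transposed digits, INV-503 never logged
    {"document": "INV-501", "customer": "C1001", "amount": Decimal("250.00")},
    {"document": "INV-502", "customer": "C1002", "amount": Decimal("1010.00")},
]
OFFSETTING_LOG = [  # constructed: two errors of 100.00 that cancel out
    {"document": "INV-501", "customer": "C1001", "amount": Decimal("350.00")},
    {"document": "INV-502", "customer": "C1002", "amount": Decimal("1000.00")},
    {"document": "INV-503", "customer": "C1001", "amount": Decimal("430.00")},
]
GL_BATCH_SUMMARY = {"total_debits": Decimal("1780.00"),
                    "total_credits": Decimal("1780.00")}


def total(records):
    """Sum the amount field of a list of records."""
    return sum((r["amount"] for r in records), ZERO)


def control_total_check(postings, change_log, gl_summary):
    """Processing control: all four totals must be equal."""
    totals = {
        "customer_master_postings": total(postings),
        "ar_change_log": total(change_log),
        "gl_total_debits": gl_summary["total_debits"],
        "gl_total_credits": gl_summary["total_credits"],
    }
    return len(set(totals.values())) == 1, totals


def by_document(records):
    """Total the amounts per document number."""
    amounts = {}
    for record in records:
        key = record["document"]
        amounts[key] = amounts.get(key, ZERO) + record["amount"]
    return amounts


def find_breaks(postings, change_log):
    """List (document, posted, logged) wherever the two files disagree."""
    posted, logged = by_document(postings), by_document(change_log)
    breaks = []
    for document in sorted(set(posted) | set(logged)):
        p, l = posted.get(document, ZERO), logged.get(document, ZERO)
        if p != l:
            breaks.append((document, p, l))
    return breaks


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("broken", BROKEN_LOG),
                      ("offsetting", OFFSETTING_LOG)):
        ok, totals = control_total_check(POSTINGS, log, GL_BATCH_SUMMARY)
        print(name, "totals agree:", ok, "breaks:", find_breaks(POSTINGS, log))
```

The offsetting log passes the control total even though two documents are wrong, which is why the total is paired here with a document-level comparison.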

SELF-CHECK 6.1

1. Distinguish between a packing slip, shipping notice and a bill-of-lading.

2. At which point in the revenue cycle are independent verification
controls necessary?

• The AIS should be designed to maximise the efficiency with which the basic
activities in the revenue cycle are performed.

• The AIS must also incorporate adequate internal control procedures to
mitigate threats such as uncollectible sales, billing errors and lost or
misappropriated inventory and cash.

• Control procedures are also needed to ensure that the information
provided for decision making is both accurate and complete.

Bill-of-lading
Credit limit
Credit memo
Packing slip
Remittance advice
Sales invoice
Sales order


Boockholdt, J. L. (1999). Accounting information systems. Singapore: McGraw-Hill.
Hall, J. A. (2001). Accounting information systems. Ohio: Thomson Learning.
Romney, M. B., & Steinbart, P. J. (2003). Accounting information systems (9th ed.).
New Jersey: Prentice Hall.
Wilkinson, J. W., Cerullo, M. J., Raval, V. & Wong-On-Wing, B. (2000). Accounting
information systems (4th ed.). New York: John Wiley and Sons, Inc.



Topic 7 Expenditure Cycle Applications
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Explain four types of subsystems in the expenditure cycle;
2. Describe the activities involved in each subsystem;
3. Analyse and develop the flowchart of the expenditure cycle;
4. Explain the computer processes involved in the expenditure cycle; and
5. Describe the control practices and procedures relevant to the expenditure
cycle.

INTRODUCTION
This topic gives an overview of the expenditure cycle in accounting
transaction processing cycles. As you have learnt in Topic 5, the expenditure cycle
involves activities such as purchasing raw materials, finished goods or
services from vendors, disbursing cash for the goods purchased, paying
salaries to employees and dealing with the fixed assets in a company. To make it
easier to understand, we will divide this topic into two sections: the purchase
and the cash disbursement subsystems, and the payroll and the fixed asset
subsystems. It is important to separate the payroll transactions for two
reasons. First, payroll systems must withhold amounts for deductions and taxes
and summarise these in cumulative earnings reports. This is unnecessary in
other general purchasing. Second, payroll systems produce pay-cheques only
to employees. If payroll cheques and other general cheques are combined,
it is easy to hide fraud in the payroll system.

7.1 PURCHASING AND CASH DISBURSEMENT SUBSYSTEMS

ACTIVITY 7.1

What are the differences between purchasing and cash disbursement?

The purchasing and cash disbursement activities are two separate subsystems in
the expenditure cycle.

First, we will discuss the purchasing subsystem in the expenditure cycle. When
an inventory level has dropped to a certain level, a clerk will make a purchase.
The company will review several vendors before deciding which vendor to
buy from. When the vendor delivers the inventory, the company will store the
inventory in the warehouse. The vendor will send an invoice to the company
stating the amount due and the vendor's account payable is updated. The
purchasing process is complete here.

Next, we will look at the processes involved in the cash disbursement subsystem.
A clerk will check for the amount due in the account payable and prepare a payment
cheque. The cheque is sent to the vendor and, concurrently, the general ledger
will be updated.

You will notice that these transactions involve several accounts. Among those
accounts are:
(a) Inventory
(b) Account payable
(i) Purchase account; and
(ii) Vendor's account.
(c) Cash


Figure 7.1: Accounts involved in the cash disbursement subsystems

You will also notice that there are various reports and documents generated
during this process. The documents include:
(a) Purchase requisition – a document that allows a purchase transaction to be
made;
(b) Purchase order – a document that indicates the details of the items to be
purchased;
(c) Blind copy – a blank copy of the purchase order;
(d) Receiving report – a document that indicates the details of items such as
quantity;
(e) Vendor's invoice – bills from the vendor on the items being purchased; and
(f) Voucher register – a register that shows the company's account payable.

Based on the above reports, let us look at the events that trigger them.

A purchase requisition is prepared when the inventory clerk detects that the
inventory level has dropped to a certain level.

The purchase requisition is then sent to the purchasing department, and several
copies of the purchase order will be prepared by the purchasing clerk and
distributed to several departments. One copy of the purchase order, called the
blind copy, which contains no details, is sent to the receiving department to
force the receiving clerk to inspect the inventories upon arrival. After
inspection, a receiving report is prepared. An invoice will be sent by the
vendor separately and, once received, the account payable will be updated. The
clerk in the accounts payable department prepares a voucher in a voucher
register in order to show the liability of the company.

Now that we know how the reports are produced, we will take a look at the
detailed processes involved in the purchasing and cash disbursement subsystems in
the next section.

7.1.1 Purchasing Subsystems


We will now discuss purchasing subsystems.
(a) Request for Purchase
Purchasing department is responsible for any purchases. Goods can be
categorised as general goods and special items. Purchase requisition is used
to ensure control and accuracy.

(b) Vendor Selection and Order Placement
This can be achieved by following the steps below:
(i) Identifying the best vendor from a list of potential vendors
• Check for price and quantity available.
• Check for delivery time.
• Check for terms of delivery.

(ii) Place order with selected vendor
• Includes description such as quantity, unit price, total price, trade
discount and delivery date.

(c) Goods Received


The arrival of goods is accompanied by a delivery note indicating:
(i) Description, source and quantity that has been delivered;
(ii) Space for signature of the person accepting the goods;
(iii) Goods have been checked for quantity and quality; and
(iv) Goods received note raised and attached to delivery note for filing. A
copy is sent to accounts payable department.


(d) Storekeeping
Goods received are stored in a secure place. They will be safeguarded by
authorised persons. Goods will only be released upon proper authorisation
(a goods/materials requisition note). An authorised dispatch note is required for
the dispatch of goods sold. Figure 7.2 summarises the storekeeping functions.

Figure 7.2: Storekeeping functions

Within stock levels, the storekeeper must maintain an appropriate level to
facilitate production and sales functions as well as maintain a 'buffer' of
stock for emergencies.

(i) Physical stock verification
• Inventory is counted and amounts and other details are recorded
on stock sheets.
• Verification objectives are:
- Accounting valuation;
- Loss through theft or misuse;
- Physical state of stock; and
- Allow proper cut-off procedures to be carried out.

(ii) Perpetual inventory system
• Maintains a set of records that ensure stock movements are
recorded on a continuous and consistent basis by competent staff;
• Stock cards maintain a record of stock movements in the stores;
• Accuracy is verified by a stocktaking; and
• Physical stock is compared to records to identify errors.

(e) Processing invoice by supplier


(i) Tax invoice is received and checked for accuracy using goods received
note; and
(ii) Liability is recorded when tax invoice is received and verified.

(f) Account payable and general ledger update


(i) Accounts payable may be adjusted by adjustment or credit notes
received for returned goods.

7.1.2 Cash Disbursement Subsystems


Next, we will move on to cash disbursement subsystems.

(a) Check for payment of items that are due
The clerk checks the account payable for any amount due.

(b) Prepare cheques to vendors
(i) If any amount is due, a payment cheque will be prepared and
distributed to the vendor.
(ii) Supplier payments can be in the form of:
• Cash;
• Cheques (most common form of payment);
• Bank transfers; or
• Direct deposits or EFT.

(c) Control accounts and general ledger update


Control accounts for account payable and cash as well as general ledger
will be updated once payment has been made.


However, we know that sometimes a company prefers to make a purchase
on credit terms. With credit terms, there are additional functions
involved such as:
(i) Applying for credit facility from vendors;
(ii) Recording accounts payable;
(iii) Requesting adjustment notes;
(iv) Checking periodical statements from vendors; and
(v) Approving vendor invoices.

After looking at the above details, you might still want to know more about
the processes. There are seven processes involved in data flow diagram or
DFD:
(i) Review needs;
(ii) Purchase Inventory;
(iii) Receive goods;
(iv) Update inventory;
(v) Update control accounts;
(vi) Prepare cash disbursement; and
(vii) Update general ledger.

To help you understand better, Figure 7.3 shows the processes in a data
flow diagram.


Figure 7.3: Example of purchase and cash disbursement processes:
DFD of purchasing and cash disbursement processes

7.1.3 Internal Controls for Purchase and Cash Disbursement Activities

This section states the internal controls needed in purchasing and cash
disbursement processes.
(a) Pre-numbered purchase orders;
(b) Authorised personnel to initiate all purchases;
(c) Deliveries accepted on verification of purchase order;
(d) Invoices, purchase orders and receiving reports are matched to verify
invoice for processing and payment;
(e) Expected refunds are followed up;
(f) Paid invoices are cancelled with a stamp ("paid") or a hole is punched;
(g) Cheque signatories have limits;
(h) Only authorised person is responsible for petty cash fund;
(i) Accounts payable is reconciled on a regular basis;


(j) Inventory is protected and accounted for both physically and in terms of
dollar value;
(k) Reorder levels are maintained;
(l) Proper authorisation procedure is applied before release of goods from
stores; and
(m) Segregate related departments such as inventory from warehouse and cash
from general ledger and account payable.
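
Controls (a), (d) and (f) from the list above, as an added Python example that is not part of the original module: a gap check on pre-numbered purchase orders, the match of invoice, purchase order and receiving reports, and cancellation of paid invoices so they cannot be paid twice. The record layouts, vendor, item and document numbers are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed records. Each purchase order line is (quantity, unit price).
PURCHASE_ORDERS = {
    "PO-0101": {"vendor": "V-20", "lines": {"ITEM-7": (100, Decimal("4.50"))}},
    "PO-0102": {"vendor": "V-31", "lines": {"ITEM-9": (10, Decimal("80.00"))}},
    "PO-0104": {"vendor": "V-20", "lines": {"ITEM-7": (50, Decimal("4.50"))}},
}
RECEIVING_REPORTS = [   # two partial deliveries against PO-0101
    {"po": "PO-0101", "item": "ITEM-7", "qty": 60},
    {"po": "PO-0101", "item": "ITEM-7", "qty": 30},
]


def invoice(number, po, qty, price, vendor="V-20", item="ITEM-7"):
    """Build a constructed single-line vendor invoice."""
    return {"vendor": vendor, "number": number, "po": po,
            "lines": [(item, qty, Decimal(price))]}


def three_way_match(inv, purchase_orders, receiving_reports, paid):
    """Control (d): return the exceptions that block payment of an invoice."""
    exceptions = []
    if (inv["vendor"], inv["number"]) in paid:          # control (f)
        exceptions.append("invoice already paid and cancelled")

    po = purchase_orders.get(inv["po"])
    if po is None or po["vendor"] != inv["vendor"]:
        exceptions.append(
            f"no purchase order {inv['po']} for vendor {inv['vendor']}")
        return exceptions

    # Total what the receiving reports say actually arrived for this order.
    received = Counter()
    for report in receiving_reports:
        if report["po"] == inv["po"]:
            received[report["item"]] += report["qty"]

    for item, qty, price in inv["lines"]:
        if item not in po["lines"]:
            exceptions.append(f"{item}: not on purchase order")
            continue
        ordered_qty, po_price = po["lines"][item]
        if qty > received[item]:
            exceptions.append(f"{item}: billed {qty}, received {received[item]}")
        if qty > ordered_qty:
            exceptions.append(f"{item}: billed {qty}, ordered {ordered_qty}")
        if price != po_price:
            exceptions.append(f"{item}: billed at {price}, ordered at {po_price}")
    return exceptions


def pay_invoice(inv, purchase_orders, receiving_reports, paid):
    """Approve for payment only on a clean match, then cancel the invoice."""
    exceptions = three_way_match(inv, purchase_orders, receiving_reports, paid)
    if not exceptions:
        paid.add((inv["vendor"], inv["number"]))        # the "paid" stamp
    return exceptions


def sequence_gaps(po_numbers):
    """Control (a): pre-numbered purchase orders missing from the file."""
    used = sorted(int(number.split("-")[1]) for number in po_numbers)
    if not used:
        return []
    present = set(used)
    return [f"PO-{n:04d}" for n in range(used[0], used[-1] + 1)
            if n not in present]


if __name__ == "__main__":
    paid = set()
    first = invoice("INV-881", "PO-0101", 90, "4.50")
    print(pay_invoice(first, PURCHASE_ORDERS, RECEIVING_REPORTS, paid))
    print(pay_invoice(first, PURCHASE_ORDERS, RECEIVING_REPORTS, paid))
    print(sequence_gaps(PURCHASE_ORDERS))
```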

7.1.4 Computer Application Systems for Purchase and Cash Disbursement Activities

Routine activities in purchasing and cash disbursement can be done manually or
automatically using a computer. However, in this section we will focus on routine
transactions that have been automated.

(a) Purchasing Application


The purpose of the purchasing application is to identify materials, supplies
and equipment for requisition; to select a vendor for these items; and to
ensure that the items are requested and received. Figure 7.4 shows the
sources for inputs to an online real time computerised purchasing system.

Figure 7.4: A purchasing application


Source: Boockholdt (1999)

(b) Receiving Application


The purpose of the receiving application is to ensure that all receipts of
materials, supplies and equipment are authorised, and to record their
receipts in the accounting records. A system flowchart of an online real
time receiving system is shown in Figure 7.5.

Figure 7.5: A receiving application


Source: Boockholdt (1999)

(c) Voucher Application


The purpose of the voucher application is to record the obligation to pay a
supplier. Inputs to this system are vendor invoices and records from the
receipts, open purchase order and purchase order detail files. Figure 7.6
shows the procedures in a voucher system.

Figure 7.6: A voucher application


Source: Boockholdt (1999)

(d) Cash Disbursement Application


The purpose of this application system is to ensure that payments are made
to vendors in the proper amount and at the proper time. Figure 7.7 shows a
flowchart for this system.

Figure 7.7: A cash disbursements application


Source: Boockholdt (1999)


7.1.5 Controls in the Computer Environment


As we have discussed in previous topics, there are many risks associated with
transaction cycles including the expenditure cycle. Therefore, certain controls
need to be implemented. This section describes the application controls
applicable to the activities described in this topic only. They are stated according
to categories, which are input, processing and output. Let us look at the
application controls below that validate the input data in a computer-based
system.

(a) Purchasing System


(i) Input:
• Completeness test
- Program verifies that all data has been entered such as
REQUISITION-NUMBER, INVENTORY-ITEM-NUMBER, ITEM-DESCRIPTION,
ITEM-QUANTITY, DELIVERY-DUE-DATE.
- Purchasing agent enters all required data such as VENDOR-NUMBER,
PURCHASING-AGENT-NAME, VENDOR-PRODUCT-NUMBER, ITEM-UNIT-PRICE.

• Validity test
- Program checks the entered digits of VENDOR-NUMBER and
validates them against a valid VENDOR-NUMBER list.

(ii) Processing:
• Record count
- Program verifies that the number of new purchase numbers = the
number of purchase requisitions + the number of records from order
entry, production control and inventory systems.

(iii) Output:
• Record count
- Program verifies that the number of new records in the
purchase order detail file = the number of line items on
purchase orders.


(b) Receiving System


(i) Input:
• Completeness test
- Program verifies that all required data has been entered such
as PURCHASE-ORDER-NUMBER, RECEIVED-QUANTITY,
ITEM-NUMBER, ITEM-DESCRIPTION, VENDOR-NAME.

(ii) Processing:
• Record count
- Program verifies that the quantity of goods received equals
the quantity ordered.

(iii) Output:
• Record count
- Program verifies that the number of lines on the voucher
register = the number of records added to the voucher file.

(c) Voucher System


(i) Input:
• Consistency test
- Program verifies that the total of the GENERAL-LEDGER-AMOUNT
fields equals the NET-AMOUNT field.

• Validity test
- Program verifies that dates are of the form AA-BB-CCCC,
where AA<13, BB<32 and CCCC is numeric.

(ii) Processing:
• Record count
- Program verifies that the decrease in the number of open
purchase order records = the increase in the number of
pending invoice records; the number of records in the old
pending invoice file = the number of records in the new
pending invoice file + the number of new voucher records;
and the decrease in the number of receipts records = the
increase in the number of pending invoice records.

(iii) Output:
• Record count
- Program verifies that the number of lines on the voucher
register = the number of records added to the voucher file.

(d) Cash Disbursement System


(i) Input:
• Consistency test
- Program verifies that the amount of the cash disbursement
transaction entered is equal to the vendor's account payable.

(ii) Processing:
• Record count
- Program verifies that the number of records in the old voucher
file = the number of records in the new voucher file + the
number of cash disbursement transaction records.

(iii) Output:
• Record count
- Program verifies that the number of lines on the voucher
register = the number of records added to the voucher file.

• Limit test
- Program flags transactions amounting to more than RM100,000
for review by the data control group.

• Run-to-run controls
- Data control group verifies that the total amount of cheques =
the total amounts of vouchers disclosed on control reports and
the cheque register.
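
The voucher and cash disbursement controls above, as an added Python example that is not part of the original module: the date validity test as stated here and in Section 6.4.2 beside a stricter calendar check, the voucher consistency test, and the record count, limit and run-to-run checks for one payment run. The field names VOUCHER-NUMBER and VOUCHER-DATE, the reading of AA as month and BB as day, and the sample vouchers are assumptions made for illustration.

```python
import re
from datetime import date
from decimal import Decimal

DATE_FORM = re.compile(r"([0-9]{2})-([0-9]{2})-([0-9]{4})")
REVIEW_LIMIT = Decimal("100000")          # RM100,000 limit test from the text
ZERO = Decimal("0")


def form_test(text):
    """Validity test as stated: AA-BB-CCCC, AA<13, BB<32, CCCC numeric."""
    m = DATE_FORM.fullmatch(text)
    return bool(m) and int(m.group(1)) < 13 and int(m.group(2)) < 32


def calendar_test(text):
    """Stricter check (an addition): the fields must form a real date.
    Assumes AA is the month and BB the day, as the bounds 13 and 32 suggest."""
    m = DATE_FORM.fullmatch(text)
    if not m:
        return False
    month, day, year = (int(g) for g in m.groups())
    try:
        date(year, month, day)
    except ValueError:                    # month 00, day 00, 31 February ...
        return False
    return True


def voucher(number, voucher_date, gl_amounts, net):
    """Build a constructed voucher record (VOUCHER-* names are hypothetical)."""
    return {"VOUCHER-NUMBER": number, "VOUCHER-DATE": voucher_date,
            "GENERAL-LEDGER-AMOUNT": [Decimal(a) for a in gl_amounts],
            "NET-AMOUNT": Decimal(net)}


def voucher_errors(record):
    """Input controls for one voucher: date validity and consistency."""
    errors = []
    if not calendar_test(record["VOUCHER-DATE"]):
        errors.append("validity: VOUCHER-DATE is not a real date")
    if sum(record["GENERAL-LEDGER-AMOUNT"], ZERO) != record["NET-AMOUNT"]:
        errors.append("consistency: GENERAL-LEDGER-AMOUNT total != NET-AMOUNT")
    return errors


OLD_VOUCHER_FILE = [  # constructed
    voucher("V-0001", "03-15-2017", ["600.00", "400.50"], "1000.50"),
    voucher("V-0002", "03-16-2017", ["150000.00"], "150000.00"),
    voucher("V-0003", "03-20-2017", ["99999.99"], "99999.99"),
]


def run_cash_disbursement(old_file, due):
    """Pay the due vouchers; return (new voucher file, cheques, review list)."""
    cheques = [v for v in old_file if v["VOUCHER-NUMBER"] in due]
    new_file = [v for v in old_file if v["VOUCHER-NUMBER"] not in due]
    review = [v["VOUCHER-NUMBER"] for v in cheques
              if v["NET-AMOUNT"] > REVIEW_LIMIT]      # limit test
    return new_file, cheques, review


def batch_controls(old_file, new_file, cheques):
    """Record count and run-to-run checks across the run's files."""
    def amount(records):
        return sum((r["NET-AMOUNT"] for r in records), ZERO)
    return {
        # old voucher file = new voucher file + cash disbursement records
        "record_count": len(old_file) == len(new_file) + len(cheques),
        # cheque total = total of the vouchers that left the voucher file
        "run_to_run": amount(cheques) == amount(old_file) - amount(new_file),
    }


if __name__ == "__main__":
    for sample in ("12-31-2017", "02-31-2017", "00-00-0000"):
        print(sample, form_test(sample), calendar_test(sample))
    new_file, cheques, review = run_cash_disbursement(
        OLD_VOUCHER_FILE, {"V-0001", "V-0002"})
    print(review, batch_controls(OLD_VOUCHER_FILE, new_file, cheques))
```

The form test alone accepts 02-31-2017 and 00-00-0000, since it bounds each field only from above; the calendar check rejects both.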


ACTIVITY 7.2

What are the three documents that must accompany the payment of an
invoice?
Discuss where these three documents originate and the resulting
control implications.

7.2 PAYROLL AND FIXED ASSET SUBSYSTEMS


So far, we have looked at the first part of the expenditure cycle, which comprises
the purchasing subsystem and the cash disbursement subsystem. This section discusses
the second part of the expenditure cycle, which is the payroll subsystem and the fixed
asset subsystem. First, we will look at the activities involved in the payroll
subsystem. Then we will discuss the fixed asset subsystems.

7.2.1 Payroll Subsystems


ACTIVITY 7.3

Imagine you own a small business with ten employees. What information
do you need in order to run a payroll system for your employees? How
would you go about the record keeping for your mini-payroll system?

The payroll subsystem is a part of the human resource management system. It
includes activities to effectively manage the employee workforce. The input for
the payroll processing is obtained from the job ticket or time card of an
employee. Then, the payroll department calculates the amount payable for each
employee and prepares the pay-cheques. Account payable will authorise the cash
disbursement and finally, the general ledger will be updated.

There are several accounts involved in this transaction such as account payable,
cash and wages.

Figure 7.8 presents a context diagram for the payroll system which shows the
relationships between the HRM system and other parts of the AIS. This figure
shows five major sources of inputs to the payroll system and one output.


Figure 7.8: Context diagram of the payroll portion of the HRM/payroll cycle.
Source: Romney and Steinbart (2003)

The inputs come from the HRM department, various departments, government
agencies, employees, and insurance and other companies. On the other hand, the
output comes from the bank. We will discuss the sources of input first.
(a) The HRM department gives information on any payroll changes such as
new hiring, firing or any pay rate changes due to raises or promotions;
(b) The various departments provide data about actual hours the employees
work such as time and attendance data;
(c) Government agencies provide tax rates and instructions for meeting
regulatory requirements;
(d) Employees provide information on any withholdings and deductions such
as pension, housing loan deduction or any donations; and
(e) Finally, insurance companies and other organisations provide instructions
for calculating and remitting various withholdings.

As for the output, cheques are the payroll system's principal output. Based on
the dataflow in the context diagram, we know that employees receive individual
pay-cheques in compensation for their services. On the other hand, a payroll
cheque is sent to the bank to transfer funds from the company's regular accounts
to its payroll account. Finally, cheques are also issued to government agencies,
insurance companies and other organisations to meet company obligations such
as paying for taxes and insurance premiums. In addition, the payroll system also
produces a variety of reports for internal and external use.

Now that we understand the inputs and outputs of the payroll system, let us
look at Figure 7.9 which shows the seven basic activities in the payroll cycle.
Before we proceed, it is a good idea to remember that payroll is one of the AIS
applications that continues to be processed in batch mode. This is because
pay-cheques are prepared periodically, either weekly, biweekly or monthly, and
most employees are paid at the same time, which makes it appropriate to process
the transactions in batch.

Figure 7.9: Level 0 DFD for the payroll cycle


Source: Romney and Steinbart (2003)

Below are the descriptions of all processes shown in Figure 7.9.

(a) Update Payroll Master File


The first activity in the HRM/payroll cycle involves updating the payroll
master file to reflect various types of payroll changes: new hiring,
terminations, changes in the pay rates, or changes in discretionary
withholdings (circle 1.0 in Figure 7.9). The HRM department provides this
information. Although payroll is processed in batch mode, Figure 7.8 shows
that the HRM department has online access to make these changes to the
payroll master file. Appropriate edit checks, such as validity checks on
employee number and reasonableness tests for the changes being made, are
applied to all payroll change transactions. It is important that all payroll
changes are entered in a timely manner and are properly reflected in the next
pay period. Records of employees who quit or are fired should not be deleted
immediately, however, because some year-end reports require data about all
employees who worked for the organisation at any time during the year.

(b) Update Tax Rates and Deductions


The second activity in the HRM/payroll cycle is updating information
about tax rates and other withholdings (circle 2.0 in Figure 7.9). The payroll
department makes these changes, but the changes occur infrequently. They
happen when the payroll department receives updates about changes in tax
rates and other payroll deductions from various government units and
insurance companies.

(c) Validate Time and Attendance Data


The third step in the payroll cycle is to validate each employee's time and
attendance data (circle 3.0 in Figure 7.9). This information comes in various
forms, depending on an employee's pay status.

(d) Prepare Payroll


The fourth step in the payroll cycle is preparing payroll (circle 4.0 in Figure
7.9). The department in which the employee works provides data about the
hours worked and a supervisor usually confirms the data. Pay rate
information is obtained from the payroll master file.

(e) Disburse Payroll


The next step is actual disbursement of pay-cheques to employees (circle 5.0
in Figure 7.9). Most employees are paid either by cheque or by direct
deposit of the net pay amount into their personal bank account. Unlike cash
payments, both methods provide a means to document the amount of
wages paid.

(f) Calculate Employer-Paid Benefits and Taxes


The employer pays some payroll taxes and employee benefits directly
(circle 6.0 in Figure 7.9). For example, employers must pay social security
taxes, in addition to the amounts withheld from employee pay-cheques.

(g) Disburse Payroll Taxes and Miscellaneous Deductions


The final activity in the payroll process is paying the payroll tax liabilities
and other voluntary deductions of each employee (circle 7.0 in Figure 7.9).
An organisation must periodically prepare cheques or use electronic funds
transfer to pay the various tax liabilities incurred.

In Figure 7.10, a typical batch-oriented HRM/payroll system is presented. This
document flowchart shows two types of activities: daily and periodical activities.


Figure 7.10: HRM/payroll chart


Source: Romney and Steinbart (2003)

7.2.2 Fixed Asset Subsystems


The fixed asset subsystem is used to record the property, plant and equipment
used in an organisation. Some examples of fixed assets are buildings,
furniture, machinery and land. These fixed assets are depreciable; therefore,
accurate recording of these assets is needed. There are three main functions of
fixed asset systems, which are the acquisition, the maintenance and the disposal
of fixed assets.


The accounts involved in this transaction are account payable and fixed asset.

The DFD of the fixed asset system is similar to that of the purchase subsystem, in
that it involves the purchase department, accounts payable, receiving, cash
disbursement and general ledger. The only difference is that in the fixed asset
system an authorisation is needed whenever an asset acquisition or an asset
disposal is about to be done.

Let us examine the tasks involved in the fixed asset system.

(a) Asset Acquisition


The first task in the fixed asset system is asset acquisition. This process begins
when there is a need to get a new fixed asset or to replace an existing one. After
considering the cost and other benefits, an approval will be given before the
asset can be purchased. The purchase process is similar to the purchase
subsystem described above.

(b) Asset Maintenance


As we know, assets such as machinery and motor vehicles will depreciate
over time because of the usage. Therefore, it is important for a company to
adjust its asset account based on certain calculation since the value has been
depreciated. The information is recorded in a document called depreciation
schedule.

(c) Asset Disposal


The last task in the fixed asset system is asset disposal. An asset will be removed
or disposed of when it is no longer useful, is damaged or has become obsolete. The
manager in charge will first request that the asset be disposed of and wait for
the approval. Once it has been approved, a disposal report is prepared and
sent to the accounting systems and the asset is removed from the related account.

We have now completed the study of three tasks in the fixed asset system. As for
the internal controls and controls in the computer environment, the procedures
and processes are similar to purchase systems described above. Therefore, from
this section onwards, we will only look at the payroll system in particular.

7.2.3 Internal Controls Procedures for the Payroll Subsystem
In the payroll subsystem, several internal controls should be implemented to prevent
exposure to certain risks associated with this cycle. Some of the controls needed are:
(a) Sound hiring procedures, including verification of job applicant's skills,
references and employment history.
(b) Thorough documentation of hiring procedures.
(c) Training on current developments in employment law.
(d) Segregation of duties: HRM versus payroll and pay-cheque distribution.
(e) Reconciliation of time card data with job-time ticket data.
(f) Direct deposit.
(g) Updated employee list and pay rates provided by personnel department.
(h) Pay-cheque:
    (i) Prepared only based on properly prepared payroll register;
    (ii) Pre-numbered;
    (iii) Signed only if properly prepared;
    (iv) Imprest bank account used;
    (v) Distributed by persons not involved in payroll process;
    (vi) Voided cheques kept; and
    (vii) Unclaimed cheques listed and investigated.

7.2.4 Computer Application Systems for Payroll Activities
Figure 7.11 contains a system flowchart of a payroll system. Similar to the cash
disbursement system, the payroll application uses batch processing. In this
system, a supervisor approves timecards for payment, batches them and
establishes a control total over the total hours worked in a batch. A data entry
clerk enters the timecard data in a computer file. Some systems validate each
data record during data entry. Others create the transaction file and then
validate the records one batch at a time, producing an error listing. The validation
program produces a payroll transaction file, which the system sorts into
employee number sequence. A program calculates pay and deductions, updates
the cumulative earnings data in the employee master file, and prints the payroll
register. After payroll clerks have reviewed the register for errors, another
program prints pay-cheques and creates records for the general ledger batch
summary file.

Figure 7.11: A payroll application


Source: Boockholdt (1999)

7.2.5 Controls in the Computer Environment


This section describes similar data validation techniques and divides them
according to input, processing and output categories.

(a) Input
    (i) Completeness test
        • Program verifies that all required inputs have been entered, such as
          EMPLOYEE-NUMBER, EMPLOYEE-NAME, HOURS-WORKED.
    (ii) Control total
        • Program verifies that total number of hours on batch transactional
          form = total number of hours on valid payroll transactions + total
          number of hours on erroneous payroll transactions.

(b) Processing
    (i) Record count
        • Number of input transaction records = number of output
          transaction records.
    (ii) Control total
        • Total hours in input file = total hours in output file.

(c) Output
    (i) Limit test
        • Program flags, for review by the data control group, any
          transactions with amounts more than RM10,000.
    (ii) Record count
        • Program verifies that the number of pay-cheques = the number of
          payroll transaction records.
    (iii) Control total
        • Program verifies that total amount of pay-cheques = total debits to
          general ledger accounts = total credits to general ledger accounts.
    (iv) Run-to-run controls
        • Data control group compares control totals taken on pay-cheque
          amounts and disclosed on control report and payroll register.
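
The input, processing and output controls listed above, applied to one constructed timecard batch (an added example, not part of the original module). The field names and the RM10,000 limit come from the text; the employees, pay rates, account names and the gross-pay-only calculation are assumptions.

```python
from decimal import Decimal

REQUIRED = ("EMPLOYEE-NUMBER", "EMPLOYEE-NAME", "HOURS-WORKED")
LIMIT = Decimal("10000")  # RM10,000 limit test quoted in the text
ZERO = Decimal("0")


def hours_of(rec):
    """Hours on a record; a blank or missing field counts as zero hours."""
    raw = rec.get("HOURS-WORKED")
    return Decimal(raw) if raw not in (None, "") else ZERO


def total_hours(recs):
    return sum((hours_of(r) for r in recs), ZERO)


def input_controls(records, batch_total_hours):
    """Completeness test per record, then the batch control total."""
    valid, errors = [], []
    for rec in records:
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        (errors if missing else valid).append(rec)
    # Hours on the batch form = hours on valid + hours on erroneous records.
    balanced = Decimal(batch_total_hours) == total_hours(valid) + total_hours(errors)
    return valid, errors, balanced


def calculate_pay(valid, rates):
    """Sort into employee number sequence and calculate gross pay.

    A transaction with no matching master record is skipped here on purpose,
    so that the processing controls below have something to catch.
    """
    out = []
    for rec in sorted(valid, key=lambda r: r["EMPLOYEE-NUMBER"]):
        rate = rates.get(rec["EMPLOYEE-NUMBER"])
        if rate is not None:
            pay = (hours_of(rec) * rate).quantize(Decimal("0.01"))
            out.append({**rec, "PAY": pay})
    return out


def processing_controls(valid, out):
    """Record count and control total between input and output files."""
    return {
        "record_count": len(valid) == len(out),
        "control_total": total_hours(valid) == total_hours(out),
    }


def ledger_summary(out):
    """General ledger batch summary: one debit, one credit (assumed accounts)."""
    total = sum((r["PAY"] for r in out), ZERO)
    return [("Wages expense", "DR", total), ("Payroll imprest account", "CR", total)]


def output_controls(out, cheques, ledger):
    """Limit test, record count and control total on the printed pay-cheques."""
    cheque_total = sum((c["PAY"] for c in cheques), ZERO)
    debits = sum((amt for _, side, amt in ledger if side == "DR"), ZERO)
    credits = sum((amt for _, side, amt in ledger if side == "CR"), ZERO)
    return {
        "limit_flags": [c["EMPLOYEE-NUMBER"] for c in cheques if c["PAY"] > LIMIT],
        "record_count": len(cheques) == len(out),
        "control_total": cheque_total == debits == credits,
    }


# Constructed sample batch: the supervisor's batch form shows 540.5 hours.
BATCH_TOTAL = "540.5"
TIMECARDS = [
    {"EMPLOYEE-NUMBER": "1003", "EMPLOYEE-NAME": "Aminah", "HOURS-WORKED": "160"},
    {"EMPLOYEE-NUMBER": "1001", "EMPLOYEE-NAME": "Lim", "HOURS-WORKED": "172.5"},
    {"EMPLOYEE-NUMBER": "1002", "EMPLOYEE-NAME": "", "HOURS-WORKED": "168"},
    {"EMPLOYEE-NUMBER": "1004", "EMPLOYEE-NAME": "Ravi", "HOURS-WORKED": "40"},
]
RATES = {"1001": Decimal("25.00"), "1003": Decimal("70.00"), "1004": Decimal("18.50")}


def run(timecards=TIMECARDS, batch_total=BATCH_TOTAL, rates=RATES):
    """Run the batch through input, processing and output controls."""
    valid, errors, balanced = input_controls(timecards, batch_total)
    out = calculate_pay(valid, rates)
    cheques = list(out)  # one pay-cheque per payroll transaction record
    return {
        "error_listing": [e["EMPLOYEE-NUMBER"] for e in errors],
        "input_control_total": balanced,
        "processing": processing_controls(valid, out),
        "output": output_controls(out, cheques, ledger_summary(out)),
        "cheque_total": sum((c["PAY"] for c in cheques), ZERO),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, "=", value)
```

The record with the blank name goes to the error listing yet still counts toward the batch control total, and removing employee 1004 from the rates table makes both processing controls fail.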

ACTIVITY 7.4
Prepare a worksheet in MS Excel that tabulates all the possible
deductions that a company's payroll system may consider. You may
research the information needed on the Internet. Discuss and
exchange your answers with other course mates, and post them on
the myVLE forum.

SELF-CHECK 7.1

1. What documents are included in the audit trail for payroll?
2. List out two accounts that are involved in Fixed Asset Subsystem.
3. What are the five possible input sources that were fed into the
payroll subsystem?

• As a summary, we can understand that the efficiency and effectiveness of the
  activities in the expenditure cycle can significantly affect a company's overall
  performance.
• IT can help improve the efficiency and effectiveness with which expenditure
  cycle activities are performed.
• In particular, EDI, bar coding and EFT can significantly reduce the time and
  costs associated with ordering, receiving and paying for goods.
• The payroll system must be designed to meet government regulations as well
  as management's information needs.
• Incomplete or erroneous payroll records not only impair decision making,
  but also can result in fines and imprisonment.
• Thus, the design of an efficient and effective payroll system is vital.
• It is also important, however, to have a well-designed HRM system.
• The knowledge and skills of employees are valuable assets and must be
  carefully managed, developed and maintained.

Blind copy
Imprest
Payroll register
Purchase order
Purchase requisition
Receiving report
Time card
Vendor's invoice
Voucher register

Boockholdt, J. L. (1999). Accounting information systems. Singapore: McGraw-Hill.
Hall, J. A. (2001). Accounting information systems. Ohio: Thomson Learning.
Romney, M. B., & Steinbart, P. J. (2003). Accounting information systems (9th
ed.). New Jersey: Prentice Hall.

Topic 8 Production Cycle Applications
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Describe four basic activities and related data processing operations
performed in the production cycle;
2. Discuss the key decisions that must be made in the production cycle
and identify the information required to make those decisions;
3. Explain the process of production cycle transactions using
computer;
4. Identify internal control procedures in production cycle; and
5. Explain two computerised applications of the production cycle.

INTRODUCTION
This topic provides you with detailed information about the production cycle in
Accounting Transaction Cycles. The activities in this cycle relate to operations
associated with the manufacturing of products. The main activity in the production
cycle is to convert inputs such as raw materials, labour and overhead into
finished products. That is why this cycle is also known as the conversion cycle.

8.1 PRODUCTION CYCLE ACTIVITIES


The production cycle is also an important part of accounting transaction cycles. This
cycle is closely related to other cycles such as the revenue and expenditure cycles.
The context diagram in Figure 8.1 shows how the production cycle is linked to
other subsystems in a company's AIS. Let us examine the relationship shown in
Figure 8.1 below.

Figure 8.1: Context diagram of the production cycle


Source: Romney and Steinbart (2003)

The revenue cycle provides information on customer orders and sales forecast to
the production cycle. This information is used to plan for the quantity of
inventory that will be produced. In return, the production cycle sends
information about quantity of finished goods that have been produced and
quantity that is available for sale. The production cycle also sends information
about the needs of raw materials to the expenditure cycle using purchase
requisition forms. In exchange, the expenditure cycle provides information about
the raw materials that have been purchased together with other expenditure as
the overhead costs. The production cycle also transmits information on labour
needs to payroll cycle while payroll cycle sends information on labour costs and
availability in return. Finally, production cycle transmits information on cost of
goods manufactured to the general ledger and reporting system, and summary
reports are sent to the management.

In sum, several functions are involved, such as the acquisition of raw materials
and labour, the transfer of raw materials and overhead into production, the
transfer of finished goods into inventory and finally the sale of the inventory.

Next, we will look at Figure 8.2 which shows the four basic activities in the
production cycle:
(a) Product design;
(b) Planning and scheduling;
(c) Production operations; and
(d) Cost accounting.

Figure 8.2 also illustrates the information flows between each of those activities
and other AIS cycles.

Figure 8.2: Level 0 DFD of the production cycle


Source: Romney and Steinbart (2003)

8.1.1 Product Design


Product design is the first step in the production cycle. The objective of this
activity (circle 1.0 in Figure 8.2) is to design a product that meets customer
requirements in terms of quality, durability and functionality while
simultaneously minimising production costs.

Documentation associated with these events includes:


(a) Bill of materials; and
(b) Operations list.

8.1.2 Planning and Scheduling


The second step in the production cycle is planning and scheduling (circle 2.0 in
Figure 8.2). The objective of this step is to develop a production plan that is
efficient enough to meet existing orders and anticipated short-term demand
without creating excess inventories.

Documents associated with these events include:


(a) Master production schedule (MPS);
(b) Materials requisition; and
(c) Move tickets.

8.1.3 Product Operations


The third step in the production cycle is the actual manufacturing of products
(circle 3.0 in Figure 8.2). This activity differs among companies according to the
type of product being manufactured and the degree of automation that the
company uses in the production process. Although the activity varies among
companies, the required data remain the same as stated below:
(a) Raw materials that have been used;
(b) Labour hours that have been spent;
(c) Machine operations that have been performed; and
(d) Manufacturing overhead costs that have been incurred.

8.1.4 Cost Accounting


The final step in the production cycle is cost accounting (circle 4.0 in Figure 8.2).
The three principal objectives of the cost accounting system are:
(a) To provide information for planning, controlling and evaluating the
performance of production operations;
(b) To provide accurate cost data about products for use in pricing and
product mix decisions; and
(c) To collect and process the information used to calculate the inventory and
cost of goods sold that appear in the company's financial statements.

So far, we have learnt the four basic functions of the production cycle and their
objectives. Figure 8.3 illustrates a typical online AIS for the
production cycle. Let us look at the departments and the data storages involved
in this process.

Figure 8.3: Online production cycle information system


Source: Romney and Steinbart (2003)

The departments involved are sales, production planning, engineering, cost
accounting, inventory and factory workstations.

Meanwhile, the production cycle databases involved are bill of materials,
operation list, master production schedule, inventory, production orders and
work in process.

The process begins when there is a new order from customers or whenever a
new sales forecast is entered by the sales department. Then, the production planning
department uses this information, together with information on the current inventory
level, to develop the master production schedule and stores it in the database. To
authorise the production of specific goods, new records are added to the
production order file. At the same time, new records are also added to the work
in process file to accumulate data on cost. In the meantime, when the engineering
department enters product specifications for new products, new records will be
created in the bill of materials and operation list files. The engineering
department accesses both files to examine the design of similar products in order
to develop the specification. The department also accesses the general ledger and
inventory files to get information about the costs of any alternative in designing
the products. When the list of operations to be performed is ready, it is displayed
at the appropriate workstations. Similar instructions are sent to the computer
integrated manufacturing (CIM) interface to guide the operation of computerised
machinery and robots. Finally, materials requisitions are sent to the inventory
stores department to authorise the release of raw materials into production.

During the process as illustrated in Figure 8.3, four types of cost data have been
accumulated which are raw materials, direct labour, machinery and equipment,
and manufacturing overhead. Let us now examine how these four categories of
cost data are collected.

First, we will learn how cost on raw materials is gathered. Whenever a material
requisition is being issued, the raw materials are sent to production and a debit
will be made in work in process account. If additional materials are needed,
another debit is made to work in process. On the other hand, work in process
account is credited whenever unused materials are returned to the inventory
department. The usage data to calculate the cost is collected by scanning the
materials when they are released from or returned to the inventory department
because most of the materials are bar coded. For those without bar code, the
inventory clerk uses online terminals to enter the usage data.

Next, we will examine how the cost for direct labour is collected. For direct
labour, a job time ticket can be used to accumulate data about labour activity.
This document records the amount of time a worker spent on each specific job
task. Alternatively, workers can also enter this data using online terminals at
each factory workstation. To improve the efficiency of this process, firms can also
introduce coded identification cards, which workers pass through a
badge reader or bar code scanner when they start and finish any task.

Another cost to be collected is data on machinery and equipment usage. This
data is collected at each step in the production process, often together with data
about labour costs.

For example, when workers record their activities at a particular workstation,
the system can also record information identifying the machinery and
equipment used and the duration of such use.

Finally, we will examine how cost of manufacturing overhead is collected.
Manufacturing overhead is any manufacturing costs that are not economically
significant to trace directly to specific jobs or processes. Examples include the
costs of water, power and other utilities; miscellaneous supplies; rent, insurance,
and property taxes for the factory plant; and the salaries of factory supervisors.
Most of these costs are collected by the expenditure cycle information system (see
Topic 7).

Thus far, we have focused on accounting costs associated with the production of
inventory. However, the AIS also collects and processes information about
property, plant and equipment used in the production cycle. This is because such
fixed assets represent a significant portion of total assets for many companies,
and so it is important to monitor this investment. Some authors include fixed
assets system in the production cycle but some include this in the expenditure
cycle. For this module, fixed assets have been included in the expenditure cycle
as discussed in the earlier Topic 7.

8.2 INTERNAL CONTROLS PROCEDURES FOR PRODUCTION CYCLE

ACTIVITY 8.1

What do you understand by the term "Standard Operating Procedure
(SOP)"? Will it be helpful to have "SOP" for every department in an
organisation?

Internal controls procedures in the production cycle are used to make the processing
in the cycle run smoothly. Table 8.1 lists some of the procedures used in the
production cycle.

Table 8.1: Procedures Used in Production Cycle

No. Procedure
1 Improved information about the effects of product design on costs.
2 Detailed data about warranty and repair costs.
3 Better production planning systems.
4 Review and approval of fixed asset acquisitions; budgetary controls.
5 Restrict physical access to inventories and fixed assets.
6 Document all movement of inventory through the production process.
7 Identification of all fixed assets.
8 Periodic physical counts of inventory.
9 Adequate insurance.
10 Data entry edit controls; use of bar code scanning where feasible; reconciliation of recorded amounts with periodic physical counts.
11 Backup and disaster recovery planning; restricting access to cost data.
12 Improved and timelier reporting.

8.3 COMPUTER APPLICATION SYSTEMS FOR THE PRODUCTION CYCLE
We will now discuss computer application systems for the production cycle.

8.3.1 Inventory System


This system is used to maintain inventory records and to notify managers when
the inventory level of a specific item requires replenishing. It is important to
record every transaction in order to prevent overstocking or understocking,
which can lead to a loss for a company.

8.3.2 Cost Accounting System


This system is used to determine the costs of products manufactured or services
provided and to record those costs in the accounting records. The costs come
from direct material, labour and overhead and are recorded in an account
called the work in process (WIP). Job order costing and process costing are the two
most commonly used cost accounting systems.

8.4 CONTROLS IN THE COMPUTER ENVIRONMENT
This section describes controls used in the computer environment according to
input, processing and output categories.

8.4.1 Inventory System


Let us now look at the controls in the inventory system in detail.
(a) Input
    (i) Completeness tests
        • Verify the existence of item number and quantity on receiving
          report transactions; verify the existence of item number, quantity,
          and general ledger account number on materials requisition
          transactions.
    (ii) Validity test
        • Verify that the item number on a transaction exists in the
          inventory master record.
(b) Processing
    (i) Record counts
        • Program verifies that the number of debits to the inventory
          account = the number of receiving reports; and
        • Program verifies that the number of credits = the number of
          materials requisitions.
(c) Output
    (i) Control total
        • Clerk verifies from control report that all transactions were
          processed.

8.4.2 Cost Accounting System


Controls for cost accounting system are as follows.
(a) Input
    (i) Completeness tests
        • Verify that all fields have been entered with data in the materials
          transaction and labour transaction records.

(b) Processing
    (i) Control total
        • In the online real time system, program verifies that total costs
          recorded in job cost file = total cost recorded in cost center file.
    (ii) Record count
        • Verify that the number of new job records + the number of records in
          the old job cost file = the number of records in the new job cost file.

(c) Output
    (i) Control totals
        • Data control group verifies that total cost of jobs on job purge
          control report = total of job cost reports.
    (ii) Run-to-run controls
        • In batch system, data control group verifies that total on register =
          total transactions disclosed on error listings.

SELF-CHECK 8.1

1. What activities are involved in the production system? The cost
accounting system?
2. What are the three main functions inventory control serves in the
production process?

• In short, you should understand the four basic activities involved in the
  production cycle, which are product design, production planning and
  scheduling, production operations and cost accounting.
• Companies must also invest in IT continuously in order to improve the
  efficiency of these activities.
• Apart from that, we have also listed the internal control procedures used in
  the cycle and described the processes involved in this cycle using the
  computer.

Bill of materials
Master Production Schedule (MPS)
Material requisition
Move tickets
Production cycle

Boockholdt, J. L. (1999). Accounting information systems. Singapore: McGraw-Hill.
Hall, J. A. (2001). Accounting information systems. Ohio: Thomson Learning.
Romney, M. B., & Steinbart, P. J. (2003). Accounting information systems (9th
ed.). New Jersey: Prentice Hall.

Topic 9 General Ledger and Reporting System
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Identify four basic activities performed in the general ledger and
reporting system;
2. Explain the key decisions that must be made in the financial cycle;
3. Identify the information required to make the key decisions in
financial cycle;
4. Describe the process of financial cycle transactions using computer;
and
5. Discuss the control practices and procedures in financial cycle.

INTRODUCTION
As a future accountant, you must know the basic accounting
transaction processing cycles. Having discussed all the accounting
transaction processing cycles in the previous topics, we will now discuss the
general ledger and reporting system in this topic. It covers the information
processing operations involved in updating the general ledger and preparing
the reports that summarise the results of an organisation's activities.

9.1 GENERAL LEDGER AND REPORTING ACTIVITIES

ACTIVITY 9.1
What entities need to be recorded in a general ledger?

As we have learnt in previous topics, the general ledger is an important element in
the AIS. It is used as a hub to connect to every subsystem in the company's AIS
through information flows. Basically, all summaries of transactions from other
subsystems become sources of input to the general ledger and reporting system.
The following are sources of data collected by the system.

Each of the accounting cycle subsystems described in Topics 6 to 8 provides
information about regular transactions as summarised by Figure 9.1.

Figure 9.1: Regular transactions in accounting cycle

The treasurer provides information about financing and investing activities, such
as the issuance or retirement of debt and equity instruments and the purchase or
sale of investment securities. The budget department provides budget numbers.
The controller provides adjusting entries.

On the other hand, the outputs are reports which are sent to external and internal
users. The flow of this information is illustrated in Figure 9.2.

Figure 9.2: Context diagram of the general ledger and reporting system
Source: Romney and Steinbart (2003)

The information flows in this system must be organised and stored in a way that
meets the various information needs of the internal and external users. For
example, managers need detailed information about the results of operations in
their particular area of responsibility. Investors and creditors want periodic
financial statements to help them assess the organisation's performance.
Currently, the investors and creditors are demanding more detailed and frequent
reports from the system. Government agencies also have periodic information
requirements that must be met by a company. Therefore, the design of the
general ledger and reporting system must be able to produce regular periodic
reports and to support real time inquiry needs.

For example, departmental managers should be able to access actual versus
planned performance at any time so that any differences can be identified
early in the process and corrective actions can be made. Likewise, the
treasurer must be able to closely monitor cash flows so that deviations from
forecasts can be identified in time and adjustment on short-term borrowings
plans can be made.

Now that we have studied the context diagram in Figure 9.2, we will look at the
detailed processes in level 0 of the DFD as shown in Figure 9.3.

Figure 9.3: Level 0 DFD for the general ledger and reporting system
Source: Romney and Steinbart (2003)

There are four basic activities performed in the general ledger and reporting
system as illustrated in Figure 9.3. The first three activities which are update
general ledger, post adjusting entries and prepare financial statements represent
the basic steps in the accounting cycle which end with the creation of the
traditional set of financial statements. The fourth activity which is produce
managerial reports indicates that, in addition to financial reports for external
users, the AIS also produces reports for internal management. Let us examine
each of these activities in more detail.

9.1.1 Updating General Ledger


As shown in Figure 9.3, the first activity in the general ledger system (circle 1.0) is
updating the general ledger. Updating consists of posting journal entries that
originate from two sources:

(a) Accounting Subsystem
Each of the accounting subsystems described in Topics 6 to 8 creates a journal
entry to update the general ledger. In theory, we can say that the general
ledger could be updated for each individual transaction. In practice,
however, the various accounting subsystems usually update the general
ledger by means of summary journal entries that represent the results of all
transactions that occur during a given period of time (day, week or month).
Let us look at the example in revenue and expenditure cycles.

The revenue cycle subsystem would generate a summary journal entry
debiting accounts receivable and cash and crediting sales for all sales made
during the update period. Similarly, the expenditure cycle would generate
summary journal entries to record the purchase of supplies and inventories
and to record cash disbursements in payment for those purchases.

(b) Treasurer
The treasurer's office creates individual journal entries to update the
general ledger for non-routine transactions such as the issuance or
retirement of debt, the purchase or sale of investment securities, or the
acquisition of treasury stock.

Journal entries to update the general ledger may be documented on a form called
a journal voucher. Figure 9.3 shows that the individual journal entries used to
update the general ledger are then stored in the journal voucher file. Therefore,
we can find the information in general ledger located in a manual AIS as well.
However, notice that the journal voucher file is a by-product of, not an input to,
the posting process. The journal voucher file is also one of the important parts of
the audit trail.

9.1.2 Post Adjusting Entries


The second activity in the general ledger system is posting various adjusting
entries (circle 2.0 in Figure 9.2). These adjusting entries originate from the
controller's office, after the initial trial balance has been prepared. The trial
balance is a report that lists the balances for all general ledger accounts. Its name
reflects the fact that if all activities have been properly recorded, the total of all
debit balances in various accounts should equal the total of all credit balances. As
shown in Figure 9.3, information about these adjusting entries is stored in the
journal voucher file. After all adjusting entries have been made, an adjusted trial
balance is prepared. The adjusted trial balance serves as the input to the next step
in the general ledger and financial reporting cycle, which is the preparation of
financial statements.

9.1.3 Prepare Financial Statements


As mentioned in section 9.1.2, the third activity in the general ledger and
reporting system is preparing financial statements (circle 3.0 in Figure 9.2). The
income statement is prepared first, using data from the revenue and expense
account balances in the adjusted trial balance. This is followed by the preparation
of the balance sheet. This activity requires closing entries that zero all revenue
and expense accounts and transferring the net income or loss to retained
earnings. The third major financial statement produced in this system is the
statement of cash flows. It uses data from the income statement and balance sheet
to provide details about the organisation's investment and financing activities.

9.1.4 Produce Managerial Reports


The final activity in the general ledger and reporting system (circle 4.0 in Figure
9.2) is producing various managerial reports. Examples of general ledger control
reports include:
(a) Lists of journal vouchers by numerical sequence, account number or date;
and
(b) Lists of general ledger account balances.

These reports are used to verify the accuracy of the posting process. Several budgets
are produced for planning and evaluating performance of an organisation. The
operating budget depicts planned revenues and expenditures for each
organisational unit. The capital expenditures budget shows planned cash inflows
from operations with planned expenditures and is used to determine the
organisation's borrowing needs.
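
The posting and verification steps described in 9.1.1, 9.1.2 and 9.1.4, shown as an added example that is not part of the original module: a voucher is posted only if its debits equal its credits, accepted vouchers go to the journal voucher file, the trial balance is checked, and gaps in the voucher number sequence are listed. The chart of accounts, voucher numbers and amounts are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

ZERO = Decimal("0")
# Assumed chart of accounts for this example.
CHART = {"Cash", "Accounts receivable", "Inventory", "Accounts payable",
         "Notes payable", "Sales", "Depreciation expense",
         "Accumulated depreciation"}


def check_voucher(jv):
    """Return the reasons to reject a voucher (an empty list means accept)."""
    problems = []
    debits = sum((Decimal(d) for _, d, _ in jv["lines"]), ZERO)
    credits = sum((Decimal(c) for _, _, c in jv["lines"]), ZERO)
    if debits != credits:
        problems.append(f"debits {debits} != credits {credits}")
    for account, _, _ in jv["lines"]:
        if account not in CHART:
            problems.append(f"unknown account {account!r}")
    return problems


def post(vouchers):
    """Post vouchers; return (ledger, journal voucher file, rejected list)."""
    ledger = defaultdict(lambda: ZERO)  # account -> balance, credit if negative
    jv_file, rejected = [], []
    for jv in vouchers:
        problems = check_voucher(jv)
        if problems:
            rejected.append((jv["number"], problems))
            continue
        for account, debit, credit in jv["lines"]:
            ledger[account] += Decimal(debit) - Decimal(credit)
        jv_file.append(jv)  # by-product of posting, kept as the audit trail
    return dict(ledger), jv_file, rejected


def trial_balance(ledger):
    """Total debit balances, total credit balances, and whether they agree."""
    debit_total = sum((b for b in ledger.values() if b > 0), ZERO)
    credit_total = sum((-b for b in ledger.values() if b < 0), ZERO)
    return debit_total, credit_total, debit_total == credit_total


def missing_numbers(jv_file):
    """Gaps in the numerical sequence of the journal voucher file."""
    numbers = sorted(jv["number"] for jv in jv_file)
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


# Constructed vouchers; each line is (account, debit, credit).
VOUCHERS = [
    {"number": 101, "source": "revenue cycle", "lines": [
        ("Accounts receivable", "8000", "0"), ("Cash", "2000", "0"),
        ("Sales", "0", "10000")]},
    {"number": 102, "source": "expenditure cycle", "lines": [
        ("Inventory", "6000", "0"), ("Accounts payable", "0", "6000")]},
    {"number": 103, "source": "expenditure cycle", "lines": [
        ("Accounts payable", "4000", "0"), ("Cash", "0", "4000")]},
    {"number": 104, "source": "treasurer", "lines": [
        ("Cash", "50000", "0"), ("Notes payable", "0", "50000")]},
    {"number": 105, "source": "controller", "lines": [  # does not balance
        ("Depreciation expense", "1500", "0"),
        ("Accumulated depreciation", "0", "1250")]},
    {"number": 106, "source": "controller", "lines": [
        ("Depreciation expense", "1500", "0"),
        ("Accumulated depreciation", "0", "1500")]},
]

if __name__ == "__main__":
    ledger, jv_file, rejected = post(VOUCHERS)
    print("rejected:", rejected)
    print("trial balance:", trial_balance(ledger))
    print("missing voucher numbers:", missing_numbers(jv_file))
```

Because every posted voucher balances, the trial balance can only disagree if the ledger was changed outside the posting routine, which is the condition the report is meant to expose.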

In sum, the processes described above form the general ledger and reporting
system, discussed in this topic. To have a better understanding of these
processes, Figure 9.4 illustrates the general ledger and reporting system in detail
using a flowchart.

Figure 9.4: Flowchart of an online general ledger and reporting system


Source: Romney and Steinbart (2003)

9.2 INTERNAL CONTROLS FOR GENERAL LEDGER AND REPORTING SYSTEM
Internal controls procedures for general ledger and reporting system are
important since this system deals with other subsystems in the AIS. The
procedures are listed below:
(a) Input and processing controls;
(b) Reconciliations and control reports;
(c) Audit trail;
(d) Access controls; and
(e) Backup and disaster recovery procedures.

9.3 COMPUTER APPLICATION SYSTEMS


There are two main computer applications in general ledger and reporting
systems that you should know. First is Journal Entry and Financial Reporting
System and the second is property system. We will examine each application in
the section below.

9.3.1 Journal Entry and Financial Reporting System


Both journal entry system and financial reporting system processes are shown in
detail in the following Figure 9.5 and 9.6.

Figure 9.5: A journal entry system


Source: Boockholdt (1999)

Figure 9.6: A financial reporting system


Source: Boockholdt (1999)

The purpose of the journal entry system is to post to the general ledger all
transactions that are not processed by other application systems. These include
transactions that record the acquisition of capital from the issue of stocks and
bonds, the receiving of cash from bank loans, and the acquisition and disposition
of property. Meanwhile, the purpose of the financial reporting system is to close
the general ledger and to produce financial statements and performance reports.
It uses the journal entry system to record adjustments made to the accounts
during the closing process. That is why some accountants identify the two
systems as the general ledger system.

9.3.2 Property System


The property system deals with the fixed assets in a firm. The purpose of a property
system is to maintain an accurate record of all properties, factory plants and
equipment that are depreciable. It also maintains records of annual and
accumulated depreciation on this property.

Figure 9.7: A property application


Source: Boockholdt (1999)


9.4 CONTROLS IN THE COMPUTER ENVIRONMENT

This section describes the controls used according to input, processing and output
categories.

9.4.1 Property System


The following are controls in the property system.
(a) Input
(i) Completeness test
• Verify that all master file fields are completed on the voucher or
capital work order records.
(ii) Validity test
• Verify that an account number represents a valid asset account.

(b) Processing
(i) Record count
• Program verifies that the number of changes to the property
master file = the number of vouchers + the number of retirement
orders + the number of capital work orders.
(ii) Control total
• Program verifies that total debits to general ledger batch summary
file = batch total of vouchers + batch total of capital work orders.

(c) Output
(i) Control total
• Program verifies that total credits to general ledger batch
summary file = total of retirement work orders.


9.4.2 Journal Entry and Financial Reporting Systems


Controls for journal entry and financial reporting systems are as follows.
(a) Input
(i) Completeness test
• Input program determines that all data in required fields are
entered.
(ii) Consistency test
• For any journal voucher, sum of debits = sum of credits.

(b) Processing
(i) Record count
• Number of records from input general ledger batch summary file
= number of records in detail postings file + number of records in
output general ledger batch summary file.
(ii) Consistency test
• For each transaction, sum of debits = sum of credits.

(c) Output
(i) Run-to-run control
• Data control group reconciles totals on control report, error listing
and transaction register; and
• Data control group uses transaction register to reconcile the
differences between the first and second trial balances.
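
The input, processing and output controls listed above can be sketched in Python for a batch of journal vouchers. This is an added example, not part of the original module: the voucher layout, field names, account numbers and batch header are assumptions, the sample vouchers are constructed, and the validity test is borrowed from the property system controls in 9.4.1.

```python
from decimal import Decimal

# Field names, account numbers and vouchers are constructed for this
# example; they are assumptions, not taken from the module.
REQUIRED_FIELDS = ("voucher_no", "date", "description", "lines")
VALID_ACCOUNTS = {"1000", "1500", "2100", "3000", "6100"}


def edit_check(voucher):
    """Input controls for one journal voucher; returns a list of failures."""
    errors = []
    # Completeness test: all required fields are present and non-empty.
    for field in REQUIRED_FIELDS:
        if not voucher.get(field):
            errors.append(f"completeness: {field} is missing")
    debit_sum = credit_sum = Decimal("0")
    for line in voucher.get("lines") or []:
        # Validity test: the account number must be a known account.
        if line["account"] not in VALID_ACCOUNTS:
            errors.append(f"validity: unknown account {line['account']}")
        debit_sum += Decimal(line.get("debit", "0"))
        credit_sum += Decimal(line.get("credit", "0"))
    # Consistency test: sum of debits = sum of credits.
    if debit_sum != credit_sum:
        errors.append(
            f"consistency: debits {debit_sum} != credits {credit_sum}")
    return errors


def debit_total(vouchers):
    """Control total: the sum of all debit amounts in a set of vouchers."""
    return sum(
        (Decimal(line.get("debit", "0"))
         for v in vouchers for line in v.get("lines") or []),
        Decimal("0"),
    )


def process_batch(vouchers):
    """Post vouchers that pass the edit checks; list the rest as errors."""
    register, error_listing = [], []
    for voucher in vouchers:
        errors = edit_check(voucher)
        if errors:
            error_listing.append({"voucher": voucher, "errors": errors})
        else:
            register.append(voucher)
    return register, error_listing


def reconcile(header, register, error_listing):
    """Data control group's check of the run against the batch header.

    Every record submitted must appear either in the transaction register
    or in the error listing, and the debit totals must add up the same way.
    """
    rejected = [entry["voucher"] for entry in error_listing]
    return {
        "record_count_ok":
            len(register) + len(rejected) == header["record_count"],
        "control_total_ok":
            debit_total(register) + debit_total(rejected)
            == Decimal(header["debit_total"]),
    }


# Constructed batch: one valid voucher, one unbalanced, one incomplete.
BATCH_HEADER = {"record_count": 3, "debit_total": "62300.00"}
VOUCHERS = [
    {"voucher_no": "JV-001", "date": "2017-08-01",
     "description": "Bank loan received",
     "lines": [{"account": "1000", "debit": "50000.00"},
               {"account": "2100", "credit": "50000.00"}]},
    {"voucher_no": "JV-002", "date": "2017-08-02",
     "description": "Equipment acquired",
     "lines": [{"account": "1500", "debit": "12000.00"},
               {"account": "1000", "credit": "11000.00"}]},
    {"voucher_no": "JV-003", "date": "2017-08-03", "description": "",
     "lines": [{"account": "6100", "debit": "300.00"},
               {"account": "9999", "credit": "300.00"}]},
]

if __name__ == "__main__":
    register, error_listing = process_batch(VOUCHERS)
    for entry in error_listing:
        print(entry["voucher"]["voucher_no"], entry["errors"])
    print(reconcile(BATCH_HEADER, register, error_listing))
```

A record that goes missing between submission and posting appears in neither the register nor the error listing, so both checks in `reconcile` fail for that run.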

SELF-CHECK 9.1

1. What are the three distinct phases of the financial accounting
process? How often is each of these functions performed?
2. What information is contained in a journal voucher?


• In general, the general ledger and financial reporting system integrates and
summarises the results of various accounting subsystems in revenue,
expenditure and production cycles.
• As discussed before, the general ledger acts as a central master file in the AIS.
• That is why it is important to implement the control procedures stated in this
topic in order to ensure its accuracy and security.
• The controls include edit checks of the journal voucher records posted to the
general ledger, access controls, an adequate audit trail, and appropriate
backup and disaster recovery procedures.
• This topic also discusses the main applications used in this system, which are
the Journal Entry and Financial Reporting System and the Property System.

Adjusted trial balance
Depreciation
General journal listing
General ledger batch summary file
Journal voucher

Boockholdt, J. L. (1999). Accounting information systems. Singapore: McGraw-Hill.
Hall, J. A. (2001). Accounting information systems. Ohio: Thomson Learning.
Romney, M. B., & Steinbart, P. J. (2003). Accounting information systems (9th ed.).
New Jersey: Prentice Hall.



Topic 10 E-Business
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Explain how e-business facilitates internal business processes;
2. Describe how e-business facilitates connections with external parties;
3. Discuss the concerns and necessary precautions to take when
transacting in e-business; and
4. Identify the appropriate infrastructure and support to facilitate
various methods for conducting e-business.

INTRODUCTION
The onset of the information age and computerisation has provided us with more
options on how to communicate with each other, which helps to minimise
barriers to communication. For instance, besides telephone and face-to-face
communication, we can also make use of e-mails, instant messaging, Facebook
and even Twitter. Though the variety of technological options facilitates
communication, the quality of communication lacks human touch, e.g., an
individual's facial expressions at a point in time are not readily determinable from
e-mails, instant messages and/or tweets.

In a similar manner, computerisation and automation improve business
processes, interactions and communications. Greater efficiency, especially in
terms of speed, elimination of errors and papers, is readily attainable in the
short run. However, computerisation and automation of business processes are
not without their problems.


10.1 ELECTRONIC BUSINESS (E-BUSINESS)

ACTIVITY 10.1

Imagine that you have completely forgotten about getting your spouse
a birthday present until you stumble upon a familiar-looking watch on
eBay while Internet-surfing. You have seen the same watch in a product
catalogue from your credit card company. The watch is now sold on
eBay at half the catalogue price.
Has your life changed for the better with access to the Internet and
online retail businesses?

What is e-business?

Electronic business or e-business can be defined as the application of
electronic networks (including the Internet) to exchange information and link
business processes among organisations and individuals.
(Dull et al., 2012: 64)

With the dawn of online retail businesses such as Amazon.com and eBay, it is
easy to perceive that e-business involves getting connected with external parties
like customers and suppliers via the use of various technology-based
communication options. Virtually any type of business involves exchange of
economic resources like goods, services and money. Such exchange of economic
resources is not feasible without the participation of external parties; i.e., you
need to exchange economic resources with somebody. How e-business affects
business processes that involve external parties is further discussed as follows.

10.1.1 Business Processes Involving External Parties


The benefits that e-business brings to business processes that involve external parties
can be categorised into three levels: information, transaction and distribution level
(Hall, 2008). Nevertheless, not every business is in a position to benefit from e-
business at each of the three levels, which is further discussed as follows.


(a) Information Level

E-business enables sharing of information (information about the
company, its products and services, expertise, etc.) through a website.
Among the benefits of such sharing of information are access to customers
and suppliers worldwide, creation of business partnerships to fill market
niches, lower marketing costs and reductions in retail prices.

Nevertheless, you need to be careful with the following concerns to benefit
from e-business at the information level.
(i) Up-to-date, complete and accurate information is maintained on the
website;
(ii) The website is user-friendly and readily navigable;
(iii) Sufficient hardware and software infrastructure to support quick
access, especially during high usage periods; and
(iv) Confidential information and/or information that can jeopardise a
company's own strategic positioning are not shared on the website.

(b) Transaction Level

E-business enables orders to be accepted from customers and/or placed
with the suppliers over the Internet. For example, when you go to
Amazon.com, you can not only find information about the various
products that are sold but also place orders on its website. As you
browse through the website, you can place an order for product items you
are interested in buying.

Figure 10.1 depicts a screenshot of Amazon.com's website. To place an
order, first, you need to add product items you are interested in purchasing
into the "shopping cart" by clicking on the "add to cart" button. Next, you
need to pay (normally by credit card) for the product items in the
"shopping cart" by clicking on the "proceed to checkout" button.


Figure 10.1: A screenshot of Amazon.com's website

Being able to transact on the Internet with customers, suppliers and other
trading partners facilitates development of dynamic business alliances to
fill unique market niches. For instance, your business expertise is in
marketing and selling home-made cookies on the website, whereas your
trading partners have the expertise in making such cookies. You share
product information, prices and expected delivery times on your website,
accept customer orders and dispatch customer orders to your trading
partners who make and ship the cookies directly to the customers. You do
not take ownership or custody of the cookies, which reduces costs and
shortens lead times from receipt of customers' orders to the delivery of
cookies.

However, the risks of transacting on the Internet are high, especially when
the external parties are complete strangers. Risks can be minimised,
however, when transactions are on a cash basis. For example, you require
customers to pay by credit cards or transfer payments into your bank
account when placing an order. However, you still need to address the
following concerns to benefit from e-business at the transaction level.


(i) Protection of confidential data used in the transaction, such as credit
card information;
(ii) Accuracy and integrity of customers, suppliers and/or other trading
partners' information systems; and
(iii) Verification of identity, physical existence and credibility of
customers, suppliers and/or other trading partners.

(c) Distribution Level

E-business enables delivery of products to the customers. Only businesses
that involve digital products benefit from e-business at the distribution
level. Examples of digital products include e-books, online news
subscriptions, software products, music and video products.

In addition to concerns related to the use of e-business at the transaction level
as discussed in part (b) above, you also need to address concerns about
successful online delivery to the legitimate customers, especially when you
do not meet customers and deliver tangible products face-to-face.

SELF-CHECK 10.1

1. What are the benefits of e-business in terms of liaising with
customers, suppliers and/or trading partners?
2. What are the risks of e-business, especially when you do not
know and/or have never met your customers, suppliers and/or
trading partners face-to-face?
3. How do you minimise such risks?

10.1.2 Internal Business Processes


E-business is not limited to getting connected with external parties. E-business
also entails internal connection. Better internal connection enhances coherence
and coordination of internal business processes. For instance, close connection
between the production department, sales and marketing department and
warehouse enables the production department to be equipped with information
about current sales volumes, future sales forecasts and inventory levels in the
warehouse. Such information enables the production department to make
informed decisions on how much of the products to manufacture. As your
business grows and expands, ensuring internal connection, and the resultant
coherence and coordination of internal business processes become increasingly
important.

The changes that e-business brings to internal business processes range from
automation to business process reengineering. Automation involves replicating
traditional, manual business processes with the use of technology to enhance
speed and cost effectiveness. However, business process reengineering involves
radical rethinking and reorganisation of existing business processes and
workflows.

(a) Automation of accounting processes


Table 10.1 provides a summary of the differences between manual and
automated accounting processes using a sales transaction as an example.
Notice that tasks performed between manual and automated processes are
similar. The differences can be seen in how data is processed.

Table 10.1: Manual versus Automated Accounting Processes

Manual Accounting Processes | Automated Accounting Processes
• Journalise a credit sales transaction into the sales journal. | • Complete a sales invoice and key in the sales transaction.
• Post the credit sales transaction into: accounts receivable subsidiary ledger; general ledger. | • Update: accounts receivable master data; general ledger master data.
• Prepare trial balance, adjusting entries, financial statements, and closing entries. | • Retrieve general ledger master data and print financial reports.

Source: Dull et al. (2012)

(b) Batch processing


Batch processing is a common, automated mode of processing large
volumes of similar transactions. Several similar transactions (e.g. sales, cash
receipts, etc.) are aggregated over a period of time (e.g., a day, a week, etc.)
and processed at once. Batch processing involves four basic steps and there
is a time delay between each step (Dull et al., 2012; Gelinas et al., 1999).
(i) Step 1: Record business events as they occur on source documents.
For instance, record each sales transaction into the cash register as it
occurs;


(ii) Step 2: Enter aggregated batches of source documents, normally via
an offline device, into a computerised machine-readable format. For
instance, at the end of each day, all sales slips are entered into a
computer for storage on a disk;
(iii) Step 3: Update master data on completion of calculations and
summarisations, if any. For instance, at the end of each day, the data store
is taken home (or to a public accountant in the event that accounting
is outsourced) to update inventory master data based on calculation
of inventory level (subtract inventory sold from prior inventory total).
Sales data are then stored in a more permanent data store; and
(iv) Step 4: Generate management reports periodically. For instance,
generate a sales report and an inventory update report.

(c) Periodic mode


Periodic mode of processing is characterised by a delay between the various
processing steps. Periodic mode is similar to, but is technically not, batch
processing (Dull et al., 2012; Gelinas et al., 1999).

Periodic mode and batch processing are suitable for high volume
transactions, such as sales and cash receipts. Both processing modes require
little dedicated processing resources, which minimises disruptions of other
tasks in times of scarce resources. In fact, both processing modes maximise
use of resources and minimise instances of idle resources. For example,
instead of entering each sales transaction as it occurs into the computer, all
sales transactions are accumulated till the end of the day when the shop is
closed for business. The owner-manager is able to concentrate on entering
all sales transactions for the day without the distractions of other tasks,
such as entertaining customers' enquiries. Being able to concentrate on
entering sales transactions alone also minimises data-entry errors.

The very nature of periodic and batch processing, which is characterised by
delay in processing, also suggests that timeliness of information is
compromised. Both processing modes can be implemented into a
traditional manual accounting system without many adjustments, which
provides little incentive to rethink and reorganise existing business
practices.


10.2 CHANGES IN BUSINESS PROCESSES


Business process reengineering, which requires radical rethinking and
reorganisation of business processes, is pertinent for operational efficiency and
effectiveness to take a quantum leap. The processing alternatives that
deviate from traditional manual accounting systems, and which stimulate
rethinking and reorganisation of existing business processes, are as follows.

10.2.1 Online Transaction Entry (OLTE)


An online transaction entry (OLTE) system enables transactions to be entered into the
information systems at the time the transactions occur on an online basis. OLTE
resolves concerns about delays and redundancies typically associated with the
periodic mode by merging two steps: (a) entering transactions into source documents;
and (b) entering data to convert data into a computerised format.
Accurate data entry is pertinent for OLTE; "garbage in, garbage out".

Introduction of bar code readers, scanners and radio-frequency identification
(RFID) readers further facilitates the use of OLTE as errors attributable to manual
data entry are eliminated. Proper scan of items is required for accurate data
entry.

You can find use of OLTE in a typical supermarket. At the check-out counter,
you will notice that the cashier scans each of the grocery items you want to buy.
Data is entered into the computer at each scan. The cashiers only manually key in
data when the scanner fails to read the bar code.

OLTE can still be applied consistent with the periodic mode if such processing
mode is deemed suitable, where, once data is entered, the remaining processing
steps such as update of master data take place at a later point in time. The
periodic mode is most suitable for payroll processing as employees are typically
paid a fixed amount at the end of each month. Payroll processing tasks are
routine and information about employees' wages and salaries is somewhat
predictable. If you are earning a fixed income every month, do you know how much
you will be paid on your next pay day? When timely information about wages
and salaries adds little value, immediate mode (opposite of periodic mode) of
processing is less suitable; i.e. periodic mode of processing is more suitable.

10.2.2 Online Real-time (ONRT) Processing


Online real-time (ONRT) processing completes all processing steps in an
immediate mode (as opposed to the periodic mode). Time constraints and the
importance of timely information make ONRT desirable. Business transactions
are entered at the time they occur and master data are updated immediately,
which, in turn, minimises delay in accessing up-to-date, real-time information.

ONRT processing typically involves three basic steps (Dull et al., 2012):
(a) Step 1: Enter data at the time business transactions occur. Similar to OLTE,
source documents are typically not used to avoid delay.
(b) Step 2: Data entered are processed (e.g., calculations and summarisations)
and master data are updated immediately. Unlike OLTE where processing
of data entered can be postponed in accordance with the periodic mode,
data entered are immediately processed and master data are updated
instantaneously.
(c) Step 3: While periodic reports will be generated as scheduled, ad-hoc and
unique reports are available through access to the information system at
any point in time. ONRT enables real-time information. The most current
status of master data items is available at any point in time.

Returning to the supermarket example, large supermarkets like Giant, AEON
and Cold Storage cannot afford to have stock-out problems. How do you feel
when most of the grocery items you want to buy are all out of stock every time
you shop for groceries? The point-of-sale (POS) system is most suitable in
preventing stock-out problems. At check-out counters, when products sold are
entered into the information systems, the inventory master data are updated
instantaneously. The most up-to-date information about inventory levels for
every inventory item is available at any point in time. Inventory items that fall to
the minimum levels are reordered immediately.
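
The difference between the batch steps in 10.1.2(b) and the immediate mode described above shows up in when the inventory master data change and when a reorder is detected. The following Python sketch is an added example, not part of the original module; item codes, quantities, minimum levels and all class and function names are constructed for illustration.

```python
# Item codes, quantities and minimum levels are constructed for this
# example; class and function names are assumptions.
OPENING = {"MILK-1L": 20, "RICE-5KG": 10}
MINIMUM = {"MILK-1L": 12, "RICE-5KG": 5}
SALES = [  # (sequence number of the scan, item, quantity)
    (1, "MILK-1L", 4), (2, "RICE-5KG", 2), (3, "MILK-1L", 5),
    (4, "MILK-1L", 3), (5, "RICE-5KG", 1),
]


class InventoryMaster:
    """Inventory master data with a reorder check on every update."""

    def __init__(self, on_hand, minimum):
        self.on_hand = dict(on_hand)
        self.minimum = dict(minimum)
        self.reorders = []  # (point at which the shortfall was seen, item)

    def post_sale(self, item, qty, detected_at):
        if item not in self.on_hand:
            raise KeyError(f"unknown item {item}")
        if qty <= 0:
            raise ValueError("quantity must be positive")
        self.on_hand[item] -= qty
        already_reordered = any(i == item for _, i in self.reorders)
        if self.on_hand[item] <= self.minimum[item] and not already_reordered:
            self.reorders.append((detected_at, item))


def run_periodic(sales, snapshot_after):
    """Batch steps: capture sales all day, update master data at day end."""
    master = InventoryMaster(OPENING, MINIMUM)
    transaction_file, snapshot = [], None
    for seq, item, qty in sales:
        transaction_file.append((item, qty))   # steps 1 and 2: capture only
        if seq == snapshot_after:
            snapshot = dict(master.on_hand)    # what an enquiry sees now
    end_of_day = len(transaction_file)
    for item, qty in transaction_file:         # step 3: update master data
        master.post_sale(item, qty, detected_at=end_of_day)
    return snapshot, master.on_hand, master.reorders


def run_immediate(sales, snapshot_after):
    """ONRT: each sale updates the master data as it is entered."""
    master = InventoryMaster(OPENING, MINIMUM)
    snapshot = None
    for seq, item, qty in sales:
        master.post_sale(item, qty, detected_at=seq)
        if seq == snapshot_after:
            snapshot = dict(master.on_hand)
    return snapshot, master.on_hand, master.reorders


if __name__ == "__main__":
    for name, run in (("periodic", run_periodic), ("immediate", run_immediate)):
        snapshot, final, reorders = run(SALES, snapshot_after=3)
        print(name, "after sale 3:", snapshot, "reorders:", reorders)
```

Both modes end the day with the same balances; only the immediate mode shows the true on-hand quantity during the day and raises the reorder at the sale that crossed the minimum level.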

10.2.3 Online Transaction Processing (OLTP)


Online transaction processing (OLTP) systems enable all or part of the processing
to be performed at the data entry terminal. OLTP is a real-time system that
enables data entry, data updates, communication and coordination at the data
entry terminal in an immediate mode.

OLTP systems are most useful for automatic teller machines (ATMs) and airline
reservation systems. Every time you withdraw cash at any ATM terminal, you
get the cash and know how much money is left in your account immediately at
the terminal. Every time you book a flight on the Internet, you pay with a credit
card and get a confirmation and/or flight itinerary almost immediately. All
processing steps are completed on the spot.


SELF-CHECK 10.2

Complete the following table. First, identify the various processing
alternatives that are of a periodic versus immediate mode. Next,
identify the types of business operations that are most suitable for the
periodic versus immediate mode of processing.

 | Periodic Mode | Immediate Mode
Processing alternatives | |
Types of business operations | |

10.3 INFRASTRUCTURE FOR E-BUSINESS


ACTIVITY 10.3

Do you have access to the Internet at home and at work? How do you
access, or what do you need to get connected to the Internet to check
e-mails, chat and find out what your friends and relatives are doing
on Facebook and/or Twitter?

At the beginning of this topic, we defined e-business as requiring the use of
technological advancements in communications for business organisations to get
connected with people external as well as internal to the organisation. E-business
is not possible without some form of connection and/or communication network.

10.3.1 Communication Networks


There are several types of communication networks, each with different
functions.

(a) Internet
The Internet connects all computers in the world, which allows global
access to information resources.


(b) Web Browsers


Web browsers are user-friendly software programmes that enable access to
the Internet to browse various sources of information available.

(c) Intranet
The intranet connects all computers and databases in an organisation. The
intranet is accessible via web browsers and/or internally developed
software specifically designed to facilitate sharing of information resources
within an organisation. The intranet operates like the Internet except that
access to the intranet is only available for users internal to an organisation.
Internal information resources such as a company's mission statements,
instruction manuals and operational information can be shared via the
intranet.

(d) Extranet
The extranet allows external parties such as customers, suppliers and other
trading partners access to an organisation's intranet.

(e) Client server


Client server is a network arrangement. A user's computer is known as the
client. Databases, applications and access to shared devices such as printers
and scanners are made available via a centralised computer known as a
server. Multiple client computers share data, applications and devices via
the server. If you were to play around with the data and applications
available at the server from a client computer, it will be as though the data
and applications are stored in the computer's hard-disk drive, like a typical
desktop computer.

(f) Local Area Networks (LANs)


Local area networks (LANs) are communication networks that enable client
server technologies. LANs are suitable for connection within the same
geographic region, such as within the same room, same building or even
across several buildings within close proximity.

Figure 10.2 shows an illustration of a LAN. "Nodes" refer to the
computers connected in LANs.


Figure 10.2: Local area network, LAN


Source: Hall (2008)

(g) Wide Area Networks (WANs)


Wide area networks (WANs) are also communication networks that enable
client server technologies, but unlike LANs, WANs are not geographically
limited. WANs connect geographically dispersed computers, mainframes
and even LANs. WANs can be used to connect single as well as multiple
organisations with some form of business partnership agreements. Long
distance connections (e.g., via telephone lines and microwave channels)
make maintenance of WANs costly. Hence, it is more cost effective to lease
from commercial networks.

Figure 10.3 shows an illustration of WAN. "Gateways" connect different
types of LANs whereas "bridges" connect same types of LANs.


Figure 10.3: Wide area network, WAN


Source: Hall (2008)

10.3.2 Methods for Conducting E-business


The communication networks discussed in the previous section facilitate the use of
various methods to conduct e-business.

(a) Electronic mail (e-mail)


E-mails, which contain non-standardised messages, can be exchanged
between parties with access to communication networks like the Internet
and intranet. How many electronic mails (e-mails) do you receive on a
typical day? Do all your e-mails appear more or less the same in terms of
contents and colours? Virtually anything (e.g., messages, pictures, attached
files, attached links to websites) can be communicated via e-mails. E-mails
constitute an avenue to reach out to potential customers who are not
visiting your company's website. You can approach potential customers via
e-mails, just like approaching customers via telephone and from door to
door.


The non-standardised nature of e-mail requires human intervention. You
need someone to read and interpret e-mail messages. When customers
place an order by e-mail, e-mails become the source documents. Unlike bar
code and radio-frequency identification (RFID) where manual data entry is
eliminated, someone has to enter data manually to capture transactions
communicated by e-mails. Manual data entries are subject to human errors.

It is feasible to manually enter data when the volume of transactions over
e-mails is low. On the other hand, when the volume of transactions is high,
you can consider attaching an electronic order form to compensate for the
non-standardised nature of e-mails. However, manual data entry is still
required to a certain extent even when an electronic order form is used.
You also need a mechanism to filter unsolicited, non-document e-mails
(i.e., spam), especially when your e-mails have become source documents to
most of your business transactions.

(b) Electronic Document Management (EDM)


Electronic document management (EDM) deals with electronic document
images. Examples of information that can be in the form of electronic
document images are contracts, deeds, mortgages, birth certificates, price
lists and catalogues. The functions of EDM applications include the
following:
(i) Store, retrieve, display and print electronic document images in
various formats, e.g., PDF. Such functions are useful when making
information publicly available for title searches.
(ii) Process and manage flow of electronic document images to the
appropriate parties regardless of geographic dispersion. Such
functions are useful when several parties are involved in making use
of the document images to make decisions. Electronic-based image
processing systems are required. Among the examples of business
processes that will find such functions of EDM useful are
underwriting, origination and closing.

EDM is useful for business processes with the following characteristics.
(i) Produce large amounts of paper documents that have to be stored.
EDM reduces storage costs;
(ii) Require frequent access to stored data from widely-dispersed
geographic locations; and
(iii) Involve complex and extensive processing of stored data from
multiple locations. Approvals of loan and insurance applications are
typical examples.

Figure 10.4 illustrates use of EDM to store and share
large amount of information electronically.

Figure 10.4: Use of EDM to store and share large amount of information electronically

(c) Electronic Data Interchange (EDI)


Electronic data interchange (EDI) enables computer-to-computer exchange
of information. The components of EDI and information exchange
procedures are summarised in Figure 10.4. First, the sender's application
software prepares business documents (e.g., purchase order) to be
transmitted to the receiver (e.g., supplier). Second, translation software
translates business documents into a structured EDI format, which the
receiver's computer is able to process. Third, value-added network (VAN)
service, which is a hub that connects many trading partners together,
transmits the translated business document. The translated business
document becomes an outgoing message to the sender and incoming
message to the receiver. Fourth, the receiver (e.g., supplier) picks up the
incoming message (e.g., customer order) from the VAN mailbox. Fifth, the
receiver's translation software translates the incoming message from the
EDI format, so that the receiver's application software is able to process it.
Finally, the receiver's application software processes the incoming
document (e.g., customer order).


Figure 10.4: Components of electronic data interchange, EDI


Source: Dull et al. (2012)

Instead of connecting to a VAN, trading partners can also set up and
maintain their own communication infrastructure, which can be costly.
Infrastructure incompatibilities between trading partners are not
uncommon and require purchase of additional hardware and/or
software.


Alternatively, trading partners can make use of EDI service bureaus. EDI
service bureaus are intermediaries between trading partners. Among the
services that these service bureaus offer are translations of documents
into a standard EDI format as well as from EDI format to suit trading
partners' application software. Another alternative is to use the Internet.

While online transaction entry (OLTE) simplifies processing by merging
preparation of source documents with keying-in of source documents,
EDI simplifies processing even further where both preparation of source
documents and keying-in of data are eliminated for the seller. The
purchaser initiates and completes OLTE activities as both the seller's and
purchaser's computer systems are connected. EDI eliminates the risk of
erroneous data entry for the seller.

Though EDI simplifies and even eliminates processing steps, some of the
control mechanisms are also inadvertently eliminated. For instance,
source documents, which constitute evidence of business transactions, are
eliminated for the seller. The seller loses the audit trail. There has to be a
certain degree of trust between trading partners as the purchaser is
allowed to initiate and complete the seller's OLTE. Trading partners can
have an agreement upfront. However, not everything can be foreseen and
included in the agreement.

As EDI brings trading partners closer together, it also gives rise to the
importance of close connection and coherence of internal business
processes. For information to flow instantaneously across business
organisations, information flow within business organisations also needs
to be done instantaneously. EDI together with other methods and
infrastructure that support e-business facilitate close internal as well as
external connection among trading partners.


SELF-CHECK 10.3

Briefly describe how each method for conducting e-business
improves efficiency and effectiveness in business processes. Identify
the communication networks and infrastructure required to make use
of each method.

Complete the table below.

| Methods | How efficiency and effectiveness in business processes are improved? | Communication networks and infrastructure required |
|---|---|---|
| E-mail | | |
| Electronic data management (EDM) | | |
| Electronic data interchange (EDI) | | |

• E-business improves coherence, operational efficiency and effectiveness of
internal business processes. The changes that e-business brings range from
automation of manual processes to more radical changes that involve
aggregation and elimination of processing steps.
• E-business facilitates connection across organisations with suppliers,
customers and other trading partners. As communication networks and
infrastructure become more sophisticated, they enable various forms of
inter-organisational communication ranging from sharing of information, to
transacting and delivery of products and services, which in turn, give rise to
more avenues for value creation and business strategies that were previously
not feasible.
• Smooth and seamless flow of information within as well as across
organisations attributable to e-business also gives rise to concerns about
security and privacy of information.


Automation
Batch processing
Business process reengineering
Client server
E-business
Electronic data interchange (EDI)
Electronic document management (EDM)
E-mail
Extranet
Immediate mode
Local area network (LAN)
Internet
Intranet
Online real-time (ONRT) processing
Online transaction entry (OLTE)
Online transaction processing (OLTP)
Periodic mode
Value-added network (VAN)
Web browser
Wide area network (WAN)

Dull, R. B., Gelinas, Jr, U. J., & Wheeler, P. R. (2012). Accounting information
systems: Foundations in enterprise risk management (9th ed.). Mason, OH:
South-Western, Thomson Corporation.

Gelinas, Jr, U. J., Sutton, S. G., & Oram, A. E. (1999). Accounting information
systems (4th ed.). Mason, OH: South-Western, Thomson Corporation.

Hall, J. A. (2008). Accounting information systems (6th ed.). Mason, OH:
South-Western, Thomson Corporation.



Topic 11 Security and Control Issues in E-Business
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Explain the security and control issues attributable to the Internet and
e-business activities;
2. Describe the control measures for the operating system;
3. Recognise the control measures for the operating system;
4. Identify the control measures for communication security, both
internal and external communication; and
5. Apply the control measures in the electronic data interchange (EDI)
environment.

INTRODUCTION

The trend referred to as Bring Your Own Device (BYOD) allows employees to
use their personal devices such as tablets and smartphones to access company
resources including e-mails, files, databases and applications. While providing
convenience, it also opens up security issues that companies have to address.
"There is a massive requirement for quality content management," said Anand
Kekre, co-founder and chief executive of Pune-based Vaultize that provides
data security for employees' personal devices at large companies including the
DDB Mudra group and Tech Mahindra.
(Source: The Economic Times, 25 November 2013)


In the previous topic, we have covered how the Internet and e-business help to
manage a business better, but not without a price. The Internet and e-business
also give rise to concerns and worries, especially in terms of privacy and
security.

In this topic, we continue to discuss the security and control issues attributable to
the Internet and e-business. We will begin by discussing how the increasing use
of the Internet and e-business contributes toward security issues and concerns.
Next, we will discuss the control measures to mitigate these security issues and
concerns. We will discuss the control measures that protect four major areas of
concern:
(a) The operating system;
(b) Database management system;
(c) Internal and external communication; and
(d) Electronic data interchange (EDI) environment.

11.1 SECURITY ISSUES AND CONCERNS

ACTIVITY 11.1
Imagine you receive a phone call from your bank asking for your
Internet-banking user ID and password for verification purposes. Will
you disclose your Internet-banking user ID and password the very
moment that you were asked? If you were to disclose such information,
what do you think can happen?

E-business changes conventional understanding of the very nature of a business.
Recall that in the previous topic, e-business simplifies, aggregates and even
eliminates some of the conventional processing steps. E-business also makes
transacting with people you do not know and have never met in person more
common. Examples of security issues and concerns that can arise as a result of
e-business are as follows (IFAC, 2002).
(a) Inadequate audit trail, as a result of reduction in paper documents;
(b) Loss of transaction integrity, especially with the elimination of audit trail;
(c) Security risks, such as virus attacks, fraud and destructions attributable to
unauthorised access by employees, customers, etc.;
(d) Improper accounting policies related to e-business practices, such as
capitalisation of website development costs, complex contractual
agreements between EDI partners and revenue recognition issues arising
from, for instance, sharing of advertising space on a business' website and
whether to recognise revenue when goods and services are supplied or
when credit card payments are received;
(e) Non-compliance of taxation and other regulatory requirements when cross-
country transactions are involved;
(f) Difficulties in determining whether contractual obligations evidenced only
by electronic means are fulfilled;
(g) Major business operations' over-reliance on technology and the Internet;
and
(h) Failures of systems, networks and other infrastructures.

How e-business gives rise to various security issues and concerns is explained
in the remainder of this section.

11.1.1 Reliance on E-business


Some businesses are more conducive to adopting e-business practices than others.
The industries that are conducive to adopting e-business practices include the
following.
(a) Computer software;
(b) Trading of securities;
(c) Banking;
(d) Travelling;
(e) Books and magazines;
(f) Music;
(g) Advertising;
(h) News media; and
(i) Education.

Businesses can make use of e-business to complement as well as to completely
replace traditional business processes. The more conducive a business is to
adopting e-business practices, the more likely it is for e-business to completely
replace traditional business processes. The more a business depends on e-business
to conduct its business operations, the more issues and concerns the business is
exposed to.


For instance, in addition to selling products, CDs, stationeries, etc. via
conventional brick-and-mortar stores, MPH bookstore also has a website, i.e.,
MPH online, to reach out to more customers both locally and internationally.
Besides conventional books in paperbacks and hard covers, electronic versions of
the books, i.e., e-books, are also available. MPH's business operations are not
entirely dependent on e-business. The security issues and concerns that MPH
faces are lower in comparison with those OptionXpress faces. OptionXpress is an
online broker of stocks, options, futures and other investments whose business
operations are heavily dependent on the Internet; trading is impossible without
the Internet.

11.1.2 E-business Strategy


The extent to which a business is subject to greater security issues and concerns
with the use of e-business depends on the e-business strategy adopted, which is
discussed as follows.
(a) Whether people in charge of governance are involved in making e-business
adoption decisions to ensure alignment of e-business with the business'
overall strategy. For instance, have people in charge of governance ensured
that MPH's online presence is aligned with MPH's strategy as a leading
book retailer in Malaysia and Singapore?
(b) Whether e-business is used to make existing activities more efficient or
reach new markets for existing activities, or e-business is used to support
new activities. For instance, is MPH's online presence meant for
complementing its existing brick-and-mortar stores as a book retailer, or is
its online presence meant for venturing into completely new product lines
such as watches and jewellery?
(c) Whether there are changes to major sources of revenue. For instance, has
MPH's major source of revenue shifted from sales of books, to sales of
tablets, e-book readers and other electronic accessories, and even
advertising fees received from display of advertisements on the business
website?
(d) Has there been evaluation of how e-business affects earnings and the costs
associated with setting up and maintenance of e-business infrastructure
and support?
(e) Have opportunities and risks associated with e-business been identified,
documented and supported by appropriate controls? What are the plans, if
any, to respond to opportunities and risks that arise?
(f) Is the business committed to any relevant codes of best practices or web
seal programs?


11.1.3 Extent of E-business Activities


To what extent e-business is used also determines the extent to which a business
is exposed to security issues and concerns. E-business can be used in a number of
ways:
(a) To provide information about the business. Investors, customers, suppliers,
financiers, employees and other external parties are able to access such
information;
(b) To transact with customers, suppliers and other external parties;
(c) Being able to provide information and transact via e-business allows access
to new markets and potential customers;
(d) To access Application Service Providers (ASPs); and
(e) To create an entirely new business model, i.e., change existing business
practices.

A business is exposed to security concerns for as long as a website is available for
public access. The extent to which internal business processes become more
integrated, complex and deviate from traditional practices as a result of
e-business practices determines the business' vulnerability to security concerns.

11.1.4 Outsourcing Arrangements


Not every business has the expertise and resources to set up and maintain the
necessary e-business infrastructure and support. Businesses can solicit the
services of Internet Service Providers (ISPs), Applications Service Providers
(ASPs), Value Added Networks (VANs) and other organisations that provide IT-
related support for e-business.

When soliciting the services of these organisations, some of your business
processes, procedures and records are maintained by these organisations. You
need to understand the outsourcing arrangements and identify the possible
security issues and concerns.

11.1.5 Legal and Regulatory Issues


Legal and regulatory requirements – for instance, related to sales taxes, goods
and services taxes, taxes on e-business transactions – that you need to consider
vary across jurisdictions. The following factors affect the legal and regulatory
aspects of your business:


(a) Whether your business is legally registered;
(b) The location where your business is based;
(c) The location of the web server of your business;
(d) The locations of your suppliers; and
(e) The locations of your customers.

The more you engage in e-business activities across borders, the more you need
to consider the following issues and concerns:
(a) National and international privacy requirements;
(b) National and international requirements for regulated industries, such as
banking and finance;
(c) Enforceability of contracts;
(d) Legality of particular activities, such as Internet gambling; and
(e) Intellectual property rights.

SELF-CHECK 11.1
1. What are the major security issues and concerns in the e-business
era?

2. How do e-business practices make a business more vulnerable to
security issues and concerns?

11.2 INTERNAL CONTROL CONSIDERATIONS

ACTIVITY 11.2

How do you ensure that nobody knows your Internet banking user ID
and password? Write down a list of steps to safeguard your user ID and
password.
Do you follow the steps you have written down all the time? Do the
steps you have listed actually work?


Internal control can address security issues and concerns in the e-business era.
However, having internal control alone is not enough. Internal control needs to
be aligned with business processes and consistently monitored and revised in
line with changes in the e-business environment. Internal control at various
levels is discussed in the remainder of this section.

11.2.1 Operating System


The operating system is the first line of defence to a computer-based information
system. The typical functions of the operating system are as follows (Hall, 2008).
(a) Allows you to interact with the computer by translating high-level
languages such as COBOL, C++, BASIC and SQL, into the machine-
language that the computer can execute;
(b) Allocates computer resources to users and workgroups by authorising
access to terminals, telecommunication links, databases and printers, and
assigning memory work space to applications; and
(c) Manages job scheduling and multiprogramming to establish priorities and
balance in the use of finite computer resources among competing
applications.

In order for the operating system to perform the above functions, there are five
control objectives to achieve.

(a) Protect the operating system from users, who can destroy data or cause the
operating system to cease functioning;
(b) Protect users from accessing, destroying and corrupting each other's data
or programs;
(c) Protect users' applications from accidental corruptions;
(d) Protect the operating system's applications from accidental corruptions;
and
(e) Protect the operating system from destructions attributable to the
environment, such as power failure.

The control measures to ensure operating system security and to achieve the five
control objectives above are tabulated in Table 11.1.


Table 11.1: The Control Measures to Ensure Operating System Security and to Achieve the Five Control Objectives

| Control Measure | Description |
|---|---|
| Log-on Procedure | Log-on procedure, where only users with valid usernames and passwords are allowed to log-on, is the first line of defence against unauthorised access. |
| Access Token | For a successful log-on attempt, the operating system creates an access token, which contains information about the user's username, password, user group and privileges granted. The access token is used to approve the user's actions during the log-on session. |
| Access Control List | The access control list contains information that defines access privileges for all valid users of the system resources such as directories, files, programs and printers. Users who attempt to access system resources are granted access based on a match with the access control list. |
| Discretionary Access Privileges | Some users are allowed discretionary access privileges and can grant access to specific resources (the users' own resources). For instance, the owner of general ledger can grant read-only privileges to the budgeting department's manager. |
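
The four control measures in Table 11.1 working together, as an added example that is not part of the original module. The class, user and resource names are hypothetical, and this sketch keeps only the username and user groups in the token, leaving the password out of it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the account file never holds cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class AccessToken:
    """Created at log-on and presented with every later request in the session."""
    username: str
    groups: frozenset


class OperatingSystem:
    def __init__(self):
        self._accounts = {}  # username -> (salt, password hash, groups)
        self._owners = {}    # resource -> owning username
        self._acl = {}       # resource -> {principal: set of privileges}

    def add_user(self, username, password, groups=()):
        salt = os.urandom(16)
        self._accounts[username] = (salt, _derive(password, salt), frozenset(groups))

    def create_resource(self, resource, owner):
        self._owners[resource] = owner
        self._acl[resource] = {owner: {"read", "write"}}

    def log_on(self, username, password):
        """Log-on procedure: return an access token, or None when credentials fail."""
        # Unknown users still go through the hash so both failure paths cost the same.
        salt, stored, groups = self._accounts.get(
            username, (b"\0" * 16, b"", frozenset()))
        if not hmac.compare_digest(stored, _derive(password, salt)):
            return None
        return AccessToken(username, groups)

    def is_allowed(self, token, resource, privilege):
        """Match the token against the resource's access control list; default deny."""
        entries = self._acl.get(resource, {})
        principals = [token.username] + [f"group:{g}" for g in sorted(token.groups)]
        return any(privilege in entries.get(p, ()) for p in principals)

    def grant(self, token, resource, principal, privileges):
        """Discretionary access: only the resource owner may extend its ACL."""
        if self._owners.get(resource) != token.username:
            raise PermissionError(f"{token.username} does not own {resource}")
        self._acl[resource].setdefault(principal, set()).update(privileges)


def demo():
    """The table's own case: the ledger owner grants the budgeting manager read-only."""
    system = OperatingSystem()
    # Constructed accounts and passphrases, for illustration only.
    system.add_user("gl_owner", "constructed-Passphrase-1", groups=["accounting"])
    system.add_user("budget_mgr", "constructed-Passphrase-2", groups=["budgeting"])
    system.create_resource("general_ledger", owner="gl_owner")

    owner = system.log_on("gl_owner", "constructed-Passphrase-1")
    manager = system.log_on("budget_mgr", "constructed-Passphrase-2")
    results = {
        "bad_password": system.log_on("budget_mgr", "wrong"),
        "before_grant": system.is_allowed(manager, "general_ledger", "read"),
    }
    system.grant(owner, "general_ledger", "budget_mgr", {"read"})
    results["read_after_grant"] = system.is_allowed(manager, "general_ledger", "read")
    results["write_after_grant"] = system.is_allowed(manager, "general_ledger", "write")
    try:
        system.grant(manager, "general_ledger", "budget_mgr", {"write"})
        results["self_escalation"] = "granted"
    except PermissionError:
        results["self_escalation"] = "refused"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The manager's attempt to grant write access to their own account is refused because the discretionary privilege belongs to the owner of the resource, not to everyone who can read it.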

The following security and control issues have to be taken into consideration
when designing, assessing and testing controls to preserve the operating system.

(a) Access Privileges


Access privileges assigned to users determine which directories, files,
applications and other system resources users can access and what types of
actions users can take. Access privileges assigned to users must be
compatible with users' assigned duties, typically specified in job
descriptions. Access privileges have to be closely monitored to preserve
system integrity.

The control objective is that access privileges are granted consistent
with the need to separate incompatible functions and consistent with
organisational policies.

The control plans that facilitate achieving the control objective of
access privileges include the following.
(i) Separation of incompatible functions is specified in organisational
policies;
(ii) Access rights of users are appropriate for users' job descriptions and
positions;

(iii) Adequate security clearance for employees that is documented in
personnel records consistent with organisational policies;
(iv) Users formally acknowledge their responsibility to maintain
confidentiality of company data, which is documented in employee
records; and
(v) Users' permitted log-on times are commensurate with the tasks being
performed.

(b) Password Control


A password is a secret code that users enter to gain access to the system,
applications, data, files, or network server. Among the user behaviours that
can circumvent security despite password protection are as follows.
(i) Forgetting password;
(ii) Failing to change passwords on a frequent basis;
(iii) Writing down and displaying passwords for others to see; and
(iv) Simplistic passwords that are readily anticipated.

The control objective for preserving the integrity of the operating system is
an adequate and sufficient password policy.

The control plans to achieve the control objective include the following.
(i) Passwords are required for all users;
(ii) New users are instructed on the use of passwords and importance of
password control;
(iii) Passwords are changed regularly as part of the control procedures;
(iv) Weak passwords are identified and disallowed, which may require
use of software to scan password files;
(v) Password files are encrypted and encryption key is properly secured;
(vi) Password standards are adequate, for instance in terms of length and
expiration interval of passwords; and
(vii) Adequate lockout policy and procedures, in terms of the number of
log-on attempts allowed before the account is locked and the duration
of lockout ranging from a few minutes to permanent lockout that
requires formal reactivation of the account.


(c) Malicious and Destructive Programmes


Malicious and destructive programmes include viruses, worms, logic
bombs, back doors and Trojan horses.
The control objective to achieve is to have effective organisational policies
and procedures to prevent malicious and destructive programmes.

Among the control plans to achieve the control objective are as follows:
(i) Purchase software only from reputable vendors and accept only
products in their original factory-sealed packages;
(ii) Establish and enforce policies pertaining to use of unauthorised or
illegal copies of copyrighted software;
(iii) All software upgrades are examined for viruses prior to being
implemented;
(iv) New software is verified and tested on stand-alone workstations
prior to being implemented on the host or network server;
(v) All public-domain software is inspected for viruses prior to use;
(vi) Establish and enforce procedures on making changes to production
programmes;
(vii) Establish educational programme to raise user awareness of threats
from viruses and malicious programmes;
(viii) Backup key files stored on mainframes, servers or workstations on a
routine basis;
(ix) Limit users to read and execute rights only, whenever possible. This
denies users the ability to write directly to mainframe and server
directories;
(x) Require protocols that explicitly invoke the operating system's log-on
procedures to bypass Trojan horses. The log-on screen that is already
displayed for users to enter usernames and passwords has the
potential to be a Trojan horse. Requiring users to directly invoke the
log-on procedure by entering a combination of keys, such as CTRL + ALT
+ DEL, ensures that the log-on screen is legitimate; and
(xi) Maintain a current version of anti-viral software to examine
application and operating system programs for presence and removal
of viruses. Anti-viral programs are used to safeguard mainframes,
network servers and personal computers.


(d) System Audit Trail Controls


System audit trails are logs, which record activity at the system, application
and user level. Effective selection of the level of auditing to be recorded in
the log will capture all significant events without cluttering the log with
trivial activity.

There are two types of audit logs. First, logs of keystrokes record users'
keystrokes and the system's responses, which is useful to reconstruct details of
an event and prevent unauthorised intrusion. Keystroke monitoring has to
be considered carefully due to possible legal and ethical implications.
Second, event-oriented logs record all users (based on usernames) accessing
the system, the time and duration of each user's session, programs executed
during a session, and files, databases, printers and other resources accessed.

System audit trails are adequate when the following control objectives are
achieved.
(i) Audit trails enable detection of unauthorised access to prevent breach of
system controls;
(ii) Audit trails enable reconstruction of events, especially events that
lead to system failures or security violations. Being able to reconstruct
events facilitates assigning responsibility and avoiding similar
circumstances in the future; and
(iii) Audit trails promote personal accountability, which is a preventive
control mechanism where individuals are less likely to violate
security policies when they know their actions are recorded in audit
logs.

Among the control plans to achieve the control objectives above are as
follows:
(i) Activate audit trail according to organisational policies.
(ii) Scan audit logs – for instance, using data extraction tools – for
unusual activities. Figure 11.1 depicts an example of activities recorded
in an audit log organised by date, time, user and user's action.


Figure 11.1: Example of activities recorded in an audit log

(iii) The following defined conditions are useful for scanning audit logs.
• Unauthorised or terminated users;
• Periods of inactivity;
• Activity by user, workgroup or department;
• Log-on and log-off times;
• Failed log-on attempts; and
• Access to specific files or applications.

(iv) Establish security group to monitor and report security violations.
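
Several of the scanning conditions listed under (iii), applied to an event-oriented log, as an added example that is not part of the original module. The log layout (date, time, user, action, target), the user lists, the permitted hours and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed policy data (hypothetical users, hours and file names).
VALID_USERS = {"smith", "jones", "adams"}
TERMINATED_USERS = {"tlee"}
PERMITTED_HOURS = (time(8, 0), time(18, 0))
SENSITIVE_FILES = {"/payroll/rates.dat"}
FAILED_LOGON_THRESHOLD = 3

# Constructed sample log, organised by date, time, user and user's action.
SAMPLE_LOG = """\
2017-08-14 08:58:12 smith LOGON_OK -
2017-08-14 09:02:40 smith FILE_READ /gl/ledger.dat
2017-08-14 09:15:03 jones LOGON_FAILED -
2017-08-14 09:15:09 jones LOGON_FAILED -
2017-08-14 09:15:16 jones LOGON_FAILED -
2017-08-14 09:16:01 jones LOGON_OK -
2017-08-14 17:31:44 smith LOGOFF -
2017-08-15 02:47:10 adams LOGON_OK -
2017-08-15 02:49:55 adams FILE_READ /payroll/rates.dat
2017-08-15 03:05:20 tlee LOGON_OK -
2017-08-15 03:06:02 ghost LOGON_FAILED -
"""


def scan(log_text):
    """Return (timestamp, user, finding) tuples for entries that need review."""
    findings = []
    failures = defaultdict(int)  # consecutive failed log-ons per user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            date_s, time_s, user, action, target = line.split(maxsplit=4)
            stamp = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            # A damaged entry is itself worth reporting, not silently skipping.
            findings.append((line.strip(), "?", "unparseable entry"))
            continue
        when = stamp.strftime("%Y-%m-%d %H:%M:%S")

        # Condition: unauthorised or terminated users.
        if user in TERMINATED_USERS:
            findings.append((when, user, "terminated user"))
        elif user not in VALID_USERS:
            findings.append((when, user, "unknown user"))

        if action == "LOGON_FAILED":
            # Condition: failed log-on attempts (reported once, at the threshold).
            failures[user] += 1
            if failures[user] == FAILED_LOGON_THRESHOLD:
                findings.append((when, user, "repeated failed log-ons"))
        elif action == "LOGON_OK":
            failures[user] = 0
            # Condition: log-on times outside the user's permitted hours.
            start, end = PERMITTED_HOURS
            if not (start <= stamp.time() < end):
                findings.append((when, user, "log-on outside permitted hours"))
        elif action.startswith("FILE_") and target in SENSITIVE_FILES:
            # Condition: access to specific files.
            findings.append((when, user, "access to sensitive file"))
    return findings


def findings_by_user(findings):
    """Condition: activity by user, grouped for the security group's report."""
    grouped = defaultdict(list)
    for when, user, finding in findings:
        grouped[user].append((when, finding))
    return dict(grouped)


if __name__ == "__main__":
    for user, items in findings_by_user(scan(SAMPLE_LOG)).items():
        for when, finding in items:
            print(f"{user:8} {when}  {finding}")
```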


SELF-CHECK 11.2

1. What are the control objectives of an operating system?
2. What is the use of access control list?
3. When does password protection fail to preserve operating
system integrity?
4. How do you know whether system audit trails are adequate?

11.2.2 Database Management System


There are two categories of controls over database management. Firstly, access
controls and secondly, backup controls.

(a) Access Controls


Access controls prevent unauthorised intruders as well as ensure
authorised users do not exceed their access privileges. Control features that
safeguard the database are as follows:

(i) User views – Define users' data domain and restrict access to the
data accordingly. The database administrator ensures access privileges
are commensurate with users' legitimate needs, based on job descriptions
and positions. A user view is also known as a subschema. Figure 11.2
illustrates the role of user view. Smith, Jones and Adams have access to
the same set of data, i.e., account number, customer name, account
balance and credit limit.


Figure 11.2: User view (i.e., subschema) restricting access to database


Source: Hall (2008)

(ii) Database authorisation table – Contains rules that limit the actions
users can take, such as read, write and delete. The table is used to
verify users' action requests. Figure 11.3 provides an example of a
database authorisation table, where Jones, a user, is authorised to
read, insert, modify and delete.

Figure 11.3: Database authorisation table


Source: Hall (2008)


(iii) User-defined procedures – Allow users to create a personal security
program. For example, in addition to a password, the security
procedure asks a series of personal questions the users have created
(such as user's mother's name, pet's name, etc.) for better access
control.
(iv) Data encryption – Uses an algorithm to scramble and therefore protect
highly sensitive data, making data unreadable to intruders. Examples
of highly sensitive data that require encryption are product formulas,
password files, personnel pay rates and other financial data.
(v) Biometric devices – Measure users' personal characteristics such as
fingerprints, voiceprints, retina prints and signature characteristics as
user authentication procedures. User characteristics are digitised and
stored in a database security file or on an identification card that the
user carries. Access is allowed when users' biometric characteristics,
captured with a scanning device, match the profile data stored
internally or on the ID card.

Access control features should be designed and applied in a manner that
achieves the following control objectives.
(i) Users authorised to access the database are limited to data required to
fulfil their duties; and
(ii) Unauthorised individuals are denied access to data.
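
A user view and a database authorisation table enforcing the two control objectives above, as an added example that is not part of the original module. The table, view and gateway names, the `tax_id` column, the sample rows and Smith's read-only status are constructed assumptions; Jones's four actions follow the description of Figure 11.3.

```python
import sqlite3


def build_database():
    """In-memory database with constructed customer rows (all values hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (
            acct_no INTEGER PRIMARY KEY, name TEXT,
            balance REAL, credit_limit REAL, tax_id TEXT);
        INSERT INTO customer VALUES
            (1001, 'Constructed Trading', 2500.0, 5000.0, 'TAX-0001'),
            (1002, 'Sample Supplies', 300.0, 1000.0, 'TAX-0002');

        -- User view (subschema): the four fields the text lists for Figure 11.2.
        CREATE VIEW v_credit AS
            SELECT acct_no, name, balance, credit_limit FROM customer;

        -- Database authorisation table: one row per action a user may take.
        CREATE TABLE authorisation (
            username TEXT, view_name TEXT, action TEXT,
            PRIMARY KEY (username, view_name, action));
        INSERT INTO authorisation VALUES
            ('jones', 'v_credit', 'read'),   ('jones', 'v_credit', 'insert'),
            ('jones', 'v_credit', 'modify'), ('jones', 'v_credit', 'delete'),
            ('smith', 'v_credit', 'read');   -- assumption: Smith is read-only
    """)
    return conn


class DatabaseGateway:
    """Every request passes through here; users never touch base tables directly."""

    def __init__(self, conn):
        self.conn = conn

    def _require(self, user, view, action):
        """Verify the action request against the authorisation table; default deny."""
        row = self.conn.execute(
            "SELECT 1 FROM authorisation"
            " WHERE username = ? AND view_name = ? AND action = ?",
            (user, view, action)).fetchone()
        if row is None:
            raise PermissionError(f"{user} may not {action} via {view}")

    def _view_columns(self, view):
        # Only called after _require(), so `view` is a name the administrator
        # placed in the authorisation table, not free text from the user.
        cursor = self.conn.execute(f'SELECT * FROM "{view}" LIMIT 0')
        return [column[0] for column in cursor.description]

    def read(self, user, view):
        self._require(user, view, "read")
        return self.conn.execute(f'SELECT * FROM "{view}" ORDER BY 1').fetchall()

    def modify(self, user, view, acct_no, column, value):
        self._require(user, view, "modify")
        # Column names cannot be bound as parameters, so check them against
        # the view's own column list before building the statement.
        if column == "acct_no" or column not in self._view_columns(view):
            raise PermissionError(f"{column} is outside {user}'s view")
        # Simplification: this sketch knows v_credit is backed by `customer`.
        self.conn.execute(
            f'UPDATE customer SET "{column}" = ? WHERE acct_no = ?',
            (value, acct_no))


if __name__ == "__main__":
    gateway = DatabaseGateway(build_database())
    print(gateway.read("smith", "v_credit"))         # four columns, no tax_id
    gateway.modify("jones", "v_credit", 1002, "credit_limit", 1500.0)
    try:
        gateway.modify("smith", "v_credit", 1001, "balance", 0.0)
    except PermissionError as err:
        print("refused:", err)
```

The view limits which data a user can reach, while the authorisation table limits what the user may do with it; the gateway refuses a request that fails either check.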

(b) Backup Controls


Backup controls enable recovery of files and databases in the event of loss
of data attributable to unauthorised access, equipment failure or natural
disaster. To recover lost data, the database has to be reconstructed to the
pre-failure status. The database management system's backup and recovery
features are as follows:
(i) Database backup – Makes periodic backup on the entire database
automatically. The backup copy should be stored off-site.
(ii) Transaction log – Provides an audit trail of all processed transactions.
The transaction log is a separate log, i.e., separate from changes to the
database, which is the database change log.
(iii) Check point feature – Suspends data processing automatically several
times an hour while reconciling the transaction log and the
database change log against the database. In the event of a failure,
processing from the last checkpoint can be restarted and thus, only a
few minutes of transaction processing are repeated.


(iv) Recovery module – Uses the logs and backup files to restart the
system after a failure.

Backup control features should be designed and applied in a manner that
achieves the control objective of adequate recovery of lost, destroyed or
corrupted data.

SELF-CHECK 11.3

1. What is a database authorisation table?

2. Is user view (subschema) different compared with database
authorisation table? What are the differences, if any?

11.2.3 The Internet and Communication


Access to the Internet and various communication networks connected to
outsiders, such as suppliers, customers and other trading partners, gives rise to
concerns about subversive threats. Examples of subversive threats include
computer criminals intercepting messages transmitted between the sender and
the receiver, computer hackers gaining unauthorised access to an organisation's
network as well as denial of service attacks from a remote location on the Internet.

To mitigate subversive threats, the following control objectives should be
considered when designing and implementing controls, see Figure 11.4.

Figure 11.4: Control objectives to be considered when designing and implementing controls


Among the controls that facilitate achievement of the control objectives above are
as follows:

(a) Firewalls – Firewalls protect organisations' intranet connected to the
Internet or other public networks. Firewalls filter all traffic from the outside
network and only authorised traffic between the organisation and the
outside as specified in formal security policy is allowed to pass through.
Firewalls can authenticate outside users, verify users' level of access
authority, and direct users to the programmes, data or services requested.
Firewalls can also be used to protect portions of the organisation's intranet
from internal access. There are two general types of firewalls.
(i) Network-level firewall consists of a screening router that examines
the source and destination addresses of incoming message packets
and determines whether to accept or deny access requests based on
programmed filtering rules. Security level is low to facilitate free flow
of information. Outside users are not explicitly authenticated.
(ii) Application level firewall provides a higher level of security. Users
are authenticated for specific tasks. Comprehensive transmission logs
and auditing tools for reporting unauthorised access are also
provided.

Figure 11.5 illustrates the use of two firewall interfaces. One filters incoming
requests from the Internet; the other controls access to the organisation's
intranet.

Figure 11.5: Dual-firewall interfaces


Source: Hall (2008)

(b) Controlling denial of service (DoS) attacks – Denial of service attacks clog
the Internet ports of the victim's server with fraudulently generated
messages. The victim becomes incapable of processing legitimate
transactions. Preventive steps against DoS attacks include:
(i) Programme firewalls to ignore attacking sites, once identified;
(ii) Use firewalls to block invalid IP addresses;
(iii) Use security software to scan for half-open connections; and
(iv) Use Intrusion Prevention Systems (IPS) that employ deep packet
inspection (DPI). Together with a firewall, IPS removes malicious
packets before the servers and networks are affected. DPI searches for
non-protocol compliance and decides whether a packet can proceed to
its destination based on predefined criteria.

(c) Encryption – Encryption converts data into a secret code for storage and
transmission. As illustrated in Figure 11.6, the sender uses an encryption
algorithm to convert original data, i.e., the cleartext message, into ciphertext
prior to transmission. Even if computer criminals were to intercept the
ciphertext while it is being transmitted, the data contents are not readily
accessible. The ciphertext has to be decrypted or decoded back into
cleartext, using the decryption algorithm to which only the receiver has
access, for the data contents to be accessible.

Figure 11.6: Transmission of encrypted data


Source: Hall (2008)


Encryption algorithms use keys that are typically 56 to 128 bits in length.
More bits in the keys make the encryption stronger. There are two general
approaches to encryption:

(i) Private key encryption – The sender and the receiver use the same key
to encrypt and decrypt the message respectively. To enhance security,
triple-DES (data encryption standard) can be used. Two forms of
triple-DES are EEE3 and EDE3. EEE3 uses three keys to encrypt the
message three times. EDE3 uses the first key to encrypt the message,
the second key to decrypt the same message into a garbled message (not
cleartext), and the third key to encrypt the garbled message further.
Figure 11.7 illustrates EEE3 and EDE3 encryption. A common
problem with private key encryption is that the more people who need to
know the key, the more likely perpetrators are to discover it; once the key
is discovered, intercepted coded messages can be deciphered.

Figure 11.7: EEE3 and EDE3 encryption


Source: Hall (2008)

(ii) Public key encryption – The sender and receiver use different keys to
encrypt and decrypt the messages, respectively. Each receiver has a
private key that is not shared and a public key that is published. The
sender uses the receiver's public key to encrypt the message. The
receiver uses his/her private key to decrypt the message.

(d) Digital signatures – Digital signatures ensure that transmitted messages
are from authorised senders and that transmitted messages have not been
tampered with once the digital signature is applied. First, the sender
calculates a digest, which is a mathematical value of the message's contents.
Second, the digest is encrypted with the sender's private key to produce a
digital signature. Third, the digest and message are encrypted with the
receiver's public key and transmitted to the receiver. The receiver
decrypts the message with the receiver's private key to produce the digital
signature and cleartext message. Then, the receiver uses the sender's public
key to decrypt the digital signature to produce the digest. The receiver
calculates a digest from the cleartext message, which is then compared with
the digest from the sender to ascertain whether the transmitted message
has been tampered with. Figure 11.8 summarises the process discussed
above.

Figure 11.8: Digital signature


Source: Hall (2008)

(e) Digital certificate – A certification authority (CA), a trusted third party,
verifies the sender's identity and creates a certification, which is the
sender's public key and a digital certificate, i.e., information about the
sender that the CA has verified and digitally signed. The encrypted message is
transmitted together with the digital certificate. At the receiver's end, the
receiver uses the CA's public key to decrypt the sender's public key
attached to the message. The sender's public key is used to decrypt the
message.

(f) Message sequence numbering – A sequence number is inserted in each message.
Any attempt to delete a message, change the order of messages or duplicate
a message is noticeable.

(g) Message transaction log – Incoming and outgoing messages and attempted
access are recorded in the log, together with the user ID, time of access, and
terminal location or telephone number from which access originates. Hackers'
efforts can be detected from the log.

(h) Request-response technique – A control message from the sender and a
response from the receiver are sent periodically to prevent intruders from
intercepting or delaying message transmission when senders and receivers
are not in contact.

(i) Call-back devices – Before data transmission and/or communication is
complete, the connection between the sender and receiver is broken to
enable the receiver to reconnect with the sender at the pre-authorised
number to prevent intruders from posing as senders.
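The network-level filtering in (a)(i) and the DoS steps in (b)(i) to (iii) can be sketched together: scan for half-open connections, add a deny rule for each source identified, and filter on source and destination address. This is an added example, not code from the module or from Hall (2008); the addresses, rule set, threshold and event format are constructed for illustration.

```python
"""Added teaching example: screening-router filtering plus a half-open scan."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "accept" or "deny"
    src: str     # source network, CIDR notation
    dst: str     # destination network, CIDR notation


# Assumption: "invalid" means a source that can never be legitimate on an
# Internet-facing interface (unspecified, private, loopback, link-local,
# multicast, reserved).
INVALID_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

WEB_SERVER = "203.0.113.10"  # constructed address (documentation range)
BASE_RULES = [Rule("accept", "0.0.0.0/0", WEB_SERVER + "/32")]


def filter_packet(src, dst, rules):
    """Return (action, reason) for one packet; the first matching rule wins."""
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return "deny", "malformed address"
    if any(s in net for net in INVALID_SOURCES):
        return "deny", "invalid source address"
    for number, rule in enumerate(rules, start=1):
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)):
            return rule.action, f"rule {number}"
    # Only traffic named in the policy passes; everything else is dropped.
    return "deny", "default deny"


def half_open_sources(events, threshold):
    """Return sources with at least `threshold` unfinished handshakes.

    events: iterable of (src_ip, src_port, flag). "SYN" opens a handshake and
    "ACK" completes it; whatever is still open at the end is half-open.
    """
    pending = set()
    for src, port, flag in events:
        if flag == "SYN":
            pending.add((src, port))
        elif flag == "ACK":
            pending.discard((src, port))
    counts = Counter(src for src, _ in pending)
    return sorted(src for src, n in counts.items() if n >= threshold)


def block_sources(rules, sources):
    """Place a deny rule for each identified attacker ahead of existing rules."""
    return [Rule("deny", s + "/32", "0.0.0.0/0") for s in sources] + list(rules)


# Constructed connection events: one client completes its handshake, another
# source opens five connections and never answers.
SAMPLE_EVENTS = [("192.0.2.7", 40000, "SYN"), ("192.0.2.7", 40000, "ACK")]
SAMPLE_EVENTS += [("198.51.100.23", 50000 + i, "SYN") for i in range(5)]

if __name__ == "__main__":
    attackers = half_open_sources(SAMPLE_EVENTS, threshold=3)
    rules = block_sources(BASE_RULES, attackers)
    for source in ("192.0.2.7", "198.51.100.23", "10.1.2.3"):
        print(source, filter_packet(source, WEB_SERVER, rules))
```

Because the deny rules are placed first and the last step is a default deny, a newly identified attacking source is dropped even though the general accept rule for the web server would otherwise match it.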
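Message sequence numbering (f) and the message transaction log (g) work together on the receiving side: the sequence check classifies each message, and the log keeps the evidence. This is an added example, not part of the original module; the class name, status labels and sample messages are assumptions made for illustration.

```python
"""Added teaching example: receiver-side sequence check feeding a transaction log."""
from dataclasses import dataclass, field


@dataclass
class SequenceChecker:
    expected: int = 1                           # next sequence number due
    missing: set = field(default_factory=set)   # skipped numbers not yet seen
    log: list = field(default_factory=list)     # message transaction log

    def receive(self, seq, user_id, origin, timestamp):
        """Classify one incoming message and record it in the log."""
        if seq < 1:
            status = "invalid"
        elif seq == self.expected:
            status = "ok"
            self.expected += 1
        elif seq > self.expected:
            # Numbers were skipped: the messages in between were deleted
            # or delayed.
            self.missing.update(range(self.expected, seq))
            self.expected = seq + 1
            status = "gap"
        elif seq in self.missing:
            # A skipped number arrived late: the order of messages changed.
            self.missing.discard(seq)
            status = "out-of-order"
        else:
            # This number was already received: a duplicated message.
            status = "duplicate"
        self.log.append({"seq": seq, "user_id": user_id, "origin": origin,
                         "time": timestamp, "status": status})
        return status

    def exceptions(self):
        """Return (log entries needing review, numbers never received)."""
        flagged = [entry for entry in self.log if entry["status"] != "ok"]
        return flagged, sorted(self.missing)


# Constructed traffic: message 3 arrives late and then a second time,
# and message 5 never arrives.
SAMPLE = [
    (1, "partner01", "terminal-A", "2017-08-01T09:00:00"),
    (2, "partner01", "terminal-A", "2017-08-01T09:00:05"),
    (4, "partner01", "terminal-A", "2017-08-01T09:00:09"),
    (3, "partner01", "terminal-A", "2017-08-01T09:00:12"),
    (3, "partner01", "terminal-B", "2017-08-01T09:00:30"),
    (6, "partner01", "terminal-A", "2017-08-01T09:00:41"),
]


def run_sample():
    """Feed the constructed traffic through a fresh checker."""
    checker = SequenceChecker()
    statuses = [checker.receive(*message) for message in SAMPLE]
    return statuses, checker


if __name__ == "__main__":
    statuses, checker = run_sample()
    flagged, never_received = checker.exceptions()
    print(statuses)
    print("never received:", never_received)
    for entry in flagged:
        print(entry)
```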

SELF-CHECK 11.4

1. What is a firewall?

2. What are the ways to protect data and/or messages in the event
such data and/or messages fall into the wrong hands?

11.2.4 Electronic Data Interchange (EDI) Controls


Recall that electronic data interchange (EDI) allows direct connection and
communication between trading partners' information systems or indirect
connection via a value-added network (VAN). In the absence of human
intervention, EDI presents unique control issues. Among the control objectives to
achieve when transacting in an EDI environment are as follows:

(a) Transactions are authorised, validated and in accordance with agreements
with trading partners;

(b) No unauthorised organisations have access to database records;

(c) Authorised partners have access only to approved data; and

(d) Controls are in place to provide complete audit trails of transactions.


The following are control issues and how controls should be designed and
applied to achieve the control objectives in the EDI environment.

(a) Transaction Authorisation and Validation
A value-added network (VAN) has the capability to ensure that it is dealing
with valid trading partners by matching user IDs and passwords against a
valid customer and vendor file. Translation software can also validate
trading partners' user IDs and passwords against a validation file in the
database.

It is important to ensure that the valid customer and vendor file is accessible
only to authorised employees. The password file should also be encrypted.

(b) Access Control
A valid vendor and customer file must be established and consistently
updated to prevent unauthorised access. The degree of access that authorised
trading partners are allowed is as specified in the agreement. User
authority tables can be established to specify trading partners' degree of
access as per the agreement.

Periodic reconciliation of the terms in the trading agreement with the trading
partner's access privileges as stated in the database authority table improves
security. Periodically simulating access by a sample of trading partners and
attempting to violate access privileges also helps to further test access security.

(c) EDI Audit Trail
Transaction logs can be used to record transactions at each phase. As a
transaction is received at each stage of the process, an entry is made in the
transaction log. Figure 11.9 illustrates that both customer and supplier have
a transaction log. The customer's transaction log helps to ensure all purchases
initiated are correctly translated and communicated. Meanwhile, the supplier's
transaction log helps to ensure all sales orders are correctly translated and
processed. Selecting a sample of transactions and tracing them through the
process helps to verify that key data values are recorded correctly.


Figure 11.9: EDI with transaction control log for audit trail
Source: Hall (2008)
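The periodic reconciliation and the simulated access tests described under (b) Access Control can be automated. The following is an added example, not taken from the module or from any EDI product; the partner names, record names and table layout are constructed assumptions.

```python
"""Added teaching example: reconcile EDI trading agreements with the
user authority table, then replay simulated access attempts."""

# Constructed data. Each privilege is a (record, operation) pair.
# AGREEMENTS holds what the signed trading agreements allow.
AGREEMENTS = {
    "VENDOR-A": {("inventory", "read"), ("purchase_orders", "read")},
    "CUSTOMER-B": {("price_list", "read"), ("sales_orders", "create")},
}

# AUTHORITY_TABLE holds what the database authority table actually grants.
AUTHORITY_TABLE = {
    "VENDOR-A": {("inventory", "read"), ("purchase_orders", "read"),
                 ("price_list", "update")},
    "CUSTOMER-B": {("price_list", "read")},
    "VENDOR-X": {("inventory", "read")},
}


def reconcile(agreements, authority_table):
    """Compare what each partner was promised with what the table grants."""
    findings = []
    for partner in sorted(set(agreements) | set(authority_table)):
        granted = authority_table.get(partner, set())
        if partner not in agreements:
            # An organisation with database access but no agreement.
            findings.append((partner, "no agreement on file", sorted(granted)))
            continue
        agreed = agreements[partner]
        if granted - agreed:
            findings.append((partner, "access beyond agreement",
                             sorted(granted - agreed)))
        if agreed - granted:
            findings.append((partner, "agreed access not granted",
                             sorted(agreed - granted)))
    return findings


def simulate_access(agreements, authority_table, attempts):
    """Replay test requests; return those the table permits although no
    agreement covers them."""
    violations = []
    for partner, record, operation in attempts:
        privilege = (record, operation)
        permitted = privilege in authority_table.get(partner, set())
        agreed = privilege in agreements.get(partner, set())
        if permitted and not agreed:
            violations.append((partner, record, operation))
    return violations


# Constructed test attempts that deliberately step outside the agreements.
ATTEMPTS = [
    ("VENDOR-A", "price_list", "update"),
    ("VENDOR-A", "sales_orders", "create"),
    ("VENDOR-X", "inventory", "read"),
]

if __name__ == "__main__":
    for finding in reconcile(AGREEMENTS, AUTHORITY_TABLE):
        print(finding)
    print(simulate_access(AGREEMENTS, AUTHORITY_TABLE, ATTEMPTS))
```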

SELF-CHECK 11.5

1. In the absence of human intervention, what are the control measures
to ensure EDI transactions are authorised and valid?

2. What are the control measures to preserve EDI audit trail?

• The Internet and e-business activities have brought about security issues and
concerns. To what extent an organisation relies completely on e-business or
uses e-business as a complement, the e-business strategies adopted, the extent of
the use of e-business, and outsourcing arrangements, if any, all contribute
towards security issues and concerns.
• The operating system is the first line of defence to mitigate security concerns.
Access privileges to the information system, password protection, malicious
and destructive programs, and the system audit trail are areas of concern in
preserving the integrity of the operating system.
• Integrity of the database management system also needs to be preserved, via
access and backup controls.
• Integrity of information communicated, regardless of internal or external
communication, especially in the EDI environment where communication is
devoid of human intervention, also needs to be preserved.

Access control list
Access privileges
Access token
Audit log
Audit trail
Call-back device
Digital certificate
Digital signature
Discretionary access privileges
Encryption
Firewall
Log-on procedure
Message sequence numbering
Message transaction log
Operating system
Passwords
Request-response technique

Hall, J. A. (2008). Accounting information systems (6th ed.). South-Western,
Thomson Corporation.

International Federation of Accountants (IFAC). (2002). International Auditing
Practice Statement 1013: Electronic commerce – Effect on audit of financial
statements. Retrieved from www.paab.co.za/documents/doc_00301.pdf


Topic 12 Risk Assessment and Management
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Define risks and risk management;
2. Explain the role of internal control in risk management;
3. Describe the cost-benefit considerations of risk management; and
4. Identify the role of ethics in risk management.

INTRODUCTION
The Internet and e-business give rise to more opportunities for value creation
and adoption of business strategies that were previously not feasible. However, not
everybody manages to capitalise on such opportunities, as evidenced by the fall
of dot-coms in the early 2000s.

We will discuss risks, especially risks of not being able to capitalise on
opportunities for value creation. We will also discuss how internal control
facilitates risk assessment and management; internal control is essentially part of
risk management. We get to choose how we want to assess and manage risk. The
choice that we make has its pros and cons.

The Internet and e-business help to manage a business better, but not without a
price. The Internet and e-business also bring us concerns and worries, especially
in terms of privacy and security. In this topic, we continue to discuss the security
and control issues attributable to the Internet and e-business.


ACTIVITY 12.1
Do you use Internet banking? Write down all the factors that
encourage as well as discourage you from using Internet banking. Try to
reflect on all the factors you managed to identify.

Now, have you identified more factors that encourage or discourage
you to use Internet banking? Have you become more motivated or
demotivated to use Internet banking?

12.1 RISKS
The future is uncertain due to many unforeseen circumstances. Future events can
have a positive impact, which presents opportunities, as well as a negative impact,
which presents risks. Opportunities help to attain organisational objectives and
support value creation and/or preservation, whereas risks hinder value creation
and may even erode existing values.

12.1.1 Risk Management


As risks are capable of undermining your business and can even cause its
downfall, you need to be prepared for any risk. You need to manage risks rather
than allowing risks to take control. According to the Committee of Sponsoring
Organisations of the Treadway Commission, COSO (2004), risk management is:
(a) An ongoing process that encompasses the entire organisation;
(b) The responsibility of every individual at every level in an organisation;
(c) Relevant in strategy setting;
(d) Relevant across the organisation, at every level and unit, and viewed as a
portfolio;
(e) Designed to identify potential risks and manage risks within the
organisation's risk appetite if risks were to affect the organisation;
(f) Able to provide reasonable assurance to an organisation's management and
board of directors that the organisation is protected from risks; and
(g) Geared towards achievement of organisational objectives.

COSO's views of risks and how to manage risks suggest that anticipating,
assessing and managing risks have become part and parcel of everyday business
activities. Every individual at every level in the organisation is responsible for
anticipating, assessing and managing risks while going through everyday tasks of
operating the business.

As unforeseen circumstances come in many ways and have the potential to affect
any part of the business operations, COSO (2004) provided a risk management
framework to guide businesses on what to focus on in managing risks. Successful
risk management enables you to deal effectively with unforeseen circumstances
where you are able to minimise their negative effects and maximise their positive
effects, if any.

COSO's (2004) enterprise risk management framework specifies the important
aspects of risk management, which are summarised in Figure 12.1. Based on the
framework, risk management is geared towards achieving an organisation's four
categories of objectives:
(a) Strategic: High-level goals that are aligned with the organisation's mission;
(b) Operations: Effective and efficient use of organisational resources;
(c) Reporting: Reliability of reporting; and
(d) Compliance: Compliance with applicable laws and regulations.

Figure 12.1: Enterprise risk management framework


Source: COSO (2004)

Enterprise risk management accommodates business operations at various
levels, from the entity or enterprise level, to the division, business unit and
subsidiary level, depending on how a business organisation is structured.

COSO's (2004) risk management framework consists of eight interrelated
components. Each component can affect achievement of more than one category of
organisational objectives and influence business operations at more than one level
(see Figure 12.2).

Figure 12.2: Eight interrelated components of risk management framework

Now let us look at each component in greater detail.

(a) Internal environment
The internal environment of a business organisation encompasses
management philosophy, risk philosophy, risk appetite (i.e., willingness to
take and accept risks), ethical values, governance mechanism, organisational
design, structure and assignment of authority and responsibility. The internal
environment is also referred to as the control environment. The internal
environment affects the overall orientation and major decisions of the
organisation. Corporate scandals such as Enron and WorldCom stemmed
from a poorly established internal environment to a certain extent.

(b) Objective setting
The internal environment affects objective setting. Risk philosophy and risk
appetite affect objectives set at each of the four categories (i.e., strategic,
operations, reporting and compliance). Objective setting at one category also
affects objective setting at other categories. For instance, a book retailer with a
huge risk appetite sets a strategic objective of diversifying into electronic
devices. This in turn affects the book retailer's operational objectives. The two
product lines – books and electronic devices – require different operational
benchmarks and therefore have different objectives to achieve in terms of
effective and efficient use of resources. The internal environment also affects
risk tolerances (acceptable levels of deviation from objectives).

(c) Event identification
Objectives set at each of the four categories affect event identification (i.e.,
internal and external events that affect achievement of the objectives). Events
bring risks and opportunities. Risks are assessed to determine response
plans. Opportunities are channelled back to objective setting. Returning to
the book retailer example, the book retailer has little knowledge about access
to reliable suppliers of electronic devices and its existing network of trading
partners offers little assistance. The book retailer subsequently realises that the
Internet presents opportunities to expand its customer base and increase sales of
existing product lines. Hence, the book retailer revises its strategic objectives
from diversification into electronic devices to expansion of its customer base via
the Internet.

(d) Risk assessment
Risks from internal and external events are assessed to determine their
likelihood and impact. Likelihood is the possibility of the risks arising.
Returning to the previous example, the likelihood of the book retailer obtaining
its supply of electronic devices from unreliable sources is 70 per cent. Impact is
the negative effect. Examples of the impact of trading with unreliable
suppliers are the purchase of defective goods for sale, and purchase costs that
are too high for the product line to be profitable. Inherent risks exist when no
actions are taken to reduce the likelihood and impact of risks.

(e) Risk response


There are four possible risk responses. First, avoid a risk, as in the example of
the book retailer not diversifying into electronic devices. Second, reduce a
risk by taking actions to reduce its likelihood and/or impact, such as buying
from suppliers who are willing to accept a longer duration for returning
defective electronic devices. Third, share a risk, such as buying insurance.
Finally, accept a risk by taking no action. Residual risk is the remaining risk
after a response is chosen.

(f) Control activities
Control activities are policies and procedures that ensure risk responses are
implemented. Controls constitute risk responses in certain circumstances
(Dull et al., 2012). Controls are meant to reduce risks but can contribute
toward risks when a control mechanism fails to operate as intended.

(g) Information and communication
Relevant information is identified, then captured in the right form and
timeframe to enable individuals to carry out their responsibilities. Effective
communication requires timely information from internal and external
sources shared across every level in a business organisation – facilitated by
horizontal and vertical flow of information – to enable risk management and
decision making. Individuals must understand their duties and
responsibilities, and how their work affects and is affected by other
individuals' work, to enable individuals to appreciate their work and
respond to risks (Dull et al., 2012).

(h) Monitoring
The risk management process has to be evaluated, via management activities,
separate evaluations, or both. Modifications are made to any component of
the risk management process when required. For example, achievement of
strategic objectives is measured in terms of profitability and controls are
reviewed to determine whether a different response or additional actions are
required.


SELF-CHECK 12.1

Imagine that your best friend inherited a business from his relative. It is a
retail business in sports equipment and apparel, with a retail outlet in
Mid Valley Megamall. Your friend has requested your participation
as a business partner and you have agreed.

Try to identify and assess risks associated with the business. Use your
knowledge to identify the circumstances capable of increasing and
decreasing risks for each of the eight components of risk management.
Complete the table below.

Components of Risk Management | Increase in Risks | Decrease in Risks
1. Internal Environment | |
2. Objective Setting | |
3. Event Identification | |
4. Risk Assessment | |
5. Risk Response | |
6. Control Activities | |
7. Information and Communication | |
8. Monitoring | |

12.2 INTERNAL CONTROL


Risk management requires internal control. As internal control is part of risk
management, internal control is also a process that ensures achievement of a
business's four categories of objectives discussed earlier, i.e., strategic, operations,
reporting and compliance. Like risk assessment, internal control is management's
responsibility; its strength is dependent on the people who operate it and is
therefore subject to the competence and ethical values of the people involved.
Furthermore, there are also costs and benefits associated with each internal
control alternative. Internal control cannot provide 100 per cent assurance of the
achievement of organisational objectives. Instead, internal control provides
reasonable assurance.

COSO and Statement on Auditing Standards No. 78 (SAS No. 78) define internal
control as consisting of five interrelated components that constitute a subset of
enterprise risk management components discussed earlier.

(a) Control environment
The control environment sets the tone of a business organisation and is the
foundation that provides discipline and structure for other components of
internal control.

(b) Risk assessment


Identification and analyses of risks that obstruct achievement of objectives
serve as a basis for determining how to respond to risks.

(c) Control activities


Policies and procedures that ensure individuals at various levels of the
organisation carry out management directives.

(d) Information and communication


Exchange of information in the right form and time frame to enable
individuals to carry out responsibilities.

(e) Monitoring
Assessment of internal control performance over time, which serves as a
feedback to determine whether certain components of internal control
require adjustments.

12.2.1 Assessing Internal Control


To assess whether a system of internal control is designed in a manner that
facilitates achievement of objectives and response to risks, a matrix as depicted in
Table 12.1 is useful (Dull, 2012). In the matrix, there are five high-level categories
of objectives to be achieved. Check marks indicate which internal control
processes address each objective.

Table 12.1: Matrix for Assessing Internal Controls

Objectives: Strategy setting; Effectiveness of operations; Efficiency of operations; Reliability of reporting; Compliance with laws and regulations

Processes (with controls):
Process 1 √ √
Process 2 √ √
Process 3 √ √ √
Process n √ √

Source: Dull et al. (2012)

Assessment using a matrix leads to provision of reasonable assurance that each
objective is achieved (e.g., provision of reasonable assurance whether reduction
of production costs by 15 per cent is attainable). Such assessment serves as a
reference for recommendations of necessary changes to any business process
and/or control. Each recommendation of changes is subject to costs and benefits
analyses. Changes can encompass the processes (e.g., purchasing raw materials)
and the controls (e.g., procedures in approving purchase orders). If variance from
an objective cannot be reduced, changes to objectives can be considered (e.g.,
reduction of production costs by 5 per cent instead).

As risk management is relevant across all levels in a business organisation, a
matrix is useful for assessing alignment of internal control with objectives and
goals at any level. For instance, a matrix can be used for goals of specific business
processes such as accelerating cash flow by promptly depositing cash receipts.
Such a matrix is known as a control matrix.

12.2.2 Control Matrix


A control matrix is a tool to evaluate effectiveness of controls in specific business
processes by matching control goals with the relevant control plans. Control
goals are objectives of specific business processes, which the internal control
system is designed to achieve. Table 12.2 provides a summary of the generic
control goals related to operations process and information process.


Table 12.2: Generic Control Goals

Source: Dull et al. (2012)

Control plans are policies and procedures that assist in achieving control goals.
Control plans can be categorised based on their breadth of coverage, as follows.

(a) Control environment


Control environment is at the top of the hierarchy, which affects
effectiveness of all control plans down the hierarchy.

(b) Pervasive control plans
Like the control environment, pervasive control plans cover a broad scope
and apply to several business processes, i.e., they pervade all systems.

(c) General controls
General controls, which are also known as IT general controls, apply to all IT
services activities, e.g., preventing unauthorised access to the computer system
to protect specific business processes such as sales order entry, billing and
cash receipts.

(d) Business process control plans


Business process control plans are applicable to specific business processes
such as sales order processing, billing and cash receipts.

(e) Application controls


Application controls are automated business process controls within
computer programs.

Control plans can also be categorised according to the timing of their occurrence,
which are as follows.
(a) Preventive control plans prevent problems from occurring;
(b) Detective control plans detect problems that occur; and
(c) Corrective control plans correct problems that occur.

Figure 12.3 provides an example of a control matrix that aligns control goals with
the relevant control plans. Control plans that are in place are indicated by a "P",
e.g., "P-1" and "P-2". Control plans that are missing are indicated by an "M", e.g.,
"M-1" and "M-2". You can assess to what extent control goals are aligned with
control plans by evaluating the control plans that are present and missing as
indicated in the control matrix.

Figure 12.3: Control matrix


Source: Gelinas et al. (1999)

SELF-CHECK 12.2

1. What is the relationship between internal control and risk
management?

2. How do you make sure objectives and goals at various levels of
your business are aligned with your internal control system?

12.3 COST-BENEFIT CONSIDERATIONS


For each source of risks you manage to identify, your choice of actions and
responses incurs costs that must be weighed against the corresponding
benefits. Not all the costs and benefits are quantifiable and measurable in
monetary terms. You need to exercise judgment to a certain extent. Figure 12.4
provides an example of costs-and-benefits analyses of four alternative risk
responses with the objective of optimising plant capacity.

A supplier to the automotive industry manufactures aluminum suspension
modules. The supplier is in a "tandem" relationship with an original equipment
manufacturer (OEM), where the vast majority of revenue is generated with the
OEM. This OEM traditionally revises its forecasted demand by an average of
20%, always late in the cycle, creating a high degree of uncertainty for the
supplier's production and scheduling activities. If the OEM were not to
significantly revise demand late in the cycle, the supplier would be able to
increase plant utilisation by increasing its manufacturing of products for other
customers, thereby increasing profitability. The supplier seeks to optimise
scheduling and capacity planning for plant utilisation to achieve 95% average
monthly utilisation.

Management assessed the most significant risk to this objective – that is, the high
level of uncertainty regarding actual demand from the OEM – and assessed costs
and benefits of the following risk responses:
A Accept: Absorb the costs of having to respond to late changes in OEM
demand, and consider the extent to which it can produce and sell
product to other customers within the constraints of the OEM
relationship.
B Avoid: Exit the relationship with the OEM, and establish relationships
with new customers offering more stable demand.
C Share: Negotiate a revision to the current contract, stipulating a "take or
pay" clause to ensure a certain rate of return.
D Reduce: Install a more sophisticated forecasting system, which analyses
external factors (e.g., public information on consumer budgets, OEM
and dealership inventories) and internal factors (historical orders
from various sources) to better project actual demand from all
customers.
The following table compares the costs and benefits of these responses. Costs relate
predominantly to supply chain management, marketing, information technology,
and legal functions. Benefits are expressed using the unit of measure for the
objective – plant utilisation – and the resultant effect on targeted earnings before
interest and taxes (EBIT).

Response A (Accept)
Cost: RM750,000
Description: Marketing/sales efforts required to generate additional customers, and additional transportation costs, RM750,000
Benefits: Management predicts it can sell an additional 2% to other customers, bringing utilisation up to 82%
Effect on EBIT: increase of RM1,250,000

Response B (Avoid)
Cost: RM1,500,000
Description: Unit price drops 2% due to smaller customers paying less than premium price; RM750,000 in increased salary costs for personnel required to identify, win and sustain new customers; RM250,000 in eased outbound logistics costs due to larger number of suppliers; RM500,000 in legal fees to negotiate and finalise new agreements
Benefits: Marketing efforts allow utilisation of 97%
Effect on EBIT: increase of RM1,560,000

Response C (Share)
Cost: RM350,000
Description: Unit price drops 5% due to increased pressure from OEM in response to the "take or pay" nature of relationship; RM250,000 in legal fees to negotiate and revise contract agreement; RM100,000 to improve data sharing, forecasting and planning
Benefits: New contract allows utilisation of 99%
Effect on EBIT: increase of RM100,000

Response D (Reduce)
Cost: RM1,050,000
Description: Average unit price drops 1% due to smaller customers not paying premium price; RM500,000 for purchasing new software; RM50,000 for new software training; RM500,000 for increased forecasting and analysis
Benefits: Improved forecasting provides sufficient time to win alternative customers for a utilisation of 98%
Effect on EBIT: increase of $3,170,000

With this analysis, and considering the likelihood of each alternative and
sustainability of results, management decided on response D.
Figure 12.4: An example of costs-and-benefits analyses
Source: Adapted from Enterprise Risk Management - Integrated Framework:
Application Techniques (COSO, 2004)

Once you have decided on a choice of risk response, you need to make a choice
on control activities in a similar manner, i.e., based on evaluation of costs and
benefits of control alternatives. A control matrix, as discussed in the previous
section, is helpful in making such evaluations. Control activities can support risk
responses. Control activities can also be risk responses in certain circumstances.

As discussed earlier, risk management is an ongoing process. The entire process
of risk management, particularly in terms of how control activities and risk
responses relate to risks, which in turn relate to achievement of objectives, has
to be evaluated to ascertain whether corrective actions are required.

Figure 12.5 provides an example of the evaluation. Control activities and risk
responses are evaluated in terms of reduction in the likelihood and impact of
risks that obstruct achievement of reporting objectives in terms of completeness,
accuracy and validity. Notice that the likelihood of residual risks is lower with
control activities, compared with the likelihood of inherent risks.

Reporting objectives: Asset acquisitions and expenses incurred are entered for
processing completely (C) and accurately (A) and are valid/occurred (V)
Unit of measure: Financial reporting errors detected, measured in RM
Target: Errors in monthly financial statements are less than RM100,000
Tolerance: Errors less than RM110,000

Risk: Vendor invoice amounts are captured incorrectly
Inherent risk assessment: Likelihood: Possible, 50%; Impact: Minor, RM5,000-RM15,000
Residual risk assessment: Likelihood: Almost unlikely, 20%; Impact: Minor, RM2,500-RM7,500

Risk: Vendor invoices are not received prior to the month end cutoff
Inherent risk assessment: Likelihood: Almost certain, 80%; Impact: Moderate, $10,000-$25,000
Residual risk assessment: Likelihood: Possible, 50%; Impact: Minor, RM2,500-RM7,500

Risk: Vendors are paid from statements as well as invoices, resulting in
duplicate payments
Inherent risk assessment: Likelihood: Possible, 50%; Impact: Minor, $5,000-$15,000
Residual risk assessment: Likelihood: Almost unlikely, 20%; Impact: Minor, $5,000-$7,500

Risk responses (all risks): See below for control activities that serve as the
responses to risks

Control activities:
• Asset acquisition and expense transactions are subject to programmed
  edit/validation checks which include:
  - Purchasing data (PO number, amount, etc.) are validated against
    specified files or tables (A);
  - Key fields are tested for blanks, alphas, values within a specified
    range (e.g., purchase amounts), missing data elements (e.g.,
    payment due date), and programmed check digits (e.g., vendor
    number) (A);
  - Reasonableness tests are performed, comparing data input in two
    or more different fields based on specified criteria (e.g., sales tax
    rate is compared with the tax rate) (A);
  - Edit checks compare key amounts with tables to ensure input data
    are within limits established for each user or class of user (e.g.,
    payment amounts are compared with approval limits for electronic
    payment) (A); and
  - Edit checks compare vendor name/number and invoice numbers
    with those on file to ensure valid vendor and to detect duplicate
    payments (V).
• All payment transactions input are matched to the original
  purchase order details before further processing may occur (A)
• Payment amounts, including electronic payment transactions, are
  verified on screen by someone other than the staff member responsible
  for the original payment information (A,V)
• Staff reconcile each batch or series of on-line transactions with
  system edit or processing reports (A,C)
• Exception reports are produced, listing large or unusual items
  (e.g., amounts exceeding $100,000), which are then individually
  compared with input documents (A)
• Exception reports produce a listing of unmatched purchase orders
  open for more than 30 days, which are then followed up (C)
• Changes to user-defined system parameters (e.g., authorisation
  limits) are automatically reported and checked by an independent
  official (A,C,V)
• Overrides of system warnings by the user are automatically
  reported for independent approval (A,C,V)

Figure 12.5: An example of the relationship between objectives,
risks, responses and control activities
Source: Adapted from Enterprise Risk Management -
Integrated Framework: Application Techniques (COSO, 2004)
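
The programmed edit/validation checks listed in Figure 12.5 can be sketched in code. The following Python example is added here and is not part of the module or the COSO material; the vendor file, purchase orders, approval limits, batch rows and function names are all constructed for illustration, and only the $100,000 exception threshold comes from the figure.

```python
from decimal import Decimal, InvalidOperation

FIELDS = ("vendor_no", "invoice_no", "po_no", "amount", "due_date", "user_class")
VENDORS = {"V1001", "V1002"}            # constructed vendor master file
PURCHASE_ORDERS = {"PO-501": ("V1001", Decimal("4200.00")),
                   "PO-502": ("V1002", Decimal("120000.00"))}
APPROVAL_LIMITS = {"clerk": Decimal("5000"), "manager": Decimal("150000")}
LARGE_ITEM = Decimal("100000")          # exception-report threshold in the figure
BATCH = [                               # constructed input rows, in FIELDS order
    ("V1001", "INV-1", "PO-501", "4200.00", "2017-08-31", "clerk"),
    ("V1001", "INV-1", "PO-501", "4200.00", "2017-08-31", "clerk"),  # keyed twice
    ("V1002", "INV-7", "PO-502", "120000.00", "2017-08-31", "manager"),
    ("V1002", "INV-8", "PO-502", "120000.00", "2017-08-31", "clerk"),
    ("V1009", "INV-9", "PO-501", "4200.00", "", "clerk")]

def edit_checks(txn, paid):
    """Return the list of edit-check failures for one payment transaction."""
    errors = ["missing " + f for f in FIELDS if not str(txn.get(f, "")).strip()]
    if errors:                                    # blank or missing key fields
        return errors
    try:
        amount = Decimal(txn["amount"])
    except InvalidOperation:                      # alphas in a numeric field
        return ["amount not numeric"]
    if not amount.is_finite() or amount <= 0:     # value within a valid range
        return ["amount out of range"]
    if txn["vendor_no"] not in VENDORS:           # valid vendor on file
        errors.append("unknown vendor")
    if (txn["vendor_no"], txn["invoice_no"]) in paid:     # duplicate payment
        errors.append("duplicate invoice")
    if PURCHASE_ORDERS.get(txn["po_no"]) != (txn["vendor_no"], amount):
        errors.append("no matching purchase order")      # match to original PO
    if amount > APPROVAL_LIMITS.get(txn["user_class"], 0):   # limit per user class
        errors.append("exceeds approval limit")
    return errors

def process_batch(rows):
    """Return (accepted, rejected, exceptions) for a batch of input rows."""
    paid, accepted, rejected, exceptions = set(), [], [], []
    for txn in (dict(zip(FIELDS, row)) for row in rows):
        errors = edit_checks(txn, paid)
        if errors:
            rejected.append((txn["invoice_no"], errors))
            continue
        paid.add((txn["vendor_no"], txn["invoice_no"]))
        accepted.append(txn["invoice_no"])
        if Decimal(txn["amount"]) > LARGE_ITEM:   # large items are reported, not rejected
            exceptions.append(txn["invoice_no"])
    return accepted, rejected, exceptions
```

Rejected rows carry the reason for follow-up, while the large item is accepted and listed separately so it can be compared individually with its input document.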

SELF-CHECK 12.3

1. Is there any difference between the role of control activities and
the role of risk responses? What are the differences, if any?

2. When residual risks are not any different compared with inherent
risks, in terms of both likelihood and impact of risks, what does that
mean to you?

12.4 ETHICAL ISSUES IN BUSINESS


For each source of risks you manage to identify, your choice of actions and
responses incurs costs that must be weighed against the corresponding
benefits. Not all the costs and benefits are quantifiable and measurable in
monetary terms. You need to exercise judgment to a certain extent. Figure

Risk management becomes increasingly important in line with mounting concerns
about damages attributable to corporate malfeasance and malpractices as
highlighted in the media worldwide, as in the Enron, Arthur Andersen and
WorldCom scandals. Personal wealth accumulation takes precedence at the
expense of survival of business organisations.

How do you decide what is right or wrong to do? Once you have decided what is
right to do, how do you do it? What is right or wrong, ethical and unethical is
subjective and there is no universally agreed upon answer. This is further
complicated by conflict of interests and responsibilities across stakeholders, i.e.,
board of directors, employees, customers, suppliers, shareholders, regulators, etc.

Every major decision has the potential to be harmful and beneficial to various
stakeholders. The quest for a balance between harmful versus beneficial
consequences, which is often easier said than done, is every business organisation's
ethical responsibility (Hall, 2008). The ethical principles that promote
ethical responsibility include the following:

(a) Proportionality: Benefits of a decision should outweigh risks.

(b) Justice: Benefits of a decision should be shared fairly among stakeholders
who also bear the risks.

(c) Minimise risks: Decisions should be implemented in a manner that
minimises all risks and/or avoids unnecessary risks.

Recall that in COSO's (2004) enterprise risk management framework, ethics
constitute an organisation's internal environment, which sets the tone for the
organisation's visions, missions, objectives and overall orientations. An internal
environment characterised by deep-rooted ethical principles may lower
investments in internal controls. By contrast, even the most sophisticated internal
controls break down in the absence of ethics.

12.4.1 Fraud
Fraud is a major ethical issue that causes the downfall of large corporations.
Common law has defined the characteristics of fraud as follows (Hall, 2008).

(a) False representation: There must be a false statement or non-disclosure of a
true statement.

(b) Material fact: There must be a fact that is substantial in inducing someone to
act.

(c) Intent: There must be an intent to deceive or the knowledge that one's
knowledge is false.

(d) Justifiable reliance: The misrepresentation must be substantial, and the
injured party (i.e., victim) must have relied upon it.

(e) Injury or loss: The deception must have caused injury or loss to the victim of
the fraud.

The factors that affect the likelihood of a fraud include the following:

(a) Situational pressures: E.g., a cashier working in Giant hypermarket is
pressured by high personal debt.

(b) Opportunities: E.g., Giant resorts to manual procedures at check-out counters
for a day due to computer system failures.

(c) Personal characteristics: E.g., the cashier does not feel guilty if Giant were to
lose some cash due to the belief that Giant is resource-rich.

Large public accounting firms, especially the Big Four, have checklists to help
uncover fraudulent activities. Business organisations can also make use of such
checklists as part of risk assessment to determine possible risk responses that can
reduce inherent risks of fraud, by minimising the likelihood and impact of fraud.
Example questions in such checklists are as follows.

(a) Do key personnel have unusually high personal debt?
(b) Do key personnel appear to be living beyond their means?
(c) Do key personnel engage in habitual gambling?
(d) Do key personnel appear to abuse alcohol or drugs?
(e) Do key personnel appear to lack personal codes of ethics?
(f) Are economic conditions unfavourable to the business industry?
(g) Does the business use several banks, with several bank accounts, none of
which provides a complete financial picture of the business?
(h) Do key personnel have close association with suppliers?
(i) Is the business experiencing rapid turnover among key personnel, through
resignation and/or termination?
(j) Do one or few personnel dominate the business?

SELF-CHECK 12.4
1. What is ethics?
2. What are the ethical principles that promote ethical responsibility?
3. What is fraud?
4. How do you reduce the inherent risks of fraud in your business
organisation?

• As risks have a negative effect on value creation and objective achievement,
  this topic covers the importance of managing risks at every level from
  strategic to operational level of a business organisation, while managing
  day-to-day business activities.
• Internal control assists in risk management at every level in a business
  organisation. Internal control systems need to be aligned with objectives and
  goals at various levels in an organisation to facilitate risk management.

• Even though risk management minimises obstructions to value creation and
  objective achievement, choices made throughout the risk management
  process (i.e., risk responses, control activities, etc.) have to be carefully
  considered in terms of their respective costs and benefits.
• Ethics is a key determinant of success in risk management. Even the most
  well-designed risk management process and internal control system crumble
  in the absence of ethics.

Control goals
Control matrix
Control plans
Ethical principles
Ethics
Fraud
Impact of risk
Inherent risk
Internal control
Likelihood of risk
Residual risk
Risk management
Risk responses

Committee of Sponsoring Organisations of the Treadway Commission (COSO).
(2004). Enterprise risk management - Integrated framework. Executive
summary. Retrieved from www.aicpa.org
Dull, R. B., Gelinas, Jr, U. J., & Wheeler, P. R. (2012). Accounting information
systems: Foundations in enterprise risk management (9th ed.). Mason, OH:
South-Western, Thomson Corporation.
Gelinas, Jr, U. J., Sutton, S. G., & Oram, A. E. (1999). Accounting information
systems (4th ed.). Mason, OH: South-Western, Thomson Corporation.
Hall, J. A. (2008). Accounting information systems (6th ed.). Mason, OH:
South-Western, Thomson Corporation.

MODULE FEEDBACK

If you have any comment or feedback, you are welcome to:

1. E-mail your comment or feedback to modulefeedback@oum.edu.my

OR

2. Fill in the Print Module online evaluation form available on myINSPIRE.

Thank you.

Centre for Instructional Design and Technology
(Pusat Reka Bentuk Pengajaran dan Teknologi)
Tel No.: 03-27732578
Fax No.: 03-26978702