Sharing Notes 123

INFORMATION TECHNOLOGY 200910

2009-12-17T19:27:00.000-08:00

..Jasmeet Chap 01 Intro To Computers

2009-12-17T17:51:00.000-08:00

View more presentations from sharing notes123.

Jasmeet Chap 01 Intro To Computers - Presentation Transcript

CHAPTER 1
INTRODUCTION TO COMPUTERS
By : Jasmeet Khosa
What is a computer ?
How is computer defined ?
Electronic device operating under the control of instructions stored in its own memory
Accepts Data
Processes Data into Information
Produces and stores results
What is a computer ?
What is the information processing cycle ?
Input
Process
Output
Storage
Communication
The components of a computer ?
What is an input device ?
Hardware used to enter data and instructions.
What is and output device ?
Hardware that conveys information to one or more people.
What is a system Unit ?
Case containing electronic components used to process data.
The components of a computer ?
What are the two main components on the motherboard ?
Central Processing Unit (CPU)
* Also called as processor.
Memory
The components of a computer ?
What is storage?
Holds Data, instructions and information for future use.
The two components of storage are:
Storage Media
Storage Device
The components of a computer ?
Examples of storage media are:
Portable, thin memory cards
USB flash drive
Floppy Disk
Compact Disk
(CD)
Hard Disk
The components of a computer ?
What is a communications device ?
Hardware components that enables a computer to send and receive Data, instructions, and information.
Occurs over cables, telephone lines, cellular radio network, Satellites, and others transmission media.
ADVANTAGES AND DISADVANTAGES OF USING COMPUTERS ?
What is the advantages of using computers ?
Reliability
Speed
Communications
Consistency
Storage
ADVANTAGES AND DISADVANTAGES OF USING COMPUTERS ?
What is the disadvantages of using computers ?
Violation of privacy
Impact on Labor Force
Health Risks
Impact on Environment
Network and the internet ?
What is a network ?
Collection of computers and devices connected together.
Communications Device
Transmission Media
Enable a connection between computers
Cables
Satellites
Telephone lines
Cellular radio
One type is a modem
Network and the internet ?
To save time and money
What are the reasons to internet ?
To share
Resources
Information
Hardware devices
Data
Software programs
Network and the internet ?
Why do users access the internet ?
Communication
Information
Shopping
Banking and investing
Classes
Entertainment
COMPUTER SOFTWARE?
What is a software ?
Consists of a series of instructions that tells the computer what to do
Also called a program
COMPUTER SOFTWARE?
What is system software ?
Programs that control or maintain the operations of the computer and its devices.
What is application software ?
Programs that performs that perform specific tasks for users.
What is a programmers ?
Someone who develops applications or system software.
Categories of computers ?
What are the categories of computers ?
Microcomputers
Mobile computers and mobile devices
Midrange Servers
Mainframes
Supercomputers
Embedded Computers
Categories of computers ?
What are the categories of computers ?
Under microcomputers there are :
Desktop
Laptop
Tablet Pc
Palm PC
PDA
Net book
SERVERS?
What types of servers are there ?
Midrange server
Powerful, large computer that supports up to a few thousand computer.
Mainframe server
Very powerful, expensive computer that supports thousands of computers.
Supercomputer
-The faster, most powerful, most expensive computer. Used for application requiring complex mathematical calculations.
Elements of an information system ?
What are the information system elements ?
Data
Hardware
Software
Procedures
People
Computer applications in society ?
Education
Finance
Government
Healthcare
Science
Publishing
Travel
Industry
Question ?
1) Give me few example of who needs and uses a power computer?
Question ?
Engineers
Scientists
Architects
Desktop publishers
Graphic artists
Question ?
2) What are the few functions of a PDA ?
Question ?
Calendar
Appointment book
Address book
Calculator
Notepad

..Bliana Chap 02 Internet

2009-12-17T17:41:00.000-08:00

Bliana Chap 02 Internet

View more presentations from sharing notes123.

Bliana Chap 02 Internet - Presentation Transcript

Chapter 2: The Internet and World Wide Web
Prepared by:Bliana Muhammad Halime
Started by Pentagon’s Advanced Research Program Agency(ARPA) by US Department of Defense.
It allowed scientist to share information at different locations and projects to function even if part of network is disabled.
Original ARPANET consist 4 computers in 4 universities that served as a host on the network.
Evolution of Internet
National Science Foundation (NSF) uses it huge network of 5 supercomputers to connect (NSFNET) with ARPANET. Known as Internet.
The World Wide Web Consortium (W3C) sets standards and guidelines in contributing to the growth of the web.
NSFNET is replaced by companies that provide networks to handle internet traffic.
Internet 2- develop and test advanced network that will benefit internet users in short term future.
Cable Internet Service
DSL ( Digital Service Line)
Fiber to the Premises
Fixed wireless
Cellular radio network
Wi-Fi
Satellite internet service
Connecting to the Internet
Differences betw dial up and broadband internet connections.
Dial-up
Broadband
Requires modem that is connected to computers and land line
Connects to internet via phone line
Slower speed technology
Access through cable television network, regular telephone lines and fiber optic cable.
Does not requires modem for every computers( a modem acts as ports and hotspot).
Connects to internet via radio signal and satellite signals.
High speed technology
Access through wireless ports, router etc.
Access Providers
Internet Service Provider
Online Service Provider
Is a regional or national service provider.
Regional- provides access to a specific geographic area.
National- provides access to cities and towns nationwide.
For dial up access- some offers both local and toll free telephone numbers.
Has members only features. E.g. AOL and MSN.
Provides gateway functionality to Internet.
Provides free access to Internet
Uniquely identifies computer that are connected to the internet.
Relies on IP add to identifies and send data to specific locations.
Internet Protocol Address- consist of four different group of numbers, each separated by a period.
E.g 72.14.207.99 or www.google.com
Domain name is text version of IP add.
Purpose of an IP address and domain name.
Web Browser- application software that allows users to access and view Web pages.
Components of web address
-link(hyperlink) built in connection to web
page.
-URL (Uniform Resource Locator) or web
address.
Purpose of a web browser and the components of a web address.
Enter a word or phrase.
The results is called searched query.
Each word is known as keywords.
The search engine displays the number of hits. (in a form of a list)
Subject directory classifies the topics that u searched.
By clicking at it, it will link you to the web page.
How do u use a search engine?
Portal
Blog
Wiki
Online social network
Web application.
What are the types of websites?

..Adeyinka Chap 03 Application Software

2009-12-17T17:31:00.000-08:00

Adeyinka Chap 03 Application Software

View more presentations from sharing notes123.

Adeyinka Chap 03 Application Software - Presentation Transcript

APPLICATION SOFTWARE
APPLICATION SOFTWARE – this is a program designed to make user more productive, and/or assist them with personal task. application software help to create letters, memos, and reports etc.
THE USES OF APPLICATION SOFTWARE
(1) to make business activities more efficient
(2) to assist with graphic and multimedia project
(3) to support home personal and educational tasks
(4)to facilitate communication
Categories of application software
APPLICATION SOFTWARE CAN BE CATIGORISE INTO FOUR GROUPS
(1) BUSINESS APLICATION SOFTWARE --- this is an application software that assist people in becoming more effective and efficient when performing their day to day activities.eg accounting software,personal information, and the document management
(2)GRAPIC AND MULTIMEDIA SOFTWARE – this are sophisticated software that allow them to work with graphic and multimedia .this software include desktop publishing printing image ,editing photo editing video etc
(3)HOME PERSONAL EDUCATION -- this software provide valuable and through information for all individual popular reference soft ware including encyclopedias dictionaries health media guide
(4) COMMUNICATION SOFTWARE this is a software that transmit information from the encoder which is the sender to the decoder which is the reliever
CHAPTER THREE PRESENTATION BY OMOSUWA .ADEYINKA .O
TYPES OF APPLICATION SOFTWARE
Date base software - this is a structural collection of data it help the user to store retrieve from data base
Word processing software –it enable user to credit and edit document e.g. ms word word pad note pad
Spread sheet software - this software allows users to perform calculation
Presentation software –this is used to display information in form of slide show
MULTIMEDIA SOFTWARE – this allows users to create and play audio video e.g. real and media player
THE ROLE OF SYSTEM SOFT WARE
system software serve as an interface between the user application software and the computer hardware, the user does not communicate directly to the hardware e.g. when the user instruct the application soft ware to print a document, the application send the print instruction to the system software which in turn send the print instruction to the hard ware.
WORKING WITH APPLICATION SOFTWARE
To work or use the application software ,you must instruct the operating system to start the program e.g. you click the all program command and on the start menu then all programs listed is displayed on the start menu. then click the program name on the menu the action instruct the operating system to start the programs, instruction load from a storage menu e.g. when you click print the accessories lead window loads the print program instruction from the computer hard ware disc into the memory.
QUESTION What are the types of application software ?

..Pramilah Chap 04 System Unit

2009-12-17T17:21:00.000-08:00

Pramilah Chap 04 System Unit

View more presentations from sharing notes123.

Pramilah Chap 04 System Unit - Presentation Transcript

Chapter 4: The Components of the System Unit
By Pramiladevi
What is the system unit?
Case that contain the motherboard, the flat board within the personal computer housing that holds the chips and circuitry that organize the computers activities.
Sometimes called chassis, is made of metal or plastic and protects the internal electronic components from damage.
The electronic components and circuitry of the system unit, such as the processor and memory, usually are part of or are connected to a circuit board called the motherboard.
What is the motherboard?
Sometimes called a system board, is the main circuit board of the system unit.
The motherboard contains several bus lines, or buses, sets of parallel electrical paths that transport electrical signals. The system bus transfers data between CPU and memory. Bus width and speed affect system performance.
Some expansion buses connect to expansion slots on the motherboard and can receive expansion boards (also called interface cards or adapter cards) that enable you to connect various peripheral devices to the computer.
A serial port enables data to be transmitted one bit at a time, while a parallel port transmit a group of bits at a time.
What is the Central Processing Unit (CPU)?
A CPU, or processor, on a chip is a microprocessor.
A microprocessor maybe called a logic chip when it is used to control specialized devices.
A microprocessor contains tiny transistors, electronic switches that may or may not allow current to pass through, representing a 1 or 0 bit, respectively.
The more functions that are combined on a microprocessor, the faster the computer runs, the cheaper it is to make, and the more reliable it is.
The 2 parts of the CPU are the control unit and the arithmetic logic unit, both working together as a team to process the computer’s command.
What is the machine cycle?
Four operation of CPU comprise a machine cycle
Step 1. FETCH
obtain program
instruction
or data item from memory
memory
Step 4. STORE
Write result to
memory
Processor
Step 2.DECODE
Translate instruction
Into commands
Control unit
ALU
Step 3.EXECUTE
Carry out command
What is memory?
Electronic components that store instruction, data, and result.
Consist of one or more chips on motherboard or other circuit board.
Each byte stored in unique location called an address, similar to seats in a concert hall.
What is Random Access Memory(RAM)?
Keeps the instruction and data for whatever programs you are using at the moment.
Divided into two types: static RAM(SRAM),which is faster, and dynamic RAM(DRAM), which is slower and much less expensive, SDRAM and RDRAM are faster and more expensive types of DRAM.

..Uthaya Chap 05 Input

2009-12-17T17:11:00.000-08:00

Uthaya Chap 05 Input

View more presentations from sharing notes123.

Uthaya Chap 05 Input - Presentation Transcript

What Is Input?
Input is any data or instruction entered into the memory of a computer.
By:UthAyA
Difference Among a Program, a Command, and a User Response
*Program is a series of related instructions that tells a computer what tasks to perform and how to perform them.
*Command is an instructions that causes a program to perform a specific action.
*User Response replying to a question displayed by a program to perform certain actions.
->Keyboard is an input that contains keys users press to enter data and instructions into a computer.->Most keyboard also have function keys programmed to issues commands ; toggle keys that switch between two states when press; and keys used to move the insertion point, or cursor , on the screen.
-> Input Device is any hardware component that allows users to enter data and instructions(program, command, and user response)
Mouse is a pointing device that fits under the palm of your hand.
Optical mouse -> emit and sense light to detect the mouse’s movement.
Laser mouse -> uses a laser and is more expensive than an optical mouse.
Air mouse -> allows you to control objects, media players, and slide shows by moving
the mouse in predetermined directions through the air.
Wireless/Cordless mouse -> transmit data using wireless technology.
Touch screen is a touch-sensitive display device.Touch screen that recognize multiple points of contact at the same time are known as multi-touch.
*(Kiosk is a freestanding computer that usually includes a touch screen)
*(Microsoft Surface is a 30-inch tabletop display that allows one or more people to
interact with screen)
Touch-sensitive pad is an input device thatenable users to scroll through.
Various Types Of Pen Input and Other Types of Input for Smart Phone.
*Pen input is stylus or digital pen that u touch on a flat surface, such as a screen on a
monitor, mobile device and a signature capture pad.
*Stylus is a small metal or plastic device that looks like a tiny ink pen but uses
pressure instead of ink.
*Digital pen is features electronic erasers and programmable buttons.
*Handwriting recognition software is a program that translate handwritten letters
and symbols into characters a computer or mobile device can process.
*Signature capture pad captures signatures written with a stylus or pen attached to a device.
*Gamepad controls the movement and actions and object.
*Joystick is a handheld vertical lever that you move to control a simulated vehicle player.
*Wheel is a steering-wheel-type device that you turn to stimulate driving a vehicle.
*Light gun is used to shoot targets as you pull the trigger on the weapon.
*Dance pad is an electronic device, divided into panels, that users press with their feet.
*Motion sensing game controllers such as Wii Remote guide on screen elements by moving a handheld input device in predetermined direction through the air.
How Does Resolution Affect the Quality of a Picture Captured on a Digital Camera?
*Resolution is the number of horizontal and vertical pixels in a display device.
*higher the resolution the better the picture quality.
How Are Voice Recognition, Web Cams, and Video Conferencing Used?
*Voice recognition also called speech recognition is the
computer ‘s capability of distinguishing spoken words.
*Web cam enable users to capture video and still image
and then send or broadcast over the internet.
*Video conference enable two or more users to transmit audio and video data.
Scanner or optic scanner is a light sensing input device that reads printed text and graphic and translate the results into a form the computer can process.
Examples:
*Flatbed scanner
*Optical reader
*Optical character recognition(OCR)
*Optical mark recognition(OMR)
*bar code reader/bar code scanner
*Radio frequency identification(RFID)
*magnetic stripe card reader
*magnetic ink character recognition(MICR)
What Are Various Biometric Devices?
*Biometric device translate a personal characteristic into digital
code that is compared with a digital code stored in the
computer to identify an individual.
Devices:
*fingerprint reader
*face recognition system
*hand geometry system
*voice verification system
*signature verification system
*retinal scanner

..Mahendran Chap 06 Output

2009-12-17T17:01:00.000-08:00

Mahendran Chap 06 Output

View more presentations from sharing notes123.

Mahendran Chap 06 Output - Presentation Transcript

OUTPUT
processed into useful form
4 Types of Output:
Text
Graphics
Audio
Video
Devices – Hardware component that conveys
information to one or more people
Display Devices
Output display that visually conveys text, graphics, and video information
2 Types of Display Devices
Flat-panel Displays
( LCD Monitors[uses a liquid crystal display to produce images])
( LCD Screens[produce colour using either active –matrix or passive matrix technology])
( Plasma Monitors[display device that uses gas plasma technology ,which sandwiches a layer of gas between two glass plates)
* LCD Technology-uses a liquids compound to present information on a device.
*LCD Quality-depends primarily on its resolution ,response time,brightness,dot pitch ,and contrast ratio.
CRT Monitors
Speaker, Headphones and Ear buds
Audio output device is a component of a computer that produces music, speech, and sounds.
Printer
Output device that produces text and graphics on a physical medium such as paper
3 Type of Printer
Nonimpact Printers
(forms characters and graphics on a piece of paper without actually striking the paper)
Ink-Jet Printers
(forms characters and graphics by spraying tiny drops of liquid ink onto a piece of paper )
Photo Printers
(a colour printer that produces photo-lab-quality pictures)
Printer ( cont )
Laser Printers
(a high speed ,high –quality nonimpact printer that operates in a manner similar to a copy machine,creating images using a laser beam and powdered ink,called toner
Thermal Printer
(generates images by pushing electrically heated pins against heat-sensitive paper)
Mobile Printer
(allows a mobile user to print from a notebook computer or other mobile device)
Printer ( cont )
Label and Postage Printers
(prints on an adhesive –type material that can be placed on a variety of items )
Plotters and Large-Format Printers
(sophisticated printers used to produce high-quality drawing )
Impact Printers
(forms characters and graphics on a piece of paper by striking a mechanism against an linked ribbon that physically contacts the paper)
Other Output Devices
Data Projectors text and images displaying on a
(device that takes the computer screen and projects them onto a larger screen so that an audience can see the image clearly)
Interactive Whiteboards
(a touch –sensitive device)
Force-Feedback Game Controllers and Tactile Output

..Faizan Chap 07 Storage

2009-12-17T16:51:00.000-08:00

Faizan Chap 07 Storage

View more presentations from sharing notes123.

Faizan Chap 07 Storage - Presentation Transcript

STORAGE CHAPTER 7 by Faizan Tariq
kilobyte (KB) 1 thousand Megabyte (MB) 1 million Gigabyte (GB) 1 billion Terabyte (TB) 1 trillion Petabyte (PB) 1 quadrillion STORAGE
What is Storage?
holds data, instructions, and information for future use
storage medium is physical material used for storage
What is Capacity?
number of bytes (characters) a storage medium can hold
What is a storage device?
Hardware that records and retrieves items from storage media
Reading : Process of transferring items from storage media to memory
Functions as source of input
Writing : Process of transferring items from memory to storage media
creates output
STORAGE
STORAGE
What are tracks and sectors?
Tracks is narrow recording band that forms full circle disk
Sectors stores up to 512 bytes of data
What is a floppy disk ?
Portable , inexpensive storage medium (also called as diskette)
Magnetic disks
What is a floppy disk drive ?
Device that reads from and writes to floppy disk
Also called secondary storage
Floppy disk drive built into a desktop computer
External floppy disk drive attaches a computer with a cable
Magnetic disks
How do you compute a disk's storage capacity?
Multiply number of sides, number of tracks, number of sectors per track, and number of bytes per sector
For high density disk 2 sides x 80 tracks x 18 sectors per track x 512 bytes per sector = 1,474,560 bytes
Characteristics of a 3.5 inch High density Floppy disk
Capacity: 1.44 MB Slides: 2 Tracks: 80 Sector per track: 18 Bytes per second: 512 Sector per disk: 2880
Magnetic disks
What is a Zip disk ?
Magnetic medium that stores 100 MB to 750 MB of data
Used to back up and to transfer files
: backup is duplicate of files, program, or disk in
case of original is lost.
Zip disk requires a Zip drive high capacity drive that reads
and writes on a Zip disk
What is a hard disk ?
High capacity storage
Consist of several inflexible, circular platters that stores items electronically
Components enclosed in alright, sealed case for protection
Advertised capacity 120GB Platters 3 Read/write heads 6 Cylinders 16,383 Bytes per seconds 512 Sectors per track 63 Sectors per drive 234,441,648 Revolution per minute 7,200 Transfer rate 133MB per second Access time 8.9 ms Magnetic disks
What are characteristics of a hard disk?
Simple hard drive characteristics
What is a cylinder ?
Vertical section of track through all platters , single movement of read/write head
arms access all platters in cylinder
Magnetic disks
How does a hard disk work ?
Step 1 : circuit board controls movement of head actuator and a small motor.
Step 2 : small motor spins platter while computer is running.
Step 3 : when software request a disk access, read/write heads determine current or new location of data.
Step 4 : head actuator positions read/write arms over correct location on platters to read or write data.
What is a head crash ?
Occurs when read/write head touches platter surface
Spinning creates cushion of air that floats read/write above platter
Clearance between head and platter is approximately two- millionths of an inch
A smoke particle, dust particle, or human hair could render drive unusable
Magnetic disks
What is a miniature hard disk ?
Provide users with greater storage capacities than flash memory
Some have a form factor of less than 1 inch
Storage capacities range from 2 GB to 100 GB
What is online storage ?
Service on web that provides storage for minimum monthly fee
Files can be accessed from any computer with web access
Large file can be downloaded instantly
Others can be authorized to access your data
Magnetic disks
What are external hard disk and removable hard disk ?
Used to back up or transfer files
External hard disk : freestanding hard disk that connects to system unit
Removable hard disk : hard disk that you insert and remove from hard drive
What are optical discs ?
Flat, round, portable metal discs made of metal, plastic, and lacquer
Can be read only or read/write
Most PCs include an optical disc drive
What is a CD-ROM ?
Compact disc read- only memory
Cannot erase or modify contents
Typically holds 650 MB to 1 GB
Commonly used to distribute multimedia and complex software
Optical disks
What is a DVD-ROM (digital versatile disc-ROM or digital video disc-ROM)?
Highly capacity disc capable of storing 4.7 GB to 17 GB
Must have DVD –ROM drive or DVD player to read DVD -ROM
Stores databases, music, complex software, and movies
How does a laser read data on an optical disc ?
Step 1 . laser diode shines a light beam toward disc
Step 2 . if light strikes a it scatters, if a light strikes a land, it strike a land , it is reflected back towards diode.
Step 3 . reflected light is deflected to a light-sensing diode, which send digital signals of 1 to computer. Absence of reflected light is read as digital signal of 0.
Optical disks
How should you take care of an optical disc ?
Do not expose the disc to excessive heat or sunlight
Do not smoke ,eat or drink near a disc
Do not stack disc
Do not touch the underside of the disc
Do store the disc in a jewel box when not in use
Do hold the disc by its edges
What are CD-Rs and CD- RWs?
CD-R (compact disc – recordable) disc you can write once
Must have CD recorder or CD-R drive
Cannot erase discs contents
CD-RW (compact disc- rewriteable) erasable disc you can write on multiple times
Must have CD-RW software and CD-RW drive
Tape
What is tape?
Magnetically coated plastic ribbon capable of storing large amounts of data at low cost
Primarily used for backup
How is data stored on a tape ?
Sequential access
Reads and write data consecutively like a music tape
Unlike direct access – used on floppy, zip disks , hard disks, CDs and DVDs – which can locate particular item immediately

..Amr Chap 08 Operating Systems & Utility Programs

2009-12-17T16:41:00.000-08:00

Amr Chap 08 Operating Systems & Utility Programs

View more presentations from sharing notes123.

Amr Chap 08 Operating Systems & Utility Programs - Presentation Transcript

Operating Systems & Utility ProgramsChapter 8
By Amr Aborig.
What is System Software?
System software consists of the programs that control or maintain the operations of the computer and its devices.
Two types of system software .
Operating systems
Utility programs.
An operating system (OS)is a set of programs containing instructions that work together to coordinate all the activities among computer hardware resources .
Operating systems
Operating systems are divided in to three basic categories :
1.Stand-alone OS: is a complete operating system that works on a desktop computer ,notebook computer, or mobile computing device.
Names of Stand-alone operating systems: DOS /Early Windows Versions (Windows 3.x,Windows 95, Windows NT Workstation, Windows 98, Windows 2000 professional, Windows Millennium Edition, Windows XP)/Windows Vista/ Mac OS X/UNIX/Linux.
2.Server OS: is an operating system that is designed specifically to support a network.
Names of Server operating systems: Early Windows server versions(Windows NT Server, Windows 2000 server, Windows Server 2003)//Windows Server 2008 /UNIX /Linux /Solaris/ Netware.
-Embedded OS :The operating system on mobile devices and many consumer electronics.
-Names of embedded OS :Windows Embedded CE/Windows Mobile/ Palm OS / i Phones OS /BlackBerry/ Embedded Linux /Symbian OS.
~The Boot Process~
-Is the process of starting or restarting a computer is called booting.
-When turning on a computer that has been powered off completely, you are performing a cold boot. A warm boot is the process of using the operating system to restart a computer.
-Steps of the boot process:-
1-The power supply sends a signal to the components in the system unit.
2-The processor finds the ROM chips(s) that contains the BIOS (basic input/output system.
3-The BIOS performs the POST (power on self test) ,which checks components ,such as the mouse , keyboard &adapter cards.
4-The results of the POST are compared with data in a CMOS (Complementary metal-oxide semiconductor) chip.
5-The BIOS may look for the system files on a USB flash drive or on an optical disc drive or may look directly on drive C (hard disk).
6-The system files and the kernel of the operating system load into memory (RAM) from storage (i.e., hard disk).
7-The operating system loads configuration information , may request user information , starts several background processes , and displays the desktop on the screen
Functions of operating systems
-Starting and shutting down a computer (cold or warm boot).
-Providing a user interface.
-Managing computers & Memory.
-coordinating Tasks.
-Configuring Devices.
-Establishing an Internet connection.
-Monitoring Performance.
-Providing file management & other utilities.
-And automatically updating itself &certain utility programs.
-Control a network & administer security.
What is a utility program?
A utility program , also called a utility, is a type of software that allows a user to perform maintenance- type tasks ,usually related to managing a computer , its devices or its programs.
Functions of utility programs
Managing/searching for files.
Viewing images
Uninstalling programs
Cleaning up/Defragmenting disks
Backing up files & disks
Setting up screen savers
Securing a computer from unauthorized eccess
Protecting against viruses/removing spyware & adware
Filtering Internet content
Compressing files
Playing media Files/Burning optical discs.
& Maintaining a personal computer.
Q?
1-What is system software? Name the types of system software.
2-What does POST ,BIOS & CMOS stand for and name their functions?

..Dennis Chap 09 Data Communication

2009-12-17T16:31:00.000-08:00

Dennis Chap 09 Data Communication

View more presentations from sharing notes123.

Dennis Chap 09 Data Communication - Presentation Transcript

By:
Amanta Dennis Saputra
(Diploma in Marketing)
Process in which two or more devices transfer data, instruction, and information.
Wireless Messaging Services
Wireless Internet Access Point
Cybercafés
Global Positioning System
Groupware
Voicemail
Collaboration
Web Service

Is a collections of computers and devices connected together via communications devices and transmission media.
Facilitating communications
Sharing Hardware
Sharing Data and Information
Sharing Software
Transferring Funds
LAN ( is a network that connects computers and devices in a limited geographical area, such as home, office building, etc)
WLAN ( is a LAN that uses no physical wires)
MAN (is a High-speed network that connects local area network in a metropolitan area, such as city or town)
WAN (is a network covers a large geographical area, such as a city, a country, or the world)

Dial-Up Lines (temporary connection that uses one or more analog telephone lines for communications)
Dedicated Lines (type of always-on connections that is established between two communications devices)
ISDN Lines (faster than Dial-Up)
DSL (fast speeds on existing standard copper telephone wiring)
FTTP ( uses fiber-optic to provide extremely high-speed Internet access to users physical permanent locations)
ATM (a service that carries voice, data, video, and multimedia at very high speeds)

Dial-up Modems (communications device that can convert digital signals to analog and analog signals to digital signals)
Digital Modems (communications device that sends and receives data and information to and from a digital line)
Wireless Modems
Network Cars (communications device that enables a computer or device that doesn’t have built-in networking capability to access a network)
Wireless access point (central communications device that allows computer and devices to transfer data wirelessly)
Routers (communications devices that connects multiple computers or other routers together and transmits data to its correct destination on a network)
Connect to the Internet at the same time
Share a single high-speed Internet connection
Access files and programs on the other computers in the house
Share peripherals such as a printer, scanner, external hard disk
Play multiplayer game with players on others computer in the house
Connect game consoles to the Internet
Ethernet (network standard that specifies no central computer or device on the network should control when data can be transmitted)
Power line Cable Network (network that uses the same lines that bring electricity into the house)
Phone line Network (an easy-to-install and inexpensive network that uses existing telephone lines in the home)

1. What is communication in computer ??
2. What is communication device ??

..Gevita Chap 10 Database Management

2009-12-17T16:21:00.000-08:00

Gevita Chap 10 Database Management

View more presentations from sharing notes123.

Gevita Chap 10 Database Management - Presentation Transcript

CHAPTER 10 DATABASE MANAGEMENT PRESENTED BY GEVITA
DATABASE,DATA& INFORMATION
7 type data
- Data integrity
- Quality Of valuable information
- Hierarchy of data
- Characters
- Fields
- Records
- Files
MAINTAINING DATA
Adding Records
Modifying Records
Deleting Records
Validating Data
FILE PROCESSING VERSUS DATABASES File processing system Data Redundancy Isolated data The database Approach Disadvantages of database Many programs and users share the data in the database.
Can be more complex than a file processing system.
Store a lot in single file.
DATABASE MANAGEMENT SYSTEM
4 TYPE OF DATABASE
1. File Retrieval & Maintenance
2. Query Language
3. Data Security
4. Backup & Recovery
Relational, Object Oriented & Multidimensional databases
1. Relational
- Stores data in tables
2. Object- Oriented Database
- store data in object
3. Multidimensional
- store data dimensions
Web Database & Types
CHAPTER REVIEW -Database, Data and information -Maintaining Data -File Processing versus Databases -Database Management System -Relational, Object Oriented & Multidimensional - Web Database
What is the examples of application for an object-oriented database?
2. What is the 2 major weaknesses of file processing system?
1. A multimedia database, a groupware database, a computer –aided design, a hypertext database. 2. Data redundancy and isolated data THANK YOU!

..Chen-special-topic-01-Multimedia

2009-12-17T16:11:00.000-08:00

Chen-special-topic-01-Multimedia

View more presentations from sharing notes123.

Chen-special-topic-01-Multimedia - Presentation Transcript

Multimedia
Multimedia is media and content that uses a combination of different content forms. The term can be used as a noun (a medium with multiple content forms) or as an adjective describing a medium as having multiple content forms. The term is used in contrast to media which only use traditional forms of printed or hand-produced material. Multimedia includes a combination of text, audio, still images, animation, video, and interactivity content forms.
Multimedia is usually recorded and played, displayed or accessed by information content processing devices, such as computerized and electronic devices, but can also be part of a live performance. Multimedia (as an adjective) also describes electronic media devices used to store and experience multimedia content. Multimedia is distinguished from mixed media in fine art; by including audio, for example, it has a broader scope. The term "rich media" is synonymous for interactive multimedia. Hypermedia can be considered one particular multimedia application.
What are some popular graphics and multimedia software products?
Graphics and Multimedia Software
Next
p. 151 Fig. 3-19
Graphics and Multimedia Software
Next
What is computer-aided design (CAD)?
Sophisticated application software that allows you to create engineering, architectural, and scientific designs
p. 151 Fig. 3-20
Graphics and Multimedia Software
Next
What is desktop publishing software?
Enables you to design and produce sophisticated documents that contain text, graphics, and many colors
p. 152 Fig. 3-21
Graphics and Multimedia Software
Next
What is paint/image editing software?
Used to create and modify graphical images
Sometimes called illustration software
p. 152 Fig. 3-22
Graphics and Multimedia Software
Next
What is professional photo editing software?
Allows users to customize digital photographs
Save images in a variety of file formats
p. 152 - 153 Fig. 3-23
Graphics and Multimedia Software
Next
What is video and audio editing software?
Video editing software allows you to modify a segment of a video, called a clip
Audio editing software allows you to modify audio clips
p. 153 Fig. 3-24
Graphics and Multimedia Software
Next
What is multimedia authoring software?
Allows you to combine text, graphics, audio, video, and animation in an interactive application
p. 154 Fig. 3-25
Graphics and Multimedia Software
organize
manage
maintain
Next
What is Web page authoring software?
Helps users of all skill levels to create Web pages
Some application software programs include Web page authoring programs
graphicalimages
video
Web pagesand/orWeb sites
animation
audio
p. 154
Media player is a term typically used to describe computer software for playing back multimedia files. Most software media players support an array of media formats, including both audio and video files.
Media Player
Types of media player.
Windows Media Player
iTunes
Winamp
Qq Player
Qvod player
Media Player
Media Player
Every media player uses the same function as shown in my swf file – play and stop button function. A movie that is played in a media player is said to be having the synchronization of audio and video in a fixed frame setting.
Media Player(ext)

..Wong Pau Tung-special-topic-02-Virus

2009-12-17T16:01:00.000-08:00

Wong Pau Tung-special-topi-02-Virus

View more presentations from sharing notes123.

Wong Pau Tung-special-topi-02-Virus - Presentation Transcript

Internet and Network Attacks
What are viruses , worms , and Trojan horses ?
p. 558 Virus is a potentially damaging computer program
Worm copies itself repeatedly, using up resources and possibly shutting down computer or network
Trojan horse hides within or looks like legitimate program until triggered Payload (destructive event) that is delivered when you open file, run infected program, or boot computer with infected disk in disk drive Can spread and damage files Does not replicate itself on other computers Next
Internet and Network Attacks
How can a virus spread through an e-mail message?
p. 559 Fig. 11-2 Step 1. Unscrupulous programmers create a virus program. They hide the virus in a Word document and attach the Word document to an e-mail message. Step 2. They use the Internet to send the e-mail message to thousands of users around the world. Step 3b. Other users do not recognize the name of the sender of the e-mail message. These users do not open the e-mail message. Instead they delete the e-mail message. These users’ computers are not infected with the virus. Step 3a. Some users open the attachment and their computers become infected with the virus. Next
Internet and Network Attacks Video: Attack of the Mobile Viruses Next CLICK TO START
Internet and Network Attacks
How can you protect your system from a macro virus?
p. 560 Fig. 11-3
Set macro security level in applications that allow you to write macros
Set security level so that warning displays that document contains macro
Macros are instructions saved in an application, such as word processing or spreadsheet program
Next
Internet and Network Attacks
What is an antivirus program ?
p. 560 - 561 Fig. 11-4
Identifies and removes computer viruses
Most also protect against worms and Trojan horses
Next
Internet and Network Attacks
What is a virus signature ?
p. 561 Fig. 11-5
Specific pattern of virus code
Also called virus definition
Antivirus programs look for virus signatures
Next
Internet and Network Attacks
How does an antivirus program inoculate a program file?
p. 561 Keeps file in separate area of hard disk Next Records information about program such as file size and creation date Attempts to remove any detected virus Uses information to detect if virus tampers with file Quarantines infected files that it cannot remove
Internet and Network Attacks
What are some tips for preventing virus, worm, and Trojan horse infections?
p. 562 Install a personal firewall program If the antivirus program flags an e-mail attachment as infected, delete the attachment immediately Never start a computer with removable media inserted Never open an e-mail attachment unless you are expecting it and it is from a trusted source Install an antivirus program on all of your computers Check all downloaded programs for viruses, worms, or Trojan horses Next Click to view Web Link, click Chapter 11, Click Web Link from left navigation, then click Virus Hoaxes below Chapter 11

DESIGNING TIC TAC TOE PROGRAM USING C++ LANGUAGE

2009-12-15T08:00:00.000-08:00

Tic-tac-toe, also spelled tick tack toe, and alternatively called noughts and crosses, X's and O's, and many other names, is a pencil-and-paper game for two players, O and X, who take turns marking the spaces in a 3×3 grid, usually X going first. The player who succeeds in placing three respective marks in a horizontal, vertical or diagonal row wins the game.

The following example game is won by the first player, X:

Players soon discover that best play from both parties leads to a draw. Hence, tic-tac-toe is most often played by young children; when they have discovered an unbeatable strategy they move on to more sophisticated games such as chess or chinese checkers. This reputation for ease has led to casinos offering gamblers the chance to play tic-tac-toe against trained chickens—though the chicken is advised by a computer program.

How do we design a simple DOS program for two players?

First of all, we need to approach the game structure systematically using problem decomposition, i.e., breaking down the main problem into small manageable chunks of problem.

EXAMPLE 1

basic procedures:

1. main() - to control the program

2. PlayGame() - to control the game session

3. GameRound() - to control each player's turn

4. DisplayPanel() - to control the game display

5. DisplaySymbol() - to control the symbol display

6. CheckWin() - to determine winning condition

7. InitVar() - to initialize variables before a game session starts

optional procedures:

8. GetPlayerNames() - to get the name of each players

9. PlaySound() - to play certain sounds to accompany events in the game

10. ComputerPlayer() - to play against the human

..Tic Tac Toe Program Design 1

2009-12-14T10:14:00.000-08:00

..Tic Tac Toe Program Design 2

2009-12-14T09:16:00.000-08:00

..Tic Tac Toe Program Design 3

2009-12-14T08:16:00.000-08:00

Ais Romney 2006 Slides 07 IS Control1

2009-11-01T07:48:00.000-08:00

Ais Romney 2006 Slides 07 Is Control1

View more presentations from sharing notes123.

Ais Romney 2006 Slides 07 Is Control1

View more presentations from sharing notes123.

Ais Romney 2006 Slides 06 Control And Ais

2009-11-01T07:38:00.000-08:00

Ais Romney 2006 Slides 06 Control And Ais

View more presentations from sharingnotes123.

Ais Romney 2006 Slides 06 Control And Ais - Presentation Transcript

HAPTER 6 Control and Accounting Information Systems
INTRODUCTION
Questions to be addressed in this chapter:
What are the basic internal control concepts, and why are computer control and security important?
What is the difference between the COBIT, COSO, and ERM control frameworks?
What are the major elements in the internal environment of a company?
What are the four types of control objectives that companies need to set?
What events affect uncertainty, and how can they be identified?
How is the Enterprise Risk Management model used to assess and respond to risk?
What control activities are commonly used in companies?
How do organizations communicate information and monitor control processes?
INTRODUCTION
Why AIS Threats Are Increasing
Control risks have increased in the last few years because:
There are computers and servers everywhere, and information is available to an unprecedented number of workers.
Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.
INTRODUCTION
Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
Computer control problems are often underestimated and downplayed.
Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
Productivity and cost pressures may motivate management to forego time-consuming control measures.
INTRODUCTION
Some vocabulary terms for this chapter:
A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
The likelihood is the probability that the threat will occur.
INTRODUCTION
Control and Security are Important
Companies are now recognizing the problems and taking positive steps to achieve better control, including:
Devoting full-time staff to security and control concerns.
Educating employees about control measures.
Establishing and enforcing formal information security policies.
Making controls a part of the applications development process.
Moving sensitive data to more secure environments.
INTRODUCTION
To use IT in achieving control objectives, accountants must:
Understand how to protect systems from threats.
Have a good understanding of IT and its capabilities and risks.
Achieving adequate security and control over the information resources of an organization should be a top management priority.
INTRODUCTION
Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
Segregation of duties must be achieved differently in an AIS.
Computers provide opportunities for enhancement of some internal controls.
INTRODUCTION
One of the primary objectives of an AIS is to control a business organization.
Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.
Management expects accountants to be control consultants by:
Taking a proactive approach to eliminating system threats; and
Detecting, correcting, and recovering from threats when they do occur.
INTRODUCTION
It is much easier to build controls into a system during the initial stage than to add them after the fact.
Consequently, accountants and control experts should be members of the teams that develop or modify information systems.
OVERVIEW OF CONTROL CONCEPTS
In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
Hire creative and innovative employees.
Give these employees power and flexibility to:
Satisfy changing customer demands;
Pursue new opportunities to add value to the organization; and
Implement process improvements.
At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.
OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
Records are maintained in sufficient detail to accurately and fairly reflect company assets.
OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
Records are maintained in sufficient detail to accurately and fairly reflect company assets.
Accurate and reliable information is provided.
OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
Records are maintained in sufficient detail to accurately and fairly reflect company assets.
Accurate and reliable information is provided.
There is reasonable assurance that financial reports are prepared in accordance with GAAP.
OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
Records are maintained in sufficient detail to accurately and fairly reflect company assets.
Accurate and reliable information is provided.
There is reasonable assurance that financial reports are prepared in accordance with GAAP.
Operational efficiency is promoted and improved.
This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.
OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
Records are maintained in sufficient detail to accurately and fairly reflect company assets.
Accurate and reliable information is provided.
There is reasonable assurance that financial reports are prepared in accordance with GAAP.
Operational efficiency is promoted and improved.
Adherence to prescribed managerial policies is encouraged.
OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
Records are maintained in sufficient detail to accurately and fairly reflect company assets.
Accurate and reliable information is provided.
There is reasonable assurance that financial reports are prepared in accordance with GAAP.
Operational efficiency is promoted and improved.
Adherence to prescribed managerial policies is encouraged.
The organization complies with applicable laws and regulations .
OVERVIEW OF CONTROL CONCEPTS
Internal control is a process because:
It permeates an organization’s operating activities.
It is an integral part of basic management activities.
Internal control provides reasonable , rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.
OVERVIEW OF CONTROL CONCEPTS
Internal control systems have inherent limitations, including:
They are susceptible to errors and poor decisions.
They can be overridden by management or by collusion of two or more employees.
Internal control objectives are often at odds with each other.
EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.
OVERVIEW OF CONTROL CONCEPTS
Internal controls perform three important functions:
Preventive controls
Deter problems before they arise.
OVERVIEW OF CONTROL CONCEPTS
Internal controls perform three important functions:
Preventive controls
Detective controls
Discover problems quickly when they do arise.
OVERVIEW OF CONTROL CONCEPTS
Internal controls perform three important functions:
Preventive controls
Detective controls
Corrective controls
Remedy problems that have occurred by:
Identifying the cause;
Correcting the resulting errors; and
Modifying the system to prevent future problems of this sort.
OVERVIEW OF CONTROL CONCEPTS
Internal controls are often classified as:
General controls
Those designed to make sure an organization’s control environment is stable and well managed.
They apply to all sizes and types of systems.
Examples: Security management controls.
OVERVIEW OF CONTROL CONCEPTS
Internal controls are often classified as:
General controls
Application controls
Prevent, detect, and correct transaction errors and fraud.
Are concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
OVERVIEW OF CONTROL CONCEPTS
An effective system of internal controls should exist in all organizations to:
Help them achieve their missions and goals
Minimize surprises
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
In 1977, Congress passed the Foreign Corrupt Practices Act , and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
A significant effect was to require that corporations maintain good systems of internal accounting control.
Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
The resulting internal control improvements weren’t sufficient.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka, SOX ).
Applies to publicly held companies and their auditors
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
The intent of SOX is to:
Prevent financial statement fraud
Make financial reports more transparent
Protect investors
Strengthen internal controls in publicly-held companies
Punish executives who perpetrate fraud
SOX has had a material impact on the way boards of directors, management, and accountants operate.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
Has five members, three of whom cannot be CPAs.
Charges fees to firms to fund the PCAOB.
Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
Currently recognizes FASB statements as being generally accepted.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
They must report specific information to the company’s audit committee, such as:
Critical accounting policies and practices
Alternative GAAP treatments
Auditor-management disagreements
Audit partners must be rotated periodically.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
Auditors cannot perform certain non-audit services, such as:
Bookkeeping
Information systems design and implementation
Internal audit outsourcing services
Management functions
Human resource services
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
Permissible non-audit services must be approved by the board of directors and disclosed to investors.
Cannot audit a company if a member of top management was employed by the auditor and worked on the company’s audit in the past 12 months.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
New rules for audit committees
Members must be on the company’s board of directors and must otherwise be independent of the company.
One member must be a financial expert.
The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
New rules for audit committees
New rules for management
The CEO and CFO must certify that:
The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
Management is responsible for internal controls.
The auditors were advised of any material internal control weaknesses or fraud.
Any significant changes to controls after management’s evaluation were disclosed and corrected.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
New rules for audit committees
New rules for management
If management willfully and knowingly violates the certification, they can be:
Imprisoned up to 20 years.
Fined up to $5 million.
Management and directors cannot receive loans that would not be available to people outside the company.
They must disclose on a rapid and current basis material changes to their financial condition.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
New rules for audit committees
New rules for management
New internal control requirements
New internal control requirements:
Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
States management is responsible for establishing and maintaining an adequate internal control structure and procedures.
Contains management’s assessment of the company’s internal controls.
Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
New rules for audit committees
New rules for management
New internal control requirements
SOX also requires that the auditor attests to and reports on management’s internal control assessment.
Each audit report must describe the scope of the auditor’s internal control tests.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
After the passage of SOX, the SEC further mandated that:
Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
The report must contain a statement identifying the framework used.
Management must disclose any and all material internal control weaknesses.
Management cannot conclude that the company has effective internal control if there are any material weaknesses.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Levers of Control
Many people feel there is a basic conflict between creativity and controls.
Robert Simons has espoused four levers of controls to help companies reconcile this conflict:
A concise belief system
Communicates company core values to employees and inspires them to live by them.
Draws attention to how the organization creates value.
Helps employees understand management’s intended direction.
Must be broad enough to appeal to all levels.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Levers of Control
Many people feel there is a basic conflict between creativity and controls.
Robert Simons has espoused four levers of controls to help companies reconcile this conflict:
A concise belief system
A boundary system
Helps employees act ethically by setting limits beyond which they must not pass.
Does not create rules and standard operating procedures that can stifle creativity.
Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:
Meeting minimum standards of performance
Shunning off-limits activities
Avoiding actions that could damage the company’s reputation.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Levers of Control
Many people feel there is a basic conflict between creativity and controls.
Robert Simons has espoused four levers of controls to help companies reconcile this conflict:
A concise belief system
A boundary system
A diagnostic control system
Ensures efficient and effective achievement of important controls.
This system measures company progress by comparing actual to planned performance.
Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
Provides feedback to enable management to adjust and fine-tune.
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Levers of Control
Many people feel there is a basic conflict between creativity and controls.
Robert Simons has espoused four levers of controls to help companies reconcile this conflict:
A concise belief system
A boundary system
A diagnostic control system
An interactive control system
Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:
Developing company strategy.
Setting company objectives.
Understanding and assessing threats and risks.
Monitoring changes in competitive conditions and emerging technologies.
Developing responses and action plans to proactively deal with these high-level issues.
Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.
Data from this system are best interpreted and discussed in face-to-face meetings.
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework
The COSO internal control framework
COSO’s Enterprise Risk Management framework (ERM)
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework
The COSO internal control framework
COSO’s Enterprise Risk Management framework (ERM)
CONTROL FRAMEWORKS
COBIT Framework
Also know as the Control Objectives for Information and Related Technology framework.
Developed by the Information Systems Audit and Control Foundation (ISACF).
A framework of generally applicable information systems security and control practices for IT control.
CONTROL FRAMEWORKS
The COBIT framework allows:
Management to benchmark security and control practices of IT environments.
Users of IT services to be assured that adequate security and control exists.
Auditors to substantiate their opinions on internal control and advise on IT security and control matters.
CONTROL FRAMEWORKS
The framework addresses the issue of control from three vantage points or dimensions:
Business objectives
To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
Effectiveness (relevant, pertinent, and timely)
Efficiency
Confidentiality
Integrity
Availability
Compliance with legal requirements
Reliability
CONTROL FRAMEWORKS
The framework addresses the issue of control from three vantage points or dimensions:
Business objectives
IT resources
Includes:
People
Application systems
Technology
Facilities
Data
CONTROL FRAMEWORKS
The framework addresses the issue of control from three vantage points or dimensions:
Business objectives
IT resources
IT processes
Broken into four domains
Planning and organization
Acquisition and implementation
Delivery and support
Monitoring
CONTROL FRAMEWORKS
COBIT consolidates standards from 36 different sources into a single framework.
It is having a big impact on the IS profession.
Helps managers to learn how to balance risk and control investment in an IS environment.
Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework
The COSO internal control framework
COSO’s Enterprise Risk Management framework (ERM)
CONTROL FRAMEWORKS
COSO’s Internal Control Framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
The American Accounting Association
The AICPA
The Institute of Internal Auditors
The Institute of Management Accountants
The Financial Executives Institute
CONTROL FRAMEWORKS
In 1992, COSO issued the Internal Control Integrated Framework :
Defines internal controls.
Provides guidance for evaluating and enhancing internal control systems.
Widely accepted as the authority on internal controls.
Incorporated into policies, rules, and regulations used to control business activities.
CONTROL FRAMEWORKS
COSO’s internal control model has five crucial components:
Control environment
The core of any business is its people.
Their integrity, ethical values, and competence make up the foundation on which everything else rests.
CONTROL FRAMEWORKS
COSO’s internal control model has five crucial components:
Control environment
Control activities
Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
CONTROL FRAMEWORKS
COSO’s internal control model has five crucial components:
Control environment
Control activities
Risk assessment
The organization must be aware of and deal with the risks it faces.
It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
CONTROL FRAMEWORKS
COSO’s internal control model has five crucial components:
Control environment
Control activities
Risk assessment
Information and communication
Information and communications systems surround the control activities.
They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.
CONTROL FRAMEWORKS
COSO’s internal control model has five crucial components:
Control environment
Control activities
Risk assessment
Information and communication
Monitoring
The entire process must be monitored and modified as necessary.
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework
The COSO internal control framework
COSO’s Enterprise Risk Management framework (ERM)
CONTROL FRAMEWORKS
Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
Result: Enterprise Risk Manage Integrated Framework (ERM)
An enhanced corporate governance document.
Expands on elements of preceding framework.
Provides a focus on the broader subject of enterprise risk management.
CONTROL FRAMEWORKS
Intent of ERM is to achieve all goals of the internal control framework and help the organization:
Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
Achieve its financial and performance targets.
Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
Avoid adverse publicity and damage to the entity’s reputation.
CONTROL FRAMEWORKS
ERM defines risk management as:
A process effected by an entity’s board of directors, management, and other personnel
Applied in strategy setting and across the enterprise
To identify potential events that may affect the entity
And manage risk to be within its risk appetite
In order to provide reasonable assurance of the achievement of entity objectives.
CONTROL FRAMEWORKS
Basic principles behind ERM:
Companies are formed to create value for owners.
Management must decide how much uncertainty they will accept.
Uncertainty can result in:
Risk
The possibility that something will happen to:
Adversely affect the ability to create value; or
Erode existing value.
CONTROL FRAMEWORKS
Basic principles behind ERM:
Companies are formed to create value for owners.
Management must decide how much uncertainty they will accept.
Uncertainty can result in:
Risk
Opportunity
The possibility that something will happen to positively affect the ability to create or preserve value.
CONTROL FRAMEWORKS
The framework should help management manage uncertainty and its associated risk to build and preserve value.
To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.
CONTROL FRAMEWORKS
COSO developed a model to illustrate the elements of ERM.
CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals.
Strategic objectives
Strategic objectives are high-level goals that are aligned with and support the company’s mission.
CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals.
Strategic objectives
Operations objectives
Operations objectives deal with effectiveness and efficiency of company operations, such as:
Performance and profitability goals
Safeguarding assets
CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals.
Strategic objectives
Operations objectives
Reporting objectives
Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
Improve decision-making and monitor company activities and performance more efficiently.
CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals.
Strategic objectives
Operations objectives
Reporting objectives
Compliance objectives
Compliance objectives help the company comply with applicable laws and regulations.
External parties often set the compliance rules.
Companies in the same industry often have similar concerns in this area.
CONTROL FRAMEWORKS
ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control.
Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
CONTROL FRAMEWORKS
Columns on the right represent the company’s units:
Entire company
CONTROL FRAMEWORKS
Columns on the right represent the company’s units:
Entire company
Division
CONTROL FRAMEWORKS
Columns on the right represent the company’s units:
Entire company
Division
Business unit
CONTROL FRAMEWORKS
Columns on the right represent the company’s units:
Entire company
Division
Business unit
Subsidiary
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
The tone or culture of the company.
Provides discipline and structure and is the foundation for all other components.
Essentially the same as control environment in the COSO internal control framework.
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company’s mission and are consistent with the company’s tolerance for risk.
Strategic objectives are set first as a foundation for the other three.
The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives.
Management must then determine whether these events represent:
Risks (negative-impact events requiring assessment and response); or
Opportunities (positive-impact events that influence strategy and objective-setting processes).
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Identified risks are assessed to determine how to manage them and how they affect the company’s ability to achieve its objectives.
Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
Likelihood
Positive and negative impact
Effect on other organizational units
Risks are analyzed on an inherent and a residual basis.
Corresponds to the risk assessment element in COSO’s internal control framework.
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Management aligns identified risks with the company’s tolerance for risk by choosing to:
Avoid
Reduce
Share
Accept
Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and costs-benefits of alternate responses.
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
To implement management’s risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.
Corresponds to the control activities element in the COSO internal control framework.
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
Has a corresponding element in the COSO internal control framework.
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
ERM processes must be monitored on an ongoing basis and modified as needed.
Accomplished with ongoing management activities and separate evaluations.
Deficiencies are reported to management.
Corresponding module in COSO internal control framework.
CONTROL FRAMEWORKS
The ERM model is three-dimensional.
Means that each of the eight risk and control elements are applied to the four objectives in the entire company and/or one of its subunits.
CONTROL FRAMEWORKS
ERM Framework Vs. the Internal Control Framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
It has too narrow of a focus.
Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
Makes it difficult to know:
Which control systems are most important.
Whether they adequately deal with risk.
Whether important control systems are missing.
CONTROL FRAMEWORKS
ERM Framework Vs. the Internal Control Framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
It has too narrow of a focus.
Focusing on controls first has an inherent bias toward past problems and concerns.
May contribute to systems with many controls to protect against risks that are no longer important.
CONTROL FRAMEWORKS
These issues led to COSO’s development of the ERM framework.
Takes a risk-based, rather than controls-based, approach to the organization.
Oriented toward future and constant change.
Incorporates rather than replaces COSO’s internal control framework and contains three additional elements:
Setting objectives.
Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.
Developing a response to assessed risk.
CONTROL FRAMEWORKS
Controls are flexible and relevant because they are linked to current organizational objectives.
ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.
CONTROL FRAMEWORKS
Over time, ERM will probably become the most widely adopted risk and control model.
Consequently, its eight components are the topic of the remainder of the chapter.
INTERNAL ENVIRONMENT
The most critical component of the ERM and the internal control framework.
Is the foundation on which the other seven components rest.
Influences how organizations:
Establish strategies and objectives
Structure business activities
Identify, access, and respond to risk
A deficient internal control environment often results in risk management and control breakdowns.
INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
INTERNAL ENVIRONMENT
Management’s Philosophy, Operating Style, and Risk Appetite
An organization’s management has shared beliefs and attitudes about risk.
That philosophy affects everything the organization does, long- and short-term, and affects their communications.
Companies also have a risk appetite , which is the amount of risk a company is willing to accept to achieve its goals and objectives.
That appetite needs to be in alignment with company strategy.
INTERNAL ENVIRONMENT
The more responsible management’s philosophy and operating style, the more likely employees will behave responsibly.
This philosophy must be clearly communicated to all employees; it is not enough to give lip service.
Management must back up words with actions; if they show little concern for internal controls, then neither will employees.
INTERNAL ENVIRONMENT
This component can be assessed by asking questions such as:
Does management take undue business risks or assess potential risks and rewards before acting?
Does management attempt to manipulate performance measures such as net income?
Does management pressure employees to achieve results regardless of methods or do they demand ethical behavior?
INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
INTERNAL ENVIRONMENT
The Board of Directors
An active and involved board of directors plays an important role in internal control.
They should:
Oversee management
Scrutinize management’s plans, performance, and activities
Approve company strategy
Review financial results
Annually review the company’s security policy
Interact with internal and external auditors
INTERNAL ENVIRONMENT
Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders.
At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.
INTERNAL ENVIRONMENT
Public companies must have an audit committee , composed entirely of independent, outside directors.
The audit committee oversees:
The company’s internal control structure;
Its financial reporting process;
Its compliance with laws, regulations, and standards.
Works with the corporation’s external and internal auditors.
Hires, compensates, and oversees the auditors.
Auditors report all critical accounting policies and practices to the audit committee.
Provides an independent review of management’s actions.
INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
INTERNAL ENVIRONMENT
Commitment to Integrity, Ethical Values, and Competence
Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.
Ethical standards of behavior make for good business.
Tone at the top is everything.
Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.
INTERNAL ENVIRONMENT
Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.
Management should:
Make it clear that honest reports are more important than favorable ones.
Management should avoid:
Unrealistic expectations, incentives or temptations.
Attitude of earnings or revenue at any price.
Overly aggressive sales practices.
Unfair or unethical negotiation practices.
Implied kickback offers.
Excessive bonuses.
Bonus plans with upper and lower cutoffs.
INTERNAL ENVIRONMENT
Management should not assume that employees would always act honestly.
Consistently reward and encourage honesty.
Give verbal labels to honest and dishonest acts.
The combination of these two will produce more consistent moral behavior.
INTERNAL ENVIRONMENT
Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct.
In particular, such a code would cover issues that are uncertain or unclear.
Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.
INTERNAL ENVIRONMENT
SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:
Should be written at a fifth-grade level.
Should be reviewed annually with employees and signed.
This approach helps employees keep themselves out of trouble.
Helps the company if they need to take legal action against the employee.
INTERNAL ENVIRONMENT
Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
Reports of dishonest acts should be thoroughly investigated.
Those found guilty should be dismissed.
Prosecution should be undertaken when possible, so that other employees are clear about consequences.
Companies must make a commitment to competence.
Begins with having competent employees.
Varies with each job but is a function of knowledge, experience, training, and skills.
INTERNAL ENVIRONMENT
The levers of control, particularly beliefs and boundaries systems, can be used to create the kind of commitment to integrity an organization wants.
Requires more than lip service and signing forms.
Must be systems in which top management actively participates in order to:
Demonstrate the importance of the system.
Create buy-in and a team spirit.
INTERNAL ENVIRONMENT
Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
Reports of dishonest acts should be thoroughly investigated.
Those found guilty should be dismissed.
Prosecution should be undertaken when possible, so that other employees are clear about consequences.
INTERNAL ENVIRONMENT
Companies must make a commitment to competence.
Begins with having competent employees.
Varies with each job but is a function of knowledge, experience, training, and skills.
INTERNAL ENVIRONMENT
The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants.
Requires more than lip service and signing forms.
Must be systems in which top management actively participates in order to:
Demonstrate the importance of the system.
Create buy-in and a team spirit.
INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
INTERNAL ENVIRONMENT
Organizational Structure
A company’s organizational structure defines its lines of authority, responsibility, and reporting.
Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.
INTERNAL ENVIRONMENT
Important aspects or organizational structure:
Degree of centralization or decentralization.
Assignment of responsibility for specific tasks.
Direct-reporting relationships or matrix structure
Organization by industry, product, geographic location, marketing network
How the responsibility allocation affects management’s information needs
Organization of accounting and IS functions
Size and nature of company activities
INTERNAL ENVIRONMENT
Statistically fraud occurs more frequently in organizations with complex structures
The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or
The structure may be intentionally complex to facilitate the fraud.
INTERNAL ENVIRONMENT
In today’s business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams.
Team members are empowered to make decisions without multiple layers of approvals.
Emphasis is on continuous improvement rather than on regular evaluations.
These changes have a significant impact on the nature and type of controls needed.
INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
INTERNAL ENVIRONMENT
Methods of Assigning Authority and Responsibility
Management should make sure:
Employees understand the entity’s objectives
Authority and responsibility for business objectives is assigned to specific departments and individuals
Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.
Management:
Must be sure to identify who is responsible for the IS security policy.
Should monitor results so decisions can be reviewed and, if necessary, overruled.
INTERNAL ENVIRONMENT
Authority and responsibility are assigned through:
Formal job descriptions
Employee training
Operating plans, schedules, and budgets
Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest
Written policies and procedures manuals (a good job reference and job training tool) which covers:
Proper business practices
Knowledge and experience needed by key personnel
Resources provided to carry out duties
Policies and procedures for handling particular transactions
The organization’s chart of accounts
Sample copies of forms and documents
INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
INTERNAL ENVIRONMENT
Human Resources Standards
Employees are both the company’s greatest control strength and the greatest control weakness.
Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.
Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization’s vulnerability.
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
Hiring
Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.
Employees should undergo a formal, in-depth employment interview.
Resumes, reference letters, and thorough background checks are critical.
INTERNAL ENVIRONMENT
Background checks can involve:
Verifying education and experience
Talking with references
Checking for criminal records, credit issues, and other publicly available data.
Note that you must have the employee’s or candidate’s written permission to conduct a background check, but that permission does not need to have an expiration date.
Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.
INTERNAL ENVIRONMENT
Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.
Some get phony degrees from online “diploma mills.”
A Pennsylvania district attorney recently filed suit against a Texas “university” for issuing an MBA to the DA’s 6-year-old black cat.
Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.
No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
Compensating
Employees should be paid a fair and competitive wage.
Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.
Appropriate incentives can motivate and reinforce outstanding performance.
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
Policies on Training
Training programs should familiarize new employees with:
Their responsibilities.
Expected performance and behavior.
Company policies, procedures, history, culture, and operating style.
Training needs to be ongoing, not just one-time.
Companies who shortchange training are more likely to experience security breaches and fraud.
INTERNAL ENVIRONMENT
Many believe employee training and education are the most important elements of fraud prevention and security programs.
Fraud is less likely to occur when employees believe security is everyone’s business.
An ideal corporate culture exists when:
Employees are proud of their company and protective of its assets.
They believe fraud hurts everyone and that they therefore have a responsibility to report it.
INTERNAL ENVIRONMENT
These cultures do not just happen. They must be created, taught, and practiced, and the following training should be provided:
Fraud awareness
Employees should be aware of fraud’s prevalence and dangers, why people do it, and how to deter and detect it.
Ethical considerations
The company should promote ethical standards in its practice and its literature.
Acceptable and unacceptable behavior should be defined and labeled, leaving as little gray area as possible.
INTERNAL ENVIRONMENT
Punishment for fraud and unethical behavior.
Employees should know the consequences (e.g., reprimand, dismissal, prosecution) of bad behavior.
Should be disseminated as a consequence rather than a threat.
EXAMPLE: “Using a computer to steal or commit fraud is a federal crime, and anyone doing so faces immediate dismissal and/or prosecution.”
The company should display notices of program and data ownership and advise employees of the penalties of misuse.
INTERNAL ENVIRONMENT
Training can take place through:
Informal discussions
Formal meetings
Periodic memos
Written guidelines
Codes of ethics
Circulating reports of unethical behavior and its consequences
Promoting security and fraud training programs
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
Evaluating and promoting
Do periodic performance appraisals to help employees understand their strengths and weaknesses.
Base promotions on performance and qualifications.
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
Discharging
Fired employees are disgruntled employees.
Disgruntled employees are more likely to commit a sabotage or fraud against the company.
Employees who are terminated (whether voluntary or involuntary) should be removed from sensitive jobs immediately and denied access to information systems.
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
Managing disgruntled employees
Disgruntled employees may be isolated and/or unhappy, but are much likelier fraud candidates than satisfied employees.
The organization can try to reduce the employee’s pressures through grievance channels and counseling.
Difficult to do because many employees feel that seeking counseling will stigmatize them in their jobs.
Disgruntled employees should not be allowed to continue in jobs where they could harm the organization.
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
Vacations and rotation of duties
Some fraud schemes, such as lapping and kiting, cannot continue without the constant attention of the perpetrator.
Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection.
These measures will only be effective if someone else is doing the job while the usual employee is elsewhere.
INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
Confidentiality agreements and fidelity bond insurance
Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements.
Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts by those employees.
INTERNAL ENVIRONMENT
In addition to the preceding policies, the company should seek prosecution and incarceration of hackers and fraud perpetrators
Most fraud cases and hacker attacks go unreported. They are not prosecuted for several reasons.
Companies fear:
Public relations nightmares
Copycat attacks
But unreported fraud and intrusions create a false sense of security.
INTERNAL ENVIRONMENT
Law enforcement officials and courts are busy with violent crimes and may regard teen hacking as “childish pranks.”
Fraud is difficult, costly, and time-consuming to investigate and prosecute.
Law enforcement officials, lawyers, and judges often lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.
When cases are prosecuted and a conviction obtained, penalties are often very light. Judges often regard the perps as “model citizens.”
INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
INTERNAL ENVIRONMENT
External influences
External influences that affect the control environment include requirements imposed by:
FASB
PCAOB
SEC
Insurance commissions
Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
Objective setting is the second ERM component.
It must precede many of the other six components.
For example, you must set objectives before you can define events that affect your ability to achieve objectives
OBJECTIVE SETTING
Top management, with board approval, must articulate why the company exists and what it hopes to achieve.
Often referred to as the corporate vision or mission.
Uses the mission statement as a base from which to set corporate objectives.
The objectives:
Need to be easy to understand and measure.
Should be prioritized.
Should be aligned with the company’s risk appetite.
OBJECTIVE SETTING
Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units.
For each set of objectives:
Critical success factors (what has to go right) must be defined.
Performance measures should be established to determine whether the objectives are met.
OBJECTIVE SETTING
Objective-setting process proceeds as follows:
First, set strategic objectives, the high-level goals that support the company’s mission and create value for shareholders.
To meet these objectives, identify alternative ways of accomplishing them.
For each alternative, identify and assess risks and implications.
Formulate a corporate strategy.
Then set operations, compliance, and reporting objectives.
OBJECTIVE SETTING
As a rule of thumb:
The mission and strategic objectives are stable.
The strategy and other objectives are more dynamic:
Must be adapted to changing conditions.
Must be realigned with strategic objectives.
OBJECTIVE SETTING
Operations objectives:
Are a product of management preferences, judgments, and style
Vary significantly among entities:
One may adopt technology; another waits until the bugs are worked out.
Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures.
Give clear direction for resource allocation—a key success factor.
OBJECTIVE SETTING
Compliance and reporting objectives:
Many are imposed by external entities, e.g.:
Reports to IRS or to EPA
Financial reports that comply with GAAP
A company’s reputation can be impacted significantly (for better or worse) by the quality of its compliance.
EVENT IDENTIFICATION
Events are:
Incidents or occurrences that emanate from internal or external sources
That affect implementation of strategy or achievement of objectives.
Impact can be positive, negative, or both.
Events can range from obvious to obscure.
Effects can range from inconsequential to highly significant.
EVENT IDENTIFICATION
By their nature, events represent uncertainty:
Will they occur?
If so, when?
And what will the impact be?
Will they trigger another event?
Will they happen individually or concurrently?
EVENT IDENTIFICATION
Management must do its best to anticipate all possible events—positive or negative—that might affect the company:
Try to determine which are most and least likely.
Understand the interrelationships of events.
COSO identified many internal and external factors that could influence events and affect a company’s ability to implement strategy and achieve objectives.
EVENT IDENTIFICATION
Some of these factors include:
External factors:
Economic factors
Availability of capital; lower or higher costs of capital
Lower barriers to entry, resulting in new competition
Price movements up or down
Ability to issue credit and possibility of default
Concentration of competitors, customers, or vendors
Presence or absence of liquidity
Movements in the financial markets or currency fluctuations
Rising or lowering unemployment rates
Mergers or acquisitions
Potential regulatory, contractual, or criminal legal liability
EVENT IDENTIFICATION
Some of these factors include:
External factors:
Economic factors
Natural environment
Natural disasters such as fires, floods, or earthquakes
Emissions and waste
Energy restrictions or shortages
Restrictions limiting development
EVENT IDENTIFICATION
Some of these factors include:
External factors:
Economic factors
Natural environment
Political factors
Election of government officials with new agendas
New laws and regulations
Public policy, including higher or lower taxes
Regulation affecting the company’s ability to compete
EVENT IDENTIFICATION
Some of these factors include:
External factors:
Economic factors
Natural environment
Political factors
Social factors
Changing demographics, social mores, family structures, and work/life priorities
Consumer behavior that changes demand for products and services or creates new buying opportunities
Corporate citizenship
Privacy
Terrorism
Human resource issues causing production shortages or stoppages
EVENT IDENTIFICATION
Some of these factors include:
External factors:
Economic factors
Natural environment
Political factors
Social factors
Technological factors
New e-business technologies that lower infrastructure costs or increase demand for IT-based services
Emerging technology
Increased or decreased availability of data
Interruptions or down time caused by external parties
EVENT IDENTIFICATION
Some of these factors include:
Internal factors:
Infrastructure
Inadequate access or poor allocation of capital
Availability and capability of company assets
Complexity of systems
EVENT IDENTIFICATION
Some of these factors include:
Internal factors:
Infrastructure
Personnel
Employee skills and capability
Employees acting dishonestly or unethically
Workplace accidents, health or safety concerns
Strikes or expiration of labor agreements
EVENT IDENTIFICATION
Some of these factors include:
Internal factors:
Infrastructure
Personnel
Process
Process modification without proper change management procedures
Poorly designed processes
Process execution errors
Suppliers cannot deliver quality goods on time
EVENT IDENTIFICATION
Some of these factors include:
Internal factors:
Infrastructure
Personnel
Process
Technology
Insufficient capacity to handle peak IT usages
Security breaches
Data or system unavailability from internal factors
Inadequate data integrity
Poor systems selection/development
Inadequately maintained systems
EVENT IDENTIFICATION
Lists can help management identify factors, evaluate their importance, and examine those that can affect objectives.
Identifying events at the activity and entity levels allows companies to focus their risk assessment on major business units or functions and align their risk tolerance and risk appetite.
EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events
Often produced by special software that can tailor lists to an industry, activity, or process.
EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events
Perform an internal analysis
An internal committee analyzes events, contacting appropriate insiders and outsiders for input.
EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events
Perform an internal analysis
Monitor leading events and trigger points
Appropriate transactions, activities, and events are monitored and compared to predefined criteria to determine when action is needed.
EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events
Perform an internal analysis
Monitor leading events and trigger points
Conduct workshops and interviews
Employee knowledge and expertise is gathered in structured discussions or individual interviews.
EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events
Perform an internal analysis
Monitor leading events and trigger points
Conduct workshops and interviews
Perform data mining and analysis
Examine data on prior events to identify trends and causes that help identify possible events.
EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events
Perform an internal analysis
Monitor leading events and trigger points
Conduct workshops and interviews
Perform data mining and analysis
Analyze processes
Analyze internal and external factors that affect inputs, processes, and outputs to identify events that might help or hinder the process.
RISK ASSESSMENT AND RISK RESPONSE
The fourth and fifth components of COSO’s ERM model are risk assessment and risk response.
COSO indicates there are two types of risk:
Inherent risk
The risk that exists before management takes any steps to control the likelihood or impact of a risk.
RISK ASSESSMENT AND RISK RESPONSE
The fourth and fifth components of COSO’s ERM model are risk assessment and risk response.
COSO indicates there are two types of risk:
Inherent risk
Residual risk
The risk that remains after management implements internal controls or some other form of response to risk.
RISK ASSESSMENT AND RISK RESPONSE
Companies should:
Assess inherent risk
Develop a response
Then assess residual risk
The ERM model indicates four ways to respond to risk:
Reduce it
The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.
RISK ASSESSMENT AND RISK RESPONSE
Companies should:
Assess inherent risk
Develop a response
Then assess residual risk
The ERM model indicates four ways to respond to risk:
Reduce it
Accept it
Don’t act to prevent or mitigate it.
RISK ASSESSMENT AND RISK RESPONSE
Companies should:
Assess inherent risk
Develop a response
Then assess residual risk
The ERM model indicates four ways to respond to risk:
Reduce it
Accept it
Share it
Transfer some of it to others via activities such as insurance, outsourcing, or hedging.
RISK ASSESSMENT AND RISK RESPONSE
Companies should:
Assess inherent risk
Develop a response
Then assess residual risk
The ERM model indicates four ways to respond to risk:
Reduce it
Accept it
Share it
Avoid it
Don’t engage in the activity that produces it.
May require:
Sale of a division
Exiting a product line
Canceling an expansion plan
RISK ASSESSMENT AND RISK RESPONSE
Accountants:
Help management design effective controls to reduce inherent risk
Evaluate internal control systems to ensure they are operating effectively
Assess and reduce inherent risk using the risk assessment and response strategy
RISK ASSESSMENT AND RISK RESPONSE
Event Identification
The first step in risk assessment and response strategy is event identification, which we have already discussed.
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
Estimate Likelihood and Impact
Some events pose more risk because they are more probable than others.
Some events pose more risk because their dollar impact would be more significant.
Likelihood and impact must be considered together:
If either increases, the materiality of the event and the need to protect against it rises.
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
Identify Controls
Management must identify one or more controls that will protect the company from each event.
In evaluating benefits of each control procedure, consider effectiveness and timing.
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
All other factors equal:
A preventive control is better than a detective one.
However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
Consequently, the three complement each other, and a good internal control system should have all three.
Similarly, a company should use all four levers of control.
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
Estimate Costs and Benefits
It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
The benefits of an internal control procedure must exceed its costs.
Benefits can be hard to quantify, but include:
Increased sales and productivity
Reduced losses
Better integration with customers and suppliers
Increased customer loyalty
Competitive advantages
Lower insurance premiums
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
Costs are usually easier to measure than benefits.
Primary cost is personnel, including:
Time to perform control procedures
Costs of hiring additional employees to effectively segregate duties
Costs of programming controls into a system
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
Other costs of a poor control system include:
Lost sales
Lower productivity
Drop in stock price if security problems arise
Shareholder or regulator lawsuits
Fines and penalties imposed by governmental agencies
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
The expected loss related to a risk is measured as:
Expected loss = impact x likelihood
The value of a control procedure is the difference between:
Expected loss with control procedure
Expected loss without it
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
Determine Cost-Benefit Effectiveness
After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.
If an event threatens an organization’s existence, it may be worthwhile to institute controls even if costs exceed expected benefits.
The additional cost can be viewed as a catastrophic loss insurance premium.
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
Let’s go through an example:
Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
A catastrophic theft could result in losses of $800,000.
Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
Companies with motion detectors only have about a .5% probability of catastrophic theft.
The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
Should Hobby Hole install the motion detectors?
Expected Loss without control procedure = $800,000 x .12 = $96,000.
Expected loss with control procedure = $800,000 x .005 = $4,000.
Estimated value of control procedure = $96,000 - $4,000 = $92,000.
Estimated cost of control procedure = $43,000 (given).
Benefits exceed costs by $92,000 - $43,000 = $49,000 .
In this case, Hobby Hole should probably install the motion detectors.
RISK ASSESSMENT AND RISK RESPONSE
Implement the Control or Avoid, Share, or Accept the Risk
When controls are cost effective, they should be implemented so risk can be reduced.
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
RISK ASSESSMENT AND RISK RESPONSE
Risks that are not reduced must be accepted, shared, or avoided.
If the risk is within the company’s risk tolerance, they will typically accept the risk.
A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost-beneficial to protect system Avoid, share, or accept risk Yes No
CONTROL ACTIVITIES
The sixth component of COSO’s ERM model.
Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.
CONTROL ACTIVITIES
It is management’s responsibility to develop a secure and adequately controlled system.
Controls are much more effective when built in on the front end.
Consequently, systems analysts, designers, and end users should be involved in designing adequate computer-based control systems.
Management must also establish a set of procedures to ensure control compliance and enforcement.
Usually the purview of the information security officer and the operations staff.
CONTROL ACTIVITIES
It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because:
More people are on vacation and fewer around to mind the store.
Students are not tied up with school.
Counterculture hackers may be lonely.
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
CONTROL ACTIVITIES
Proper Authorization of Transactions and Activities
Management lacks the time and resources to supervise each employee activity and decision.
Consequently, they establish policies and empower employees to perform activities within policy.
This empowerment is called authorization and is an important part of an organization’s control procedures.
CONTROL ACTIVITIES
Authorizations are often documented by signing initializing, or entering an authorization code.
Computer systems can record digital signatures as a means of signing a document.
Employees who process transactions should verify the presence of the appropriate authorizations.
Auditors review transactions for proper authorization, as their absence indicates a possible control problem.
CONTROL ACTIVITIES
Typically at least two levels of authorization:
General authorization
Management authorizes employees to handle routine transactions without special approval.
Special authorization
For activities or transactions that are of significant consequences, management review and approval is required.
Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.
Management should have written policies for both types of authorization and for all types of transactions.
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
CONTROL ACTIVITIES
Segregation of Duties
Good internal control requires that no single employee be given too much responsibility over business transactions or processes.
An employee should not be in a position to commit and conceal fraud or unintentional errors.
Segregation of duties is discussed in two sections:
Segregation of accounting duties
Segregation of duties within the systems function
CONTROL ACTIVITIES
Segregation of Duties
Good internal control requires that no single employee be given too much responsibility over business transactions or processes.
An employee should not be in a position to commit and conceal fraud or unintentional errors.
Segregation of duties is discussed in two sections:
Segregation of accounting duties
Segregation of duties within the systems function
CONTROL ACTIVITIES
To learn a little about segregation of duties, let’s first meet Bill.
CONTROL ACTIVITIES
Bill has charge of a pile of the organization’s money—let’s say $1,000.
CONTROL ACTIVITIES
Bill also keeps the books for that money.
Ledger $1,000
CONTROL ACTIVITIES
Bill has a date tonight, and he’s a little desperate to impress that special someone, so he takes $100 of the cash. (Thinks he’s only borrowing it, you know.)
Ledger $1,000
CONTROL ACTIVITIES
Bill has a date tonight, and he’s a little desperate to impress that special someone, so he takes $100 of the cash. (Thinks he’s only borrowing it, you know.)
Ledger $1,000
CONTROL ACTIVITIES
Bill also records an entry in the books to show that $100 was spent for some “legitimate” purpose. Now the balance in the books is $900.
Ledger $1,000
CONTROL ACTIVITIES
How will Bill ever get caught at his theft?
Ledger $900
CONTROL ACTIVITIES
Now let’s change the story. Bill has charge of the pile of cash.
CONTROL ACTIVITIES
But Mary keeps the books.
This arrangement is a form of segregation of duties.
Ledger $1,000
CONTROL ACTIVITIES
Bill gets in a pinch again and takes $100 of the organization’s cash.
Ledger $1,000
CONTROL ACTIVITIES
How will Bill get caught?
Ledger $1,000
CONTROL ACTIVITIES
Segregation of Accounting Duties
Effective segregation of accounting duties is achieved when the following functions are separated:
Authorization —approving transactions and decisions.
Recording —Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
Custody —Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account.
If any two of the preceding functions are the responsibility of one person, then problems can arise.
CONTROL ACTIVITIES
CUSTODIAL FUNCTIONS
Handling cash
Handling inventories, tools, or fixed assets
Writing checks
Receiving checks in mail
AUTHORIZATION FUNCTIONS
Authorization of transactions
RECORDING FUNCTIONS
Preparing source documents
Maintaining journals, ledgers, or other files
Preparing reconciliations
Preparing performance reports
EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
SOLUTION: The pink fence (segregation of custody and recording) prevents employees from falsifying records to conceal theft of assets entrusted to them.
CONTROL ACTIVITIES
CUSTODIAL FUNCTIONS
Handling cash
Handling inventories, tools, or fixed assets
Writing checks
Receiving checks in mail
AUTHORIZATION FUNCTIONS
Authorization of transactions
RECORDING FUNCTIONS
Preparing source documents
Maintaining journals, ledgers, or other files
Preparing reconciliations
Preparing performance reports
EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal the payments.
SOLUTION: The green fence (segregation of custody and authorization) prevents employees from authorizing fictitious or inaccurate transactions as a means of concealing a theft.
CONTROL ACTIVITIES
CUSTODIAL FUNCTIONS
Handling cash
Handling inventories, tools, or fixed assets
Writing checks
Receiving checks in mail
AUTHORIZATION FUNCTIONS
Authorization of transactions
RECORDING FUNCTIONS
Preparing source documents
Maintaining journals, ledgers, or other files
Preparing reconciliations
Preparing performance reports
EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee’s home address or the address of a shell company he creates.
SOLUTION: The purple fence (segregation of recording and authorization) prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized.
CONTROL ACTIVITIES
In a system that incorporates an effective separation of duties, it should be difficult for any single employee to commit embezzlement successfully.
But when two or more people collude , then segregation of duties becomes impotent and controls are overridden.
CONTROL ACTIVITIES
If this happens . . .
Ledger $1,000
CONTROL ACTIVITIES
Then segregation of duties is out the window. Collusion overrides segregation.
Ledger $1,000
CONTROL ACTIVITIES
Employees can collude with other employees or with customers or vendors.
The most frequent form of employee/vendor collusions include:
Billing at inflated prices
Performing substandard work and receiving full payment
Payment for non-performance
Duplicate billings
Improperly funneling more work to or purchasing more goods from a colluding company
CONTROL ACTIVITIES
The most frequent form of employee/customer collusions include:
Unauthorized loans or insurance payments
Receipt of assets or services at unauthorized discount prices
Forgiveness of amounts owed
Unauthorized extension of due dates
CONTROL ACTIVITIES
Segregation of Duties
Good internal control requires that no single employee be given too much responsibility over business transactions or processes.
An employee should not be in a position to commit and conceal fraud or unintentional errors.
Segregation of duties is discussed in two sections:
Segregation of accounting duties
Segregation of duties within the systems function
CONTROL ACTIVITIES
Segregation of Duties Within the Systems Function
In a highly integrated information system, procedures once performed by separate individuals are combined.
Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud.
To combat this threat, organizations must implement effective segregation of duties within the IS function.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Responsible for ensuring that the different parts of an information system operate smoothly and efficiently.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Ensures that all applicable devices are linked to the organization’s internal and external networks and that the networks operate continuously and properly.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Ensures that all aspects of the system are secure and protected from internal and external threats.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Manages changes to the organization’s information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users
Record transactions, authorize data to be processed, and use system output.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users
Systems analysts
Help users determine their information needs and design systems to meet those needs.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users
Systems analysts
Programming
Use design provided by the systems analysts to write the computer programs for the information system.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users
Systems analysts
Programming
Computer operations
Run the software on the company’s computers.
Ensure that data are input properly, correctly processed, and needed output is produced.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users
Systems analysts
Programming
Computer operations
Information systems library
Maintains custody of corporate databases, files, and programs in a separate storage area.
CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users
Systems analysts
Programming
Computer operations
Information systems library
Data control
Ensures that source data have been properly approved.
Monitors the flow of work through the computer.
Reconciles input and output.
Maintains a record of input errors to ensure their correction and resubmission.
Distributes system output.
CONTROL ACTIVITIES
It is important that different people perform the preceding functions.
Allowing a person to do two or more jobs exposes the company to the possibility of fraud.
In addition to adequate segregation of duties, organizations should ensure that the people who design, develop, implement, and operate the IS are qualified and well trained.
The same holds true for systems security personnel.
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
CONTROL ACTIVITIES
Project Development and Acquisition Controls
It’s important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies.
Should contain appropriate controls for:
Management review and approval
User involvement
Analysis
Design
Testing
Implementation
Conversion
Should make it possible for management to trace information inputs from source to disposition and vice versa (the audit trail).
CONTROL ACTIVITIES
Examples abound of poorly managed projects that have wasted large sums of money because certain basic principles of project management control were ignored.
CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan
A multi-year strategic plan should align the organization’s information system with its business strategies and show the projects that must be completed to achieve long-range goals.
Should address hardware, software, personnel, and infrastructure requirements.
Each year, the board and top management should prepare and approve the plan and its supporting budget.
Should be evaluated several times a year to ensure the organization can acquire needed components and maintain existing ones.
CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan
Project controls
A project development plan shows how a project will be completed, including:
Modules or tasks to be performed
Who will perform them
Anticipated completion dates
Project costs
Project milestones should be specified—points when progress is reviewed and actual completion times are compared to estimates
Each project should be assigned to a manager and team who are responsible for its success or failure.
At project completion, a project evaluation of the team members should be performed.
CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan
Project controls
Data processing schedule
Data processing tasks should be organized according to a schedule to maximize the use of scarce computer resources .
CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan
Project controls
Data processing schedule
Steering committee
A steering committee should guide and oversee systems development and acquisition.
CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan
Project controls
Data processing schedule
Steering committee
System performance measurements
To be evaluated properly, a system should be assessed with measures such as:
Throughput (output per unit of time)
Utilization (percent of time it is used productively)
Response time (how long it takes to respond)
CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan
Project controls
Data processing schedule
Steering committee
System performance measurements
Post-implementation review
A review should be performed after a development project is completed to determine if the anticipated benefits were achieved.
Helps control project development activities and encourage accurate and objective initial cost and benefit estimates.
CONTROL ACTIVITIES
To simplify and improve systems development, some companies hire a systems integrator—a vendor who uses common standards and manages the development effort using their own personnel and those of the client and other vendors.
Many companies rely on the integrator’s assurance that the project will be completed on time.
Unfortunately, the integrator is often wrong.
These third-party systems development projects are subject to the same cost overruns and missed deadlines as systems developed internally.
CONTROL ACTIVITIES
When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should:
Develop clear specifications
Before third parties bid, provide clear specifications, including:
Exact descriptions and definitions of the system
Explicit deadlines
Precise acceptance criteria
While it’s expensive to develop these specifications, it will save money in the end.
CONTROL ACTIVITIES
When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should:
Develop clear specifications
Monitor the systems integration project
A sponsors committee should monitor third-party development projects.
Established by the CIO and chaired by the project’s internal champion.
Should include department managers from all units that will use the system.
Should establish formal procedures for measuring and reporting project status.
Best approach is to:
Divide project into manageable tasks.
Assign responsibility for each task.
Meet on a regular basis (at least monthly) to review progress and assess quality.
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
CONTROL ACTIVITIES
Change Management Controls
Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances.
Change management is the process of making sure that the changes do not negatively affect:
Systems reliability
Security
Confidentiality
Integrity
Availability
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
CONTROL ACTIVITIES
Design and Use of Adequate Documents and Records
Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data.
Form and content should be kept as simple as possible to:
Promote efficient record keeping
Minimize recording errors
Facilitate review and verification
Documents that initiate a transaction should contain a space for authorization.
Those used to transfer assets should have a space for the receiving party’s signature.
CONTROL ACTIVITIES
Documents should be sequentially pre-numbered:
To reduce likelihood that they would be used fraudulently.
To help ensure that all valid transactions are recorded.
A good audit trail facilitates:
Tracing individual transactions through the system.
Correcting errors.
Verifying system output.
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
CONTROL ACTIVITIES
Safeguard Assets, Records, and Data
When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment.
Another company asset that needs to be protected is information.
According to the ACFE’s 2004 National Fraud Survey, theft of information made up only 17.3% of non-cash misappropriations; however, the median cost of an information theft was $340,000. This cost was 126% higher than the next most costly non-asset theft. (Equipment theft had a median cost of $150,000.)
CONTROL ACTIVITIES
Many people mistakenly believe that the greatest risks companies face are from outsiders.
However, employees pose a much greater risk when it comes to loss of data because:
They know the system and its weaknesses better.
They are better able to hide their illegal acts.
CONTROL ACTIVITIES
Insiders also create less-intentional threats to systems, including:
Accidentally deleting company data
Turning viruses loose
Trying to fix hardware or software without appropriate expertise (i.e., when in doubt, unplug it).
These actions can result in crashed networks, corrupt data, and hardware and software malfunctions.
Companies also face significant risks from customers and vendors that have access to company data.
CONTROL ACTIVITIES
Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In addition, it is important to:
Maintain accurate records of all assets
Periodically reconcile recorded amounts to physical counts.
CONTROL ACTIVITIES
Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In addition, it is important to:
Maintain accurate records of all assets
Periodically reconcile recorded amounts to physical counts.
Restrict access to assets
Use restricted storage areas for inventories and equipment.
Use cash registers, safes, lockboxes, and safe deposit boxes to limit access to cash, securities, and paper assets.
CONTROL ACTIVITIES
Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In addition, it is important to:
Maintain accurate records of all assets
Periodically reconcile recorded amounts to physical counts.
Restrict access to assets
Protect records and documents
Use fireproof storage areas, locked filing cabinets, backup of files (including copies at off-site locations).
Limit access to blank checks and documents to authorized personnel.
CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
CONTROL ACTIVITIES
Let’s look at Bill and Mary again. Assume that Bill stole cash but Mary did NOT alter the books.
Ledger $1,000
CONTROL ACTIVITIES
Can Bill’s theft be discovered if an independent party doesn’t compare a count of the cash to what’s recorded on the books?
Ledger $1,000
CONTROL ACTIVITIES
Segregation of duties only has value when supplemented by independent checks.
Ledger $1,000
CONTROL ACTIVITIES
Internal checks to ensure that transactions are processed accurately are an important control element.
These checks should be performed by someone independent of the party(ies) responsible for the activities.
CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews
Management at all levels should monitor company results and periodically compare actual performance to:
Planned performance as shown in budgets, targets, and forecasts
Prior-period performance
The performance of competitors
CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews
Analytical reviews
Examinations of relationships between different sets of data.
EXAMPLE: If credit sales increased significantly during the period and there were no changes in credit policy, then bad debt expense should probably have increased also.
Management should periodically analyze and review data relationships to detect fraud and other business problems.
CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews
Analytical reviews
Reconciliation of independently maintained sets of records
Check the accuracy and completeness of records by reconciling them with other records that should have the same balance.
EXAMPLES:
Bank reconciliations
Comparing accounts payable control account to sum of subsidiary accounts.
CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews
Analytical reviews
Reconciliation of independently maintained sets of records
Comparison of actual quantities with recorded amounts
Periodically count significant assets and reconcile the count to company records.
EXAMPLE: Annual physical inventory.
High-dollar items and critical components should be counted more frequently.
CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews
Analytical reviews
Reconciliation of independently maintained sets of records
Comparison of actual quantities with recorded amounts
Double-entry accounting
Ensure that debits equal credits.
CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews
Analytical reviews
Reconciliation of independently maintained sets of records
Comparison of actual quantities with recorded amounts
Double-entry accounting
Independent review
After one person processes a transaction, another reviews their work.
INFORMATION AND COMMUNICATION
The seventh component of COSO’s ERM model.
The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.
So accountants must understand how:
Transactions are initiated
Data are captured in or converted to machine-readable form
Computer files are accessed and updated
Data are processed
Information is reported to internal and external parties
INFORMATION AND COMMUNICATION
Accountants must also understand the accounting records and procedures, supporting documents, and specific financial statement accounts involved in processing and reporting transactions.
The preceding items facilitate an audit trail which allows for transactions to be traced from origin to financial statements and vice versa.
INFORMATION AND COMMUNICATION
According to the AICPA, an AIS has five primary objectives:
Identify and record all valid transactions.
Properly classify transactions.
Record transactions at their proper monetary value.
Record transactions in the proper accounting period.
Properly present transactions and related disclosures in the financial statements.
INFORMATION AND COMMUNICATION
Accounting systems generally consist of several accounting subsystems, each designed to process transactions of a particular type.
Though they differ with respect to the type of transactions processed, all accounting subsystems follow the same sequence of procedures, referred to as accounting cycles .
The five major accounting cycles and their related control objectives and procedures are detailed in Chapters 10-14.
MONITORING
The eighth component of COSO’s ERM model.
Monitoring can be accomplished with a series of ongoing events or by separate evaluations.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Perform ERM Evaluation
Can measure ERM effectiveness through a formal evaluation or through a self-assessment process.
A special group can be assembled to conduct the evaluation or it can be done by internal auditing.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Implement Effective Supervision
Involves:
Training and assisting employees;
Monitoring their performance;
Correcting errors; and
Safeguarding assets by overseeing employees with access.
Especially important in organizations that:
Can’t afford elaborate responsibility reporting; or
Are too small for segregation of duties.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Use Responsibility Accounting
Includes use of:
Budgets, quotas, schedules, standard costs, and quality standards;
Performance reports that compare actual with planned performance and highlight variances;
Procedures for investigating significant variances and taking timely actions to correct adverse conditions.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Monitor System Activities
Risk analysis and management software packages are available to:
Review computer and network security measures;
Detect illegal entry into systems;
Test for weaknesses and vulnerabilities;
Report weaknesses found; and
Suggest improvements.
MONITORING
Cost parameters can be entered to balance acceptable levels of risk tolerance and cost-effectiveness.
Software is also available to monitor and combat viruses, spyware, spam, pop-up ads, and to prevent browsers from being hijacked.
Also helps companies recover from frauds and malicious actions and restore systems to pre-incident status.
MONITORING
System transactions and activities should be recorded in a log which indicates who accessed what data, when, and from which terminal.
Logs should be reviewed frequently to monitor system activity and trace any problems to their source.
Data collected can be used to:
Evaluate employee productivity;
Control company costs;
Fight corporate espionage and other attacks; and
Comply with legal requirements.
MONITORING
Companies that monitor system activities need to ensure they do not violate employee privacy rights.
Employers cannot discreetly observe communications of employees when those employees have a “reasonable expectation of privacy.”
Employers must therefore ensure that employees realize their business communications are not “private.” One way to accomplish that objective is to have written policies that employees agree to in writing which indicate:
The technology employees use on the job belongs to the company.
Emails received on company computers are not private and can be read by supervisory personnel.
Employees should not use technology in any way to contribute to a hostile work environment.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Track Purchased Software
The Business Software Alliance (BSA) aggressively tracks down and fines companies who violate software license agreements.
To comply with copyrights, companies should periodically conduct software audits to ensure that.
There are enough licenses for all users;
The company is not paying for more licenses than needed.
Employees should be informed of the consequences of using unlicensed software.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Conduct Periodic Audits
To monitor risk and detect fraud and errors, the company should have periodic:
External audits
Internal audits
Special network security audits
Auditors should test system controls and browse system usage files looking for suspicious activities (discussed in Chapter 9).
MONITORING
Again, care should be exercised that employees’ privacy rights are not violated.
Therefore, inform employees that auditors will conduct random surveillance, which:
Avoids privacy violations
Creates a “perception of detection” that can deter crime and reduce errors
MONITORING
Internal auditing involves:
Reviewing the reliability and integrity of financial and operating information.
Providing an appraisal of internal control effectiveness.
Assessing employee compliance with management policies and procedures and applicable laws and regulations.
Evaluating the efficiency and effectiveness of management.
MONITORING
Internal audits can detect:
Excess overtime
Under-used assets
Obsolete inventory
Padded expense reimbursements
Excessively loose budgets and quotas
Poorly justified capital expenditures
Production bottlenecks
MONITORING
Internal auditing should be organizationally independent of the accounting and operating functions.
The head should report to the audit committee of the board of directors rather than to the controller or CFO.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Employ a Computer Security Officer and Computer Consultants
The computer security officer (CSO) is in charge of AIS security
Should be independent of the IS function
Should report to the COO or CEO
Many companies also use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Engage Forensic Specialists
Forensic accountants specialize in fraud detection and investigation.
Now one of the fastest growing areas of accounting due to:
SOX
SAS-99
Boards of Directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process.
MONITORING
Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies.
In particular demand are those with the necessary computer skills to ferret out and combat fraudsters who use sophisticated technology to perpetrate their crimes.
The Association of Certified Fraud Examiners (ACFE) has created a professional certification program for fraud examiners.
Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies.
MONITORING
Management may also need to call on computer forensic specialists for help.
They assist in discovering, extracting, safeguarding, and documenting computer evidence so that its authenticity, accuracy, and integrity will not succumb to legal challenges.
MONITORING
Common incidents investigated by computer forensic experts include:
Improper internet usage
Fraud
Sabotage
Loss, theft, or corruption of data
Retrieving information from emails and databases that users thought they had erased
Determining who performed certain actions on a computer
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Install Fraud Detection Software
People who commit fraud tend to follow certain patterns and leave behind clues.
Software has been developed to seek out these fraud symptoms.
Some companies employ neural networks (programs that mimic the brain and have learning capabilities) which are very accurate in identifying suspected fraud.
For example, if a husband and wife were each using the same credit card in two different stores at the same time, a neural network would probably flag at least one of the transactions immediately as suspicious.
These networks and other recent advances in fraud detection software are significantly reducing the incidences of credit card fraud.
MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
MONITORING
Implement a Fraud Hotline
People who witness fraudulent behavior are often torn between conflicting feelings.
They want to protect company assets and report fraud perpetrators.
But they are uncomfortable in the whistleblower role and find it easier to remain silent.
They are particularly reluctant to report if they know of others who have suffered repercussions from doing so.
MONITORING
SOX mandates that companies set up mechanisms for employees to anonymously report abuses such as fraud.
An effective way to comply with the law and resolve employee concerns is to provide access to an anonymous hotline.
Anonymous reporting can be accomplished through:
Phone lines
Web-based reporting
Anonymous emails
Snail mail
MONITORING
Outsourcing is available through a number of third parties and offers several benefits, including:
Increased confidence on the part of employee that his/her report is truly anonymous.
24/7 availability.
Often have multilingual capabilities—an important plus for multinational organizations.
The outsourcer may be able to do follow up with the employee if additional information is needed after the initial contact.
The employee can be advised of the outcome of his report.
Low cost.
MONITORING
A downside to anonymous reporting mechanisms is that they will produce a significant amount of petty or slanderous reports that do not require investigation.
The ACFE’s 2004 Report to the Nation indicates that companies without fraud hotlines had median fraud losses that were 140% higher than companies that had fraud hotlines.
SUMMARY
In this chapter, you’ve learned about basic internal control concepts and why computer control and security are so important.
You’ve learned about the similarities and differences between the COBIT, COSO, and ERM control frameworks.
You’ve learned about the major elements in the internal control environment of a company and the four types of control objectives that companies need to set.
You’ve also learned about events that affect uncertainty and how these events can be identified.
You’ve explored how the Enterprise Risk Management model is used to assess and respond to risk, as well as the control activities that are commonly used in companies.
Finally, you’ve learned how organizations communicate information and monitor control processes.

Ais Romney 2006 Slides 05 Computer Fraud And Abuse

2009-11-01T07:36:00.000-08:00

Ais Romney 2006 Slides 05 Computer Fraud And Abuse

View more presentations from sharingnotes123.

Ais Romney 2006 Slides 05 Computer Fraud And Abuse - Presentation Transcript

HAPTER 5 Computer Fraud and Security
INTRODUCTION
Questions to be addressed in this chapter:
What is fraud, and how are frauds perpetrated?
Who perpetrates fraud and why?
What is computer fraud, and what forms does it take?
What approaches and techniques are used to commit computer fraud?
INTRODUCTION
Information systems are becoming increasingly more complex and society is becoming increasingly more dependent on these systems.
Companies also face a growing risk of these systems being compromised.
Recent surveys indicate 67% of companies suffered a security breach in the last year with almost 60% reporting financial losses.
INTRODUCTION
Companies face four types of threats to their information systems:
Natural and political disasters
Include:
Fire or excessive heat
Floods
Earthquakes
High winds
War and terrorist attack
When a natural or political disaster strikes, many companies can be affected at the same time.
Example: Bombing of the World Trade Center in NYC.
The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.
INTRODUCTION
Companies face four types of threats to their information systems:
Natural and political disasters
Software errors and equipment malfunction
Include:
Hardware or software failures
Software errors or bugs
Operating system crashes
Power outages and fluctuations
Undetected data transmission errors
Estimated annual economic losses due to software bugs = $60 billion.
60% of companies studied had significant software errors in previous year.
INTRODUCTION
Companies face four types of threats to their information systems:
Natural and political disasters
Software errors and equipment malfunction
Unintentional acts
Include
Accidents caused by:
Human carelessness
Failure to follow established procedures
Poorly trained or supervised personnel
Innocent errors or omissions
Lost, destroyed, or misplaced data
Logic errors
Systems that do not meet needs or are incapable of performing intended tasks
Information Systems Security Assn. estimates 65% of security problems are caused by human error.
INTRODUCTION
Companies face four types of threats to their information systems:
Natural and political disasters
Software errors and equipment malfunction
Unintentional acts
Intentional acts (computer crime)
Include:
Sabotage
Computer fraud
Misrepresentation, false use, or unauthorized disclosure of data
Misappropriation of assets
Financial statement fraud
Information systems are increasingly vulnerable to these malicious attacks.
INTRODUCTION
In this chapter we’ll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer fraud
INTRODUCTION
In this chapter we’ll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer fraud
THE FRAUD PROCESS
Fraud is any and all means a person uses to gain an unfair advantage over another person.
In most cases, to be considered fraudulent, an act must involve:
A false statement (oral or in writing)
About a material fact
Knowledge that the statement was false when it was uttered (which implies an intent to deceive)
A victim relies on the statement
And suffers injury or loss as a result
The definition is the same whether it is a criminal or civil fraud case.
The only difference is the burden of proof required.
Criminal case: Beyond a reasonable doubt.
Civil case: Preponderance of the evidence OR clear and convincing evidence.
THE FRAUD PROCESS
Since fraudsters don’t make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts:
The Association of Certified Fraud Examiners (ACFE) estimates that total fraud losses in the U.S. run around 6% of annual revenues or approximately $660 billion in 2004.
More than we spend on education and roads in a year.
6 times what we pay for the criminal justice system.
Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $200 billion per year.
Fraud in the healthcare industry is estimated to exceed $100 billion a year.
THE FRAUD PROCESS
Fraud against companies may be committed by an employee or an external party.
Former and current employees (called knowledgeable insiders ) are much more likely than non-employees to perpetrate frauds (and big ones) against companies.
Largely owing to their understanding of the company’s systems and its weaknesses, which enables them to commit the fraud and cover their tracks.
Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.
THE FRAUD PROCESS
Fraud perpetrators are often referred to as white-collar criminals .
Distinguishes them from violent criminals, although some white-collar crime can ultimately have violent outcomes, such as:
Perpetrators or their victims committing suicide.
Healthcare patients killed because of alteration of information, etc., that can result in their deaths.
Types of Frauds
OCCUPATIONAL
Fraudulent Statements
Financial
Non-financial
Asset Misappropriation
Theft of Cash
Fraudulent disbursements
Inventory and other assets
Bribery and Corruption
Bribery
Illegal gratuities
Economic extortion
Conflict of interest
OTHER
Intellectual property theft
Financial institution fraud
Check and credit card fraud
Insurance fraud
Healthcare fraud
Bankruptcy fraud
Tax fraud
Securities fraud
Money laundering
Consumer fraud
Computer and Internet fraud
Information is from the ACFE’s 2004 Report to the Nation on Occupational Fraud and Abuse and from the Fraud Examiner’s Manual , also published by the ACFE.
THE FRAUD PROCESS
Three types of occupational fraud:
Misappropriation of assets
Involves theft, embezzlement, or misuse of company assets for personal gain.
Examples include billing schemes, check tampering, skimming, and theft of inventory.
In the 2004 Report to the Nation on Occupational Fraud and Abuse , 92.7% of occupational frauds involved asset misappropriation at a median cost of $93,000.
THE FRAUD PROCESS
Three types of occupational fraud:
Misappropriation of assets
Corruption
Corruption involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.
Examples include kickback schemes and conflict of interest schemes.
About 30.1% of occupational frauds include corruption schemes at a median cost of $250,000.
THE FRAUD PROCESS
Three types of occupational fraud:
Misappropriation of assets
Corruption
Fraudulent statements
Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.
Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement.
About 7.9% of occupational frauds involve fraudulent statements at a median cost of $1 million. (The median pales in comparison to the maximum cost.)
THE FRAUD PROCESS
A typical employee fraud has a number of important elements or characteristics:
The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud.
Instead of using a gun, knife, or physical force, fraudsters use weapons of deceit and misinformation.
Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters can’t stop once they get started, and their frauds grow in size.
The fraudsters often grow careless or overconfident over time.
Fraudsters tend to spend what they steal. Very few save it.
In time, the sheer magnitude of the frauds may lead to detection.
The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce existing controls.
THE FRAUD PROCESS
The National Commission on Fraudulent Financial Reporting ( aka, the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
Financial statements can be falsified to:
Deceive investors and creditors
Cause a company’s stock price to rise
Meet cash flow needs
Hide company losses and problems
THE FRAUD PROCESS
Fraudulent financial reporting is of great concern to independent auditors, because undetected frauds lead to half of the lawsuits against auditors.
In the case of Enron, a financial statement fraud led to the total elimination of Arthur Andersen, a premiere international public accounting firm.
THE FRAUD PROCESS
Common approaches to “cooking the books” include:
Recording fictitious revenues
Recording revenues prematurely
Recording expenses in later periods
Overstating inventories or fixed assets (WorldCom)
Concealing losses and liabilities
THE FRAUD PROCESS
The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:
Establish an organizational environment that contributes to the integrity of the financial reporting process.
Identify and understand the factors that lead to fraudulent financial reporting.
Assess the risk of fraudulent financial reporting within the company.
Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.
THE FRAUD PROCESS
SAS 99: The Auditor’s Responsibility to Detect Fraud
In 1997, SAS-82, Consideration of Fraud in a Financial Statement Audit , was issued to clarify the auditor’s responsibility to detect fraud.
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Auditors can’t effectively audit something they don’t understand.
SAS-99 also indicated that auditors are not lawyers and “do not make legal determinations of whether fraud has occurred.”
The external auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements.
Note that SAS-99 relates to external auditors. Internal auditors will have a more extensive interest in fraud than just those that impact financial statements.
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
While planning the audit, members of the audit team should discuss how and where the company’s financial statements might be susceptible to fraud.
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
The audit team must gather evidence about the existence of fraud by:
Looking for fraud risk factors
Testing company records
Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces.
Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Use the gathered information to identify, assess, and respond to risks.
Auditors can respond by varying the nature, timing, and extent of auditing procedures they perform.
They should also carefully evaluate risks related to management override of controls.
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate the results of their audit tests
Auditors must assess the risk of fraud throughout the audit.
When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud.
If so, they should determine the impact on the financial statements and the audit.
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate the results of their audit tests
Communicate findings
Auditors communicate their fraud findings to management, the audit committee, and others.
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate the results of their audit tests
Communicate findings
Document their audit work
Auditors must document their compliance with SAS-99 requirements.
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate the results of their audit tests
Communicate findings
Document their audit work
Incorporate a technology focus
SAS-99 recognizes that technology impacts fraud risks and notes opportunities that auditors have to use technology-oriented tools and techniques to design fraud auditing procedures.
INTRODUCTION
In this chapter we’ll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer fraud
WHO COMMITS FRAUD AND WHY
Researchers have compared the psychological and demographic characteristics of three groups of people:
White-collar criminals
Violent criminals
The general public
They found:
Significant differences between violent and white-collar criminals.
Few differences between white-collar criminals and the general public.
WHO COMMITS FRAUD AND WHY
White-collar criminals tend to mirror the general public in:
Education
Age
Religion
Marriage
Length of employment
Psychological makeup
WHO COMMITS FRAUD AND WHY
Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills.
Hackers and computer fraud perps tend to be more motivated by:
Curiosity
A quest for knowledge
The desire to learn how things work
The challenge of beating the system
WHO COMMITS FRAUD AND WHY
They may view their actions as a game rather than dishonest behavior.
Another motivation may be to gain stature in the hacking community.
Some see themselves as revolutionaries spreading a message of anarchy and freedom.
But a growing number want to profit financially. To do so, they may sell data to:
Spammers
Organized crime
Other hackers
The intelligence community
WHO COMMITS FRAUD AND WHY
Some fraud perpetrators are disgruntled and unhappy with their jobs and are seeking revenge against their employers.
Others are regarded as ideal, hard-working employees in positions of trust.
Most have no prior criminal record.
So why are they willing to risk everything?
WHO COMMITS FRAUD AND WHY
Criminologist Donald Cressey, interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle.
Pressure
Opportunity
Rationalization
The “Fraud Triangle” Donald Cressey Pressure Opportunity Rationalization
The “Fraud Triangle” Donald Cressey Pressure Opportunity Rationalization
WHO COMMITS FRAUD AND WHY
Pressure
Cressey referred to this pressure as a “perceived non-shareable need.”
The pressure could be related to finances, emotions, lifestyle, or some combination.
WHO COMMITS FRAUD AND WHY
The most common pressures were:
Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable )
May be associated with vices, such as drugs, gambling, mistresses, etc.
WHO COMMITS FRAUD AND WHY
The most common pressures were:
Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)
Fear of loss of status because of a personal failure
Example would be mismanagement of a personal investment or retirement fund.
WHO COMMITS FRAUD AND WHY
The most common pressures were:
Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)
Fear of loss of status because of a personal failure
Business reversals
Not many people can walk away from a failing business.
WHO COMMITS FRAUD AND WHY
The most common pressures were:
Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)
Fear of loss of status because of a personal failure
Business reversals
Physical isolation
When an individual is isolated, physically or psychologically, almost any pressure becomes non-shareable.
WHO COMMITS FRAUD AND WHY
The most common pressures were:
Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)
Fear of loss of status because of a personal failure
Business reversals
Physical isolation
Status gaining
Many frauds are motivated by nothing more than a perceived need to keep up with the Joneses.
The problem is that there is always a richer “Jones” down the street and the pressure continues to mount, as do the resulting thefts.
WHO COMMITS FRAUD AND WHY
The most common pressures were:
Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)
Fear of loss of status because of a personal failure
Business reversals
Physical isolation
Status gaining
Difficulties in employer-employee relations
May create pressure to get revenge, take the money you feel is rightfully owed to you, etc.
WHO COMMITS FRAUD AND WHY
What’s important here is the perception of the pressure .
There might be a number of people who could and would help a tentative fraudster out of his financial woes.
But as long as he perceives that he cannot share his burden, the pressure is present.
Research has also found that an individual’s propensity to commit fraud is more related to how much he worries about his financial position than his actual position.
The millionaire who frets a lot about his financial condition is more likely to commit fraud than the guy who doesn’t have two dimes to rub together but isn’t worried about it.
WHO COMMITS FRAUD AND WHY
Financial statement fraud is distinct from other types of fraud in that the individuals who commit the fraud are not the direct beneficiaries.
The company is the direct beneficiary.
The perpetrators are typically indirect beneficiaries.
WHO COMMITS FRAUD AND WHY
In the case of financial statement frauds, common pressures include:
To prop up earnings or stock price so that management can:
Receive performance-related compensation.
Preserve or improve personal wealth held in company stock or stock options.
Keep their jobs.
To cover the inability to generate cash flow.
To obtain financing.
To appear to comply with bond covenants or other agreements.
May be opposite of propping up earnings in cases involving income-tax motivations, government contracts, or regulation.
Click here for a comprehensive list of pressures .
Pressures
PRESSURES THAT LEAD TO EMPLOYEE FRAUD
FINANCIAL
Living beyond means
High personal debt/expenses
“ Inadequate” salary/income
Poor credit ratings
Heavy financial losses
Bad investments
Tax avoidance
Meet unreasonable quotas/goals
EMOTIONAL
Greed
Unrecognized performance
Job dissatisfaction
Fear of losing job
Power or control
Pride or ambition
Beating the system
Frustration
Non-conformity
Envy, resentment
Arrogance, dominance
Non-rules oriented
LIFESTYLE
Support gambling habit
Drug or alcohol addiction
Support sexual relationships
Family/peer pressure
The “Fraud Triangle” Donald Cressey Pressure Opportunity Rationalization
WHO COMMITS FRAUD AND WHY
Opportunity is the opening or gateway that allows an individual to:
Commit the fraud
Conceal the fraud
Convert the proceeds
WHO COMMITS FRAUD AND WHY
Opportunity is the opening or gateway that allows an individual to:
Commit the fraud
Conceal the fraud
Convert the proceeds
WHO COMMITS FRAUD AND WHY
Committing the fraud might involve acts such as:
Misappropriating assets.
Issuing deceptive financial statements.
Accepting a bribe in order to make an arrangement that is not in the company’s best interest.
WHO COMMITS FRAUD AND WHY
Opportunity is the opening or gateway that allows an individual to:
Commit the fraud
Conceal the fraud
Convert the proceeds
WHO COMMITS FRAUD AND WHY
Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.
Examples of concealment efforts:
Charge a stolen asset to an expense account or to an account receivable that is about to be written off.
WHO COMMITS FRAUD AND WHY
Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.
Examples of concealment efforts:
Charge a stolen asset to an expense account or to an account receivable that is about to be written off.
Create a ghost employee who receives an extra paycheck.
WHO COMMITS FRAUD AND WHY
Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.
Examples of concealment efforts:
Charge a stolen asset to an expense account or to an account receivable that is about to be written off.
Create a ghost employee who receives an extra paycheck.
Lapping.
Steal a payment from Customer A.
Apply Customer B’s payment to Customer A’s account so Customer A won’t get a late notice.
Apply Customer C’s payment to Customer B’s account, so Customer B won’t get a late notice, etc.
WHO COMMITS FRAUD AND WHY
Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.
Examples of concealment efforts:
Charge a stolen asset to an expense account or to an account receivable that is about to be written off.
Create a ghost employee who receives an extra paycheck.
Lapping.
Kiting.
Creates “cash” by transferring money between banks.
Requires multiple bank accounts.
Basic scheme:
Write a check on the account of Bank A.
Bank A doesn’t have sufficient funds to cover the check, so write a check from an account in Bank B to be deposited in Bank A.
Bank B doesn’t have sufficient funds to cover the check, so write a check from an account in Bank C to be deposited in Bank B, etc.
WHO COMMITS FRAUD AND WHY
Opportunity is the opening or gateway that allows an individual to:
Commit the fraud
Conceal the fraud
Convert the proceeds
WHO COMMITS FRAUD AND WHY
Unless the target of the theft is cash, then the stolen goods must be converted to cash or some form that is beneficial to the perpetrator.
Checks can be converted through alterations, forged endorsements, check washing, etc.
Non-cash assets can be sold (online auctions are a favorite forum) or returned to the company for cash.
WHO COMMITS FRAUD AND WHY
If the fraud is a financial statement fraud, then the gains received may include:
I got to keep my job.
The value of my stock or stock options rose.
I got a raise, promotion, or bonus.
I got power.
There are many opportunities that enable fraud. Some of the most common are:
Lack of internal controls
Failure to enforce controls (the most prevalent reason)
Excessive trust in key employees
Incompetent supervisory personnel
Inattention to details
Inadequate staff
Click here for a comprehensive list of opportunities.
WHO COMMITS FRAUD AND WHY Opportunities
OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD
Internal Control Factors
Failure to enforce/monitor internal controls
Management not involved in control system
Management override of controls and guidelines
Managerial carelessness, inattention to details
Dominant and unchallenged management
Ineffective oversight by board of directors
No effective internal auditing staff
Infrequent third-party reviews
Insufficient separation of authorization, custody, and record-keeping duties
Too much trust in key employees
Inadequate supervision
Unclear lines of authority
OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD
Lack of proper authorization procedures
No independent checks on performance
Inadequate documents and records
Inadequate system for safeguarding assets
No physical or logical security system
No audit trails
Failure to conduct background checks
No policy of annual vacations, rotation of duties
OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD
Other Factors
Large, unusual, or complex transactions
Numerous adjusting entries at year end
Related-party transactions
Accounting department understaffed and overworked
Incompetent personnel
Rapid turnover of key employees
Lengthy tenure in a key job
Unnecessarily complex organizational structure
No code of conduct, conflict of interest statements, or definitions of unacceptable behavior
Frequently changing auditors, legal counsel
Operating on a crisis basis
Close association with suppliers/customers
OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD
Assets highly susceptible to misappropriation
Questionable accounting practices
Pushing accounting principles to the limit
Unclear company policies and procedures
Failing to teach and stress corporate honesty
Failure to prosecute dishonest employees
Low employee morale and loyalty
WHO COMMITS FRAUD AND WHY
Internal controls that may be lacking or un-enforced include:
Authorization procedures
Clear lines of authority
Adequate supervision
Adequate documents and records
A system to safeguard assets
Independent checks on performance
Separation of duties
One control feature that many companies lack is a background check on all potential employees.
WHO COMMITS FRAUD AND WHY
Management may allow fraud by:
Not getting involved in the design or enforcement of internal controls;
Inattention or carelessness;
Overriding controls; and/or
Using their power to compel subordinates to carry out the fraud.
The “Fraud Triangle” Donald Cressey Pressure Opportunity Rationalization
WHO COMMITS FRAUD AND WHY
How many people do you know who regard themselves as being unprincipled or sleazy?
It is important to understand that fraudsters do not regard themselves as unprincipled.
In general, they regard themselves as highly principled individuals.
That view of themselves is important to them.
The only way they can commit their frauds and maintain their self image as principled individuals is to create rationalizations that recast their actions as “morally acceptable” behaviors.
WHO COMMITS FRAUD AND WHY
These rationalizations take many forms, including:
I was just borrowing the money.
It wasn’t really hurting anyone. (Corporations are often seen as non-persons, therefore crimes against them are not hurting “anyone.”)
Everybody does it.
I’ve worked for them for 35 years and been underpaid all that time. I wasn’t stealing; I was only taking what was owed to me.
I didn’t take it for myself. I needed it to pay my child’s medical bills.
WHO COMMITS FRAUD AND WHY
Creators of worms and viruses often use rationalizations like:
The malicious code helped expose security flaws, so I did a good service.
It was an accident.
It was not my fault—just an experiment that went bad.
It was the user’s fault because they didn’t keep their security up to date.
If the code didn’t alter or delete any of their files, then what’s the problem?
WHO COMMITS FRAUD AND WHY
Fraud occurs when:
People have perceived, non-shareable pressures ;
The opportunity gateway is left open; and
They can rationalize their actions to reduce the moral impact in their minds (i.e., they have low integrity).
Fraud is much less likely to occur when
There is low pressure, low opportunity, and high integrity.
Unfortunately, there is usually a mixture of these forces in play, and it can be very difficult to determine the pressures that may apply to an individual and the rationalizations he/she may be able to produce.
INTRODUCTION
In this chapter we’ll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer fraud
APPROACHES TO COMPUTER FRAUD
The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its:
Perpetration;
Investigation; or
Prosecution.
APPROACHES TO COMPUTER FRAUD
Computer fraud includes the following:
Unauthorized theft, use, access, modification, copying, and destruction of software or data.
Theft of money by altering computer records.
Theft of computer time.
Theft or destruction of computer hardware.
Use or the conspiracy to use computer resources to commit a felony.
Intent to illegally obtain information or tangible property through the use of computers.
APPROACHES TO COMPUTER FRAUD
In using a computer, fraud perpetrators can steal:
More of something
In less time
With less effort
They may also leave very little evidence, which can make these crimes more difficult to detect.
APPROACHES TO COMPUTER FRAUD
Computer systems are particularly vulnerable to computer crimes for several reasons:
Company databases can be huge and access privileges can be difficult to create and enforce. Consequently, individuals can steal, destroy, or alter massive amounts of data in very little time.
Organizations often want employees, customers, suppliers, and others to have access to their system from inside the organization and without. This access also creates vulnerability.
Computer programs only need to be altered once, and they will operate that way until:
The system is no longer in use; or
Someone notices.
APPROACHES TO COMPUTER FRAUD
Modern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control.
It is hard to control physical access to each PC.
PCs are portable, and if they are stolen, the data and access capabilities go with them.
PCs tend to be located in user departments, where one person may perform multiple functions that should be segregated.
PC users tend to be more oblivious to security concerns.
APPROACHES TO COMPUTER FRAUD
Computer systems face a number of unique challenges:
Reliability (accuracy and completeness)
Equipment failure
Environmental dependency (power, water damage, fire)
Vulnerability to electromagnetic interference and interruption
Eavesdropping
Misrouting
APPROACHES TO COMPUTER FRAUD
Organizations that track computer fraud estimate that most U.S. businesses have been victimized by at least one incident of computer fraud.
APPROACHES TO COMPUTER FRAUD
These frauds cost billions of dollars each year, and their frequency is increasing because:
Not everyone agrees on what constitutes computer fraud.
Many don’t believe that taking an unlicensed copy of software is computer fraud. (It is and can result in prosecution.)
Some don’t think it’s a crime to browse through someone else’s computer if their intentions aren’t malicious.
APPROACHES TO COMPUTER FRAUD
Many computer frauds go undetected.
An estimated 80-90% of frauds that are uncovered are not reported because of fear of:
Adverse publicity
Copycats
Loss of customer confidence.
There are a growing number of competent computer users, and they are aided by easier access to remote computers through the Internet and other data networks.
APPROACHES TO COMPUTER FRAUD
Some folks believe “it can’t happen to us.”
Many networks have a low level of security.
Instructions on how to perpetrate computer crimes and abuses are readily available on the Internet.
Law enforcement is unable to keep up with the growing number of frauds.
The total dollar value of losses is difficult to calculate.
APPROACHES TO COMPUTER FRAUD
Economic espionage , the theft of information and intellectual property, is growing especially fast.
This growth has led to the need for investigative specialists or cybersleuths.
APPROACHES TO COMPUTER FRAUD
Computer Fraud Classification
Frauds can be categorized according to the data processing model:
Input
Processor
Computer instructions
Stored data
Output
COMPUTER FRAUD CLASSIFICATIONS Processor Fraud Input Fraud Output Fraud Data Fraud Computer Instructions Fraud
COMPUTER FRAUD CLASSIFICATIONS Processor Fraud Input Fraud Output Fraud Data Fraud Computer Instructions Fraud
APPROACHES TO COMPUTER FRAUD
Input Fraud
The simplest and most common way to commit a fraud is to alter computer input.
Requires little computer skills.
Perpetrator only need to understand how the system operates
Can take a number of forms, including:
Disbursement frauds
The perpetrator causes a company to:
Pay too much for ordered goods; or
Pay for goods never ordered.
APPROACHES TO COMPUTER FRAUD
Input Fraud
The simplest and most common way to commit a fraud is to alter computer input.
Requires little computer skills.
Perpetrator only need to understand how the system operates
Can take a number of forms, including:
Disbursement frauds
Inventory frauds
The perpetrator enters data into the system to show that stolen inventory has been scrapped.
APPROACHES TO COMPUTER FRAUD
Input Fraud
The simplest and most common way to commit a fraud is to alter computer input.
Requires little computer skills.
Perpetrator only need to understand how the system operates
Can take a number of forms, including:
Disbursement frauds
Inventory frauds
Payroll frauds
Perpetrators may enter data to:
Increase their salaries
Create a fictitious employee
Retain a terminated employee on the records.
In the latter two instances, the perpetrator intercepts and cashes the resulting paychecks.
APPROACHES TO COMPUTER FRAUD
Input Fraud
The simplest and most common way to commit a fraud is to alter computer input.
Requires little computer skills.
Perpetrator only need to understand how the system operates
Can take a number of forms, including:
Disbursement frauds
Inventory frauds
Payroll frauds
Cash receipt frauds
The perpetrator hides the theft by falsifying system input.
EXAMPLE: Cash of $200 is received. The perpetrator records a cash receipt of $150 and pockets the $50 difference.
APPROACHES TO COMPUTER FRAUD
Input Fraud
The simplest and most common way to commit a fraud is to alter computer input.
Requires little computer skills.
Perpetrator only need to understand how the system operates
Can take a number of forms, including:
Disbursement frauds
Inventory frauds
Payroll frauds
Cash receipt frauds
Fictitious refund fraud
The perpetrator files for an undeserved refund, such as a tax refund.
COMPUTER FRAUD CLASSIFICATIONS Processor Fraud Input Fraud Output Fraud Data Fraud Computer Instructions Fraud
APPROACHES TO COMPUTER FRAUD
Processor Fraud
Involves computer fraud committed through unauthorized system use.
Includes theft of computer time and services.
Incidents could involve employees:
Surfing the Internet;
Using the company computer to conduct personal business; or
Using the company computer to conduct a competing business.
APPROACHES TO COMPUTER FRAUD
In one example, an agriculture college at a major state university was experiencing very sluggish performance from its server.
Upon investigating, IT personnel discovered that an individual outside the U.S. had effectively hijacked the college’s server to both store some of his/her research data and process it.
The college eliminated the individual’s data and blocked future access to the system.
The individual subsequently contacted college personnel to protest the destruction of the data.
Demonstrates both:
How a processor fraud can be committed.
How oblivious users can sometimes be to the unethical or illegal nature of their activities.
COMPUTER FRAUD CLASSIFICATIONS Processor Fraud Input Fraud Output Fraud Data Fraud Computer Instructions Fraud
APPROACHES TO COMPUTER FRAUD
Computer Instructions Fraud
Involves tampering with the software that processes company data.
May include:
Modifying the software
Making illegal copies
Using it in an unauthorized manner
Also might include developing a software program or module to carry out an unauthorized activity.
APPROACHES TO COMPUTER FRAUD
Computer instruction fraud used to be one of the least common types of frauds because it required specialized knowledge about computer programming beyond the scope of most users.
Today these frauds are more frequent--courtesy of web pages that instruct users on how to create viruses and other schemes.
COMPUTER FRAUD CLASSIFICATIONS Processor Fraud Input Fraud Output Fraud Data Fraud Computer Instructions Fraud
APPROACHES TO COMPUTER FRAUD
Data Fraud
Involves:
Altering or damaging a company’s data files; or
Copying, using, or searching the data files without authorization.
In many cases, disgruntled employees have scrambled, altered, or destroyed data files.
Theft of data often occurs so that perpetrators can sell the data.
Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer’s database.
COMPUTER FRAUD CLASSIFICATIONS Processor Fraud Input Fraud Output Fraud Data Fraud Computer Instructions Fraud
APPROACHES TO COMPUTER FRAUD
Output Fraud
Involves stealing or misusing system output.
Output is usually displayed on a screen or printed on paper.
Unless properly safeguarded, screen output can easily be read from a remote location using inexpensive electronic gear.
This output is also subject to prying eyes and unauthorized copying.
Fraud perpetrators can use computers and peripheral devices to create counterfeit outputs, such as checks.
INTRODUCTION
In this chapter we’ll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer fraud
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Changing data before, during, or after it is entered into the system.
Can involve adding, deleting, or altering key system data.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Unauthorized copying of company data.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
An attacker overloads and shuts down an Internet Service Provider’s email system by sending email bombs at a rate of thousands per second—often from randomly generated email addresses.
May also involve shutting down a web server by sending a load of requests for the web pages.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Carried out as follows:
The attacker infects dozens of computers that have broadband Internet access with denial-of-service programs. These infected computers are the zombies .
The attacker then activates the denial-of-service programs, and the zombies send pings (emails or requests for data) to the target server. The victim responds to each, not realizing they have fictitious return addresses, and waits for responses that don’t come.
While the victim waits, system performance degrades until the system freezes up or crashes.
The attacker terminates the program after an hour or two to limit the victim’s ability to trace the source.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Experts estimate there as many as 5,000 denial-of-service attacks weekly in the U.S.
A denial-of-service can cause severe economic damage to its victim or even drive them out of business.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Perpetrators surreptitiously observe private communications or transmission of data.
Equipment to commit these “electronic wiretaps” is readily available at electronics stores.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
A threatening message is sent to a victim to induce the victim to do something that would make it possible to be defrauded.
Several banks in the Midwest were contacted by an overseas perpetrator who indicated that:
He had broken into their computer system and obtained personal and banking information about all of the bank’s customers.
He would notify the bank’s customers of this breach if he was not paid a specified sum of money.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing )
Involves sending an email message that appears to have come from someone other than the actual sender.
Email spoofers may:
Claim to be system administrators and ask users to change their passwords to specific values.
Pretend to be management and request a copy of some sensitive information.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing )
Hacking
Unauthorized access to and use of computer systems—usually by means of a personal computer and a telecommunications network.
Most hackers break into systems using known flaws in operating systems, applications programs, or access controls.
Some are not very malevolent and mainly motivated by curiosity and a desire to overcome a challenge.
Others have malicious intent and can do significant damage.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing )
Hacking
Phreaking
Hacking that attacks phone systems and uses phone lines to transmit viruses and to access, steal, and destroy data.
They also steal telephone services and may break into voice mail systems.
Some hackers gain access to systems through dial-up modem lines.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing )
Hacking
Phreaking
Hijacking
Involves gaining control of someone else’s computer to carry out illicit activities without the user’s knowledge.
The illicit activity is often the perpetuation of spam emails.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing )
Hacking
Phreaking
Hijacking
Identity theft
Assuming someone’s identity, typically for economic gain, by illegally obtaining and using confidential information such as the person’s social security number, bank account number, or credit card number.
Identity thieves benefit financially by:
Taking funds out of the victim’s bank account.
Taking out mortgages or other loans under the victim’s identity.
Taking out credit cards and running up large balances.
If the thief is careful and ensures that bills and notices are sent to an address he controls, the scheme may be prolonged until such time as the victim attempts to buy a home or car and finds out that his credit is destroyed.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing )
Hacking
Phreaking
Hijacking
Identity theft
Victims can usually clear their credit, but the effort requires a significant amount of time and expense.
Identity theft was made a federal offense in 1998, but it is a growing crime industry.
One U.S. postal inspector, whose job duties involved investigation of identity thefts, was himself a victim. The thief ran up $80,000 in debt under the postal inspector’s identity before the inspector discovered the problem.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing )
Hacking
Phreaking
Hijacking
Identity theft
Identity thieves can steal corporate or individual identities by:
Shoulder surfing
Watching people enter telephone calling card numbers or credit card numbers or listening to communications as they provide this information to sales clerks or others.
Scavenging or dumpster diving
Searching corporate or personal records by rifling garbage cans, communal trash bins, and city dumps for documents with confidential company information.
May also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for pre-approved credit cards, or other records that contain social security numbers, names, addresses, phone numbers, and other data that allow them to assume an identity.
Redirecting mail
Intercepting mail and having it delivered to a location where others can access it.
Using Internet, email, and other technology in spoofing, phishing, eavesdropping, impersonating, social engineering, and data leakage schemes.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing )
Hacking
Phreaking
Hijacking
Identity theft
The U.S. Department of Justice suggests the following four ways to minimize the chances of being victimized by identity theft:
Do not give out corporate or personal information unless there is a good reason to trust the person to whom it is given.
Check financial information regularly for what should be there, as well as for what should not be there.
Periodically review your credit report.
Maintain careful records of banking and financial accounts.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Using the Internet to spread false or misleading information about people or companies.
May involve:
Planting inflammatory messages in online chat rooms.
Websites with misinformation.
Pretending to be someone else online and making inflammatory comments that will be attributed to that person.
A “pump-and-dump” occurs when an individual spreads misinformation, often through Internet chat rooms, to cause a run-up in the value a stock and then sells off his shares of the stock. A number of pump-and-dump cases have been prosecuted by the SEC.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Another common form of Internet misinformation is the spreading of “urban legends”—often by innocently forwarding emails.
Urban legends may often include damaging implications about company products, such as a recent email suggesting that certain lipsticks contain lead or that using plastic cookware in the microwave can cause cancer.
Before forwarding any emails with negative information about individuals, companies, or their products, it’s a good idea to check the veracity of the information first.
Emails with urban legends often attribute their “facts” to credible sources, such as the federal government, Stanford University researchers, the FBI, etc.
There are several websites that attempt to verify the truth of emails that are circulated. One such website is www.snopes.com . You can easily locate the email you received on these websites, by searching under a key term in the email, such as “lipstick.”
You are likely to find that most emails you were getting ready to forward are either false or only partially true.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Hackers use the Internet to disrupt electronic commerce and destroy company and individual communications.
Viruses and worms are two main forms of Internet terrorism.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
A program that lies idle until triggered by some circumstance or a particular time.
Once triggered, it sabotages the system, destroying programs, data, or both.
Usually written by disgruntled programmers.
EXAMPLE: A programmer places a logic bomb in a payroll application that will destroy all the payroll records if the programmer is terminated.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
The perpetrator gains access to the system by pretending to be an authorized user.
The perpetrator must know the legitimate user’s ID and password.
Once in the system, he enjoys the same privileges as the legitimate user.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Programs that capture data from information packets as they travel over the Internet or company networks.
Confidential information and access information can be gleaned from the captured data—some of which is later sold.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
An intruder penetrates a system’s defenses, steals the file of valid passwords, decrypts them, and then uses them to gain access to almost any system resources.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Sending out a spoofed email that appears to come from a legitimate company, such as a financial institution. EBay, PayPal, and banks are commonly spoofed.
The recipient is advised that information or a security check is needed on his account, and advised to click on a link to the company’s website to provide the information.
The link connects the individual to a website that is an imitation of the spoofed company’s actual website. These counterfeit websites appear very authentic, as do the emails.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
One newly graduated college student recently took a job in California and deposited his first paycheck of approximately $5,000 in the bank.
That same night, he received an email from the bank, inviting him to click on the link in the email to set up online banking for his new bank account.
He followed directions and provided the requested information to set up online banking.
Two hours later, he was nervous and called the bank—only to find out that his bank account had been cleaned out and closed.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
As a rule of thumb, it is a good idea not to click on any link provided in an email and to go directly to the website instead.
PayPal, whose email address is commonly spoofed for phishing scams, offers the following advice:
If PayPal ever sends you an email, they will include your first and last name in the salutation of the email.
If you need to enter PayPal’s website, type “https:” in the URL instead of “http:” in order to enter on the company’s secured server.
If you receive a suspicious email, get out of your browser and go back in before proceeding directly to a company website.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
In 2004, a phishing-related scam took place in South America with respect to three large South American banks. Once an individual opened the related email, a script was downloaded on their computer. The script would alter the individual’s web browser so that if the user entered the URL of one of these three banks, the browser would redirect them to a counterfeit website for that bank. The oblivious user would provide ID and password information, and was instantly set up for a high-tech robbery of his bank account.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Consumer Reports suggests that if you have any questions about the legitimacy of a website, you should try entering the wrong password. A phishing website will typically accept an incorrect password—which cues you that it is a phishing scam.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Example of a website produced for a phishing scam.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Piggybacking
Tapping into a telecommunications line and latching onto a legitimate user before that user logs into a system.
The legitimate user unknowingly carries the perpetrator into the system.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Piggybacking
Round-down technique
Made famous in the movie, Office Space .
The programmer instructs the computer to round interest calculations down to two decimal places and deposits the remaining fraction into the account of a programmer or an accomplice.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Piggybacking
Round-down technique
Salami technique
Involves the theft of tiny slices of money over a period of time.
The round-down is just a special form of a salami technique.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Perpetrators trick employees into giving them information they need to get into the system.
A perpetrator might call an employee and indicate he is the systems administrator and needs to get the employee’s password.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Copying software without the publisher’s permission.
In the U.S., it’s estimated that 26% of software in use is pirated.
Fines for individuals and corporations are stiff, and individuals convicted of software piracy can serve jail terms of up to 5 years.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Emailing an unsolicited message to multitudes of people, often in an attempt to sell a product.
Many times the product offers are fraudulent.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spammers use creative means to find valid email addresses:
Scanning the Internet for addresses posted online.
Hacking into company databases and stealing mailing lists.
Staging dictionary (aka direct harvesting ) attacks .
These attacks use special software to guess addresses at a particular company and send blank emails.
Messages not returned are usually valid.
These attacks are very burdensome to corporate email systems.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Companies may use filtering software to detect dictionary attacks, search mail for competitive leaks, and block inappropriate attachments, such as pornography and illegal MP3 files.
Filtering is not always viable. The director of internal audit at a major healthcare company changes email addresses frequently because of the volume of spam email in his inbox. When asked why his company did not filter the spam, he replied, “Because we’re a healthcare company, we cannot filter out any references to body parts or prescription medications.”
There is increasing public clamor for laws to clamp down on spamming. In December 2004, a federal judge awarded over $1 billion to a small Midwestern Internet service provider in an action against three spammers.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Software that monitors computing habits, such as web-surfing habits, and sends the data it gathers to someone else, typically without the user’s permission.
One type, called adware (for advertising-supported software) does two things:
Causes banner ads to pop up on your monitor as you surf the net.
Collects information about your Web-surfing and spending habits and forwards it to a company gathering the data—often an advertising or large media organization.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Usually comes bundled with freeware and shareware downloaded from the Internet.
May be disclosed in the licensing agreement, but users are unlikely to read it.
Reputable adware companies claim they don’t collect sensitive or identifying data.
But there is no way for users to control or limit the activity.
It is not illegal, but many find it objectionable.
Software has been developed to detect and eliminate spyware, but it may also impair the downloaded software.
Some is intentionally difficult to uninstall.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
A keystroke logger records a user’s keystrokes and emails them to or saves them for the party that planted the logger. These are sometimes used by:
Parents to monitor their children’s computer usage.
Businesses to monitor employee activity.
Fraudsters to capture passwords, credit card numbers, etc.
A keystroke logger can be a hardware device attached to a computer or can be downloaded on an individual’s computer in the same way that any Trojan horse might be downloaded.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Spyware and keystroke loggers are very problematic for companies with employees who telecommute or contact the company’s computer from remote locations.
Spyware on those computers makes the company’s systems vulnerable.
Individuals are also exposed when they use wireless networks, such as those that may be available in coffee shops.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Unauthorized use of special system programs to bypass regular system controls and perform illegal acts.
The name is derived from an IBM software utility called Superzap that was used to restored crashed systems.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Trap doors
Also called back doors .
Programmers create trap doors to modify programs.
The trap door is a way into the system that bypasses normal controls.
The trap door should be removed before the program is implemented.
If it is not, the programmer or others may later gain unauthorized access to the system.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Trap doors
Trojan horse
A set of unauthorized computer instructions planted in an authorized and otherwise properly functioning program.
Allows the creator to control the victim’s computer remotely.
The code does not try to replicate itself but performs an illegal act at some specific time or when some condition arises.
Programs that launch denial of service attacks are often Trojan horses.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Trap doors
Trojan horse
War dialing
Hackers search for an idle modem by programming their computers to dial thousands of phone lines.
Hackers enter through the idle modem and gain access to the connected network.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Trap doors
Trojan horse
War dialing
War driving
Driving around in cars looking for unprotected home or corporate wireless networks.
If the hackers mark the sidewalk of the susceptible wireless network, the practice is referred to as warchalking .
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus
Many viruses have two phases:
First, when some predefined event occurs, the virus replicates itself and spreads to other systems or files.
Another event triggers the attack phase in which the virus carries out its mission.
A virus may lay dormant or propagate itself without causing damage for an extended period.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus
Damage may take many forms:
Send email with the victim’s name as the alleged source.
Destroy or alter data or programs.
Take control of the computer.
Destroy or alter file allocation tables.
Delete or rename files or directories.
Reformat the hard drive.
Change file content.
Prevent users from booting.
Intercept and change transmissions.
Print disruptive images or messages on the screen.
Change screen appearance.
As viruses spread, they take up much space, clog communications, and hinder system performance.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus
Virus symptoms:
Computer will not start or execute
Performs unexpected read or write operations
Unable to save files
Long time to load programs
Abnormally large file sizes
Slow systems operation
Unusual screen activity
Error messages
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus
Viruses are contagious and easily spread from one system to another.
They are usually spread by:
Opening an infected email attachment or file (most common); or
Running an infected program.
Some viruses can mutate, which makes them more difficult to detect and destroy.
The emails often appear to come from sources like Microsoft and seem very convincing.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus
Virus protections include:
Install reliable virus software that scans for, identifies, and destroys viruses.
Keep the antivus program up to date.
Scan incoming email at the server level, rather than when it hits the desktops.
Certify all software as virus-free before loading it.
Software from unknown sources may be virus bait, especially if it seems too good to be true.
Deal with trusted software retailers.
Use electronic techniques to make tampering evident.
Check new software on an isolated machine.
Have two backups of all files.
Do not put diskettes or CDs in strange machines, or let others put unscanned disks in your machine.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus
Viruses attack computers, but any device that is part of the communications network is vulnerable, including:
Cell phones
Smart phones
PDAs
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus
Worms
A worm is similar to a virus except for:
A worm is a stand-alone program, while a virus is only a segment of code hidden in a host program or executable file.
A worm will replicate itself automatically, while a virus requires a human to do something like open a file.
Worms often reproduce by mailing themselves to the recipient’s mailing list.
They are not confined to PCs and have infected cell phones in Japan.
A worm typically has a short but very destructive life.
It takes little technical knowledge to create worms or viruses; several websites provide instructions.
Most exploit known software vulnerabilities that can be corrected with a software patch, making it important to install all patches as soon as they are available.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
Virus
Worms
The low-tech, do-it-yourself attack
You receive an email from a friend, apologizing profusely that he/she has previously sent you an email that was infected with a virus.
The friend’s email gives you instructions to look for and remove the offending virus.
You delete the file from your hard drive. The only problem is that the file you just deleted was part of your operating system.
Your friend was well-intended and has done the same thing to his/her computer.
REMEDY: Before even considering following instructions of this sort, check the list of hoaxes that are available on any virus protection website, such as:
www.norton.com
www.mcafee.com
INTRODUCTION
In this chapter we’ll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer fraud
PREVENTING AND DETECTING COMPUTER FRAUD
Organizations must take every precaution to protect their information systems.
Certain measures can significantly decrease the potential for fraud and any resulting losses.
These measures include:
Make fraud less likely to occur
Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses
PREVENTING AND DETECTING COMPUTER FRAUD
Organizations must take every precaution to protect their information systems.
Certain measures can significantly decrease the potential for fraud and any resulting losses.
These measures include:
Make fraud less likely to occur
Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses
PREVENTING AND DETECTING COMPUTER FRAUD
Make fraud less likely to occur
Create a culture that stresses integrity and commitment to ethical values and competence.
Adopt an organizational structure, management philosophy, operating style, and appetite for risk that minimizes the likelihood of fraud.
Require oversight from an active, involved, and independent audit committee.
Assign authority and responsibility for business objectives to specific departments and individuals, encourage initiative in solving problems, and hold them accountable for achieving those objectives.
PREVENTING AND DETECTING COMPUTER FRAUD
Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or accept that risk.
Develop a comprehensive set of security policies to guide the design and implementation of specific control procedures, and communicate them effectively to company employees.
Implement human resource policies for hiring, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the required level of ethical behavior and integrity.
Effectively supervise employees, including monitoring their performance and correcting their errors.
PREVENTING AND DETECTING COMPUTER FRAUD
Train employees in integrity and ethical considerations, as well as security and fraud prevention measures.
Require annual employee vacations, periodically rotate duties of key employees, and require signed confidentiality agreements.
Implement formal and rigorous project development and acquisition controls, as well as change management controls.
Increase the penalty for committing fraud by prosecuting fraud perpetrators more vigorously.
PREVENTING AND DETECTING COMPUTER FRAUD
Organizations must take every precaution to protect their information systems.
Certain measures can significantly decrease the potential for fraud and any resulting losses.
These measures include:
Make fraud less likely to occur
Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses
PREVENTING AND DETECTING COMPUTER FRAUD
Increase the difficulty of committing fraud
Develop a strong system of internal controls
Segregate the accounting functions of:
Authorization
Recording
Custody
Implement a program segregation of duties between systems functions
Restrict physical and remote access to system resources to authorized personnel
PREVENTING AND DETECTING COMPUTER FRAUD
Require transactions and activities to be authorized by appropriate supervisory personnel. Have the system authenticate the person and their right to perform the transaction before allowing the transaction to take place.
Use properly designed documents and records to capture and process transactions.
Safeguard all assets, records, and data.
Require independent checks on performance, such as reconciliation of two independent sets of records, where possible and appropriate.
PREVENTING AND DETECTING COMPUTER FRAUD
Implement computer-based controls over data input, computer processing, data storage, data transmission, and information output.
Encrypt stored and transmitted data and programs to protect them from unauthorized access and use.
Fix known software vulnerabilities by installing the latest updates to operating systems, security, and applications programs.
PREVENTING AND DETECTING COMPUTER FRAUD
Organizations must take every precaution to protect their information systems.
Certain measures can significantly decrease the potential for fraud and any resulting losses.
These measures include:
Make fraud less likely to occur
Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses
PREVENTING AND DETECTING COMPUTER FRAUD
Improve detection methods.
Create an audit trail so individual transactions can be traced through the system to the financial statements and vice versa.
Conduct periodic external and internal audits, as well as special network security audits.
Install fraud detection software.
Implement a fraud hotline.
PREVENTING AND DETECTING COMPUTER FRAUD
Employ a computer security officer, as well as computer consultants and forensic specialists as needed.
Monitor system activities, including computer and network security efforts, usage and error logs, and all malicious actions.
Use intrusion detection systems to help automate the monitoring process.
PREVENTING AND DETECTING COMPUTER FRAUD
Organizations must take every precaution to protect their information systems.
Certain measures can significantly decrease the potential for fraud and any resulting losses.
These measures include:
Make fraud less likely to occur
Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses
PREVENTING AND DETECTING COMPUTER FRAUD
Reduce Fraud Losses
Maintain adequate insurance.
Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.
Store backup copies of program and data files in a secure, off-site location.
Use software to monitor system activity and recover from fraud.
SUMMARY
In this chapter, you’ve learned what fraud is, who commits fraud, and how it’s perpetrated.
You’ve learned about the many variations of computer fraud, and you’ve learned about techniques to reduce an organization’s vulnerability to these types of fraud.

Ais Romney 2006 Slides 04 Relational Databases

2009-11-01T07:33:00.000-08:00

Ais Romney 2006 Slides 04 Relational Databases

View more presentations from sharingnotes123.

Ais Romney 2006 Slides 04 Relational Databases - Presentation Transcript

HAPTER 4 Relational Databases
INTRODUCTION
Questions to be addressed in this chapter:
How are databases different than file-based legacy systems?
Why are databases important and what is their advantage?
What is the difference between logical and physical views of a database?
What are the fundamental concepts of database systems such as DBMS, schemas, the data dictionary, and DBMS languages?
What is a relational database, and how does it organize data?
How are tables structured to properly store data in a relational database?
INTRODUCTION
Relational databases underlie most modern integrated AISs.
They are the most popular type of database used for transaction processing.
In this chapter, we’ll define the concept of a database.
FILE VS. DATABASES
Let’s examine some basic principles about how data are stored in computer systems.
An entity is anything about which the organization wishes to store data. At your college or university, one entity would be the student.
04/20/85 555-5555 Artie Moore 123-45-6789 11/24/86 444-4444 Ned Sanders 111-11-1111 10/11/84 333-3333 Alice Simpson 333-33-3333 Birth Date Phone Number First Name Last Name Student ID STUDENTS
FILE VS. DATABASES
Information about the attributes of an entity (e.g., the student’s ID number and birth date) are stored in fields .
04/20/85 555-5555 Artie Moore 123-45-6789 11/24/86 444-4444 Ned Sanders 111-11-1111 10/11/84 333-3333 Alice Simpson 333-33-3333 Birth Date Phone Number First Name Last Name Student ID STUDENTS
FILE VS. DATABASES
All the fields containing data about one entity (e.g., one student) form a record .
The example below shows the record for Artie Moore.
04/20/85 555-5555 Artie Moore 123-45-6789 11/24/86 444-4444 Ned Sanders 111-11-1111 10/11/84 333-3333 Alice Simpson 333-33-3333 Birth Date Phone Number First Name Last Name Student ID STUDENTS
FILE VS. DATABASES
A set of all related records forms a file (e.g., the student file).
If this university only had three students and five fields for each student, then the entire file would be depicted below.
04/20/85 555-5555 Artie Moore 123-45-6789 11/24/86 444-4444 Ned Sanders 111-11-1111 10/11/84 333-3333 Alice Simpson 333-33-3333 Birth Date Phone Number First Name Last Name Student ID STUDENTS
FILE VS. DATABASES
A set of interrelated, centrally coordinated files forms a database .
Student File Class File Advisor File
FILE VS. DATABASES
Database systems were developed to address the problems associated with the proliferation of master files.
For years, each time a new information need arose, companies created new files and programs.
The result: a significant increase in the number of master files.
FILE VS. DATABASES
This proliferation of master files created problems:
Often the same information was stored in multiple master files.
Made it more difficult to effectively integrate data and obtain an organization-wide view of the data.
Also, the same information may not have been consistent between files.
If a student changed his phone number, it may have been updated in one master file but not another.
Master File 1 Fact A Fact B Fact C Master File 2 Fact A Fact D Fact F Master File 1 Fact A Fact B Fact F Enrollment Program Fin. Aid Program Grades Program
FILE VS. DATABASES
A database is a set of inter-related, centrally coordinated files.
Database Fact A Fact B Fact C Fact D Fact E Fact F Enrollment Program Fin. Aid Program Grades Program Database Management System
FILE VS. DATABASES
The database approach treats data as an organizational resource that should be used by and managed for the entire organization, not just a particular department.
A database management system (DBMS) serves as the interface between the database and the various application programs.
Database Fact A Fact B Fact C Fact D Fact E Fact F Enrollment Program Fin. Aid Program Grades Program Database Management System
FILE VS. DATABASES
The combination of the database, the DBMS, and the application programs that access the database is referred to as the database system .
Database Fact A Fact B Fact C Fact D Fact E Fact F Enrollment Program Fin. Aid Program Grades Program Database Management System
FILE VS. DATABASES
The person responsible for the database is the database administrator .
As technology improves, many large companies are developing very large databases called data warehouses.
Database Fact A Fact B Fact C Fact D Fact E Fact F Enrollment Program Fin. Aid Program Grades Program Database Management System
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
Database technology is everywhere.
Most new AISs implement a database approach.
Virtually all mainframe computer sites use database technology.
Use of databases with PCs is growing also.
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
As accountants, you are likely to audit or work for companies that use database technology to store, process, and report accounting transactions.
Many accountants work directly with databases and will enter, process, and query databases.
Some will develop and evaluate internal controls necessary to ensure database integrity.
Others will be involved in the design and management of databases.
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
Database technology provides the following benefits to organizations:
Data integration
Achieved by combining master files into larger pools of data accessible by many programs.
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
Database technology provides the following benefits to organizations:
Data integration
Data sharing
It’s easier to share data that’s integrated.
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
Database technology provides the following benefits to organizations:
Data integration
Data sharing
Reporting flexibility
Reports can be revised easily and generated as needed.
The database can easily be browsed to research problems or obtain detailed information.
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
Database technology provides the following benefits to organizations:
Data integration
Data sharing
Reporting flexibility
Minimal data redundancy and inconsistencies
Because data items are usually stored only once.
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
Database technology provides the following benefits to organizations:
Data integration
Data sharing
Reporting flexibility
Minimal data redundancy and inconsistencies
Data independence
Data items are independent of the programs that use them.
Consequently, a data item can be changed without changing the program and vice versa.
Makes programming easier and simplifies data management.
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
Database technology provides the following benefits to organizations:
Data integration
Data sharing
Reporting flexibility
Minimal data redundancy and inconsistencies
Data independence
Central management of data
Data management is more efficient because the database administrator is responsible for coordinating, controlling, and managing data.
IMPORTANCE AND ADVANTAGES OF DATABASE SYSTEMS
Database technology provides the following benefits to organizations:
Data integration
Data sharing
Reporting flexibility
Minimal data redundancy and inconsistencies
Data independence
Central management of data
Cross-functional analysis
Relationships can be explicitly defined and used in the preparation of management reports.
EXAMPLE: Relationship between selling costs and promotional campaigns.
DATABASE SYSTEMS
Logical and Physical Views of Data
In file-oriented systems, programmers must know the physical location and layout of records used by a program.
They must reference the location, length, and format of every field they utilize.
When data is used from several files, this process becomes more complex.
DATABASE SYSTEMS
Database systems overcome this problem by separating the storage and use of data elements.
Two separate views of the data are provided:
Logical view
How the user or programmer conceptually organizes and understands the data.
DATABASE SYSTEMS
Database systems overcome this problem by separating the storage and use of data elements.
Two separate views of the data are provided:
Logical view
Physical view
How and where the data are physically arranged and stored.
DATABASE SYSTEMS
Database systems overcome this problem by separating the storage and use of data elements.
Two separate views of the data are provided:
Logical view
Physical view
Separating these views facilitates application development, because programmers can focus on coding the logic and not be concerned with storage details.
Database Enrollment by Class Logical View—User A Logical View—User B DBMS Operating System The DBMS translates users’ logical views into instructions as to which data should be retrieved from the database.
Database Enrollment by Class Logical View—User A Logical View—User B DBMS Operating System The operating system translates DBMS requests into instructions to physically retrieve data from various disks.
DATABASE SYSTEMS
The DBMS handles the link between the physical and logical views of the data.
Allows the user to access, query, and update data without reference to how or where it is physically stored.
The user only needs to define the logical data requirements.
DATABASE SYSTEMS
Separating the logical and physical views of data also means users can change their conceptualizations of the data relationships without making changes in the physical storage.
The database administrator can also change the physical storage of the data without affecting users or application programs.
DATABASE SYSTEMS
Schemas
A schema describes the logical structure of a database.
There are three levels of schema.
Conceptual level
The organization-wide view of the entire database—i.e., the big picture.
Lists all data elements and the relationships between them.
Subschema--User A Smith . . . A Jones . . . B Arnold . . .D Subschema--User B Subschema--User C Enroll Cash Receipt Classes Student Mapping external-level views to conceptual-level schema Mapping conceptual-level items to internal-level descriptions
DATABASE SYSTEMS
Schemas
A schema describes the logical structure of a database.
There are three levels of schema.
Conceptual level
External level
A set of individual user views of portions of the database, i.e., how each user sees the portion of the system with which he interacts.
These individual views are referred to as subschema .
Subschema--User A Smith . . . A Jones . . . B Arnold . . .D Subschema--User B Subschema--User C Enroll Cash Receipt Classes Student Mapping external-level views to conceptual-level schema Mapping conceptual-level items to internal-level descriptions
DATABASE SYSTEMS
Schemas
A schema describes the logical structure of a database.
There are three levels of schema.
Conceptual level
External level
Internal level
A low-level view of the database.
It describes how the data are actually stored and accessed including:
Record layouts
Definitions
Addresses
Indexes
Subschema--User A Smith . . . A Jones . . . B Arnold . . .D Subschema--User B Subschema--User C Enroll Cash Receipt Classes Student Mapping external-level views to conceptual-level schema Mapping conceptual-level items to internal-level descriptions
Subschema--User A Smith . . . A Jones . . . B Arnold . . .D Subschema--User B Subschema--User C Enroll Cash Receipt Classes Student Mapping external-level views to conceptual-level schema Mapping conceptual-level items to internal-level descriptions The bidirectional arrows represent mappings between the schema.
DATABASE SYSTEMS
The DBMS uses the mappings to translate a request by a user or program for data (expressed in logical names and relationships) into the indexes and addresses needed to physically access the data.
DATABASE SYSTEMS
Accountants are frequently involved in developing conceptual- and external-level schema.
An employee’s access to data should be limited to the subschema of data that is relevant to the performance of his job.
DATABASE SYSTEMS
The Data Dictionary
A key component of a DBMS is the data dictionary.
Contains information about the structure of the database.
For each data element, there is a corresponding record in the data dictionary describing that element.
DATABASE SYSTEMS
Information provided for each element includes:
A description or explanation of the element.
The records in which it is contained.
Its source.
The length and type of the field in which it is stored.
The programs in which it is used.
The outputs in which it is contained.
The authorized users of the element.
Other names for the element.
DATABASE SYSTEMS
Accountants should participate in the development of the data dictionary because they have a good understanding of the data elements in a business organization, as well as where those elements originate and how they are used.
DATABASE SYSTEMS
The DBMS usually maintains the data dictionary.
It is often one of the first applications of a newly implemented database system.
Inputs to the dictionary include:
Records of new or deleted data elements.
Changes in names, descriptions, or uses of existing elements.
Outputs include:
Reports that are useful to programmers, database designers, and IS users in:
Designing and implementing the system.
Documenting the system.
Creating an audit trail.
DATABASE SYSTEMS
DBMS Languages
Every DBMS must provide a means of performing the three basic functions of:
Creating a database
Changing a database
Querying a database
DATABASE SYSTEMS
DBMS Languages
Every DBMS must provide a means of performing the three basic functions of:
Creating a database
Changing a database
Querying a database
DATABASE SYSTEMS
Creating a database:
The set of commands used to create the database is known as data definition language (DDL) . DDL is used to:
Build the data dictionary
Initialize or create the database
Describe the logical views for each individual user or programmer
Specify any limitations or constraints on security imposed on database records or fields
DATABASE SYSTEMS
DBMS Languages
Every DBMS must provide a means of performing the three basic functions of:
Creating a database
Changing a database
Querying a database
DATABASE SYSTEMS
Changing a database
The set of commands used to change the database is known as data manipulation language (DML) . DML is used for maintaining the data including:
Updating data
Inserting data
Deleting portions of the database
DATABASE SYSTEMS
DBMS Languages
Every DBMS must provide a means of performing the three basic functions of:
Creating a database
Changing a database
Querying a database
DATABASE SYSTEMS
Querying a database:
The set of commands used to query the database is known as data query language (DQL) . DQL is used to interrogate the database, including:
Retrieving records
Sorting records
Ordering records
Presenting subsets of the database
The DQL usually contains easy-to-use, powerful commands that enable users to satisfy their own information needs.
DATABASE SYSTEMS
Report Writer
Many DBMS packages also include a report writer , a language that simplifies the creation of reports.
Users typically specify:
What elements they want printed
How the report should be formatted
The report writer then:
Searches the database
Extracts specified data
Prints them out according to specified format
DATABASE SYSTEMS
Users typically have access to both DQL and report writer.
Access to DQL and DML are typically restricted to employees with administrative and programming responsibilities.
RELATIONAL DATABASES
A DBMS is characterized by the type of logical data model on which it is based.
A data model is an abstract representation of the contents of a database.
Most new DBMSs are called relational databases because they use the relational model developed by E.F. Codd in 1970.
RELATIONAL DATABASES
The relational data model represents everything in the database as being stored in the forms of tables (aka, relations ).
Relation
RELATIONAL DATABASES
This model only describes how the data appear in the conceptual- and external-level schemas.
The data are physically stored according to the description in the internal-level schema.
Each row is called a tuple, which rhymes with “couple.”
Each row contains data about a specific occurrence of the type of entity in the table.
Each column in a table contains information about a specific attribute of the entity.
A primary key is the attribute or combination of attributes that uniquely identifies a specific row in a table.
In some tables, two or more attributes may be joined to form the primary key.
A foreign key is an attribute in one table that is a primary key in another table. 203 J.D. Radowski 1506 202 Xi Zhang 1503 316 Amy Melton 1419 420 Glen Howard 1418 Office No. First Name Last Name Advisor No. ADVISORS 1503 555-5555 Artie Moore 123-45-6789 1418 444-4444 Ned Sanders 111-11-1111 1418 333-3333 Alice Simpson 333-33-3333 Advisor No. Phone No. First Name Last Name Student ID STUDENTS
Foreign keys are used to link tables together. 203 J.D. Radowski 1506 202 Xi Zhang 1503 316 Amy Melton 1419 420 Glen Howard 1418 Office No. First Name Last Name Advisor No. ADVISORS 1503 555-5555 Artie Moore 123-45-6789 1418 444-4444 Ned Sanders 111-11-1111 1418 333-3333 Alice Simpson 333-33-3333 Advisor No. Phone No. First Name Last Name Student ID STUDENTS
Other non-key attributes in each table store important information about the entity. 203 J.D. Radowski 1506 202 Xi Zhang 1503 316 Amy Melton 1419 420 Glen Howard 1418 Office No. First Name Last Name Advisor No. ADVISORS 1503 555-5555 Artie Moore 123-45-6789 1418 444-4444 Ned Sanders 111-11-1111 1418 333-3333 Alice Simpson 333-33-3333 Advisor No. Phone No. First Name Last Name Student ID STUDENTS
RELATIONAL DATABASES
Alternatives for Storing Data
One possible alternate approach would be to store all data in one uniform table.
For example, instead of separate tables for students and classes, we could store all data in one table and have a separate line for each student x class combination.
Using the suggested approach, a student taking three classes would need three rows in the table.
In the above, simplified example, a number of problems arise.
11:00 AM Th 3 FIN-3213 555-5555 Artie Moore 123-45-6789 10:00 AM T 2 ACCT-3433 555-5555 Artie Moore 123-45-6789 9:00 AM F 7 ANSI-1422 444-4444 Ned Sanders 111-11-1111 8:00 AM W 5 MGMT-3021 444-4444 Ned Sanders 111-11-1111 10:00 AM T 2 ACCT-3433 444-4444 Ned Sanders 111-11-1111 12:00 PM TH 11 MGMT-3021 333-3333 Alice Simpson 333-33-3333 11:00 AM Th 3 FIN-3213 333-3333 Alice Simpson 333-33-3333 9:00 AM M 1 ACCT-3603 333-3333 Alice Simpson 333-33-3333 Time Day Section Course No. Phone No. First Name Last Name Student ID
Suppose Alice Simpson changes her phone number. You need to make the change in three places. If you fail to change it in all three places or change it incorrectly in one place, then the records for Alice will be inconsistent.
This problem is referred to as an update anomaly .
11:00 AM Th 3 FIN-3213 555-5555 Artie Moore 123-45-6789 10:00 AM T 2 ACCT-3433 555-5555 Artie Moore 123-45-6789 9:00 AM F 7 ANSI-1422 444-4444 Ned Sanders 111-11-1111 8:00 AM W 5 MGMT-3021 444-4444 Ned Sanders 111-11-1111 10:00 AM T 2 ACCT-3433 444-4444 Ned Sanders 111-11-1111 12:00 PM TH 11 MGMT-3021 333-3333 Alice Simpson 333-33-3333 11:00 AM Th 3 FIN-3213 333-3333 Alice Simpson 333-33-3333 9:00 AM M 1 ACCT-3603 333-3333 Alice Simpson 333-33-3333 Time Day Sect. Course No. Phone No. First Name Last Name Student ID
What happens if you have a new student to add, but he hasn’t signed up for any courses yet?
Or what if there is a new class to add, but there are no students enrolled in it yet? In either case, the record will be partially blank.
This problem is referred to as an insert anomaly .
11:00 AM Th 3 FIN-3213 555-5555 Artie Moore 123-45-6789 10:00 AM T 2 ACCT-3433 555-5555 Artie Moore 123-45-6789 9:00 AM F 7 ANSI-1422 444-4444 Ned Sanders 111-11-1111 8:00 AM W 5 MGMT-3021 444-4444 Ned Sanders 111-11-1111 10:00 AM T 2 ACCT-3433 444-4444 Ned Sanders 111-11-1111 12:00 PM TH 11 MGMT-3021 333-3333 Alice Simpson 333-33-3333 11:00 AM Th 3 FIN-3213 333-3333 Alice Simpson 333-33-3333 9:00 AM M 1 ACCT-3603 333-3333 Alice Simpson 333-33-3333 Time Day Sect. Course No. Phone No. First Name Last Name Student ID
If Ned withdraws from all his classes and you eliminate all three of his rows from the table, then you will no longer have a record of Ned. If Ned is planning to take classes next semester, then you probably didn’t really want to delete all records of him.
This problem is referred to as a delete anomaly .
11:00 AM Th 3 FIN-3213 555-5555 Artie Moore 123-45-6789 10:00 AM T 2 ACCT-3433 555-5555 Artie Moore 123-45-6789 9:00 AM F 7 ANSI-1422 444-4444 Ned Sanders 111-11-1111 8:00 AM W 5 MGMT-3021 444-4444 Ned Sanders 111-11-1111 10:00 AM T 2 ACCT-3433 444-4444 Ned Sanders 111-11-1111 12:00 PM TH 11 MGMT-3021 333-3333 Alice Simpson 333-33-3333 11:00 AM Th 3 FIN-3213 333-3333 Alice Simpson 333-33-3333 9:00 AM M 1 ACCT-3603 333-3333 Alice Simpson 333-33-3333 Time Day Sect. Course No. Phone No. First Name Last Name Student ID
RELATIONAL DATABASES
Alternatives for Storing Data
Another possible approach would be to store each student in one row of the table and create multiple columns to accommodate each class that he is taking.
This approach is also fraught with problems:
How many classes should you allow for in building the table?
The above table is quite simplified. In reality, you might need to allow for 20 or more classes (assuming a student could take many 1-hour classes). Also, more information than just the course number would be stored for each class. There would be a great deal of wasted space for all the students taking fewer than the maximum possible number of classes.
Also, if you wanted a list of every student taking MGMT-3021, notice that you would have to search multiple attributes.
FIN-3213 ACCT-3433 555-5555 Artie Moore 123-45-6789 ANSI-1422 MGMT-3021 ACCT-3433 444-4444 Ned Sanders 111-11-1111 MGMT-3021 FIN-3213 ACCT-3603 333-3333 Alice Simpson 333-33-3333 Class 4 Class 3 Class 2 Class 1 Phone No. First Name Last Name Student ID0
The solution to the preceding problems is to use a set of tables in a relational database.
Each entity is stored in a separate table, and separate tables or foreign keys can be used to link the entities together.
RELATIONAL DATABASES
Basic Requirements of a Relational Database
Every column in a row must be single valued.
In other words, every cell can have one and only one value.
In the student table, you couldn’t have an attribute named “Phone Number” if a student could have multiple phone numbers.
There might be an attribute named “local phone number” and an attribute named “permanent phone number.”
You could not have an attribute named “Class” in the student table, because a student could take multiple classes.
RELATIONAL DATABASES
Basic Requirements of a Relational Database
The primary key cannot be null.
The primary key uniquely identifies a specific row in the table, so it cannot be null, and it must be unique for every record.
This rule is referred to as the entity integrity rule .
Note that within each table, there are no duplicate primary keys and no null primary keys.
Consistent with the entity integrity rule.
RELATIONAL DATABASES
Basic Requirements of a Relational Database
A foreign key must either be null or correspond to the value of a primary key in another table.
This rule is referred to as the referential integrity rule .
The rule is necessary because foreign keys are used to link rows in one table to rows in another table.
Advisor No. is a foreign key in the STUDENTS table. Every incident of Advisor No. in the STUDENTS table either matches an instance of the primary key in the ADVISORS table or is null. 203 J.D. Radowski 1506 202 Xi Zhang 1503 316 Amy Melton 1419 420 Glen Howard 1418 Office No. First Name Last Name Advisor No. ADVISORS 1503 555-5555 Artie Moore 123-45-6789 1418 444-4444 Ned Sanders 111-11-1111 1418 333-3333 Alice Simpson 333-33-3333 Advisor No. Phone No. First Name Last Name Student ID STUDENTS
RELATIONAL DATABASES
Basic Requirements of a Relational Database
All non-key attributes in a table should describe a characteristic of the object identified by the primary key.
Could nationality be a non-key attribute in the student table?
Could advisor’s nationality be a non-key attribute in the student table?
RELATIONAL DATABASES
The preceding four constraints produce a well-structured (normalized) database in which:
Data are consistent.
Redundancy is minimized and controlled.
In a normalized database, attributes appear multiple times only when they function as foreign keys.
The referential integrity rule ensures there will be no update anomaly problem with foreign keys.
RELATIONAL DATABASES
An important feature is that data about various things of interest (entities) are stored in separate tables.
Makes it easier to add new data to the system.
You add a new student by adding a row to the student table.
You add a new course by adding a row to the course table.
Means you can add a student even if he hasn’t signed up for any courses.
And you can add a class even if no students are yet enrolled in it.
Makes it easy to avoid the insert anomaly.
Space is also used more efficiently than in the other schemes. There should be no blank rows or attributes.
Add a student here.
Leaves no blank spaces.
Add a course here.
Leaves no blank spaces.
When a particular student enrolls for a particular course, add that info here.
RELATIONAL DATABASES
Deletion of a class for a student would cause the elimination of one record in the student x class table.
The student still exists in the student table.
The class still exists in the class table.
Avoids the delete anomaly.
Ned still exists in the student table.
Even if Ned was the only student in the class, ACCT-3603 still exists in the course table.
If Ned Sanders drops ACCT-3603, remove Ned’s class from this table.
RELATIONAL DATABASES
There are two basic ways to design well-structured relational databases.
Normalization
Semantic data modeling
RELATIONAL DATABASES
There are two basic ways to design well-structured relational databases.
Normalization
Semantic data modeling
RELATIONAL DATABASES
Normalization
Starts with the assumption that everything is initially stored in one large table.
A set of rules is followed to decompose that initial table into a set of normalized tables.
Objective is to produce a set of tables in third-normal form (3NF) because such tables are free of update, insert, and delete anomalies.
Approach is beyond the scope of this book but can be found in any database textbook.
RELATIONAL DATABASES
There are two basic ways to design well-structured relational databases.
Normalization
Semantic data modeling
RELATIONAL DATABASES
Semantic data modeling (covered in detail in Chapter 15)
Database designer uses knowledge about how business processes typically work and the information needs associated with transaction processing to draw a graphical picture of what should be included in the database.
The resulting graphic is used to create a set of relational tables that are in 3NF.
RELATIONAL DATABASES
Advantages over simply following normalization rules:
Semantic data modeling uses the designer’s knowledge about business processes and practices; it therefore facilitates efficient design of transaction processing databases.
The resulting graphical model explicitly represents information about the organization’s business processes and policies and facilitates communication with intended users.
RELATIONAL DATABASES
Creating Relational Database Queries
Databases store data for people and organizations.
To retrieve the data, you query the database and its tables.
Chapter 4 of your textbooks provides some samples of database queries in Microsoft Access.
Try these on your own and/or with your instructor in class.
DATABASE SYSTEMS AND THE FUTURE OF ACCOUNTING
Database systems may profoundly affect the fundamental nature of accounting:
May lead to abandonment of double-entry accounting, because the redundancy of the double entry is not necessary in computer data processing.
May also alter the nature of external reporting.
EXAMPLE: External users could have access to the company’s database and manipulate the data to meet their own reporting needs.
DATABASE SYSTEMS AND THE FUTURE OF ACCOUNTING
The use of accounting information in decision making will be enhanced by:
Powerful querying capabilities that accompany database packages.
The ability to accommodate multiple views of the same underlying phenomenon.
The ability to integrate financial and operational data.
DATABASE SYSTEMS AND THE FUTURE OF ACCOUNTING
Accountants must become knowledgeable about databases so they can participate in developing the AIS of the future.
They must help ensure that adequate controls are included to safeguard the data and assure its reliability.
SUMMARY
You’ve learned how databases differ from file-based legacy systems.
You’ve learned why databases are important and what advantages they offer.
You’ve learned how the logical and physical views of a database differ.
You’ve learned about fundamental concepts of database systems such as DBMS, schemas, the data dictionary, and DBMS languages.
You’ve learned what a relational database is and how it organizes data.
You’ve learned how tables are structured to properly store data in a relational database.

AIS romney 2006 slides 03 systems development and documentation techniques

2009-11-01T07:30:00.001-08:00

AIS Romney 2006 slides 03 Systems Development and Documentation Techniques

View more presentations from sharingnotes123.

AIS Romney 2006 slides 03 Systems Development and Documentation Techniques - Presentation Transcript

HAPTER 3 Systems Development and Documentation Techniques
INTRODUCTION
Questions to be addressed in this chapter include:
What is the purpose of documentation?
Why do accountants need to understand documentation?
What documentation techniques are used in accounting systems?
What are data flow diagrams and flowcharts?
How are they alike and different?
How are they prepared?
INTRODUCTION
Documentation includes the following types of tools:
Narratives (written descriptions)
Flowcharts
Diagrams
Other written material
INTRODUCTION
Documentation covers the who, what, when, where, why, and how of:
Data entry
Processing
Storage
Information output
System controls
INTRODUCTION
How do accountants use documentation?
At a minimum, they have to read documentation to understand how a system works.
They may need to evaluate the strengths and weaknesses of an entity’s internal controls.
Requires heavy reliance on documentation.
They may peruse documentation to determine if a proposed system meets the needs of its users.
They may prepare documentation to:
Demonstrate how a proposed system would work
Demonstrate their understanding of a system of internal controls
INTRODUCTION
In this chapter, we discuss two of the most common documentation tools:
Data flow diagrams
Graphical descriptions of the sources and destinations of data. They show:
Where data comes from
How it flows
The processes performed on it
Where it goes
INTRODUCTION
In this chapter, we discuss two of the most common documentation tools:
Data flow diagrams
Flowcharts
Include three types:
Document flowcharts describe the flow of documents and information between departments or units.
System flowcharts describe the relationship between inputs, processing, and outputs for a system.
Program flowcharts describe the sequence of logical operations performed in a computer program.
INTRODUCTION
Documentation techniques are necessary tools for accountants:
SAS-94 requires that auditors understand the automated and manual procedures an entity uses.
This understanding can be gleaned through documenting the internal control system—a process that effectively exposes strengths and weaknesses of the system.
SOX (2002) effectively requires that publicly-traded corporations and their auditors document and test the company’s internal controls.
Auditing Standard No. 2 promulgated by the PCAOB requires that the external auditor express an opinion on the client’s system of internal controls.
INTRODUCTION
Documentation tools help accountants by:
Organizing very complicated systems into a form that can be more readily understood
Helping new team members understand a pre-existing system
INTRODUCTION
Which method should you use—flowcharts or DVDs?
62.5% of IS professionals use DFDs.
97.6% use flowcharts.
Both can be prepared relatively simply using available software.
Both are tested on professional exams.
CONCLUSION: You need to know them both.
DATA FLOW DIAGRAMS
A data flow diagram (DFD) graphically describes the flow of data within an organization. It is used to:
Document existing systems
Plan and design new systems
There is no black-and-white approach to developing a DFD.
DATA FLOW DIAGRAMS Customer 1.0 Process Payment 2.0 Update A/R Credit Manager Bank Customer payment Remittance data Receivables Information Deposit
Example of a data flow diagram of the customer payment process from Figure 3-3 in your textbook
Accounts Receivable
DATA FLOW DIAGRAMS
A data flow diagram consists of four basic elements:
Data sources and destinations
Data flows
Transformation processes
Data stores
DATA FLOW DIAGRAMS
A data flow diagram consists of four basic elements:
Data sources and destinations
Data flows
Transformation processes
Data stores
DATA FLOW DIAGRAMS
Data sources and destinations
Appear as squares
Represent organizations or individuals that send or receive data used or produced by the system
An item can be both a source and a destination
DATA FLOW DIAGRAMS Customer 1.0 Process Payment 2.0 Update A/R Credit Manager Bank Customer payment Remittance data Receivables Information Deposit
Data sources and destinations are marked in red.
Can you tell which are sources and which are destinations?
Accounts Receivable
DATA FLOW DIAGRAMS
A data flow diagram consists of four basic elements:
Data sources and destinations
Data flows
Transformation processes
Data stores
DATA FLOW DIAGRAMS
Data flows
Appear as arrows
Represent the flow of data between sources and destinations, processes, and data stores
DATA FLOW DIAGRAMS Customer 1.0 Process Payment 2.0 Update A/R Credit Manager Bank Customer payment Remittance data Receivables Information Deposit
Data flows are shown in red.
Does it appear that a data flow can be two-way?
If so, how is it handled?
Accounts Receivable
DATA FLOW DIAGRAMS Customer 1.0 Process Payment 2.0 Update A/R Credit Manager Bank Customer payment Remittance data Receivables Information Deposit
Data flows should always be labeled.
The exception is a data flow moving into or out of a data store.
What symbol is the data store?
Accounts Receivable
DATA FLOW DIAGRAMS
As you probably surmised from the previous slides, if a data flow is two-way, use a bi-directional arrow.
Update Receiv- ables General Ledger
DATA FLOW DIAGRAMS
If two data elements flow together, then the use of one data flow line is appropriate.
Customer Process Payment Cash Rec’t & Remittance Slip
DATA FLOW DIAGRAMS
If the data elements do not always flow together, then multiple lines will be needed.
Customer Process Payment Customer Inquiry Customer Payment
DATA FLOW DIAGRAMS
A data flow diagram consists of four basic elements:
Data sources and destinations
Data flows
Transformation processes
Data stores
DATA FLOW DIAGRAMS
Processes
Appear as circles
Represent the transformation of data
DATA FLOW DIAGRAMS Customer 1.0 Process Payment 2.0 Update A/R Credit Manager Bank Customer payment Remittance data Receivables Information Deposit
The transformation processes are shown in red.
Every process must have at least one data inflow and at least one data outflow. Why?
What do you notice about how the processes are labeled?
Accounts Receivable
DATA FLOW DIAGRAMS
Data stores
Appear as two horizontal lines
Represent a temporary or permanent repository of data
DATA FLOW DIAGRAMS Customer 1.0 Process Payment 2.0 Update A/R Credit Manager Bank Accounts Receivable Customer payment Remittance data Receivables Information Deposit
The data store is shown in red.
Notice that the inflows and outflows to the data store are not labeled.
DATA FLOW DIAGRAMS
Data dictionary:
Data flows and data stores are typically collections of data elements.
EXAMPLE: A data flow labeled student information might contain elements such as student name, date of birth, ID number, address, phone number, and major.
The data dictionary contains a description of all data elements, data stores, and data flows in a system.
DATA FLOW DIAGRAMS
Subdividing the DFD:
Few systems can be fully diagrammed on one sheet of paper, and users have needs for differing levels of detail.
Consequently, DFDs are subdivided into successively lower levels to provide increasing amounts of detail.
DATA FLOW DIAGRAMS
The highest level of DFD is called a context diagram .
It provides a summary-level view of the system.
It depicts a data processing system and the external entities that are:
Sources of its input
Destinations of its output
DATA FLOW DIAGRAMS Payroll Processing System Depart- ments Human Resources Govt. Agencies Employees Bank Manage- ment Time cards New employee form Employee change form Tax report & payment Employee checks Payroll check Payroll report
This is the context diagram for the S&S payroll processing system (Figure 3-5 in your textbook).
DATA FLOW DIAGRAMS Payroll Processing System Depart- ments Human Resources Govt. Agencies Employees Bank Manage- ment Time cards New employee form Employee change form Tax report & payment Employee checks Payroll check Payroll report
What information comes into this process, and from where?
DATA FLOW DIAGRAMS Payroll Processing System Depart- ments Human Resources Govt. Agencies Employees Bank Manage- ment Time cards New employee form Employee change form Tax report & payment Employee checks Payroll check Payroll report
What information is produced by this process, and where does it go?
DATA FLOW DIAGRAMS 1.0 Update empl. Payroll file 2.0 Pay Employ- ees 5.0 Update Gen. Ledger 4.0 Pay taxes 3.0 Prepare reports Human Resources Depart- ments Employees Bank Govt. Agencies Manage- ment Employee Change form New employee form Time cards Employee paychecks Payroll check Payroll Disburse- ment data Payroll tax disb. voucher Tax report & payment Payroll report This diagram shows the next level of detail for the context diagram in Figure 3-5. Employee/ Payroll file General Ledger
DATA FLOW DIAGRAMS 1.0 Update empl. Payroll file 2.0 Pay Employ- ees 5.0 Update Gen. Ledger 4.0 Pay taxes 3.0 Prepare reports Human Resources Depart- ments Employees Bank Govt. Agencies Manage- ment Employee Change form New employee form Time cards Employee paychecks Payroll check Payroll Disburse- ment data Payroll tax disb. voucher Tax report & payment Payroll report What information comes into these processes and from where? Employee/ Payroll file General Ledger
DATA FLOW DIAGRAMS 1.0 Update empl. Payroll file 2.0 Pay Employ- ees 5.0 Update Gen. Ledger 4.0 Pay taxes 3.0 Prepare reports Human Resources Depart- ments Employees Bank Govt. Agencies Manage- ment Employee Change form New employee form Time cards Employee paychecks Payroll check Payroll Disburse- ment data Payroll tax disb. voucher Tax report & payment Payroll report What information is produced by these processes, and where does it go? Employee/ Payroll file General Ledger
DATA FLOW DIAGRAMS 1.0 Update empl. Payroll file 2.0 Pay Employ- ees 5.0 Update Gen. Ledger 4.0 Pay taxes 3.0 Prepare reports Human Resources Depart- ments Employees Bank Govt. Agencies Manage- ment Employee Change form New employee form Time cards Employee paychecks Payroll check Payroll Disburse- ment data Payroll tax disb. voucher Tax report & payment Payroll report How do the sources and destinations differ from the context diagram? Employee/ Payroll file General Ledger
DATA FLOW DIAGRAMS 1.0 Update empl. Payroll file 2.0 Pay Employ- ees 5.0 Update Gen. Ledger 4.0 Pay taxes 3.0 Prepare reports Human Resources Depart- ments Employees Bank Govt. Agencies Manage- ment Employee Change form New employee form Time cards Employee paychecks Payroll check Payroll Disburse- ment data Payroll tax disb. voucher Tax report & payment Payroll report Notice that each process in the DFD is numbered sequentially. Employee/ Payroll file General Ledger
DATA FLOW DIAGRAMS 1.0 Update empl. Payroll file 2.0 Pay Employ- ees 5.0 Update Gen. Ledger 4.0 Pay taxes 3.0 Prepare reports Human Resources Depart- ments Employees Bank Govt. Agencies Manage- ment Employee Change form New employee form Time cards Employee paychecks Payroll check Payroll Disburse- ment data Payroll tax disb. voucher Tax report & payment Payroll report Suppose we exploded Process 2.0 (pay employees) in the next level. The sub-processes would be numbered 2.1, 2.2, 2.3, etc. Employee/ Payroll file General Ledger
DATA FLOW DIAGRAMS
We’re going to go into a partial example of how the first level of detail was created.
But before we do, let’s step through some guidelines on how to create a DFD.
DATA FLOW DIAGRAMS
RULE 1: Understand the system. Observe the flow of information and interview people involved to gain that understanding.
RULE 2: Ignore control processes and control actions (e.g., error corrections). Only very critical error paths should be included.
RULE 3: Determine the system boundaries—where it starts and stops. If you’re not sure about a process, include it for the time being.
DATA FLOW DIAGRAMS
RULE 4: Draw the context diagram first, and then draw successively greater levels of detail.
RULE 5: Identify and label all data flows. The only ones that do not have to be labeled are those that go into or come out of data stores.
RULE 6: Data flows that always flow together should be grouped together. Those that do not flow together should be shown on separate lines.
DATA FLOW DIAGRAMS
RULE 7: Show a process (circle) wherever a data flow is converted from one form to another. Likewise, every process should have at least one incoming data flow and at least one outgoing data flow.
RULE 8: Transformation processes that are logically related or occur simultaneously can be grouped in one bubble.
RULE 9: Number each process sequentially. A process labeled 5.0 would be exploded at the next level into processes numbered 5.1, 5.2, etc. A process labeled 5.2 would be exploded into 5.21, 5.22, etc.
DATA FLOW DIAGRAMS
RULE 10: Process names should include action verbs, such as update , prepare , etc.
RULE 11: Identify and label all data stores, whether temporary or permanent.
RULE 12: Identify and label all sources and destinations. An entity can be both a source and destination. You may wish to include such items twice on the diagram, if needed, to avoid excessive or crossing lines.
DATA FLOW DIAGRAMS
RULE 13: As much as possible, organize the flow from top to bottom and left to right.
RULE 14: You’re not likely to get it beautiful the first time, so plan to go through several iterations of refinements.
RULE 15: On the final copy, lines should not cross. On each page, include:
The name of the DFD
The date prepared
The preparer’s name
DATA FLOW DIAGRAMS
Now that we’ve been through the guidelines for developing DFDs, let’s go back to the chapter example and see if we can re-create a part of it.
You may wish to create a table with the following headings to organize your information:
Data Inputs
Processes
Data Outputs
DATA FLOW DIAGRAMS Data Outputs Processes Data Inputs
DATA FLOW DIAGRAMS
The first paragraph of the narrative for the payroll process reads as follows:
When employees are hired, they complete a new employee form. When a change to an employee’s payroll status occurs, such as a raise or a change in the number of exemptions, human resources completes an employee change form. A copy of these forms is sent to payroll. These forms are used to create or update the records in the employee/payroll file and are then stored in the file. Employee records are stored alphabetically.
DATA FLOW DIAGRAMS
The first paragraph of the narrative for the payroll process reads as follows:
When employees are hired, they complete a new employee form. When a change to an employee’s payroll status occurs, such as a raise or a change in the number of exemptions, human resources completes an employee change form. A copy of these forms is sent to payroll. These forms are used to create or update the records in the employee/payroll file and are then stored in the file. Employee records are stored alphabetically.
The portion marked in red relates to activities that go on outside the boundaries of the payroll system. Consequently, these activities will not be included on the DFD.
DATA FLOW DIAGRAMS
The first paragraph of the narrative for the payroll process reads as follows:
When employees are hired, they complete a new employee form . When a change to an employee’s payroll status occurs, such as a raise or a change in the number of exemptions, human resources completes an employee change form . A copy of these forms is sent to payroll . These forms are used to create or update the records in the employee/payroll file and are then stored in the file. Employee records are stored alphabetically.
The portion marked in red suggests two data flows coming into the payroll process (new employee forms and employee change forms). The source of the inflows is the human resources department.
DATA FLOW DIAGRAMS New employee forms and employee change forms (from H.R. Dept.) Data Outputs Processes Data Inputs
DATA FLOW DIAGRAMS
The first paragraph of the narrative for the payroll process reads as follows:
When employees are hired, they complete a new employee form. When a change to an employee’s payroll status occurs, such as a raise or a change in the number of exemptions, human resources completes an employee change form. A copy of these forms is sent to payroll. These forms are used to create or update the records in the employee/payroll file and are then stored in the file . Employee records are stored alphabetically.
The sentence marked in red suggests a process (update employee records) with the data outflow going to a data store (the employee/payroll file).
DATA FLOW DIAGRAMS Updated employee/ payroll file Update records (read from file and record) New employee forms and employee change forms (from H.R. Dept.) Data Outputs Processes Data Inputs
DATA FLOW DIAGRAMS
The first paragraph of the narrative for the payroll process reads as follows:
When employees are hired, they complete a new employee form. When a change to an employee’s payroll status occurs, such as a raise or a change in the number of exemptions, human resources completes an employee change form. A copy of these forms is sent to payroll. These forms are used to create or update the records in the employee/payroll file and are then stored in the file. Employee records are stored alphabetically.
The final sentence in this paragraph provides information about the physical storage of the data. Physical information is utilized in flowcharts but not in data flow diagrams.
DATA FLOW DIAGRAMS We will not do the entire DFD, however, you could finish this table by reading the remainder of the narrative in Table 3-1 in your textbook. The portion of the table completed so far allows us to draw the segment of the DFD that is highlighted on the following slide. Updated employee/ payroll file Update records (read from file and record) New employee forms and employee change forms (from H.R. Dept.) Data Outputs Processes Data Inputs
DATA FLOW DIAGRAMS 1.0 Update empl. Payroll file 2.0 Pay Employ- ees 5.0 Update Gen. Ledger 4.0 Pay taxes 3.0 Prepare reports Employee/ Payroll file Human Resources Depart- ments Employees Bank Govt. Agencies Manage- ment Employee Change form New employee form Time cards Employee paychecks Payroll check Payroll Disburse- ment data Payroll tax disb. voucher Tax report & payment Payroll report General Ledger
DATA FLOW DIAGRAMS
Keep the following in mind as you develop your DFD:
Remember to ignore control activities, such as error correction processes.
Some data inputs and outputs will not appear on the first level of the DFD but appear as the processes are exploded into greater levels of detail.
DATA FLOW DIAGRAMS
The data flow diagram focuses on the logical flow of data.
Next, we will discuss flowcharts, which place greater emphasis on physical details.
FLOWCHARTS
A flowchart is an analytical technique that describes some aspect of an information system in a clear, concise, and logical manner.
Flowcharts use a set of standard symbols to depict processing procedures and the flow of data.
FLOWCHARTS
Every shape on a flowchart depicts a unique operation, input, processing activity, or storage medium.
In the days of yore, flowcharts were commonly drawn with templates.
Now, it is more common to use a software program such as Visio.
Microsoft and Power Point are also used
The software uses pre-drawn shapes, and the developer drags the shapes into the drawing.
FLOWCHARTS
There are four types of flowcharting symbols:
Input/output symbols
Input/output symbols indicate the type of device or media that provides input to or records output from a process.
FLOWCHARTS
There are four types of flowcharting symbols:
Input/output symbols
Processing symbols
Processing symbols indicate the type of device used to process the data or whether the data is processed manually.
FLOWCHARTS
There are four types of flowcharting symbols:
Input/output symbols
Processing symbols
Storage symbols
Storage symbols indicate the type of device used to store data while the system is not using it.
FLOWCHARTS
There are four types of flowcharting symbols:
Input/output symbols
Processing symbols
Storage symbols
Flow and miscellaneous symbols
Flow and miscellaneous symbols may indicate:
The flow of data and goods
The beginning or end of the flowchart
The location of a decision
An explanatory note
FLOWCHARTS
Click on buttons below if you wish to review symbols in the various categories.
Input/Output Symbols Processing Symbols Storage Symbols Flow & Misc. Symbols
INPUT/OUTPUT SYMBOLS
Document Symbol
Represents a document or report that is prepared by hand or printed by a computer.
INPUT/OUTPUT SYMBOLS
Multiple Copies of One Document
Indicates multiple copies of a paper document or report.
The document copies should be numbered in the upper, right-hand corner.
2 3 1
INPUT/OUTPUT SYMBOLS
Input/Output; Journal/Ledger
Can represent any input or output on a program flowchart.
Also represents accounting journals or ledgers in a document flowchart.
INPUT/OUTPUT SYMBOLS
Display
Represents information displayed by an online output device such as a terminal, monitor, or screen.
INPUT/OUTPUT SYMBOLS
Online Keying
Represents data entry by an online device such as a terminal or personal computer.
INPUT/OUTPUT SYMBOLS
Terminal or Personal Computer
Combines the display and online keying symbols to represent terminals and personal computers.
INPUT/OUTPUT SYMBOLS
Transmittal Tape
Represents manually prepared control totals which are to be compared to computer totals for control purposes.
Return to Menu Processing Symbols Skip Symbols
PROCESSING SYMBOLS
Computer Processing
Represents a process performed by a computer, which usually results in a change in data or information.
PROCESSING SYMBOLS
Manual Operation
Represents a processing operation that is performed manually.
PROCESSING SYMBOLS
Auxiliary Operation
Represents a processing operation carried out by a device other than a computer, e.g., an optical character scanner.
PROCESSING SYMBOLS
Off-line Keying Operation
Represents an operation that uses an off-line keying device, such as a cash register or keying to a disk.
Return to Menu Skip Symbols Storage Symbols
STORAGE SYMBOLS
Magnetic disk
Represents data stored permanently on a magnetic disk.
Frequently used to represent master files and databases.
STORAGE SYMBOLS
Magnetic Tape
Represents data stored on a magnetic tape.
Sometimes represents transaction files.
STORAGE SYMBOLS
Diskette
Represents data stored on a floppy disk or zip disk.
STORAGE SYMBOLS
Online Storage
Represents data stored in a temporary online file in a direct-access medium such as a magnetic disk.
STORAGE SYMBOLS
File
Represents a file of documents that are manually stored and retrieved.
Letter indicates the ordering sequence:
A = Alphabetic order
D = Date order
N = Numeric order
A Return to Menu Skip Symbols Flow/Misc Symbols
FLOW AND MISCELLANEOUS SYMBOLS
Document or Processing Flow
Represents the direction of processing or document flow.
Normal flow is top to bottom and left to right.
FLOW AND MISCELLANEOUS SYMBOLS
Data/Information Flow
Represents the direction of data/information flow.
Often used to show data being copied from one document to another.
FLOW AND MISCELLANEOUS SYMBOLS
Communication Link
Represents the transmission of data from one location to another via communication lines.
FLOW AND MISCELLANEOUS SYMBOLS
On-page connector
Connects processing from one location to another on the same page.
Used to avoid crisscrossing lines.
FLOW AND MISCELLANEOUS SYMBOLS
Off-page connector
Connects the processing flow between two different pages.
Signals the exit from one page and the corresponding entrance on another page.
FLOW AND MISCELLANEOUS SYMBOLS
Terminal
Represents the beginning, end, or a point of interruption in a process or program.
Also used to indicate an external party.
FLOW AND MISCELLANEOUS SYMBOLS
Decision
Represents a decision-making step.
Used in a program flowchart to show branching to alternate paths.
FLOW AND MISCELLANEOUS SYMBOLS
Annotation
Provides for the addition of descriptive comments or explanatory notes as clarification.
Return to Menu Continue
DOCUMENT FLOWCHARTS
A document flowchart shows the flow of documents and information among areas of responsibility in an organization.
These flowcharts trace a document from cradle to grave and show:
Where a document comes from
Where it’s distributed
How it’s used
It’s ultimate disposition
Everything that happens as it flows through the system
DOCUMENT FLOWCHARTS
Internal control flowcharts are document flowcharts used to evaluate the adequacy of internal controls, such as segregation of duties or internal checks.
They can reveal weaknesses or inefficiences such as:
Inadequate communication flows
Unnecessarily complex document flows
Procedures that cause wasteful delays
Document flowcharts are also prepared in the system design process.
This is part of the document flowchart from Figure 3-9 in your textbook.
GUIDELINES FOR PREPARING FLOWCHARTS
Let’s step through some guidelines for preparing flowcharts:
As with DFDs, you can’t effectively prepare a flowchart if you don’t understand the system, so:
Interview users, developers, auditors, and management.
Administer questionnaires.
Read through narratives.
Walk through systems transactions
GUIDELINES FOR PREPARING FLOWCHARTS
Identify:
Entities to be flowcharted, e.g., departments, functions, external parties (the parties who “do” things in the story)
Documents or information flows
Processes
As you read through a narrative, you may want to mark the preceding items with different shapes (e.g., drawing a rectangle around entities, circling documents, etc.).
GUIDELINES FOR PREPARING FLOWCHARTS
Use separate columns for the activity of each entity.
Example: If there are three different departments or functions that “do” things in the narrative, there would be three columns on the flowchart.
What are the entities in this flowchart?
GUIDELINES FOR PREPARING FLOWCHARTS
Flowchart the normal course of operations, and identify exceptions with annotations.
As much as possible, the flow should go from top to bottom and left to right.
Use standard flowcharting symbols, and draw with a template or computer.
Clearly label all symbols. Use annotations if necessary to provide adequate explanation.
GUIDELINES FOR PREPARING FLOWCHARTS
Give the flowchart a clear beginning and ending.
Show where each document originated and its final disposition.
One approach you can use is to read through the narrative and for each step define:
What was (were) the input(s)
What process was carried out
What was (were) the output(s)
Note on the next slide that the flow sequence is input -- process – output.
Identifies where input is coming from
Inputs
Process
Output to storage
Input for next process
Process
Output
GUIDELINES FOR PREPARING FLOWCHARTS
Every manual process should have at least one input and at least one output.
Show all data entered into or retrieved from a computer file as passing through a process first.
Do not show process symbols for:
Forwarding a document to another entity
Filing a document
Forwarding a document
Filing a document
GUIDELINES FOR PREPARING FLOWCHARTS
Do not connect two documents except when forwarding to another column.
When a document is forwarded, show it in both locations.
Show forwarded document in both locations
GUIDELINES FOR PREPARING FLOWCHARTS
When using multiple copies of a document, place document numbers in the upper, right-hand corner.
What happens to the document numbers as the documents move to other locations?
GUIDELINES FOR PREPARING FLOWCHARTS
Show on-page connectors and label them clearly to avoid excess flow lines.

GUIDELINES FOR PREPARING FLOWCHARTS
Use off-page connectors if the flow goes to another page.
Are there other off-page connectors on this flowchart?
GUIDELINES FOR PREPARING FLOWCHARTS
If a flowchart takes more than one page, label the pages as 1 of 5, 2 of 5, 3 of 5, etc.
Show documents or reports first in the column where they are created.
Start with a rough draft; then redesign to avoid clutter and crossed lines.
Verify the accuracy of your flowchart by reviewing it with users, etc.
Place the flowchart name, the date, and the preparer’s name on each page of the final copy.
SYSTEM FLOWCHARTS
Now that we’ve looked at document flowcharts and guidelines for creating flowcharts, let’s take a brief look at system flowcharts.
SYSTEM FLOWCHARTS
A system flowchart depicts the relationship among the inputs, processes, and outputs of an AIS.
The system flowchart begins by identifying the inputs to the system.
These inputs can be:
New data
Data stored for future use
Both
SYSTEM FLOWCHARTS
A system flowchart depicts the relationship among the inputs, processes, and outputs of an AIS.
The system flowchart begins by identifying the inputs to the system.
Each input is followed by a process, i.e., the steps performed on the data.
If the process is performed by a computer, the logic of the computer program would be depicted in a program flowchart.
SYSTEM FLOWCHARTS
A system flowchart depicts the relationship among the inputs, processes, and outputs of an AIS.
The system flowchart begins by identifying the inputs to the system.
Each input is followed by a process, i.e., the steps performed on the data.
The process is followed by outputs—the resulting new information.
The output may be:
Stored for later use
Displayed on a screen
Printed on paper
An input to the next process
SYSTEM FLOWCHARTS
A system flowchart depicts the relationship among the inputs, processes, and outputs of an AIS.
The system flowchart begins by identifying the inputs to the system.
Each input is followed by a process, i.e., the steps performed on the data.
The process is followed by outputs—the resulting new information.
In other words, it’s the same basic input – process – output pattern that we saw in the document flowchart.
System Flowchart Shown in Figure 3-11 in your textbook
Can you spot the input – process – output pattern?
PROGRAM FLOWCHARTS
Program flowcharts illustrate the sequence of logical operations performed by a computer in executing a program.
They also follow an input – process – output pattern.
The program flowchart from Figure 3-11 in your textbook is shown on the right.
Note that the program flowchart details the logic of processes performed by the computer.
This flowchart becomes the programmer’s blueprint for writing the actual computer program.
FLOWCHARTS VS. DFDs
Now that we’ve examined both flowcharts and DFDs, it may be useful to discuss the differences again.
DFDs place a heavy emphasis on the logical aspects of a system.
Flowcharts place more emphasis on the physical characteristics of the system.
An example may be useful.
FLOWCHARTS VS. DFDs
EXAMPLE: The registrar’s office of a small college receives paper enrollment forms from students. They sort these records alphabetically and then update the student record file to show the new classes. They also prepare class lists from the same data. The sorted enrollment forms are forwarded to the bursar’s office for billing purposes. Class lists are mailed to faculty members.
Here’s a DFD that goes with the story. Students 1.0 Update Student Records 2.0 Prepare Class Lists Student Records Faculty Bursar Enrollment Forms Enrollment Forms Enrollment Forms Class Lists
Students 1.0 Update Student Records 2.0 Prepare Class Lists Faculty Bursar Enrollment Forms Enrollment Forms Enrollment Forms Class Lists Here’s a flowchart that goes with the story Student Records Students Registrar’s Office Enrollment Forms Sort Forms Sorted Enrollment Forms Update Student Records A Prepare Class Lists Sorted Enrollment Forms Class Lists Sorted Enrollment Forms Bursar Faculty
FLOWCHARTS VS. DFDs
Now let’s change the story so that students enter enrollment data online. The registrar’s office sends a tape file of the enrollment data to the bursar’s office and continues to send paper class lists to faculty.
Original DFD Students 1.0 Update Student Records 2.0 Prepare Class Lists Faculty Bursar Enrollment Forms Enrollment Forms Enrollment Forms Class Lists Here’s the revised DFD. How has it changed? Students 1.0 Update Student Records 2.0 Prepare Class Lists Student Records Faculty Bursar Enrollment Data Enrollment Data Enrollment Data Class Lists Student Records
Here’s the revised flowchart. How has it changed? Original Flowchart Registrar’s Office Students Class Lists Bursar Faculty Enrollment Data Update Student Records Student Records Enrollment Data Prepare Class Lists Students Registrar’s Office Enrollment Forms Sort Forms Sorted Enrollment Forms Update Student Records A Prepare Class Lists Sorted Enrollment Forms Class Lists Sorted Enrollment Forms Bursar Faculty
FLOWCHARTS VS. DFDs
Moral of the Story: Changes in the physical characteristics of the process do affect the flowchart but have little or no impact on the DFD.
The DFD focuses more on the logic.
When deciding which tool to employ, consider the information needs of those who will view it.
QUIZ QUESTION
How is playing the piano like making DFDs and flowcharts?
You can’t learn to do it by just watching someone else.
You can’t learn to do it by just looking at examples.
Your first attempts are clumsy.
Practice leads to improvement and maybe even perfection.
SUMMARY
We’ve learned about graphical forms of documentation, particularly:
Data flow diagrams
Flowcharts
We’ve learned why these tools are important to accountants and how they are employed.
We’ve learned basic guidelines for creating data flow diagrams and flowcharts.

AIS Romney 2006 Slides 02 Business Process

2009-11-01T07:11:00.000-08:00

Ais Romney 2006 Slides 02 Business Process

View more presentations from sharingnotes123.

Ais Romney 2006 Slides 02 Business Process - Presentation Transcript

HAPTER 2 Overview of Business Processes
INTRODUCTION
Questions to be addressed in this chapter include:
What are the basic business activities in which an organization engages?
What decisions must be made to undertake these activities?
What information is required to make those decisions?
What role does the data processing cycle play in organizing business activities and providing information to users?
What is the role of the information system and enterprise resource planning in modern organizations?
INFORMATION NEEDS AND BUSINESS ACTIVITIES
Businesses engage in a variety of activities, including:
Acquiring capital
Buying buildings and equipment
Hiring and training employees
Purchasing inventory
Doing advertising and marketing
Selling goods or services
Collecting payment from customers
Paying employees
Paying taxes
Paying vendors
Each activity requires different types of decisions!
INFORMATION NEEDS AND BUSINESS ACTIVITIES
Businesses engage in a variety of activities, including:
Acquiring capital
Buying buildings and equipment
Hiring and training employees
Purchasing inventory
Doing advertising and marketing
Selling goods or services
Collecting payment from customers
Paying employees
Paying taxes
Paying vendors
Each decision requires different types of information.
Types of information needed for decisions:
Some is financial
Some is nonfinancial
Some comes from internal sources
Some comes from external sources
An effective AIS needs to be able to integrate information of different types and from different sources.
INFORMATION NEEDS AND BUSINESS ACTIVITIES
INTERACTION WITH EXTERNAL AND INTERNAL PARTIES
The AIS interacts with external parties, such as customers, vendors, creditors, and governmental agencies.
AIS External Parties
INTERACTION WITH EXTERNAL AND INTERNAL PARTIES
The AIS also interacts with internal parties such as employees and management.
AIS Internal Parties External Parties
INTERACTION WITH EXTERNAL AND INTERNAL PARTIES
The interaction is typically two-way, in that the AIS sends information to and receives information from these parties.
AIS Internal Parties External Parties
A transaction is:
An agreement between two entities to exchange goods or services; OR
Any other event that can be measured in economic terms by an organization.
EXAMPLES:
Sell goods to customers
Depreciate equipment
BUSINESS CYCLES
The transaction cycle is a process:
Begins with capturing data about a transaction
Ends with an information output, such as financial statements
BUSINESS CYCLES
Many business activities are paired in give-get exchanges
The basic exchanges can be grouped into five major transaction cycles.
Revenue cycle
Expenditure cycle
Production cycle
Human resources/payroll cycle
Financing cycle
BUSINESS CYCLES
Many business activities are paired in give-get exchanges
The basic exchanges can be grouped into five major transaction cycles.
Revenue cycle
Expenditure cycle
Production cycle
Human resources/payroll cycle
Financing cycle
BUSINESS CYCLES
The revenue cycle involves interactions with your customers.
You sell goods or services and get cash.
REVENUE CYCLE Give Goods Get Cash
Many business activities are paired in give-get exchanges
The basic exchanges can be grouped into five major transaction cycles.
Revenue cycle
Expenditure cycle
Production cycle
Human resources/payroll cycle
Financing cycle
BUSINESS CYCLES
The expenditure cycle involves interactions with your suppliers.
You buy goods or services and pay cash.
EXPENDITURE CYCLE Give Cash Get Goods
Many business activities are paired in give-get exchanges
The basic exchanges can be grouped into five major transaction cycles.
Revenue cycle
Expenditure cycle
Production cycle
Human resources/payroll cycle
Financing cycle
BUSINESS CYCLES
In the production cycle, raw materials and labor are transformed into finished goods.
PRODUCTION CYCLE Give Raw Materials & Labor Get Finished Goods
Many business activities are paired in give-get exchanges
The basic exchanges can be grouped into five major transaction cycles.
Revenue cycle
Expenditure cycle
Production cycle
Human resources/payroll cycle
Financing cycle
BUSINESS CYCLES
The human resources cycle involves interactions with your employees.
Employees are hired, trained, paid, evaluated, promoted, and terminated.
HUMAN RESOURCES/ PAYROLL CYCLE Give Cash Get Labor
Many business activities are paired in give-get exchanges
The basic exchanges can be grouped into five major transaction cycles.
Revenue cycle
Expenditure cycle
Production cycle
Human resources/payroll cycle
Financing cycle
BUSINESS CYCLES
The financing cycle involves interactions with investors and creditors.
You raise capital (through stock or debt), repay the capital, and pay a return on it (interest or dividends).
FINANCING CYCLE Give Cash Get cash
Thousands of transactions can occur within any of these cycles.
But there are relatively few types of transactions in a cycle.
BUSINESS CYCLES
EXAMPLE: In the revenue cycle, the basic give-get transaction is:
Give goods
Get cash
BUSINESS CYCLES
Other transactions in the revenue cycle include:
BUSINESS CYCLES
Handle customer inquiries
Take customer orders
Approve credit sales
Check inventory availability
Initiate back orders
Pick and pack orders
Ship goods
Bill customers
Update sales and Accts Rec. for sales
Receive customer payments
Update Accts Rec. for collections
Handle sales returns, discounts, & bad debts
Prepare management reports
Send info to other cycles
Note that the last activity in any cycle is to send information to other cycles.
Click on the buttons below if you wish to see the transactions that occur in the other cycles:
BUSINESS CYCLES Expenditure Cycle Human Res./ Payroll Cycle Production Cycle Financing Cycle
Transactions in the expenditure cycle:
BUSINESS CYCLES
MAJOR GIVE-GET:
Give cash; get goods or services
OTHER TRANSACTIONS
Requisition goods and services
Process purchase orders to vendors
Receive goods and services
Store goods
Receive vendor invoices
Update accounts payable for purchase
Approve invoices for payment
Pay vendors
Update accounts payable for payment
Handle purchase returns, discounts, and allowances
Prepare management reports
Send info to other cycles
Transactions in the HR/payroll cycle:
BUSINESS CYCLES
MAJOR GIVE-GET:
Give cash; get labor
OTHER TRANSACTIONS
Recruit, hire, and train employees
Evaluate and promote employees
Discharge employees
Update payroll records
Pay employees
Process timecard and commission data
Prepare and distribute payroll
Calculate and disburse tax and benefit payments
Prepare management reports
Send info to other cycles
Transactions in the production cycle:
BUSINESS CYCLES
MAJOR GIVE-GET:
Give labor and raw materials; Get finished goods
OTHER TRANSACTIONS
Design products
Forecast, plan, and schedule production
Requisition raw materials
Manufacture products
Store finished goods
Accumulate costs for products
Prepare management reports
Send info to other cycles
Transactions in the financing cycle:
BUSINESS CYCLES
MAJOR GIVE-GET:
Give cash; get cash
OTHER TRANSACTIONS
Forecast cash needs
Sell securities to investors
Borrow money from lenders
Pay dividends to investors and interest to lenders
Retire debt
Prepare management reports
Send info to other cycles
Every transaction cycle:
Relates to other cycles
Interfaces with the general ledger and reporting system, which generates information for management and external parties.
BUSINESS CYCLES
The revenue cycle
Gets finished goods from the production cycle
Provides funds to the financing cycle
Provides data to the General Ledger and Reporting System
General Ledger and Reporting System Revenue Cycle Expenditure Cycle Production Cycle Human Res./ Payroll Cycle Financing Cycle Finished Goods Funds Data
The expenditure cycle
Gets funds from the financing cycle
Provides raw materials to the production cycle
Provides data to the General Ledger and Reporting System
General Ledger and Reporting System Revenue Cycle Expenditure Cycle Production Cycle Human Res./ Payroll Cycle Financing Cycle Funds Raw Mats. Data
The production cycle:
Gets raw materials from the expenditure cycle
Gets labor from the HR/payroll cycle
Provides finished goods to the revenue cycle
Provides data to the General Ledger and Reporting System
General Ledger and Reporting System Revenue Cycle Expenditure Cycle Production Cycle Human Res./ Payroll Cycle Financing Cycle Raw Mats. Data Finished Goods Labor
The HR/payroll cycle:
Gets funds from the financing cycle
Provides labor to the production cycle
Provides data to the General Ledger and Reporting System
General Ledger and Reporting System Revenue Cycle Expenditure Cycle Production Cycle Human Res./ Payroll Cycle Financing Cycle Labor Funds Data
The Financing cycle:
Gets funds from the revenue cycle
Provides funds to the expenditure and HR/payroll cycles
Provides data to the General Ledger and Reporting System
General Ledger and Reporting System Revenue Cycle Expenditure Cycle Production Cycle Human Res./ Payroll Cycle Financing Cycle Funds Data Funds Funds
The General Ledger and Reporting System:
Gets data from all of the cycles
Provides information for internal and external users
General Ledger and Reporting System Revenue Cycle Expenditure Cycle Production Cycle Human Res./ Payroll Cycle Financing Cycle Information for Internal & External Users Data Data Data Data Data
Many accounting software packages implement the different transaction cycles as separate modules.
Not every module is needed in every organization, e.g., retail companies don’t have a production cycle.
Some companies may need extra modules.
The implementation of each transaction cycle can differ significantly across companies.
BUSINESS CYCLES
However the cycles are implemented, it is critical that the AIS be able to:
Accommodate the information needs of managers
Integrate financial and nonfinancial data.
BUSINESS CYCLES
Accountants play an important role in data processing. They answer questions such as:
What data should be entered and stored?
Who should be able to access the data?
How should the data be organized, updated, stored, accessed, and retrieved?
How can scheduled and unanticipated information needs be met.
To answer these questions, they must understand data processing concepts.
TRANSACTION PROCESSING: THE DATA PROCESSING CYCLE
An important function of the AIS is to efficiently and effectively process the data about a company’s transactions.
In manual systems, data is entered into paper journals and ledgers.
In computer-based systems, the series of operations performed on data is referred to as the data processing cycle.
TRANSACTION PROCESSING: THE DATA PROCESSING CYCLE
The data processing cycle consists of four steps:
Data input
Data storage
Data processing
Information output
TRANSACTION PROCESSING: THE DATA PROCESSING CYCLE
The data processing cycle consists of four steps:
Data input
Data storage
Data processing
Information output
TRANSACTION PROCESSING: THE DATA PROCESSING CYCLE
The first step in data processing is to capture the data.
Usually triggered by a business activity.
Data is captured about:
The event that occurred
The resources affected by the event
The agents who participated
DATA INPUT
A number of actions can be taken to improve the accuracy and efficiency of data input:
Turnaround documents
DATA INPUT
EXAMPLE: The stub on your telephone bill that you tear off and return with your check when you pay the bill.
The customer account number is coded on the document, usually in machine-readable form, which reduces the probability of human error in applying the check to the correct account.
A number of actions can be taken to improve the accuracy and efficiency of data input:
Turnaround documents
Source data automation
DATA INPUT
Capture data with minimal human intervention.
EXAMPLES:
ATMs for banking
Point-of-sale (POS) scanners in retail stores
Automated gas pumps that accept your credit card
A number of actions can be taken to improve the accuracy and efficiency of data input:
Turnaround documents
Source data automation
Well-designed source documents and data entry screens
DATA INPUT
How do these improve the accuracy and efficiency of data input?
A number of actions can be taken to improve the accuracy and efficiency of data input:
Turnaround documents
Source data automation
Well-designed source documents and data entry screens
Using pre-numbered documents or having the system automatically assign sequential numbers to transactions
DATA INPUT
What does it mean if a document number is missing in the sequence?
A number of actions can be taken to improve the accuracy and efficiency of data input:
Turnaround documents
Source data automation
Well-designed source documents and data entry screens
Using pre-numbered documents or having the system automatically assign sequential numbers to transactions
DATA INPUT
What does it mean if there are duplicate document numbers?
A number of actions can be taken to improve the accuracy and efficiency of data input:
Turnaround documents
Source data automation
Well-designed source documents and data entry screens
Using pre-numbered documents or having the system automatically assign sequential numbers to transactions
Verify transactions
DATA INPUT
EXAMPLE: Check for inventory availability before completing an online sales transaction.
The data processing cycle consists of four steps:
Data input
Data storage
Data processing
Information output
TRANSACTION PROCESSING: THE DATA PROCESSING CYCLE
Data needs to be organized for easy and efficient access.
Let’s start with some vocabulary terms with respect to data storage.
DATA STORAGE
Ledger
DATA STORAGE A ledger is a file used to store cumulative information about resources and agents. We typically use the word ledger to describe the set of t-accounts. The t-account is where we keep track of the beginning balance, increases, decreases, and ending balance for each asset, liability, owners’ equity, revenue, expense, gain, loss, and dividend account.
Ledger
Following is an example of a ledger account for accounts receivable:
DATA STORAGE
Ledger
General ledger
DATA STORAGE The general ledger is the summary level information for all accounts. Detail information is not kept in this account.
Ledger
General ledger
DATA STORAGE Example: Suppose XYZ Co. has three customers. Anthony Adams owes XYZ $100. Bill Brown owes $200. And Cory Campbell owes XYZ $300. The balance in accounts receivable in the general ledger will be $600, but you will not be able to tell how much individual customers owe by looking at that account. The detail isn’t there.
Ledger
General ledger
Subsidiary ledger
DATA STORAGE The subsidiary ledgers contain the detail accounts associated with the related general ledger account. The accounts receivable subsidiary ledger will contain three separate t-accounts—one for Anthony Adams, one for Bill Brown, and one for Cory Campbell.
Ledger
General ledger
Subsidiary ledger
DATA STORAGE The related general ledger account is often called a “control” account. The sum of the subsidiary account balances should equal the balance in the control account.
Ledger
General ledger
Subsidiary ledger
Coding techniques
DATA STORAGE
Coding is a method of systematically assigning numbers or letters to data items to help classify and organize them. There are many types of codes including:
Sequence codes
Block codes
Group codes
Ledger
General ledger
Subsidiary ledger
Coding techniques
DATA STORAGE
With sequence codes , items (such as checks or invoices) are numbered consecutively to ensure no gaps in the sequence. The numbering helps ensure that:
All items are accounted for
There are no duplicated numbers, which would suggest errors or fraud
Ledger
General ledger
Subsidiary ledger
Coding techniques
DATA STORAGE
When block codes are used, blocks of numbers within a numerical sequence are reserved for a particular category.
EXAMPLE: The first three digits of a Social Security number make up a block code that indicates the state in which the Social Security number was issued:
001-003 New Hampshire
004-007 Maine
008-009 Vermont
Ledger
General ledger
Subsidiary ledger
Coding techniques
DATA STORAGE
When group codes are used, two or more subgroups of digits are used to code an item.
EXAMPLE: The code in the upper, right-hand corner of many checks is a group code organized as follows:
Digits 1-2 Bank number
Digit 3 Federal Reserve District
Digits 4-7 Branch office of Federal Reserve
Digits 8-9 State
Ledger
General ledger
Subsidiary ledger
Coding techniques
DATA STORAGE
Group coding schemes are often used in assigning general ledger account numbers. The following guidelines should be observed:
The code should be consistent with its intended use, so make sure you know what users need.
Provide enough digits to allow room for growth.
Keep it simple in order to:
Minimize costs
Facilitate memorization
Ensure employee acceptance
Make sure it’s consistent with:
The company’s organization structure
Other divisions of the organization
Ledger
General ledger
Subsidiary ledger
Coding techniques
Chart of accounts
DATA STORAGE
The chart of accounts is a list of all general ledger accounts an organization uses.
Group coding is often used for these numbers, e.g.:
The first section identifies the major account categories , such as asset, liability, revenue, etc.
The second section identifies the primary sub-account , such as current asset or long-term investment.
The third section identifies the specific account , such as accounts receivable or inventory.
The fourth section identifies the subsidiary account , e.g., the specific customer code for an account receivable.
The structure of this chart is an important AIS issue, as it must contain sufficient detail to meet the organization’s needs.
Ledger
General ledger
Subsidiary ledger
Coding techniques
Chart of accounts
DATA STORAGE
Table 2-4 in your textbook contains the chart of accounts for S&S.
What is the account number for federal unemployment taxes payable?
What is the account number for cost of goods sold?
What is the range of account numbers for expenses?
With this chart of accounts, can S&S easily distinguish the costs they incur for automobile insurance from the costs for health insurance?
Ledger
General ledger
Subsidiary ledger
Coding techniques
Chart of accounts
Journals
DATA STORAGE
In manual systems and some accounting packages, the first place that transactions are entered is the journal.
A general journal is used to record:
Non-routine transactions, such as loan payments
Summaries of routine transactions
Adjusting entries
Closing entries
A special journal is used to record routine transactions. The most common special journals are:
Cash receipts
Cash disbursements
Credit sales
Credit purchases
Ledger
General ledger
Subsidiary ledger
Coding techniques
Chart of accounts
Journals
Audit trail
DATA STORAGE
An audit trail exists when there is sufficient documentation to allow the tracing of a transaction from beginning to end or from the end back to the beginning.
The inclusion of posting references and document numbers enable the tracing of transactions through the journals and ledgers and therefore facilitate the audit trail.
Now that we’ve learned some storage terminology, let’s return to the data storage process.
When transaction data is captured on a source document, the next step is to record the data in a journal.
A journal entry is made for each transaction showing the accounts and amounts to be credited.
DATA STORAGE
If you took a principles of financial accounting class, you probably worked with journals that looked something like this:
DATA STORAGE
You may not have gotten much experience with special journals, but in most real-world situations, journal entries really work like this.
Entries are originally made in the general journal only for
Non-routine transactions.
Summaries of routine transactions
Routine transactions are originally entered in special journals. The most common special journals are:
Credit sales
Cash receipts
Credit purchases
Cash disbursements
DATA STORAGE
Let’s work through an example with a special journal. In this case we’ll use the sales journal.
DATA STORAGE
On Dec. 1, a sale is made to Lee Co. for $800. Lee Co. was sent Invoice No. 201.
DATA STORAGE
The general ledger account number for accounts receivable is No. 120. Lee Co. was about the 122 nd customer, so their subsidiary account number is 120-122.
DATA STORAGE
The next sale on Dec. 1 was made to May Co. for $700.
DATA STORAGE
The third and final sale on Dec. 1 was made to DLK Co. for $900.
DATA STORAGE
Suppose the company making these sales posts transactions at the end of each day. Consequently, at day’s end, they will post each individual transaction to the accounts receivable subsidiary ledger:
An $800 increase in accounts receivable (debit) will be posted to Lee Co.’s subsidiary account (120-122).
A $700 debit will be posted to May Co.’s subsidiary account (120-033).
A $900 debit will be posted to DLK Co.’s subsidiary account (120-111).
DATA STORAGE
Then a summary journal entry must be made to the general journal. The sales for the period are totaled. In this case, they add up to $2,400.
DATA STORAGE
The “120/502” that appears beneath the total indicates that a summary journal entry is made in the general journal with a debit to accounts receivable (120) and a credit to sales (502).
DATA STORAGE
The entries in the general journal are periodically (or automatically) posted to the general ledger. The $2,400 debit to accounts receivable will be posted to the accounts receivable control account, and the $2,400 credit will be posted to the general ledger account for sales.
DATA STORAGE
From time to time, the subsidiary account balances will be added up, and this sum will be compared to the balance of the control account.
What does it mean if they aren’t equal?
DATA STORAGE
Review so far:
When routine transactions occur, they are recorded in special journals .
When non-routine transactions occur, they are recorded in the general journal .
Periodically, the transactions in the special journal are totaled, and a summary entry is made in the general journal.
The individual line items in the special journal are posted to the subsidiary ledger accounts.
The items in the general journal are posted to the general ledger.
Periodically, the balances in the general ledger control accounts are compared to the sums of the balances in the related subsidiary accounts.
DATA STORAGE
Click the button below if you wish to go through a summary of the remaining steps in the accounting cycle:
DATA STORAGE See Remainder Of Accounting Cycle
The Rest of the Story:
As transactions occur, they are recorded in journals and then posted to ledgers.
But that’s not the end of the story.
At the end of each accounting period, we complete the process by carrying out the following steps.
DATA STORAGE
Using the balances in the general ledger, prepare a trial balance.
DATA STORAGE
Prepare the end-of-period adjusting entries.
Record in journal
Post to ledger
Make an adjusted trial balance.
Using the numbers in the adjusted trial balance, prepare an income statement.
Prepare closing entries.
Prepare:
Statement of stockholders’ equity
Balance sheet
Statement of cash flows
DATA STORAGE
Now let’s moving on to discussing some computer-based storage concepts, including:
Entity
Attribute
Record
Data Value
Field
File
Master File
Transaction File
Database
COMPUTER-BASED STORAGE CONCEPTS
An entity is something about which information is stored.
In your university’s student information system, one entity is the student. The student information system stores information about students.
What are some other entities in your student information system?
COMPUTER-BASED STORAGE CONCEPTS
Attributes are characteristics of interest with respect to the entity.
Some attributes that a student information system typically stores about the student entity are:
Student ID number
Phone number
Address
What are some other attributes about students that a university might store?
COMPUTER-BASED STORAGE CONCEPTS
A field is the physical space where an attribute is stored.
The space where the student ID number is stored is the student ID field.
COMPUTER-BASED STORAGE CONCEPTS 4057475863 CARLA FLANDERS 529036409 4057440236 BARRY ANDREWS 328500732 4053721111 ALICE SIMPSON 328469993 Col. 41-50 Col. 31-40 Col. 10-30 Col. 1-9
A record is the set of attributes stored for a particular instance of an entity.
The combination of attributes stored for Barry Andrews is Barry’s record.
COMPUTER-BASED STORAGE CONCEPTS 4057475863 CARLA FLANDERS 529036409 4057440236 BARRY ANDREWS 328500732 4053721111 ALICE SIMPSON 328469993 Col. 41-50 Col. 31-40 Col. 10-30 Col. 1-9
A data value is the intersection of the row and column.
The data value for Barry Andrews’ phone number is 405-744-0236.
COMPUTER-BASED STORAGE CONCEPTS 4057475863 CARLA FLANDERS 529036409 4057440236 BARRY ANDREWS 328500732 4053721111 ALICE SIMPSON 328469993 Col. 41-50 Col. 31-40 Col. 10-30 Col. 1-9
A file is a group of related records.
The collection of records about all students at the university might be called the student file. If there were only three students and four attributes stored for each student, the file might appear as shown below:
COMPUTER-BASED STORAGE CONCEPTS 4057475863 CARLA FLANDERS 529036409 4057440236 BARRY ANDREWS 328500732 4053721111 ALICE SIMPSON 328469993 Col. 41-50 Col. 31-40 Col. 10-30 Col. 1-9
A master file is a file that stores cumulative information about an organization’s entities.
It is conceptually similar to a ledger in a manual AIS in that:
The file is permanent
The file exists across fiscal periods
Changes are made to the file to reflect the effects of new transactions.
COMPUTER-BASED STORAGE CONCEPTS
A transaction file is a file that contains records of individual transactions (events) that occur during a fiscal period.
It is conceptually similar to a journal in a manual AIS in that:
The files are temporary
The files are usually maintained for one fiscal period
COMPUTER-BASED STORAGE CONCEPTS
A database is a set of interrelated, centrally-coordinated files.
When files about students are integrated with files about classes and files about instructors, we have a database.
COMPUTER-BASED STORAGE CONCEPTS Student File Class File Instructor File
The data processing cycle consists of four steps:
Data input
Data storage
Data processing
Information output
TRANSACTION PROCESSING: THE DATA PROCESSING CYCLE
Once data about a business activity has been collected and entered into a system, it must be processed.
DATA PROCESSING
There are four different types of file processing:
Updating data to record the occurrence of an event, the resources affected by the event, and the agents who participated, e.g., recording a sale to a customer.
Changing data , e.g., a customer address
Adding data , e.g., a new customer.
Deleting data , e.g., removing an old customer that has not purchased anything in 5 years.
DATA PROCESSING
Updating can be done through several approaches:
Batch processing
DATA PROCESSING
Batch processing:
Source documents are grouped into batches, and control totals are calculated.
Periodically, the batches are entered into the computer system, edited, sorted, and stored in a temporary file.
The temporary transaction file is run against the master file to update the master file.
Output is printed or displayed, along with error reports, transaction reports, and control totals.
DATA PROCESSING
Updating can be done through several approaches:
Batch processing
On-line Batch Processing
DATA PROCESSING
On-line batch processing:
Transactions are entered into a computer system as they occur and stored in a temporary file.
Periodically, the temporary transaction file is run against the master file to update the master file.
The output is printed or displayed.
DATA PROCESSING
Updating can be done through several approaches:
Batch processing
On-line Batch Processing
On-line, Real-time Processing
DATA PROCESSING
On-line, Real-time Processing
Transactions are entered into a computer system as they occur.
The master file is immediately updated with the data from the transaction.
Output is printed or displayed.
DATA PROCESSING
Updating can be done through several approaches:
Batch processing
On-line Batch Processing
On-line, Real-time Processing
If you’re going through enrollment, which of these approaches would you prefer that your university was using?
Why?
DATA PROCESSING
The data processing cycle consists of four steps:
Data input
Data storage
Data processing
Information output
TRANSACTION PROCESSING: THE DATA PROCESSING CYCLE
The final step in the information process is information output.
This output can be in the form of:
Documents
INFORMATION OUTPUT
Documents are records of transactions or other company data.
EXAMPLE: Employee paychecks or purchase orders for merchandise
Documents generated at the end of the transaction processing activities are known as operational documents (as opposed to source documents).
They can be printed or stored as electronic images.
The final step in the information process is information output.
This output can be in the form of:
Documents
Reports
INFORMATION OUTPUT
Reports are used by employees to control operational activities and by managers to make decisions and design strategies.
They may be produced:
On a regular basis
On an exception basis
On demand
Organizations should periodically reassess whether each report is needed.
The final step in the information process is information output.
This output can be in the form of:
Documents
Reports
Queries
INFORMATION OUTPUT
Queries are user requests for specific pieces of information.
They may be requested:
Periodically
One time
They can be displayed:
On the monitor, called soft copy
On the screen, called hard copy
Output can serve a variety of purposes:
Financial statements can be provided to both external and internal parties.
Some outputs are specifically for internal use:
For planning purposes
INFORMATION OUTPUT
Examples of outputs for planning purposes include:
Budgets
Budgets are an entity’s formal expression of goals in financial terms
Sales forecasts
Output can serve a variety of purposes:
Financial statements can be provided to both external and internal parties.
Some outputs are specifically for internal use:
For planning purposes
For management of day-to-day operations
INFORMATION OUTPUT
Example: delivery schedules
Output can serve a variety of purposes:
Financial statements can be provided to both external and internal parties.
Some outputs are specifically for internal use:
For planning purposes
For management of day-to-day operations
For control purposes
INFORMATION OUTPUT
Performance reports are outputs that are used for control purposes.
These reports compare an organization’s standard or expected performance with its actual outcomes.
Management by exception is an approach to utilizing performance reports that focuses on investigating and acting on only those variances that are significant.
Output can serve a variety of purposes:
Financial statements can be provided to both external and internal parties.
Some outputs are specifically for internal use:
For planning purposes
For management of day-to-day operations
For control purposes
For evaluation purposes
INFORMATION OUTPUT
These outputs might include:
Surveys of customer satisfaction
Reports on employee error rates
Behavioral implications of managerial reports:
YOU GET WHAT YOU MEASURE!
INFORMATION OUTPUT
Suppose an instructor wants to improve student learning.
He decides to encourage better attendance by grading students on attendance (i.e., measuring it).
The result will be better student attendance, i.e., you get what you measure.
The improved attendance may or may not improve learning outcomes.
Students may be getting better grades when attendance is measured, but not learning more.
Some students may in fact reduce their studying because they believe they can use the attendance score to boost their grade. This behavior would be a dysfunctional result of the measurement.
INFORMATION OUTPUT
Budgets can cause dysfunctional behavior.
EXAMPLE: In order to stay within budget, the IT Department did not buy a security package for its system.
A hacker broke in and devastated some of their data files.
Critical security measures were foregone in order to meet budgetary goals.
The resulting costs far outweighed the savings.
INFORMATION OUTPUT
Budgeting can also be dysfunctional in that the focus can be redirected to creating acceptable numbers instead of achieving organizational objectives.
Does this mean organizations shouldn’t budget?
INFORMATION OUTPUT
The saying goes, “Not many people sit around and have a roast goose fall in their lap.”
In other words, if you want a roast goose, you have to aim.
With financial results, you’re also unlikely to achieve when you don’t aim.
Just be careful where you aim!
INFORMATION OUTPUT
The traditional AIS captured financial data.
Non-financial data was captured in other, sometimes-redundant systems
Enterprise resource planning (ERP) systems are designed to integrate all aspects of a company’s operations (including both financial and non-financial information) with the traditional functions of an AIS.
ROLE OF THE AIS
We’ve learned about the basic business activities in which an organization engages, the decisions that need to be made, and the information required to make those decisions.
We’ve reviewed the data processing cycle and its role in organizing business activities and providing information to users.
Finally, we’ve touched on the role of the information systems in modern organizations and introduced the notion of enterprise resource planning systems.
SUMMARY

Ais Romney 2006 Slides 01 Overview

2009-11-01T06:47:00.000-08:00

AIS-Romney-2006-slides-01-overview.ppt

View more presentations from sharingnotes123.

AIS-Romney-2006-slides-01-overview.ppt - Presentation Transcript

HAPTER 1 Accounting Information Systems: An Overview
INTRODUCTION
Questions to be addressed in this chapter include:
What is the meaning of system , data , and information ?
What is an accounting information system (AIS)?
Why is the AIS an important topic to study?
What is the role of the AIS in the value chain?
How does the AIS provide information for decision making?
What are the basic strategies and strategic positions an organization can pursue?
SYSTEMS, DATA, AND INFORMATION
A system is:
A set of interrelated components
That interact
To achieve a goal
SYSTEMS, DATA, AND INFORMATION
Most systems are composed of smaller subsystems . . .
. . . And vice versa!
SYSTEMS, DATA, AND INFORMATION
Every organization has goals.
The subsystems should be designed to maximize achievement of the organization’s goals
Even to the detriment of the subsystem itself
EXAMPLE: The production department (a subsystem) of a company might have to forego its goal of staying within its budget in order to meet the organization’s goal of delivering product on time.
SYSTEMS, DATA, AND INFORMATION
Goal conflict occurs when the activity of a subsystem is not consistent with another subsystem or with the larger system.
Goal congruence occurs when the subsystem’s goals are in line with the organization’s goals.
The larger and more complicated a system, the more difficult it is to achieve goal congruence.
SYSTEMS, DATA, AND INFORMATION
The systems concept encourages integration (i.e., minimizing the duplication of recording, storing, reporting and processing).
Data are facts that are collected, recorded, stored, and processed by an information system.
Organizations collect data about:
Events that occur
Resources that are affected by those events
Agents who participate in the events
SYSTEMS, DATA, AND INFORMATION
Information is different from data.
Information is data that have been organized and processed to provide meaning to a user.
Usually, more information and better information translates into better decisions.
SYSTEMS, DATA, AND INFORMATION
However, when you get more information than you can effectively assimilate, you suffer from information overload .
Example: Final exams week!
When you’ve reached the overload point, the quality of decisions declines while the costs of producing the information increases.
SYSTEMS, DATA, AND INFORMATION
Benefits of information
- Cost of producing information
Value of information
Benefits of information may include:
Reduction of uncertainty
Improved decisions
Improved ability to plan and schedule activities
SYSTEMS, DATA, AND INFORMATION
Benefits of information
- Cost of producing information
Value of information
Costs may include time and resources spent:
Collecting data
Processing data
Storing data
Distributing information to users
SYSTEMS, DATA, AND INFORMATION
Benefits of information
- Cost of producing information
Value of information
Costs and benefits of information are often difficult to quantify, but you need to try when you’re making decisions about whether to provide information.
SYSTEMS, DATA, AND INFORMATION
Characteristics that make information useful:
Relevance
It reduces uncertainty by helping you predict what will happen or confirm what already has happened.
SYSTEMS, DATA, AND INFORMATION
Characteristics that make information useful:
Relevance
Reliability
It’s dependable, i.e., free from error or bias and faithfully portrays events and activities.
SYSTEMS, DATA, AND INFORMATION
Characteristics that make information useful:
Relevance
Reliability
Completeness
It doesn’t leave out anything that’s important.
SYSTEMS, DATA, AND INFORMATION
Characteristics that make information useful:
Relevance
Reliability
Completeness
Timeliness
You get it in time to make your decision.
SYSTEMS, DATA, AND INFORMATION
Characteristics that make information useful:
Relevance
Reliability
Completeness
Timeliness
Understandability
It’s presented in a manner you can comprehend and use.
SYSTEMS, DATA, AND INFORMATION
Characteristics that make information useful:
Relevance
Reliability
Completeness
Timeliness
Understandability
Verifiability
A consensus notion—the nature of the information is such that different people would tend to produce the same result.
SYSTEMS, DATA, AND INFORMATION
Characteristics that make information useful:
Relevance
Reliability
Completeness
Timeliness
Understandability
Verifiability
Accessibility
You can get to it when you need it and in a format you can use.
Information is provided to both:
External users
Internal Users
SYSTEMS, DATA, AND INFORMATION
Information is provided to both:
External users
Internal Users
SYSTEMS, DATA, AND INFORMATION
External users primarily use information that is either:
MANDATORY INFORMATION—Required by a governmental entity, such as Form 10-K’s required by the SEC; or
ESSENTIAL INFORMATION—Required to conduct business with external parties, such as purchase orders.
SYSTEMS, DATA, AND INFORMATION
In providing mandatory or essential information, the focus should be on:
Minimizing costs
Meeting regulatory requirements
Meeting minimum standards of reliability and usefulness
SYSTEMS, DATA, AND INFORMATION
Information is provided to both:
External users
Internal Users
SYSTEMS, DATA, AND INFORMATION
Internal users primarily use discretionary information.
The primary focus in producing this information is ensuring that benefits exceed costs, i.e., the information has positive value.
SYSTEMS, DATA, AND INFORMATION
An AIS is a system that collects, records, stores, and processes data to produce information for decision makers.
It can:
Use advanced technology; or
Be a simple paper-and-pencil system; or
Be something in between.
Technology is simply a tool to create, maintain, or improve a system.
WHAT IS AN AIS?
The functions of an AIS are to:
Collect and store data about events, resources, and agents.
Transform that data into information that management can use to make decisions about events, resources, and agents.
Provide adequate controls to ensure that the entity’s resources (including data) are:
Available when needed
Accurate and reliable
WHAT IS AN AIS?
It’s fundamental to accounting.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
Accounting is an information-providing activity, so accountants need to understand:
How the system that provides that information is designed, implemented and used.
How financial information is reported
How information is used to make decisions
It’s fundamental to accounting.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
Other accounting courses focus on how the information is provided and used.
An AIS course places greater emphasis on:
How the data is collected and transformed
How the availability, reliability, and accuracy of the data is ensured
AIS courses are not number-crunching courses
It’s fundamental to accounting.
The skills are critical to career success.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
Auditors need to evaluate the accuracy and reliability of information produced by the AIS.
It’s fundamental to accounting.
The skills are critical to career success.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
Tax accountants must understand the client’s AIS adequately to be confident that it is providing complete and accurate information for tax planning and compliance work.
It’s fundamental to accounting.
The skills are critical to career success.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
In private industry and not-for-profits , systems work is considered the most important activity performed by accountants.
It’s fundamental to accounting.
The skills are critical to career success.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
In management consulting , the design, selection, and implementation of accounting systems is a rapid growth area.
It’s fundamental to accounting.
The skills are critical to career success.
The AIS course complements other systems courses.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
Other systems courses focus on design and implementation of information systems, databases, expert systems, and telecommunications.
AIS courses focus on accountability and control.
It’s fundamental to accounting.
The skills are critical to career success.
The AIS course complements other systems courses.
AIS topics are tested on the new CPA exam.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
Makes up about 25% of the Business Environment & Concepts section of the CPA exam.
It’s fundamental to accounting.
The skills are critical to career success.
The AIS course complements other systems courses.
AIS topics are tested on the new CPA exam.
AIS topics impact corporate strategy and culture.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS?
WHY STUDY ACCOUNTING INFORMATION SYSTEMS? AIS Occupational Culture Strategy Information Technology AIS design is affected by information technology, the organization’s strategy, and the organization’s culture.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS? AIS Occupational Culture Strategy Information Technology Information technology affects the company’s choice of business strategy. To perform cost-benefit analyses on IT changes, you need to understand business strategy.
WHY STUDY ACCOUNTING INFORMATION SYSTEMS? AIS Occupational Culture Strategy Information Technology While culture affects the design of the AIS, it’s also true that the AIS affects culture by altering the dispersion and availability of information.
The objective of most organizations is to provide value to their customers.
What does it mean to deliver value?
Let’s peek in on a conversation at Joe’s pharmacy . . .
ROLE OF THE AIS IN THE VALUE CHAIN
ROLE OF THE AIS IN THE VALUE CHAIN Well, Mr. Pharmaceutical Salesman, your proposal looks good, but your prices are about 5% higher than your competitors.
ROLE OF THE AIS IN THE VALUE CHAIN That’s true, but we’re comfortable with that because of the value-added that we bring to this arrangement.
ROLE OF THE AIS IN THE VALUE CHAIN What is that “value-added,” and how do you convert it into dollars?
ROLE OF THE AIS IN THE VALUE CHAIN Blah—blah—blah– customer service– blah—blah--blah
While “adding value” is a commonly used buzzword, in its genuine sense, it means making the value of the finished component greater than the sum of its parts.
It may mean:
Making it faster
Making it more reliable
Providing better service or advice
Providing something in limited supply (like O-negative blood or rare gems)
Providing enhanced features
Customizing it
ROLE OF THE AIS IN THE VALUE CHAIN
Value is provided by performing a series of activities referred to as the value chain. These include:
Primary activities
Support activities
These activities are sometimes referred to as “line” and “staff” activities respectively.
ROLE OF THE AIS IN THE VALUE CHAIN
Value is provided by performing a series of activities referred to as the value chain. These include:
Primary activities
Support activities
These activities are sometimes referred to as “line” and “staff” activities respectively.
ROLE OF THE AIS IN THE VALUE CHAIN
Primary activities include:
Inbound logistics
ROLE OF THE AIS IN THE VALUE CHAIN Receiving, storing, and distributing the materials that are inputs to the organization’s product or service. For a pharmaceutical company, this activity might involve handling incoming chemicals and elements that will be used to make their drugs.
Primary activities include:
Inbound logistics
Operations
ROLE OF THE AIS IN THE VALUE CHAIN Transforming those inputs into products or services. For the pharmaceutical company, this step involves combining the raw chemicals and elements with the work of people and equipment to produce the finished drug product that will be sold to customers.
Primary activities include:
Inbound logistics
Operations
Outbound logistics
ROLE OF THE AIS IN THE VALUE CHAIN Distributing products or services to customers. For the pharmaceutical company, this step involves packaging and shipping the goods to drug stores, doctors, and hospitals.
Primary activities include:
Inbound logistics
Operations
Outbound logistics
Marketing and sales
ROLE OF THE AIS IN THE VALUE CHAIN Helping customers to buy the organization’s products or services. A pharmacy rep may visit with drug stores, doctors, etc. to inform them about their products and take orders.
Primary activities include:
Inbound logistics
Operations
Outbound logistics
Marketing and sales
Service
ROLE OF THE AIS IN THE VALUE CHAIN Post-sale support provided to customers such as repair and maintenance function. A pharmaceutical firm will typically not be repairing it’s product (though the product may be periodically reformulated). The pharmaceutical company is more likely to be providing advisory services to pharmacists, etc.
Value is provided by performing a series of activities referred to as the value chain. These include:
Primary activities
Support activities
These activities are sometimes referred to as “line” and “staff” activities respectively.
ROLE OF THE AIS IN THE VALUE CHAIN
Support activities include:
Firm infrastructure
ROLE OF THE AIS IN THE VALUE CHAIN Accountants, lawyers, and administration. Includes the company’s accounting information system.
Support activities include:
Firm infrastructure
Human resources
ROLE OF THE AIS IN THE VALUE CHAIN Involves recruiting and hiring new employees, training employees, paying employees, and handling employee benefits.
Support activities include:
Firm infrastructure
Human resources
Technology
ROLE OF THE AIS IN THE VALUE CHAIN Activities to improve the products or services (e.g., R&D, website development). For the pharmaceutical company, these activities would include research and development to create new drugs and modify existing ones.
Support activities include:
Firm infrastructure
Human resources
Technology
Purchasing
ROLE OF THE AIS IN THE VALUE CHAIN Buying the resources (e.g., materials, inventory, fixed assets) needed to carry out the entity’s primary activities. In the pharmaceutical company, the purchasing folks are trying to get the best combination of cost and quality in buying chemicals, supplies, and other assets the company needs to run its operations.
Information technology can significantly impact the efficiency and effectiveness with which the preceding activities are carried out.
An organization’s value chain can be connected with the value chains of its customers, suppliers, and distributors.
ROLE OF THE AIS IN THE VALUE CHAIN
Pharmaceuticals, Inc.
Inbound Logistics
Operations
Outbound Logistics
Marketing & Sales
Service
ROLE OF THE AIS IN THE VALUE CHAIN Smith Supply Co. Inbound Logistics Operations Outbound Logistics Marketing & Sales Service Customer Pharmacy Inbound Logistics Operations Outbound Logistics Marketing & Sales Service For example, the inbound logistics of Pharmaceuticals, Inc., links to the outbound logistics of its suppliers.
Pharmaceuticals, Inc.
Inbound Logistics
Operations
Outbound Logistics
Marketing & Sales
Service
ROLE OF THE AIS IN THE VALUE CHAIN Smith Supply Co. Inbound Logistics Operations Outbound Logistics Marketing & Sales Service Customer Pharmacy Inbound Logistics Operations Outbound Logistics Marketing & Sales Service And the outbound logistics of Pharmaceuticals, Inc., links to the inbound logistics of its customers.
Pharmaceuticals, Inc.
Inbound Logistics
Operations
Outbound Logistics
Marketing & Sales
Service
ROLE OF THE AIS IN THE VALUE CHAIN Smith Supply Co. Inbound Logistics Operations Outbound Logistics Marketing & Sales Service Customer Pharmacy Inbound Logistics Operations Outbound Logistics Marketing & Sales Service The linking of these separate value chains creates a larger system known as a supply chain .
Pharmaceuticals, Inc.
Inbound Logistics
Operations
Outbound Logistics
Marketing & Sales
Service
ROLE OF THE AIS IN THE VALUE CHAIN Smith Supply Co. Inbound Logistics Operations Outbound Logistics Marketing & Sales Service Customer Pharmacy Inbound Logistics Operations Outbound Logistics Marketing & Sales Service The linking of these separate value chains creates a larger system known as a supply chain . Information technology can facilitate synergistic linkages that improve the performance of each company’s value chain.
There is variation in the degree of structure used to make decisions:
Structured decisions
ROLE OF THE AIS IN THE VALUE CHAIN
Repetitive and routine
Can be delegated to lower-level employees
EXAMPLE: Deciding whether to write an auto insurance policy for a customer with a clean driving history.
There is variation in the degree of structure used to make decisions:
Structured decisions
Semistructured decisions
ROLE OF THE AIS IN THE VALUE CHAIN
Incomplete rules
Require subjective assessments
EXAMPLE: Deciding whether to sell auto insurance to a customer with a tainted driving history.
There is variation in the degree of structure used to make decisions:
Structured decisions
Semistructured decisions
Structured decisions
ROLE OF THE AIS IN THE VALUE CHAIN
Non-recurring and non-routine
Require a great deal of subjective assessment
EXAMPLE: Deciding whether to begin selling a new type of insurance policy
There is also variation in the scope of a decision’s effect:
Occupational control decisions
ROLE OF THE AIS IN THE VALUE CHAIN
Relate to performance of specific tasks
Often of a day-to-day nature
EXAMPLE: Deciding whether to order inventory
There is also variation in the scope of a decision’s effect:
Occupational control decisions
Management control decisions
ROLE OF THE AIS IN THE VALUE CHAIN
Relate to utilizing resources to accomplish organizational objectives
EXAMPLE: Budgeting
There is also variation in the scope of a decision’s effect:
Occupational control decisions
Management control decisions
Strategic planning decisions
ROLE OF THE AIS IN THE VALUE CHAIN
The “what do we want to be when we grow up” types of questions
Involves establishing
Organizational objectives
Policies to achieve those objectives
EXAMPLE: Deciding whether to diversify the company into other product lines
In general, the higher a manager is in the organization, the more likely he/she is to be engaging in:
Less structured decisions
Broader scope (i.e., strategic planning) decisions
ROLE OF THE AIS IN THE VALUE CHAIN
Corporations have:
Unlimited opportunities to invest in technology
Limited resources to invest in technology
Consequently, they must identify the improvements likely to yield the highest return.
This decision requires an understanding of the entity’s overall business strategy.
THE AIS AND CORPORATE STRATEGY
Michael Porter suggests that there are two basic business strategies companies can follow:
Product-differentiation strategy
Low-cost strategy
THE AIS AND CORPORATE STRATEGY
Michael Porter suggests that there are two basic business strategies companies can follow:
Product-differentiation strategy
Low-cost strategy
THE AIS AND CORPORATE STRATEGY
A product differentiation strategy involves setting your product apart from those of your competitors, i.e., building a “better” mousetrap by offering one that’s faster, has enhanced features, etc.
THE AIS AND CORPORATE STRATEGY
Michael Porter suggests that there are two basic business strategies companies can follow:
Product-differentiation strategy
Low-cost strategy
THE AIS AND CORPORATE STRATEGY
A low-cost strategy involves offering a cheaper mousetrap than your competitors. The low cost is made possible by operating more efficiently.
THE AIS AND CORPORATE STRATEGY
Sometimes a company can do both, but they normally have to choose.
THE AIS AND CORPORATE STRATEGY
Porter also argues that companies must choose a strategic position among three choices:
Variety-based strategic position
THE AIS AND CORPORATE STRATEGY
Offer a subset of the industry’s products or services.
EXAMPLE: An insurance company that only offers life insurance as opposed to life, health, property-casualty, etc.
Porter also argues that companies must choose a strategic position among three choices:
Variety-based strategic position
Needs-based strategic position
THE AIS AND CORPORATE STRATEGY
Serve most or all of the needs of a particular group of customers in a target market.
EXAMPLE: The original Farm Bureau-based insurance companies provided a portfolio of insurance and financial services tailored to the specific needs of farmers.
Porter also argues that companies must choose a strategic position among three choices:
Variety-based strategic position
Needs-based strategic position
Access-based strategic position
THE AIS AND CORPORATE STRATEGY
Serve a subset of customers who differ from others in terms of factors such as geographic location or size..
EXAMPLE: Satellite Internet services are intended primarily for customers in rural areas who cannot get DSL or cable services.
Porter also argues that companies must choose a strategic position among three choices:
Variety-based strategic position
Needs-based strategic position
Access-based strategic position
These strategic positions are not mutually exclusive and can overlap.
THE AIS AND CORPORATE STRATEGY
Choosing a strategic position is important because it helps a company focus its efforts as opposed to trying to be everything to everybody.
EXAMPLE: A radio station that tries to play all types of music will probably fail.
It’s critical to design the organization’s activities so they reinforce one another in achieving the selected strategic position. The result is synergy, which is difficult for competitors to imitate.
THE AIS AND CORPORATE STRATEGY
The growth of the Internet has profoundly affected the way value chain activities are performed:
Inbound and outbound logistics can be streamlined for products that can be digitized, like books and music.
The Internet allows companies to cut costs, which impacts strategy and strategic position.
Because the Internet is available to everyone, intense price competition can result. The outcome may be that many companies shift from low-cost to product-differentiation strategies.
The Internet may impede access-based strategic positions.
THE AIS AND CORPORATE STRATEGY
The AIS should help a company adopt and maintain its strategic position.
Requires that data be collected about each activity.
Requires the collection and integration of both financial and nonfinancial data.
THE AIS AND CORPORATE STRATEGY
The authors believe:
Accounting and information systems should be closely integrated.
The AIS should be the primary information system to provide users with information they need to perform their jobs.
THE AIS AND CORPORATE STRATEGY
SUMMARY
What we’ve learned so far:
The meaning of system , data , and information
What an AIS is
Why it’s an important topic to stody
What its role is in the value chain
How it provides information for decision making
What are the basic strategies and strategic positions an organization can pursue
How these interact with the AIS

Download

2009-11-01T06:28:00.000-08:00

sharing notes 123

2009-11-01T05:53:00.000-08:00

sharing notes 123