Accounting Information Systems Full Notes HD


Accounting Information System (Monash University)



Downloaded by Mohmed Goda ([email protected])
lOMoARcPSD|6630178

Conceptual Foundation of AIS


System: 2 or more interrelated components that interact to achieve a goal
Goal conflict: the subsystem's goals are inconsistent with the goals of another subsystem
Goal Congruence: where the subsystem achieves its goals while contributing to an organisation's
overall goal.

Information: data that has been processed. It gives companies a competitive advantage, but
information overload can occur without a proper goal for data collection or limits on analysis.
Data: facts that are collected, recorded, stored and processed by an information system.
Value of information: the benefit produced less the costs to obtain the information. This determines
the effectiveness of information.
Business process: a set of related, coordinated and structured activities and tasks performed to
achieve a specific organisational goal

Characteristics of useful information:
• Relevant
• Reliable
• Complete
• Timely
• Understandable
• Verifiable
• Accountable.

Traditionally silo processing was used which kept each aspect of the business separate, but now
there tends to be a central database.

Transaction processing: the process of capturing, processing, storing and producing information
output from transaction data.
Give-get exchange: transactions that occur many times

Business Processes/Transaction Cycles:
• Revenue cycle: selling goods for cash or the promise of it
• Expenditure cycle: purchasing inventory/new material
• Production/conversion cycle
• Human resource/payroll cycle
• Financing cycle

Accounting information system: a system that collects, records, stores and processes data to
produce information for decision makers. The components are:
• Users
• Procedures and instructions
• Data
• Software
• IT infrastructure
• Internal controls and security measures
They add value through:
• Improving quality and reducing costs of products and services
• Improving efficiency
• Sharing knowledge
• Improving efficiency and effectiveness of supply chain


• Improving internal controls
• Improving decision making
• It safeguards the organisation

Primary activities of the value chain:
• Inbound logistics
• Operations
• Outbound logistics
• Marketing and sales
• Services
Different enterprises' AIS can enable inter-organisational value chain transaction data processing and
information sharing, which can be leveraged to help the organisations.

Support activities:
• Firm infrastructure
• Human resources
• Technology
• Purchasing

Data processing cycle: the four operations performed on data to generate meaningful and relevant
information.
These are:
1. Input
2. Storing
3. Processing
4. Output
Data processing activities:
• Creating
• Reading
• Updating
• Deleting
If bad data is in, then it's going to be bad information coming out

Batch processing: updating periodically. This isn't instant, so real time processing is preferred.
This data must be collected on three facets of business activity:
• Type
• Resources affected
• People who participated

Historically source documents are used to collect data

Turnaround documents: company output sent to an external party and returned as input records

Source data automation: collection of transaction data in machine readable form at the time and
place of origin.

Data in ledgers often use coding techniques, which are systems to classify and organise them.
• Sequence code: items are numbered consecutively
• Block code: blocks of numbers are reserved for various categories
• Group codes: two or more subgroups are used to code items


• Mnemonic Codes: letters and numbers are interspersed to identify the item
There should be consistency, potential for growth and it should be as simple as possible.

Audit trail: a traceable path of a transaction through a data processing system from origin to final
output or the other way.
This is useful for:
• Checking the accuracy and validity of ledgers
• Ensuring data access and change security

Each entry has attributes/characteristics of interest.

Computers store data in a field and the fields about entity attributes constitute a record. A data
value is in a field within a record.
File: groups of related records
Masterfile: stores cumulative information about an organisation
Transaction file: contains records of individual business transactions during a specific time
Database: a set of interrelated centrally organised files.

Enterprise resource planning (ERP) systems: a system that integrates all aspects of an organisation's
activities into one system. It is organised less around individual functions and more around business
processes.
It:
• Integrates enterprise data and information flows
• Streamlines inputs and minimises duplication
o Which increases productivity and work efficiency
• Increases transparency
• Allows for standardisation
• Speeds time to market and improves customer service
• Enables real-time information sharing.

These tend to be modular, with the following modules:
• Financial
• Human resource/payroll
• Order to cash (revenue cycle)
• Purchase to pay (disbursement cycle)
• Manufacturing
• Project management
• Customer relationship management
• Systems
One transaction may update several modules.
This brought cross-functional design.

Advantages:
• Provides an integrated, enterprise-wide single view of the organisation's data and financial
information
• Data is captured once
• Greater visibility of every area
• Better access control
• Procedures and reports are standardised across business units
• Customer service improves
• Things happen in real time and automation occurs
Disadvantages:
• Costly
• Time consuming
• Requires changes to business processes
• Complex
• There may be resistance to the ERP system

Ethics and Governance

Ethical Dilemma: an individual must make a decision about which course of action is best, with
multiple courses of action to choose from, but no matter the decision some ethical principle is
compromised.
This may involve a decision framework.

Ethics: defines the best option as the one which achieves what is good and right and is consistent
with the nature of the things in question.
It looks at:
• What's good
• What's right
• The reason for being

Accountants and auditors need a high level of ethics to make the right choice, which may not
benefit them.

Managerial ethics must examine the impacts of managers' actions and can't be limited to compliance or
non-compliance with laws and regulation.

Friedman's View (Shareholder approach): the social responsibility of business is to increase its
profit, and its responsibility is to the shareholders. The goal is to make as much money as possible
while conforming to the basic rules of society.

Freeman's View (Stakeholder approach): corporations have a responsibility to their stakeholders,
who influence and are impacted by their decisions.

Values are the highest ranked in objectives.

Stakeholder Analysis:
1. Is there an ethical situation or dilemma?
a. Define what an ethical situation/dilemma is and what this one is
2. Identify the elements of the problem
a. Stakeholders who may be harmed
b. Whose rights or claims may be violated
c. Which specific interests are in conflict
d. What my responsibilities and obligations are
3. Specify alternatives and evaluate the impacts of each on the various stakeholders
4. Select the best or most ethical alternative
Always remember to consider the professional code of conduct.

Governance: the system by which entities are directed and controlled.
This integrates with ethics to establish a corporate framework that defines how an organisation is
expected to behave and the actions to take in order to achieve goals and manage risk.

Objectives are things to achieve on a larger scale for organisational success.

Ethics and law are not the same.


Accounting information systems provide information that helps ensure transparency and foster
accountability.

IT governance is also very important and is a very standardised field.

Computer Fraud and Cyber Security

Threat: a potential negative event that may not be actualised but increases the probability or
impact of risk.
Types include:
• Natural and political disasters
• Software errors and equipment malfunctions
• Unintentional acts
• Intentional acts.

Sabotage: a deliberate act to destroy a system

Fraud: gaining an unfair advantage over another person. The full definition requires:
1. A false statement
2. A material fact
3. Intention to deceive
4. Justifiable reliance
5. Injury or loss
People who commit fraud are often referred to as white-collar criminals; they tend to be
business people and people in government.
There are two types of fraud:
• Misappropriation of Assets: theft of company assets by employees
• Fraudulent Financial Reporting: intentional or reckless conduct (by omission or act) that
results in materially misleading financial statements.

The fraud triangle:
• Pressure: the incentive or motivation to commit the fraud. There are two groups, each split
into three main categories:
o Employee pressure:
• Lifestyle
• Financial
• Emotional
o Financial statement pressure:
• Financial
• Management characteristics
• Industry conditions
• Opportunity: the conditions that allow the perpetrator to commit and conceal the fraud and
convert it into personal gain.
• Rationalisation: the excuses used to justify the fraud

Lapping: the concealing of the theft of cash by a series of delays in posting collections of cash
receivables

Cheque running: creating a cash lag in between the time the cheque is deposited and when it clears
the bank

Corruption: dishonest conduct by those in power


Investment Fraud: misrepresentation or omission of facts to promote an investment that appears
to offer fantastic gain and little to no risk

Computer fraud: any fraud that requires a computer to perpetrate it. The classifications of computer
fraud include:
• Input fraud
• Processor fraud
• Computer instructions fraud
• Data fraud
• Output fraud

An auditor has a responsibility to understand fraud, discuss the risks of material fraudulent
misstatements, obtain information, identify, assess and respond to risks, and evaluate the results of
their audit tests. They should also document and communicate findings and incorporate a
technology focus.

Preventing and Detecting Fraud:

Make it less likely to occur
Organisational:
• Create a culture of integrity
• Adopt a structure that minimises fraud and creates governance
• Assign authority for business objectives and hold people accountable for achieving those
objectives
• Communicate policies
Systems:
• Develop security policies to guide and design specific control procedures
• Implement change management controls and project development and acquisition controls

Make it difficult to commit
Organisational:
• Develop strong internal controls
• Segregate accounting functions
• Use properly designed forms
• Require independent checks and reconciliation of data
Systems:
• Restrict access
• System authentication
• Implement computer controls over input, processing, storage and output of data
• Use encryption
• Fix bugs and update systems regularly
• Destroy hard drives when disposing of computers

Improve detection methods
Organisational:
• Assess fraud risk
• Have external and internal audits
• Have a fraud hotline
Systems:
• Audit trail of transactions through the system
• Install fraud detection software
• Monitor system activities

Reduce fraud losses
Organisational:
• Insurance
• Business continuity and disaster recovery plans
Systems:
• Store backup copies of program and data files elsewhere
• Monitor system activity

Cyber Attack: unlawful data breaches or hacks executed by fraudsters or criminals to defraud or
commit crimes against a person or an organisation.

Client-Server: an ICT design model that describes how end users' computing devices connect
with a centralised computer to provide AIS and network database services to those users


Hacking: unauthorised access, modification or use of an electronic device or element of a computer
system. This requires a weakness, which is typically negligence.
Hijacking: gaining control of a computer for illicit uses without the user's knowledge.
Botnet/Robot Network: a network of hijacked computers used to attack systems or spread malware. A
hijacked computer is a zombie and the person who controls the network is a bot herder.
Denial of Service (DoS) Attack: sends so many requests or emails that the server shuts down,
preventing access.
Spamming: sending the same unsolicited email to many people
Dictionary Attacks: guessing email addresses at companies and sending blank emails; the addresses
that don't bounce are then added to spammer lists.
Splogs: spam blogs used to improve a page's Google PageRank
Spoofing: making an electronic communication look like someone else sent it, to gain the receiver's
trust. Types include:
• Email
• Caller ID
• IP address
• Address Resolution Protocol (ARP)
• SMS
• Web page
• DNS
Zero Day Attack: an attack in the window between a vulnerability being discovered and a patch (a
quick code fix) being released.
Cross Site Scripting (XSS): a vulnerability in a dynamic web page that lets an attacker bypass a
computer's security measures and have the victim execute code, believing it came from the
intended website.
Buffer Overflow Attack: more data is entered than the memory set aside to receive it.
SQL injection/insertion attack: malicious code in the form of an SQL query, inserted into an input so
that it is passed to and executed by the application.
Man in the Middle (MITM) attack: places the attacker between a client and a host to intercept the
traffic between them
Masquerading/Impersonation: pretending to be someone else to access a system
Piggybacking: using someone else's Wi-Fi, tapping into a communication line, or physically following
an authorised person into a secured room
Password Cracking: obtaining passwords and using them to gain access
War Dialling: dialling phone numbers to find dial-up modem lines
War Driving: driving around to find unprotected wireless networks
Phreaking: attacking phone systems
Data Diddling: changing data before or during entry
Data Leaking: unauthorised copying of data
Podslurping: using a small storage device to steal data
Salami Technique: embezzling a small amount at a time, many times
Round down fraud: rounding interest earned down to two decimal places and diverting the remainder
to an account owned by the embezzler
Economic Espionage: theft of trade secrets, information and intellectual property
Cyber Extortion: threatening to harm a person or company if money isn't paid
Internet Terrorism: using the internet for terrorism
Internet Misinformation: using the internet to spread fake or misleading information
Internet Pump and Dump: using the internet to pump up the price of a share and then selling it
Click Fraud: manipulating click counts to inflate advertising bills


Web Cramming: having a fake website with a free trial and charging people whether they use it or
not
Social Engineering: techniques to get people to comply with the perpetrator's wishes
Pretexting: using an invented scenario to increase the likelihood that the victim will do something
Posing: pretending to be a legitimate business and never fulfilling the transaction
Phishing: posing as a legitimate company to request or verify information that gives the attacker
access.
Pharming: redirecting website traffic to a spoofed website
Evil Twin: a wireless network with the same name as a legitimate one
Typosquatting/URL hijacking: setting up a similarly named website so that users making typos are
sent to the wrong website
Tabnabbing: secretly changing an already open browser tab
Scavenging/Dumpster Diving: searching through documents and records to gain access to
confidential information
Shoulder Surfing: looking over someone's shoulder to get information
Lebanese Looping: something is inserted into the ATM that prevents it from ejecting the card
Skimming: double swiping a card, or having it read by a hidden card reader, for later use
Chipping: putting a chip that records transaction data into a legitimate card reader
Malware: any software designed to do harm. Types include:
• Spyware: monitors and collects personal information
• Adware: spyware for ads
• Torpedo software: destroys competing malware
• Scareware: software used to scare someone
• Ransomware: the victim has to pay to have the malware removed
• Keylogging: records computer activity
Trojan Horse: malicious computer instructions in an authorised and otherwise functional program.
Time/Logic Bomb: a trojan horse that stays idle until triggered
Trap/Back Door: a set of instructions that allows users to bypass normal controls.
Packet Sniffers: capture data from packets as they travel across the network
Steganography Programs: hide data or files inside a host file
Rootkit: conceals processes, files, network connections, memory addresses, system utility
programs and system data from the operating system and other programs.
Superzapping: unauthorised use of special system programs to bypass regular system controls and
perform illegal acts without leaving an audit trail.
Virus: a segment of self-replicating code that attaches itself to a file or program
Worm: a virus that is a stand-alone program rather than a segment of code
Bluesnarfing: stealing data over Bluetooth
Bluebugging: taking control of someone's phone to make or listen to calls, send or read text
messages, etc.

Cyber Security: the processes, controls and technologies that are used to protect an enterprise's
computing devices, networks, data and physical facilities from unauthorised use and criminal or
malicious activities.

Control and AIS

Threat/event: potential adverse occurrence
Exploit: any means that allow attackers to break in through a vulnerability
Vulnerability: weakness in a system that allows an attack to be successful
Exposure/impact: the potential dollar loss of an event
Likelihood/Risk: the probability that a threat will happen
Internal Controls: processes implemented to provide reasonable assurance that the control
objectives are achieved.


This is not a set-and-forget thing, as risks change over time.
We only need reasonable assurance, since no control stops everything: we need assurance, not a
guarantee.
The control objectives are:
• Safeguard assets
• Maintain records in sufficient detail
• Provide accurate and reliable information
• Prepare financial reports
• Promote and improve operational efficiency
• Encourage adherence to prescribed managerial policies
• Comply with laws and regulations
General Controls: ensure that the information system and control environment are stable and well
managed.
Application controls: prevent, detect and correct transaction errors and fraud in application
programs.

There are three main functions of internal controls:
1. Preventive controls: deter problems before they arise
2. Detective controls: discover problems that are not prevented
3. Corrective controls: identify and correct problems and recover from them.
These are either general or application controls.

Foreign Corrupt Practices Act: a US Act that prevents companies from bribing officials and
requires publicly owned companies to keep records of transactions and maintain a system of
internal accounting controls.
Sarbanes-Oxley Act (SOX): increases what investors must be told, in response to the GFC. It
requires full financial disclosure, creates consistent standards for internal policies, requires
transparency, strengthens the rights of whistle-blowers and requires reporting to independent
external audit committees, who must sign off on it.
Areas of scrutiny:
• Access controls
• IT security
• Change management
• Backup procedures
SOX strengthened the control environment, improved documentation, increased audit committee
involvement, standardised processes, reduced complexity and reduced human error.
There is no equivalent law in Australia, but we are slowly getting there with the ASX corporate
governance guidelines, which lay a solid foundation for management and oversight, structure the
board, promote ethical and responsible decision making, safeguard integrity in financial reporting,
require timely and balanced disclosures, respect the rights of shareholders, recognise and manage
risk, and remunerate fairly and responsibly.
Account-specific problems, training and policies were identified as weaknesses of current control
systems.
Management must base its evaluation on a recognised control framework, disclose any and all
material internal control weaknesses, and conclude that control is not effective if any are present.

There are four levers of control:
1. The belief system
2. Boundary system
3. Diagnostic control system
4. Interactive control system

Frameworks for Internal Control

COBIT (Control Objectives for Information and Related Technology). This is based on:
• Meeting stakeholders' needs
• Covering the enterprise end to end
• Applying a single integrated framework
• Enabling a holistic approach
• Separating governance from management
The board of directors has a responsibility to evaluate shareholder needs to identify objectives,
provide management with direction through prioritisation, and monitor their performance.
Management has responsibility for the activities that meet the objectives.
It looks at the lifecycle of technology and separates management from governance.

COSO (Committee of Sponsoring Organisations) internal control framework. It is more compliance
based. It defines internal control and provides guidance for evaluating and enhancing internal
control systems.

COSO enterprise risk management framework. This adds a strategic component to the internal
control framework. It defines the questions management should ask in order to manage risks.
There are four key steps:
1. Objective setting and event identification
2. Risk assessment and response
a. Assess inherent risk, develop a response and then assess residual risk
b. Risk likelihood estimation and impact assessment
c. Risk mitigation controls with clear cost/benefit justification
d. Clear risk control implementation choices
i. A risk map may be used
3. Control activities
a. Proper authorisation of transactions and activities
b. Segregation of duties
c. Project development and acquisition controls
d. Change management controls
e. Design and use of documents and records
f. Safeguarding assets, records and data
g. Independent checks of performance
4. Communication of information and monitoring
a. We need to keep track of things
b. Internal controls are a process and we need to follow up on the feedback they give us
The internal environment is the company culture and consists of:
• Managers' philosophies, operating styles and risk appetites
• Commitment to integrity, ethical values and competence
• Internal control oversight by the board of directors
• Organisational structure
• Methods of assigning authority and responsibility
• Human resourcing standards
o These are to attract, develop and retain competent individuals
o Complete background checks
o Adequate compensation and training


o Disgruntled employees, vacations, rotation of duties and dismissals should all be managed
correctly

Objective setting is the second ERM component; objectives may be strategic, operational, reporting
or compliance based.

Inherent Risk: the susceptibility of a set of accounts to control problems in the absence of internal
control.

Residual Risk: the risk that remains once internal controls are in place.

There are four ways to respond to risk:
1. Reduce
2. Accept
3. Share
4. Avoid

Control activities: policies, procedures and rules that provide reasonable assurance that control
objectives are met and risk responses are carried out.

Authorisations: policies that enable employees to perform organisational functions. These can be
special which requires special approval or general, which doesn't.

Segregation of duties: separating duties to prevent one employee having too much responsibility or
access.

The information the board of directors get depends on internal control.

Threats to AIS are increasing.

Companies have experienced major control failures due to:
• Access to information
• Difficulty controlling information on distributed networks
• Customers and suppliers being able to access each other's systems and data

Companies fail to protect their data due to:
• Underestimating control problems
• Not realising data security is crucial to survival
• Forgoing security measures to improve productivity and reduce cost
• Not understanding the control implications of moving from centralised or host-based systems
to networked or internet-based systems

Three main things to keep separated across people:
• Physical custody
• Record keeping
• Approvals.

Controls for Information Security and Confidentiality and Privacy

Controls
Trust services framework: organises IT-related controls around five principles:
1. Security: access to the system and its data is controlled and restricted to legitimate users
2. Confidentiality: sensitive information is protected from unauthorised disclosure


3. Privacy: personal information is collected, used, disclosed and maintained in accordance with
policy and regulation. This focuses more on individuals.
4. Processing integrity: data is processed accurately, completely, in a timely manner and only
with proper authorisation.
5. Availability: the system and information must be available to meet operational and contractual
obligations
All five need to be considered for proper system reliability.

The generic controls in place link back to the frameworks we have.

Information security is both a technical and a managerial problem, and the managerial side is just
as important.

Having preventive, detective and corrective controls gives us a guideline of what to do and provides
overlapping layers of controls. If there is a hole in one, the other two still reduce the probability
that an attacker gets through. They also each look at the same risk in a different way. This is the
main concept of the Swiss Cheese Model of Organisational Defences.

Time based model of security: implementing a combination of preventive, detective and
corrective controls that protect assets long enough to recognise that an attack is occurring and take
steps to thwart it before anything is lost or compromised

Defence in Depth: having layers of controls to avoid a single point failure.

Steps to attack an organisation:
1. Conduct reconnaissance
2. Attempt social engineering
3. Scan and map the target
4. Research
5. Execute the attack
6. Cover tracks

Ways to detect attacks:
• Log analysis
• Intrusion detection systems
• Continuous monitoring
o This may include monitoring and controlling what access has occurred.
Following up on findings is also important.

Ways to respond to attacks:
• Computer incident response team
• Chief information security officer

Key protection methods:
• Create a security-conscious culture
• Have security awareness and accredited training
• Implement user access controls for authentication and authorisation
o These determine how to verify identity, how to decide who can access what, and what
access is allowed.
• Use internal auditors or external consultants to lead prevention testing procedures
• Formalise auditable change controls and change management procedures


• Set up IT security solutions
o Only give people access to what they need to use.
o Cryptology and encryption are important here.
• Implement physical access controls.
There needs to be a tone at the top encouraging this.

Types of infrastructure:
• Virtualisation: running multiple systems simultaneously on one computer
o This carries the risk that unsupervised access exposes the entire network to theft or
destruction
• Cloud computing: using a browser to remotely access resources
o The risk is that public clouds are accessible via the internet and may have reliability
issues due to reliance on a third party
o It can, however, improve security through strong access control and multifactor
authentication
• Internet of things: objects connect themselves to the internet via embedded sensor devices.
o Risks include more ways to gain access to the network, and it is more difficult to secure
the information.

Encryption: the process of transforming normal text (plaintext) into unreadable gibberish
(ciphertext)
Plaintext: normal content that has not been encrypted
Ciphertext: plaintext that has been transformed into gibberish through encryption. It is the form
data should take while stored and while being sent between parties.
Factors that increase encryption strength:
• Key length (the size of the chunks encrypted): the longer the better
• Encryption algorithm: many are widely available, yet these are also the hardest to crack
• Policies for managing encryption keys: the keys are the most important thing to protect
Types of encryption systems:
• Symmetric: the same key encrypts and decrypts
o This is faster than asymmetric, but comes with disadvantages: both parties need the key,
a different key must be created for each party, and there is no proof of who created the
document.
• Asymmetric: two keys are used, a public one, which encrypts, and a private one, which does both
o Public key: widely distributed and available to everyone
o Private key: kept secret and known only to the owner of the key pair
o This solves the problems of symmetric encryption but is slow.
Key escrow: storing a copy of the encryption key in a secure location

Cryptography: the art of writing or solving codes, it involves the process of encryption.

Hashing: transforming plaintext to a short code called a hash. Used a lot with digital signatures.
This is not reversible, and both parties need to check the hash total to ensure that it has not been
edited.

Digital Certificate: an electronic document that certifies the identity of the owner of a public key and
contains the public key.
Certificate Authority: verifies the digital certificate

Virtual Private Network: using encryption and authentication to securely transfer information over
the internet, thereby creating a virtual private network.


Preserving confidentiality:
• Identify and classify the information to be protected
• Protect confidentiality with encryption
• Control access to sensitive information
o Information rights management: software that limits access and specifies the actions
individuals are allowed to perform
• Training

Confidential Information: any information or document that an individual or business wishes not to
be made public.

The two main privacy concerns are spam and identity theft

Good practices for managing cyber events
• Keep it rational
• Avoid wishful thinking
• Preserve the environment for diagnosis
• Do not shut down in panic
• Draw on your team's resources
• Avoid distractions
• Keep track of what you do and do not know

Process Integrity and Availability


For information to be reliable it needs to be:
• Accurate
• Complete
• Valid
• Authorised

We need to think about what could go wrong in a business when it is handling data and:
• Identify internal controls that could be used
• Relate the internal controls to the objectives of accurate, complete, timely and valid data.

We need to think about what could go wrong in each stage.

Input Controls:
These reduce "garbage in", i.e. bad data entering the system.
The first thing to consider is input form design, e.g. pre-numbered forms (which allow a sequence
test) or turnaround documents.
Then we need to cancel and store source documents. Cancelling means marking a document so that we
can identify whether it has already been processed.
Then we may need to look at data entry controls, which include:
• Field check
• Sign check
• Limit check: tests a value against a maximum only
• Range check: tests a value against both a minimum and a maximum
• Size check
• Completeness check
• Validity check
• Reasonableness test


• Check digit verification.


These all check if the data matches what we need i.e. the number of digits and order.
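The data entry controls listed above can all be applied to one keyed record before it is accepted. The following Python is an added example written for these notes (not from the original), covering every check in the list: the reference data, thresholds and order lines are constructed, and because the notes do not name a check-digit scheme, the mod-10 (Luhn) algorithm is used as an assumption.

```python
# Constructed reference data and thresholds (assumptions, not from the notes).
VALID_STATES = {"NSW", "VIC", "QLD", "SA", "WA", "TAS", "NT", "ACT"}
CUSTOMER_ID_LENGTH = 8            # size check
MAX_QUANTITY = 1000               # limit check: maximum only
UNIT_PRICE_RANGE = (0.01, 10000)  # range check: minimum and maximum
REASONABLE_MULTIPLE = 5           # reasonableness: quantity vs the customer's usual order
REQUIRED_FIELDS = ("customer_id", "quantity", "unit_price", "state", "usual_quantity")

# Constructed order lines as a clerk might key them (every field arrives as text).
ORDER_LINES = {
    "good":  {"customer_id": "12345674", "quantity": "12", "unit_price": "45.00",
              "state": "VIC", "usual_quantity": "10"},
    "bad":   {"customer_id": "12345670", "quantity": "-5", "unit_price": "45.00",
              "state": "XYZ", "usual_quantity": "10"},
    "blank": {"customer_id": "12345674", "quantity": "", "unit_price": "45.00",
              "state": "VIC", "usual_quantity": "10"},
}


def check_digit_ok(number: str) -> bool:
    """Check digit verification with the mod-10 (Luhn) scheme. The notes do not
    name a scheme, so this choice is an assumption for illustration."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                         # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_line(line: dict) -> list:
    """Apply the data entry edit checks to one order line and return the list of
    failures; an empty list means the line is accepted."""
    errors = []
    # Completeness check: every required field present and not blank
    for f in REQUIRED_FIELDS:
        if not str(line.get(f, "")).strip():
            errors.append(f"completeness: {f} is missing")
    if errors:
        return errors                          # the remaining checks need every field
    cid = line["customer_id"]
    # Field check: numeric fields must contain numbers only
    if not cid.isdigit():
        errors.append("field: customer_id must be numeric")
    try:
        qty = int(line["quantity"])
        price = float(line["unit_price"])
        usual = float(line["usual_quantity"])
    except ValueError:
        return errors + ["field: quantity, unit_price and usual_quantity must be numeric"]
    # Size check: the id must have exactly the expected number of digits
    if len(cid) != CUSTOMER_ID_LENGTH:
        errors.append(f"size: customer_id must have {CUSTOMER_ID_LENGTH} digits")
    # Check digit verification
    if cid.isdigit() and not check_digit_ok(cid):
        errors.append("check digit: customer_id fails mod-10 verification")
    # Sign check
    if qty <= 0:
        errors.append("sign: quantity must be positive")
    # Limit check (maximum only)
    if qty > MAX_QUANTITY:
        errors.append(f"limit: quantity exceeds {MAX_QUANTITY}")
    # Range check (minimum and maximum)
    lo, hi = UNIT_PRICE_RANGE
    if not lo <= price <= hi:
        errors.append(f"range: unit_price outside {lo}..{hi}")
    # Validity check: the value must exist in the reference data
    if line["state"] not in VALID_STATES:
        errors.append("validity: unknown state code")
    # Reasonableness test: compare with what is usual for this customer
    if qty > REASONABLE_MULTIPLE * usual:
        errors.append("reasonableness: quantity far above the customer's usual order")
    return errors


def validate_batch(lines: dict) -> dict:
    """Run every line through the checks; the result maps line name to its failures."""
    return {name: validate_line(line) for name, line in lines.items()}
```

Note that the completeness check runs first and short-circuits, because the other checks cannot be evaluated on a field that is not there; the remaining checks are independent, so one bad line reports every failure at once rather than only the first.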

For batch processes we may also consider:
• Sequence checks: test whether the data is in the proper order
• Error logs: identify data input errors
• Batch totals
o Financial total: the sum of a monetary field; this focuses on accuracy
o Hash total: the sum of a field whose total has no meaning in itself, e.g. student numbers;
again this focuses on accuracy
o Record count: the number of records in a batch; this checks validity and correctness
There are time gaps between different stages which may mean that data can be lost.

For online data entry we may use:


• Prompting: the system prompts you for input
• Closed loop verification: checks the input data by using it to retrieve and display other related
information. This is similar to VLOOKUP in Excel.
• Transaction log

Processing Controls:
• Data matching: two or more items of data must be matched before an action takes place
• File labels checking: ensures correct and most updated file is used
• Recalculating batch totals: recomputed totals should compare to the manual totals, and
discrepancies indicate processing errors
• Cross-footing balance test: verifies accuracy by comparing two alternative ways of calculating
the same total
• Zero balance test: if there is still a balance when there shouldn't be there has been an error
• Write protection mechanisms: protects against overwriting or erasing data
• Concurrent update controls: prevents multiple users updating the same record at the same
time.
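The batch totals listed under input controls and the recalculation, cross-footing and zero-balance processing controls just above are all arithmetic on the same batch, so one added Python example (written for these notes, not from the original; the invoice batch, journal entry and table figures are constructed) serves both passages. It takes the three control totals when the batch is prepared, then recomputes them after two simulated processing faults, showing why the hash total is kept even though it has no meaning as a number.

```python
from decimal import Decimal

# Constructed batch of sales invoices (assumption): invoice number, customer
# number (meaningless as a sum, so it is the hash-total field) and amount.
BATCH = [
    {"invoice": 5001, "customer": 1041, "amount": Decimal("120.00")},
    {"invoice": 5002, "customer": 2077, "amount": Decimal("45.50")},
    {"invoice": 5003, "customer": 1041, "amount": Decimal("300.00")},
]


def batch_totals(records: list) -> dict:
    """The three control totals taken when the batch is prepared."""
    return {
        "record_count": len(records),
        "financial_total": sum(r["amount"] for r in records),
        "hash_total": sum(r["customer"] for r in records),
    }


def sequence_ok(records: list, key: str = "invoice") -> bool:
    """Sequence check: numbers must be ascending with no gaps."""
    nums = [r[key] for r in records]
    return all(b == a + 1 for a, b in zip(nums, nums[1:]))


def recalculated_discrepancies(manual_totals: dict, processed: list) -> list:
    """Processing control: recompute the totals after processing and name the
    control totals that no longer agree with the manual totals."""
    recomputed = batch_totals(processed)
    return [name for name, value in manual_totals.items() if recomputed[name] != value]


def cross_foot_ok(cells: list, row_totals: list, col_totals: list) -> bool:
    """Cross-footing balance test: the grand total reached by adding the recorded
    row totals must equal the one reached by adding the recorded column totals,
    and each recorded total must agree with its own cells."""
    rows_ok = all(sum(row) == t for row, t in zip(cells, row_totals))
    cols_ok = all(sum(col) == t for col, t in zip(zip(*cells), col_totals))
    return rows_ok and cols_ok and sum(row_totals) == sum(col_totals)


def zero_balance(debits: list, credits: list) -> Decimal:
    """Zero-balance test: debits less credits must come to zero for a journal entry."""
    return sum(debits) - sum(credits)


def demo() -> dict:
    manual = batch_totals(BATCH)
    # Fault 1: a record is lost between input and processing.
    lost_record = BATCH[:2]
    # Fault 2: a transposition in a customer number (1041 keyed as 1401); the
    # amount and the count are unchanged, so only the hash total reveals it.
    transposed = [dict(BATCH[0], customer=1401)] + BATCH[1:]
    cells = [[Decimal(100), Decimal(50)], [Decimal(70), Decimal(30)]]
    return {
        "manual": manual,
        "sequence_ok": sequence_ok(BATCH),
        "lost_record": recalculated_discrepancies(manual, lost_record),
        "transposed": recalculated_discrepancies(manual, transposed),
        "cross_foot_ok": cross_foot_ok(cells, [Decimal(150), Decimal(100)],
                                       [Decimal(170), Decimal(80)]),
        "cross_foot_bad": cross_foot_ok(cells, [Decimal(150), Decimal(110)],
                                        [Decimal(170), Decimal(80)]),
        "zero_balance": zero_balance([Decimal(500), Decimal(25)], [Decimal(525)]),
    }
```

Decimal is used for the money fields so that the financial total is exact; a float total could disagree with the clerk's manual total through rounding alone and raise false discrepancies.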

Output Controls:
• User review of outputs: verify reasonableness and completeness, and that output is routed to the
intended individual
• Reconciliation procedures
• Data transmission control:
o Checksums: hash of file transmitted, where we compare the hash before and after the
transmission
o Parity bits: the AIS data is expressed in binary digits, and a bit is added to each character
transmitted, then the characters can be verified for accuracy.
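The two data transmission controls above, a parity bit per character and a checksum over the whole file, are shown side by side in this added Python example (written for these notes, not from the original; the message is a constructed sample). It also shows the limit of parity that the notes do not spell out: a parity bit catches a single inverted bit in a character but not two, whereas the file-level checksum still disagrees.

```python
import hashlib

# Constructed message (assumption): AIS data sent one character at a time, each
# 8-bit character carrying an extra parity bit.
MESSAGE = b"PAY 540.00"


def parity_bit(byte: int) -> int:
    """Even parity: the bit that makes the number of 1s in the character even."""
    return bin(byte & 0xFF).count("1") % 2


def frame(data: bytes) -> list:
    """Sender: attach a parity bit to every character."""
    return [(b, parity_bit(b)) for b in data]


def parity_errors(frames: list) -> list:
    """Receiver: positions of characters whose parity bit no longer matches."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def flip_bits(frames: list, position: int, bits: tuple) -> list:
    """Simulate line noise by inverting the given bits of one character."""
    out = list(frames)
    b, p = out[position]
    for bit in bits:
        b ^= 1 << bit
    out[position] = (b, p)
    return out


def checksum(frames: list) -> str:
    """Checksum of the whole file: a hash compared before and after transmission."""
    return hashlib.sha256(bytes(b for b, _ in frames)).hexdigest()


def demo() -> dict:
    sent = frame(MESSAGE)
    one_bit = flip_bits(sent, 4, (0,))      # a single inverted bit in character 4
    two_bits = flip_bits(sent, 4, (0, 3))   # two inverted bits in the same character
    return {
        "clean": parity_errors(sent),
        "single_bit_error": parity_errors(one_bit),
        # Parity cannot see an even number of flipped bits in one character...
        "double_bit_error": parity_errors(two_bits),
        # ...but the file-level checksum still disagrees.
        "checksum_catches_double": checksum(two_bits) != checksum(sent),
    }
```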

Processing Integrity Controls for Spreadsheets:


• Good design principles
• Controls and checks to restrict user access and determine the type of entry a cell contains
o Cell locking
o Data validation
o IF statements
• Consistent formulae


• Link to data and no hard coding


• Protection features
o Ensures the data doesn't change
o We may also keep track of who changes what.

We can minimise downtime through having redundancy of programs.

Minimising downtime risks:


• Preventative maintenance
• Fault tolerance: where it can still run if there's a failure
• Data centre location and design
• Training
• Patch management

There are two key concepts in system backup and recovery:


• Recovery point objective: the maximum amount of time that a company is willing to risk the
possible loss of transaction data
• Recovery time objective: the length of time a company is willing to attempt to function
without an accounting information system.

There are two main types of backup procedures:


• Incremental backup: a partial backup that involves copying only data that has changed since
last partial backup
o This is quicker every day but takes longer to recover
• Differential backups: a partial backup that involves copying all changes since last full backup
o This takes longer every day but it is quicker to recover
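The trade-off between the two partial backup types can be made concrete by simulating a week of changes. The following Python is an added example written for these notes (not from the original); the files, the Sunday full backup and the daily change lists are constructed. It records how much each daily backup copies and how many backup sets a restore must apply, and shows the incremental chain's weakness: lose one daily set and the restored data is wrong.

```python
# Constructed week of file changes (assumption): a full backup on Sunday, then
# each weekday's list of files that changed. Versions count how often a file changed.
DAYS = ["Mon", "Tue", "Wed", "Thu"]
CHANGES = {"Mon": ["ar.db"], "Tue": ["gl.db", "ar.db"], "Wed": ["inv.db"], "Thu": ["ar.db"]}
FULL_BACKUP = {"ar.db": 0, "gl.db": 0, "inv.db": 0, "payroll.db": 0}


def live_states(full: dict, days: list, changes: dict) -> dict:
    """Version of every file at the end of each day on the live system."""
    state, out = dict(full), {}
    for d in days:
        for f in changes[d]:
            state[f] += 1
        out[d] = dict(state)
    return out


def incremental_sets(states: dict, full: dict, days: list) -> dict:
    """Each day copies only what changed since the previous (partial) backup."""
    prev, out = full, {}
    for d in days:
        out[d] = {f: v for f, v in states[d].items() if v != prev[f]}
        prev = states[d]
    return out


def differential_sets(states: dict, full: dict, days: list) -> dict:
    """Each day copies everything that changed since the last full backup."""
    return {d: {f: v for f, v in states[d].items() if v != full[f]} for d in days}


def restore(full: dict, backup_sets: list) -> dict:
    """Start from the full backup and apply the partial sets in order."""
    state = dict(full)
    for s in backup_sets:
        state.update(s)
    return state


def demo(fail_after: str = "Thu") -> dict:
    states = live_states(FULL_BACKUP, DAYS, CHANGES)
    inc = incremental_sets(states, FULL_BACKUP, DAYS)
    diff = differential_sets(states, FULL_BACKUP, DAYS)
    upto = DAYS[: DAYS.index(fail_after) + 1]
    inc_chain = [inc[d] for d in upto]          # every incremental since the full backup
    diff_chain = [diff[fail_after]]             # only the latest differential
    target = states[fail_after]
    missing_tue = [s for d, s in zip(upto, inc_chain) if d != "Tue"]
    return {
        "incremental_daily_sizes": [len(inc[d]) for d in DAYS],
        "differential_daily_sizes": [len(diff[d]) for d in DAYS],
        "incremental_sets_to_restore": len(inc_chain),
        "differential_sets_to_restore": len(diff_chain),
        "incremental_restore_ok": restore(FULL_BACKUP, inc_chain) == target,
        "differential_restore_ok": restore(FULL_BACKUP, diff_chain) == target,
        # Lose one link of the incremental chain (Tuesday's set) and the restore is wrong.
        "incremental_missing_link_ok": restore(FULL_BACKUP, missing_tue) == target,
    }
```

Because either scheme only runs once a day here, a failure late on Thursday loses Thursday's transactions whichever scheme is used: the backup interval, not the backup type, sets the recovery point objective.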

Disaster Recovery Plan: an IT focused plan to resume operations as soon as possible in the event of
a disaster.
There are three main options:
• Cold site: a facility with telecommunications but with no computing equipment set up
• Hot site: a facility with telecommunications and all necessary computing hardware and
software.
• Real-time mirror: duplicate data centre that updates and records changes in data in real time.

Critical Success Factors for a Disaster Recovery Plan:


1. Documentation
2. Steering committee and testing
3. Policy and goals
4. Training
5. Maintenance and staff involvement
6. Processing requirements
7. Top management commitment
8. Prioritisation
9. External off-site back up processing sites
10. Internal on site back up processing sites.

Business continuity plans should:


• Identify major risks of business interruption
• Develop a plan to reduce the impacts of risks
• Ensure employees know how the plan works and what it involves


• Be tested and regularly reviewed

Systems Documentation Techniques


Documentation: explains how a system works.
Narrative description: a written, step-by-step explanation of a system's components and how they
interact.
Systems documentation: a way of visually depicting the operations of a system. It depicts the
systems and their interaction across the business process.
Accountants need to be able to read documentation to understand how a system works, evaluate the
strengths and weaknesses of internal controls, determine whether a proposed system meets the needs
of its users, follow the audit trail for auditing responsibilities, and prepare documentation to
demonstrate how a system would work and their understanding of a system of internal controls.
Documentation is important to AIS to:
• Depict how a system works
• Train users
• Design new systems
• Control system development and maintenance costs
• Standardise communication with others
• Audit AIS
• Document business processes.

Document tools help accountants by organising very complicated systems into a form that can be
more readily understood and help new team members understand pre-existing systems.
There are three main ones we look at, with each taking a particular view of how the system works.
These are flowcharts, business process diagrams and data flow diagrams.

Flowcharts: an analytical technique that describes some aspect of an information system in a clear,
concise and logical manner. It uses a standard set of symbols to depict processing procedures and
the flow of data.
There are four types of symbols:
• Input/output
o Document
o Multiple copies of one paper document
o Electronic output
o Electronic data entry
o Electronic input and output device
• Processing
o Computer or manual processing (this distinction is important, as manual entry has more risks)
• Storage
o Database
o Magnetic tape
o Paper document file
o Journal/ledger
o The first two are accessed by a computer and the third by people
• Flow and miscellaneous systems: these indicate the flow of data, where the flowcharts begin
or end, where decisions are made and how to add explanatory notes
o Document or processing flow
o Communication link
o On page connector


o Off-page connector
o Terminal
o Decision
o Annotation
The main strength is that they can capture data via decision points and show manual and automated
processes.
Types of flowcharts:
• Document flowcharts: illustrate the flow of documents and data among areas of responsibility
within an organisation. It only focuses on the movement of documents.
• Internal control flowchart: used to describe, analyse and evaluate internal controls
• System flowchart: depicts the relationship between system input, processing, storage and
output
• Program flowchart: shows the sequence of logical operations a computer performs as it
executes a program
The columns show an internal entity doing something with the data.
The symbols can be split into manual or electronic and the processes that occur.

Business process diagram: a visual way to describe the different steps or activities in a business
process. It describes interactions within and between entities, and considers what the key activities
in a business are and how they interact.
This is less detailed but easier to read than a flowchart. It doesn't state who does it.
A circle shows the start and the end, and the squares are the activities. There is a heading for
each party.
When describing it, work from one end to the other.

Business Process Modelling Notation: an established standard for drawing business process
diagrams.

Data flow diagrams: graphically describe the flow of data through an organisation. The symbols
depend on whether they manipulate data or not. They are used to document existing systems and to plan
and design new ones.
Data source: the entity that produces or sends the data. This may be called an external entity.
Data destination: the entity that receives the data. This may also be called an external entity.
The distinction between internal and external entities is based on the activities that an entity
performs in relation to the process or system of interest.
Data flow: the movement of data between processes, stores and destinations. These should be
labelled, and it is preferred that we distinguish flows that occur at different times.
Data store: a repository of data; flows into and out of a data store are the only data flows that
need not be labelled.
Transformation processes: represent the transformation of data. They must have both an inflow and an
outflow.
Data should not flow backwards, as a backward flow indicates an error routine.
Context diagram: the highest level of data flow diagram, giving a summary-level view of the system. It
shows the inputs and outputs of the system. It has only one circle and does not show storage. It
has the same number of squares as the corresponding data flow diagram, and only the arrows that go
into or come out of a square are shown.
Level 0 DFD: shows all the activity steps of a system; processes are labelled 1.0, 2.0 etc.
Level 1 DFD: shows one major activity divided into sub-activities; processes are labelled 1.1, 1.2 etc.

Errors in DFDs:
• Black hole: a process with only input flows
• Miracle: a process with only output flows


• Grey hole: insufficient inputs to produce the needed output


• Tardis: a logical data flow that goes from a higher to lower numbered process is wrong as the
numbering indicates the timing
• Magic: a file that moves by itself from one data store to another
• Make sure to use the correct symbols and terminology

Steps to draw Level 0 DFD:


Go through the narrative and identify:
• External entities
o If multiple entities perform the same role, depict one to represent them all
• The information processing activities
o To transform or retrieve data
o Group the activities
o Name the activities, using an active verb
o Number the activities
• Data flows
• Data stores

Rules to follow:
Drawing data flow:
• Draw a data flow for each flow into and out of a file
• Data that travel together should be in the same data flow
Processes:
• A process begins as soon as it receives the necessary input data
• An action must transform the data to be a process step
• Group similar tasks that occur at the same time
• Task numbers indicate the time-sequence of processing
• Data should only be sent to the processes that need the data
• Never label a process with an if-then statement
• Errors/exceptions are shown on exception DFDs.
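The DFD errors listed earlier (black hole, miracle, tardis, magic) and several of the drawing rules above (label every flow except those touching a data store, never label a process with an if-then statement) are mechanical enough to check automatically. The following Python is an added example written for these notes (not from the original): it represents a level 0 DFD as entities, stores, numbered processes and labelled flows, and reports every rule the diagram breaks. The diagram itself is constructed, loosely modelled on the sales order steps later in these notes, with the mistakes planted deliberately. A grey hole needs a judgement about whether the inputs are sufficient for the outputs, so it is not checked.

```python
import re

# Constructed level 0 DFD (assumption) with several deliberate mistakes.
DFD = {
    "entities": {"Customer", "Warehouse"},
    "stores": {"Orders", "Inventory"},
    "processes": {
        "1.0": "Take order",
        "2.0": "Check credit",
        "3.0": "Check inventory",
        "4.0": "If approved, ship goods",   # labelled with an if-then statement
        "5.0": "Prepare report",            # has output but no input: a miracle
    },
    # (source, destination, label); only flows touching a data store may be unlabelled
    "flows": [
        ("Customer", "1.0", "customer order"),
        ("1.0", "Orders", ""),
        ("1.0", "2.0", "order details"),
        ("2.0", "3.0", "approved order"),
        ("3.0", "Inventory", ""),
        ("3.0", "1.0", ""),                       # back to an earlier process (tardis) and unlabelled
        ("Inventory", "Orders", "stock levels"),  # store to store: magic
        ("Warehouse", "4.0", "picking ticket"),   # 4.0 has input but no output: a black hole
        ("5.0", "Customer", "order report"),
    ],
}


def find_errors(dfd: dict) -> list:
    """Return a description of every rule the diagram breaks."""
    procs, stores = dfd["processes"], dfd["stores"]
    inflows = {p: 0 for p in procs}
    outflows = {p: 0 for p in procs}
    errors = []
    for src, dst, label in dfd["flows"]:
        if dst in procs:
            inflows[dst] += 1
        if src in procs:
            outflows[src] += 1
        if src in stores and dst in stores:
            errors.append(f"magic: data moves by itself from {src} to {dst}")
        if src in procs and dst in procs and float(src) > float(dst):
            errors.append(f"tardis: flow from {src} back to earlier process {dst}")
        if not label and src not in stores and dst not in stores:
            errors.append(f"unlabelled: flow {src} -> {dst} needs a label")
    for p, name in procs.items():
        if inflows[p] and not outflows[p]:
            errors.append(f"black hole: process {p} has inputs only")
        if outflows[p] and not inflows[p]:
            errors.append(f"miracle: process {p} has outputs only")
        if re.match(r"\s*if\b", name, re.IGNORECASE):
            errors.append(f"if-then label: process {p} is labelled '{name}'")
    return errors


def error_kinds(dfd: dict) -> dict:
    """Count the errors by kind (the text before the first colon)."""
    counts = {}
    for e in find_errors(dfd):
        kind = e.split(":", 1)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

The tardis check relies on the notes' rule that process numbers indicate the time sequence; a flow that runs from 3.0 back to 1.0 is therefore flagged even though it is otherwise a legal process-to-process flow.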

We need to label arrows correctly, with the data that is being passed over or entered.

Controlling the Revenue Cycle


Revenue Cycle: the recurring set of business activities and related information processing operations
associated with providing goods and services to customers and collecting cash in payment for these
sales. There are four basic activities, sales order entry, shipping, billing and cash collections.

The primary objective is to provide the right product in the right place at the right time for the right
price.
We need to effectively conduct, record and monitor the sales of goods and services, arrange prompt
supply of them and ensure that payments for them are correctly received, recorded and banked.

General threats to the revenue cycle:


• Inaccurate or invalid master data
o We can send to the wrong address, make sales to customers that are exceeding their
credit limit, have unanticipated shortage and over or underbill a customer.
o This can be controlled through data processing integrity controls, restriction of access
and a review of all changes.
• Unauthorised disclosure of sensitive information


o This can be mitigated through access controls and encryption and the tokenisation of
personal information. Tokenisation turns information into a random string of characters that
has no meaningful value if breached.
• Loss or destruction of master data
o Mitigated through backups and disaster recovery plans.
• Poor performance
o Dashboards are useful for this as are managerial reports.
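Tokenisation as described under the disclosure threat above can be shown with a small token vault. This Python is an added example written for these notes (not from the original): the vault, the record layout and the card numbers are all constructed. The point it makes is that the token stored with the order is random rather than derived from the value, so a breach of the order records yields nothing meaningful, while the same value always maps to the same token so the records for one customer can still be joined.

```python
import secrets


class TokenVault:
    """Maps sensitive values to random tokens. Only the vault, kept in a separately
    protected store, can turn a token back into the value, so a token copied from
    the order database has no meaningful value if breached."""

    def __init__(self) -> None:
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenise(self, value: str) -> str:
        # The same value always gets the same token, so records for one customer
        # can still be joined without consulting the vault.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(12)   # random, not derived from the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._token_to_value[token]


def order_record(vault: TokenVault, customer: str, card_number: str, amount: str) -> dict:
    """What the revenue-cycle system stores: the token plus a masked display value,
    never the full card number."""
    return {
        "customer": customer,
        "card_token": vault.tokenise(card_number),
        "card_masked": "*" * (len(card_number) - 4) + card_number[-4:],
        "amount": amount,
    }


def demo() -> dict:
    vault = TokenVault()
    card_a = "4000123456789010"   # constructed sample numbers, not real cards
    card_b = "5100987654321098"
    r1 = order_record(vault, "A. Customer", card_a, "540.00")
    r2 = order_record(vault, "A. Customer", card_a, "99.00")
    r3 = order_record(vault, "B. Customer", card_b, "12.50")
    stored = str([r1, r2, r3])           # everything the order database would hold
    return {
        "card_number_in_records": card_a in stored or card_b in stored,
        "token_prefix_ok": all(r["card_token"].startswith("tok_") for r in (r1, r2, r3)),
        "same_card_same_token": r1["card_token"] == r2["card_token"],
        "different_cards_differ": r1["card_token"] != r3["card_token"],
        "masked": r1["card_masked"],
        "round_trip_ok": vault.detokenise(r3["card_token"]) == card_b,
    }
```

Unlike a hash, the token cannot be recomputed from a guessed value, which is why the vault (and access to it) rather than the token format carries the protection.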

Sales Order: the document created during the sales that shows the item, quantity, prices and terms
of sales
When this is entered we:
• Take the customer's order
• Check their credit
• Check the available inventory
• Respond to customer enquiries.
We can leverage IT to have customers do the data entry themselves, by having them complete the
form on the company's website, using electronic data interchange or using QR codes.
IT can be used to improve efficiency and effectiveness through using the sales history to customise
solicitations, choice boards to customise orders and linking a company directly with its customers to
receive orders or manage their inventory.
Threats include incomplete or inaccurate records and invalid orders. These can be mitigated through
data entry edit controls, restriction of access to master data and the use of digital or physical
signatures.
Electronic Data Interchange (EDI): the use of computerised communications and a standard coding
scheme to submit business documents electronically so that they can be automatically processed.

Credit sales should be approved before the order is processed any further. General authorisations
may be done by a clerk for simple customers, e.g. existing customers who are under their credit
limit and have no outstanding balances, while a credit manager may look at more complex
customers.
The main threat is uncollected accounts, which can be mitigated through credit limits, specific
authorisations depending on the situation and aging of accounts receivable.

If there are also sufficient units to fill the order we:


• Complete the order
• Update the quantity available of the stock
• Create a picking ticket to authorise the transaction and release the goods
• Notify the warehouse, shipping and billing departments
• Send an acknowledgement to the customer.
If there are insufficient units we create a back order, which notifies the production department for
manufacturing firms and purchasing for retail firms.
Picking Ticket: a document that lists the items and quantities ordered and authorises the inventory
control function to release the merchandise to the shipping department
Threats include stockouts or excessive inventory, which we mitigate through a perpetual inventory
control system, the use of bar codes or RFID tags, training, and sales forecast and activity reports.
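The sales order entry steps above (credit check with general versus specific authorisation, ageing of receivables, inventory check, picking ticket, back order) can be followed end to end in code. This Python is an added example written for these notes (not from the original); the customers, credit limits, open invoices, prices and stock levels are constructed. It goes slightly beyond the text by computing the ageing figure that the credit decision uses.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass
class Customer:
    customer_id: str
    credit_limit: Decimal
    balance: Decimal          # amount currently outstanding
    invoice_due_dates: list   # due dates of the open invoices


# Constructed master data (assumption): customers, quantity available and prices.
TODAY = date(2024, 3, 1)
CUSTOMERS = {
    "C1": Customer("C1", Decimal("5000"), Decimal("1200"), [TODAY + timedelta(days=10)]),
    "C2": Customer("C2", Decimal("2000"), Decimal("1900"), [TODAY - timedelta(days=45)]),
}
INVENTORY = {"widget": 40, "gadget": 5}
PRICES = {"widget": Decimal("10.00"), "gadget": Decimal("25.00")}


def overdue_days(customer: Customer, today: date) -> int:
    """Ageing of accounts receivable: days past due of the oldest open invoice."""
    if not customer.invoice_due_dates:
        return 0
    return max((today - d).days for d in customer.invoice_due_dates)


def credit_check(customer: Customer, order_total: Decimal, today: date) -> dict:
    """General authorisation (a clerk) covers customers who stay within their limit
    and have nothing overdue; everything else goes to the credit manager."""
    exposure = customer.balance + order_total
    within_limit = exposure <= customer.credit_limit
    nothing_overdue = overdue_days(customer, today) <= 0
    if within_limit and nothing_overdue:
        return {"approved": True, "authorised_by": "clerk (general authorisation)"}
    reasons = []
    if not within_limit:
        reasons.append(f"exposure {exposure} exceeds limit {customer.credit_limit}")
    if not nothing_overdue:
        reasons.append(f"invoice {overdue_days(customer, today)} days overdue")
    return {"approved": False, "authorised_by": "credit manager (specific authorisation)",
            "reasons": reasons}


def process_order(customer_id: str, lines: dict, inventory: dict, today: date = TODAY) -> dict:
    """Sales order entry: credit check, then inventory check. Items in stock go on a
    picking ticket and quantity available is reduced; shortfalls become back orders."""
    customer = CUSTOMERS[customer_id]
    total = sum(PRICES[item] * qty for item, qty in lines.items())
    credit = credit_check(customer, total, today)
    result = {"customer": customer_id, "order_total": total, "credit": credit,
              "picking_ticket": {}, "back_orders": {}}
    if not credit["approved"]:
        return result                          # stop here: nothing is released
    for item, qty in lines.items():
        available = inventory.get(item, 0)
        fill = min(qty, available)
        if fill:
            result["picking_ticket"][item] = fill
            inventory[item] = available - fill  # update quantity available
        if qty > fill:
            result["back_orders"][item] = qty - fill
    return result


def demo() -> dict:
    stock = dict(INVENTORY)                    # work on a copy so the demo is repeatable
    ok = process_order("C1", {"widget": 10, "gadget": 8}, stock)
    held = process_order("C2", {"widget": 30}, stock)
    return {"ok": ok, "held": held, "stock_after": stock}
```

The order of the two checks matters: stock is only reserved once credit is approved, so a held order never reduces the quantity available, which matches the note above that the sequence changes when goods are paid for before shipment.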

We can respond to customer inquiries before or after the order is placed, and the quality of this is
critical to retaining customers. The threat here is the loss of customers, so we use customer
management systems, self-help websites and a proper evaluation of service ratings.
Some companies use customer management systems to ensure customer relations are maintained.


The process design may change, as credit checks may not be necessary, and it depends on the
business. If goods are shipped before payment then we need to do the credit check first, if goods are
paid for then shipped we need to do a stock check before taking payment.

The primary objective of shipping is to fill customers' orders efficiently and accurately and to
safeguard inventory. There are two steps: picking and packing the order, usually done by the
warehouse department, and shipping it, done by the shipping department.
A picking ticket is printed by the sales order entry process and triggers the pick and pack process.
The warehouse workers record the quantities picked on the picking ticket, and the inventory is then
transferred to the shipping department.
RFID technology can speed up the movement of inventory and improve the accuracy of perpetual
inventory records, as they eliminate the need to align goods with a scanner and use electromagnetic
fields to automatically identify and track tags attached to inventory as it moves through the
warehouse.
Threats include picking the wrong item or quantity and theft of inventory. This can be mitigated
through barcode and RFID technology, reconciling picking lists to sales order details, restriction of
physical access to inventory, documentation of all inventory transfers and periodic physical counts of
inventory and reconciliation to the recorded quantities.

The shipping department compares the physical count of inventory, the quantities on the picking
ticket and the quantities on the sales order. Discrepancies can occur if inventory records were
inaccurate or items were not stored in the location indicated. If this occurs then a back order is
initiated. They then record the sales order number, items ordered and quantities shipped. This
updates the on-hand inventory and produces a packing slip and bill of lading. This then goes to
accounts receivable to create an invoice.
Threats include shipping errors, which are mitigated through RFID systems to identify delays, data
entry using barcodes or RFID, and data entry controls, configuration of ERP systems and
reconciliation of shipping documents with sales orders, picking lists and packing slips.
Bill of Lading: a legal document that defines who's responsible for the goods while they're in transit.

The purpose of billing is to ensure customers are billed for all sales, invoices are accurate and
customer accounts are accurately maintained. This has two steps, invoicing and updating accounts
receivable.
Accurate and timely billing is essential, and requires information from the shipping and sales
departments. The billing function also creates the invoices.
Errors that could occur include a failure to bill and billing errors. This is mitigated through the
separation of billing and shipping functions, periodic reconciliation of invoices with other documents
and orders, configuring the system to automatically enter pricing data, data entry edit controls and
restrictions of access to pricing master entry.

There are two basic tasks for the accounts receivable personnel: debiting customer accounts when
invoices are sent and crediting them when payments are received.
If there is a return the credit manager receives confirmation that the goods were received back, and
issues a credit memo. This allows for a segregation of duties. Refunds and adjustments are rare and
thus are hard to program.
Threats include posting errors, and inaccurate or invalid credit memos. These are mitigated through
data entry controls, reconciliation of batch totals, mailing of monthly statements, reconciliation of
subsidiary accounts to general ledger, segregation of duties and configuring the system to block
credit memos without correct documentation or authorisation.


The final activity is collecting cash from customers, which aims to safeguard customer remittances.
This can be sped up by using remote deposit capture software, electronic lockboxes, electronic funds
transfer and financial electronic data interchange.
The two main threats are cash flow problems and theft. These can be mitigated through segregation
of duties and use of the speed-up procedures above.

Open-Invoice Method: the customers pay according to each invoice.

Balance Forward Method: pay on a monthly statement, which lists all the transactions and states
the account balance.

Lockbox: a postal address to which customers send their remittances.

There are several different parts of the business involved in the revenue cycle.

Controlling the Expenditure Cycle


Expenditure Cycle: a recurring set of business activities related to data processing operations
associated with the purchase and payment of goods and services
Expenditure activities mirror revenue activities
We want to minimise the total cost of acquiring and maintaining inventories, suppliers and various
services that the organisation needs to function.

Our master data is typically good.


There are four basic activities performed:
• Ordering
• Receiving
• Approving invoices
• Cash disbursements

General threats:
• Inaccurate or invalid master data
o Controlled through data processing controls, restriction of access and a review of all
changes
• Unauthorised disclosure of information
o Controlled through access controls and encryption
• Loss or destruction of data
o Controlled through backup and disaster recovery procedures
• Poor performance
o Controlled through managerial reports

Ordering:
Key activities:
• Identify the need for items/services
• Prepare a request for the order
• Select the supplier
• Send a purchase order to supplier.
This is done through a purchase requisition. Purchasing is centralised so that all suppliers deal with
one point of contact in the organisation; otherwise each order would be shipped separately.
Purchase Requisition: document that specifies various things about each item requested

Ways to identify what, when and how much to order:


• Inventory control
o Economic Order Quantity: the optimal order size to minimise the sum of ordering,
carrying and stockout costs
o Material Requirements Planning: an approach to inventory management that seeks to
minimise required inventory levels by improving forecasting
o Just in Time Inventory: attempts to minimise or eliminate finished goods inventory by
purchasing and producing goods in response to actual sales
• Employees notice a shortage

We choose suppliers by considering price, quality and dependability.


IT can help by using EDI to transmit purchase orders and vendor managed inventory programs may
be used.

Purchase Order: a document or form that requests a supplier to give goods at a specified price
Blanket Order/Blanket Purchase Form: a commitment to purchase specified items at designated
prices from a set supplier for a period of time
Vendor Managed Inventory: a practice in which manufacturers and distribution agents manage a
customer's inventory

Ordering Threats:
• Stockouts and excessive inventory
o Controlled using perpetual inventory, barcoding/RFID and periodic reconciliation of
inventory and their records
• Purchasing items not necessary
o Controlled through perpetual inventory, review and approval of purchases and
centralised purchased function
• Purchasing at inflated prices
o Controlled through approved price lists, competitive tendering or bidding, reviewing
purchase orders and budget preparation and monitoring
• Purchasing goods of inferior quality
o Controlled through only purchasing from approved suppliers, tracking and monitoring
quality and holding purchasing responsible for reworks and scraps
• Unreliable suppliers
o Controlled through requiring quality certification for suppliers and collecting, monitoring
and reviewing supplier performance data.
• Purchasing from unauthorised suppliers
o Controlled through maintaining a list of approved suppliers and only allowing purchases
from it, with review and approval of purchases from new suppliers
• Kickbacks
o Controlled through prohibiting acceptance of gifts and requiring purchasing agents to
disclose interest in suppliers, as well as job rotation and mandatory vacations.

Receiving the goods:


Key activities:
• Deliveries arrive
• Verify the delivery is valid
• Record details
• Prepare the receiving report
• Send goods to warehouse
Receiving staff need to check that what is being delivered is what was ordered, and then record and
update what has actually been received.


We need to decide whether to accept the delivery and verify the quantity and quality, which is done
using a receiving report.

Receiving report: a document that records details about each delivery


Debit Memo: a document used to record a reduction to the balance due to a supplier

Threats:
• Accepting unordered goods
o Controlled by only accepting goods where there is an approved purchase order
• Mistakes in counting received goods
o Controlled by not informing receiving employees of the quantities ordered, having them
sign a receiving report, barcodes and RFID tags, compare quantities received to ordered
and follow up on discrepancies between this.
• Not verifying received services
o Controlled through budget controls and audits
• Theft of inventory
o Controlled by restricting access to inventory, documenting all transfers of inventory,
periodic stock takes and reconciliation to recorded quantities and segregation of duties.

Then we need to store the goods and update inventory.

Approving Supplier Invoices:


Key activities:
• Supplier invoice arrives
• Verify invoice is valid
• Update accounts payable.
These steps can be performed in differing orders.
This is done by the accounts payable department.

Threats:
• Errors in supplier invoices
o Controlled through comparing quantities in supplier invoice with the quantities received,
requiring receipts, using an evaluated receipt settlement system, restricting access to
supplier master data, and verifying shipping and transportation costs.
• Mistakes in posting to accounts payable
o Controlled by having data entry edit controls, reconciling accounts payable subsidiary
ledgers to general ledgers and using batch totals if batch processing is used.
Evaluated Receipt Settlement: a two-way match of the receiving report against the purchase order,
with no supplier invoice

Cash Disbursement:
Key activities:
• Identify accounts payable that are due to be paid
• Prepare payment details
• Approve payment
• Make payment
• Record payment details

Threats:
• Missing out on supplier discounts
o Controlled through filing invoices by due date and cash budgeting


• Paying for items/services not received
o Controlled through requiring a package of supporting documents, expenditure budgets and
requiring receipts for reimbursement
• Duplicate payments on an invoice
o Controlled by approving invoices for payment when accompanied with a purchase order
and receiving report only, paying only originals of the invoice and once paid mark
voucher package as paid.
• Theft of cash
o Controlled by security over payment documentation, sequence check on cheques, a
dedicated banking terminal, dual signatures on cheque payments, regular bank
reconciliations, restricted access to supplier master data and segregation of duties
• Theft of cash through cheque alteration
o Controlled through arranging positive pay with the bank, so that the bank pays only cheques
on a list provided by the company.
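The invoice approval controls (compare the invoice with the quantities received, evaluated receipt settlement) and the cash disbursement controls (approve only invoices accompanied by a purchase order and receiving report, pay only originals, mark the voucher package as paid) fit together as one matching and payment routine, so one added Python example serves both passages. It is written for these notes, not taken from the original; the purchase orders, receiving reports and invoices are constructed, and the receiving report deliberately carries no quantity ordered, reflecting the blind-count control above.

```python
from decimal import Decimal

# Constructed documents (assumption). Receiving staff count blind, so the
# receiving report carries no "quantity ordered" field.
PURCHASE_ORDERS = {
    "PO-100": {"supplier": "Acme", "item": "widget", "qty": 50, "unit_price": Decimal("4.00")},
    "PO-101": {"supplier": "Acme", "item": "gadget", "qty": 20, "unit_price": Decimal("9.50")},
}
RECEIVING_REPORTS = {
    "RR-7": {"po": "PO-100", "qty_received": 48},
    "RR-8": {"po": "PO-101", "qty_received": 20},
}
INVOICES = [
    {"no": "INV-55", "supplier": "Acme", "po": "PO-100", "qty": 50,
     "unit_price": Decimal("4.00"), "total": Decimal("200.00"), "original": True},
    {"no": "INV-56", "supplier": "Acme", "po": "PO-101", "qty": 20,
     "unit_price": Decimal("9.50"), "total": Decimal("190.00"), "original": True},
    {"no": "INV-56", "supplier": "Acme", "po": "PO-101", "qty": 20,
     "unit_price": Decimal("9.50"), "total": Decimal("190.00"), "original": False},  # a copy
    {"no": "INV-56", "supplier": "Acme", "po": "PO-101", "qty": 20,
     "unit_price": Decimal("9.50"), "total": Decimal("190.00"), "original": True},   # sent again
    {"no": "INV-57", "supplier": "Acme", "po": None, "qty": 1,
     "unit_price": Decimal("300.00"), "total": Decimal("300.00"), "original": True},
]


def three_way_match(inv: dict, pos: dict, rrs: dict) -> list:
    """Compare the invoice with its purchase order and receiving report; return the
    reasons it cannot be approved (empty list means approved)."""
    reasons = []
    po = pos.get(inv["po"])
    if po is None:
        return ["no approved purchase order"]
    if po["supplier"] != inv["supplier"]:
        reasons.append("supplier differs from purchase order")
    rr = next((r for r in rrs.values() if r["po"] == inv["po"]), None)
    if rr is None:
        return reasons + ["no receiving report: goods not received"]
    if inv["qty"] > rr["qty_received"]:
        reasons.append(f"billed {inv['qty']} but only {rr['qty_received']} received")
    if inv["unit_price"] != po["unit_price"]:
        reasons.append("unit price differs from purchase order")
    if inv["total"] != inv["qty"] * inv["unit_price"]:
        reasons.append("invoice total does not foot")
    return reasons


def evaluated_receipt_settlement(po: dict, rr: dict) -> Decimal:
    """ERS: two-way match, paying the received quantity at the PO price with no invoice."""
    return rr["qty_received"] * po["unit_price"]


def disburse(invoices: list, pos: dict, rrs: dict) -> dict:
    """Approve and pay each invoice, paying only originals and each only once."""
    paid = {}                    # voucher packages marked paid, keyed by invoice number
    outcome = []
    for inv in invoices:
        if not inv["original"]:
            outcome.append((inv["no"], "rejected: not the original invoice"))
            continue
        if inv["no"] in paid:
            outcome.append((inv["no"], "rejected: duplicate payment"))
            continue
        reasons = three_way_match(inv, pos, rrs)
        if reasons:
            outcome.append((inv["no"], "held: " + "; ".join(reasons)))
            continue
        paid[inv["no"]] = inv["total"]        # mark the voucher package as paid
        outcome.append((inv["no"], f"paid {inv['total']}"))
    return {"outcome": outcome, "total_paid": sum(paid.values())}
```

The two rejection checks run before the match so that a copy or a re-sent invoice is never re-matched, and the paid register is the only state the routine keeps, which is what makes the duplicate check work across a whole payment run.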

Voucher Package: a set of documents used to authorise payment to a supplier

Non-voucher system: each approved invoice is posted to the supplier's record in the accounts
payable file and then stored in an open invoice file
Voucher system: a disbursement voucher is also created when a supplier invoice is approved
Disbursement Voucher: indicates the net amount to be paid

Procurement Card: a corporate card that employees can use to purchase specific items

Imprest Fund: set at a fixed amount and requires vouchers for every disbursement

Systems Development Process


If businesses don't change they will not be able to keep up and are likely to fail.
Reasons for Changing Software:
• Changes in business or user needs
• Technological changes
• Improved business processes
• Competitive advantage
• Productivity gains
• Systems integration
• Systems age and need replacing

Stakeholders must be considered when developing systems.


The key stakeholders are management, the users, the project development team, information
systems steering committee and any external players.

Systems Development Life Cycle


Systems Analysis: the information needed to purchase, develop or modify a system is gathered. It
also describes the current environment and issues of a system, the systems objectives, justifies a
new or enhanced system and anticipates the cost-benefits.
Steps include:
• Initial investigation
• Systems survey
• Feasibility study
• Information needs and system requirement
• Systems analysis report


The methods of gathering data include interviews, questionnaires, observations and the review of
systems documentation.
Conceptual Design: identify and evaluate design alternatives
Physical design: develop specifics
Implementation and conversion
• Users need to be able to use the system before it becomes the main system.
Operations and maintenance

Planning systems development requires two plans: a project development plan and a master plan.
The master plan is a long-term information systems corporate plan developed by the steering
committee, while the project plan is developed by the project manager and their team.
IS scope planning: a project scope details the work breakdown structures.

Scheduling requires the consideration of many unknowns.

Program Evaluation and Review Technique (PERT): a way to develop, coordinate, control and
schedule systems development activities
Critical path: the PERT path that requires the greatest amount of time to complete. This is the most
detailed one.
Gantt Chart: a bar-chart-formatted schedule that shows the timeline down to the lowest level of tasks.
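Finding the critical path of a PERT network and laying the activities out as a Gantt chart can be done with a forward and backward pass over the activity graph. The following Python is an added example written for these notes (not from the original); the activity network, its durations and its predecessor links are constructed, loosely following the systems analysis steps listed earlier.

```python
# Constructed systems-development activity network (assumption):
# activity -> (duration in days, list of predecessors).
ACTIVITIES = {
    "A": (3, []),          # initial investigation
    "B": (5, ["A"]),       # systems survey
    "C": (2, ["A"]),       # feasibility study
    "D": (4, ["B", "C"]),  # information needs and requirements
    "E": (6, ["D"]),       # design
    "F": (3, ["E"]),       # implementation and conversion
}


def topological_order(acts: dict) -> list:
    """Order activities so that every predecessor comes first (Kahn's algorithm)."""
    remaining = {a: set(p) for a, (_, p) in acts.items()}
    order = []
    while remaining:
        ready = sorted(a for a, preds in remaining.items() if not preds)
        if not ready:
            raise ValueError("cycle in activity network")
        for a in ready:
            order.append(a)
            del remaining[a]
        for preds in remaining.values():
            preds -= set(ready)
    return order


def schedule(acts: dict) -> dict:
    """Forward pass for earliest start/finish, backward pass for latest start/finish;
    slack is latest start minus earliest start."""
    order = topological_order(acts)
    es, ef = {}, {}
    for a in order:
        dur, preds = acts[a]
        es[a] = max((ef[p] for p in preds), default=0)
        ef[a] = es[a] + dur
    project_end = max(ef.values())
    successors = {a: [s for s, (_, p) in acts.items() if a in p] for a in acts}
    lf, ls = {}, {}
    for a in reversed(order):
        lf[a] = min((ls[s] for s in successors[a]), default=project_end)
        ls[a] = lf[a] - acts[a][0]
    return {a: {"es": es[a], "ef": ef[a], "ls": ls[a], "lf": lf[a],
                "slack": ls[a] - es[a]} for a in order}


def critical_path(acts: dict) -> tuple:
    """Activities with zero slack, in sequence, and the project duration they set."""
    sched = schedule(acts)
    path = [a for a in sched if sched[a]["slack"] == 0]
    return path, max(v["ef"] for v in sched.values())


def gantt(acts: dict, unit: str = "#") -> list:
    """Text Gantt chart rows: one bar per activity, starting at its earliest start."""
    sched = schedule(acts)
    return [f"{a} |{' ' * v['es']}{unit * acts[a][0]}" for a, v in sched.items()]
```

Activity C (the feasibility study) has three days of slack because it runs alongside the longer systems survey; any delay to an activity on the zero-slack path delays the whole project.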

As changes may occur during the project the management often set a common change management
procedure to control these changes.

Feasibility is also something that needs to be considered.


IS Feasibility: develops and reports the business case of an information systems project. There needs
to be identification of the impacts of the business case.
The five analysis perspectives:
• Economic feasibility. This may consider:
o Payback period
o NPV (net present value)
o IRR (internal rate of return)
• Technical feasibility
• Legal feasibility
• Scheduling feasibility
• Operational feasibility
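The three economic feasibility measures listed above are worth computing together on one set of project figures, since they can disagree. This Python is an added example written for these notes (not from the original); the initial cost, annual benefits and discount rate are constructed.

```python
# Constructed project figures (assumption): initial cost and net annual benefits.
INITIAL_COST = 100_000.0
ANNUAL_BENEFITS = [30_000.0, 40_000.0, 50_000.0, 50_000.0]
DISCOUNT_RATE = 0.10


def payback_period(initial_cost: float, benefits: list) -> float:
    """Years until cumulative (undiscounted) benefits repay the cost, interpolating
    within the year in which payback occurs."""
    cumulative = 0.0
    for year, b in enumerate(benefits, start=1):
        if cumulative + b >= initial_cost:
            return year - 1 + (initial_cost - cumulative) / b
        cumulative += b
    return float("inf")      # never pays back within the horizon


def npv(rate: float, initial_cost: float, benefits: list) -> float:
    """Net present value: discounted benefits less the initial cost."""
    return -initial_cost + sum(b / (1 + rate) ** t for t, b in enumerate(benefits, start=1))


def irr(initial_cost: float, benefits: list, lo: float = 0.0, hi: float = 1.0) -> float:
    """Rate at which NPV is zero, found by bisection; requires NPV to be positive
    at lo and negative at hi, which holds for a normal cost-then-benefits project."""
    if npv(lo, initial_cost, benefits) < 0 or npv(hi, initial_cost, benefits) > 0:
        raise ValueError("IRR is not bracketed by lo..hi")
    for _ in range(100):
        mid = (lo + hi) / 2
        if npv(mid, initial_cost, benefits) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def economic_feasibility(initial_cost: float = INITIAL_COST,
                         benefits: list = ANNUAL_BENEFITS,
                         rate: float = DISCOUNT_RATE) -> dict:
    value = npv(rate, initial_cost, benefits)
    rate_of_return = irr(initial_cost, benefits)
    return {
        "payback_years": payback_period(initial_cost, benefits),
        "npv": round(value, 2),
        "irr": round(rate_of_return, 4),
        # cost beneficial when NPV > 0, equivalently when IRR exceeds the discount rate
        "cost_beneficial": value > 0 and rate_of_return > rate,
    }
```

Payback ignores the time value of money and anything after the payback year, which is why the notes list NPV and IRR beside it rather than instead of it.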

Change management is essential, as jobs often get cut when automation occurs, so workers are
unlikely to be fans of automation.
People may resist because of:
• Fear of the unknown
• Perception of lacking top management support
• Prior bad experiences
• Disruption to routines
• Poor communications
• Poor manners in introducing the system
• Bias and emotions due to their ability to change
• Personal characteristics and background
This may lead to:
• Aggression
• Avoidance


• Projection: blaming the system for everything that goes wrong


To prevent this behaviour we need to:
• Have senior management support
• Meet user needs
• Manage fears and show the new opportunities
• Avoid emotionalism
• Provide training
• Examine performance appraisal
• Keep communication lines open
• Test the system and make sure it works when installed
• Humanise the system and keep it simple
• Manage users' expectations.

Capital Budgeting Model: return on investment techniques used to compare estimated benefits and
costs to determine whether a system will be cost beneficial.

Physical Models: illustrate how a system functions

Logical Functions: illustrate what's being done and the flow of information

Four strategies to determine AIS requirements:
• Ask users what they need
• Analyse external systems
• Examine existing systems
• Create a prototype

Data modelling: defining a database so that it faithfully represents the key components of an
organisation's environment.

Entity relationship diagram: a graphical representation to portray a database schema.

REA Data Model: a data model that is used in designing AIS databases. There are three types of
entities: resources, which are things with economic value; events, which are business activities; and
agents, which are people and organisations.
The basic template:
• Each event is linked to at least one resource it affects
• Each event is linked to at least one other event
• Each event is linked to 2+ participating agents.
Steps to build an REA diagram:
1. Identify relevant events
2. Identify the resources each event affects and the agents involved
3. Determine the cardinalities of each relationship. Cardinalities describe the relationship by
indicating how many instances of one entity can be linked to each specific instance of another
entity.
a. The minimum can be 0 or 1 and the maximum can be 1 or many.
There are three types of relationships:
• One to one: the maximum cardinality is 1 on both sides
• One to many: the maximum cardinality is 1 on one side but not on the other
• Many to many: the maximum cardinality is not 1 on either side
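Added example (not from the notes): checking a constructed revenue-cycle REA model against the three template rules and classifying each relationship from its maximum cardinalities; the entity and relationship names are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class Entity:
    name: str
    kind: str   # "resource", "event" or "agent"

@dataclass
class Relationship:
    left: str
    right: str
    left_card: tuple    # (min, max) on the left side; max is 1 or "N"
    right_card: tuple   # (min, max) on the right side

def relationship_type(rel):
    """1:1, 1:N or M:N is decided only by the maximum cardinalities."""
    maxes = (rel.left_card[1], rel.right_card[1])
    if maxes == (1, 1):
        return "one-to-one"
    if "N" in maxes and 1 in maxes:
        return "one-to-many"
    return "many-to-many"

def validate_rea(entities, relationships):
    """Apply the REA template rules to every event.
    Returns a list of violations; an empty list means the model passes."""
    kinds = {e.name: e.kind for e in entities}
    links = {n: set() for n in kinds}
    for r in relationships:
        for n in (r.left, r.right):
            if n not in kinds:
                return [f"unknown entity {n}"]
        links[r.left].add(r.right)
        links[r.right].add(r.left)
    problems = []
    for name, kind in kinds.items():
        if kind != "event":
            continue
        linked = [kinds[n] for n in links[name]]
        if linked.count("resource") < 1:
            problems.append(f"{name}: not linked to any resource")
        if linked.count("event") < 1:
            problems.append(f"{name}: not linked to another event")
        if linked.count("agent") < 2:
            problems.append(f"{name}: needs at least two participating agents")
    return problems

# Constructed revenue-cycle fragment: a Sale event and a Receive Cash event.
ENTITIES = [Entity("Inventory", "resource"), Entity("Cash", "resource"),
            Entity("Sale", "event"), Entity("Receive Cash", "event"),
            Entity("Customer", "agent"), Entity("Salesperson", "agent"),
            Entity("Cashier", "agent")]
RELATIONSHIPS = [
    Relationship("Sale", "Inventory", (1, "N"), (0, "N")),
    Relationship("Sale", "Customer", (1, 1), (0, "N")),
    Relationship("Sale", "Salesperson", (1, 1), (0, "N")),
    Relationship("Sale", "Receive Cash", (0, "N"), (0, "N")),
    Relationship("Receive Cash", "Cash", (1, 1), (0, "N")),
    Relationship("Receive Cash", "Customer", (1, 1), (0, "N")),
    Relationship("Receive Cash", "Cashier", (1, 1), (0, "N")),
]
```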

Auditing AIS

Auditing: objectively obtaining and evaluating evidence regarding an assertion about economic
actions and events in order to determine how well they correspond with established criteria.
Internal Audit: assurance and consulting activity to add value and improve organisational
effectiveness and efficiency. This is usually independent and objective, and looks at both financial
and non-financial aspects. It looks at the company's objectives and how we know they are being
achieved.
Types:
• Financial audit: audit of financial transactions
• Information Systems Audit: audit of AIS controls
• Operational Audit: audit of resource use
• Compliance audit
• Investigative audit: audit of fraud or other improper activities

Audit Process:
1. Audit planning. This considers the why, how, when and who. The scope and objectives are
established, we identify the risks, and we prepare the audit program, which identifies the
probabilities of the risks.
2. Collection of audit evidence
3. Evaluation of audit evidence. It considers whether the audit supports a favourable or
unfavourable conclusion, and materiality.
a. This can only provide reasonable assurance.
4. Communication of audit results, usually in the form of a report. The recipient depends on the
type of audit.

Materiality: the amount of error we can accept without affecting the user's decision making. The
more materiality is accepted the more tests we need to perform.

3 types of audit risk:
• Inherent risk
• Control risk: the risk that misstatements will get through internal controls
• Detection risk: the risk that an error won't be detected

Types of audit evidence and what each is useful for:
• Observation: seeing how things are done
• Reviewing documentation: how processes are supposed to operate
• Discussions: getting accounts from those who perform the activities
• Questionnaires: gathering information about a process
• Physical examination: verifying the items actually exist
• Confirmation: checking accuracy, as it comes from a third party
• Reperformance: computational accuracy checking
• Vouching: validity, by working back through the stages of supporting documentation
• Analytical review of financial statements: identifying changes in relationships between key items
• Tracing: completeness, as it works forward through the stages of documentation

Observation and reviewing documentation can be used effectively in combination, as together they
show what happens and what should happen.
Vouching and tracing both match documents, but in opposite orders.

Risk based audit approach:
1. Determine the threats
2. Identify control procedures
3. Evaluate control procedures using a systems review or tests of controls
a. The more risks, the more tests need to occur
4. Evaluate control weaknesses to determine their effect on auditing procedures

Objectives of auditing AIS:
• Protect overall security.
o This asks how we know that the controls are in place and that they work correctly
• Program development and acquisition occur under management authorisation
• Program modification occurs under management authorisation
• Computer processing is accurate
o This may include:
▪ Processing test data: hypothetical and invalid test data is processed in the system to
see how it is handled. We can also compare actual results to expected results. In
doing this we need to ensure that the test data does not impact live data.
▪ Performing concurrent audit techniques: we monitor the operation of the system and
gather evidence in real time
▪ Analysing program logic: this looks at the way they can track things and gather
evidence in an audit
• Source data is protected
• Data files are accurate, complete and protected.

Objectives, threats and controls:

Protect overall security
• Threats:
o Theft of hardware
o Damage of hardware
o Loss, theft or unauthorised access to programs, data and other resources
o Unauthorised use or modification of data or programs
o Loss, theft, or unauthorised disclosure of confidential data
o Interruption of crucial business activities
• Controls:
o Information security/protection plan
o Limit physical access to computer equipment
o Limit logical access to the system using authentication and authorisation controls
o Data storage and transmission controls
o Virus protection and firewalls
o Fault tolerant systems design
o Disaster recovery plan
o Preventative maintenance
o Firewalls
o Casualty and business interruption insurance

Program development and acquisition
• Threats:
o Inadvertent programming errors
o Unauthorised computer code
• Controls:
o Review software license agreements
o Management authorisation for program development and software acquisition
o Management and user approval of programming specifications
o Testing and user acceptance of new programs
o Systems documentation

Program modification
• Threats:
o Inadvertent programming errors
o Unauthorised computer code
• Controls:
o List program components to be modified
o Management authorisation and approval for modifications
o User approval for program change specifications
o Test changes to program
o System documentation of changes
o Changes by personnel independent of users and programmers
o Logical access controls

Computer processing
• Threats:
o Failure to detect incorrect, incomplete or unauthorised input data
o Failure to correct errors identified from data editing procedures
o Introducing errors to files or databases during updating
o Improper distribution of output
o Inaccuracies in reporting
• Controls:
o Data editing routines
o Proper use of internal and external file labels
o Reconciliation of batch totals
o Error correction procedures
o Understandable documentation
o Competent supervision
o Effective handling of data input and output by data control personnel
o File change listings and summaries for user department review
o Maintenance of proper environmental conditions in computer facilities

Source data
• Threats:
o Inaccurate source data
o Unauthorised source data input
• Controls:
o User authorisation of source data
o Batch control totals
o Log receipt, movement and disposition of source data input
o Turnaround documents
o Check digit and key verification
o Data editing routines
o User department review of file change listings and summaries
o Effective procedures for correcting and resubmitting erroneous data

Data files
• Threats:
o Destruction of stored data from errors, hardware or software malfunctions or sabotage
o Unauthorised modification or disclosure of stored data
• Controls:
o Secure storage of data and restricted physical access
o Logical access controls
o Write-protection and proper file labels
o Concurrent update controls
o Data encryption
o Virus protection
o Backup of data files (offsite)
o System recovery procedures

There may not be a specific control for every risk.

When looking at the source data we may use an input controls matrix, which allows for the
matching of which input controls are relevant for each data item. Comments can be added, and
there is a tick for each control relevant to the data.
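Added example (not from the notes): the source data controls above applied in code to a constructed batch of sales-order records, combining check digit verification, data editing routines (validity, range and sign checks) and batch control total reconciliation. The mod-10 check digit scheme, field names and control slip values are assumptions for the example.

```python
def mod10_check_digit_ok(number: str) -> bool:
    """Luhn-style mod-10 check digit test. The notes only say 'check digit';
    this particular mod-10 scheme is an assumption for the example."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_record(rec, valid_products):
    """Data editing routine: field-level checks on one input record.
    Returns error codes; an empty list means the record is clean."""
    errors = []
    if not mod10_check_digit_ok(rec["customer"]):         # check digit verification
        errors.append("CHECK_DIGIT")
    if rec["product"] not in valid_products:               # validity check
        errors.append("INVALID_PRODUCT")
    if not isinstance(rec["qty"], int) or not 1 <= rec["qty"] <= 1000:  # range check
        errors.append("QTY_RANGE")
    if rec["amount"] <= 0:                                 # sign check
        errors.append("AMOUNT_SIGN")
    return errors

def edit_batch(records, valid_products):
    """Map record index -> errors, for only the records that fail an edit."""
    result = {}
    for i, rec in enumerate(records):
        errs = edit_record(rec, valid_products)
        if errs:
            result[i] = errs
    return result

def reconcile_batch(records, control):
    """Batch control totals: compare what the system computes with the totals
    keyed from the batch control slip. Returns {total: (computed, expected)}
    for mismatches only, so an empty dict means the batch reconciles."""
    computed = {
        "count": len(records),                                     # record count
        "financial": round(sum(r["amount"] for r in records), 2),  # financial total
        "hash": sum(int(r["customer"]) for r in records),          # hash total
    }
    return {k: (computed[k], control[k]) for k in control if computed[k] != control[k]}

VALID_PRODUCTS = {"P100", "P200"}
# Constructed batch: record 1 has a bad check digit and a negative amount,
# record 2 an unknown product and a zero quantity.
BATCH = [
    {"customer": "12344", "product": "P100", "qty": 5, "amount": 250.00},
    {"customer": "12345", "product": "P200", "qty": 2, "amount": -40.00},
    {"customer": "10009", "product": "P300", "qty": 0, "amount": 99.50},
]
CONTROL_SLIP = {"count": 3, "financial": 309.50, "hash": 34698}   # constructed slip
```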

Audit techniques to test programs:
• Integrated test facility, which uses fictitious inputs
• Snapshot technique, which looks at master files before and after an update for specially
marked transactions
• System control audit review file, which continuously monitors and stores transactions
that meet pre-specified criteria
• Audit hooks, which notify auditors of questionable transactions
• Continuous or intermittent simulation
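Added example (not from the notes): an embedded audit module over a constructed transaction stream that applies SCARF-style criteria, raises audit hooks, and keeps integrated test facility records (posted by a fictitious entity) out of live totals, as the "test data must not impact live data" point above requires. The rules, user names and amounts are assumptions.

```python
from dataclasses import dataclass

ITF_ENTITY = "ITF-TEST"   # constructed fictitious entity that only the auditors post to

@dataclass(frozen=True)
class Txn:
    txn_id: str
    entity: str
    user: str
    amount: float
    hour: int     # hour of day (0-23) the transaction was posted

# SCARF criteria (constructed): every transaction is tested against them and
# the hits are written to a separate audit file for later review.
SCARF_RULES = {
    "LARGE_AMOUNT": lambda t: t.amount >= 10_000,
    "AFTER_HOURS": lambda t: t.hour < 7 or t.hour >= 19,
    "ROUND_AMOUNT": lambda t: t.amount >= 1_000 and t.amount % 1_000 == 0,
}

def process_stream(txns, privileged_users):
    """Post a stream of transactions while the embedded audit module watches.

    Returns the live total (ITF test transactions excluded), the SCARF audit
    file, the audit-hook notifications and the ids of the ITF test records."""
    live_total = 0.0
    scarf_file = []     # (txn_id, [criteria met]) reviewed later by the auditor
    hooks = []          # audit hooks: questionable transactions notified immediately
    itf_ids = []        # fictitious-entity transactions processed by the live system
    for t in txns:
        if t.entity == ITF_ENTITY:
            # The test data runs through the real code path but is kept out of
            # live balances so the auditors' inputs never contaminate production.
            itf_ids.append(t.txn_id)
            continue
        live_total += t.amount
        hits = [name for name, rule in SCARF_RULES.items() if rule(t)]
        if hits:
            scarf_file.append((t.txn_id, hits))
        # Audit hook: a privileged user posting a large amount is notified at once.
        if t.user in privileged_users and t.amount >= 10_000:
            hooks.append(t.txn_id)
    return {"live_total": round(live_total, 2), "scarf": scarf_file,
            "hooks": hooks, "itf": itf_ids}

SAMPLE_STREAM = [   # constructed transactions
    Txn("T1", "CUST-1", "clerk1", 450.00, 10),
    Txn("T2", "CUST-2", "admin1", 12_000.00, 23),
    Txn("T3", ITF_ENTITY, "auditor", 5_000.00, 11),
    Txn("T4", "CUST-3", "clerk2", 3_000.00, 14),
]
PRIVILEGED_USERS = {"admin1"}
```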

Software tools used to test program logic:
• Automated flowcharting programs, which interpret source code to generate flowcharts
• Automated decision table programs, which interpret source code and generate a decision
table
• Scanning routines, which search programs for specified items
• Mapping programs, which identify unexecuted code
• Program tracing, which prints program steps with regular output to observe the sequence of
program execution events.

We can also use audit software to help us with this.

AIS Development Strategies

Software Acquisition Methods:
1. Software purchase
2. Software customisation
3. Software outsourcing
4. Software development
This is applicable to any software.

Software can be purchased as a package, or rented from a service provider.


Canned Programs: programs sold as is for users with similar needs.
Turnkey Systems: software and hardware sold as a package
Application Service Providers: companies that deliver software over the internet.
Request for Proposals: a request for a bid on a system to suit the company's needs.
Purchasing saves time, simplifies the decision-making process, reduces errors and avoids potential
for disagreement.

Evaluating Vendors' Proposals:
1. Define your evaluation criteria
2. Score each vendor's proposal
3. Select the ones with the highest scores
4. Assess each short-listed proposal's risks
5. Choose the one whose risk exposure meets your firm's risk appetite.

Benchmark Problems: comparing systems by executing an input, processing and output task on
different systems and evaluating the results.

Point Scoring: evaluating the general merits of vendor proposals by assigning a weight to each
criterion based on its importance.

Requirement Costing: estimates the cost of purchasing or developing a system.

Software can also be customised by in-house teams or outsourced.

End users can only customise software if they have access to end user computing tools to develop,
use and control the systems they create.

End User Computing: hands on development use and control of computer based information
systems by users.
Advantages:
• User creation, control and implementation
• System meets users' needs
• Timeliness
• Freeing up of system resources
• Versatility and ease of use
Disadvantages:
• Logic and developmental errors
• Inadequately tested applications
• Inefficient systems
• Poorly controlled and documented systems
• System incompatibilities
• Duplication of systems and data leading to wasted resources
• Increased costs

Outsourcing
Advantages:
• Business solution
• Asset utilisation
• Access to greater expertise and technology
• Lower costs
• Less development time
• Elimination of peaks and valleys in usage
• Facilitation of downsizing
Disadvantages:
• Inflexibility
• Loss of control
• Reduced competitive advantage
• Locked-in system
• Poor service
• Unfulfilled goals
• Increased risk

Software Development Methodologies

Business Process Engineering: the thorough analysis and redesign of business processes and
information systems. It is a one-off exercise.
• Business Process Management: a systematic approach to continuously improving and
optimising business processes
• Business Process Management System: systems that automate and facilitate business
process improvements
• Process digitalisation enables better processes that produce a competitive advantage,
better control of business processes, more agile business processes and alignment with
organisational strategic needs

Prototyping: building a simplified working system without full coding and then redesigning it to
deliver a fully functional system.
Advantages:
• Faster development time
• Fewer design errors
• More opportunities for change during SDLC activities
• Less costly
Disadvantages:
• Significant user time
• Less efficient use of resources
• Inadequate testing and documentation
• Negative behavioural reactions when requests for change are not met
• May result in never-ending development

Agile SDLC Methodologies: a set of guiding procedures and principles based on developing software
in an unknown, rapidly changing environment. Types include SCRUM and Extreme Programming.

Unified Processes: a software development framework with 4 phases:
1. Inception
2. Elaboration
3. Construction
4. Transition
The last three are iterative.

Computer Aided Software Engineering: an integrated suite of tools that skilled software designers
and coders use to plan, analyse, design, code and maintain a system.
Advantages:
• Improved productivity
• Improved program quality
• Cost savings
• Improved control procedures
• Simplified system documentation
Disadvantages:
• Incompatible with other system development tools
• Expensive acquisition costs
• Unmet user expectations may be high

Excel Basics
Industry wants excel use, but it can be cross applied.

There is a triangle with a line over it at the very top of the screen, which holds shortcuts to add to
the toolbar.

There is a name box next to the formula bar to name a cell or group of cells. We can also use this to
move our cursor to the cell with that name by clicking on it.
These can be used to:
• Make formulas easier to follow
• Avoid absolute referencing
• Create dropdown lists from off-sheet sources
• Link to external files
They must not use spaces or special characters.

Bottom right corner has the different layouts of the spreadsheet which is useful for printing.

Control + semicolon timestamps the cell (inserts the current date).

We can use Ctrl + N to get to the bottom right cell in the model and Ctrl + Home to get to the top
left.

We can use the page up and down to move or the scroll bars.

Cell formatting changes the way a cell looks without actually changing the content.

Excel saves dates as numbers.

We can format cells by right clicking it.

Esc cancels an action midway through it

Format painter shows where we want the format to apply.

Some formatting may enable the spreadsheet to look professional.

There are more errors if you type the cell reference in rather than click the cell.
Types of cell reference:
• $A$1 - absolute, will use A1 no matter where the formula is copied
• A$1 - mixed referencing, will always use the first row
• $A1 - mixed referencing, will always use the first column
• A1 - relative, changes position relative to the new cell
We can cycle through these using F4.
Don't hardcode anything, i.e. don't type 100 into a formula when a cell already says 100.

If we write the formula in the exam use * and / not the multiplication or division sign

Just because there is no error warning showing doesn't mean that there are no errors.

IF(statement being used, value if true, value if false) looks at a logical expression.

Good Modelling Practices
1. Clearly state inputs and assumptions
a. Set parameters, add comments and document the sources and assumptions
2. Separate model inputs from analysis
a. Don't hard code
b. Use proper layouts
3. Reliably perform analysis in easy to debug steps
a. Keep formulas short and simple
b. Use consistent formulas and highlight when they should be inconsistent
4. Design model to enable understanding and use by others
a. Label and format for clarity
b. Have a logical flow
c. Communicate results of analysis

Advanced Functions
Logical functions allow decision making when executing formulas and functions.
This involves the IF, AND and OR functions. These may also be nested.
IF - tests a cell and performs a function
AND - tests statements and returns TRUE if they are all true
OR - returns TRUE if one or more statements are true
Lookup functions allow us to retrieve values from another location.
VLOOKUP() - vertical lookup
HLOOKUP() - horizontal lookup
LOOKUP - looks either way, but it is not useful with text and the data must already be sorted.
AVERAGE() only counts cells with a value in them.

Putting FALSE in any of the lookups finds an exact match.

SUMIF, COUNTIF and AVERAGEIF find the information if a certain criterion, or multiple criteria, are
met.

Financial Functions
NPV and IRR can be calculated using the NPV and IRR functions.
Adding an X (XNPV, XIRR) means the first cash amount is not discounted and we have to supply the
dates. It allows out-of-order values to be used.
EFFECT calculates the effective interest rate.

Data Analysis Tools for Financial Modelling

We can use =ROUND to round to the nearest X.

Bullet-proofing your model:

Protection:
1. Protect the file, and require a password
2. Protect the structure
3. Unlock individual cells and protect the sheet
Data validation may be useful.

We need to clean the data before using it; this can be done through:
• Auto filter
• Conditional formatting
• Find and replace.
Then we need to summarise the data using:
• Sort, on one or more columns
We then might want to group the data through:
• Subtotals and outlines to analyse an Excel list
• Outline to create levels of the data.

We also might prefer using an excel table over the spreadsheet as a whole.

Ways to display data without charts:
• Sparklines
• Data bars.

Data Validation Functions

Formatting our models is very important.

Data validation: controls what a user can put into a cell; it must meet certain criteria. There can be
an input message which tells users what is allowed and an error message to stop invalid user input.

We may need to prevent unauthorised access to the cell, worksheet and workbook.

We also need to back up our data.

Pivot Tables, Pivot Charts and Slicers

To make our modelling better we can hide sheets or pages, but to unhide one we need to select it.
Hiding columns, rows or sheets may also cause problems down the track.

Pivot tables are used to analyse and sort our data. They organise data into a meaningful
summary, where we can group into categories and use functions to summarise the data.
We can rearrange, hide and display different category columns to provide alternative views of the
data.
Pivot tables are not widely used as they are static until refreshed.
Fields that contain summary data are in the values field, and fields that group the values are in the
category fields.
We can create a slicer to filter a pivot table.
Pivot charts create graphical representations of pivot tables.

Dashboard: a data visualisation that presents a useful overview of consolidated business
information.
It informs rather than overwhelms and is useful for key decision makers.

Macros: a collection of commands in a set order. Some macros are malicious, which is why some
people don't use them.

Try and make models as simple as possible and as complex as necessary

Data Visualisation
Test everything before presenting it.

Tips for charting:
• Reduce clutter by representing less data
• Use gridlines sparingly
• Limit the number of bars and lines
• Use standard imagery
• Utilise space efficiently
• Keep things simple
• If there is no natural ordering, sort from smallest to largest.

Form controls are objects that sit over the top of Excel worksheets and enable us to control what
we view.

Combo Boxes: used when you want a user to select from a predefined number of options.

Combination Charts: combines two chart types enabling the display of two sets of data, with two
vertical axes

Sensitivity Analysis
Scenarios are an important part of financial modelling.
We have numerous decisions in life and business, and we can use computers to analyse the potential
outcomes of alternatives.

Types of decision analysis:
• Sensitivity analysis
• Base case selection
• Breakeven analysis
• Optimisation analysis
• Risk analysis

Sensitivity Analysis: examines how sensitive the results of an analysis are to changes in the
assumptions.
We can do this with a one-variable data table, which changes only one input, or a two-variable data
table, which changes more than one. We can't change the data once the table is made.

Scenario Manager: a tool to create multiple scenarios

Base Case Selection: the expected case of the model, using the assumptions that management
deems most likely to occur. It sits between the pessimistic and optimistic scenarios.
We need to choose the most appropriate base case, usually where the current policy is usual and the
most likely scenario.
We can compare using the scenario manager in Excel, where we perform a what-if analysis with more
than two input cells. It defines and saves sets of values as scenarios, and we can view and change them
to produce and compare different results.
Requirements for running a scenario:
• Well-structured input and output selection
• Output depends on input through the use of formulas
• Changing cells and result cells must be on the same worksheet

Breakeven Analysis: trying to find the point at which profit is 0. We can do this using Goal Seek.
Goal Seek: set a goal and it finds the input parameter that meets the goal.
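Added example (not from the notes) serving three passages at once: the economic feasibility measures (payback period, NPV, IRR), the NPV/XNPV behaviour described under Financial Functions (XNPV leaves the first dated flow undiscounted and accepts flows in any order), and breakeven found with a Goal Seek style bisection search. The project figures, dates and prices are constructed; the 365-day year in XNPV is an assumption.

```python
from datetime import date

def npv(rate, cash_flows):
    """Excel-style NPV: every value, including the first, is discounted one period."""
    return sum(cf / (1 + rate) ** (i + 1) for i, cf in enumerate(cash_flows))

def project_npv(rate, initial_outlay, cash_flows):
    """Feasibility NPV: the outlay at time 0 is not discounted, later flows are."""
    return initial_outlay + npv(rate, cash_flows)

def payback_period(initial_outlay, cash_flows):
    """Years until cumulative inflows recover the outlay (assumes even inflow within a year)."""
    remaining = -initial_outlay
    for year, cf in enumerate(cash_flows, start=1):
        if cf >= remaining:
            return year - 1 + remaining / cf
        remaining -= cf
    return None   # never pays back

def xnpv(rate, dated_flows):
    """XNPV: the earliest dated flow is not discounted; actual day counts over a
    365-day year (assumption), so the order of the flows does not matter."""
    t0 = min(d for d, _ in dated_flows)
    return sum(cf / (1 + rate) ** ((d - t0).days / 365) for d, cf in dated_flows)

def goal_seek(f, target, lo, hi, tol=1e-7):
    """Bisection: find x in [lo, hi] with f(x) == target, like Excel's Goal Seek."""
    flo, fhi = f(lo) - target, f(hi) - target
    if flo * fhi > 0:
        raise ValueError("target is not bracketed by lo and hi")
    for _ in range(200):
        mid = (lo + hi) / 2
        fmid = f(mid) - target
        if abs(fmid) < tol:
            return mid
        if flo * fmid < 0:
            hi, fhi = mid, fmid
        else:
            lo, flo = mid, fmid
    return (lo + hi) / 2

def irr(initial_outlay, cash_flows):
    """IRR is the rate at which project NPV is 0: a goal seek on project_npv."""
    return goal_seek(lambda r: project_npv(r, initial_outlay, cash_flows), 0.0, -0.99, 10.0)

def breakeven_units(price, variable_cost, fixed_cost):
    """Units at which profit is 0, found with goal_seek rather than the closed form."""
    return goal_seek(lambda q: q * (price - variable_cost) - fixed_cost, 0.0, 0.0, 1e9)

# Constructed system project: $100,000 outlay, four years of net savings.
OUTLAY, SAVINGS = -100_000.0, [30_000.0, 40_000.0, 40_000.0, 30_000.0]
# Constructed dated flows for XNPV (2024 is a leap year, so the first gap is 366 days).
DATED_FLOWS = [(date(2024, 1, 1), -100_000.0), (date(2025, 1, 1), 60_000.0),
               (date(2026, 1, 1), 60_000.0)]
```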

Auditing Tools in Excel

If we are given a model to rebuild or work with, we try to talk to the developer, and we may also
remove redundant cells and audit the formulas.

In auditing formulas we may use trace dependents, which shows us where a cell is used,
and trace precedents, which identifies what cells are used in a formula. This can help
us understand how it works.

To improve model performance we can reduce the file size.

Levels of auditing:
• Informal check
• Quality assurance procedure
• Formal audit

Spreadsheet Design Principles:
• Clear sections for input/calculation/outcomes
• Validity checks/input controls
• Navigation
• Presentation of data
• Hardcode once
• Formula design

Spreadsheet errors can have consequences due to the wide use of them and they may acquire
critical roles in processes.

Inbuilt audit tools:
• Trace precedents: shows what cells are used in the formula
• Trace dependents: shows where a cell is used
• Trace errors: shows where the error in the formula is
• Green triangles: show where what we are doing is not consistent or where we may be missing
data

Inbuilt audit tools only check the formula and data ranges, so they do not detect logic errors.
We may need to manually calculate the result and test using extreme and out-of-range values. These
checks should be done by an independent person.
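Added example (not from the notes): a small formula-dependency tracer that reproduces trace precedents and trace dependents on a constructed workbook fragment, and additionally flags circular references and hardcoded numbers inside formulas (the "don't hardcode" rule). The cell contents are made up and only simple A1-style references are parsed.

```python
import re

# A1-style references; the $ markers of absolute/mixed references are ignored.
CELL_REF = re.compile(r"\$?([A-Z]{1,2})\$?(\d+)")
# A numeric literal not glued to a cell reference (so the 2 in B2 is not matched).
NUMBER = re.compile(r"(?<![A-Z0-9.$])\d+(?:\.\d+)?")

def precedents(formulas, cell):
    """Cells referenced directly by the formula in `cell` (trace precedents)."""
    f = formulas.get(cell, "")
    if not f.startswith("="):
        return set()
    return {col + row for col, row in CELL_REF.findall(f)}

def dependents(formulas, cell):
    """Cells whose formulas refer directly to `cell` (trace dependents)."""
    return {c for c in formulas if cell in precedents(formulas, c)}

def trace_all(formulas, cell, direction):
    """Transitive closure in either direction: "precedents" or "dependents"."""
    step = precedents if direction == "precedents" else dependents
    seen, stack = set(), [cell]
    while stack:
        cur = stack.pop()
        for nxt in step(formulas, cur):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def circular_references(formulas):
    """A cell is circular when it appears among its own transitive precedents."""
    return sorted(c for c in formulas if c in trace_all(formulas, c, "precedents"))

def hardcoded_numbers(formulas):
    """Formulas that embed a literal number instead of referencing an input cell."""
    return {c: NUMBER.findall(f) for c, f in formulas.items()
            if f.startswith("=") and NUMBER.findall(f)}

MODEL = {   # constructed workbook fragment: inputs in column B, calculations in C and D
    "B1": "100",          # units sold (input)
    "B2": "25",           # unit price (input)
    "C1": "=B1*B2",       # revenue
    "C2": "=C1*0.1",      # tax, with a hardcoded rate (bad practice)
    "D1": "=C1-C2",       # profit
    "D2": "=D1+D3",       # circular: D2 -> D3 -> D2
    "D3": "=D2*2",
}
```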
