Solution Manual For Accounting Information Systems 11th Edition Gelinas

The passage discusses controls for accounting information systems and how enterprise risk management can help decide which controls to implement. Segregation of duties is one important control discussed.

Issues that could be discussed include considering the costs and benefits of controls, using ERM to determine return on investment of controls, focusing on risk management through security measures, and ensuring security measures address business requirements.

With three employees (A, B, C), employee A authorizes payments, employee B makes payments and safeguards assets, and employee C records payments. The bank statement is also sent directly to employee A for reconciliation.


SOLUTIONS FOR CHAPTER 8

Discussion Questions
DQ 8-1 “The Enterprise Risk Management (ERM) framework introduced in Chapter 7
can be used by management to make decisions on which controls in this chapter
should be implemented.” Do you agree? Discuss fully.
ANS. Several issues might be included in an answer to this question. Here are some of
those issues:

• The quote implies that not all controls need to be implemented. Perhaps the
costs and benefits of controls should be considered.
• Using the ERM framework provides an alternative for cases where the
benefits, or return on investment, might be difficult to determine. Using the
ERM framework will focus attention on management of risk by employing certain
control techniques and security measures.
• Security measures might be implemented on the basis of the probability of
loss or disruption (i.e., risk assessment).
• Security measures should be directed at information assets that must be
protected to help achieve objectives (and strategies).
• Security measures must address business requirements. Information security is
a business problem.

DQ 8-2 “In small companies with few employees, it is virtually impossible to implement
the segregation of duties control plan.” Do you agree? Discuss fully.
ANS. Obviously, whether one agrees or disagrees with the statement depends on how
few “few” employees actually are. (47 percent of all U.S. employers have fewer
than five workers. Source: Jim Hopkins, “How Small Firms Lock Data Down,”
USA Today, July 19, 2006, p. 6B.) Ideally, to maximize segregation of duties, the
four events-processing functions would reside in four separate individuals.
However, the plan can be implemented with as few as three employees, as follows
(the employees are called A, B, and C in the following example, and a cash
payment is used as an illustrative transaction):

Function Number   Function Description                           Performed by Employee
1                 Authorize the cash payment.                    A*
2                 Execute (make) the cash payment.               B
3                 Record the cash payment.                       C
4                 Safeguard the cash asset (i.e., have custody   B**
                  of blank checks).

© 2018 Cengage®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except
for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or
school-approved learning management system for classroom use.

Notes:
* Employee A might very well be the sole proprietor of the organization or hold an equivalent
supervisory position.

** To compensate for the fact that functions 2 and 4 both reside in employee B, the monthly bank
statement is mailed by the bank directly to employee A, who prepares the independent bank
reconciliation. In the chapter, we discussed such an alternative under the rubric of compensatory
controls.

Assuming that employee A is the sole proprietor, we could even collapse the four
functions into two employees by having A perform functions 1 and 3 and having
B perform functions 2 and 4. But note that if we do that, we are really substituting
a personnel control plan (i.e., trust in employee B’s honesty) for a segregation of
duties control plan.
DQ 8-3 “No matter how sophisticated a system of internal control is, its success
ultimately requires that you place your trust in certain key personnel.” Do you
agree? Discuss fully.
ANS. Yes and no. We say no because we believe that a control system should monitor
the quantity, quality, and legitimacy of each employee’s work. Procedures should
be in place, therefore, to make sure that each employee performs his/her duties as
planned. We say yes because many control procedures are performed by an
organization’s employees and we must assume that control procedures will be
performed as prescribed. That assumption is invalidated when employees
conspire—collude—to bypass control procedures. We do have to trust that key
personnel will not collude to bypass prescribed procedures.
DQ 8-4 “If personnel hiring is done correctly, the other personnel control plans are not
needed.” Do you agree? Discuss fully.

ANS. Emphatically no. While sound hiring practices are a crucial personnel policy,
employees can change over time. An employee’s need for ongoing training might
not be addressed (a personnel development control plan), or they may become
disgruntled due to lack of advancement or appropriate raises (retention control
plans). Outside factors, such as a change in the employee’s personal life, might
cause a change in the employee’s work attitude or behavior. These changes should
be noticed during performance evaluations (personnel development control plan)
or supervision (personnel management control plan). Further, while hiring good
people is important to a company, keeping good people (e.g., preventing turnover
of trained employees) is equally important. This is addressed with use of
appropriate development and retention control plans.

DQ 8-5 “Monitoring must be performed by an independent function such as a CPA.” Do
you agree? Discuss fully.
ANS. All internal controls need to be reviewed periodically to determine that they
continue to function effectively and efficiently. This review may be one of three
types:
First, the business process owner or IS organization may perform a so-called
control self-assessment. The benefits of this approach include acceptance on the
part of these entities of the ownership of the internal controls and development of
an appreciation for how control systems can help entities achieve their objectives.
Second, an entity’s internal audit function may add objectivity to the monitoring
operation. If organizationally independent of the units being reviewed, the internal
auditor can also provide an independent assessment.
Third, a function independent of the entity, such as a CPA or consultant, can
provide an objective and independent monitoring function to complement the self-
assessments and internal audits.
DQ 8-6 A key control concern described in Table 8.2 regarding the
systems development manager is that “systems development can develop and
implement systems without management approval.” Discuss a control described
in this chapter that reduces the risk that unauthorized systems will be
implemented.
ANS. Program change controls address this risk. As depicted in Figure 8.6,
any new or revised programs must go through three sets of hands:
First, a programmer must write or revise a program. Then the new or revised
program must be tested, typically by Quality Assurance with input from the
business process owner. Finally, management, including the business process
owner, must give their approval before the new/revised program can be put into
production. Collusion between two or more of these individuals could circumvent
this control. But an audit trail of changes to production programs would allow the
eventual detection of any unauthorized program changes.
DQ 8-7 Debate the following point: “Business continuity planning is really an IT issue.”
ANS. Yes. IT needs to ensure the continued operation of IT, one of the organization’s
major resources.
No. Management and IT users are responsible for planning, and in many ways
implementing, the business continuity plan. This plan will include, in addition to
plans for IT, plans for the continued availability of people, documents, offices,
communications, and so on. It is, after all, a business continuity plan, not an IT
continuity plan.


DQ 8-8 “Contracting for a hot site is too cost-prohibitive except in the rarest of
circumstances. Therefore, the vast majority of companies should think in terms of
providing for a cold site at most.” Discuss fully.
ANS. The key discussion point in this question should be the trade-off between timely
recovery of critical business functions on the one hand and the cost of providing
the backup facilities on the other. As mentioned in the chapter, in some industries,
such as the airline industry’s reservation system, near-immediate recovery is a
must. In that situation, the remedy is even more expensive than contracting for a
backup hot site; the airline itself owns and maintains duplicate processing
facilities.
Therefore, the quotation must be discussed in relative, rather than absolute, terms.
For some companies (or some applications within a company), a cold site
recovery strategy would be adequate or more than adequate. For other companies
or applications, more immediate recovery is required because the exposures of a
serious business disruption carry a cost that exceeds the cost of providing the
backup facility.
The solution to this question is strengthened if one emphasizes the importance of
risk analysis in developing the contingency plan.
DQ 8-9 “Preventing the unauthorized disclosure and loss of data has become almost
impossible. Employees and others can use iPods, flash drives, cameras, and
PDAs, such as iPhones, to download data and remove it from an organization’s
premises.” Do you agree? Describe some controls from this chapter that might be
applied to reduce the risk of data disclosure and loss for these devices.
ANS. These devices can certainly be used to circumvent physical access controls and
logical access controls, such as physically restricting access to a computer facility,
library controls, and access control software with identification and authentication
techniques. However, some controls that might be used to reduce the risks of
disclosure and loss include the following:

• Implement portable device policies and education programs for employees.
• Encrypt flash drives to protect data in the event that the device is lost.
• Dismiss employees violating portable device policies.
• Some organizations have gone to the extreme of limiting their network’s
capability to write to portable storage devices.

DQ 8-10 Your boss was heard to say, “If we implemented every control plan discussed in
this chapter, we’d never get any work done around here.” Do you agree? Discuss
fully.
ANS. Yes and no. In rebutting your boss’s statement, you could point out at least two
things:


1. The authors never intended that the plans be applied to all situations in all
companies. Some are appropriate for some environments, whereas others are
geared to different environments. Although the four broad categories of
control plans should be considered by all organizations, the specific plans
within those categories must be tailored to each particular organization. For
example:
• Many of the plans presented in the chapter relate to computerized
operations. Naturally, they would not be appropriate for manual systems.
• Several of the specific control plans were discussed in the context of an
information systems organization such as that depicted in
Figure 8.2. Many of those plans would not be suitable
for organizations whose ISs were organized differently (e.g., a
decentralized organization with IS functions located throughout the
organization).
2. The authors recognize that some plans simply cannot be employed in some
situations because it is impossible or impractical to do so. For instance, as
discussed in the chapter, smaller companies may not have the personnel to
fully implement the segregation of duties control plan. In that case, they have
to consider alternative, compensatory controls, such as greater care in their
selection and hiring procedures and closer managerial supervision of their
personnel.
On the other hand, your boss is right on the money if his or her remark was
intended to identify the following interdependent issues:
1. Assessing risks before deciding on which controls to implement: Recall from
Chapter 7 that Enterprise Risk Management describes a
process for identifying and responding to risks. For example, some
organizations, by the very nature of their businesses, are simply more
vulnerable or susceptible to loss or injury than other organizations. Naturally,
they should consider instituting tighter controls than would those subject to
less risk.
2. Control redundancy: As discussed in Chapter 7, situations
can exist where multiple plans are directed at the same control goal, in which
case, the organization could suffer from control overkill. For instance, this
chapter discusses many different backup and recovery strategies. No single
entity would ever contemplate using all of these strategies; doing so is
impractical, unnecessary, and cost-prohibitive.
Also, because over-control has the potential to encourage unwanted, negative
behavioral reactions, it often can be as injurious to an organization as can
under-control. Employees may rebel at controls that they perceive as unduly
constraining or distasteful. Their rebellion might well manifest itself in petty
acts of fraud, thievery, or other forms of covert and overt resistance.


3. Balancing effectiveness and efficiency: This topic was also mentioned in
Chapter 7, when the authors talked about controls being
built in rather than built on. Controls impose some overhead on a firm.
Therefore, management must attempt to integrate the control system as
seamlessly as possible with the work system so that normal operations are not
unduly burdened or impeded.
4. Cost/benefit analysis: Closely related to the previous three issues is
management’s evaluation of the costs and benefits associated with any control
plans being contemplated. Control plans cost money. Therefore, to justify the
expenditure of resources, management should be convinced that the benefit to
be derived will exceed the cost involved. Calculations such as residual
expected risk can help in making a determination that enough controls have
been put in place.

DQ 8-11 For each of these control plans, suggest a monitoring activity:

a. Credit approval
ANS. The CFO reviews a list of new customers for the last month and the supporting
documentation used to approve credit.

b. Removal of terminated employee access to computer system


ANS. The Chief Information Officer compares a list of employees terminated in the last
month (supplied by Human Resources) with a list of access level changes
(supplied by the security manager).

c. New employee background check


ANS. Each employee’s manager compares the applications of newly hired employees
under their supervision for the last month with the supporting documentation of
the reference checks.
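
The comparison in item b can be automated. The following is an added example, not part of the solution manual: it reconciles an HR termination list against an access-change log and reports exceptions for review. The CSV column names, the REVOKE_ALL change type, the one-day grace period and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data. Column names and change types are assumptions,
# not a format defined by the textbook or any particular HR/IAM product.
HR_TERMINATIONS = """employee_id,name,termination_date
E1001,Ana Ruiz,2024-03-04
E1002,Ben Cole,2024-03-11
E1003,Chloe Park,2024-03-18
E1004,Dev Shah,2024-03-25
"""

ACCESS_CHANGES = """employee_id,change,effective_date
e1001,REVOKE_ALL,2024-03-04
E1002,REVOKE_ALL,2024-03-20
E1003,ROLE_CHANGE,2024-03-18
E1005,REVOKE_ALL,2024-03-09
"""

# Assumed policy: access must be revoked within one day of termination.
GRACE = timedelta(days=1)


def _rows(text):
    """Parse CSV text into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, access_csv, grace=GRACE):
    """Return exceptions as (employee_id, finding, detail) tuples."""
    # Earliest full revocation per employee; IDs are normalized because the
    # two lists come from different systems and may differ in case.
    revoked = {}
    for row in _rows(access_csv):
        if row["change"].strip().upper() != "REVOKE_ALL":
            continue  # a role change is not a removal of access
        emp = row["employee_id"].strip().upper()
        when = date.fromisoformat(row["effective_date"].strip())
        if emp not in revoked or when < revoked[emp]:
            revoked[emp] = when

    findings = []
    terminated = set()
    for row in _rows(hr_csv):
        emp = row["employee_id"].strip().upper()
        terminated.add(emp)
        term = date.fromisoformat(row["termination_date"].strip())
        if emp not in revoked:
            findings.append((emp, "NO_REVOCATION",
                             f"terminated {term}, no full revocation logged"))
        elif revoked[emp] - term > grace:
            late = (revoked[emp] - term).days
            findings.append((emp, "LATE_REVOCATION",
                             f"revoked {late} days after termination"))

    # Revocations with no matching HR record: either the HR list is
    # incomplete or access was removed for another reason. Both merit a look.
    for emp in sorted(set(revoked) - terminated):
        findings.append((emp, "UNMATCHED_REVOCATION",
                         f"revoked {revoked[emp]}, not on HR termination list"))
    return findings


if __name__ == "__main__":
    for emp, finding, detail in reconcile(HR_TERMINATIONS, ACCESS_CHANGES):
        print(f"{emp}  {finding:<22} {detail}")
```
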

Short Problems
SP 8-1 ANS.

Control Situation Control Plan


1. A

2. D


3. E

4. C

5. B

SP 8-2 ANS.

Control Situation Control Plan


1. F

2. B

3. A

4. E

5. D

SP 8-3 ANS.
1. CAEMWLVGPE, A becomes C by adding 2, C becomes A by subtracting 2, C
becomes E by adding 2, O becomes M by subtracting 2, and so on.
2. Answers will vary depending on professor name.

SP 8-4 ANS. Student answers will vary. At a minimum, each answer should include: (1) a brief
description of the case, including the IT involved; (2) the pervasive controls that
failed; (3) how the pervasive controls failed; (4) lower-level controls affected; and
(5) sources.

SP 8-5 ANS. Student answers will vary. At a minimum, each answer should include: (1) a brief
description of the policy; (2) an explanation of how the policy enhances pervasive
controls; (3) whether the student thinks the policy is reasonable; and (4) sources.

SP 8-6 ANS. Student answers will vary. At a minimum, each answer should include five
answers with a COBIT 5 process number and a control plan from the chapter.

Problems
P 8-1 ANS.


Note: This problem and solution were adopted from Thomas Wailgum, “Security: 50-Cent
Holes,” CIO Magazine, October 15, 2005.

A. The personal information can be used to perpetrate identity theft. Releasing the data
may violate privacy laws and regulations. To prevent this problem, train employees and
customers on how to recognize and respond to phishing and other related attacks. Install
systems to screen out suspicious e-mails.
B. The default password can be used by hackers to gain access to her network and intercept
her transmissions. The data accessed in this manner can be used for a variety of
fraudulent activities or to create a competitive advantage. To prevent this problem,
employees need to be trained on how to set up and secure (passwords, firewall,
antivirus, and so on) a wireless network. Perhaps the organization can provide
assistance to employees to ensure their proper installation.
C. The use of the consumer-grade IM precludes the organization from enforcing virus,
spam, and regulatory compliance. Also, the user can take their IM name, and therefore
their customers, with them when they leave the organization. To prevent these problems,
organizations should establish policies for acceptable use of IM. Organizations can also
deploy security functions such as blocking file transfers or mapping IM names to
identifiers (e.g., user IDs) assigned by the organization. Or the organization can replace
the consumer-grade IM with an enterprise-grade system.
D. The information on the laptop can be used to perpetrate identity theft. Releasing the
data may violate privacy laws and regulations. To prevent this problem, management
should perform risk assessment to determine what data must be protected and then
implement security policies based on that assessment. Security protection may include
password protection, encrypted data, and biometric access.
E. A hacker, or any individual for that matter, could use the passwords to access computer
systems and cause many kinds of problems. To prevent this problem, establish an
organization-wide policy prohibiting the creation and storage of electronic files listing
passwords. Educate employees as to the importance of this policy, and enforce the
policy by taking disciplinary action against those violating the policy (assumes that
network files are scanned on a regular basis, looking for files that violate the policy).
Management might consider implementing single sign-on systems to reduce the number
of passwords that individuals must create and remember.
F. The information on the backup disks can be used to perpetrate identity theft and execute
fraudulent credit card charges. Releasing the data may violate privacy laws and
regulations and subject the company to financial loss as it indemnifies customers for
any losses. To prevent this problem, the credit card company should send the data
encrypted and electronically.
G. Such e-mails would violate privacy laws and regulations and cause embarrassment to
the senders and recipients of the messages. To prevent this problem, establish an
organization-wide policy that explicitly states what can and cannot be sent via e-mail or
instant messaging. Educate employees as to the importance of this policy, and enforce
the policy by taking disciplinary action against those violating the policy. Management
might consider scanning messages for violation of the policy. For example, systems can
scan for messages with 16-digit numbers (i.e., credit card numbers).
H. The account information can be used to steal funds from the individuals’ accounts and
to perpetrate identity theft. To prevent this problem, establish an organization-wide
policy specifying who can access what information, how they can access it, and how
often. Then implement the policy through library controls and access control software to
limit employee access to data. An employee education program about the importance of
this policy should be conducted.
I. The credit card data can be used to perpetrate identity theft and execute fraudulent
credit card charges. Releasing the data may violate privacy laws and regulations and
subject the company to financial loss as it indemnifies customers for any losses. To
prevent this problem, the organization needs to implement policies and procedures, such
as firewalls, access control software, and other access controls, to limit access to data to
authorized users for authorized purposes.
J. The business-related e-mails could find their way into competitors’ hands and be used to
gain a competitive advantage. Some data may be sensitive or subject to privacy laws
and regulations. Organizations should establish and enforce policies related to the use
and return of laptops, cell phones, and other information devices. Assuming that this
individual has left the organization, a personnel termination procedure should include
handing in the cell phone.
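
Item G mentions scanning messages for 16-digit numbers. The code below is an added example, not part of the solution manual: it finds 16-digit runs (with optional spaces or hyphens between digits) and applies the Luhn checksum so that order references and similar numbers are not reported as card numbers, and it returns only masked values. The sample messages are constructed and use well-known test card numbers.

```python
import re

# Sixteen digits, each optionally followed by one space or hyphen, and not
# embedded in a longer unbroken run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

# Constructed sample messages for illustration.
SAMPLE_MESSAGES = [
    "Customer card 4111 1111 1111 1111 exp 09/27, please process",
    "Order ref 1234567890123456 shipped this morning",
    "pls charge 5500-0000-0000-0004 today",
    "Tracking 41111111111111112222 is delayed",
]


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return masked card-number candidates found in one message."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            # Keep only the last four digits so the scanner's own output
            # does not become a second copy of the card number.
            hits.append("*" * 12 + digits[-4:])
    return hits


def scan_messages(messages):
    """Return (message_index, masked_number) for every hit."""
    return [(i, hit) for i, msg in enumerate(messages) for hit in scan_text(msg)]


if __name__ == "__main__":
    for index, masked in scan_messages(SAMPLE_MESSAGES):
        print(f"message {index}: possible card number {masked}")
```
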

P 8-2 ANS.
Item   Answer      Item   Answer
1.     P           11.    P&D
2.     P           12.    P&C
3.     P           13.    P&D
4.     C           14.    P
5.     C           15.    P&D
6.     C           16.    P
7.     P&C         17.    C
8.     P           18.    P
9.     P&D         19.    P&D
10.    P           20.    P&D

Note: We have offered multiple possibilities for answers to some of the preceding
items:

• Item 1: Library controls will manage access to programs and data and thus
prevent unauthorized access. These controls also log all uses of programs and
data and thus can detect any unauthorized uses that may take place.
• Item 7: The service level agreement may provide for a minimum level of
service, may prevent service disruptions, may have sanctions for
nonperformance, and may be a corrective control.

• Item 9: A security officer may prevent intruders as well as detect intruders
after they have gained access.
• Items 11, 13, and 15: These may encourage personnel to perform their jobs
well (or discourage bad behavior) or provide a means to detect poor
performance and bad behavior.
• Item 19: May prevent unauthorized personnel from gaining access to a
computer system or detect attempts to gain unauthorized access.
• Item 20: May prevent poor personnel performance by ensuring that employees
are trained to perform their jobs or may detect poor performance through
ongoing evaluation.

P 8-3 ANS.

Control Situation Control Plan


1. H
2. F
3. B
4. G
5. C
6. J
7. I
8. M
9. K
10. E

P 8-4 ANS.

Option   Manager   Matthew   Mark
1        No        No        No
2        No        Yes       No
3        Yes       No        No
4        No        No        Yes
5        No        No        No
6        Yes       Yes       Yes
7        Yes       Yes       Yes

Explanation:

Option 1, vendor data maintenance, should be performed by the purchasing office. By doing so,
we separate authorization to engage in business with a particular vendor from the approval to
create accounts payable records and to disburse payments.
Menu options 2, 3, and 4 could be segregated among the three accounts payable personnel. One
clerk records invoices, one clerk selects invoices for payment, and the manager makes required
adjustments. This authorization pattern prevents any one person from entering and paying (or
otherwise eliminating) a vendor invoice.
Option 5, check printing, should be reserved for the treasurer’s office.
Option 7, accounts payable reports, should be available to all three accounts payable personnel.
This read-only option provides information necessary for each person to perform his or her
functions.
P 8-5 ANS.
Employee Function
Grant 1, 6, 7
Jordyn 2, 3, 10
James 4, 5, 8, 9

Comment: The preceding solution represents but one of many possible solutions.
Our primary goal in solving this problem should be to segregate the handling of
cash from the recording of the cash-related transactions. This solution segregates
duties as follows:
a. Grant performs cashier (i.e., treasurer) functions, such as receiving the checks
from the customers (function 1), depositing checks in the bank (function 6),
and signing and mailing checks to vendors (function 7).
b. Jordyn performs accounting (i.e., controller) functions, such as approving
vendor invoices for payment (function 2) and approving credit memos
(function 3). This employee also reconciles the bank account (function 10).
The bank reconciliation safeguards the cash, for example, by comparing the
checks deposited by Grant to the customer payments recorded by James. We
prefer to have a fourth person, independent of the treasurer and controller
functions, to reconcile the bank account.
c. James is a clerk who performs all record-keeping (i.e., controller) functions
(4, 5, 8, 9).

P 8-6 ANS.

1. Controls related to the control environment
   H  Establishment of a code of conduct
   O  Use of control frameworks such as COBIT and COSO
2. Controls over management override
   K  Segregation of duties
   N  Supervision
3. The company’s risk assessment process
   G  Development of a business interruption plan
   C  A report on IT risks and a risk action plan
4. Centralized processing and controls, including shared service environments
   E  A systems development life cycle methodology (SDLC)
   J  Program change controls
5. Controls to monitor the results of operations
   F  Budgetary controls
   M  Service level agreements and reporting processes
6. Controls to monitor other controls, including activities of the internal
   audit function, the audit committee and self-assessment programs
   B  A report of all employees not taking required vacation days
   A  A file of signed code of conduct letters
7. Controls over the period-end financial reporting process
   I  Not covered
8. Policies that address significant business control and risk management
   practices
   D  Access control software
   L  Selection and hiring control plans

P 8-7 ANS.
1. Access Control Officer: The control concern for the access control officer is
that users can enter or modify data improperly, leading to fraud. Use of
access control software is the method used to avoid this risk.
2. Chief Information Officer (CIO): The Strategic IT Plan sets the long-term
agenda for the IS organization. When synchronized with the organization’s
strategic plan, the Strategic IT Plan (along with the IT steering committee)
directs IS resources toward the achievement of the organization’s mission.
3. Structural Security/Disaster Recovery Manager: Risks include that hardware,
software, or data are compromised or that a disaster occurs and the firm goes
out of business. A key control plan is a BCP. Business continuity planning can
help an organization recover quickly from natural disasters such as hurricanes
and losses of data and computing resources such as those perpetrated by
hackers.
4. Testing Quality assurance: Prevent risks such as a new system that does not
operate properly or that lacks documentation. Development of a test plan will
help ameliorate this risk.
5. Database administration (DBA): The database administrator must protect
against risks such as data not available or data that does not meet company
needs. An entity relationship diagram of the database will help show the data
and the data relationships.
P 8-8 ANS. Student answers will vary. At a minimum, each answer should include: (1) a
description of the incident(s), with background; (2) how long the site(s) were not
available; (3) how they came to be out of service; (4) which controls would have
prevented, detected, or corrected the outages; and (5) sources.
P 8-9 ANS. Student answers will vary. At a minimum, each answer should include: (1) a
description of the incident(s), with background; (2) how long the site(s) were not
available; (3) how they came to be out of service; (4) which controls would have
prevented, detected, or corrected the attacks/outages; and (5) sources.
