Solution Manual For Accounting Information Systems 11th Edition Gelinas
Discussion Questions
DQ 8-1 “The Enterprise Risk Management (ERM) framework introduced in Chapter 7
can be used by management to make decisions on which controls in this chapter
should be implemented.” Do you agree? Discuss fully.
ANS. Several issues might be included in an answer to this question. Here are some of
those issues:
• The quote implies that not all controls need to be implemented. Perhaps the
costs and benefits of controls should be considered.
• Using the ERM framework provides an alternative whereby the benefits, or
return on investment, might be difficult to determine. Using the ERM
framework will focus attention on management of risk by employing certain
control techniques and security measures.
• Security measures might be implemented on the basis of the probability of
loss or disruption (i.e., risk assessment).
• Security measures should be directed at information assets that must be
protected to help achieve objectives (and strategies).
• Security measures must address business requirements. Information security is
a business problem.
DQ 8-2 “In small companies with few employees, it is virtually impossible to implement
the segregation of duties control plan.” Do you agree? Discuss fully.
ANS. Obviously, whether one agrees or disagrees with the statement depends on how
few “few” employees actually are. (47 percent of all U.S. employers have fewer
than five workers. Source: Jim Hopkins, “How Small Firms Lock Data Down,”
USA Today, July 19, 2006, p. 6B.) Ideally, to maximize segregation of duties, the
four events-processing functions would reside in four separate individuals.
However, the plan can be implemented with as few as three employees, as follows
(the employees are called A, B, and C in the following example, and a cash
payment is used as an illustrative transaction):
© 2018 Cengage®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except
for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or
school-approved learning management system for classroom use.
Notes:
* Employee A might very well be the sole proprietor of the organization or hold an equivalent
supervisory position.
** To compensate for the fact that functions 2 and 4 both reside in employee B, the monthly bank
statement is mailed by the bank directly to employee A, who prepares the independent bank
reconciliation. In the chapter, we discussed such an alternative under the rubric of compensatory
controls.
Assuming that employee A is the sole proprietor, we could even collapse the four
functions into two employees by having A perform functions 1 and 3 and having
B perform functions 2 and 4. But note that if we do that, we are really substituting
a personnel control plan (i.e., trust in employee B’s honesty) for a segregation of
duties control plan.
DQ 8-3 “No matter how sophisticated a system of internal control is, its success
ultimately requires that you place your trust in certain key personnel.” Do you
agree? Discuss fully.
ANS. Yes and no. We say no because we believe that a control system should monitor
the quantity, quality, and legitimacy of each employee’s work. Procedures should
be in place, therefore, to make sure that each employee performs his/her duties as
planned. We say yes because many control procedures are performed by an
organization’s employees and we must assume that control procedures will be
performed as prescribed. That assumption is invalidated when employees
conspire—collude—to bypass control procedures. We do have to trust that key
personnel will not collude to bypass prescribed procedures.
DQ 8-4 “If personnel hiring is done correctly, the other personnel control plans are not
needed.” Do you agree? Discuss fully.
ANS. Emphatically no. While sound hiring practices are a crucial personnel policy,
employees can change over time. An employee’s need for ongoing training might
not be addressed (a personnel development control plan), or they may become
disgruntled due to lack of advancement or appropriate raises (retention control
plans). Outside factors, such as a change in the employee’s personal life, might
cause a change in the employee’s work attitude or behavior. These changes should
be noticed during performance evaluations (personnel development control plan)
or supervision (personnel management control plan). Further, while hiring good
people is important to a company, keeping good people (e.g., preventing turnover
of trained employees) is equally important. This is addressed with use of
appropriate development and retention control plans.
DQ 8-8 “Contracting for a hot site is too cost-prohibitive except in the rarest of
circumstances. Therefore, the vast majority of companies should think in terms of
providing for a cold site at most.” Discuss fully.
ANS. The key discussion point in this question should be the trade-off between timely
recovery of critical business functions on the one hand and the cost of providing
the backup facilities on the other. As mentioned in the chapter, in some industries,
such as the airline industry’s reservation system, near-immediate recovery is a
must. In that situation, the remedy is even more expensive than contracting for a
backup hot site; the airline itself owns and maintains duplicate processing
facilities.
Therefore, the quotation must be discussed in relative, rather than absolute, terms.
For some companies (or some applications within a company), a cold site
recovery strategy would be adequate or more than adequate. For other companies
or applications, more immediate recovery is required because the exposures of a
serious business disruption carry a cost that exceeds the cost of providing the
backup facility.
The solution to this question is strengthened if one emphasizes the importance of
risk analysis in developing the contingency plan.
DQ 8-9 “Preventing the unauthorized disclosure and loss of data has become almost
impossible. Employees and others can use iPods, flash drives, cameras, and
PDAs, such as iPhones, to download data and remove it from an organization’s
premises.” Do you agree? Describe some controls from this chapter that might be
applied to reduce the risk of data disclosure and loss for these devices.
ANS. These devices can certainly be used to circumvent physical access controls and
logical access controls, such as physically restricting access to a computer facility,
library controls, and access control software with identification and authentication
techniques. However, some controls that might be used to reduce the risks of
disclosure and loss include the following:
DQ 8-10 Your boss was heard to say, “If we implemented every control plan discussed in
this chapter, we’d never get any work done around here.” Do you agree? Discuss
fully.
ANS. Yes and no. In rebutting your boss’s statement, you could point out at least two
things:
1. The authors never intended that the plans be applied to all situations in all
companies. Some are appropriate for some environments, whereas others are
geared to different environments. Although the four broad categories of
control plans should be considered by all organizations, the specific plans
within those categories must be tailored to each particular organization. For
example:
• Many of the plans presented in the chapter relate to computerized
operations. Naturally, they would not be appropriate for manual systems.
• Several of the specific control plans were discussed in the context of an
information systems organization such as that depicted in Figure 8.2. Many
of those plans would not be suitable for organizations whose ISs were
organized differently (e.g., a decentralized organization with IS functions
located throughout the organization).
2. The authors recognize that some plans simply cannot be employed in some
situations because it is impossible or impractical to do so. For instance, as
discussed in the chapter, smaller companies may not have the personnel to
fully implement the segregation of duties control plan. In that case, they have
to consider alternative, compensatory controls, such as greater care in their
selection and hiring procedures and closer managerial supervision of their
personnel.
On the other hand, your boss is right on the money if his or her remark was
intended to identify the following interdependent issues:
1. Assessing risks before deciding on which controls to implement: Recall from
Chapter 7 that Enterprise Risk Management describes a
process for identifying and responding to risks. For example, some
organizations, by the very nature of their businesses, are simply more
vulnerable or susceptible to loss or injury than other organizations. Naturally,
they should consider instituting tighter controls than would those subject to
less risk.
2. Control redundancy: As discussed in Chapter 7, situations
can exist where multiple plans are directed at the same control goal, in which
case, the organization could suffer from control overkill. For instance, this
chapter discusses many different backup and recovery strategies. No single
entity would ever contemplate using all of these strategies; doing so is
impractical, unnecessary, and cost-prohibitive.
Also, because over-control has the potential to encourage unwanted, negative
behavioral reactions, it often can be as injurious to an organization as can
under-control. Employees may rebel at controls that they perceive as unduly
constraining or distasteful. Their rebellion might well manifest itself in petty
acts of fraud, thievery, or other forms of covert and overt resistance.
a. Credit approval
ANS. The CFO reviews a list of new customers for the last month and the supporting
documentation used to approve credit.
Short Problems
SP 8-1 ANS.
2. D
3. E
4. C
5. B
SP 8-2 ANS.
2. B
3. A
4. E
5. D
SP 8-3 ANS.
1. CAEMWLVGPE, A becomes C by adding 2, C becomes A by subtracting 2, C
becomes E by adding 2, O becomes M by subtracting 2, and so on.
2. Answers will vary depending on professor name.
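The cipher in SP 8-3 is a Caesar-style substitution in which consecutive letters are shifted alternately by +2 and -2. The Python block below is an added example, not part of the solution manual: it implements that alternating shift with wrap-around at the end of the alphabet, reverses it, and tries every possible shift against a word list to show how small the key space is (25 keys, because a shift of s that starts in the negative direction is the same key as 26-s starting in the positive direction). Decrypting the answer-key string CAEMWLVGPE with shift 2 yields ACCOUNTING; the function and variable names are my own.

```python
import string

ALPHABET = string.ascii_uppercase


def alternating_shift(text: str, shift: int = 2, decrypt: bool = False) -> str:
    """Shift letters alternately by +shift and -shift, starting with +shift.

    Decrypting simply reverses the sign of every step. Letters wrap around
    the alphabet (Y + 2 -> A); non-letters pass through unchanged and do not
    consume a position in the alternation.
    """
    out = []
    sign = 1
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        step = sign * shift
        if decrypt:
            step = -step
        out.append(ALPHABET[(ALPHABET.index(ch) + step) % 26])
        sign = -sign  # the next letter moves the other way
    return "".join(out)


def encrypt(plaintext: str, shift: int = 2) -> str:
    return alternating_shift(plaintext, shift)


def decrypt(ciphertext: str, shift: int = 2) -> str:
    return alternating_shift(ciphertext, shift, decrypt=True)


def brute_force(ciphertext: str, dictionary: set[str]) -> list[tuple[int, str]]:
    """Try every shift 1..25 and return the (shift, plaintext) pairs found in dictionary.

    A shift of s starting with -s is the same key as 26-s starting with +s,
    so 25 trial decryptions cover the whole key space.
    """
    hits = []
    for s in range(1, 26):
        candidate = decrypt(ciphertext, s)
        if candidate in dictionary:
            hits.append((s, candidate))
    return hits


if __name__ == "__main__":
    print(encrypt("ACCOUNTING"))        # CAEMWLVGPE
    print(decrypt("CAEMWLVGPE"))        # ACCOUNTING
    print(brute_force("CAEMWLVGPE", {"ACCOUNTING"}))  # [(2, 'ACCOUNTING')]
```

The brute-force function is the point of the exercise for a practitioner: a substitution whose whole key space fits in a for loop offers no confidentiality, which is why the chapter's data-protection controls rely on standard encryption rather than schemes like this one.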
SP 8-4 ANS. Student answers will vary. At a minimum, each answer should include: (1) a brief
description of the case, including the IT involved; (2) the pervasive controls that
failed; (3) how the pervasive controls failed; (4) lower-level controls affected; and
(5) sources.
SP 8-5 ANS. Student answers will vary. At a minimum, each answer should include: (1) a brief
description of the policy; (2) an explanation of how the policy enhances pervasive
controls; (3) whether the student thinks the policy is reasonable; and (4) sources.
SP 8-6 ANS. Student answers will vary. At a minimum, each answer should include five
answers with a COBIT 5 process number and a control plan from the chapter.
Problems
P 8-1 ANS.
Note: This problem and solution were adapted from Thomas Wailgum, “Security: 50-Cent
Holes,” CIO Magazine, October 15, 2005.
A. The personal information can be used to perpetrate identity theft. Releasing the data
may violate privacy laws and regulations. To prevent this problem, train employees and
customers on how to recognize and respond to phishing and other related attacks. Install
systems to screen out suspicious e-mails.
B. The default password can be used by hackers to gain access to her network and intercept
her transmissions. The data accessed in this manner can be used for a variety of
fraudulent activities or to create a competitive advantage. To prevent this problem,
employees need to be trained on how to set up and secure (passwords, firewall,
antivirus, and so on) a wireless network. Perhaps the organization can provide
assistance to employees to ensure their proper installation.
C. The use of the consumer-grade IM precludes the organization from enforcing virus
protection, spam filtering, and regulatory compliance. Also, the user can take their IM name, and therefore
their customers, with them when they leave the organization. To prevent these problems,
organizations should establish policies for acceptable use of IM. Organizations can also
deploy security functions such as blocking file transfers or mapping IM names to
identifiers (e.g., user IDs) assigned by the organization. Or the organization can replace
the consumer-grade IM with an enterprise-grade system.
D. The information on the laptop can be used to perpetrate identity theft. Releasing the
data may violate privacy laws and regulations. To prevent this problem, management
should perform risk assessment to determine what data must be protected and then
implement security policies based on that assessment. Security protection may include
password protection, encrypted data, and biometric access.
E. A hacker, or any individual for that matter, could use the passwords to access computer
systems and cause many kinds of problems. To prevent this problem, establish an
organization-wide policy prohibiting the creation and storage of electronic files listing
passwords. Educate employees as to the importance of this policy, and enforce the
policy by taking disciplinary action against those violating the policy (assumes that
network files are scanned on a regular basis, looking for files that violate the policy).
Management might consider implementing single sign-on systems to reduce the number
of passwords that individuals must create and remember.
F. The information on the backup disks can be used to perpetrate identity theft and execute
fraudulent credit card charges. Releasing the data may violate privacy laws and
regulations and subject the company to financial loss as it indemnifies customers for
any losses. To prevent this problem, the credit card company should send the data
encrypted and electronically.
G. Such e-mails would violate privacy laws and regulations and cause embarrassment to
the senders and recipients of the messages. To prevent this problem, establish an
organization-wide policy that explicitly states what can and cannot be sent via e-mail or
instant messaging. Educate employees as to the importance of this policy, and enforce
the policy by taking disciplinary action against those violating the policy. Management
might consider scanning messages for violation of the policy. For example, systems can
scan for messages with 16-digit numbers (i.e., credit card numbers).
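The message-scanning control suggested for item G (looking for 16-digit numbers in outgoing e-mail or IM) can be prototyped in a few lines. The Python block below is an added example, not code from the solution manual: it scans a set of constructed sample messages for 16-digit runs, tolerates the 4-4-4-4 spacing or dashes people type card numbers with (an added generalization of the page's rule), and applies the Luhn check so that a 16-digit tracking number is not reported as a card. The card numbers in the samples are the standard test values issued for payment-system testing; message ids, addresses and function names are my own.

```python
import re

# 16 digits, optionally grouped 4-4-4-4 with spaces or dashes. The page's
# control looks for 16-digit runs; tolerating separators is an added
# generalisation, since card numbers are often typed that way.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the 16-digit candidates in text that also pass the Luhn check."""
    found = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(card: str) -> str:
    """Keep only the first six and last four digits in the finding."""
    return card[:6] + "*" * (len(card) - 10) + card[-4:]


def scan_messages(messages: list[dict]) -> list[dict]:
    """Return one finding per message whose subject or body carries a card number."""
    findings = []
    for msg in messages:
        cards = find_card_numbers(msg["subject"] + "\n" + msg["body"])
        if cards:
            findings.append({"id": msg["id"], "from": msg["from"],
                             "cards": [mask(c) for c in cards]})
    return findings


# Constructed sample messages; the card numbers are public test values, not
# real accounts. m2 carries a 16-digit reference that fails the Luhn check.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alice@example.com", "subject": "customer payment",
     "body": "Please charge 4111 1111 1111 1111 for invoice 1042."},
    {"id": "m2", "from": "bob@example.com", "subject": "shipment",
     "body": "Tracking reference 1234567890123456 left the warehouse."},
    {"id": "m3", "from": "carol@example.com", "subject": "lunch",
     "body": "Meeting moved to 12:30, room 4."},
    {"id": "m4", "from": "dave@example.com", "subject": "card on file",
     "body": "Use 5555-5555-5555-4444, expiry 12/29."},
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

The finding records a masked number rather than the full value so that the scanner's own log does not become a second copy of the data the policy is meant to protect.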
H. The account information can be used to steal funds from the individuals’ accounts and
to perpetrate identity theft. To prevent this problem, establish an organization-wide
policy specifying who can access what information, how they can access it, and how
often. Then implement the policy through library controls and access control software to
limit employee access to data. An employee education program about the importance of
this policy should be conducted.
I. The credit card data can be used to perpetrate identity theft and execute fraudulent
credit card charges. Releasing the data may violate privacy laws and regulations and
subject the company to financial loss as it indemnifies customers for any losses. To
prevent this problem, the organization needs to implement policies and procedures, such
as firewalls, access control software, and other access controls, to limit access to data to
authorized users for authorized purposes.
J. The business-related e-mails could find their way into competitors’ hands and be used to
gain a competitive advantage. Some data may be sensitive or subject to privacy laws
and regulations. Organizations should establish and enforce policies related to the use
and return of laptops, cell phones, and other information devices. Assuming that this
individual has left the organization, a personnel termination procedure should include
handing in the cell phone.
P 8-2 ANS.
1. P       11. P&D
2. P       12. P&C
3. P       13. P&D
4. C       14. P
5. C       15. P&D
6. C       16. P
7. P&C     17. C
8. P       18. P
9. P&D     19. P&D
10. P      20. P&D
Note: We have offered multiple possibilities for answers to some of the preceding
items:
• Item 1: Library controls will manage access to programs and data and thus
prevent unauthorized access. These controls also log all uses of programs and
data and thus can detect any unauthorized uses that may take place.
• Item 7: The service level agreement may provide for a minimum level of
service, may prevent service disruptions, may have sanctions for
nonperformance, and may be a corrective control.
P 8-3 ANS.
P 8-4 ANS.
Explanation:
Option 1, vendor data maintenance, should be performed by the purchasing office. By doing so,
we separate authorization to engage in business with a particular vendor from the approval to
create accounts payable records and to disburse payments.
Menu options 2, 3, and 4 could be segregated among the three accounts payable personnel. One
clerk records invoices, one clerk selects invoices for payment, and the manager makes required
adjustments. This authorization pattern prevents any one person from entering and paying (or
otherwise eliminating) a vendor invoice.
Option 5, check printing, should be reserved for the treasurer’s office.
Option 7, accounts payable reports, should be available to all three accounts payable personnel.
This read-only option provides information necessary for each person to perform his or her
functions.
P 8-5 ANS.
Employee Function
Grant 1, 6, 7
Jordyn 2, 3, 10
James 4, 5, 8, 9
Comment: The preceding solution represents but one of many possible solutions.
Our primary goal in solving this problem should be to segregate the handling of
cash from the recording of the cash-related transactions. This solution segregates
duties as follows:
a. Grant performs cashier (i.e., treasurer) functions, such as receiving the checks
from the customers (function 1), depositing checks in the bank (function 6),
and signing and mailing checks to vendors (function 7).
b. Jordyn performs accounting (i.e., controller) functions, such as approving
vendor invoices for payment (function 2) and approving credit memos
(function 3). This employee also reconciles the bank account (function 10).
The bank reconciliation safeguards the cash, for example, by comparing the
checks deposited by Grant to the customer payments recorded by James. We
prefer to have a fourth person, independent of the treasurer and controller
functions, to reconcile the bank account.
c. James is a clerk who performs all record-keeping (i.e., controller) functions
(4, 5, 8, 9).
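The segregation principle applied in P 8-4 and P 8-5 (keep custody of cash, authorization, and recording apart, and have the bank reconciliation done by someone independent of those duties) can be checked mechanically rather than by eye. The Python block below is an added example, not part of the solution manual. It encodes the ten functions of P 8-5 with the categories the answer assigns to them (functions 4, 5, 8 and 9 carry placeholder names, since the answer identifies them only as record-keeping), a conflict table that is my reading of the answer's reasoning, and a checker that flags any employee holding a conflicting pair. The same checker applies to the accounts payable menu options in P 8-4 once each option is given a category.

```python
from itertools import combinations

# Duty categories. The textbook's goal is to keep custody of cash away from
# recording; authorization and the independent bank reconciliation are the
# other two categories the explanation distinguishes.
CUSTODY, AUTHORIZE, RECORD, RECONCILE = "custody", "authorize", "record", "reconcile"

# Functions 1-10 from P 8-5. Descriptions of 1, 2, 3, 6, 7 and 10 follow the
# answer above; 4, 5, 8 and 9 are identified there only as record-keeping
# duties, so they carry placeholder names here.
FUNCTIONS = {
    1: ("receive checks from customers", CUSTODY),
    2: ("approve vendor invoices for payment", AUTHORIZE),
    3: ("approve credit memos", AUTHORIZE),
    4: ("record-keeping function 4", RECORD),
    5: ("record-keeping function 5", RECORD),
    6: ("deposit checks in the bank", CUSTODY),
    7: ("sign and mail checks to vendors", CUSTODY),
    8: ("record-keeping function 8", RECORD),
    9: ("record-keeping function 9", RECORD),
    10: ("reconcile the bank account", RECONCILE),
}

# Hard conflicts: one person must never hold both categories (assumed rule
# set, derived from the answer's reasoning).
HARD_CONFLICTS = {frozenset({CUSTODY, RECORD}), frozenset({CUSTODY, AUTHORIZE})}
# Soft conflicts: reconciliation is ideally done by someone with no other
# cash-related duty, so these are flagged for review rather than rejected.
SOFT_CONFLICTS = {frozenset({RECONCILE, c}) for c in (CUSTODY, AUTHORIZE, RECORD)}


def check_assignment(assignment: dict[str, list[int]],
                     functions: dict = FUNCTIONS):
    """Return (hard, soft) lists of (employee, function_a, function_b) conflicts."""
    hard, soft = [], []
    for employee, funcs in assignment.items():
        for a, b in combinations(sorted(funcs), 2):
            pair = frozenset({functions[a][1], functions[b][1]})
            if pair in HARD_CONFLICTS:
                hard.append((employee, a, b))
            elif pair in SOFT_CONFLICTS:
                soft.append((employee, a, b))
    return hard, soft


def unassigned(assignment: dict[str, list[int]],
               functions: dict = FUNCTIONS) -> list[int]:
    """Functions nobody holds: a coverage gap rather than a segregation problem."""
    held = {f for funcs in assignment.values() for f in funcs}
    return sorted(set(functions) - held)


# The assignment given in the answer above.
PAGE_SOLUTION = {"Grant": [1, 6, 7], "Jordyn": [2, 3, 10], "James": [4, 5, 8, 9]}

# A constructed bad assignment: Grant both handles cash and keeps part of the books.
BAD_ASSIGNMENT = {"Grant": [1, 4, 6, 7], "Jordyn": [2, 3, 10], "James": [5, 8, 9]}


def report(assignment: dict[str, list[int]]) -> str:
    hard, soft = check_assignment(assignment)
    return "\n".join([f"hard conflicts: {hard}",
                      f"review items: {soft}",
                      f"unassigned: {unassigned(assignment)}"])


if __name__ == "__main__":
    print(report(PAGE_SOLUTION))
    print(report(BAD_ASSIGNMENT))
```

On the page's own assignment the checker finds no hard conflict and two review items, both for Jordyn holding the reconciliation alongside approval duties; that matches the answer's remark that a fourth, independent person would be preferable for function 10.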
P 8-6 ANS.
P 8-7 ANS.
1. Access Control Officer: The control concern for the access control officer is
that users may enter or modify data improperly, leading to fraud. Access
control software is the method used to avoid this risk.
2. Chief Information Officer (CIO): The Strategic IT Plan sets the long-term
agenda for the IS organization. When synchronized with the organization’s
strategic plan, the Strategic IT Plan (along with the IT steering committee)
directs IS resources toward the achievement of the organization’s mission.