Kel 2 Boczko, Tony 2007 Corporate Accounting Information System
Corporate Accounting Information Systems
Tony Boczko
We live in a competitive world dominated almost exclusively by flows of knowledge and information – by
technologies designed not only to sustain but also increase the socio-economic need and desire for more
and more information. This book offers a unique insight into the nature, role and context of
accounting-related information within the competitive business environment, and explores how business
organisations – in particular companies – use a range of theories, practices, and technologies to manage
and control flows of data, information and resources, and maximise the wealth of organisational stakeholders.
Key aims:
• promote an understanding of the role of corporate accounting information systems in the
maintenance, regulation and control of business related resources
• develop an appreciation and understanding of the practical issues and organisation problems
involved in managing contemporary accounting information systems
• promote an understanding of the political contexts of contemporary accounting information systems
• develop a recognition of the importance of information and communication technology in corporate
accounting information systems management, development and design
• promote an understanding of the importance of effective information management and transaction
processing controls in reducing risk, and
• provide a framework for the evaluation of corporate transaction processing cycles, systems and
processes
www.pearson-books.com
Edinburgh Gate
Harlow
Essex CM20 2JE
England
The right of Tony Boczko to be identified as author of this work has been
asserted by him in accordance with the Copyright, Designs and Patents Act 1988.
All trademarks used herein are the property of their respective owners. The use of any
trademark in this text does not vest in the author or publisher any trademark ownership rights
in such trademarks, nor does the use of such trademarks imply any affiliation with or
endorsement of this book by such owners.
ISBN: 978-0-273-68487-9
Brief contents
Overview
Chapter 1 Information systems in accounting and finance: a contemporary overview
Chapter 2 Systems thinking: understanding the connections
Chapter 3 Control theories: management by design
Overview
Chapter 4 AIS and ICT: welcome to the information age
Chapter 5 Network architectures and topologies: making connections
Chapter 6 Contemporary transaction processing: categories, types, cycles and systems
Chapter 7 Data management, data processing and databases: storage and conversion
Overview
Chapter 8 Corporate transaction processing: the revenue cycle
Chapter 9 Corporate transaction processing: the expenditure cycle
Chapter 10 Corporate transaction processing: the conversion cycle
Chapter 11 Corporate transaction processing: the management cycle
Overview
Chapter 13 Risk and risk exposure: fraud management and computer crime
Chapter 14 Internal control and system security: minimising loss and preventing disaster
Chapter 15 Accounting information systems audit: towards a world of CAATs
Chapter 16 Accounting information systems development: managing change
Index
Contents
Overview
Introduction
Learning outcomes
Revenue cycle and revenue income: an integrated ‘market-based’ context
Revenue cycle
Debtor-based revenue cycle
Debtor-based revenue cycle – risks
Non-debtor-based revenue cycle
Non-debtor-based revenue cycle – risks
Revenue cycle – internal control and systems security
Revenue cycle and capital income
Revenue cycle information requirements
Concluding comments
Key points and concepts
Bibliography
Self-review questions
Questions and problems
Assignments
Chapter endnotes
Introduction
Learning outcomes
Expenditure cycle – revenue expenditure
Expenditure cycle – types
Creditor-based expenditure cycle
Creditor-based expenditure cycle – risks
Non-creditor-based expenditure cycle
Non-creditor-based expenditure cycle – risks
Expenditure cycle – internal control and systems security
Expenditure cycle – capital expenditure
Expenditure cycle – information requirements
Expenditure cycle – human resource management/payroll
Outsourcing
Concluding comments
Key points and concepts
Bibliography
Self-review questions
Questions and problems
Assignments
Chapter endnotes
Introduction
Learning outcomes
Conversion cycle – key activities and processes
Product development
Production planning/scheduling
Manufacturing operations
Production management
Cost management
Conversion cycle – data input
Conversion cycle – data processing
Conversion cycle – data management
Cost management – the accounting information systems connection
Conversion cycle – risks
Conversion cycle – internal controls and systems security
Conversion cycle – information requirements
World class manufacturing
Concluding comments
Key points and concepts
References
Bibliography
Self-review questions
Questions and problems
Assignments
Chapter endnotes
Introduction
Learning outcomes
Finance management
Fund management
Assets management
Fixed assets management
Current assets management
Liabilities management
Gearing (or leverage) management
Creditor management
General ledger management
Concluding comments
Key points and concepts
References
Bibliography
Self-review questions
Questions and problems
Assignments
Chapter endnotes
12 From e-commerce to m-commerce and beyond: ICT and the virtual world
Introduction
Learning outcomes
E-commerce and the changing world of business – towards a self-service economy!
Categories of e-commerce
Other e-commerce-related activities
Barriers to e-commerce
Removing the barriers to e-commerce – protection schemes
B2C e-commerce
B2B e-commerce
Using e-money
M-commerce
Benefits of e-commerce
Problems of e-commerce
E-commerce – and the matter of regulation!
Concluding comments
Key points and concepts
Bibliography
Websites
Self-review questions
Questions and problems
Assignments
Chapter endnotes
Overview
13 Risk and risk exposure: fraud management and computer crime
Introduction
Learning outcomes
Social and economic context of risk
Risk exposure
Minimising risk exposure – ensuring information security
Corporate accounting information systems – problem conditions and exposure to risk
Fraud
Fraud management – fighting fraud and minimising loss
Computer crime
Concluding comments
Key points and concepts
References
Bibliography
Websites
Self-review questions
Questions and problems
Assignments
Chapter endnotes
Introduction
Learning outcomes
Internal control and systems security – a contemporary context
Internal control and the priorities of capital
Context filtering – an imposed hierarchical context
Internal control – a composed framework
Classification of controls
Systems security and internal control – purpose and scope
Internal control and the security of tangible/non-tangible resources
Internal control and the security of data/information
Internal control and the security of company/organisational networks
Disaster contingency and recovery planning
Information and communication technology enabled innovations – internal control and systems security issues
Concluding comments
Key points and concepts
References
Self-review questions
Questions and problems
Assignments
Chapter endnotes
Introduction
Learning outcomes
The role of the auditor
Types of auditor
Types of audit
Accounting information systems audit – a context
Purpose of an audit
Auditing techniques
Auditing computer-based accounting information systems
Content (or application) audit
Context (or environment) audit
Accounting information systems architecture – general controls
Auditing computer-based accounting information systems – more issues
Concluding comments
Key points and concepts
References
Bibliography
Websites
Self-review questions
Questions and problems
Assignments
Chapter endnotes
Index
Supporting resources
Visit www.pearsoned.co.uk/boczko to find valuable online resources
For instructors
• Complete, downloadable Instructor’s Manual
• PowerPoint slides that can be downloaded and used for presentations
• Additional questions and assignments with suggested solutions
For more information please contact your local Pearson Education sales
representative or visit www.pearsoned.co.uk/boczko
List of articles
13.3 Internal hackers pose the greatest threat – beware the enemy within
13.4 Hacking and phishing soars in May (A)
13.5 Hacking and phishing soars in May (B)
13.6 Banks double up on security
13.7 MyDoom worm spreads as attack countdown begins
13.8 UK infrastructure under Trojan attack
13.9 Tesco’s call centre staff sacked for massive online fraud
13.10 Sharp eyes of Laura Ashley captured massive fraud gang
14.1 Corporate character is not just a legal construct
14.2 Inquiry launched after biggest ever credit card heist
14.3 AIB fraud ‘going on for years’
14.4 Satellite TV card details posted on pirate websites
14.5 Citigroup pays $75m to end action
15.1 ‘True and fair’ view of British audits is in jeopardy
15.2 Big four bristle at claims that too much power rests in their hands
15.3 IFAC under fire over audit standards
16.1 Firms must get tough on hosts
Introduction
To paraphrase an old Chinese proverb, we not only live in interesting, but in changing times.
We live in an ever-changing world. A world dominated not by the changing nature of global
politics, or by the international flows of goods and services, or indeed by the turbulent
unpredictability of the global capital markets. We live in a world dominated almost exclusively by flows
of knowledge and information – by technologies designed not only to sustain but also increase
the socio-economic need and desire for more and more information.
This book offers an insight into the nature, role and context of accounting-related information
within the competitive business environment, and explores how business organisations – in
particular companies – use a range of theories and technologies not only to assist in the
maximisation of shareholder wealth, but also in the management and control of organisational resources.
It is concerned primarily with corporate accounting information systems – as an organisational
arrangement of processes and procedures that employ both tangible and intangible resources to
transform data – more specifically economic data – into accounting information. In doing so,
such systems play an important role in four related areas of corporate activity:
• transaction processing management and the supporting of business operations,
• resource management and the fulfilment of stewardship obligations,
• information management and the supporting of decision-making processes, and
• financial management and the fulfilment of legal, political and social obligations.
It is an understanding of each of these roles that informs the issues addressed by this book, a
book which considers the following areas:
• systems thinking,
• control theories,
• accounting information systems and information and communication technology,
• architectures, topologies and networks,
• contemporary transaction processing cycles and systems,
• systems analysis, development and design,
• information systems and database management,
• e-commerce and the virtual economy,
• risk and fraud management,
• internal control and systems security, and
• accounting information systems audit.
Practical orientation
Corporate accounting information systems are real entities – they exist within a real-world
environment. To provide a balanced overview this book not only provides an exploration of
the practical and technical aspects of corporate accounting information systems but, more
importantly, a consideration of the social, political and economic pressures that continue to
shape the very nature of such systems.
Accessibility
Where at all possible, a clear, informal linguistic style is used. The use of complex jargon and
obscure terminology that seems to litter practical inter-disciplinary subjects such as corporate
accounting information systems is, where possible, reduced to a minimum. Where this is inevitable,
definitions and explanations of key terms and concepts are provided.
In addition, because much of the discussion on accounting information systems requires not
only an appreciation of a range of theoretical ideas, but perhaps more importantly the understanding
of a number of sometimes very diverse and very complex practical issues, an incremental
approach is adopted in the presentation, analysis and development of such discussion.
Introduction
This section presents a brief discussion of the relevance and importance of the issues discussed
in the chapter.
Learning objectives
This section presents a summary of expected competencies to be gained by the reader.
Self-review questions
At the end of each chapter a selection of short review questions is provided. These are designed
to encourage the reader to review key issues presented in the chapter and, where appropriate,
can be used as a review and revision aid.
Assignments
At the end of each chapter a selection of assignments is provided. These assignments are larger
case studies that require the reader to develop and examine a range of relationships between
corporate accounting information systems and the larger corporate/business environment. These
assignments integrate a range of theoretical ideas/practical issues and provide a real-world
context to corporate accounting information system problems.
Appendices
Where appropriate, appendices are included at the end of each chapter.
Website support
A website supporting this book is available and contains:
• PowerPoint slides relating to each chapter,
• a selection of additional end-of-chapter questions, including multiple-choice questions, and
• links to useful websites.
Lecturer’s guide
An online lecturer’s guide is available.
The guide contains supplementary material for each chapter including learning objectives,
a key point listing and glossary, a selection of multiple-choice questions, and answers to all end
of chapter questions and assignment questions.
Target readership
Perhaps because of the increasingly volatile nature of financial/accounting regulation, the growing
interconnectedness of both national and international markets, or indeed the increasing
impact of information and communication technologies on accounting-related activities, it is
only in the past 20 to 25 years that courses on corporate accounting information systems have
begun to find their place not only on undergraduate degrees and professional accountancy
courses but also increasingly on post-graduate MBA and MSc courses.
This book is aimed primarily at undergraduate students studying accounting/finance degrees,
and intermediate-level professional students studying for ACCA, CIMA and ICAEW qualifications.
It is, however, hoped that the critical underlying theme of the discussion in this book will
also appeal to post-graduate MBA/MSc students studying accounting, finance and/or information
systems.
Acknowledgements
My thanks to the following people for their assistance in the preparation of this book:
• Ron Hornsby for his inspiration, ideas and enthusiasm,
• Christopher James Boczko for his assistance and expertise on numerous technical aspects of
this book,
• Matthew Smith at Pearson Education for his endless patience, professionalism and belief,
and
• the various anonymous reviewers for their constructive and helpful comments.
‘Corporate character is not just a legal construct’ by John Kay published in The Financial Times
13th December 2004; Booz Allen Hamilton Inc. for Figure 10.2; McGraw Hill Education for
Table 13.4 by McClure/Scambray/Kutz, Hacking Exposed, 5th edition © 2005.
In some instances we have been unable to trace the owners of copyright material and we would
appreciate any information that would enable us to do so.
Part 1
A contextual framework
Part overview
Chapter 1 provides an overview of the social, political and economic context of corporate
accounting information systems, and considers their role in supporting organisational
decision-making processes and the fulfilment of stewardship obligations and responsibilities.
Chapter 2 explores the key features of contemporary systems thinking and considers why
such thinking has become fundamental not only to the contemporary priorities of capital
but, more importantly, business organisations and corporate accounting information systems.
Finally, Chapter 3 explores the issue of control – as a political construct dominated by the
priorities of capital, and considers the application of control theory in the development and
management of corporate accounting information systems.
Introduction
Corporate accounting information systems are significant inasmuch as they are socially
created mechanisms through which symbolic forms of knowledge¹ that play an increasingly
central role in portraying, evaluating and governing expanding domains of social and economic
life are constructed. Symbolic forms of knowledge that have become a fundamental part
of the struggle for corporate survival, as companies undertake economic transactions in a
business world increasingly dominated by and concerned with a spatial context of ‘oneness’.
A business world in which the controlling mechanism of the marketplace has become pre-
occupied with the notion of singularity – a single market, a single world society, a single
global culture. With a single borderless society in which the once established cartography
of political sovereignty continues to be reconfigured by a market dominated movement
where the reduction of institutional and economic diversity is seen as paramount, and con-
tinuing socio-political heterogeneity is seen as increasingly unacceptable.
In a business world increasingly dominated by and indeed reliant upon information,
corporate accounting information systems have become central to enabling social, polit-
ical and economic activities to be rendered knowable, measurable, accountable and
manageable. More importantly, such systems have become pivotal in the adjudication of
rival business claims between competing social constituencies both inside and outside the
company. Corporate accounting information systems are implicated not only in conditioning
the global flows of capital investment and business resources, but also in assisting in
determining/measuring the effectiveness of business institutions and organisations,
institutions and organisations through which differing levels of social, political and economic
power are expressed.
Clearly, the pervasive influence of corporate accounting information systems provokes
many questions. Questions about how such accounting information systems develop;
why particular accounting information systems and practices are adopted; and how such
accounting information systems are regulated within business organisations. More importantly
perhaps such influence provokes questions about how such corporate accounting
information systems are utilised, and about the adequacy of the understandings distilled
from the information such accounting information systems generate.
This chapter provides a critical review not only of the over-riding economic nature of
corporate accounting information systems, but also considers their social and political context.
Issues relating to the role of corporate accounting information systems in the supporting of
organisational operations and decision-making processes, and the fulfilment of stewardship
obligations and responsibilities, are also explored.
Learning outcomes
This chapter covers a wide range of preliminary issues and provides an introduction to
corporate accounting information systems in the context of an increasingly dynamic and
hectic (some would say chaotic) business world. By the end of this chapter, the reader
should be able to:
• describe the major influences that change the nature and context of corporate accounting
information systems,
• describe the major characteristics of contemporary corporate accounting information
systems,
• critically comment on the social, economic and political roles of corporate accounting
information systems,
• illustrate an awareness of the role of accountants and accounting and finance related
specialists in contemporary corporate accounting information systems, and
• demonstrate an understanding of the structure of corporate accounting information
systems.
Whatever chronology is imposed on understanding the nature and context of social and
economic change, the very idea of globalisation is not only socially emotive but economically
and politically divisive. In a 21st century world increasingly preoccupied with:
• the maintenance of local culture(s) and social identities,
• the securing of traditional political boundaries and democratic constituencies,
• the continued development of market arrangements and economic interrelationships, and
• the assessment of the social consequences of capital mobility,
globalisation remains a rich source of critical analysis, political rhetoric and economic debate.
But a debate between whom? Between those who decry globalisation as a destructive process
facilitating:
• the destruction of local traditions,
• the continued subordination of poorer nations and regions by richer ones, and
• the gradual elimination of culture and everyday life,
and socially detached from the economic consequences such global priorities seek to both
encourage and promote.
Clearly, the increasing dominance of the global marketplace and associated flows of capital
that today not only create (and recreate), but also sustain, contemporary forms of global
interdependencies and interconnectedness represents one of the most wide-ranging (and for some)
one of the most unsettling systemic trends in contemporary history (Scholte, 1995). Why?
Because such trends encapsulate more than a process of reconstruction, reconstitution or global
restructuring! They represent a transition, one dominated not by the chaotic flows of social
identities and/or political ideologies, but by the erratic flows of commodity capital, investment
capital and human capital.
Indeed, whether globalisation is regarded as constructive – that is facilitating positive social,
economic and political change – or destructive – that is facilitating the elimination of local culture
and local tradition – it clearly encapsulates a process of continuing radical change, of transition
– of transformation. A transformation of modern society and the business environment in
which the historical and contemporary settings of everyday social, economic and political activity
have been shifted to what some have called a hyper-realism of a postmodern new world order
(Luke, 1995). A new world order in which wealth maximisation and the search for competitive
advantage have become central to the global logic of corporate capital and its desire to forge
institutional interdependencies consistent with its continued survival and expansion. A new
world order increasingly dependent upon the availability of evermore complex symbolic forms of
knowledge, ephemeral technologies and knowledge based systems and on evermore transferable
forms of information . . . on accounting!
As suggested earlier, the continued dominance of capital mobility and freedom of accumulation
(Surin, 1998) – of contemporary market capitalism and its interrelated notions of borderless
private ownership, the free pursuit of profit and the existence of free (or at least a managed)
market mechanism (McChesney, 1999) – remains a central feature of today’s global business
environment. A global business environment in which the primary aim of traditional market-
based economic activity is the achievement and maintenance of competitive advantage and wealth
maximisation. An environment in which success is measured and assessed, principally on
the level of economic returns such activities generate for corporate stakeholders – in particular
corporate shareholders (Rapaport, 1986). Clearly, the transformative consequences of global
capital and the dominance of market economics in the late 20th and early 21st century have
produced many social, political and economic benefits.³ However, such benefits have been, and
indeed continue to be, achieved at some cost. As suggested by Boczko (2000):
the often turbulent and erratic search for profit and gain – for new products and markets, new
technologies, new spaces and locations, new processes of organisation and control – have
increasingly produced the very market crises that such global competition and global change
had sought to escape (2000: 139).
The achievement and maintenance of competitive advantage, the development and maintenance
of key success factors, the extending of product and service life cycles and the continued
maximisation of product and service profitability, have all become evermore difficult to attain
in a highly competitive global marketplace in which corporate success has become increasingly
ephemeral. A global marketplace in which the traditional business philosophies that once formed
the foundation of long-term financial survival have become subservient to highly competitive/
speculative strategies founded on notions of:
• emergent innovation,
• flexible accumulation, and
• freewheeling opportunism.
Speculative strategies that have become heavily dependent on information, on information and
communication technologies and on intangible knowledge-based systems (specifically accounting
information) to ensure the effective management of corporate resources, the accurate measurement
of corporate performance and to provide a necessary determination of continued corporate
survival.
Whilst the need for information is by no means a new phenomenon, in a global business
environment increasingly shaped by the complex business transactions that have become evermore
uncertain, compressed and increasingly lacking in transparency, corporate business activities
have, out of necessity, become bound up with a growing dependency on networks of surveillance,
on regulation and control and on the development of sophisticated systems for collecting, storing
and processing information.
The need to know and the ability to control have not only become a central feature in the
search for competitive advantage, profit and the maximisation of corporate wealth, but more
importantly a central feature of a society increasingly dominated by the economics of gain and
the need to know first. A society in which the politics of global competition and the economics
of the marketplace have not only contributed to changing the structure, nature and context
of contemporary society itself, but more importantly contributed to changing contemporary
notions/perceptions of the company – the corporate entity. A company is no longer just a legal
entity, a collection of rights or a collection of tangible and intangible assets and/or physical and
virtual resources. Instead it is a complex social mosaic of people, systems and procedures. A
complex interaction founded on the philosophy of agency, on the separation of ownership and
control which requires trust,⁴ not in people or in an abstract politicised legislative framework
or market-based rules and regulations (although these are clearly important) but in procedures,
information, technologies and systems.
• the corporate search for comparative advantage and the elimination of competitive threats
and environmental disturbances,
• the development of market opportunities and the optimisation of the long-term rate of
return,
• the management of social, political and economic change, and
• the maximisation of shareholder wealth,
profit or not, every organisation needs information to survive’ (Lynch, 2003: 402). Information
that is not only used to:
• justify expansion and contraction,
• rationalise closure,
• defend closure and relocation, and
• justify increases in product/service prices,
but which can also be used to:
• control activity,
• compare performance,
• ensure accountability,
• facilitate surveillance and, perhaps most important of all,
• enforce regulations.
Such information (such symbolic forms of knowledge) can of course take many forms. From
marketing information on customer relations and product pricing strategies, to human resources
management information on organisational employment levels/policies and staff profiling/
recruitment strategies, to operations management information on production timetable/schedules,
to financial accounting/management information on corporate profitability, investment/financing
strategies and dividend policies.
This book is however primarily concerned with accounting/financial management information,
and with the systems, processes and procedures involved in its production and dissemination.
Information such as:
• external financial reporting statements – for example the profit and loss account, balance
sheet, and cash flow statement,
• internal management accounting statements – for example performance budgets, costing
reports and activity reports, and
• financial management information – for example short-term working capital management,
long-term investment strategies and dividend/debt policies.
Whilst the provision of such accounting/financial management information can and indeed
does provide many benefits such as:
• the reduction of transaction uncertainty and business risk,
• the promotion of business confidence,
• the reduction of risk of financial loss, and
• the facilitation of organisational planning and control,
the central role of such information is one of governance – whether internal governance in
terms of operational management processes and strategy development, or external governance
in terms of corporate financial statements and corporate accountability. However, it is also
important to recognise that information does not just facilitate business procedures and processes
or business governance and accountability. Neither does it just assist in facilitating
controllability. Its purpose is not merely the minimising of complexity and the promotion of
maintainability – of survival. Information is a business resource. It is, as suggested by Vaassen
(2002), the fourth production factor.
Information has value. Whilst the measurement of this ‘value’ is an issue of continued heated
debate – for example, for some, such value is normative (identifiable and measurable) so that
it is based on realisable benefits, while for others such value is relative (indeterminate and
ambiguous) and depends heavily on utility and context of use – information is nevertheless
a valuable business resource. A marketable commodity that is not only political in context
but, more importantly, social in construction, and as far as accounting/financial management
information is concerned, economic in consequence.
But what do we mean by the term information?
There are many definitions of ‘what’ information is, some of which are complementary, others
of which are contradictory. For example Stafford Beer (1979) suggested that information is that
which changes us. Davis and Olsen (1984) extended this notion of change by suggesting that
information is:
data that has been processed into a form that is meaningful to the recipient and is of real
perceived value in current or prospective actions or decisions (1984: 200).
This theme was also continued by Murdick and Munson (1986) who suggested that information
can be defined as a coherent pattern of characters that can stimulate both action and reaction.
Blokdijk and Blokdijk (1987) however suggested that information is not merely concerned
with action – process – reaction. They suggested a more value orientated definition, suggesting
that information was what connects with man’s consciousness being and contributes to his
knowledge and ultimately his well being.
A common theme in all the above is the notion that information is data that have been
processed in such a way as to be useful to the recipient. Such a theme suggests three separate
but clearly interrelated contexts.
Firstly, ‘data that have been processed’ suggests a processing context – that is it implies that
the value of information is associated with a notion of change, of transformation.
Secondly, ‘in such a way as to be useful’ suggests a structural context – that is the value
of information resides not only in its component parts and their relationship but also in
the underlying structure, the logical arrangement, the nature/context of the language/sets of
symbols used.
Thirdly, ‘to the recipient’ suggests a communication context – that is it implies that the value
of information is also associated with the notion of assembly, recording, transmission and
communication using a shared symbol set designed to promote understanding. In other words,
information is not information until it has been communicated and understood (see Figure 1.2).
Vaguely implied in all the above definitions is however the idea that information can in
some way ‘reflect’ reality. That is, information possesses objective characteristics independent
of the user and can therefore be processed like any other business resource. Such a ‘reflectivist’
perspective assumes that reality can be mirrored, more or less ‘truly’ or ‘fairly’, and that
accounting/financial management information can not only provide a faithful picture of that
economic reality, but as the nature of business transactions and economic activity evolves,
refinements to accounting/financial management information and accounting systems and practices
can be introduced to ensure their continuing faithfulness.
Clearly, this is not the case since information, as a ‘body of knowledge’ or as a ‘set of rules
and procedures’, is created/designed for a purpose – to satisfy an ‘assigned’ role, for example to:
• promote order and control,
• reduce entropy and uncertainty,
• minimise waste, and/or
• maximise shareholder return.
This assigned ‘political’ role is imposed by human agency. Interrelated notions of process,
structure and communication are clearly dependent upon human agency and can therefore be
neither politically nor socially neutral. They are embedded within social arrangements – within
cultural and organisational contexts. The generation, management and application of
information have social, political and economic consequences. Consequences often designed to sustain
existing socio-political relationships and arrangements. In other words, information (or more
appropriately the use of information) is not only intentional, it is perhaps more importantly
politically constructive.
Such a ‘constructivist’ perspective contends that information communicated by a shared set
of understandable signs and/or symbols can neither ‘reflect’ reality, nor neutrally express the
intentions of those involved. Meanings communicated through the use of language(s) and/or a
shared set of symbols are constructed within negotiated representational systems – representational
systems that often conceal the social relations that not only comprise them, but more importantly
construct them. What is capable of being known depends fundamentally on the social traditions/
political contexts through which the world is rendered knowable.
Whilst the importance of information, especially accounting/financial management
information, in the promotion of business efficiency and management effectiveness, and wealth
maximisation cannot be understated, it is however important to recognise that the generation
and communication of information is, contrary to the illusions of liberal economics, anything
but a neutral and unbiased technical activity (see Gray et al., 1996). Such a political context,
such a constructivist view of information clearly has implications on any assumed neutrality
that the qualitative characteristics of information may appear to possess. Notions of relevance,
reliability, understandability, validity, usefulness and timeliness are all ‘imposed’ characteristics,
or more appropriately ‘constructed’ characteristics.
Above we considered the issue of information. Before considering the broad nature, context
and purpose of corporate accounting information systems, it would be useful to consider first
a broad introductory definition of the notion/idea of ‘system’. (The notion of system and
systems thinking will be considered in more detail in Chapter 2.)
So, what is a system? Harry (1994) suggested there was no universally accepted definition of
the term/notion of system. True or false? Probably both!
Whereas a biologist/medical scientist may use the term ‘system’ to define for example bodily
parts or structures anatomically or physiologically related, a chemist may use the term to describe
matter in which there exists more than one substance in a number of different phases. A geologist
may use the term ‘system’ to describe a formation of rock strata created during a period of
geological time, whilst a mineralogist may for example use the term to define categories and/or
divisions into which crystals may be placed on the basis of uniquely identifiable characteristics.
Whereas an astronomer may use the term ‘system’ to describe a group of associated extraterrestrial
bodies, an engineer may use the term to define any independent assembly of electronic, electrical
or mechanical components forming a self-contained unit.
A sociologist may use the term ‘system’ to describe any scheme of economic classification, social
arrangement and/or political stratification, whilst a psychologist may use the term to describe
an individual’s physiological or psychological makeup. And, finally, perhaps an economist
may use the term ‘system’ to describe a group or combination of interrelated, interdependent
or interacting elements forming a collective entity, whereas a political scientist may use the
term to define opinions of thought, points of view or established doctrine(s) used to interpret
a branch of knowledge.
Clearly, the notion or context of what a system is in each of the above definitions varies,
depending on the nature of the knowledge/characteristics/components being considered.
Yet they all nevertheless contain a number of similar themes – if sometimes by implication
only.
Firstly, they all contain a common root meaning – that is there is a notion of methodical or
coordinated assemblage. A collection or grouping of similar items, objects, elements, and/or
components.
Secondly, they all suggest that in general, stronger correlations (relationships) exist between
one part of the system and another, than between one part of the system and parts outside the
system. That is a system can broadly be regarded as a set of related objects/components whose
relationship to each other is stronger than their relationship to their environment, a
relationship resulting in the constitution (some would say ‘perceived constitution’) of an identifiable
whole – separate from the environment (see Schoderbeck et al., 1985).
Thirdly, as a complex of directly and/or indirectly related significant objects or elements,
they all suggest that such components of a system operate together to attain a prescribed goal,
aim or objective. Whatever professional perspective is adopted – whether a biologist/medical
scientist, an engineer, a sociologist, an economist – they all imply, to a greater or lesser extent,
that as a bounded set of objects/components, a system is capable of responding to external
stimuli to undertake whatever function or change is required to achieve/maintain the system’s
objective.
For example the discovery of a new virus strain may cause biologists to review their
understanding of medical physiology. The emergence/development of a new global economic cycle
may cause economists to review understanding of how social and political interrelationships
impact on economic institutions, or the discovery of a new star cluster may cause astronomers
to review their understanding of the universe as a developing system.
It should however be noted that such responses to new data/new conditions/new
relationships are neither automatic nor apolitical. Such responses/interpretations are imposed by
human agency – they are not only socially created, they are politically constructed.
So, what is a system? These core attributes of collection and commonality, relationship, and
purpose, aim and response to change were perhaps best summarised by Beishon and Peters
(1972), who suggested that a system was merely:
an assembly of parts, where the parts or components are connected together in an organised
way, . . . the parts or components are affected by being in the system and are changed by
leaving it, . . . the assembly does something, . . . (and) . . . the assembly has been identified
by a person as being of special interest (1972: 12).
Such a definition is related to what are often described as the organisational/relational contexts
of corporate accounting information systems.
Wilkinson et al. (2001) however suggested that an accounting information system is:
a unified structure within a business entity such as a business firm that employs physical
resources . . . to transform economic data into accounting information (2001: 7).
Such a definition is related to what are often described as the procedural and/or functional
contexts of corporate accounting information systems. (These alternative contexts will be explored
later in this chapter.)
Whilst each of the above definitions does differ in some minor aspects, a common identifiable
theme in each of the above definitions is the notion that an accounting information system is
a cohesive organisational structure: a set of directly and indirectly interrelated processes and
procedures, objects and elements, events and activities.
So, a collection of resources and other components designed for a purpose. But what purpose?
Romney and Steinbart (2006) suggested that the purpose of an accounting information system
is to process transaction data to provide users with information, a system that:
collects, records, stores and processes data to produce information for decision makers
(2000: 6),
whereas Vaassen (2002) suggested that the purpose of an accounting information system is to:
provid(e) information for decision making and accountability to internal and external
stakeholders, . . . provid(e) the right conditions for decision making, . . . (and) . . . ensur(e) that no
assets illegitimately exit the organisation (2002: 3).
Again a common theme in each of the above quotes is the notion that accounting information
systems possess two common interrelated purposes:
• to provide users with information, or a decision facilitating function – that is a function
concerned with assisting decision making/decision makers by providing ‘useful’ information,
and
• to support decision making and facilitate control, or a decision influencing/mediating
function – that is a function concerned with controlling and inducing alternative forms of
behaviour in transacting parties where conflict exists and/or mediation is required.
As suggested earlier, the basis of contemporary market-based capitalism concerns the notion of
resource movement/exchange – that is the temporal and spatial displacement of resources5 is the
foundation of conventional economic activity, corporate profitability and wealth maximisation.
(This issue will be explored further in Chapter 2.) More importantly, from a liberal economic
perspective at least, such resource movement/exchange is also the foundation of continued
corporate survival. Indeed, in today’s highly competitive (some would say chaotic) global
marketplace companies must not only be flexible and adaptive, but also responsive to social, political and
economic change. One consequence of this need/desire for continued flexibility/adaptability in
an evermore hectic business environment, is that corporate accounting information systems as
an essential part of a company’s arsenal of competitive technologies have become increasingly
complex – a complexity directly related to notions of security, control and risk reduction. A
complexity directly influenced by:
• ever-increasing volumes of accounting/financial management data and business data
processing,
• ever-increasing demands of internal and external users to reduce data processing times,
• an evermore critical emphasis placed on correct processing,
• an increasing importance on detail management,
• ever-increasing computerisation of accounting/financial management transactions, and
• an ever-increasing requirement/demand of market participants to minimise management/
regulatory intervention in competitive business activities.
However, despite such ever-increasing pressures, as suggested earlier, corporate accounting
information systems are by their very nature created resource structures – that is they emerge
from a need/desire to protect, control and manage resource activities and wealth creation
processes. The purpose of such systems is to provide two clear functions:
• a decision facilitating function, and
• a decision influencing/mediating function.
Such a duality of function can and indeed often is interpreted in a number of alternative contexts
(see Figure 1.4). Such contexts include:
• a procedural/processing context,
• an organisational and relational context, and
• a functional context.
Procedural/processing context
From a procedural/processing context, corporate accounting information systems are
essentially ‘data transformation management systems’. That is such a contextualisation of corporate
accounting information systems suggests that the purpose of such a system is to facilitate five
key procedures (see Figure 1.5):
• data collection,
• data maintenance,
• data management,
• data control, and
• information generation.
The procedural context is of course closely related to notions of input (data collection), process
(data maintenance/data management) and output (data control and information generation),
and is concerned primarily with ensuring the proper execution of a certain procedure and/
or series of procedures to guarantee appropriate processing – to ensure correct data storage,
data maintenance and data/information retrieval and removal/disposal. Key issues within this
procedural/processing context are often related to:
• limiting data redundancy (reliability)
• ensuring data consistency and standardisation (efficiency)
• promoting where possible data integration (spatial constraints)
• ensuring data accessibility (user control) and providing data flexibility (modification), and
• ensuring data security (integrity) by providing appropriate data capture and entry facilities
(accuracy).
This generally involves ensuring:
• the provision of appropriate data capture and data input procedures, for example hard copy
(physical) input or pre-formatted data-entry (virtual) input,
• the adoption of appropriate processing methodology, for example periodic (batch) processing,
immediate processing, online processing, real-time processing and/or distributed processing,
• the development of appropriate maintenance procedures, for example data correctness, data
accuracy, data relevancy, master file security and media access restriction, and
• the development and implementation of appropriate output procedures.
From an organisational context corporate accounting information systems are essentially
hierarchical information systems (see Figure 1.6). That is they are designed to:
• assist in defining business strategies/policies,
• embed information into tactical decision-making processes, and
• provide useful information for operational control purposes.
From a relational context, corporate accounting information systems are essentially a
component part of an integrated corporate information system (see Figure 1.7). That is they exist as
an essential part/component of a company’s overall management information system.
Such organisational and relational contexts are of course related to a range of internal/
external factors such as:
• size of the company and the complexity of corporate structures/lines of accountability,
• organisation of the company and the intricacy of data/information flows,
Key issues within this organisation and relational context are often related to:
• ensuring information standardisation,
• promoting where possible information consistency,
• ensuring appropriate levels of accessibility,
• ensuring appropriate levels of integration, and
• providing sufficient levels of information flexibility.
This generally involves ensuring:
• the provision of appropriate communication structures/procedures,
• the adoption of appropriate procedures of accountability, and
• the development of appropriate information models.
Functional context
From a functional context, corporate accounting information systems are essentially
transaction processing systems. That is they are designed to mirror a company’s cycles of operation
and/or business activity – the temporal and spatial displacement of resources founded on the
following:
• tangible/intangible products and services absorb resource expenses,
• resources are bought and sold,
• resources are converted,
• equity is increased and/or diminished, and
• debts are incurred and/or liquidated.
Such activities can be analysed within the context of four functional sub-systems (see Figure 1.8):
• an expenditure cycle – generally consisting of an acquisition control system, a receiving and
inspection system, and a purchasing and creditor system,
• a conversion cycle – generally consisting of a stock control system, a production control
system, and a payroll system,
• a revenue cycle – generally consisting of a marketing system, a transportation system, and
sales and debtors system, and
• a management cycle – generally consisting of a cash receipts and payments system, a fixed assets
and property system, and a general ledger system.
In general two categories of functional contexts can be identified.
Each of the above will of course place different emphasis on different aspects of their
transaction processing systems.
Key issues within this functional context are often related to the need to control, authorise
and record the impact of resource movements. That is, issues related to internal control and the
separation of administrative procedures and the separation of functional duties.
It generally involves ensuring;
(This functional context informs a range of corporate accounting information systems ideas
and will be explored further in Part 3.)
Organisational context
As suggested earlier, corporate accounting information systems are created resource structures,
political structures that possess a range of general characteristics:
• they are goal orientated – that is they are purposeful,
• they are generally comprised of a range of interacting components (sub-systems),
• they exist/function within a hierarchical context,
• as a system they have a defined boundary, and
• as a system they possess synergistic qualities.
Corporate accounting information systems have many users and involve many different groups
of stakeholders. More importantly such systems are subject to a range of social, political and
economic influences and controls – both internal and external to the company.
Organisational users
Because of the vast range of influences affecting the functional nature/capacity of corporate
accounting information systems, the continued survival and growth of a company increasingly
depends on the supply of effective accounting information to a wide range of diverse stakeholder
groups, both internal and external to the company (see Figure 1.9).
Clearly the nature, size, location and complexity of the company will have a direct impact
not only on the range of corporate accounting information systems users, but also on the types
of information various stakeholder groups may require. For example, a large, diversified,
UK-based multinational company would have a greater range of accounting information systems
users and information demand requirements than say a small, regional, single-purpose private
limited company. So who uses corporate accounting information systems?
Again, as with internal users, some external users would of course also be interested in inputs,
process and relevant controls. Such users would for example include the external auditor,
government regulators, market regulators and, of course, taxation authorities, and their interest would
generally derive from some legal and/or institutional requirement.
Like many created resource structures – often very bureaucratic ones – there are many problems
and fallacies surrounding the effective use of corporate accounting information systems. Some
of these problems and fallacies emerge from the narrow perspective and role assigned to such
systems. Others emerge from misunderstandings over the nature, purpose and use of information.
Secondly, such systems, because of the underlying political nature of information and
information systems, only generate information consistent with a particular perspective or ‘world view’
– a functional, liberal, economic/market-based view. The reason for this is purely historical.
Traditionally, corporate accounting information systems were, and to some extent still are,
grounded in what has often been called a ‘value driven approach’ – that is an approach in which
the management of financial outcomes such as profitability, levels of shareholder dividend,
gearing and other financing issues often take priority over other issues. Such an approach – such
an ‘output driven approach’ – whilst clearly supporting conventional liberal economic wisdom,
that is the maximisation of shareholder wealth, unfortunately leads to:
An alternative approach is an approach that has often been called an ‘events based approach,’
one which advocates that a company should focus on managing relevant business events or
sequence of events as opposed to managing values in financial statements. Such an approach
not only supports a business ‘multi-stakeholder’ view rather than the ‘single-stakeholder’ view,
but also acknowledges the shortcomings of conventional notions of accounting and accounting
information systems.
There are many fallacies surrounding not only corporate accounting information systems in
particular but also information systems in general.
Firstly, more is better – that is the greater the quantity of data processed, the greater the
quantity of information produced, the more efficient and effective the company and/or
organisation will become. False! Whilst clearly some relationship exists between information and
corporate efficiency, there is no direct correlation between the quantity of processing and
levels of corporate efficiency – such efficiency is normally related to the ‘quality’ of information
produced.
Secondly, more communication means better performance. False! Improved performance is
again related to the quality of information not the amount of times communication takes place.
Although increased communication can provide some performance-related benefits, there is
a level beyond which further communication can have a dysfunctional impact – that is, it can
reduce efficiency and as a consequence decrease levels of performance.
In both the above it should however be noted that the term ‘quality’ is not only subjective
but more importantly political in context.
Thirdly, providing users/managers with the information they ‘need’ will automatically
improve decision-making procedures and processes. And, fourthly, users/managers know what
they need, and need what they want. Both false!
Catering for individual needs and requirements whilst useful in a limited context may not
only be excessively costly, but more importantly short sighted. Whilst many users/managers
would like to believe they have a clear view of what they need, such users/managers generally
function within a limited context – within their individual ‘world view’ – and as a consequence
may not be fully aware of the bigger corporate picture.
A key theme throughout the book is an acknowledgement that accounting6 is a creative process
– a social construct, designed to portray (in a particular way) the outcome of the temporal and
spatial displacement of resources. It is an active ‘political’ technology of capital accumulation –
wealth creation – directed towards preserving already dominant social structures and hierarchies,
and is as such purposive rather than inherently purposeful.
More importantly, corporate accounting information systems as created resource structures
– albeit increasingly virtual/intangible resource structures – are the ‘practical embodiment’
of this ‘socially constructed’ art form. Such systems are designed to maintain a particular set of
processes consistent with the implied ‘socio-political’ purpose of accounting.
So, given the ‘socio-political’ nature of accounting/accounting information and the
constructed political nature of corporate accounting information systems, is it possible to have a
theory of corporate accounting information systems? Not really!
As with accounting/accounting information, the search for an underlying theory of
corporate accounting information systems is the ‘search for the holy grail’. An underlying theory of
accounting/accounting information does not and will never exist.
Whilst some academics and some accountants may refer to the Statement of Principles
issued by the Accounting Standards Board (1999) as a broad conceptual framework – a possible
theoretical framework – such a view is mistaken and founded on misconceived notions of
accounting/accounting information’s neutrality and objectivity. Similarly an underlying theory
of corporate accounting information systems does not and will never exist.
However, that is not to say a broad theoretical framework – or more appropriately a broad
thematic context – cannot exist. It is this thematic context that forms the basis of discussion in
Part 2 of this book – a thematic context founded on three interrelated notions/ideas/theories:
• systems thinking,
• control theory, and
• information theories.
Concluding comments
As we have seen, corporate accounting information systems are socially, politically and
economically important. Not only do they affect all levels of management decision making and
various internal and external groups of stakeholders, they are more importantly an enabling
‘political’ resource that plays a leading role in:
More importantly, they are without doubt an increasingly critical success factor in the search for
corporate survival.
References
Gray, R., Owen, D. and Adams, C. (1996) Accounting and Accountability, Prentice Hall, London.
Harry, M. (1994) Information Systems in Business, Pitman, London.
Harvey, D. (1990) The Condition of Post Modernity, Basil Blackwell, London.
Luke, T. (1995) ‘New World Order or Neo-World Order: Power, Politics and Ideology in
Informalizing Glocalities’, in Featherstone, M., Lash, S. and Robertson, R. (eds) Global Modernities, Sage,
London, pp. 91–107.
Lynch, R. (2003) Corporate Strategy, Prentice Hall, London.
McChesney, R. (1999) ‘The New Global Media: It’s a Small World of Big Conglomerates’,
The Nation, 269(18), pp. 11–15.
Marx, K. (1976) Capital: A Critique of Political Economy, vol. 1., translated by Fowkes, B., Penguin,
London. (Original 1867)
Morgenthau, Hans, J. (1985) Politics Among Nations: the Struggle for Power and Peace, Knopf, New York.
Mosco, V. (1996) The Political Economy of Communication, Sage, London.
Murdick, R.G. and Munson, J.C. (1986) Management Information Systems: Concepts and Design,
Prentice Hall, London.
Nederveen Pieterse, J. (1995) ‘Globalisation as Hybridization,’ in Featherstone, M., Lash, S. and
Robertson, R. (eds) Global Modernities, Sage, London, pp. 45–68.
O’Brien, R. (1992) Global Financial Integration: The End of Geography, Pinter, London.
Rapaport, A. (1986) Creating Shareholder Value. The New Standard for Business Performance, Free
Press, London.
Riggs, F.W. (1998) Globalisation. Key Concepts @ http://www2.hawaii.edu/~fredr/glocon.htm.
Ritzer, G. (1993) The McDonaldization of Society, Pine Forge Press, Thousand Oaks, California.
Romney, M. and Steinbart, P. (2006) Accounting Information Systems, Prentice Hall, New Jersey.
Schoderbeck, P.P., Schoderbeck, C.G. and Kefalas, A.G. (1985) Management Systems: Conceptual
considerations, Business Publications Inc. Plano, Texas.
Scholte, J.A. (1996) ‘Beyond the buzzword: toward a critical theory of globalisation’, in Kofman, E.
and Youngs, G. (eds) Globalisation: Theory and Practice, Pinter, London.
Surin, K. (1998), ‘Dependency’s theory reanimation in an era of financial capital,’ Cultural Logic,
volume 1, Number 2.
Vaassen, E. (2002) Accounting Information Systems – A Managerial Approach, Wiley, Chichester.
Wilkinson, J.W., Cerullo, M.L., Raval, V. and Wong-On-Wing, B. (2001) Accounting Information
Systems, Wiley, New York.
Bibliography
Bodnar, G.H. and Hopwood, W.S. (2001) Accounting Information Systems, Prentice Hall, London.
Hall, J.A. (2004) Accounting Information Systems, South Western, Cincinnati, Ohio.
Lucy, T. (2000) Management Information Systems, Letts, London.
Mosgrove, S.A., Simkin, M.G. and Bagranoff, N.A. (2001) Core Concepts of Accounting Information
Systems, Wiley, New York.
Websites
No specific websites are recommended for this chapter. However, you may find the following
websites helpful in gaining an insight into some of the more business-related issues associated
with corporate accounting information systems.
www.accaglobal.com
(Chartered Association of Certified Accountants)
www.cimaglobal.com
(Chartered Institute of Management Accountants)
www.cbi.org.uk
(Confederation of British Industry)
www.icaew.co.uk
(Institute of Chartered Accountants in England and Wales)
www.ft.com
(Financial Times)
www.economist.com
(Economist)
www.guardian.co.uk
(Guardian)
www.accountingweb.co.uk
(General accounting website)
Self-review questions
Question 1
The long-term financial objective of a company is often seen as being ‘the maximisation of shareholder wealth’.
Briefly describe how a company’s accounting information system can assist in achieving this objective.
Question 2
‘Contemporary accounting information systems are ultimately political in nature.’ Discuss.
Question 3
‘The increasing uncertainty and risk of organisational activity has resulted in an increasing dependency on
trust systems.’ Explain to what extent contemporary accounting information systems can be regarded as a
trust system and illustrate how such a system is related to the changing nature of capital.
Question 4
‘All users of corporate accounting information systems are interested in one issue only – how profitable is the
company/will the company be.’ Discuss.
Question 5
‘Contemporary accounting information systems can be regarded as the fundamental/core resource/asset of any
corporate organisation.’ Discuss.
Assignments
Question 1
Deltum Ltd is an established retail company located in the north east of England. The company has been
operating successfully for over 50 years. In 2000, following a rather aggressive takeover bid Deltum Ltd finally
acquired the company’s only regional retail competitor, Hetmex Ltd.
Although the combined company did experience some early operating successes, the overall profitability and
efficiency of the combined company has recently fallen sharply, market share and product quality are now at
record lows with the combined company recording its first annual trading loss in 2003.
Despite attempts by the management of Deltum Ltd to combine the two companies’ accounting information
systems, a recent external consultants’ report was highly critical suggesting that the core problems being
experienced by the company have resulted from Deltum Ltd’s management’s inability to understand the
nature, context and purpose of a company’s accounting information system.
Required
Provide a report for the management of Deltum Ltd explaining the nature, purpose and uses of a company’s
accounting information system, and offer reasons why Deltum Ltd has faced such significant problems.
Question 2
Jeamer plc was a UK listed company that produced digital audio equipment for the retail market. The
company’s products were sold throughout Europe, North America, Australia and Canada, and were widely
regarded as the best in the market. Indeed during the period 1995 and 2001 the company’s digital audio
equipment consistently won high praise from both consumer groups and retail critics.
In January 2003, however, Jeamer plc suddenly went into liquidation. The company failed with debts amounting
to £125m. The failure of the company was headline news around the world with press speculation focusing
on the possibility of large-scale financial reporting irregularities and potential management fraud. However in
April 2003, following extensive enquiries, the company receivers published their findings. Their report indicated
that whilst some unacceptable accounting irregularities had been evident in the company’s published financial
reports for a number of years, the principal cause of Jeamer plc’s failure had been an inadequate accounting
information system.
Required
Describe the main function of an accounting information system for a company such as Jeamer plc and
explain the possible risks associated with the failure of such a system.
Chapter endnotes
1 Such symbolic forms of knowledge include financial reporting statements such as profit and
loss account, balance sheet and cash flow statement, and internal management accounting
statements such as budgets, performance reports, costing reports, activity reports and investment
appraisal reports.
2 The term ‘commodification’ is used here in a Marxian context to describe the ‘way capital(ism)
carries out its objective of accumulating capital or realising value through the transformation
of use values into exchange value’ (Mosco, 1996: 140). In a conventional context this presumes
an increasing use of competitive markets, an important issue in the accumulation process since
the most common embodiment of capitalism is as ‘an immense collection of commodities’
(Marx, 1976: 126).
3 Such benefits not only include macro benefits such as sustained national/international
economic growth, national/international market stability, social and political security, but in a
micro context, low investment risk, stable corporate growth and increasing market/product
opportunities/development.
4 Trust is a confidence in the reliability of a person or a system regarding a set of outcomes or
events. The requirement for trust is not a lack of power but lack of knowledge. Trust in systems
provides a means of understanding the causes of change, controlling the effects of change and
regulating the impact of change.
5 The term ‘temporal and spatial displacement’ is used here in the context of the increasing
international movement of capital as a product of time-space compression (Harvey, 1990) or
time-space distanciation (Giddens, 1990).
6 The term accounting is used here to describe a ‘regulated institutional process, a constructed
model . . . for reporting and communicating the impact of temporal and spatial displacements
on economic activity and associated regimes of accumulation’ (see Boczko, 2000).
2 Systems thinking: understanding the connections
Introduction
The business environment is a complex and often chaotic collection of interrelated social
institutions. A collection of social institutions that not only have an unpredictable and
somewhat uncertain future but, more importantly, a complex and rather chaotic historical
evolution – an evolution that has been overwhelmingly influenced by the changing patterns
and nature of modern society, especially the emergence of contemporary capitalism as a
dominant social force in the late 19th and early 20th centuries.
Characterised by a group of closely interrelated institutions/systems, modern society
has (as suggested in Chapter 1) become (or at least is perceived to have become) increasingly
global and as a consequence evermore risky, volatile, uncertain and unpredictable.
Yet whilst it is important to realise that the business environment is an intrinsic product of
modern society, and has as such become fashioned by the changing patterns of society,
it is also important to recognise that society has itself become a product of the ever-changing
whims and desires of the marketplace in the late 20th and early 21st centuries
inasmuch as the constitutive dimension of nearly all social change has become market-based
economic power, that is market-based capitalism.
This chapter provides a discussion of the changing nature and proactive involvement of
regimes of capital accumulation/wealth maximisation and market-based economic power
within a contextual review of systems thinking, and explores a range of systems ideas commonly
assumed to be underpinning notions of contemporary accounting information systems.
It provides a critical review of their implication on and contribution to understanding not
only the function, nature and context of market-based corporate organisations, but also the
contemporary role of corporate accounting information systems in the management of such
organisations. In addition, problematic issues inherent in the use of soft and hard systems
methodologies in conceptualising corporate accounting information systems are also explored.
The aim of this chapter is not only to ascertain the key features of systems thinking1
but, more importantly, to explore why such thinking has become fundamental not only to
contemporary capitalism but to business organisations.
Learning outcomes
This chapter explores a wide range of issues related to contemporary systems thinking
and provides an introduction to how systems thinking has been, and indeed continues to
be, an increasingly important framework in understanding the evermore dynamic and
chaotic business world.
By the end of this chapter, the reader should be able to:
• define a system and describe the main features of systems thinking,
• distinguish between soft systems and hard systems,
• critically comment on the importance of systems thinking to contemporary capitalism
and wealth maximising organisations,
• illustrate an awareness and understanding of systems terminology, and
• describe and critically evaluate from a systems perspective the key socio-political factors
that constrain wealth maximising organisations.
Before we explore the main theoretical and somewhat abstract features of systems thinking,
it would be useful to offer some context to our discussion – to explore the bigger picture so to
speak, and provide some understanding of why such thinking has become central not only to
a modern society entrenched within a market-based philosophy of competition and wealth
accumulation, but more importantly corporate organisations in their search for profit and
wealth maximisation.
Perhaps a useful starting point would be modern society or to use a more appropriate term
often used by political economists, sociologists and other social scientists – ‘modernity’.
So, what do we mean by modernity and why is it important?
What is modernity?
This is one of those really big questions that has many possible answers. In its broadest sense,
modernity refers to the modes of social organisation which emerged in western Europe from about
the 17th century and which have subsequently developed throughout the world – the key forces
in this global spread being the hegemonic social, economic and political power of western Europe
in the late 17th and early 18th centuries. At the core of modernity was, and still is (assuming we
believe we live in a modern, and not as some sociologists would suggest, in a postmodern society),
the prospect of limitless advancement in science and technology, of limitless improvement in
moral and political thought, and of limitless rationalisation and economic gain.
Whereas a politician may view modernity or modern society from a purely institutional
context, in terms of the changing cartographies of electoral power and increasing global
democratisation, a liberal economist may view modern society as merely a combination of interrelated,
interdependent, interacting marketable resources, a society governed by the supply of and
demand for economic resources, and a sociologist may view modern society in terms of its
social stratification, the distribution of cultural characteristics within society and/or the uneven
distribution of political/economic power.
So what does the modern in modernity and modern society really mean? Berman (1982)
suggested that to be modern and hence part of modern society (and modernity) was:
to find ourselves in an environment that promotes adventure, power, joy, growth, transformation
of ourselves and the world – and at the same time that threatens to destroy everything
we have, everything we know, everything we are (1982: 15).
What this illustrates is the contradictory nature of modernity – that modern society is not
only fragmented, ephemeral and chaotic, but also enduring, complex and ever-changing – full
of choice but also full of control – full of variety.
Given this complex multiplicity, we could clearly define modern society using a range of
different criteria, for example in terms of cultural demographics, economic wealth, ecological
sustainability, political arrangements/institutions, and/or territorial/geographical associations.
For our purposes, however, we will simply define modern society (see Giddens, 1990), or
modernity, as a collection of four fundamentally interrelated institutions/processes (to use
systems terminology – but more of that later), these being:
• market capitalism – that is the market-based process of wealth accumulation in the context
of competitive labour and product markets,
• state management – that is the governmental/legislative framework through which the control
of social and organisational institutions is exercised,
• industrialism – that is the constructed institutional processes purposefully designed to
develop and maintain a created environment, and
• surveillance – that is the process of information control and the concept of social supervision.
Whilst such sociological terminology may appear a little too abstract for what is essentially a
discussion on systems thinking – perhaps a more business approximation of each of the above
would be a form of PEST analysis, that is:
• the political environment – the nation state,
• the economic environment – market-based capitalism,
• the social environment – processes of surveillance, and
• the technological environment – industrialism.
Clearly, such a simplistic definition of modernity has many limitations.
Society is undeniably much more complex, undeniably much more obscure. In reality it
cannot be sub-divided into simple semi-autonomous institutions/processes. Not only are such
interrelated institutions/processes ephemeral and transitory, but their relationship is neither stable
nor permanent. Modern society is always changing – for better or worse. It is both transient and
chaotic. We live in a world in which social and institutional connections are continually being
reorganised, in which relationships are constantly being reclassified, and, in which institutional
expressions of power and control are frequently being redefined.
We live in a society in which the only certainties in life are change and uncertainty (see
Article 2.1).
It is this issue of change, not only in the structure and organisation of social and economic
activity, in particular within market-based systems, but also in the interrelationships between
institutions/processes, that is of importance. However, before we look at why this is the case,
perhaps it would be useful to explore briefly why such changes occur and more importantly the
possible consequences/effects of such changes.
Article 2.1
‘Complexity is the world we live in. People still think it isn’t. People still think that when they go to
a supermarket and buy a pound of meat it’s exactly the same thing they used to do 30 years ago when
they went to a shop up the road. In no respect is it the same. The meat has gone through the hands
of 75 different people. It might be a French sheep, slaughtered in Belgium, butchered in Germany, part
sent to Saudi Arabia and part sent here.

‘I blame the training of today’s managers. They’ve not been trained to think about robustness
and stability. They’ve been trained to think about efficiency. Efficiency, to a modern manager, means
that every conceivable component is just about to break down.

‘The big problem here is reductionist managers operating with a complex system as if it was
simple.’

In complex Britain, a problem can not only spread rapidly, as it has with foot and mouth disease, but
problems can be compounded by other problems. In the Scottish Borders, where snowfalls have been
so deep that they have been compared with the savage winter of 1947, many farmers postponed
deliveries of feed and fuel and didn’t clear the snow from their roads as normal because of fear of
infection. Now, with electricity supplies cut off by the weather, many are in desperate need for fuel for
emergency generators – but the snow is still blocking their roads.

The speed and efficiency of the rescue operation around the Selby crash was an example of complexity
at its best. The reason why the car and its trailer came off the motorway are not yet known. But the
conjunction of the country’s fastest rail line and one of its major roads were ultimately summoned up by
our demand for speed and efficiency, our impatience with delays and hitches.

‘We’re a very intolerant society nowadays,’ says Andrew Porteous, professor of environmental science
and technology at the Open University. ‘We expect instant perfection. You see it everywhere. People have
a fit when their computer crashes. They don’t expect it to happen.’

In low-tech societies, such as Britain in the past, or parts of the developing world today, societies
tend to take a more fatalistic attitude to disasters and crises. It doesn’t protect them from destitution or
suicidal despair. Nor does it stop them doing everything they can to put things right. If we have become
impatient with technology which might as well be magic to us, people such as the cattle-herding Fulani
of Nigeria and Cameroon make no distinction between magic and technology when they are seeking to cure
their livestock.

The Fulani have a wealth of ancestral veterinary knowledge to fall back on – they practise a form of
vaccination against foot and mouth disease in their cattle, for instance – but also go to wise men who,
they believe, might cure their beasts by picking out good verses from the Koran.

Their low-tech world leaves them and their livestock vulnerable to a host of diseases such as rinderpest
and HIV. They are at the mercy of the weather. At the same time, they are less reliant on technology they
don’t understand; they may have radios and bicycles, but they don’t depend on them. The lack of a media
blanket such as the one covering Britain means that a tragedy that affects one group has little impact on
another 50 miles away. The lack of functioning African governments means that compensation and inquiries
are not expected.

‘Here there’s the expectation of a safety net arrangement, of society owing something to them,’ says Phil
Burnham, professor of social anthropology at University College, London, who has worked with the Fulani.

‘Out there, they may feel their kin owe them help in times of crisis, but there’s no one else they can turn
to, other than to pray.’

In spite of the small backlash from environmentalists and anti-globalism protesters, compared to the
Fulani, we remain wedded to progress, demanding of efficiency, and condemning when something goes
wrong. We’re hooked on complexity.

‘The classic difference between peoples like the Fulani and a modernist society like ours is that we
believe things are going to get better, that we’re going to continue to develop new technologies, knowledge
and science,’ says Prof Burnham.

‘If something happens to suggest things aren’t going to get better, somebody immediately starts blaming
somebody, because there’s a faith that science should be able to sort it. The idea that there are things
we don’t know about, or beyond our control – that’s not a part of the modernist orientation. In so-called
traditional societies, they think there are things you can’t control. You can’t just invest more money and
get a breakthrough. Things aren’t always going to get better tomorrow.’

Source: The Guardian, 1 March 2001, www.guardian.co.uk.
In a societal context, the causes of social change, certainly in terms of modernity, can be
divided into two distinct (but closely interrelated) groups, these being:
Clearly, whilst the latter has gained in importance, the former, although remaining significant,
has nonetheless diminished in its consequence.
As suggested earlier, whilst the effects/consequences of such causes continue to remain both
unpredictable and uncertain, some of the effects have been, (and indeed continue to be):
• social space – that is the geographical area of business and trade, and
• social time – that is the speed, nature and context of business and trade.
It is therefore perhaps not surprising that the history of technological and organisational
innovation has become synonymous with the search for increasingly more profitable regimes
of wealth accumulation to such an extent that the singular, overarching motivating force in
contemporary modern society has become market-based capitalism – that is the search for
profit and the accumulation of capital (Harvey, 1990). See Articles 2.2 and 2.3.
Article 2.2
equivalents across the country, who will work with companies on anything from building an effective
website to getting the right purchasing software. UK Online for Business is also developing tools to help
businesses take up and maximise the use of technology. The E-business Toolkit outlines e-business models
and the Benchmarking Tool allows companies to measure their progress against similar companies.
The planning tool, Be Online for Business, also offers practical and tailored advice on how to create and
apply a realistic e-business strategy.

Many small and medium sized companies in the UK are already harnessing the benefits of new technologies.
We are keen to reward that innovation. This year marks the fifth annual E-commerce Awards, set
up to celebrate organisations that are successfully using new technologies to improve their business.
Since their inception, we have seen rapid growth in the number of entrants; in 1999, 236 companies applied
to the scheme. This grew to a massive 1,683 entries in 2002. As the awards have evolved to respond to
changing business needs and new technologies, so the quality of entries has improved.

Back in 1999 the awards were focused on the use of internet and electronic trading applications. The
2003 awards will focus on the key ICT issues affecting organisations today. Truly e-enabled companies
are those that have integrated ICT throughout their business.

E-business offers real benefits to small companies – allowing better and faster communication, improving
efficiency and opening up new markets. With new technologies behind them, smaller businesses can
succeed in an evermore competitive marketplace.

Source: The Guardian, 29 May 2003, www.guardian.co.uk.
Article 2.3
understand the impact of technology, we have to get involved in this kind of project. The research will be
available to all IT firms, allowing them to develop and market their products better.’

The rapid pace of change and the shifting nature of public attitudes has left question marks over
whether the project will ever establish the true impact of technology.

But, Will Hutton, the Industrial Society’s chief executive, said: ‘We have to try. There is no doubt in
my mind that the impact of information and communications technology over the next 10 to 15 years is
the critical social and economic question of our age.’

Most see benefit of innovation
• Around 50% said technology had actually increased the number of friends they had, and 60% said
email, the internet and mobile phone technology meant they communicated more often with friends
and family.
• Almost 90% believed technology had increased opportunities.
• Around 50% of respondents said technology had helped fight crime and 50% said it had improved
healthcare. But almost 40% said it had increased inequality and less than 30% said it allowed them
more free time.
• Only 20% agreed that the world would be a better place without computers and mobiles, but
over 70% said technology had made life busier and less than 30% said work had become more
flexible.

Source: Stuart Millar, The Guardian, 16 March 2001, www.guardian.co.uk.
And there lies the problem! Whilst some parts of contemporary society have clearly benefited
from the growth in market-based capitalism (e.g. some western European countries, the USA
and commonwealth countries), other parts have not (e.g. some south-east Asian countries and
many central and north African countries). The success of such change – the ongoing search
from growth for profit and shareholder wealth – has often been achieved at some social and
political cost. But why?
Although capitalism (as a social system) is no more than an abstract social construct, it can
nonetheless be defined in many ways. For our purposes we will define capitalism (see Chapter 1)
as a system in which individuals or combinations of individuals compete with each other to
accumulate wealth. More importantly, as a social system, we will characterise capitalism as a
diverse construct comprising a range of alternative forms of commodity/service exchange
(that is production, distribution and exchange) within a market-based supply and demand
economy, the key elements being:
• the existence of private property ownership – including the right to exclusive control, the
right to benefit and the right to disposal,
• the right to free pursuit of profit/wealth accumulation, and
• the existence of a free (or at least partially free) market mechanism for the determination
of exchange prices.
But why is this relevant? Clearly, as a social process of commodity/service exchange in which all
the advanced economies of the world have become implicated and involved, contemporary
capitalism has been, and indeed continues to be, constrained by few discernible physical, political
or technological boundaries. Nevertheless, as an invasive element capitalism is neither permanent
nor stable. It is ephemeral, transitory and seemingly apathetic towards socio-culturally determined
political, social or economic restrictions and regulations with a history which is less a
predetermined timetable of predictable events and more an open contest of crisis and chaos.
It is, and perhaps has always been, a system founded on the speculative determination of
profitable activities – new products and markets, new technologies, new spaces and locations,
and new processes of organisation and control. Consequently, no matter how erratic, unstable,
ambiguous, uncertain, and/or risky the process may appear to be, at the heart of capital’s distinctive
historical geography is the single-minded desire of its dominant market-based institutions,
networks and alliances to accumulate further wealth in ever-increasing proportions.
More importantly it is this desire – the desire to ensure and maintain the deliberate transformation
of the very society within which it is embedded – that charms and disguises, creates
and destroys needs and wants, exploits desires and fantasies, and transforms both time and space.
Indeed, the social/economic history of market-based capitalism is littered with fraught attempts
at identifying, minimising and where possible alleviating, if only temporarily, the causes of these
crises of wealth accumulation, not only on a corporate level, but more importantly on a national
and international level.
Clearly, whilst history may seem to counsel caution, capitalism’s inherent nature of speculative
profitability – a process founded on the notions of opposition, rivalry and market competition
– is responsible for generating its ever-present and ever-increasing crisis of accumulation; a
crisis for which there exists but a few possible, albeit severely limited, responses. It is this
central anathema of capitalism – the contradictory nature of its very substance – that is of
great importance to the study of organisational systems generally, and corporate accounting
information systems specifically.
The increasingly risky and turbulent search for profit seemingly produces the very crisis
of accumulation it seeks to escape; a search in which contemporary accounting information
systems as constructed organisational systems have been and indeed continue to be clearly
implicated. Indeed, it is the inherent contradictions of capitalism, its expansionist nature, its
endless and incessant reorganisation of regimes of accumulation, that companies have increasingly
sought to proffer solutions and strategies that have become more and more dependent
on the created representations generated from corporate accounting information systems. See
Article 2.4.
Article 2.4
capitalism. Even in the toughest situations, there is little interest in returning to the past.
‘The more open the Russian economy is to the rest of the world, the better,’ says Yevgeny
Gavrilenkov, an architect of President Vladimir Putin’s economic plan.
RETHINKING. Yet it would be a grave mistake to dismiss the uproar witnessed in the past few
years in Seattle, Washington, D.C., and Prague. Many of the radicals leading the protests may be
on the political fringe. But they have helped to kick-start a profound rethinking about
globalisation among governments, mainstream economists, and corporations that, until recently,
was carried on mostly in obscure think tanks and academic seminars.
This reassessment is badly overdue. In the late 20th century, global capitalism was pushed by
leaps in technology, the failure of socialism, and East Asia’s seemingly miraculous success. Now,
it’s time to get realistic. The plain truth is that market liberalization by itself does not lift
all boats, and in some cases, it has caused severe damage to poor nations. What’s more, there’s
no point denying that multinationals have contributed to labor, environmental, and human-rights
abuses as they pursue profit around the globe.
For global capitalism to move into the next stage will require a much more sophisticated look at
the costs and benefits of open markets. To assess these increasingly important trade-offs,
Business Week sent more than a dozen reporters around the world, from the deserts of Chad to the
factories of Guatemala, to witness firsthand the effects of global capitalism. They met workers
who toil 16 hours a day for miserly pay making garments sold in the U.S. as well as villagers who
want oil companies off their land. But they also talked to factory laborers who have seen big
gains in their standards of living as well as creative bureaucrats who have used markets to coax
growth out of once moribund economies.
The overwhelming conclusion of this reporting is that there are many examples of where reckless
investment has done harm – but there is no case where the hazards can’t be addressed with better
government and corporate policy. The real question isn’t whether free markets are good or bad. It
is why they are producing such wildly different results in different countries. Figuring out that
answer is essential if businesses, government leaders, and workers are all to realize the
benefits of global markets.
The extremes of global capitalism are astonishing. While the economies of East Asia have achieved
rapid growth, there has been little overall progress in much of the rest of the developing world.
Income in Latin America expanded by 75% during the 1960s and 1970s, when the region’s economies
were relatively closed. But incomes grew by only 6% in the past two decades, when Latin America
was opening up. Average incomes in sub-Saharan Africa and the old Eastern bloc have actually
contracted. The World Bank figures the number of people living on $1 a day increased, to
1.3 billion, over the past decade.
The downside of global capitalism is the disruption of whole societies, from financial meltdowns
to practices by multinationals that would never be tolerated in the West. Industrialized
countries have enacted all sorts of worker, consumer, and environmental safeguards since the turn
of the century, and civil rights have a strong tradition. But the global economy is pretty much
still in the robber-baron age.
If global capitalism’s flaws aren’t addressed, the backlash could grow more severe. Already, the
once impressive forward momentum for new international free-trade deals has been stopped cold. An
ambitious Multilateral Agreement on Investment, which would have removed all remaining
restrictions on cross-border investment by corporations, fizzled last year. So have hopes for a
new global trade round through the World Trade Organisation. In the U.S., Congress has refused to
give the President fast-track authority to strike new trade deals.
The longer-term danger is that if the world’s poor see no benefits from free trade and IMF
austerity programs, political support for reform could erode. The current system is
‘unsustainable,’ says United Nations Assistant Secretary General John G. Ruggie, who, as a
political economist at Columbia University, examined how previous golden ages of global
capitalism, such as the one at the turn of the 19th century, unraveled. ‘To survive,’ says
Ruggie, ‘it must be imbedded in broader social concerns.’
NAIVETE. It all adds up to a breakdown of what was known as the Washington Consensus. The
grandiose term refers to a world view pushed aggressively by the U.S. Treasury, the IMF, and the
World Bank in the early 1990s. This dictum held that all countries should open their markets to
trade, direct investment, and short-term capital as quickly as possible. The transition would be
painful, but inevitably, markets would achieve equilibrium, and prosperity would result.
In hindsight, it was a naive and self-interested view. Free capital markets, which have proved
the most disruptive part of the formula, were largely championed by Wall Street – which saw new
trading opportunities
– over the objection of many economists. To be sure, developing nations badly needed to import
capital and foreign financial knowhow to keep growing. But many nations simply couldn’t handle
the inflows. The results were huge white-elephant industrial and property projects that devoured
funds and foreign-currency debt bombs that started exploding in 1994, first in Mexico and later
in East Asia.
A more realistic view is now gaining hold. It begins with a similar premise: that trade and
inflows of private capital are still essential to achieving strong, sustainable growth and to
reduce poverty. But it acknowledges that multinationals – which account for the bulk of direct
cross-border investment and one-third of trade – have social responsibilities in nations where
the rule of law is weak. And it dispenses with the erroneous notion that open markets will
magically produce prosperity in all conditions. Even the IMF now warns that a high degree of
openness to global capital can be dangerous for some development. ‘The IMF push for
capital-market liberalization for all nations was driven by financial-market ideology,’ says
former World Bank chief economist Joseph E. Stiglitz, now a vocal IMF critic. ‘They have conceded
defeat, but only after the damage was done.’
Even the orthodoxy that developing countries should quickly lower import barriers and slash the
state’s role in industry is being challenged. Before trade and foreign capital can translate into
sustainable growth, governments first must deliver political stability, sound economic
management, and educated workers.
NOT SO FAST. East Asia’s Tigers had many of these features when they began their export drives;
most of Latin America and Africa did not. ‘To get the benefits of trade and capital flows, you
need a broader base of development,’ says Dani Rodrik, a Harvard University economist whose
research has raised hackles by suggesting that there is no automatic link between openness and
growth in developing countries.
The search for a more intelligent approach to globalisation is most evident within the developing
nations themselves. Russia is only now starting to recover from the massive corruption, capital
flight, and economic collapse of the 1990s. Putin’s government plans to continue market reforms
and wants to join the WTO. But its blueprint also calls for strengthening the legal system and
control of the financial sector. ‘There’s an emphasis on long-term plans for economic development
instead of the haphazard, piecemeal policies of the pre-crisis years,’ says Mikhail Zadornov, who
was finance minister under Boris Yeltsin.
A similar view is forming in Romania, whose economy has contracted by 14% since 1996. The only
way to achieve growth, says opposition Social Democracy Party legislator Adrian Nastase, is to
make Romania more attractive to foreign investment, boost exports, and work with the IMF and
World Bank. But he’s also wary of importing pat formulas. ‘We have been told that small is
beautiful. We have been told to privatize as fast as possible. We have been told many things,’
says Nastase, who is expected to be Romania’s next prime minister. ‘But the teachers are changing
the contents of the schoolbooks.’
Some countries face such immense challenges that it could take a decade before they benefit from
lifting trade and financial barriers. Despite considerable liberalization, growth in sub-Saharan
Africa has fallen from 3.5% in the 1970s to 2.2% in the 1990s. And foreign investment is
negligible. ‘Companies have nothing against Africa,’ says U.N. Development Program economist
Salim Jehar. ‘It’s that stability, infrastructure, and skills are not there.’ The only way for
sub-Saharan Africa to begin digging out is for foreign creditors to forgive most of its debt,
which consumes some 40% of export revenue. Then, it must somehow attract massive infusions of
private investment.
Just as there are no one-size-fits-all policies for economic development, there also are no clear
roadmaps for corporate behavior. Balancing growth with environmental and labor regulations is
wrenchingly complex in countries where people live on the margin. Many poor nations fiercely
resist discussion of labor or environmental issues in the WTO because they fear the process will
be hijacked by Western protectionists: The feeling is that Western unions will shield jobs at
home by imposing standards that drive up labor costs in emerging markets to levels where
developing nations can’t compete. ‘It’s hypocrisy of the first sort for the West to talk about
opening borders and then hide behind barriers,’ says Indian economist Surjit Bhalla.
The result, however, is confusion. At a time when image is paramount, corporations are besieged
with activists who harangue executives at shareholder meetings, organise consumer boycotts, smear
their brand names on the Web, and pressure creditors and shareholders alike. To allay critics,
companies such as Nike, Mattel, Levi Strauss, and Royal Dutch Shell Group have drawn up their own
guidelines and invited monitors to ensure that they live up to them.
‘People’s expectations of the social and environmental role of businesses have absolutely changed
in the past five years,’ says Aron Cramer, vice-president
of San Francisco’s Business for Social Responsibility, which advises the Gap Inc., General Motors
Corp., and other companies on their practices abroad. ‘If there’s a problem in a company’s global
supply chain, all it takes is one modem in Indonesia to alert the world about it.’
But altering business practices to appease pressure groups can also hurt more than help the
impoverished if they are done hastily. For example, soon after a bill was proposed in the U.S.
Congress in 1993 to ban imports from countries where children work in factories, garment makers
in Bangladesh fired 36,000 workers under age 18, most of them girls. Studies by the International
Labor Organisation and Unicef found that few of the fired workers ended up in school. Instead,
many took more dangerous jobs or became prostitutes. ‘Instead of just throwing children out of
work, you first must address the underlying economic conditions,’ says Nandana Reddy, director of
India-based Concern for Working Children.
Partly to avoid having extremists set the agenda, efforts are now under way to clarify the rules.
In May, the U.N. kicked off a program called Global Compact. The idea is to get multinationals to
endorse a set of basic human rights, environmental, and labor principles, and allow private
groups to monitor their compliance. So far, some 44 companies, including Shell and Nike, have
signed up.
SANCTIONS. Because industry self-regulation schemes lack real teeth, critics dismiss them as
merely public relations. But such pacts are beginning to form the basis of a kind of global
capitalism with rules. There already are international agreements on intellectual-property
rights, prison labor, and trade in endangered species that allow countries to bar imports from
violators.
As the costs of consumer boycotts and monitoring rise, companies and their investors are likely
to look toward more uniform standards of behavior. But make no mistake: It’s unlikely that anyone
would agree to an international central bank policing the capital markets or world legislatures
and regulatory agencies enforcing good corporate behavior. The new rules of global capitalism
will evolve slowly, in pieces, and with varying degrees of success.
A serious discussion on globalisation has begun. Until now, it has been dominated by extremists
on both sides – anti-globalism radicals and dogmatic free-marketers. ‘At each end of the spectrum
are ideologues who are pushing agendas unrelated to reality,’ says World Bank development
research director Paul Collier. ‘It has been a dreadfully silly debate.’
A decade ago, when much of the world was still clinging to various brands of wealth-destroying
socialism, it may have made sense to push rigid doctrines. But the battle for market-driven
economics has been largely won. And the flaws of trying to force every country into the same
template have become clear. To take globalisation to the next level, it is time to forge a more
enlightened consensus.
Source: Pete Engardio (Washington) and, Catherine Belton (Moscow), 6 November 2000,
Business week online www.businessweek.com.
economics and politics, with the economic emphasis often reducing the political and institu-
tional arrangements to contingent products of the dominant market mechanism. Secondly, the
neo-Schumpeterian approach considers social and institutional change to be ‘techno economic’
where the evolution and effectiveness of social institutions rests on the development and adapta-
tion of technologies. Although partially true, such a focus nonetheless reduces the impetus for
social change to a form of technological determinism reminiscent of Kondratiev’s ‘long wave’
theories. Thirdly, the disorganised capitalism thesis of Lash and Urry (1987) perceives transition
as a growing disorganisation of contemporary capital emerging out of the material conditions
associated with the powerful structure of class politics.
Contemporary regulation school thinking adopts a very systemic approach, contextualises
change to be a consequence of interaction and perceives capitalism as being dependent on two
interrelated institutions – regimes of accumulation, and modes of regulation.
Regimes of accumulation refer to set(s) of regularities at the level of the whole economy that
enable rational processes of capital accumulation to occur, and include norms relating to pro-
duction and management, forms of exchange, principles of wealth accumulation, and patterns
of consumption and demand.
Modes of regulation refer to the social/institutional rules and regulations which ensure/secure
capital accumulation. They consist of formal or informal rules that codify the main social
relationships and include institutions and conventions which reproduce a given accumulation
regime through law, state policy, political practices, codes of practice, rules of negotiation and
bargaining, culture of consumption and social expectations.
Regulation school thinking perceives social markets to be institutions encompassed by other
limiting institutions, in which interaction is subject to principles of reciprocity and cooperation.
More importantly, regulation school thinking encapsulates a holistic view inasmuch as it insists
any analysis explores the total package of relations and arrangements that contribute to the
accumulation of wealth. It is therefore essentially a systemic framework of analysis that provides
a useful mechanism for understanding:
• the complex nature of change in the context of a continuing crisis of accumulation, and
• the impact of that change on regulated social institutions.
Indeed, in explaining the paradox within capitalism, its tendency towards crisis and its ability to
stabilise within the context of a set of institutional norms, regulation school thinking acknowledges
the importance of historical processes, locating the systemic coherence of capitalist development
on a number of key concepts. In characterising the development of market-based capitalism by
specific forms of regimes of accumulation and modes of regulation, regulation school thinking
views the hegemonic structure – the structure that describes the historical connection between
regimes of accumulation and modes of regulation – as a result of a process of conflictual his-
torical evolution, a process moulded by the social and economic impact of discrete phases of
time–space compression or, more importantly, the impact of technology on society.
But what has all this to do with corporate accounting information systems?
Firstly, what the above clearly illustrates is that economic power, or market-based capitalism as the
dominant social system, is extremely volatile, highly competitive and due to its inherent risk and
instability, modulates from crisis to crisis. In so doing, it possesses a tendency to create ‘protective’
bureaucratic structures to surround the created processes of wealth accumulation. Indeed the
company structure – the organisational structure at the centre not only of contemporary
market-based capitalism but more importantly much of the discussion that follows in this book –
primarily arose out of the social and political consequences of the changing nature of capital.
Secondly, as an increasingly complex social system, a social system populated by ever more
complex and bureaucratic organisational structures, market-based capitalism (perhaps a more
accurate description would be the institutions and organisations that comprise the marketplace)
requires ever more complex regulation and socio-political intervention, not only to ensure
increased accountability, transparency and control but, more importantly, to ensure market
efficiency, especially pricing efficiency, although such intervention is also designed to promote
both operational and allocational efficiency.8
Such demands, whether a product of government intrusion and/or market-based conscience,
nonetheless promote a greater dependency on systems – a trust in systems – in order that:
• governments ensure adequate regulatory control of an increasingly complex marketplace is
maintained, and
• market regulators ensure an appropriate level of market confidence is maintained in extant
regulatory procedures.
So what have been the main implications of this increasing trust in systems?
In addition, the increasing complexity and associated business risk and uncertainty inherent
within contemporary market-based capitalism has promoted an increase in the use of/demand
for expert knowledge systems, and an increased emphasis on virtual/fictitious information –
a demand for more and more intricate descriptions of the consequences of contemporary
market-based decisions.
In combination, each of the above has resulted in a progressive increase in the use of:
• systems thinking – to understand how a business organisation operates within a changing
business environment, and
• information models – to communicate how well the business organisation is operating in a
relative sense compared to the rest of the business environment.
And because the key motivating force in contemporary society is market-based capitalism –
wealth accumulation, with all its associated risks and uncertainties – what we can say with some
degree of certainty is that the key system of knowledge in today’s often chaotic business environ-
ment is accounting information – central to whose construction is an understanding not only
of what inter-relationships exist, but more importantly how they interact.
Systems thinking
Finally we have arrived, albeit with a few minor but nonetheless relevant diversions, at our
consideration of systems thinking. So what is systems thinking?
Systems thinking is a contemporary interdisciplinary study – a study of organisation and
relationship, independent of any substance, type, spatial or temporal scale of existence. Such
thinking seeks to investigate:
• the principles common to all complex entities, and
• the models (often mathematical in origin) which can be used to describe them.
With its origins in biology, systems thinking was first proposed by the biologist Ludwig von
Bertalanffy (1936) as a reaction to what von Bertalanffy viewed as the reductionism of
contemporary science. Von Bertalanffy sought to emphasise the holistic nature of real systems. He
sought to emphasise that real systems are open to, and interact with, their environments, and
as such can acquire qualitative properties through processes of acquisition, adaptation and
change – processes of emergent evolution.
Rather than reducing an entity, organisation or institution, or process, to the properties of
its constituent parts or elements, systems thinking focuses on the arrangement of and relation-
ships between the parts which connect them into a whole. This idea of looking at the whole is
a concept commonly referred to as holism – a concept that has enormous consequence in
contemporary financial reporting issues.
Since it is the particular set of relationships and/or organisation that determines a system,
independent of the concrete substance of the system’s elements, the same concepts and
principles of organisation can be, and indeed have been, used to analyse and explore issues from
an eclectic range of disciplines (e.g. sociology, economics, physics, biology, information
technology and many more). Indeed, nearly 70 years after von Bertalanffy’s proposition, systems
thinking has evolved into a situation where systems thinking and its terminology have become
not only integrated into common business language but everyday language – for example,
health care system, family system, social system, human systems, information systems, banking
systems, political systems.
Clearly, whilst each of the above types of system possesses a range of common relational
elements, they nonetheless represent an enormous diversity – a diversity founded on, for
example, varying degrees of humanism (objectivity/subjectivity) and/or varying degrees of
predictability and stability. A diversity which can be categorised as ‘hard systems’ thinking and
‘soft systems’ thinking.
For our purposes we will use the framework developed by Burrell and Morgan (1979) which
is constructed on two simple dimensions/criteria:
• an ontological dimension, that is a subjective/objective criterion, and
• an ethical/contextual dimension, that is a change criterion or a scale ranging from radical
and chaotic change to regulation and stability.
Within the ontological dimension, a subjective view/assumption would perceive social reality/
system to be the product of an individual and/or a shared consciousness, whereas an objective
view/assumption would perceive social reality as having a hard objective, externally determined
existence separate from the individual.
Within the ethical/contextual dimension, a sociology of regulation would perceive social
reality/system to be based on consensual agreement with stability achieved through discussion
and cooperation, whereas a sociology of radical change would perceive social reality as
containing widespread contradictions and conflict, with cohesion existing as a consequence of one
group’s domination over another.
Whilst such a framework neither implies nor distinguishes between:
• a social reality/system whose purpose/meaning is provided by society or an individual (or
group of individuals) – that is a perpetuity/mechanistic explanation, or
• a social reality/system whose progress and purpose are externally imposed as a doctrine of
final causes – that is a teleological explanation,
it does provide a structure within which two broad categories of systems (or views of social
reality) can be identified:
• a hard systems view or hard systems thinking, and
• a soft systems view or soft systems thinking.
Within a hard systems context Burrell and Morgan (1979) identified two views (see Figure 2.2):
• the functionalist view perceives social reality/systems to be real, external to the individual,
structured, purposeful and stable. (Individuals are regarded as no more than a component
part, with understanding based on identifying relationships and regularities.)
• the radical structuralist view perceives social reality/social systems to be real, structured but
generally unstable. (Again human intention is secondary; however, understanding is based
on identifying contradictions, irregularities and conflict.)
Within a soft systems context Burrell and Morgan (1979) identified two further views of social
reality/systems:
• the interpretive view which perceives social reality/systems to be humanist, interpretive in
nature and based on consensual intention and free will, but nonetheless stable, and
• the radical humanist view which perceives social reality/systems to be humanist, creatively
constructed and as such interpretive in nature, but generally unstable with arrangements and
relationships as transient and subject to continuing change.
But what is the importance and relevance of this distinction to corporate accounting information
systems? Accounting in general, and accounting information systems in particular, are often
viewed as hard systems, as functionalistic, structured, purposeful, specific and stable. However,
nothing could be further from the truth!
Clearly, financial statements are socially constructed and politically created statements.
However, more importantly, the human interface that is ever present in corporate accounting
systems, the choice, the flexibility, and the interpretive nature of accounting standards and
regulations used in the preparation (and creation) of such financial statements, all result in
unstable and sometimes contradictory, often unpredictable outcomes.
What is a system?
As suggested in Chapter 1, there are a number of alternative definitions of a system. For example,
a system can be defined as an entity which can maintain some organisation in the face of change
from within or without, or more simply as a set of objects or elements interacting to achieve a
specific goal.
For our purposes we will define a system as a complex of directly and indirectly related
elements which operate to attain a goal or objective, in which the goal or objective is often used
as the key controlling element, the function of the system being to convert or process energy,
information or materials into a product or outcome for use inside the system, outside the
system (the environment), or both.
Furthermore, we will assume three key groups of ideas. Firstly, all systems, whether hard
and/or soft, have a number of common elements (see Figure 2.3):
• input,
• throughput or transformation process,
• output,
• an external environment and boundary,
• control,
• feedback and, where appropriate, feedforward, and
• a goal and/or objective.
Secondly, we will assume that all the systems possess the following fundamental, if somewhat
generic, characteristics:
• all systems consist of a set of objectives and their relationships,
• all systems tend toward equilibrium (or balance),
• the constant interaction between systems results in a constant state of flux/change,
• all systems are composed of interrelated parts – that is a hierarchical system/sub-system
relationship,
• where such sub-systems are arranged in a series, the output of one is the input of another;
therefore, process alterations in one require alterations in other sub-systems,
• the parts of the system (sub-system) constitute an indissoluble whole,
• although each sub-system may be a self-contained system, it is nonetheless part of a wider
and higher order,
• each sub-system works together towards the goal of the higher system,
• the system (and sub-system) must exhibit some predictability, but some systems are very
complex and are impacted on by an infinite number of other systems, and as such can never
attain total predictability of effects,
• the value of the system is greater than the sum of its parts (or individual sub-systems),
• to be viable, all systems must be strongly goal-directed, governed by feedback and have the ability
to adapt to changing circumstances – that is exhibit properties of emergent evolution, and
• no system exists in isolation – a system interfaces with other systems that may be of a similar
or different nature.
Third, we will assume that systems exist within a range of differing levels of complexity. As sug-
gested by Wren (1994) alternative levels of complexity can be identified within systems thinking
(see Figure 2.4), these being;
Clearly, in each of the above there are a number of distinguishing characteristics. Firstly, there
is a distinction between a static system and a dynamic system. A static system is a system in which
neither the system elements nor the system itself changes much over time in relation to the
environment (e.g. level 1). A dynamic system is a system which is not only constantly changed
by the environment, but also changes the environment in which it exists (e.g. levels 4 to 9).
Levels 2 and 3 could perhaps best be described as semi-dynamic (or semi-static), since control
and influence is generally externally imposed/moderated.
Secondly, there is a distinction between an open system and a closed system.
An open system is one which is interactive with the environment, exchanging information,
energy and/or raw materials for information, goods and/or services produced by the system.
Such systems are generally self-regulating and capable of growth, development and more
importantly, adaptation. Examples of such systems would range from nature-based systems
such as the human body and other plants and animals, to created organisational systems such
as banks and financial institutions, manufacturing plants, governmental bodies, associations,
businesses and many more.
A closed system is a system which is not interactive with its environment. Fixed and often
automatic relationships exist between system components with no exchange with the environ-
ment. Such systems are generally incapable of growth or any form of development/adaptation
and as such possess a limited life. Examples of such systems would range from nature-based
systems, such as a rock as an example of the most closed type of system, to a mechanistic pro-
cess, such as an autonomous piece of manufacturing machinery, to detached social systems such
as families and/or communities that are isolated from the society and resistant to any outside
influence.
This distinction between an open system and a closed system also encapsulates what is
called the ‘principle of equifinality’. We will discuss this principle later in the chapter but for the
time being we can define the principle of equifinality as the capacity of an open system, because
of its interactive nature, to reach its final state or achieve its goal(s)/objective(s) in a number of
different ways, whereas a closed system can only achieve its final goal(s)/objective(s) or state
based on its initial conditions.
Although some social systems (and institutions) may, in the short term, appear to be isolated and
detached from their environment, such isolation is, in a system sense at least, limited. Prolonged
detachment often results in either systems failure, that is the system becomes disorganised or
entropic, or external influences intercede and the system becomes interactive with its environ-
ment, whether by choice or by imposition.
Clearly, then, the sustainability of a social system is dependent on its interactivity, that is:
• monitoring change in the environment,
• understanding the relationship between parts of the environment, and
• understanding the effects of change in the environment.
However, because all social systems are created, constructed and artificial, their interactivity is
often moderated and generally controlled, that is they exhibit characteristics of both open and
closed systems – they are semi-open (or semi-closed) systems.
A semi-open system is a system which exchanges known or prescribed inputs and outputs
with the environment: that is such systems are generally constructed and/or artificial processes and
generally regulate interaction with the environment. As a consequence such systems are capable
of sustainable growth and emergent development, where competition for limited resources may
exist. Examples of such systems would of course be the business and financial environment (see
Figure 2.5) and created social/organisational systems such as companies.
For example, for the company, prescribed inputs and outputs of resources and information
are regulated not only by legal requirements and codes of practice, but more importantly, by
market pressures of supply and demand, and internal resource constraints. Let’s look at this
notion of change a little closer.
Systems change because of an event or a series/sequence of events over time between or
within systems. Such events can and often do cause multiple events (or change) in other systems.
Where an event is a repetitive sequence, such a sequence is known as a cycle. From a system’s
perspective, cycle(s) or cycling, may be used either to retain and/or enforce balance within a
system – that is to maintain equilibrium – or to stimulate growth – that is to attain a higher level
of integration.
The attainment of a different level of integration through a series/sequence of events is
often known as spiralling – that is where there is a sequential effect as a result of a series of
events that magnifies the initial effect. Spiralling that has an increasing integrative effect is
known as positive spiralling. Spiralling that has an increasingly disintegrative effect is known as
negative spiralling.
Before we move on to a consideration of the key elements of a system, and systems thinking,
perhaps it would be useful to provide some context to this notion of system and that of events,
cycles and spiralling.
corporate stakeholders (risk minimisation), but more importantly to maximise the wealth of its
shareholders (wealth maximisation).
In a systems context, however, a company is (using a hierarchical decomposition context) merely
a complex black box whose primary goal is a ‘transformation process’ – of inputs into outputs,
of needs and desires into products and services, of market demand into market supply and, of
course ultimately, wealth creation. A collection of systems, procedures and processes whose
weltanschauung or ‘world view’ is clearly located within the latter financial contextualisation,
but nonetheless limited by the former legal contextualisation.
As with modern society, and with the financial environment, we will take a fairly simplistic
system’s view of the company (whatever the nature of the business undertaken), and contextualise
the company’s activities/procedures/processes or more appropriately cycles of operation, as
follows (see Figure 2.8):
• an expenditure system,
• a production (conversion) system,
• a revenue system, and
• a management system.
More importantly, we will consider the company to be a semi-open system seeking greater
integration within its systemic environment – that is the financial environment and ultimately
modern society.
• control – the mechanism for regulating performance to expectations, that is the activities,
  processes and procedures used to evaluate input, throughput and output in order to make
  corrections,
• feedback – information about some aspect of output that can be used to evaluate and
  monitor the system and to guide it to more effective performance,
• feedforward – information about some aspect of input that can be used to modify the system
  processing procedures and to guide it to more effective performance,
• goal/objective – the overall purpose for existence of the system, or the desired outcome of
  the system (that is its reason for being).
Input
Input can be defined as the data, energy and/or raw materials transformed by the system. Input
may be externalised, that is it is obtained directly from the system’s external environment, or
it may be internalised, that is it can be the product of or output from another sub-system within
the system’s environment.
Transformation process
The transformation process is the function or purpose of the system, that is the process or
processes used by the system to convert data, raw materials or energy from the environment
into information, products and or services that are usable by either the system itself or by the
environment.
Output
Output can be defined as the information, product and/or service which results from the system’s
transformation process. Output may be externalised, that is it is generated for and delivered
directly to the system’s environment, or it may be internalised, that is it is the product/input of
another sub-system within the system’s environment.
Boundaries
The system’s boundary is a functional barrier that exists between systems (or sub-systems), a
line or a point where a system or sub-system can be differentiated from its environment, or
from another sub-system, or set of sub-systems. A system’s boundary can of course take many
forms – it may be rigid or permeable, tangible or intangible, physical or virtual. Nonetheless it is
essentially a specified demarcation that enforces a limit within which the elements/components/
attributes of a system and their interrelationships can be explained. That is the system’s boundary
is that which defines the system.
For example, in many biological, geological and created mechanical/physical systems, such
system boundaries are often tangible and readily identifiable – a membrane surrounding
a biological organism, a physical border between two countries or the body/shell of a motor
vehicle. In many sociological and socio-political systems, however, such boundaries tend to be
intangible and often virtual in nature, and as such often difficult to identify. More importantly,
such systems may possess many alternative boundaries that may be in a constant state of flux as
a result of changing environmental conditions. For example, what is the boundary of a company
– that is at what point does an employee enter the company in a systems context? Is it when the
employee crosses the physical boundary that separates the company premises from the outside
environment? Or is it when an individual becomes an employee of the company?
Environment
The system’s environment is that which is external to the system.
A system environment could be described not only as all those objects, elements, components
and attributes not in the system, but more importantly, all objects, elements, components and
attributes within specified limits, that may have influence on, or be influenced by, the operation
of the system. That is a system environment does not only comprise those external elements
whose change may affect the nature, context, properties and functioning of the system, but
includes all those elements that are themselves affected by the system’s behaviour.
Control
Although we will explore the issue of control in more detail in Chapter 3, for the time being we
will define control as that which guides, directs, regulates and/or constrains the behaviour of
a set of variables. It is a mechanism designed to regulate, monitor and/or compare performance
to expectations – that is the activities, processes and procedures used to evaluate input,
throughput and output and, where necessary, make appropriate corrections.
Such control can either be by means of feedback – where information about some aspect of
output is used to evaluate and monitor the system and to guide it to more effective performance
– or feedforward – where information about some aspect of input can be used to modify the
system processing procedures and to guide the system to more effective performance.
Objectives/goals
The ultimate objective/goal of a system or its raison d’être is dependent not only on the nature
and context of the system, but more importantly on its hierarchical location. For example:
• for modern society it could be the reproduction and/or maintenance of existing social
  relationships and power structures,
• for the financial environment it could be the reproduction of existing modes of regulation
  and regimes of wealth accumulation, and
• for the company it could be the accumulation of wealth by means of the temporal and spatial
  displacement of assets and resources.
Equifinality
Systems thinking recognises that semi-open systems and open systems can achieve their
objective(s)/aim(s) in a variety of ways using varying inputs, processes, methods and procedures.
As suggested by von Bertalanffy (1968):
the same final state may be reached from differential conditions and in different ways
(1968: 40).
Systems adaptability
For closed systems the achievement of any objective/goal often requires little external
intervention because such systems, by definition, require little or no environmental interaction
to function. However for semi-open and open systems the achievement of any objective/goal,
almost certainly requires some on-going monitoring of the systems environment and systems
adaptation where appropriate (see Figure 2.10). Why?
Because for such systems both input and output are affected by changes in the system environment
and certainly in a business context where a system environment is rarely constant, stable
and predictable, the successful achievement of any objective/goal or set of objectives/goals requires
carefully planned change. A lack of monitoring and, where necessary, adaptation, may not only
lead to increased disorganisation or entropy but, more importantly, a failure to meet ongoing
objective(s)/aim(s).
One common feature of all systems, not only socially constructed open and semi-open systems,
is that a system and/or sub-systems can belong to more than one system or sub-system: that
is it is possible, and often common, for a system not only to possess multiple ownership/
membership of other systems and sub-systems, but also to interact at different levels with
different systems/sub-systems.
Such multiple ownership/membership (see Figure 2.11) is particularly important where
changes are made to systems.
Interconnections
All systems are interconnected either by way of input and/or output or by processing
relationship. Often systems/sub-systems will be connected to a number of systems/sub-systems
simultaneously – interacting and exchanging data and information at various levels of activity.
The number of interconnections can be calculated as:
(n (n − 1))/2
For example, a system with four interrelated sub-systems would have (5 (5 − 1))/2 = 10 potential
interconnections (see Figure 2.12).
Decoupling
If sub-systems are interconnected, such interconnectivity implies not only spatial and temporal
coordination but more importantly functional integration. Decoupling occurs where:
• a number of systems (or sub-systems within a system) operate with a degree of independence,
  and/or
• an interconnection between two systems and/or sub-systems is suspended either temporarily
  or in some instances permanently.
Whilst many reasons can exist to justify/rationalise such decoupling (e.g. see the case study later
in this chapter), such decoupling (see Figure 2.13) can nevertheless be difficult and problematic
in terms of:
• the costs involved,
• the time period involved,
• the consequences of a loss of sub-systems connectivity and control, and
• the possibility that such decoupling could result in long-term sub-optimisation.
Systems constraints
Many systems, especially socially created systems, have constraints imposed upon them, for
example operational limitations, resource shortages and/or structural difficulties.
Such constraints (see Figure 2.15) may well be temporary but can nonetheless severely
restrict the system’s ability to achieve its aim(s)/objective(s).
Sub-optimality
Sub-systems should work towards the goal of their higher systems and not pursue their own
objectives independently.
Where a sub-system seeks to pursue its own objectives/agenda to the detriment of higher
objectives, or the decoupling of a number of sub-systems has reduced the overall efficiency of
the system as a whole, or changes in a system’s environment have not been correctly accounted
for and as a consequence reduced the overall efficiency of the system, then a situation of
sub-optimality may be said to exist.
Let’s look at some of these key elements of systems thinking in more detail in the context of the
following case study scenario – Taj-a-Jac Ltd.
CASE STUDY
Taj-a-Jac Ltd 9
Strategic review
In 2002, external consultants were asked to identify the strategic options open to Taj-a-Jac Ltd.
The review found that, although the middle/upper end of the furniture market was becoming
increasingly competitive, there was still room for significant growth. Despite numerous store
openings, the company was still very much a regional operator. Expansion of the market was
predicted to continue for many years, although Taj-a-Jac Ltd’s product and strategic positioning
left the business vulnerable to changes in the business cycle. Indeed, the company had been
affected quite significantly by a fall in turnover in the mid/late 1990s.
Aware of this, the consultants suggested a number of alternatives for the company. The first
was for more stores to be opened – particularly in the south of England where the company had
little presence. This option had implications for the management and organisational structure
of the company as at least two additional workshop, warehouse and distribution centres would
be necessary to provide the required infrastructure. Such a centre was opened in the latter part
of 1997, as a programme of store openings had already been an idea that the management had
been considering for some time. The company had previously considered franchising as a way to
achieve this growth and the company did in 1999 enter into a seven-year contract that was signed
with a large UK-based department store. However, subsequent market and business research
regarding the UK market had suggested that franchising would not be an attractive/profitable
proposition for a company like Taj-a-Jac Ltd and as a consequence the policy was abandoned.
A second alternative recommended was diversification. Significant experience of the import
of quality pine from North America and Northern Europe was, the consultants suggested, not
being exploited. The wholesale purchase of wood was therefore recommended. This had the
added advantage of producing economies of scale which would have the effect of reducing unit
costs. Charles and Thomas together with their senior managers had not previously considered
this proposal and felt that so long as they were not supplying major competitors this was a
proposition that could and should be pursued.
Thirdly, the consultants suggested the development of the ‘lifestyle concept’ store format –
stores that not only sold furniture but also related accessories (such as soft furnishings) in
a themed environment. Such stores had started to develop at the lower end of the market, but
such a format had not yet been rolled out in the market sector that the company occupied.
This proposal found immediate favour with some of the management board, although the size
of each of the existing shops would not easily accommodate such a change. The movement to
larger retail outlets or the opening of new additional stores that could accommodate this format
would be necessary but costly.
Fourthly, the demand for English-designed quality furniture had always been popular in Asia.
The region as a whole was becoming potentially a more significant market and the consultants
argued that a gradual move into this market would in time reduce the company’s dependence
on UK demand. The consultants, concerned about the risk associated with this alternative, felt
that expansion in this way should be via joint venture. This idea was one with which Charles,
Thomas and their senior managers readily agreed.
The proposal suggested that, in the long-run, furniture should be manufactured in Asia using
designs and templates from the UK. In the short and medium term, however, in order to establish
the viability of the market, furniture should be exported – a practice that the consultants suggested
should continue until the market was sufficiently mature – approximately five years hence.
As part of their review the consultants provided the following estimated summary costing for
each of the alternatives.
Alternative 2 – diversification
Initial investment cost £23m
Potential annual income £6m pa
Since 1998 Taj-a-Jac Ltd had begun generating significant cash surpluses which, the financial
advisors had suggested, should be used to partly fund the selected proposal/proposals. Another
possibility, given the risks that expansion involved, was conversion to public limited company
(plc) status so that a ‘listing’ might be sought. This, the consultants suggested, would raise an
additional £40m.
In addition to this, the consultants suggested that debt instruments should be used to
fund any remaining shortfall – given the current gearing ratio of the company. The company
currently has a cost of equity of 12% and an after-tax cost of debt of 16%. In addition, it limits
project life cycles to a maximum of 20 years. The company believes that if additional funds were
raised through borrowing then its cost of equity would rise to 16%.
The following financial statements relate to Taj-a-Jac Ltd for the years 2001 to 2003.
Input
Taj-a-Jac Ltd is clearly a manufacturing/retail company and as a result would attract/draw on
an enormous range of both externalised and internalised inputs in order to function successfully.
Some of the more important of these would be as follows:
• In terms of externalised inputs:
  - raw materials for the manufacture of specialist hand-crafted furniture,
  - human resources (skills of specialist trained woodworkers, etc. and other management
    and administrative staff),
  - financial resources,
  - data/information regarding resource availability, product demand, and changes in the
    marketplace regarding the structure of the market, prices and competitors.
• In terms of internalised inputs:
  - work-in-progress transferred between production processes, and
  - data/information regarding resource availability, internal production schedules and
    changes in operating procedures and management structures.
Transformation process
As a complex manufacturing/retail company, Taj-a-Jac Ltd would have a number of interrelated
transformation processes. At a superficial and somewhat generic level these transaction processes
would include:
• acquisition transformation processes (expenditure cycle) – these would include converting/
  transforming resource requirements into physical resources,
• conversion (manufacturing) transformation processes (conversion cycle) – these would
  include not only the conversion of raw materials to finished saleable products but also staff
  training (of employees from non-trained employees to specialist manufacturers),
• retail transformation processes (revenue cycle) – these would include the marketing and
  distribution of products and resources – converting potential demand to actual retail sales,
  and
• resource management transformation processes (management cycle) – these would include
  the conversion of sales into useable resources.
More importantly, each of the above transformation processes would also comprise a number
of self-contained but interrelated and interconnected transformation processes.
Output
For Taj-a-Jac Ltd, externalised outputs would include, for example:
For Taj-a-Jac Ltd, internalised outputs (including data, information and resources) would
occur at various stages of the transformation process, between the acquisition transformation
processes, the conversion (manufacturing) transformation processes, the retail transformation
processes, and the resource management transformation processes.
Systems boundaries
Within Taj-a-Jac Ltd many functional boundaries would exist – some of which would be
tangible and physically identifiable boundaries, others would be virtual and intangible. Whereas
tangible boundaries would possibly act as barriers to prevent unauthorised access, for example:
• controlled access to manufacturing locations and retail locations outside normal retail hours,
  and
• security codes preventing access between different parts of the company, and
• password codes restricting access to the company’s information database,
Systems environment
For Taj-a-Jac Ltd (as a company), its systemic environment would comprise not only those
external elements whose change may affect the nature, context, properties and functioning of
the company, but also those elements which would themselves be affected by the company’s
behaviour. In essence the contemporary marketplace!
In such a marketplace key elements would include:
Systems control
As a complex organisation functioning within a competitive but expanding business environment,
it is perhaps important for the company not only to coordinate and regulate its activities,
but also monitor efficiency and/or compare performance and activity to expectations. Such
control would normally exist at a number of levels within Taj-a-Jac Ltd – at a strategic level, at
a tactical level and of course at an operational level.
In a systems context, strategic control would normally be feedforward in nature, tactical
control would be a combination of both feedforward and feedback, whereas operational control
would almost entirely be feedback orientated:
• At a strategic level control issues would consider:
  - environmental pressures affecting the company,
  - the appropriate business focus for Taj-a-Jac Ltd, and
  - general financing requirements of the company.
• At a tactical level control issues would consider:
  - medium-term allocation of resource to company activities,
  - the quality policy of the company,
  - production management (including resource allocation) of the company, and
  - organisation facilities required to meet corporate objectives.
• At an operational level control issues would consider:
  - short-term allocation of resource to company activities, and
  - day-to-day management of operational resources.
Systems objectives/goals
In a commercial competitive context, a company has two primary objectives/goals. Objective
one is survival! Objective two is the maximisation of shareholder wealth, that is maximising the
value of the company as expressed as follows:
v = (i, f, d, m)
where:
i = the investment decision
f = the financing decision
d = the dividend (or distribution) decision
m = the management of corporate resources.
For Taj-a-Jac Ltd, both of the above objectives are clearly evident in the company’s consideration
of the alternative strategic options suggested by the consultants.
Clearly objective one is contingent upon successfully meeting objective two and for Taj-a-Jac
Ltd the falling profits indicate that the company is experiencing some difficulty in achieving
this.
Equifinality
Clearly corporate survival and wealth maximisation can be achieved in a number of different ways
as illustrated by the proposals made by the consultants to the management of Taj-a-Jac Ltd.
For example:
• proposal 1 considers regional consolidation through corporate franchising,
• proposal 2 considers vertical diversification,
• proposal 3 considers horizontal diversification and development of a lifestyle concept, and
• proposal 4 considers market/geographical relocation and a move to the Asian market through
  a joint venture arrangement.
Although each of the above proposals appears viable (in a purely financial (NPV) context),
they each nevertheless possess varying degrees of associated systemic risk (both internal and
external), with perhaps proposal 3 being the least risky, then proposal 1, then proposal 2, and
finally proposal 4 being the most risky.
Whilst such risk assessment is clearly very subjective, it can, in a very broad sense, be analysed
from a purely systemic context in terms of systems adaptability, which is itself dependent upon:
Systems adaptability
For Taj-a-Jac Ltd, as a semi-open system, both the company’s inputs and outputs (and therefore
its transaction processing system(s)) are clearly affected by changes in the company’s environment,
an environment that appears to be increasingly competitive, uncertain and unpredictable.
Of course regular strategic monitoring of the company’s environment can clearly assist in
minimising the impact of such environmental change. Indeed, and as indicated in the case study
scenario, such monitoring has revealed an urgent need for adaptation/change. The success of
any of the proposals identified by the consultants appointed by the management of Taj-a-Jac
Ltd would of course be conditional upon the company’s ability to adapt/change. Identifying/
knowing what needs to be done is only part of the solution. Structuring that knowledge and
successfully implementing a strategy based on that knowledge are the keys to future survival –
both of which are dependent upon the company’s flexibility and adaptability.
So what about Taj-a-Jac Ltd? Does the company appear to be sufficiently adaptable? Whilst
there is no direct evidence – the answer (intuitively perhaps) is probably yes!
The very fact that such monitoring takes place would suggest that the management of the
company are more than aware of the marketplace within which they operate; more than aware
of the possible consequences to the company of a lack of adaptability, a lack of flexibility, a
lack of reflexivity.
Within each of these functional cycles10 (or sub-systems) a number of sub-systems will exist, for
example:
It is possible, indeed probable, that within each of the above cycles and sub-systems some
sharing/overlap will exist. Such overlap may be in terms of:
• sharing of data/information,
• interrelated activities, and
• shared resources, including staffing.
For example the cash receipts and payments system (management cycle) will clearly be related
and connected to the purchasing and creditor system (expenditure cycle) and the sales and
debtors system (revenue cycle). Whilst such sharing/overlapping does provide some benefit in
terms of organisational rationalisation and potential cost saving, excessive sharing/overlapping
can if unmonitored lead to:
More importantly for Taj-a-Jac Ltd, is the need not only to understand, but also appreciate the
possible outcomes, implications and any emergent problems that may arise as a result of any
organisational change (from implementing any of the four proposals) on shared/overlapping or
multiple-owned systems.
Interconnections
As a company, the systems (and sub-systems) that operate within Taj-a-Jac Ltd would not
only be interconnected by way of input, output or by processing relationship but would also
be interdependent upon one another – interacting and exchanging data and information at
various levels of activity.
As with shared/overlapping systems and sub-systems, interconnectivity provides a number
of benefits, in terms of control and accountability, but also problems if such connections are
not appropriately managed. The result is often excessive procedural bureaucracy and deficient
time management.
Taj-a-Jac Ltd does appear to have some problems in this area – a problem substantiated by
the existence of significant problems in working capital management. The source of this problem
could exist at two distinct levels:
• systems/sub-systems interconnections may not be functioning adequately because of internal/
  external change, or
• systems/sub-systems have become decoupled.
Decoupling
Although in a business context systems decoupling is part of the systems/sub-systems life cycle
and occurs periodically – for example at year-end close down in terms of not only stock control,
separating production from the stock management systems, but also in terms of financial
accounting systems and the preparation of year-end statutory financial reports – the case study
does not indicate whether direct activity decoupling exists on an operational level. However,
there is some circumstantial evidence to suggest that some (at least partial) decoupling exists in:
• the expenditure cycle – within the procurement control system, and the purchasing and
  creditor system,
• the conversion cycle – within the stock control system,
• the revenue cycle – within the sales and debtors system, and
• the management systems – within the cash receipts and payments system, and the general
  ledger management system.
  - a purchasing and creditor system – to ensure all payments are made in accordance with
    supplier/company requirements.
• In the conversion cycle:
  - stock control system – to maintain sufficient stock to meet production requirements
  - production control system – to ensure appropriate quality standards are maintained,
  - payroll system – to ensure payments are made in accordance with company/legal
    requirements.
• In the revenue cycle:
  - marketing system – to ensure products are appropriately advertised/marketed,
  - transportation system – to ensure all sales are securely transported to customer location, and
  - sales and debtors system – to ensure products are appropriately priced, and all receipts are
    received in accordance with company requirements.
• In the management cycle:
  - cash receipts and payments system – to ensure adequate records and controls are
    maintained, and
  - fixed assets and property system – to ensure all assets are properly accounted for and legal
    titles securely maintained.
Whilst each of these appears appropriate, conflict could arise between, for example, the need for
best quality materials (procurement control system), the pricing of products (sales and debtors
system) and the overall objective of maximising shareholder wealth. Why? Quality materials
may incur substantial costs. Unless passed on to the customer such costs could reduce overall
profits and therefore shareholder wealth.
Clearly the existence of such multiple objectives is not uncommon but conflicting objectives
can, if not appropriately managed, result in the inefficient use of resources and in a systems
context entropy and ultimately systems failure.
Systems constraints
For Taj-a-Jac Ltd a number of internal and external constraints, or in a more accounting
context, limiting factors, may exist. These are elements that not only constrain current activity,
but may also limit the possible success of the proposals identified by the consultants. Such
constraints could include:
Sub-optimality
For Taj-a-Jac Ltd there is clearly some sub-optimality – a simple financial analysis of the
company’s profit and loss account and balance sheet clearly indicates the existence (in 2003 at least)
of increasingly significant problems regarding working capital management especially debtor
management and creditor management. Whilst it is unclear as to whether such sub-optimality
is a result of:
• a lack of coordination with the business as a whole, for example individual employees working
  towards a set of personal objectives/agenda to the detriment of the company as a whole, or
• generic inefficiency increasingly endemic within the company’s operations, or
• a failure of the management of the company to respond/adapt to environmental turbulence,
its existence is nevertheless worrying and perhaps a contributing factor in the management of
Taj-a-Jac Ltd seeking the advice of a consultant.
Concluding comments
General systems theory arose out of a generic interest in finding a general theory of similarity
between different systems – a fundamental theory that could address problems associated with,
and related to:
• order,
• structure, and
• organisation.
The aim of such a general systems theory is to provide a set of unifying principles of organisation
that could be applied to all organisations at all levels of complexity (von Bertalanffy,
1968).
In essence, general systems theory addresses a number of structural and relational issues that
are common to a vast range of interdisciplinary studies (including accounting and finance).
Perhaps, more importantly, general systems theory, or systems thinking, provides a framework
– a conceptual model – that can be applied to a diverse range of scientific and business areas.
Indeed business practitioners and management scientists have learned a great deal about
organisations and how they work by utilising a systems perspective, the benefits of which have
been:
• more effective problem solving,
• more effective leadership,
• more effective communications,
• more effective planning, and
• more effective organisational development.
However, despite such benefits, as a conceptual framework, general systems theory and systems
thinking do nonetheless possess a number of major limitations, including:
• general systems theory is by its very nature ‘general’ and as such is often accused of being
ineffective in explaining anything,
• general systems theory adopts a somewhat hard structured analytical approach, and
rejects/ignores the human factor or the behavioural context of systems and, perhaps more
importantly,
• general systems theory imposes a very prescriptive mechanistic framework that necessitates
the use of an overly functional analytical context.
So, if systems thinking possesses so many limitations – why is it used? Firstly, in the context of
contemporary capitalism, general systems theory and systems thinking provide an assessable
(if somewhat limited) framework that can be used not only to monitor but more importantly
control business activity. Secondly, as a broad conceptual model general systems theory provides
an acceptable conceptual version of how the physical aspects of capital move within the
business environment.
And thirdly, general systems theory provides a rational (if again somewhat limited) basis on
which conceptual models of organisational structures (including those of a company) can be
constructed.
Bibliography
Ackoff, R.L. (1971) ‘Towards a systems of systems concepts’, Management Science, 17(11).
Checkland, P. (1981) Systems Thinking, Systems Practice, John Wiley, London.
Harry, M. (1994) Information Systems in Business, Pitman, London.
Kim, D.H. (1999) Introduction to Systems Thinking, Pegasus Communications, London.
Laszlo, E. (1996) Systems view of the world, Hampton Press, London.
O’Connor, J. and McDermot, I. (1997) The Art of Systems Thinking, Thorsons, New York.
Wienberg, G. (2001) Introduction to General Systems Theory, Dorset House, London.
Websites
www.systemsthinkingpress.com
Chaos Theory – Critical Thinking, Organisational Development Portal
http://pespmc1.vub.ac.be/
Principia Cybernetica webpage
Other websites you may find helpful in gaining an insight into more accounting related discussion
and systems thinking include:
www.accaglobal.com
(Chartered Association of Certified Accountants)
www.cimaglobal.com
(Chartered Institute of Management Accountants)
www.ft.com
(Financial Times)
www.economist.com
(Economist)
www.guardian.co.uk
(Guardian)
www.accountingweb.co.uk
(general accounting website)
Self-review questions
Question 1
Classical systems theory often considers a company to be a ‘hard’ closed system, whereas contemporary
systems theory often considers a company to be a ‘soft’ open system.
Required
Define the ‘hard’ and ‘soft’ systems.
With the aid of diagrams, comment on and discuss the difference between these two theoretical approaches
and their implications on designing computer-based accounting information systems.
Question 2
Read the following extract:
Management do not always know what information they need and information specialists often do not
know enough about management in order to produce relevant information for the managers they serve. An
example given by Professor Kaplan graphically illustrates this point. He reported that a group of American
industrialists visiting Japan found that their counterparts were regularly supplied with information on the
proportion of products which pass through the factory without re-working or rectification. They found that
a typical percentage of products that needed no re-working was 92%. The American managers found
that this information was not available to them at their factories at home but on investigation it was found
that their ratio was 8%. They then worked on this factor for 6 months at which point the ratio had moved
up to 66% and, more importantly, productivity was 25% higher (Lucy, 2000: 3).
Required
Assume that you are the Information Systems Director of Test Kits Ltd. This is a growing company that
produces a range of chemical test kits for a wide range of products and markets. Currently the company is
experiencing a boom in demand for its BSE test kit for beef.
You were planning a presentation to the Board of Directors entitled ‘The accounting information system – an
abstract representation of the company’, when your Managing Director hands you the above quotation. He
asks you to address those issues raised in the quotation in your presentation and also how they affect lower,
middle and senior management.
Draft out the main points of the Information Systems Director’s presentation. Ensure that you include a definition
and diagram of a system and its principal components, explain the main systems concepts and address the
practical problems raised in the quotation.
Question 3
Read the following extract:
Sociological systems theory contributed a profound understanding of the nature and role of organisational
sub-systems in meeting organisational needs. . . . The inspiration came in the form of a rigorous
working out of the idea that organisms – and other types of complex systems – were ‘open systems’
(Jackson, 1991: 48).
Required
Explain, with the aid of a diagram, the relevance to an understanding of the accounting information system of
‘open systems’.
Question 4
Katz and Kahn in The Social Psychology of Organisations (1966) cite five generic types of sub-system to meet
an organisation’s functional needs:
• The production or technical sub-system, concerned with the work done on the throughput.
• The supportive sub-system, concerned with obtaining inputs and disposing of outputs.
• The maintenance sub-system, which ensures conformance of personnel to their roles through selection,
and through rewards and sanctions.
• The adaptive sub-system, ensuring responsiveness to environmental variations.
• The managerial sub-system, which directs, coordinates and controls other sub-systems and activities
through various regulatory mechanisms.
Required
Identify these sub-systems in accounting terms and give an example of how the accounting information system
obtains and supplies information for each of these sub-systems.
Question 5
Using general systems theory as your analytical framework, identify and describe the main control elements
of a medium-sized fast-moving consumer goods company’s accounting system. In your description you
should identify how each of the component parts of the accounting system are connected together and the
related information requirements of each component part.
Assignments
Question 1
In December 2002, ERT plc, an established retail company located in the north-east of England, merged
with PLR plc, an Edinburgh-based company that had been operating successfully for over 45 years and
who had over the past seven years become a major competitor of ERT plc. In December 2002, the combined
companies began trading as GBI plc.
Both ERT plc and PLR plc had enjoyed record profits during 2000 and 2001.
Although market reaction to the acquisition was positive with GBI’s share price rising dramatically, the overall
profitability and efficiency of the new merged company fell sharply during 2003, with GBI recording an
annual trading loss in January 2004.
In March 2004, the management of GBI appointed consultants to identify why such a fall in the company’s
fortunes had occurred. The consultants’ report was highly critical, suggesting that the core problems being
experienced by GBI had resulted from an incompatibility of the ERT and PRT accounting information systems.
In particular, the consultants identified an inability of GBI’s management to understand the nature of systemic
functional cycles of operation and the implications of systems theory in the management of corporate activity.
Required
(a) Describe and diagrammatically represent the main functional cycles of operation that may exist in a retail
company such as GBI plc.
(b) Explain briefly why in the context of the above scenario the ERT’s and PRT’s cycles of operations may
have been incompatible.
(c) Explain how a knowledge of systems theory may have assisted the management of GBI in their attempt
to reverse the decline in the new company’s financial fortune.
Question 2
GHS Ltd is a small local company that sells motor car accessories. The company has 26 small retail outlets
located throughout the UK. Each retail outlet employs five people: a sales assistant, a receptionist/secretary,
two technical advisors and a manager.
The company operates a networked EPOS (electronic point of sale) system for all sales.
Sales are:
• through the company’s website,
• by mail order, or
• over-the-counter cash/credit card sales.
Internet sales are handled by the company’s head office and despatched from the company’s main distribution
centre in Crawley.
Mail order and over-the-counter sales are handled by the sales assistant at each individual retail outlet.
Over-the-counter sales can be for cash, credit card payment or payment by cheque. The sales assistant records
the sale using the company’s EPOS system and issues a sales receipt to the customer.
Mail order sales are only accepted from authorised customers. These customers are authorised by the retail
outlet manager and are allowed 30 days’ credit.
All mail order sales are recorded as a deferred sale using the company’s EPOS system.
A list of these sales is held by the sales assistant until the payment is received when payment is recorded.
Payments not received within the 30-day period are referred to the manager.
The receptionist/secretary opens all incoming mail and passes any payments to the manager for review. The
manager passes these back to the sales assistant for recording in the company’s EPOS system, and for the
issue of a receipt which is sent back to the customer.
The sales assistant passes all cash and cheques back to the manager, in time for them to be banked each
day, when the manager leaves to pick up his children from school. The manager also prepares the bank
deposit slip.
The manager is solely responsible for any discounts and verifies these before payments are recorded in the
company’s EPOS system. The manager is also responsible for writing off any bad debts after seeking and
receiving approval for these actions from head office.
Required
Describe the system from a systems perspective, including suggestions for improvements.
Chapter endnotes
1 The term ‘systems thinking’ is used in preference to systems theory and/or general systems theory.
2 Teleology is the supposition that there is purpose or directive principle in the works and processes
of nature and society.
3 For the neo-Marxist regulation school’s socio-political account and its emphasis on the
increasing tension between social modes of regulation and regimes of accumulation see Aglietta
(1979), Andre and Delorme (1982) and Lipietz (1985, 1987).
4 For the neo-Smithian flexible specialisation account and its emphasis on the structural relationship
between dominant economic and political institutions see Sabel (1982), Piore and Sabel
(1984), Sabel and Zeitlin (1985) and Hirst and Zeitlin (1989, 1991).
5 For the neo-Schumpeterian approach, based predominantly on the premise of technological
determinism reminiscent of Kondratiev’s long wave theory, see Freeman et al. (1982), Dosi et al.
(1988), Freeman and Perez (1988) and Schumpeter (1987).
6 For the disorganised capitalism thesis and its emphasis on an increasing disorganisation of
regimes of accumulation emerging out of the material conditions associated with the powerful
structure of class politics see Lash and Urry (1987, 1993) and Offe (1985).
7 For the flexible accumulation approach and its increasing emphasis on the impact of time–space
compression and the increasing dominance of fictions in regimes of accumulation see
Harvey (1987, 1990, 1991) and Harvey and Scott (1988).
8 Pricing efficiency refers to the notion that prices should reflect in an unbiased way all available
information. Operational efficiency refers to the level of costs of carrying out transactions within
the marketplace, whereas allocational efficiency refers to the extent to which capital is allocated
to the most profitable enterprise.
9 Based on a case study developed by Geffory Firth, University of Lincoln.
10 We will consider these functional cycles in Part 3 of this book.
3 Control theories: management by design
Introduction
There can be little doubt that in the latter part of the 20th century and indeed the early part
of the 21st century, market-based corporate activity has become overwhelmed by a social
and political typology increasingly dominated by the economics of the ‘free’ marketplace.
This has come about by an emphasis on reducing social diversity, minimising political
prejudices, and eliminating economic asymmetries; by a push toward a single market, a
single borderless society, a single global culture, a single homogenous polity.
Yet, although this seemingly unstoppable force – this immovable drive toward ‘singularity’
– toward a global oneness (in a commercial sense at least!) has produced many benefits,
it has done so at some considerable cost. Whilst for some it has produced larger choice
and greater freedom, and for others it has resulted in increased wealth and amazing
prosperity, for yet others it has resulted in social poverty, economic destitution and political
isolation. Whilst consideration of such issues is clearly beyond the scope of this book it is
important to acknowledge that this relentless and often inescapable global pursuit of gain
and profit – this inevitable push toward a single global marketplace – has become synonymous
with a much more subtle if somewhat disconcerting trend. A trend encapsulating
a conscious desire to minimise risk, reduce uncertainty, increase efficiency and maximise
return. A covert trend of increasing bureaucracy, of greater regulation and of increased
surveillance – a trend towards greater and greater control!
But what is control? A simple and obvious, yet deceptively difficult question to answer.
Why? Because unfortunately, control is many things – to many people.
In a socio-cultural context the concept of control is sometimes ‘individualised’. It is
often defined and associated with adroitness, with the ability to illustrate great discipline
and specialty and the capacity to exercise and demonstrate skilfulness and knowledge.
Although we will not discount this notion of control completely, for the present we will restrict
our discussion on control (and control theory) to what can be described as the ‘group’ or the
‘entity’ contextualisation – to the corporate perspective. For example, in a transactional/
commercial context control can be associated with the capacity to direct or determine a
function and/or outcome, with the ability to regulate and manage, with planning and standard
setting, and with comparison, evaluation, verification and validation, whereas in a governance/
regulatory context control is normally associated with notions of power, surveillance and
regulation, and with the imposition of authority and the capacity to exercise restraining
commanding power, determine regulatory context and impose absolute exclusivity.
What is important here is to recognise that in the group or the entity contextualisation,
control is an ‘imposed’ construct – a construct whose regulatory technology is neither
objective nor neutral. It is a political construct – a construct dominated by the demands
of the economic. Whether such control is in the form of polite informal restraint, passive
formal guidance, or indeed an imposed authoritative regulation, its underlying context is
rarely concerned with merely maintaining stability and order – it is rarely concerned with
social conscience. There can be little doubt that as society treads warily into the early part
of the 21st century, control has become undeniably market-based and unquestionably
profit-orientated.
The aim of this chapter is to ascertain the key features of control theory and explore
how and why control (and control theory) has become fundamental to contemporary
capitalism. It has become fundamental not only to:
but more importantly, for our purposes, to ensuring the reliability and relevance of information
– in particular accounting information.
Learning outcomes
This chapter explores a wide range of issues relating to control theory and its application
in the development and management of accounting information systems and provides
an introduction to how control theory has been, and indeed continues to be, increasingly
relevant to understanding the complex nature of 21st century corporate activity.
By the end of this chapter, the reader should be able to:
• explain the contextual nature of control,
• understand the importance of control in complex systems,
• describe the basic elements of control,
• critically evaluate the relevance of environmental factors on control, and
• distinguish between feedback and feedforward, explaining their importance in control.
As indicated earlier, there can be little doubt that today’s global market is a product of many forces
and influences. From an evermore disembedded spread of companies, to an increasing use of
fictitious capital,2 to an escalating growth in the marketability of technology and information.
Indeed, many business commentators and academics suggest we now live in what some term a
‘global village’, in which the increasing marginalisation of state power and territorial sovereignty
have become secondary to the unremitting push towards a borderless society/polity – a push
towards a global marketplace.
From colonial capitalism of the 16th century, to entrepreneurial capitalism and so-called
international capitalism of the late 19th and early 20th century, to multinational/global capitalism
of the late 20th century, to perhaps now the derivative/fictitious capitalism of the late 20th
and early 21st century (further details are available on the website accompanying this text
www.pearsoned.co.uk/Boczko), we now live in a global marketplace synonymous with:
• a continuing deregulation of markets,
• an increasing international transferability of capital, and
• an increasing dependency on, and evermore global commodification of knowledge and
information systems.
Clearly, markets have changed/grown, technologies have developed and societies (well parts
of some societies at least!) have embraced the new world order and the unstoppable force of
commercialisation, of marketisation and globalisation. Today, capital is intrinsically global – all
the advanced economies of the world are involved. Increasingly, political, social and technological
innovations develop subordinate to the needs of wealth accumulation and profit maximisation.
Global capital flows are thus politically dynamic and technologically deliberate. Whilst some believe
such global capital flows have helped to enhance social mobility and consumer sovereignty,
others believe that such flows have helped to undermine territorial autonomy, national stability
and cultural self-sufficiency (Amin, 1994; Lipietz, 1994). They have resulted in social exploitation,
economic subordination, political volatility and environmental commodification, and have
continued to promote economic polarisation and financial instability (Savage and Warde, 1993).
The heated debate continues!
But what has this all meant for the ‘company’ – the corporate entity? Well, as part of this
‘global village’, this increasingly technology-driven ‘information society’, this global marketplace
now dominated by virtual trading and fictitious (derivative) capital (Harvey, 1990; Cerny, 1994),
companies have become increasingly bound up with or, perhaps more appropriately, increasingly
dependent upon:
• virtual systems for collecting, storing, and processing data and information,
• technology-based networks of surveillance, and
• systems of organisational control.
There are a number of reasons for this. Firstly, market-based capitalism is an institutional
system founded on commodity production and exchange (Palloix, 1975, 1977; McChestney,
1999) and as suggested in Chapter 1 seeks to sustain a liberal ideology of the ‘dominance of
capital’ and ‘freedom of accumulation’. Consequently, the need to know and the ability to
control internalised activity, not only to:
• coordinate business activity and resource utilisation, and
• the socialisation of people and procedures,
Secondly, the competitive nature of market capital and the increasing implications of technology
have altered the ‘perceived’ structure and nature of business activity – of the corporate entity.
They are no longer regarded as just collections of tangible assets and resources. Companies
are now seen as complex ‘social’ arrangements of interacting intangible systems or procedures
– of connections and interconnections. The contemporary framework of analysis of corporate
activity has clearly moved from ‘what do we do’ – that is from being output driven – to ‘how
do we do it’ – that is to being process driven.
Thirdly, the increasing complexity of the so-called ‘global market’ and the increasing uncertainty
competition brings to those operating in such markets has resulted in a growing notion of
agency and governance – of separation between ownership and control. Clearly such a notion
of separation is by no means a contemporary phenomenon. Formally, such an enduring notion
has probably existed since the creation of joint stock companies in the mid-19th century.
Informally however, it has probably existed since the dawn of civilization and commercial
trade, although its expression has, certainly during the latter part of the 20th century and early
21st century, manifested itself with much more clarity and urgency.
Such separation – between ownership and control – and indeed notions of agency and
governance require at the very least not only an acknowledgement of the concept of accountability,
but more importantly an acknowledgement of the notion of trust – in particular a trust
in systems.
We will return to the notions and concepts of agency and governance, in particular corporate
governance, later in this chapter. For the moment however, let’s have a look at this notion of
trust – of trust in systems!
Historically (in a corporate context at least) trust was in the majority of cases placed in,
or assigned to people, as representatives, as sentient expressions of the business entity, of the
corporate entity. Physicality it appeared ruled! Today however, trust is no longer merely placed
in people or individuals – if at all. It is placed in systems and information – in the networks and
the procedures and the interconnections that exist within and between corporate entities.
Consider the following.
Imagine you are an elderly customer entering a bank to deposit money into your current
account. At the bank counter you are greeted by a counter clerk who will deal with your
transaction. As an elderly customer you may well believe that as the transaction takes place
there is a trust relationship (however limited) between you as the customer and the counter
clerk – a trust that is founded on the assumption that the correct procedures will be followed,
the transaction will be properly processed and the money will be paid into the correct
current account – your account.
In reality, however, this is not the case. As a customer you have (in the majority of cases at
least) often no knowledge of the bank clerk apart from, say, a name badge and evidence that
the bank clerk actually works for the bank. (We will discount here any possibility that the bank
clerk may be an impostor or villain waiting to defraud the bank.) The customer’s trust is not
placed with the individual bank clerk, but in the system that the bank clerk represents and
more importantly the systems that actually facilitated the bank clerk’s presence at the counter
to deal with customers in the first place!
anthropological context trust was, and indeed continues to be, associated with notions of
cultural kinship and community, with notions of hierarchy and deference, with respect and
responsibility, and with locality. However, contemporary society, or modernity, has, with all
its complex processes and interconnections, detached social relations from their local contexts,
their communities and their local hierarchies, and restructured them often across infinite spans
of time and space.
Such complex processes are often referred to as ‘disembedding mechanisms’ (see Giddens,
1990). Disembedding mechanisms are those aspects of contemporary society that allow individuals
and/or organisations such as companies to create and develop distance relations.
Whilst such disembedding mechanisms can be varied, and will undoubtedly have their roots
in antiquity, in a contemporary context – or at the very least in a market capital context – there
are perhaps two key and important disembedding mechanisms, these being:
The world is too complex and because of this complexity we depend on others to help us
navigate through the complexity – to demystify it and to make it less complex. This process
of demystification however is far from straightforward and rarely apolitical!
Obviously there is again a price attached to such knowledge, information and demystification,
and so again we are intrinsically associated with and/or connected to the exchange
environment – the market process. And, as we enter the 21st century, our trust in the use of
these symbolic tokens (of these expert systems) has been given further urgency by the impact
of technology. Just think of a modern society without credit and debit cards, e-commerce,
e-banking and everything else ‘e’-based!
In a contemporary context at least then, trust is no longer ‘just’ a confidence in the reliability
of a person or persons. It is more importantly a confidence in the reliability of a system or a
set of procedures and/or process(es) – on a particular outcome or an event. Indeed, contrary
to popular belief, the requirement for trust – for the existence of a trust-based interrelationship –
is not a lack of power. It is a lack of knowledge or understanding, a lack of ability, a lack of
information.
And, here it seems that market-based capitalism is not without a sense of irony. Why? Because
as the changing dynamic of the global market becomes evermore complex and individuals
become increasingly dependent on symbolic tokens and expert systems – as companies become
evermore integrated, interconnected and interdependent, evermore technology orientated and
virtual – they become evermore disembedded and spatially remote. Evermore dependent on
continual recreation and the development of distance relations.
Think of some of the world’s largest companies and consider their spatiality! For example:
• BP plc3 is one of Britain’s biggest companies and one of the largest oil and petrochemicals
groups in the world. The company has operations in over 70 countries. During 2003 it
employed 103,700 employees and generated revenues of $233bn.
• HSBC plc4, the world’s ‘local bank’, was founded in 1865 and had (at the start of 2004) 9,500
offices worldwide, with 223,000 employees in 79 countries. The company now processes
over 13 billion customer transactions annually including 87 million internet transactions.
• Time Warner5 Inc is the world’s leading media and entertainment company, whose businesses
include filmed entertainment, interactive services, television networks, cable systems,
publishing and music. For the year 2004 the company had approximately 80,000 active
employees throughout the world and generated revenues of approximately $39.6bn.
So, we have three very diverse, very global companies.
In a broad context, as companies such as Time Warner Inc, HSBC plc, and BP plc expand and
grow – as they become evermore spatially remote – they become increasingly dependent on systems
and procedures, on interconnectivity and on the creation and development of boundaries. Not
only interconnectivity internally between companies within the group but, more importantly,
externally with other companies outside the group structure or group boundary: between
companies as ‘bounded’ systems and between the commercial environment (the marketplace)
as a higher ‘bounded’ system. So the need for a trust in systems and procedures becomes an
evermore entrenched component within the marketplace and the market structure. Such trust
becomes manifestly hierarchical, increasingly virtual and evermore essential (see Figure 3.1).
It is perhaps important to note that this trust in systems can be both explicit – that is through
formally agreed contractual agreements – or implied – that is through the development of
informal indirect dependencies/relationships.
More importantly, as a system or set of systems evolves and expands (or more appropriately
as ‘political’ participants within or responsible for the system or systems facilitate such
an evolution), they do so not only by creating more and more interconnections but also by
eliminating redundant systems and inert connections. For example, a company can enter a new
market by either:
• the development of a new range of products and/or services, or
• the acquisition of an existing company.
Whichever strategy is adopted, the expanding company will create and seek to sustain new
interconnections and new interdependencies whilst at the same time possibly destroying and/or
relinquishing others. And so?
Well, as these changing interconnections become evermore complex – as the level of interconnectedness
and interdependency rises – so boundaries become evermore difficult to monitor
and control. Such boundaries become increasingly more porous – and their effectiveness becomes
increasingly more unpredictable. As a consequence, the level of risk and inherent uncertainty
within the system or systems rises, increasing the potential for entropy, chaos or failure.
(Remember we are talking here about semi-open ‘created’ systems, whose environment is at
best volatile and at worst extremely erratic, and where interconnections and interdependencies
are created and destroyed in an often chaotic and random manner.)
As the potential for risk and inherent uncertainty rises – as the risk of possible failure and the
level of insecurity rises – so the level of trust in the system or systems rises up to a point, a point
at which the cost of such trust in systems outweighs the possible benefits to be gained.
Have a look at the following example.
DFL plc is a large, established, international company seeking to expand its business activities
into a third world country. Clearly risks will exist – certainly in terms of country risk. For
example country risk could arise out of a country’s government actions/policies that seek to
either expropriate corporate assets and/or profits, impose discriminatory pricing intervention
policies, enforce restrictive foreign exchange currency controls, and/or impose discriminatory
tax laws.
On a more socio-political level such country risk can also arise out of a country’s government
actions/policies that seek to impose social/work-related regulations that offer preferential
treatment to domestic companies, restrict the movement of corporate assets and resources,
and/or impose regulations that restrict access to local resources.
To minimise such risk and uncertainty the company would most likely hope to develop, create
and foster a range of risk minimising strategies that could, for example, include:
• obtaining insurance against the possibility of any potential expropriation of the company’s
assets,
• negotiating with host governments potential concessions and/or guarantees,
• structuring the company’s financial and operating policies to ensure they are acceptable
to and consistent with regulatory requirements,
• maintaining high levels of local borrowing to cover against the possibility of government
action adversely affecting exchange rates,
• encouraging the movement of surplus assets from host country companies to the home
country companies,
• developing close social/political relationships with host country institutions,
• internationally integrating production to include host and home country companies to
ensure the former are dependent on the latter,
• locating research and development activities and any proprietary technology in the home
country to reduce the possibility of expropriation,
• establishing global trademarks for company products and services to ensure such rights
are legally protected domestically and internationally, and
• encouraging local participation in company activities and inviting local shareholders to
invest in the company’s activities.
Each of the above would invariably involve developing interconnections and interdependencies
with a range of organisations – the greater the perceived risk the more intense these become,
essentially to minimise any possible boundary incursion and protect the company from
possible risk of loss and/or adversity.
There is however a second important issue to consider. That is as the level of interconnectedness
and interdependency rises – as the level of trust in the system or systems rises – so does
the ‘imposed’ level of monitoring and control. In fact, as complexity and uncertainty within
a system or interconnected systems rises, so the systems themselves become less concerned with
the underlying context/rationale for such trust and a means of efficient operation, and more
concerned with governance and control, an adaptation process that during the 20th century
we have come to call bureaucracy.
But why does this so-called adaptation occur? In a corporate context at least, this silent
conversion – this almost velvet revolution – occurs as systems within a hierarchy attempt to
minimise at best any possible loss or at worst complete failure, not only of the company but
the market as a whole!
In essence, as lower-level systems become increasingly more interconnected and more integrated
into higher level systems, so the higher-level systems can and do exert greater influence and
control on the lower-level systems. At best, this can be good because in a corporate/market
sense at least, it can lead to the creation of a so-called ‘level playing field’, a fair, albeit competitive,
marketplace. However, at worst it can lead to excessive surveillance and regulation, and thus lead
to unfair competition and potential abuse. Indeed an endemic attribute of the ever-expanding
influence of the marketplace – of market capitalism – is that features and system characteristics
that often start out as ‘facilitators’ of commercial activity can (and very often do) eventually end
up as conduits of ‘economic politicalisation’ and ‘bureaucratisation’.
Why? Because such endemic risk and uncertainty – as emergent features of the ever-changing
interconnections and inter-dependencies – result in:
• an increasing need for environmental surveillance to monitor how these ever-changing
interconnections and inter-dependencies may cause potential failure and possible loss,
and
• an increasing use of regulation and control to minimise the impact of such ever-changing
interconnections and inter-dependencies.
Why? Because such thinking not only lies at the foundation of liberal economic thought, it is (in
a contemporary context at least) now the dominant ideology within the contemporary global
marketplace!
So now that we have a general context for control let’s have a look at how control is a key
component of the so-called corporate governance triad:
As suggested earlier, in a superficial context (albeit an often overly emphasised context) the
hierarchical nature of the marketplace provides a contextual mechanism through which companies
not only exchange goods and services, but generate income and profit, and thus provide
a context for their future survival. It is, however, also a highly integrated and dynamic systemic
framework. A socio-political framework through which companies seek to:
• interpret and understand the context of environmental change, and
• manage and where appropriate minimise/maximise the consequences of such environmental
change.
More importantly, it is a framework through which contemporary notions of corporate
governance – of accountability and of responsibility – are both articulated and operationalised.
Corporate governance is, as suggested by Cadbury (2000), concerned with holding a balance
between the economic, social (and political) goals of individuals and of the community. A
(pro)active corporate governance framework is essential to:
• encourage (and ensure) the efficient and effective use of resources, and
• require accountability for the stewardship of those resources.
Thus, the aim of corporate governance is to align as closely as possible the interests of individuals,
of companies and of society, and involves a control framework founded on regulation,
surveillance and on control.
Although an in-depth discussion on corporate governance is beyond the scope of this book,
an understanding of the component aspects of corporate governance, that is:
• regulation,
• surveillance, and
• control,
is not.
Regulation
Regulation relates to the provision of prescribed rules of operation and codes of practice that
are designed to provide a framework for not only uniformity of action, but also accountability/
responsibility for such action. Consequently, such prescribed rules of operation/codes of practice
are normally process and/or procedure related – that is they define, they facilitate and they
constrain not only what can be done but more importantly, how it can be done, where it can be
done and when it can be done.
Whilst in a corporate context, modes of regulation/rules of operation/codes of practice may
be seen as ‘democratically negotiated’ they are:
• often imposed – whether internally and/or externally,
• often hierarchical in content – that is they operate at different socio-political levels, and
• generally pluralistic in context – that is they may not only have multiple origins, they may
also impact on different levels within an organisation in different ways.
Indeed, in a ‘free’ market context, regulations generally evolve from a combination of pressures
from the state, the market and the community – although invariably the levels of pressure exerted
in the struggle to manage/enforce regulatory pronouncements are not necessarily reflective of
that order.
Surveillance
Surveillance is synonymous with notions of supervision – of close observation – and relates to
any process or mechanism through which information on, or knowledge of the efficiency and
effectiveness of extant modes of regulation/codes of practice/rules of operation can be obtained.
Whilst in a societal context, surveillance is often associated with contemporary notions of a
‘big brother’ type imposed control and overly invasive bureaucratic monitoring of social and
economic activities and processes, it is (in a corporate context at least) essentially an economically
driven political process – a process concerned primarily with appropriating information and
knowledge as both a current and future basis of power, of control, of gain. Thus in a corporate
context, surveillance processes exist to assist companies in:
• seeking out opportunities and managing competition,
• understanding and controlling change (political and technological),
• mediating disputes,
• making decisions, and ultimately
• enforcing regulations.
Control
Whilst there are many definitions of control (see the introduction to this chapter), for our
purposes, we will define control as two distinct but interrelated activities.
Firstly, we will define control as the processes/mechanisms through which compliance with
extant modes of regulation/codes of practice/rules of operation are monitored and enforced.
Secondly, we will define control as the power/ability to influence either directly or indirectly
another’s (either individual and/or corporate entity) activities.
In a broad sense, notions of control encapsulate an ability to determine, facilitate, and/or
constrain such activities by enforcing adherence to and compliance with approved systems,
policies and procedures – to ensure the maintenance of hierarchical responsibilities and
accountabilities.
Although control may be:
• internal/external,
• direct/indirect,
• formal/informal,
• voluntary/statutory,
• facilitating/constraining, and
• mechanistic/organic,
the socio-political context of control as an organisational mechanism, is neither socially neutral
nor economically impartial. Control is a political process at the centre of which is the need for
access to, and use of, information and knowledge.
But what is the purpose of control? In a corporate context at least, as a ‘constructed artificial
process’, control is designed to assist a company in:
• promoting environmental fit,
• minimising the impact of environmental (socio-economic) disturbances,
• providing a framework of conformity (organisational isomorphism),
• promoting the coordination of action and resource utilisation, and
• promoting the socialisation of people and procedures.
In essence, control operates on three economically determined but nevertheless socio-political
levels.
and secondly – and perhaps more importantly – by the socio-political context through which
such controls are politicised and operationalised – that is whether controls are:
• coercive,
• mimetic, and/or
• normative.
For the moment however it would perhaps be useful to recap on a number of key control
contexts identified in the discussion so far:
• control is a primary management task – as part of the wide corporate governance ethic,
• control processes and procedures exist/function as a facilitator of organisational action,
• control mechanisms are socially constructed political processes designed to ensure that
operations/activities proceed and/or comply with extant modes of regulation/codes of practice/
rules of operation,
• control is necessary because unpredictable environmental disturbances occur that can
result in actual performance deviating from expectations, and/or a failure (whether
passive or active) to comply with extant modes of regulation/codes of practice/rules of
operation.
To illustrate the basic elements of control, for the remainder of this chapter we will consider
control as a mechanism for the identification and management of deviations from expectations
– the description in the last point above.
Since control is exercised within the system – that is there is no interaction with the external
environment – such a control function would normally be regarded as a closed system, and
would be fairly mechanistic and more than likely automated, and in contemporary corporate
accounting information systems probably computer-based. A higher-level loop (or loops) may
consider large or excessive variations between expectations and outcomes, and/or consistency
of expectations over a range of company locations and/or reporting periods, and would therefore
be concerned with the strategic or ‘big picture’ view. Such a higher-level loop (or loops)
may, where appropriate, take action to revise/review plans/expectations.
Whilst interconnecting (or nesting) feedback loops to create multi-level loops has become
commonplace in contemporary corporate control systems, it is perhaps worth considering the
law of requisite variety6 which provides that:
for full control . . . a control system should contain controls at least equal to the system it is
wished to control.
This fairly abstract rule (it is perhaps a little excessive to call it a law) provides two key
points. Firstly, simple control systems cannot effectively control large complex systems – that is
closed feedback systems are only suitable for simple systems. Complex systems require open-
loop feedback and feedforward control systems. Secondly, increasing levels of control may
result in the imposition of excessive time delays and additional costs which may render the
system both redundant and inefficient.
Sounds familiar – absolutely! The law effectively operationalises the notion of bureaucracy
as excessive levels of control.
In many instances, such events are beyond the control of the company, and as such all that the
management of the company can do is to attempt to minimise/maximise the possible adverse/
favourable consequences of such environmental disturbances by the active maintenance of
feedforward procedures, processes and mechanisms.
It is perhaps important to note that the two types of control explored above – namely
‘feedback’ and ‘feedforward’ – are not mutually exclusive. Feedforward control systems are
often combined with feedback control systems. Why?
Firstly, feedforward control systems facilitate a rapid response to any environmental disturbance
and feedback control systems correct any error in the predetermined adjustment made
by the feedforward control system. Secondly, feedforward control systems do not have the
stability problems that feedback control systems can and often do have, especially in feedback
control systems that require some human intervention. Feedforward needs to be pre-calibrated
whereas feedback does not: that is feedforward control applies to disturbances with known effects.
So, the management of a company can only react to forthcoming disturbances if it is able to
assess the potential effect of such disturbances.
Types of feedback
Before we consider some of the problems that can emerge within a control system and explore
the issues of feedback and feedforward within the context of a case study scenario, it would
perhaps be useful to define alternative types of feedback and feedforward.
Positive feedback
Positive feedback is feedback which causes a system to amplify an adjustment result – that is
positive feedback acts in the same direction as the measured deviation and thus reinforces the
direction in which the system is moving.
Negative feedback
Negative feedback is feedback which seeks to reduce/minimise fluctuations around a standard
or an expectation – that is negative feedback acts in the opposite direction to the measured
deviation and thus the corrective action would be in the opposite direction to the error.
Types of feedforward
Whilst it is not customary to distinguish between positive or negative feedforward, it is possible
for each variant to exist.
In the real world, complex business organisations will invariably possess integrated control
systems that consist of both feedback and feedforward, possibly at double if not greater
multiple nested levels (see Figure 3.8).
The reason for this is that:
• companies are invariably hierarchical and comprised of many interconnecting systems and
sub-systems,
• relying on single-loop feedback may result in action being taken too late which may increase
the possible risk of failure,
• relying on single-loop feedback may result in incorrect action being taken which may also
increase the possible risk of failure,
• relying only on feedback may not alert the company to environmental changes that may
have a significant impact on future activity, and
• feedforward, whilst important, would not on its own be able to instigate the appropriate
corrective action where inefficiencies exist.
Figure 3.8 Feedback and feedforward control loops – the full picture
There are many issues that have an impact on the effectiveness and efficiency of a control system.
Such factors include:
• timing of the control action,
• delays in the control cycle,
• internal contradiction,
• political nature of management control systems,
• behavioural aspects of control systems, and
• organisational uncertainty.
Clearly this is not an exhaustive list, but merely illustrative of the possible problems a company
could face.
There can be little doubt that control action is most effective when the control time lag is short
– that is when the time difference between the determination/measurement of a deviation from
expectations and the implementation of action to redress the divergence is minimised.
For example, monitoring budgetary performance is commonplace in many large companies.
If a large deviation between expected performance (budget) and actual performance was to occur
in a large manufacturing facility of a national company, in month 2 or 3 of the financial year –
let’s say the overspend is the result of excessive raw material wastage due to poor quality raw
materials – then waiting until month 5 or 6 or even later could result not only in excessive losses
being carried by the production facility, but also possible losses being incurred in other areas of
the company due to possible loss of trade, etc.
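The effect of control time lag described above, together with the earlier point that feedback corrects the residual error of a pre-calibrated feedforward adjustment, can be traced numerically. The following Python example is added here and is not from the book; the single cost-centre model, the figures, and the names `simulate`, `run_scenarios` and `total_deviation` are all assumptions made for illustration.

```python
"""Added illustration: feedback, feedforward and control time lag.

Assumed model (not from the book): one cost centre with a fixed budget per
period, a step disturbance (e.g. raw-material wastage) adding cost from
`onset` onwards, and corrective action that removes cost.
"""


def simulate(periods, onset, size, lag=1, gain=0.0, ff_estimate=0.0):
    """Return the per-period deviation (actual cost minus budgeted cost).

    lag         -- periods between a deviation occurring and being reported
    gain        -- share of each reported deviation that is corrected
                   (0 switches feedback off)
    ff_estimate -- pre-calibrated estimate of the disturbance's effect,
                   applied the moment the disturbance arrives
                   (0 switches feedforward off)
    """
    if lag < 1:
        raise ValueError("a deviation cannot be reported before it occurs")
    deviations = []
    feedback_action = 0.0
    for t in range(periods):
        disturbance = size if t >= onset else 0.0
        # Feedforward acts immediately, but only as well as it was calibrated.
        feedforward_action = ff_estimate if t >= onset else 0.0
        # Negative feedback: act against the deviation reported `lag` ago.
        if gain and t - lag >= 0:
            feedback_action += gain * deviations[t - lag]
        deviations.append(disturbance - feedforward_action - feedback_action)
    return deviations


def total_deviation(deviations):
    """Sum of absolute deviations: over- and under-correction both cost."""
    return sum(abs(d) for d in deviations)


def run_scenarios(periods=12, onset=2, size=100.0):
    """Constructed scenario: an overspend of 100 per month from month 2."""
    return {
        # Deviation reported one month later and half of it corrected.
        "feedback_lag1": simulate(periods, onset, size, lag=1, gain=0.5),
        # Same controller, but reports arrive three months late.
        "feedback_lag3": simulate(periods, onset, size, lag=3, gain=0.5),
        # Disturbance anticipated, effect under-estimated as 80.
        "feedforward_only": simulate(periods, onset, size, ff_estimate=80.0),
        # Feedforward for speed, feedback to remove the residual error.
        "combined_lag1": simulate(periods, onset, size, lag=1, gain=0.5,
                                  ff_estimate=80.0),
    }


if __name__ == "__main__":
    for name, devs in run_scenarios().items():
        print(f"{name:17s} total={total_deviation(devs):9.3f} "
              f"final={devs[-1]:8.3f} worst_overshoot={min(devs):7.1f}")
```

With the three-period lag the same controller keeps acting on out-of-date reports, so the deviation swings past zero into over-correction, while feedforward alone leaves the uncorrected 20 in every period.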
But why do such delays occur? Problems in the timing of control action can occur as a
result of:
• an inefficient organisational structure – that is excessive levels of management (e.g. where
the company requires information concerning possible deviations from expectations to be
processed and monitored by a number of managers at a number of different levels),
• an inappropriate reporting period/lack of speed – that is excessive waiting periods between
the identification/measurement of a deviation and the making of that information available
so that control action can be taken (e.g. where budgetary performance in May is not made
available until June), and/or
• an ineffective information content – that is where the information available for control
action is either inaccurate and/or lacking in appropriate detail.
Is there a possible solution to any of these problems? Difficult to say, but as a general rule
control decisions/action should, where at all possible, be made at the lowest possible hierarchical
level – that is as close to the event (the source of the deviation) as possible.
Whilst eliminating:
may improve the effectiveness of the control action, it is also important that corporate control
systems should seek to ensure that:
• control action is taken as soon as possible after any deviation has been identified/measured,
• environmental disturbances are recognised and acted upon as soon as possible, and
• the concentration of control action is correctly focused on those areas of greatest potential
risk.
Nevertheless, and often despite the best actions of corporate managers, delays in control action
can and indeed do arise at various stages of a control cycle. Such delays would, for example,
include:
• collection delays,
• assessment delays,
• decision making delays,
• implementation delays,
• impact delays, and
• control delays.
Internal contradiction
Internal contradiction or ‘push/pull’ problems arise from conflict resulting from the existence
of multiple control factors within a system and/or group of interconnected systems. In
a corporate environment such internal contradiction can arise where a system’s and/or
sub-systems’ boundaries are ill defined and its objectives/goals are contradictory. For example, a
company whilst seeking to maximise shareholder wealth may nevertheless possess a range of
secondary objectives that may – at least in the short term – result in contradictory pressures
existing within the company. These could be, for example, seeking to maximise high-quality
product specifications or attempting to maintain high levels of employee development whilst
seeking to minimise/reduce overall costs.
Whilst the existence of such multiple objectives is clearly not uncommon, the role of corporate
strategic managers is to ensure that such conflicting objectives are prioritised and accommodated
as painlessly as possible (i.e. with as little financial loss as possible) since such conflicting
objectives can, if not appropriately managed, result in the inefficient use of resources and, in a
systems context at least, possible entropy and ultimately systems failure.
Let’s look at some of these key elements of control theory in more detail in the context of the
following case study scenario: Westelle Ltd.
CASE STUDY
Westelle Ltd
Westelle Ltd is a large, UK-based, machine component manufacturing company that has been
trading successfully for approximately 45 years. The company has a number of production
facilities and wholesale retail outlets throughout the UK. The sales of Westelle’s products currently
account for approximately 18% of the total market for machine components in the UK.
Anthony Fisher is production manager of Westelle’s Newcastle production facility. The
company has five other production facilities located in Glasgow, Birmingham, Leeds, Swindon
and Bristol, and four wholesale retail outlets located in Manchester, Bradford, Sheffield and
Cambridge. The company’s head office is in York.
The Newcastle production facility is a specialist non-trading division of the company. The
production facility has limited contact with outside agencies (apart from contacting suppliers)
and has no retail staff. Transactions at each of the six production facilities are internal in nature
– that is with other production facilities and/or wholesale retail outlets within the company.
For accounting purposes, all the company’s production facilities are treated as cost centres
rather than as income-generating revenue or profit centres.
Because of the company’s somewhat dispersed geography, both wholesale retail managers and
production facility managers meet on a regular basis but usually only every two months at the
company’s head office in York. They discuss management issues relating to the company’s activities.
It is also common practice for head office managers including the company accountant, the
company personnel manager and the company operations manager to attend these meetings.
The chairmanship of the senior committee is rotated on an annual basis. This year the
chairmanship is in the hands of John Lightman-White, Westelle’s operations manager.
Although the August 2004 meeting agenda was unremarkable and similar to those of previous
numerous meetings, the final agenda item – proposed by Anthony Fisher – was somewhat unusual
and bound to raise the ambient temperature of the meeting. The agenda item concerned the
ineffectiveness of the company’s budgetary system as a corporate control mechanism.
The meeting commenced at 10:15 am in the board room at the company’s head office in
York. After nearly 1½ hours of rather mundane pleasantries, bureaucratic idiosyncrasies and
tedious committee protocol, at approximately 11.45 pm John Lightman-White, in his role as
chairman, looked at Anthony Fisher, and said, ‘I believe this final item is your agenda item
Anthony – the meeting is yours.’
With that Anthony looked around at the other members of the committee and took a
deep breath. He began: ‘As you may well know, I have been at Newcastle production facility
of Westelle Ltd for a little over 18 months and have during that time become increasingly
concerned about the ineffectiveness and inefficiency of the company’s budgetary control system.
In my opinion, and may I add an opinion supported by many of you around this table, the
company’s corporate accounting department – its accounting information system and in
particular its budgetary control system – provides little useful information for either production
managers or wholesale retail managers. The historical emphasis of the accounting information
system – the historical nature of the budgetary control statements issued monthly to
production and wholesale retail managers – continues to have a negative motivational impact
on managers because the statements fail to reflect adequately on how efficiently and effectively
both production and wholesale retail managers are in their day-to-day managerial activities.
Indeed, despite repeated representations to the company head office by many of the production
facility managers and repeated attempts to discuss/explore these concerns with the company
accountant, over the past 12 months little has changed.
‘In my opinion, the budgetary control statements produced by corporate head office not
only lack any realism, they are ambiguous, confusing, disingenuous and misleading.
‘Over the past year the Newcastle production facility – and may I also add, the Birmingham,
Leeds and Swindon production facilities – have all exceeded their budgeted production targets.
Yet for the past 12 months the budgetary control statements continue to show Newcastle,
Birmingham, Leeds and Swindon production facilities as carrying excessive costs. This despite
the Newcastle and Leeds production facilities making substantial improvements in raw materials
used in the production process, and the Birmingham and Swindon production facilities making
vast improvements to man-hour output levels – none of which has been, nor will be to my
knowledge, ever reflected in the production facilities budgetary control statements. It appears
that any information provided by production and wholesale retail managers to head office –
and in particular the company accountant – is continually ignored as irrelevant.
‘Looking back over the past two years’ budgetary control statements, all six of the production
facilities have shown negative total variances for 20 out of the 24 months – and there appears
little that either the production and/or the wholesale retail managers can do.
‘It is clearly time for the accounting information system – and the budgetary control
statements – to reflect what is actually happening at the various production and wholesale
retail facilities and not some abstract notion created by head office accounting staff of what
“might” be happening.
‘Perhaps the company accountant would like to comment using the June 2004 budgetary
control statement for the Newcastle production facility and explain why, as in the previous
15 months, actual head office costs have exceeded the budgeted head office costs.’
Anthony distributed a copy of the report to each of the committee members.
Materials
Potassium ethnolitrate 2,000 1,980 (20)
Abelithium 1,980 1,970 (10)
Zinctricate 460 408 (52)
Labour
Skilled 1,200 1,200 0
Technician 1,180 1,090 (90)
Semi-skilled 3,040 3,010 (30)
Manual 560 540 (20)
‘Alun, would you like to respond,’ asked the chairman. After a brief pause, Alun Wayle rose
to his feet and began his response. ‘Firstly, I think it would be inappropriate for me to respond to
the specifics in terms of levels of head office expenditure at each of the outlying production/
wholesale retail facilities as raised by the Newcastle production facility manager.’
‘That’s a surprise,’ whispered Anthony.
Whilst the other production facility managers smiled at Anthony’s witty rhetoric – the company
accountant scornfully ignored the comment, treating it with the contempt he believed
it deserved. ‘However,’ he continued ‘what I think is important is that we must not lose sight
of the bigger picture. The accounting information system and the budgetary reporting system
are a component part of a larger corporate information system that has operated successfully
in the company for a number of years. Whilst the past few years has seen some change
– the introduction of the company’s new “online” accounting system and increased network
facilities – the core accounting system has remained generally unchanged and in my opinion
rightly so. The budgetary reporting systems have, and indeed continue, to operate and satisfy
all the reporting requirements as laid down in the company’s operation procedures guidelines
issued some two years ago – and may I add agreed and ratified by this committee. More
importantly, to undertake changes alluded to by the Newcastle production facilities manager
would require substantial investment – funds which the company does not have available at
its disposal.
‘Whilst the budgetary control statements, produced by the budgetary reporting system are
the basis for:
• evaluating the efficiency of both production facilities and wholesale retail facilities, and
• determining whether managers have complied with the company’s longer-term strategy and
performed in accordance with set targets,
both production and wholesale retail managers should not worry too much. None of you have
been sacked – yet!’
At this Anthony became extremely annoyed and agitated by the truculent attitude and
arrogant demeanour of the company accountant. From discussions with other production
managers, in particular Jessica Lee, the production manager of the Swindon facility, Anthony
was certain that the company accountant was incorrect. He was aware for example, that over
the past few years, because of the introduction of new computing technology, some rather
substantial changes to the financial reporting systems of other non-production and non-retail
facilities had been made.
As the company accountant retook his seat, Anthony rose to his feet without invitation, and
started his reply. ‘May I say that I find the egotistical attitude of the company accountant both
naïve and insulting! I am sure that Alun is aware that the staff turnover of production managers
at the company continues to be extremely high even though “few” managers have ever been
sacked. Most managers seemed to resign – usually in disgust because of the belief that they are
not being fairly evaluated – a point I’m sure the company personnel manager could confirm
from his personnel records.
‘The following are typical comments of production managers who have left Westelle Ltd
over the past year:
• ‘The company accountant may well be able to justify the numbers they use – but they know
nothing about production. I just used to ignore the budgetary control statements entirely
and pretend they didn’t exist.’ Len Chapman ex Production facilities manager Leeds
• ‘No matter what they say about firing people, negative budgetary control statements mean
only one thing – negative evaluations.’ Bryn Robson ex Production facilities manager Swindon
• ‘The company head office in York has never and probably never will listen to production
facility managers. They see us as inconsequential – as a blot on the landscape. All the head
office bureaucrats are concerned with are those wretched misleading budgetary control
statements.’ Jim Barnes, ex Production facilities manager, Bristol
‘The market we operate in is a select and highly specialised market. Of the five managers who
have left the company over the past year, four of them – including the three I have quoted –
have taken posts of a similar nature with companies in direct competition with Westelle. Surely
that cannot be good for the company – can it!’
‘Absolutely not,’ said Herald Bosse, company personnel manager, ‘but may I point out . . .’.
‘Perhaps you could point it out at a later date,’ said John Lightman-White, chairperson.
‘Unfortunately we have run out of time. As you are all aware head office imposes a time limit
on our meetings of two hours and we have just about reached that time limit. Perhaps we can
carry the discussion on item 12 over to our next meeting – on 9 October 2004. Agreed?’
‘Looks like we have no alternative,’ said Anthony disdainfully. ‘Yes – it does look as if we
have no alternative, doesn’t it,’ replied the chairman. There were no further dissenting voices.
The meeting was adjourned.
The protagonists
Anthony Fisher is a highly qualified and experienced production facilities manager, who appears
competent and both accommodating and flexible inasmuch as he is willing to accept and adopt
new procedures. He also appears to care about the quality of his production facilities’ output.
However, currently he appears frustrated and perturbed at the reluctance of the company’s
head office to consider what he believes are important control issues and thus feels demotivated
and under-valued.
Alun Wayle is an accountant of many years’ experience who appears to care very little
about departmental issues outside the confines of the head office. He is rather unsympathetic
to concerns expressed by production facilities and wholesale retail managers, and unwilling (or
even perhaps unable) to change. He is very much a bureaucrat in the traditional sense, and
appears to have an extremely negative attitude towards criticism often treating it with rancour
and contempt. He also appears to reject any advice – without any constructive discussion –
despite such advice clearly being well-founded and appropriate.
But what are the key problems/control issues? Before we look at these it would be useful to
consider the key sources and/or factors underpinning these problems/control issues.
Concluding comments
Control, trust in systems, feedback, feedforward and control loops are now an endemic part of
corporate activity. They are a product of:
• the evermore virulent spread of ‘market-based’ competitive capitalism, and
• the increasing ‘public/media’ demands for greater corporate responsibility and accountability,
i.e. for more effective corporate governance.
References
Amin, A. (1994) ‘Models, Fantasies, and Phantoms of Transition’, in Amin, A. (ed.) Post Fordism,
Blackwell, London.
Ashby, W.R. (1956) An Introduction to Cybernetics, Chapman & Hall, London (available at
http://pcp.vub.ac.be/books/IntroCyb.pdf).
Cadbury, A. (2000) in ‘Global Corporate Governance Forum’, World Bank.
Cerny, P.G. (1994) ‘The dynamics of financial globalisation – technology, market, and policy
response’, Political Sciences, 27, pp. 319–342.
Giddens, A. (1990) The Consequences of Modernity, Polity Press, Stanford, CA.
Harvey, D. (1982) The Limits to Capital, Blackwell, Oxford.
Harvey, D. (1990) The Condition of Post Modernity, Basil Blackwell, London.
Lipietz, A. (1994) ‘Post Fordism and Democracy’, in Amin, A. (ed.) Post Fordism, Blackwell,
London.
McChesney, R. (1999) ‘The New Global Media: It’s a Small World of Big Conglomerates’, The
Nation, 269(18), pp. 11–15.
Parsons, T. and Shils, E. (1951) Towards a Theory of Social Action, Harvard University Press,
Cambridge, MA.
Palloix, C. (1975) ‘The Internationalisation of Capital and the Circuits of Social Capital’, in
Radice, H. (ed.) International Firms and Modern Imperialism, Penguin Harmondsworth,
London.
Palloix, C. (1977) ‘The Self Expansion of Capital on a World Scale’, Review of Radical Political
Economics, 9, pp. 1–28.
Savage, M. and Warde, A. (1993) Urban Sociology, Capitalism and Modernity, MacMillan, London.
Bibliography
Bertalanffy, von, L. (1975) Perspectives on General Systems Theory, Braziller, New York.
Bertalanffy, von, L. (1976) General Systems Theory, Braziller, New York.
Checkland, P. (1981) Systems Thinking, Systems Practice, John Wiley, London.
Harry, M. (1994) Information Systems in Business, Pitman, London.
Kim, D.H. (1999) Introduction to Systems Thinking, Pegasus Communications, London.
Laszlo, E. (1996) Systems view of the world, Hampton Press, London.
Lucy, T. (2000) Management Information Systems, Letts, London.
Wienberg, G. (2001) Introduction to General Systems Theory, Dorset House, London.
Websites
www.systemsthinkingpress.com
(Chaos Theory – Critical Thinking, Organisational Development Portal)
http://pespmc1.vub.ac.be/
(Principia Cybernetica webpage)
Other websites you may find helpful in gaining an insight into more accounting-related
discussion and systems thinking include:
www.accaglobal.com
(Chartered Association of Certified Accountants)
www.cimaglobal.com
(Chartered Institute of Management Accountants)
www.ft.com
(Financial Times)
www.economist.com
(Economist)
www.guardian.co.uk
(Guardian)
www.accountingweb.co.uk
(General accounting website)
Self-review questions
1. What is control?
2. Why is control necessary in any type of social organisation?
3. What are the basic elements of a control cycle?
4. What is a feedback loop?
5. What are the key components of a feedback loop?
6. What is a feedforward loop?
7. What are the key components of a feedforward loop?
8. Distinguish between negative feedback and positive feedback.
9. Why is the law of requisite variety important in control systems?
10. Why is control often regarded as a political process?
Question 1
Control is a fundamental issue for any company seeking to function efficiently and maximise the wealth
of its shareholders. Describe the basic elements of control and explain why it is necessary in corporate
organisations.
Question 2
One component aspect of control theory is surveillance. Identify and describe the systems of ‘surveillance’
you would expect to find in a large manufacturing organisation and describe the likely impact of constant
surveillance on employees within an organisation.
Question 3
Control systems can generally be divided into three levels:
• operational accountability,
• tactical control, and
• strategic management.
Explain how the increasing use of computer technology and information management has affected processes
and procedures at each of the above three levels of control.
Question 4
(a) Why is the timing of control important and what delays could exist in a company’s control cycle?
(b) What would be the possible consequences of excessive delays in a company’s control cycle?
Question 5
Does the control function differ between soft systems and hard systems?
Assignments
Question 1
You have recently been appointed as systems accountant for KLW Ltd, an established FMCG company
located in Newcastle. The company has retail outlets throughout the UK and has been operating successfully
for approximately 35 years. During 2003, KLW Ltd’s turnover was £102m with after-tax profits of approximately
£26.5m.
The company currently operates a networked computer-based accounting information system with a
growing percentage (currently approximately less than 3% of annual turnover) of its transactions
occurring through its web-based e-commerce facility.
At a recent board meeting the managing director of the company presented the following extract taken from
Tesco’s annual review and summary financial statements:
Tesco.com is the largest e-grocer and most profitable e-retail business in the world. Tesco.com sales for
the year ended 22 February 2003 have increased by 26% on last year. This year (year ended 22 February
2003) our turnover reached £447m. Each week in the UK we deliver over 110,000 orders. We have 65%
share of the UK internet grocery market.
We are the only UK supermarket to offer a nationwide service, covering 96% of the population. (2003: 26)
In my opinion the future strategy of our retail activity should seek to fully embrace an increasing e-commerce
facility. With potential growth opportunities in excess of 25%, we should aspire to use the available
technology in all our retail activities. Although we cannot compete directly with companies like Tesco we should
nonetheless seek to embrace the competitive advantage e-commerce offers companies like KLW Ltd.
After protracted discussion and despite some reservations, following the managing director’s somewhat brief
presentation, the board made the following three resolutions:
• Resolution 1: to develop an e-commerce facility and aim for an overall turnover of approximately 25% of
total sales by 2006.
• Resolution 2: to develop financial and accounting controls to ensure the efficient and effective operation of
such an e-commerce facility.
• Resolution 3: to appoint a sub-committee (to be chaired by the managing director) to monitor the
development of the company’s e-commerce facility.
Following the sub-committee’s first meeting in December 2003, you received the following internal memorandum:
Internal Memorandum
From: Chair
E-commerce sub-committee
To: Systems Accountant
Date: 05 January 2004
the members of the e-commerce sub-committee have requested a formal presentation on a range of issues
related to the development of an extended e-commerce trading platform.
As part of the above discussion, the members of the e-commerce sub-committee would like you to provide
a description and evaluation of the control-related activities you would expect to find for such a facility to
operate efficiently and effectively.
Required
Prepare a discussion document for the chairman of the e-commerce sub-committee in which you cover all
the issues raised in his internal memorandum dated 5 January 2004.
Question 2
Learn-a-lot Ltd is a small but expanding Leeds-based retail company that provides computer-based
educational facilities and equipment for a range of public and private sector colleges and universities specialising in
postgraduate professional IT courses. As a result of a recent increase in demand for the courses offered by
universities and colleges, the company is considering expanding its current retail facilities.
The company is seeking to establish a presence in both Hull and York in order to benefit from the high number
of undergraduate university students studying IT and computer science related degrees.
The company is, however, aware that such an expansion would require not only a substantial capital
investment, but also a significant change in the company’s accounting information systems procedures, especially
those concerned with the recording of sales income.
Required
As their recently appointed systems accountant, prepare a report for the management of Learn-a-lot Ltd on
the importance for a company like Learn-a-lot Ltd to possess a cohesive control structure within its
accounting information systems and the possible consequences of a failure of such controls.
Chapter endnotes
1. The general context of control will be discussed within an ‘equilibrium-based theory’ or a
‘stable state theory’ of organisation in which the tendency is towards consensual explanations
pointing towards norms and values as a basis for mutual coordination (e.g. see Parsons and
Shils, 1951).
2. The term ‘fictitious capital’ was historically used to describe capital that did not productively
employ labour: however in a contemporary context it has become increasingly associated with
an escalating use of credit. Indeed, as Marx put it, fictitious capital is ‘some kind of money bet
on production that does not yet exist’ (Marx quoted in Harvey, 1990: 107). In this context it
is perhaps best described as any financial instrument (including derivative instruments) other
than the tangible commodity of money. In a contemporary context such instruments are often
associated with schemes of risk reduction and risk diversification (see also Harvey, 1982:
Chapter 9).
3. For further information see www.bp.com
4. For further information see www.hsbc.com
5. For further information see www.timewarner.com
6. See Ashby (1956). This is commonly referred to as Ashby’s law.
Part 2
Accounting information systems:
a contemporary perspective
Part overview
Introduction
Technology is society (Castells 1996: 5).
As you are probably aware the late 20th and early 21st centuries have seen what some
would describe as an unrestrained explosion of technological innovation – innovation that
has revolutionised the nature and context of social relations and transformed the very
fabric of social life. A self-accelerating process of technological innovation and development
whose pervasive, integrative and reflexive capacity to facilitate operations and
communications in real time has clearly contributed to a reconfiguration of:
For some, the impact of such technological innovation and development has enabled/facilitated
the creation of new global interdependencies and interrelationships – new global
interconnections characterised by the emergence of:
For others, however, such technological innovation and development has merely fragmented
the very foundations of social life4 and has not only become: intertwined with
rising inequality and social exclusion throughout the world (Castells, 1998: 70), but has
more importantly, contributed to the resulting increase in economic regionalisation, political
territoriality and social segmentation (Castells 1996: 106). Why? Because of what has
become known as the ‘social paradox of technology’!
• considers the social, political and economic impact of information and communication
technology enabled innovations on corporate activities, services and facilities – in
particular corporate accounting information systems,
• examines the increasing dependency of corporate accounting information systems on
information and communication technology enabled innovations, and
• explores how and why the selected adoption of such information and communication
technology enabled innovations has become fundamental to the future of contemporary
capitalism.
Learning outcomes
This chapter explores a wide range of issues relating to information and communication
technology enabled innovations and their implications on the functioning and management
of corporate accounting information systems and provides an introduction to e-business
and the virtual world. (These issues are discussed in detail in Chapter 12.)
By the end of this chapter, the reader should be able to:
• describe the major development stages of information and communication technology,
• consider and explain the impact of information and communication technology enabled
innovations on corporate accounting information systems, and
• demonstrate a critical understanding of the social, political and economic aspects/
consequences of information and communication technology enabled innovations.
Whilst the history of information and communications technology clearly has its roots in
antiquity, a heritage that can be traced back to the ancient civilisations of Babylonia, Mesopotamia
and Egypt, it would perhaps be negligent to consider innovation and development to be
progressive and linear, to believe that the new is always accepted over the old and to assume that
change (especially technological change) is apolitical and neutral. Nothing could be further from
the truth. Why?
Because change emerges from, or perhaps more appropriately is a reflexive product of, the
interaction of a vast array of influences and forces that coexist within an imposed hegemonic
framework – a framework that is neither isolated from nor immune to the social, political and
economic conflict and turmoil that continues to populate many of the institutional
arrangements that comprise its very essence.
In an increasingly uncertain and unpredictable world, a world in which the priorities of
organisational technologies, political bureaucracies and social hierarchies are constantly
reupholstered, reconfigured and redistributed by:
• the complex territoriality of inter-state politics, and
• the chaotic global priorities of capital accumulation,
change is the one certainty that binds the past to the present, and the present to the future.
All change is connected and all change has consequences, however eclectic, random or arbitrary!
So, let’s have a look at a brief (and very selective) history of information and communications
technology.
Pre-1940
• 14 AD (approximately) the Romans establish a postal service.
• 37 AD the first recorded use of mirrors to send messages (Roman Emperor Tiberius).
• 305 AD the first wooden printing presses are invented, in China.
• 1049 the first moveable clay type is invented, in China.
• 1450 newspapers appear in Europe.
• 1455 Johann Gutenberg invents the movable metal-type printing process.
• 1622 William Oughtred invents the slide rule, an early example of an analog computer.
• 1623 Wilhelm Schickard develops the calculating clock, the first calculator.
• 1642 Blaise Pascal invents/develops the Pascaline, a mechanical calculator.
• 1650 the first daily newspaper (Leipzig).
• 1674 Gottfried Wilhelm von Leibniz develops the Step Reckoner.
• 1714 Henry Mills obtains a patent for a typewriter.
• 1801 Joseph Marie Jacquard invents a programmable mechanical loom.
• 1821 Charles Babbage develops the Difference Engine No. 1 and Charles Wheatstone reproduces
sound in a primitive sound box.
• 1831 Joseph Henry develops the first electric telegraph.
• 1835 Samuel Morse develops Morse code.
• 1843 Alexander Bain patents the first fax machine.
• 1861 Pony Express postal service commences.
• 1876 Alexander Graham Bell develops the telephone.
• 1880 Herman Hollerith develops a system for recording and retrieving information on
punched cards (and also starts a company that eventually became IBM).
• 1887 Emile Berliner invents the gramophone.
• 1894 Guglielmo Marconi invents the radio.
• 1906 Lee de Forest invents the electronic amplifying tube (or triode) improving all electronic
communications.
• 1923 Vladimir Kosma Zworykin invents the television or iconoscope.
• 1925 John Logie Baird transmits the first experimental television signal.
• 1951–58 first generation computers are developed with the following features:
  ◦ vacuum tubes are used as the main elements within the computer,
  ◦ paper-based punch cards are used to input data and store data externally,
  ◦ rotating magnetic drums are used for internal storage of data and programs, and
  ◦ computer programs written in machine code and composed using a compiler.
• 1959–63 second generation computers are developed with the following features:
  ◦ vacuum tubes are replaced by individual transistors as the main element within the computer,
  ◦ magnetic tape and magnetic discs are used to store data externally,
  ◦ magnetic core memories are developed, and
  ◦ high-level computer programming languages are developed, for example languages such
    as COBOL7 and FORTRAN8.
• 1964–79 third generation computers:
  ◦ individual transistors are replaced by integrated circuits (silicon-based chips) as the main
    element within the computer,
  ◦ magnetic tape and magnetic discs replace punch cards as external storage devices,
  ◦ metal oxide semiconductor (MOS) memory replaces magnetic core internal memories,
  ◦ advanced programming languages like BASIC are developed, and
  ◦ the computer floppy disc is invented.
• 1975 Bill Gates and Paul Allen create Microsoft Inc.
• 1979 to the present, the fourth generation computers are developed with the following features:
  ◦ large-scale and very large-scale integrated circuits (LSIs and VLSICs) are developed,
  ◦ micro-processors containing ROM and RAM memory, logic and control circuits (an entire
    CPU on a single chip) are developed, and
  ◦ MS-DOS (Microsoft Disk Operating System) debuts.
• 1981 IBM introduces the PC.
• 1983 GUI (graphical user interface(s)) for the PC arrive.
• 1984 Apple Mac is released.
• 1985 CD-ROMs in computers.
• 1990 MS Windows version 3 is released.
• 1991 WWW launched to the public.
• 1994 US government releases control of the internet.
• 1995 MS Windows 95 released.
• 1998 MS Windows 98 released.
• 1999 DVDs in computers.
• 2001 Apple Mac OSX released.
• 2001 MS Windows XP released.
• 2005 number of internet sites between 45 and 50 million.
• 2007 MS Windows Vista released.
And the rest will be history!
Its cultivation, sponsorship and promotion was the product of applied research and development
undertaken by a vast number of unrelated yet inventive and forward thinking individuals
and organisations, located not only throughout the USA, but more importantly throughout
the world. Indeed, whilst the very existence of this so-called ‘internet’ is perhaps made more
remarkable by the episodic and fragmented context of its history, and the contentious and
conflict-ridden controversies associated with its early development, there can be little doubt
that in a contemporary context, as an information and communication facility the internet has
revolutionised the very fabric of polity, society and indeed economy. But what exactly is the
internet?
In a technical context, the term ‘internet’ (as an abbreviation of the term internetwork – see
below) refers to a publicly accessible worldwide system of interconnected computer networks
that are connected by internetworking10 and transmit data by packet switching11 using a
standardised internet protocol (IP)12, and/or other agreed protocols/procedures. The internet
is a created structure, a composed architecture, an interconnected configuration comprising
thousands and thousands of smaller networks. What types of networks? Some academic,
some commercial, some domestic and some government based – all of which carry a vast array
of information and communication services, including for example e-mail messages, electronic
data, online chat and the interlinked webpages and other documents that comprise the world
wide web.
Surprisingly enough the general foundations of the internet can be traced back to the late
1950s and early 1960s. Indeed, it was as a result of:
• the increasing frustration and dissatisfaction with contemporary communication facilities,
and
• the growing realisation of the need for more efficient and effective communication between
an increasing number of users of computer networks and information and communications
systems,
that resulted (according to many academics) in the creation and development of the ARPAnet13
in the USA – a quasi-military/academic network which for many, is inextricably associated with
the birth of the contemporary internet.14
For many the ARPAnet was not only the core network in the early collection/group of
networks that formed the original internetwork, it was and indeed remains the intellectual
predecessor of the internet – as the first packet switching network. More importantly the ARPAnet,
or more specifically its developers and researchers, was fundamental in the development of
a number of innovative networking technologies – including open architecture networking15
– technologies responsible for facilitating internetworking across not only limited regional
networks, but across vast geographically dispersed computer networks irrespective of
underlying characteristics and location.
As suggested earlier, the early internet, based around the ARPAnet, was:
• restricted to non-commercial uses such as military/academic research,
• government-funded, and
• limited (initially) to network connections to military sites and universities.
It was however the transition of ARPAnet from NCP to TCP/IP as a network standard that
enabled the sharing of the ARPAnet internet technology base and resulted initially in the
partitioning of its use between military and non-military use, and eventually the complete removal
of the military portion of the ARPAnet to form a separate network, the MILnet. Indeed, by 1983,
network connections to the ARPAnet had expanded to include a wide range of educational
institutions/organisations and a growing number of research-related companies.
In 1986, the US National Science Foundation (NSF) initiated the development of the
NSFnet, a university network backbone which coincided with the gradual decommissioning
of the ARPAnet during the 1980s. Continued research and development during the late 1980s
(e.g. the development of a domain naming system (1984)) and early 1990s (e.g. the arrival of
the first commercial provider of Internet dial-up access (world std.com)) promoted an increasing
public awareness and interest in the internet: an interest that resulted in the emergence and
development of a number of commercial networks both in the USA and in Europe. And so the
commercial use of the internet was born – although not, it should be said, without heated and
often confrontational debate!
By 1994 NSFnet had lost its status as the ‘backbone’ of the internet with other emerging
competing commercial providers in the USA, in Europe, and indeed further afield, creating
their own backbones and network interconnections. Indeed by 1995 the main backbone of
the internet was routed through interconnected network providers, commercial restrictions
to access and use of the internet were removed, NSF privatised access to the network they had
created and developed . . . and the internet took off!
By 1996/97 the word ‘internet’ had become common public currency.
So how big is the internet? That’s an extremely problematical question to answer for two
reasons. Firstly, the internet is neither owned nor controlled by any one person, company,
group, government and/or organisation. Consequently accurate empirical data regarding the
internet – its size and usage – are not only difficult to obtain, but more importantly difficult to
substantiate and validate.
Secondly, the internet is an organic, ever-changing structure, an ever-evolving entity and
an ever-developing network whose exponential rates of growth (certainly in the past five years)
continue to belittle even the most optimistic of approximations.
In a general context however, estimates suggest that there are (as at 2005):
It should nevertheless be noted that the internet is not a global network, irrespective of much
of the commercial and political hyperbole surrounding its emergence into the global economic
psyche. There still remain many parts of the world (e.g. some countries within the African
continent, some parts of Asia and some parts of South America) where access to the internet
continues to be severely restricted, not only for social and technological reasons, but increasingly
for political and economic reasons.
Perhaps due to the fragmented nature of its development or the very nature of its underpinning
technology, the internet as a social phenomenon has developed a significant cultural
ethos. An ethos predicated on the notion of non-ownership – the idea that the internet as a
virtual social network is not owned or controlled by any one person, company, group or indeed
organisation.
Nevertheless, the need for some standardisation, harmonisation and control is necessary for
any social network – especially a communication/information exchange network established on
the ever-shifting foundations of technological innovation, development and change.
Article 4.1
Names
Because a global unified namespace is essential for the internet to function properly, in
September 1998 the Internet Corporation for Assigned Names and Numbers (ICANN), a
non-profit making organisation, was created as the sole authority to: ‘coordinate the assignment of
unique identifiers on the internet, including domain names, internet protocol addresses, and
protocol port numbers’ (see www.icann.com).
ICANN’s headquarters are in California, USA, and although its operations are overseen by a
board of directors representing both commercial and non-commercial communities, there
continues to be little doubt that the US government continues to play a pivotal role in approving
changes to the domain name system. Recent years have seen a number of attempts not only
to reduce the influence of the US government on the activities of ICANN, but also reduce the
influence of ICANN. At a November 2005 World Summit on the Information Society (WSIS)
in Tunis, Tunisia, ICANN retained a firm grip on its role as the key internet naming authority
but many critics fear that the possible privatisation of ICANN will lead to the ultimate
commercialisation of the internet (see Article 4.2).
Article 4.2
Retains control over main arms

The United States has won its fight to retain control over the internet, at least for the foreseeable future.

The world’s governments in Tunisia finally reached agreement at 10.30pm last night, just hours before the official opening of the World Summit this morning. In the end, with absolutely no time remaining, a deal was cut.

That deal will see the creation of a new Internet Governance Forum, that will be set up next year and decide upon public policy issues for the internet. It will be made up of governments as well as private and civil society, but it will not have power over existing bodies.

Equally, there will be no new oversight body for ICANN, or no new ICANN come to that. Instead, all governments have agreed to work within existing organisations. Effectively that will mean within the Governmental Advisory Committee (GAC) of ICANN. Note the word ‘advisory’ because, again, the GAC has no powers of control over ICANN.

However, head of ICANN Paul Twomey promised delegates that ICANN was happy for the GAC to recreate itself as it saw fit. Twomey later pointed out to us that although the ICANN Board has to approve any GAC decision, there has yet to be an occasion when it hasn’t gone along with it. A special meeting of the GAC will be convened at ICANN’s conference in Vancouver in a fortnight’s time.

The deal represents a remarkable victory for the United States and ICANN: only a month ago they were put on the back foot by an EU proposal that turned the world’s governments against the US position.

But following an intense US lobbying effort across the board, the Americans have got their way. Countless press articles, each as inaccurate as the last, formed a huge public sense of what was happening with internet governance that proved impossible to shake.

Massive IT companies – again, mostly US and thanks to intense US government lobbying – came out publicly in favour of the status quo. And the EU representative, David Hendon, confirmed to us last night that in political and governments circles – at every level – the US had pushed home its points again and again.

A letter from US secretary of state Condoleezza Rice sent to the EU just prior to the Summit also had a big impact. Hendon said the UK’s position was pretty much set by then, but that it may well have had an impact on other EU members. The exact wording of the letter has yet to come out but it is said to be pretty strong stuff.

And so without the EU forcing the middle ground, and with the US backed by Australia, the brokering – pushed in no short measure by chairman Massod Khan – was led by Singapore and Ghana. The result was that Brazil, China, Iran, Russia and numerous other countries were stymied.

Because of the extremely short timetable, the only deal possible was consensus. And every radical proposal was simply shot down. Today will see a jubilant US ambassador David Gross, a resigned EU (and one that may well learn some lobbying lessons in future) and a depressed Brazil.

Everyone of course claims victory but the reality is that the US has won out by shouting loudest. Expect to read numerous press articles that claim the United States has saved the Internet from a fate worse than death. That was never true, and there were never any good real reasons why the US should not cede some control to an international formation of governments. But reality and politics have never been good bed-fellows.

The shift to an international body will still happen but it will now be at least five years down the line.

The plus point of all this great theatre however is that the world, and its governments, are now infinitely more aware of how this internet thing really works.

Source: Kieren McCarthy, The Register, 16th November 2005, www.theregister.co.uk/2005/11/16/us_wins_net_governance.
As a series of documents, the RFC series began in 1969 as part of the original ARPAnet
project. Whilst the first RFC19 (surprisingly called RFC1) was written and published in April
1969, as at 2005 there are:
• over 4400 published RFCs (some now obsolete) describing every aspect of how the internet
functions, and
• over 70 internet standards (STDs) standardising every aspect of how the internet functions.
Today, such RFCs are the official publication channel for the Internet Engineering Task Force
(IETF),20 the Internet Architecture Board (IAB)21 and the wider internet community. RFCs are
published by an RFC Editor,22 who is supported by the Internet Society (ISOC)23 but accountable
to the IAB.
It is perhaps important to note that once published and issued, an RFC is never de-
published,24 but is rather superseded by the publication of a new RFC. An official list of RFCs
which are currently active, or have become adopted internet standards (see below) and/or have
been superseded is regularly published by the RFC editor.25
So how are RFCs produced and how does an RFC become an internet standard? Whilst RFCs
can be promoted through a variety of processes and procedures, the majority of RFCs are now
produced by working parties of technical experts. Such working parties/groups would publish
what the IETF refers to as an internet draft26 to:
prior to submission to the RFC editor for publication. And such an information procedure
works? Surprisingly, it does!
In managing to avoid both the ambiguities sometimes found in informal regulatory pro-
nouncements, and the bureaucracy always found in formal regulatory pronouncements, the
widespread adoption and acceptance of RFCs continues to define the workings of the internet.
(For more details about RFCs, and the RFC process, see RFC 2026 The Internet Standards
Process, Revision 3 (1996).27)
The acceptance of an RFC by the RFC Editor for publication does not automatically make
the RFC a standard. Promotion to, and recognition of, an extant RFC as an internet standard
(with the prefix STD) by the Internet Engineering Task Force (IETF) occurs only after many
years of experimentation and use and when widespread acceptance has proven an extant RFC
to be worthy of the designation ‘internet standard’.
And yet even after being designated an internet standard, many RFCs are still commonly
referred to by their original RFC number. For example, STD1 Internet Official Protocol
Standards28 is still frequently referred to as RFC 3700, its original designation prior to becom-
ing an internet standard.
Clearly, the internet regulatory process, the issue and promotion of internet drafts, the
adoption and publication of RFCs, and the development of internet standards, is an evolving
and developing standardisation process; a control procedure whose informality has perhaps
been its greatest success. Whether such informality will remain will have to be seen . . . but let’s
hope so.
In a contemporary context, the internet is more than just a complex arrangement of hard-wired
physical connections or a growing collection of wireless interconnections. It is more than just
the sum of its infrastructure. The internet – as a communication and information exchange
network – is an interconnected series of:
Indeed, the internet protocol suite29 was consciously and deliberately designed to be autonomous
of any underlying physical medium. As a consequence, any communications systems/network
– whether hard-wired or wireless – that can carry two-way digital data can be used for the
transmission of internet traffic.
Some of the most popular services and uses of the internet are:
Of the above, clearly e-mail and the world wide web are the most used, with many other services
being dependent upon them. Let’s look at each of these in a little more detail.
E-mail
Electronic mail (or e-mail) is a method of composing, sending and receiving messages, together
with any associated attached files of text data, numeric data and/or images, via an electronic
communication system/network, usually the internet. (We will discuss the nature and context
of e-mail later in this chapter.)
File sharing
File sharing is the activity of making a file of data/information, or files of data and/or infor-
mation available to others, a sharing that can be accomplished in many ways, for example:
Clearly one of the key benefits of any network (especially the internet) is the ability to share files
stored on a server with many other users. Whilst all of the above represent adequate mechanisms
for this task, where a vast amount of file sharing occurs between many users, such traffic – such
file sharing – may best be served/facilitated by the use of:
• a website and/or
• an FTP server, or
• a peer-to-peer (P2P) network.
Many companies operate websites/FTP server facilities from which product catalogues,
service information and/or corporate literature can be downloaded, for example, see:
• Tesco plc @ www.tesco.com
• HSBC plc @ www.hsbc.com
• British Airways plc @ www.britishairways.com or
• BP plc @ www.bp.com.
Many professional associations use secure FTP facilities to provide information to members
only, for example, see:
• Association of Chartered Certified Accountants @ www.accaglobal.com
• Institute of Chartered Accountants of England and Wales @ www.icaew.co.uk
• Chartered Management Institute @ www.managers.org.uk
• Chartered Institute of Marketing @ www.cim.co.uk or
• Chartered Institute of Management Accountants @ www.cimaglobal.com.
Many educational institutions – schools, colleges and universities – now use secure FTP facilities
to provide student access to data/information files, with many schools, colleges and universities
using Blackboard32 to facilitate and control/restrict student access. For example, see:
• University of Hull @ http://blackboard.hull.ac.uk
• University of Leicester @ http://blackboard.le.ac.uk
• University of Teesside @ http://blackboard.tees.ac.uk or
• Bournemouth University @ http://blackboard.bournemouth.ac.uk.
So what about file sharing using peer-to-peer (P2P) networks?
Although file sharing is a legal technology with many valid and legal uses (as indicated
earlier) there nonetheless remain several major problems/concerns surrounding file sharing,
especially file sharing33 using peer-to-peer (P2P) networks. Why? For two reasons: firstly because
of the anonymity of such file sharing; and secondly because of the questionable legality of such
file sharing, especially where copyright concerns exist.
There can be little doubt that the popularity of anonymous internet file sharing
grew with the increased availability of high-speed internet connections and the decreasing size
(in a relative sense) of high-quality MP3 audio files (e.g. Napster,34 the first major – albeit illegal
– file sharing facility, was launched in 1999). Today a vast array of file sharing programs is
available (e.g. Gnutella35) which allow users to search for and share almost any type of file –
copyright or not! Clearly, this situation has not gone unnoticed by those media companies who
hold the legal copyright to the material being shared. Indeed the latter part of the 20th century
and early part of the 21st century have been replete with media reports surrounding the attempts
by companies to track down illegal file sharing, close down illegal file sharing facilities and
prosecute those participating in the illegal file sharing of copyright material.
Whilst some successful prosecutions have been brought before the courts in an attempt
to close down and/or force those responsible for the development and management of peer-to-peer
(P2P) file sharing networks to legitimise their facilities/activities (see Articles 4.3, 4.4
and 4.5), it would nonetheless appear that such companies may well be fighting a losing
battle.
Why? For two reasons. Firstly, because the on-going development of new second generation
decentralised peer-to-peer (P2P) protocols (e.g. Freenet36 – see ‘What is Freenet?’ available
@ http://freenetproject.org/index.php?page=whatis) is severely restricting the potential
effectiveness of court action for file sharing and copyright infringement. Secondly, because of the
growth of groups supporting the use of file sharing technology and questioning the legitimacy
of the so-called ‘corporate witch hunt’ for illegal file sharers – for whatever socio-political
reason. See, for example, the Electronic Frontier Foundation37 (EFF) and perhaps also the
openDemocracy website @ www.openDemocracy.net.
Article 4.3
Article 4.4
over the network was illegal. ‘Both the user who makes the file available and the user who
downloads a copy infringes the owner’s copyright,’ the ruling stated.

The judgment against Sharman Networks, Kazaa’s Sydney-based owners, is a further blow to
internet file-swapping and follows a series of adverse rulings in recent months. Although
Australian courts do not have jurisdiction overseas, their rulings customarily influence the
development of law in other Commonwealth countries, including Britain.

Yaman Akdeniz, the director of Cyber-Rights and Cyber-Liberties, said the judgment would simply
increase the exodus of users to alternative file-sharing applications. ‘The number of users on
Kazaa is already going down ever since it started to be targeted,’ Mr Akdeniz said. ‘If you put
a successful copyright filter on it, there won’t be anything left because most of the swapping
done there is illegal.’

However, he said the ruling was unlikely to stop file-swapping altogether, adding: ‘The legal
system is slow and always lagging behind the software development.’ In June, the US supreme
court ruled that makers of peer-to-peer software could be held liable for the copyright
infringement of their users. The peer-to-peer pioneer Napster was shut down in 2001 after a US
court ordered it to stop users swapping copyrighted files. Napster has since been relaunched as
a paid-for music file download service.

The music industry blames the growth of file-sharing software for its poor performance in
recent years. CD sales have fallen by 25% since file-sharing began to take off in 1999. Kazaa,
which moved to headquarters in Australia and a registration in the Pacific tax haven of Vanuatu
after a similar court case in the Netherlands in 2001, was developed by the Swedish internet
pioneer Niklas Zennström.

Mr Zennström has since become known for writing the software for the internet telephony service
Skype.

Sharman and the five other defendants will also have to pay damages and 90% of the costs
incurred by the record labels – including Universal, EMI, Sony BMG, Warner and Festival
Mushroom – which brought the case.

Source: David Fickling, 6 September 2005, The Guardian, www.guardian.co.uk.
Article 4.5
Media streaming
The delivery of media can be classified into two categories:
• delivery systems through which media can be delivered for concurrent consumption38 – for
example, television and radio, and
• delivery systems through which media can be delivered for deferred consumption – for
example, DVDs, books, video cassettes and audio CDs.
The term ‘media streaming’ is often used to describe delivery systems for concurrent con-
sumption, that is delivery systems and/or facilities through which the simultaneous delivery
and consumption of online and real time media occurs, and is invariably applied to media that
are distributed over computer-based networks. However, as we shall see, delivery systems for
deferred consumption are now increasingly dependent on online media streaming, although
some would categorise it as file sharing!
Although the basic concepts of media streaming had been well established as early as the
1970s, and the technical questions and problems regarding the feasibility of computer-based
media streaming delivery systems39 had been resolved as early as the 1980s, it was not until the
mid/late 1990s and:
but a new breed of internet only broadcasters has emerged that provide a range of audio and
video programming, from technical live web casts, to specialised video and audio programming,
much of which is often unlicensed and uncensored!
Increasingly – certainly since the early part of the 21st century – media streaming has become
an important mechanism in the delivery of media (audio and increasingly video) for deferred
consumption – that is consumption in another place and/or another (later) time. Examples include
the availability of legal downloadable online music (see Napster @ www.napster.co.uk/index
and/or Apple iTunes @ www.apple.com/itunes) and the increasing availability of downloadable
online movies (see ezMovies @ www.ezmovies.net and/or Movieflix @ www.movieflix.com),
a market which the major movie studios have only recently entered (see Movielink @
www.movielink.com and Cinemanow @ www.cinemanow.com).40 (See also Article 5.6.)
There can be little doubt that media streaming has revolutionised, and indeed will continue to
revolutionise, corporate activity – not only those aspects associated with product delivery, but
perhaps more importantly those aspects associated with service/process management: for example,
media streaming (in particular web-cam-based media streaming technologies) for intra-company
video conferencing, where the technology brings with it many social, economic and legal issues,
many of which remain unresolved.
Article 4.6
flows over a general-purpose packet switched network instead of traditional, dedicated, circuit
switched voice transmission lines.
So what are the advantages and disadvantages of VoIP? The main advantages are:
• faster innovation – product innovation and development is dictated by the market, resulting
in faster adoption of new or advanced features,
• lower cost41 – a telephony service using VoIP costs less than the equivalent service from
traditional sources, and
• increased functionality/portability – calls are always routed to a recipient’s VoIP phone and
calls can be made/received anywhere without additional cost.
The main disadvantages are:
• lack of reliability – power supply disruption/failure could significantly affect performance,
• geographical anonymity – some VoIP systems do not yet provide e999 facilities for emergency
calls and consequently it can be difficult to route callers to appropriate emergency
centre/facilities,
• integration into the global telephone number systems – although in the UK telephone numbers
are regulated by OFCOM,42 in some countries there is no widely adopted number standard
for the allocation of numbers for VoIP, unlike traditional telephone systems and mobile phone
networks which comply with a common global standard E.164.43
Will VoIP replace contemporary mobile phones? Probably not – well not for the present at least.
Why? For three reasons.
Firstly, because in an already saturated telecommunications market, demand for VoIP
among both corporate clients and individual consumers will continue to remain weak and
uncertain, unless and until wireless network coverage achieves a similar geographical exposure
to contemporary mobile phone network coverage, thereby enabling greater usage of mobile
VoIP phones (often called WiFi phones).
Secondly, because problems still remain with regard to VoIP systems’ ability/capability to
service adequately the requirements of a vast range of devices that depend wholly or in part on
access to a quality voice-grade telephony for some or all of their functionality. Such devices
would include, for example:
• fax machines,
• conventional modems,
• FAXmodems,
• digital satellite television receivers that require a permanent telephone connection (e.g. Sky+
(see www.sky.com)), and
• burglar alarm systems which are connected to the regional call centre through which a link
(sometimes automated) is provided to the emergency services.
Thirdly, the regulatory framework for VoIP is still in its infancy and whilst both EU and UK
telecommunications regulators are now drafting appropriate codes of practice for providers,
much still needs to be done.
As a consequence whilst some EU, UK and indeed US-based telecommunications providers
do use IP telephony – often over secure and dedicated IP networks – it remains unlikely that
the corporate office environment or the consumer home of the near future will use anything
remotely like pure VoIP.
Once an IRC client program has been installed, users can log onto an available IRC server,
select an appropriate channel,45 log into a chat session, and after learning a few basic commands
and text protocols, converse by typing messages to other chat session participants that are
instantly sent.
Surprisingly, many companies (especially IT companies) now hold regularly scheduled,
secured chat sessions – between company representatives, customers and clients – not only to
provide technical information and advice on products and services offered by the company,
but also to gain feedback on product/service developments and enhancements, and opinions
on possible future developments/innovations.
So, far from being merely a chat facility for the lost and the lonely hearted, internet relay
chat can be a valuable and important business/marketing tool. Yet whilst internet relay chat as
a communication facility clearly has many advantages it nonetheless has its seedier side! Indeed
following a number of high-profile cases in the late 1990s and early 2000s, in October 2003
MSN and Microsoft closed MSN Chat, issuing the following statement:46
as part of an overall effort by MSN and Microsoft to provide consumers with a safer, more
secure and positive overall online experience, MSN has decided to no longer offer MSN Chat
in the UK as of October 14, 2003. This change is intended to help protect MSN users from
unsolicited information such as spam and to better protect children from inappropriate com-
munication online.
Newsgroups
Newsgroups are often referred to as repositories,47 although those which exist within the Usenet48
system are perhaps more appropriately referred to as discussion groups since they are used
primarily for the distribution of messages posted from many users at many different locations.
Within Usenet, newsgroups are arranged into a number of hierarchies, as follows:
• comp.* – for discussion related to computer-related issues/subjects,
• humanities.* – for discussion related to humanities (e.g. literature, culture, philosophy),
• misc.* – for the discussion of miscellaneous issues/subjects not appropriate to any other
hierarchy,
• news.* – for discussion on or about Usenet,
• rec.* – for discussion related to recreational activities/undertakings,
• sci.* – for discussion related to scientific issues/subjects,
• soc.* – for discussion related to social issues/subjects, and
• talk.* – for the discussion of contentious issues (e.g. religion/politics).
There are also a number of alternative newsgroup hierarchies:
• alt.* – for the discussion of ‘alternative’ issues/subjects,49
• gnu.* – for the discussion of issues related to the GNU project of the Free Software Foundation
(see http://www.gnu.org), and
• biz.* – for discussion on business related issues/subjects.
Briefly, for a new newsgroup to be created, it must be introduced and discussed within
news.groups (see above) and a resolution for adoption be voted upon. If two-thirds of those
voting are in favour (and there are 100 more votes in favour than against) the resolution is
passed and the new newsgroup can be created.50
So how do newsgroups work? Newsgroup servers are hosted by various companies, organ-
isations and academic institutions, with many ISPs (internet service providers) hosting their
own, or at least renting a news server for the use of their subscribers. See for example Google
news groups available @ http://groups.google.com.
There are two ways to access the Usenet newsgroups:
• with the use of a newsreader program (most of the popular web browsers (Internet Explorer,
Netscape, and Mozilla) provide integrated free newsreader facilities), or
• with the use of a web-based Usenet service, for example:
   ◦ Google – see http://groups.google.com
   ◦ Interbulletin – see http://news.interbulletin.com
   ◦ Mailgate – see http://www.mailgate.org
   ◦ News2Web – see http://services.mail2web.com/FreeServices/Usenet
   ◦ WebNews-Exchange – see http://www.webnews-exchange.com.
The server name aspect of the URL is converted into an IP address using the domain name
system (DNS) – a global, distributed internet database. An HTTP request is then sent to the
web server working at that IP address for the webpage that has been requested. The HTML text,
graphics and any associated files that comprise the requested webpage are then returned to the
user making the request. The user’s web browser renders the webpage as instructed, incorporat-
ing where required any images, links and/or other resources as necessary. It is this rendering
that produces the webpage the user will see.
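The lookup-then-request sequence described above, as an added example that is not from the book: it resolves the server name to an IP address, sends the HTTP request text to that address and parses what comes back. The loopback server, the page content and the `localhost` URL are constructed stand-ins for a real website so that the code runs offline.

```python
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler
from urllib.parse import urlsplit

# Constructed sample page served by the local stand-in web server.
PAGE = b"<html><body><h1>Constructed sample page</h1></body></html>"


class SampleHandler(BaseHTTPRequestHandler):
    """Minimal web server handler standing in for the remote site (constructed)."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def resolve(host, port):
    """Step 1: convert the server name from the URL into an IPv4 address."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return infos[0][4][0]


def build_request(host_header, path):
    """Step 2: the HTTP request text. The Host header repeats the server name,
    because one IP address may serve many websites."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
            "Accept: text/html\r\nConnection: close\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Step 3: split the reply into status line, headers and body (the HTML)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(status), "reason": reason, "headers": headers, "body": body}


def fetch(url):
    """Resolve the name, connect to the IP address, send the request, read the reply."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or 80
    path = parts.path or "/"
    ip = resolve(host, port)
    host_header = host if parts.port is None else f"{host}:{port}"
    request = build_request(host_header, path)
    chunks = []
    with socket.create_connection((ip, port), timeout=5) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:  # server closed the connection: reply is complete
                break
            chunks.append(data)
    result = parse_response(b"".join(chunks))
    result.update(ip=ip, request=request)
    return result


def demo():
    """Start the constructed local server on a free port and fetch one page from it."""
    server = socketserver.TCPServer(("127.0.0.1", 0), SampleHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch(f"http://localhost:{port}/index.html")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    reply = demo()
    print(reply["ip"], reply["status"], reply["reason"])
    print(reply["body"].decode())
```
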
So what are the social implications of the web? In a contemporary context there can be little
doubt that the web has revolutionised the global interpersonal exchange of information on a
scale that was unimaginable even a few years ago. It has allowed/enabled a sudden and extreme
decentralisation of information and data unprecedented in history. Unfettered by the demands
of the physical world, the virtual nature of the web and the digital nature of its content have
presented an unparalleled opportunity for people separated by geography and time to mutually
develop and to share/exchange:
• social/cultural experiences,
• political ideologies,
• cultural ideas and customs,
• advice, and
• literature and art.
The internet . . . the good, the bad and the great divide!
As an emergent phenomenon of the late 20th and early 21st centuries, the internet is an elaborate
and intricate socio-technical system, a large-scale, highly engineered, highly complex system,
whose growth and expansion has continued to astound and amaze even the most optimistic of
users, developers and commentators.
And yet, whilst there can be little doubt that in a technical context the internet (and its
component services) has provided facilities/services that were once deemed to be the stuff of
science fiction, the socio-political impact of internet technology (or indeed – lack of internet
technology) has often reinforced traditional socio-cultural differences and related socio-economic
disadvantages. As suggested by Lu (2001), there exists,
‘great disparities in opportunity to access the internet and the information and educational/
business opportunities tied to this access . . . between developed and developing countries’
(2001:1).
Disparities which continue to reinforce the global digital divide in which the technologically
rich get richer, and the technologically poor get poorer – perhaps not in absolute terms but cer-
tainly in relative terms.
Indeed, whilst the internet has undoubtedly revolutionised contemporary processes of
communication and dismantled once traditional (almost sacred) spatial and temporal boundaries, it
has more importantly enabled a greater socio-cultural sharing of ideas, knowledge and skills, and
facilitated greater economic trade and the global movement of goods and services – any time,
any place, anywhere. Yet, the rewards and benefits from these changes – these opportunities –
have been and indeed continue to be shared by the very few!
Far from:
Whilst many problems remain, for example ADSL59 and broadband access remain rare, even
non-existent, in many less developed/developing countries, it is hoped that developing internet
technologies, for example wireless internet access and satellite based internet access, will help to
equalise the distribution and availability of internet technologies and (hopefully) help to reduce
the ever growing digital divide.
E-business,60 or electronic business, is any business process that is empowered by an
information system – which in a contemporary context invariably means the utilisation of information
and communication technology enabled innovations, including of course web-based technologies.
It enables companies/organisations to:
• connect both internal and external processes with greater efficiency and flexibility, and
• operate more closely with suppliers and/or related companies/organisations to better satisfy
the needs and expectations of customers and clients.
Effective e-business involves:
• the development and introduction of new revenue streams through the use of e-commerce
(see below),
• the enhancement of information and communication relationships with customers, clients
and related companies/organisations, and
• the development of efficient, effective and secure knowledge management systems.
Whether conducted over the public internet, through the use of internal intranets (internal
internet-based networks) or through the use of secure private extranets, e-business is clearly
more than just e-commerce. Why? Because, in facilitating the integration of both intra- and
inter-company/organisation business processes and procedures, e-business now encapsulates
the whole range of business functions, activities and services, from:
• the functions central to a company/organisation’s value chain, to
• the activities central to a company/organisation funding cycle, to
• the services that support both the commercial and non-commercial operations of a
company/organisation.
Indeed, as indicated in the European e-business report (2004)61:
• the increasing migration towards broadband internet connections,
• the increasing use of business-to-business (B2B) online trading,
• the increasing business-to-consumer (B2C) online trading, and
• the increasing integration/adoption of information and communication technologies,
all suggest that within the European Union (and in particular within the UK) e-business has
come of age and now represents an important aspect of corporate business and its never-ending
search for profit.
For our purposes, we will explore e-business in the context of the following categories:
• electronic data interchange – to send and receive commercial documents electronically, and
• electronic funds transfer – to send and receive funds electronically.
In a contemporary context, however, the term e-commerce has become synonymous with a
wide range of interrelated activities associated with the sale/purchase of goods and services via
the internet-based world wide web.62
Whilst during the early/mid 1990s, many business and economic analysts forecast that
internet-based e-commerce facilities would become the major retail vehicle of the late 1990s, it
was not until the late 1990s/early 21st century that a number of US-based/Europe-based com-
panies/organisations began to develop fully their web-based services including the integration
of e-commerce facilities. And, despite the early 21st century witnessing the spectacular demise
of a large number of so-called pure e-commerce companies during the dot com63 collapse in
2000 and 2001, many established companies and organisations have continued to recognise the
enormous added value (wealth creating opportunities) of increasingly sophisticated but user
friendly e-commerce capabilities/facilities.
So is e-commerce a global phenomenon? No, not really. As suggested earlier, e-commerce
(as with the internet) continues to remain very much a geographically focused phenomenon.
Indeed, as at the end of 2005, whilst e-commerce has become well-established across much of
North America, Western Europe and parts of Australasia, for a number of African, East Asian,
and South American countries it still remains:
• a slowly emerging facility/capability in some industrialised countries, and
• an almost non-existent facility/capability in many third world countries, including many
African countries.
More on this later – including the increasing use and availability of m-commerce64 facilities (see
Chapter 12).
Let’s look at the core constituents of e-commerce, that is the key requirements for effective
e-commerce:
• a website,
• electronic data interchange (EDI) facilities,
• electronic funds transfer (EFT) facilities, and
• electronic mail (e-mail) facilities.
Websites
• an archive website – used to preserve valuable electronic content threatened with extinction,
• a database website – a website whose main use is the search and display of a specific
database’s content,
• a directory website – a website that contains varied contents which are divided into categories
and subcategories (e.g. www.google.co.uk and www.yahoo.com),
• a download website – a website used for downloading electronic content, such as software,
games, etc.,
• a professional website – a website designed specifically for members of a professional
association (e.g. www.accaglobal.com and www.icaew.co.uk),
• a game website – a website that is itself a game or ‘playground’ where many people come to
play,
• an adult website – a website dedicated to the provision of pornographic literature, images
and movies,
• an information website – a website that contains content that is intended merely to inform
visitors, but not necessarily for commercial purposes (e.g. www.dti.gov.uk),
• a news website – a website dedicated to dispensing news and commentary (e.g.
www.ft.com and www.timesonline.co.uk),
• a search engine – a website that provides general information and is intended as a gateway
to other websites (e.g. www.google.co.uk and www.yahoo.com),
• a web portal – a website that provides a starting point, a gateway or portal to other resources
on the internet or an intranet,
and of course many websites would invariably fall into more than one of the above categories/
types!
Electronic Data Interchange (EDI) is the exchange of structured and pre-defined information
using agreed message standards and transmission protocols from one computer application
to another by electronic means and with a minimum of human intervention. Perhaps, more
appropriately, EDI is the specific interchange methods agreed upon by national or international
standards bodies for the transfer of business transaction data.
There are in fact three major sets of EDI standards:
So what type of business transaction data is EDI used for? EDI can be, and is, used to:
n transmit documents such as invoices, purchase orders, receipts, shipping documents, and
other standard business correspondence electronically between companies, organisations
and/or business partners, and
n transmit financial information in electronic form, and
n transfer financial payments and/or funds (usually referred to as electronic funds transfer
(EFT)).
EDI is now widely employed in a variety of business-related industries, including:
n banking and financial services,
n manufacturing, and of course
n retailing.
So, why is EDI used as opposed to traditional, paper-based systems? For obvious reasons
really.
Firstly, traditional paper-based systems are:
n invariably slow and often extremely bureaucratic,
n often labour intensive and costly,
n increasingly prone to low levels of accuracy and high levels of human error, and
n often subject to processing delays resulting in often excessive uncertainty.
Secondly, EDI-based systems are:
n less bureaucratic and less paper-based – and therefore environmentally friendly,
n flexible and simpler to use – usually allowing one-time data entry,
n time efficient – promoting the speedier, more-efficient flow of information, and
n very accurate – reducing possible handling errors due to less human interface.
So how does EDI work? Within a typical EDI transaction between two trading partners (a source
company and destination company), the following steps would normally take place:
n preparation of EDI documents by the source company – the collection and storage of data/
information into electronic files or a database;
n outbound translation by the source company – translation of electronic files/database into
a standard, pre-determined, structured and formatted document according to an agreed
specification;
n communication by the source company – transmission and routing of each file to the
appropriate client destination e-mail box (via the internet) according to the destination set
in the file;
n inbound translation by the destination company – retrieval of the data file from its e-mail box
and translation of the data file from the pre-determined, structured and formatted document
into the specific format required by the company’s application software; and
n processing of EDI documents by the destination company – processing of the received data
file by the client company’s internal application system.
Historically, the transmission/communication of EDI involved using a value added network
(or VAN) – a third party network performing services beyond the transmission of data (see
Figure 4.1).
In recent years, however, there has been (as we have all witnessed) a dramatic growth
in the use of e-commerce via the internet and, consequently, the use of such networks has
become increasingly rare, although some high-security VANs are still in operation. It was the
There are, of course, many risks arising out of the use of the EDI systems, in particular:
n risks associated with transmission, for example:
l data completeness,
l data accuracy, and
l data authenticity,
n risks associated with verification, for example
l data authorisation,
l data access, and
l error detection and correction.
The risks of EDI (and associated controls) are discussed in detail in Chapter 14.
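The outbound and inbound translation steps listed earlier, together with the transmission and verification risks above, can be shown in a short sketch. This is an added example, not code from the book: the pipe-delimited HDR/LIN/TRL/MAC layout, the function names and the shared key are assumptions constructed for illustration (it is not EDIFACT or X12), and the transport step is left out.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Assumption: a key agreed in advance between the two trading partners.
SHARED_KEY = b"constructed-demo-key"


class EdiError(Exception):
    """An inbound message failed one of the controls; .control names which."""

    def __init__(self, control, detail):
        super().__init__(f"{control}: {detail}")
        self.control = control


def sign(body, key=SHARED_KEY):
    """HMAC-SHA256 over the message body (authenticity and integrity)."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def outbound_translate(lines, sender, receiver, control_no, key=SHARED_KEY):
    """Source company: application records -> agreed structured message."""
    fields = [sender, receiver, control_no]
    fields += [str(f) for line in lines for f in line]
    if any("|" in f or "\n" in f for f in fields):
        raise EdiError("format", "delimiter character inside a data field")
    segments = [f"HDR|{sender}|{receiver}|{control_no}"]
    total = Decimal("0")
    for item, qty, unit_price in lines:
        segments.append(f"LIN|{item}|{qty}|{unit_price}")
        total += Decimal(qty) * Decimal(unit_price)
    # Trailer: line count (completeness) and value total (accuracy).
    segments.append(f"TRL|{len(lines)}|{total}")
    body = "\n".join(segments)
    return f"{body}\nMAC|{sign(body, key)}"


def inbound_translate(message, expected_sender, seen_control_nos, key=SHARED_KEY):
    """Destination company: verify every control, then hand records on."""
    body, _, mac_line = message.rpartition("\n")
    if not mac_line.startswith("MAC|"):
        raise EdiError("authenticity", "missing MAC segment")
    # Constant-time comparison of the received and recomputed MAC.
    if not hmac.compare_digest(mac_line[4:].encode(), sign(body, key).encode()):
        raise EdiError("authenticity", "MAC does not match message body")
    segments = [s.split("|") for s in body.split("\n")]
    header, trailer, detail = segments[0], segments[-1], segments[1:-1]
    if header[0] != "HDR" or len(header) != 4:
        raise EdiError("format", "header segment malformed")
    if trailer[0] != "TRL" or len(trailer) != 3:
        raise EdiError("format", "trailer segment malformed")
    _, sender, receiver, control_no = header
    if sender != expected_sender:
        raise EdiError("authorisation", f"unexpected sender {sender!r}")
    if control_no in seen_control_nos:
        raise EdiError("completeness", f"duplicate control number {control_no}")
    lines = []
    try:
        for seg in detail:
            tag, item, qty, price = seg  # ValueError if the field count is wrong
            if tag != "LIN":
                raise ValueError(f"unexpected segment {tag!r}")
            lines.append((item, int(qty), Decimal(price)))
        declared_count, declared_total = int(trailer[1]), Decimal(trailer[2])
    except (ValueError, InvalidOperation) as exc:
        raise EdiError("format", str(exc)) from exc
    if len(lines) != declared_count:
        raise EdiError("completeness",
                       f"{len(lines)} lines received, {declared_count} declared")
    total = sum((qty * price for _, qty, price in lines), Decimal("0"))
    if total != declared_total:
        raise EdiError("accuracy", f"total {total} != declared {declared_total}")
    seen_control_nos.add(control_no)
    return {"sender": sender, "receiver": receiver,
            "control_no": control_no, "lines": lines, "total": total}


if __name__ == "__main__":
    # Constructed sample invoice lines: (item, quantity, unit price).
    sample = [("WIDGET", 3, "12.50"), ("GASKET", 10, "1.20")]
    msg = outbound_translate(sample, "SRC01", "DST01", "000001")
    print(msg)
    print(inbound_translate(msg, "SRC01", set()))
    try:
        inbound_translate(msg.replace("|3|12.50", "|3|92.50"), "SRC01", set())
    except EdiError as err:
        print("rejected:", err)
```

The MAC covers authenticity, while the trailer count and total are separate controls that still catch a line lost or mis-keyed before the message was signed.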
Both CHAPS-based EFT, and BACS-based EFT would generally be used for business-to-business
electronic funds transfer (known as B2B-EFT) whereas BACS-based EFT may in addition be
used for:
n business-to-consumer electronic funds transfer (known as B2C-EFT), and
n consumer-to-business electronic funds transfer (known as C2B-EFT).
Within the point of service-based EFT there are two categories, these being:
n card-based systems, and
n non-card-based systems.
Card-based point of service EFT, or card-based EPOS EFT, can be divided into the following
categories:
CHAPS-based EFT
The Clearing House Automatic Payments System (CHAPS) is an electronic bank-to-bank, UK-
only, payment system. It is used by both banks and building societies where money is required
to be transferred from one bank/building society to another on the same day: that is where a
customer/client requires a secure, urgent, same-day payment. Under the auspices of APACS,76
CHAPS Clearing Company Ltd:
Primarily for high-value transactions, the company processes RTGS (real time gross settlement)
payments in both sterling and in euros.77
The main users of CHAPS are:
n banks and building societies – for inter-bank transfers and the movement of funds within
the financial system, and
n companies and businesses – for the transfer of funds from one company’s/business’s bank
account, to another company’s/business’s bank account.
So, how are CHAPS payments/transfers made? Most of the UK banks and a majority of the
larger UK building societies are direct members of CHAPS, with approximately 400 of the smaller
UK banks and building societies being indirect members,78 only having access to the CHAPS
payment systems through a direct member.
Payments/transfers are made electronically and should start and finish on the same day. CHAPS
payments/transfers can commence at 6.00 a.m. each day and payments/transfers usually have
to commence before 4.00 p.m. for same-day settlement, although there is a facility to make late
payments at up to 5.00 p.m. Payment/transfer instructions can be made electronically, usually
using internet or other secure/private electronic banking facilities, often the case for regular
users, although a substantial number of instructions for CHAPS payments/transfers are still –
somewhat unbelievably – made by customers manually filling in forms.79
Within a CHAPS payment/transfer, the various stages would be as follows:
n a company requests (probably electronically) and authorises its bank to make a CHAPS
payment/transfer out of its account,
n the paying bank (the bank of the company making the CHAPS payment/transfer request)
validates, verifies and authenticates the request,
n the payment/transfer request is submitted/forwarded to a central processing centre,
n the payment/transfer request is cleared through the inter-bank payment and settlement system
via the Bank of England,
n the payment/transfer is forwarded via a central processing centre to the recipient’s bank,
and
n the payment/transfer amount is credited to the recipient company account.
prior to the payment/transfer taking place, very occasionally procedural protocols are violated
and payments/transfers can go wrong. How? That’s a difficult one to answer.
In general, the vast majority of problems tend to be associated with the provision of
incomplete, faulty and/or incorrect payment instructions which, in exceptional circumstances,
results in the occurrence of one or more of the following:
n a timing delay – the payment/transfer is not actioned as requested and the payment/transfer
is not completed on the same day,
n payment errors – funds are transferred to an incorrect account, and/or
n value errors – the incorrect value of funds is transferred.
Clearly for such payments/transfers, given the often high-value nature of the payment/transfer,
the consequences of such a failure can be extensive, wide-ranging and extremely damaging,
both legally and financially.
BACS-based EFT
The Bankers Automated Clearing Services (BACS) was formed in 1971 (having previously been
known as the Inter-Bank Computer Bureau) and its main task is to provide a central clearing
function for bulk automated payments. In 1985, BACS changed its name to BACS Ltd and
expanded its membership to include building societies. Following a corporate governance
review during 2003, BACS Ltd was separated into two companies:
n BACS Payment Schemes Limited (BPSL) – to govern and administer the scheme, and
n BACS Ltd – to process payments and develop/enhance processing technologies.
Whilst many of the above payments are submitted directly to BACS, currently over 50% of
organisations/companies make their direct credit and direct debit payment submissions through
approved bureaux81 rather than submitting directly to BACS. Why? For a number of reasons,
for example:
n the organisation/company may only make a small number of direct credit and/or direct debit
payment transactions per month, or
n the organisation/company may be unable to fulfil all of the criteria to be able to make
submissions itself direct to BACS (e.g. a newly established SME with a low turnover).
Direct credit
Direct credit is a secure transfer service which enables organisations to make EFT directly into
bank and/or building society accounts.82 They are mainly used for paying wages and salaries,83
although they are also used for a wide variety of other applications such as supplier payments,
payments of pensions, payments of employee expenses, insurance settlements, payments of
dividends and/or interest, and payment refunds.84
For the paying organisation/company, the main benefits of direct credits are:
n payments are prompt and cleared on arrival into the customer/recipient account,
n the payment transfer process is safe and secure, and
n the payment process is time efficient and inexpensive.
Direct debit
A direct debit is an instruction from a customer to their bank or building society to authorise
a third party organisation/company to collect varying amounts from their account.85 In the UK,
approximately 60,000 organisations/companies and approximately 45% of the UK paying
population use direct debit services to collect a variety of regular and/or occasional payments
including utility payments, insurance premiums, council tax payments, mortgages and/or loan
repayments and subscription payments.
For the paying customer/client, the main benefits of direct debits are:
n payment is automatic,
n a direct debit payment is often cheaper than a cheque payment (although not always),86
n the payment process is convenient, and
n the payment process is safeguarded/guaranteed.87
BACSTEL-IP
Unlike the CHAPS payment/transfer system which has a same day processing cycle, the BACS
payment system has a three-day processing cycle, that is a minimum of three UK bank working
days, from the submission of a payment instruction to BACS for processing to the time that
payment reaches the destination/recipient account.
Historically, direct access to the BACS payment services was through BACSTEL,88 a simple
but effective telecoms-based payment service. However, in 2003, as part of a major renewal
programme, a technology upgrade was launched and a wholesale migration to BACSTEL-IP
commenced.89 Although the transition was far from smooth (see Article 4.7), BACSTEL-IP
effectively replaced the dated telecoms-based customer delivery channel with an IP-based facility/
technology incorporating both a public key infrastructure (PKI)90 and public key cryptography
(PKC)91 and providing:
n online payment tracking and status monitoring,
n real time access to payment/transfer records,
n online electronic reporting, and
n automated receipt of payment and payment confirmation.
We will consider public key cryptography in greater detail in Chapter 13.
Article 4.7
To use the facilities offered by BACSTEL-IP (e.g. to submit payment/transfer requests and/or
obtain activity reports), a company/business must be either:
n an approved/registered direct submitter, or
n a BACS approved bureau.
So exactly how does the BACS payment system (using BACSTEL-IP) work?
The BACS processing is a four-stage processing procedure (arrival, input, process and output)
within a three-day processing cycle (see Figure 4.5) comprising:
n arrival day (arrival/input stage) – the receipt of a company’s/organisation’s payment/transfer
file at BACS Payment Schemes,
n processing day (input and processing stage) – the acceptance and processing of all data
through BACS Payment Schemes and transfer onto the paying banks, and
n entry day (output stage) – requested payments/transfers are simultaneously debited and
credited to the relevant bank and/or building society accounts.
Note: the three days must always be three consecutive processing days.
As suggested earlier, e-mail is a method of composing, sending, and receiving messages, together
with any associated attached files of text data, numeric data and/or images, via an electronic
communication system. In a contemporary context the majority of e-mail systems today are
interconnected via the internet using the simple mail transfer protocol (SMTP),98 facilitating
the flow of e-mail to anywhere in the world – almost instantaneously.
n a header – which contains the message summary, sender details, receiver details and other
information about the e-mail, and
n a body – which contains the message itself (with a signature block102 at the end of the message).
n Cc: – sometimes referred to as carbon copy (old typewriting terminology) but is more
appropriately defined as copy correspondence,
n Bcc: blind carbon copy – or more appropriately blind copy correspondence,103
n Received: – tracking information generated by mail servers that have previously handled a
message,
n Content-Type: – information about how the message has to be displayed, usually a MIME
type.104
Secondly, how do you send/receive e-mail messages? To send and/or receive e-mails a user must
have:
n an active internet connection, and
n access to an active e-mail system.
n The SMTP server looks up the relevant destination domain name (Leigh.com) in the Domain
Name System/Server to find the SMTP server accepting messages for that domain.107
n The SMTP server accepting messages for that domain name (Leigh.com) responds with a
message exchange record.
n The message is delivered to the SMTP server for the domain name (Leigh.com).
n The SMTP server recognises the domain name for Jessica and forwards the e-mail message
to a POP3 server (or IMAP server) and the e-mail message is placed in the mail box of the
user Jessica.
n Jessica presses the ‘get e-mail’ button to open her e-mail client and read the e-mail message.
In the above example, both Christopher (e-mail address – [email protected]) and Jessica
(e-mail address – [email protected]) are using standalone e-mail clients.
Many people (and companies) are however choosing to use web-based e-mail, otherwise
known as webmail.108 Why? For many reasons, perhaps the most important being:
n e-mail messages can be accessed and/or used anywhere, providing the user has access to a
web browser and an active internet connection, and
n webmail service providers offer a range of add-on features/facilities, for example:
l e-mail filtering,
l address book facilities,
l e-mail spam detection,
l mail retrieval,
l anti-virus checking of mail attachments,
l dictionary, thesaurus and spelling checking facilities . . . and many more.
However, there are some disadvantages, for example:
n users must stay online to access e-mail messages,
n some commercial webmail service providers limit individual user e-mail storage capacity, and
n access to webmail services can be affected by slow network/internet connections.
There can be little doubt that information and communication technology enabled innovations,
including for example:
Clearly, computer-based accounting software has existed for many years (certainly since the early/
mid 1970s) and indeed has been widely available from an extensive range of suppliers certainly
since the mid/late 1970s. However, whilst the late 1970s did witness an enormous increase in
the number and variety of accounting software providers, the late 1980s and early 1990s saw not
only widespread merger and acquisition activity between computer-based accounting software
suppliers, but also the increasing consolidation/integration of computer-based accounting
software functions. Why? Possibly for two reasons!
Firstly, the macro economic reason. During the late 1980s and early 1990s the market for
computer-based accounting software became saturated with a vast range of low-end/mid-market
accounting software products from an even greater range of software providers. Intense rivalry
and competition for a limited market stimulated demand-side pressures within an already
competitive/price orientated marketplace resulting in what many spectators referred to at the
time as the ‘supply side slaughter’.
Secondly, the technology reason. During the early 1990s advances in information technology,
including innovations and developments in computing capabilities and improvements in
communication systems, had a significant impact on customer/user demands for greater
functionality, integration, inter-product compatibility and product utility. The inability of the small/
medium-sized accounting software suppliers to meet these ever-growing demands resulted in
many small/medium-sized suppliers merging with or being acquired by the larger, more capable
and more resource wealthy suppliers.
So what types of computer-based accounting software are there? In a contemporary
context, there are of course several types/varieties available, some of which would consist of single,
independent functional modules servicing specific accounting/finance requirements and others
of which would consist of a range of integrated functional modules servicing an assortment of
accounting/finance requirements. For our purposes we will classify these types into two categories:
In addition to the above computer-based accounting software there have also been a number of
generic software innovations, perhaps the two most important being:
n spreadsheets, and
n databases.
Proposed as an alternative methodology to the traditional cost management systems, its
development was seen as an attempt to address two key issues:
n the inability of traditional systems/approaches to determine accurately the ‘actual’ cost of a
product and/or a service, and
n the failure of traditional systems/approaches to provide relevant and appropriate information
for management decision-making purposes, at both the strategic and tactical/operational level.
As a methodology for allocating costs to products and services, activity-based costing is
generally used for planning, controlling and measuring the cost and performance of activities,
resources and cost objects. As a methodology, activity-based costing recognises the cause–effect
relationships of so-called ‘cost drivers’ to ‘activities’, inasmuch as:
n cost objects (either consumer products and/or client services) consume activities,
n such activities (in the process of producing such cost objects), consume resources, and
n the resources (consumed in the performance of such activities) drive costs.115
Whilst a vast range of generic activity-based costing software is available (e.g. Acorn Systems Inc. @
www.acornsys.com, ALG plc @ www.algsoftware.com or Sage Group @ www.sagesoftware.com),
as with traditional product costing/process costing software, activity-based costing software requires:
n the identification of major processes/activities that occur within a company/organisation,
and contribute to the production, manufacture and distribution of customer products/client
services, and
n the development and maintenance of a database of customer products and/or client services
produced/manufactured and sold by the company/organisation.
Activity-based costing systems are often integrated into:
n asset management systems (e.g. company/organisation inventory systems) to provide data/
information on the valuation of inventory items,
n budgeting systems and/or performance measuring systems to provide information on resource
usage/efficiency, and
n simulation, modelling and decision-making systems to provide information for product/
service pricing and other decision making.
n the ability to transfer financial transaction data to other integrated data manipulation/data
analysis software packages and thereby facilitate scenario modelling/simulation,
n the ability to secure and control the transfer of financial transaction data thereby minimising
the possibility of potential errors, and
n the ability (with the more sophisticated budgeting/budgetary control systems software) to
integrate not only quantitative financial data, but also qualitative non-financial data.
Just-in-time software
Although some consider that the origins of just-in-time methodology can be traced back to the
early 1920s116 the common view/consensus is that just-in-time as a manufacturing technique
was first adopted and publicised by the Toyota Motor Corporation in Japan in the early 1950s.
Whether as a response to the impact of:
n the ever-changing/ever-reducing product life cycles, and/or
n the ever-increasing demands from clients and customers,
Just-in-time is, in essence, a demand orientated pull system of production and/or purchasing
in which activities are organised and timetabled according to customer/client demand, as
opposed to a supply orientated push system, in which inventories are used as a buffer to smooth
out fluctuations in purchasing, manufacturing/production and sales.
In a contemporary context, the key requirements for an effective just-in-time system are:
n the active integration of production and inventory purchasing systems/procedures – that
is purchase order processing systems (POPS) procedures and sales order processing systems
procedures (SOPS),
n the continual monitoring of production/distribution processes and materials demand,
n the use of effective and identifiable signalling procedures,
n the existence of dependable and reliable suppliers, and
n the development and maintenance of good internal (and external) coordination,
all of which can, certainly within a large multi-product/multi-service company/organisation,
require the use of increasingly sophisticated information and communication technology. Why?
Because, in seeking to:
n reduce waste within the manufacturing/production process,
n expose problems and bottlenecks within the manufacturing/production process, and
n identify and eliminate excess set-up times, production lead times and inventory,
n business planning,
n master (or production) planning,
n master production scheduling,
n material requirements planning, and
n capacity requirements planning,
the output from which would be integrated into other operational activities within the company/
organisation, for example:
n purchasing activities,
n inventory management activities, and
n manufacturing/production activities.
In essence, manufacturing resource planning systems (MRP II) are materials requirements
planning systems (MRP-I) together with capacity requirement planning and control
procedures for both the short and long term.
In addition to the operational parameters/procedures required for materials requirements
planning (MRP-I) systems, manufacturing resource planning systems (MRP II) software would
also consider issues/data related to:
n the routing of manufacture/production,
n the operational times of each manufacturing/production activity,
n the activity/process capacity of manufacturing/production work centres, and
n the capacity of the manufacturing/production process.
Note: For many manufacturing companies/organisations, the term manufacturing resource
planning (MRP-II) has been replaced/superseded by the term enterprise resource planning
(ERP) – see below.
n internal management politics may resist the sharing of internal data/information, and
n centralising system procedures and processes may result in high organisation risks (e.g. a
potential failure could have widespread implications).
In addition, because of the integrated nature of such systems, once the systems are established,
switching costs may be very high, thus reducing future flexibility and strategic control.
And what of the next generation? Fully integrated, fully interactive, browser-based, platform
independent, IP technology enabled, enterprise resource planning system software.
Spreadsheets
A spreadsheet is a computer program that displays – in rows and columns – a group of interrelated
cells in a two-dimensional arrangement, a program that allows for the entering, editing, and
manipulating of alphabetic and numeric data, and the undertaking of complex mathematical
operations.
There are, of course, many versions/types of spreadsheet available, perhaps the most widely
known being:
n Microsoft’s Excel (part of the Microsoft Office suite – available @ www.microsoft.com),
n IBM’s Lotus 1-2-3 (part of IBM’s Lotus Smart suite – available @ www.lotus.com),
n Corel’s Quattro Pro (part of the WordPerfect Office suite – available @ www.corel.co.uk), and
n StarOffice Calc (part of the StarOffice suite – available @ www.sun.com).
Whilst it is generally recognised that the inventors of the spreadsheet are Dan Bricklin and Bob
Frankston who created/developed the VisiCalc spreadsheet using, as suggested by Bricklin ‘a
blackboard/spreadsheet paradigm to view the results of underlying formulas,’ it was Mitchell
David Kapor (the founder of Lotus Development Corporation in 1982) and Jonathan Sachs
who designed the Lotus 1-2-3, a spreadsheet released in January 1983 that became the ‘killer
application’118 of the 1980s and:
n revolutionised the use of PCs, and
n contributed significantly to the success of IBM PCs in the corporate environment.
Originally marketed as a spreadsheet program called Multiplan119 in 1982, the first version
of Microsoft Excel was released for the Apple Mac in 1985, with the first Windows version
being released in November 1987. By mid-1988, Microsoft Excel had begun to outsell Lotus
1-2-3, elevating Microsoft Inc. to the position of leading PC software developer – a position the
company has maintained (not without a number of legal, commercial and technical battles)
ever since. It also, perhaps more importantly, augmented the profile of spreadsheets from
merely interesting add-on software technology to indispensable business tools so much so that
in a contemporary business context the term spreadsheet has now become synonymous with
accounting and finance. Indeed, in providing:
n user defined data input facilities – increasingly integrated into either other spreadsheets
and/or other software applications to facilitate direct input,
n user defined data editing and data manipulation facilities – including facilities to perform
complex iterative calculations using user defined processes (macros) and input variables and
to link related spreadsheets and create multi-dimensional spreadsheets, and
n user defined data output facilities – using a range of textual and graphical features,
spreadsheets have become an indispensable ‘everyday’ tool in accounting and finance, and are
now widely used in many diverse areas, for example:
Databases
A database can be defined as an organised body of related data, or perhaps more appropriately
as a logical and systematic collection of interrelated data managed and stored as a unit. A key
feature of a database is the structural relationship between the objects represented in the
database (called data elements), often referred to as a database schema. There are of course a
number of ways of organising a database schema – that is alternative ways of organising the
relationships between data elements stored in a database. Such alternative ways are often referred
to as database models (or data models), the most common being:
So which database model is the best? That depends on a range of factors including the type and
amount of data to be processed and stored.
There are of course many alternative databases available, perhaps the most widely known
being:
n Microsoft’s Access (part of the Microsoft Office suite – available @ www.microsoft.com),
n Corel Paradox (part of the WordPerfect Office suite – available @ www.corel.co.uk),
n Oracle (available @ www.oracle.com), and
n Microsoft SQL Server (available @ www.microsoft.com).
We will look at databases in more detail in Chapter 7.
Concluding comments
There can be little doubt that the impact of information and communications innovations and
developments on both social and economic activity over the past 20 years has been enormous,
changing (as we have seen) not only:
n the content of corporate activity (that is what is undertaken), but also
n the context of that corporate activity (that is how it is undertaken), and perhaps more importantly
n the nature of that corporate activity (that is where it is undertaken).
And yet, as we enter the 21st century and before we congratulate ourselves on the success of
this global technological revolution, it is perhaps important to recognise the socio-political
consequences and ephemeral nature of the paradise we have created. Indeed, there can be little
doubt that growing economic regionalisation, rising political territoriality and increasing social
segmentation – whilst clearly products of early times – nonetheless provide iconic testimony
to the late 20th and early 21st century information technology revolution.
References
Castells, M. (1996) The Rise of the Network Society, The Information Age: Economy, Society and Culture,
volume I, Blackwell, Oxford.
Castells, M. (1998) The end of millennium (The information age, economy, society and culture,
volume III), Blackwell, Oxford.
Lu, M. (2001) ‘Digital divide in developing countries’, Journal of Global Information Technology
Management 4:3, pp. 1–4.
Stadler, F. (1998) ‘The Network Paradigm: Social Formations in the Age of Information’, Information
Society 14:4.
Bibliography
Websites
www.bacs.co.uk
Bankers Automated Clearing Systems
www.eff.org
Electronic Frontier Foundation
www.financial-ombudsman.org.uk
Financial Ombudsman Service
www.iab.org
Internet Architecture Board (IAB)
www.ietf.org
Internet Engineering Task Force (IETF)
www.irtf.org
Internet Research Task Force (IRTF)
www.isoc.org
Internet Society (ISOC)
www.rfc-editor.org
Request for Comments editor
www.voca.co.uk
Voca Ltd
www.voipproviderslist.com
VoIP provider list
www.w3.org
World Wide Web Consortium
Self-review questions
1. Briefly explain the contribution ARPAnet made to the development of the internet.
2. Distinguish between the internet, and the web.
3. Define the term RFC, and explain the role of RFCs in developing internet standards.
4. Define and explain what is meant by the term ‘file sharing’.
5. Define and explain two of the following internet services/facilities:
• e-mail,
• file sharing,
• media streaming,
• VoIP (Voice over IP),
• internet relay chat,
• newsgroups.
6. Define and briefly explain the role of the Internet Society (ISOC).
7. Identify and describe the main categories of electronic funds transfer (EFT).
8. Define and distinguish between direct credit and direct debit.
9. Briefly explain the difference between card-based, and non-card-based EPOS EFT.
10. What are the major types of computer-based accounting software?
Question 1
‘The internet is a global phenomenon started by the Russians!’ Discuss.
Question 2
‘The internet is a global phenomenon managed and controlled by the Americans!’ Discuss.
Question 3
Computer-based accounting software can be classified into two categories:
• accounting finance-related software, and
• management-related software.
Required
Describe and explain the three types of software within each of the above categories.
Question 4
The BACSTEL payment service was withdrawn at the end of December 2005 and replaced by BACSTEL-IP.
Required
Briefly describe the four stage processing procedure of BACSTEL-IP and explain the main advantages of the
new service.
(Note: Before answering the question have a look at the information available @ http://www.bacs.co.uk/bpsl/bacstelip).
Question 5
There are many different types of websites, some of which allow free access, some of which require a
subscription to access part of their content and some of which require a subscription to access all of their
content.
Required
Describe (with examples) eight types of website available on the web today.
Assignments
Question 1
KDS Ltd is a UK-based services company. The company provides a range of secure delivery services for
NHS hospitals in the south-east of England. Currently the company operates a fleet of 62 vehicles and is
investigating the possibility of using VoIP for communication between the company’s head office and the
various delivery vehicles.
Required
Describe the advantages and disadvantages of using VoIP for a company such as KDS Ltd and the possible
uses/benefits such a system could have in relation to the company’s accounting information perspective.
Question 2
At a recent accounting information systems conference in London, a guest academic speaker completed his
lecture on ‘the impact of information and communication technology on corporate accounting information
systems’ with the following statement:
and remember, there are only four golden rules in corporate accounting information systems management,
these being:
• information is money – protect it,
• trust is not a form of control,
• technology is paradox, and
• the cost of security can never be too high.
Required
Critically assess the validity and appropriateness of the guest speaker’s four golden rules.
Chapter endnotes
1
As suggested by Stadler (1998), the new economy is ‘informational because the competitiveness
of its central actors (firms, regions, or nations) depends on their ability to generate and
process electronic information. It is global because its most important aspects, from financing
to production, are organised on a global scale, directly through multinational corporations
and/or indirectly through networks of associations.’
2
Such space of flows comprises a vast range of interconnected elements/networks through
which socially constructed organisations (such as companies) constitute/(re)constitute themselves
and organise their activities. For Castells (1996) such a space of flows comprises three
interrelated aspects:
• technology – the infrastructure of the network,
• places – the topology of the space formed by the links and connections within the network, and
• people – the segregation of people within such networks.
3
For Castells the network enterprise is ‘that specific form of enterprise whose system of
means is constituted by the intersection of autonomous systems of goals’ (1996: 171), and is a
phenomenon arising from and comprising changing patterns of both internal and external
competition and cooperation.
4
For Castells such increasing fragmentation is the result of ‘societies . . . (being) . . . increasingly
structured around the bipolar opposition of the Net and the Self’ (1996: 3). For Castells, the
Net metaphor relates to/symbolises the new emergent organisational formations and structures
based on the pervasive use of networked communication media – formations and structures
that are now characteristic of many companies, communities and social movements. The Self
metaphor relates to/symbolises the activities through which individuals attempt to reaffirm
their identities under the conditions of structural change and instability – structural change and
instability that is symptomatic of the organisation and (re)organisation of social, political and
economic activities into dynamic networks.
5
Or as described by Castells (1996) as ‘network enterprises’.
6
Cuneiform is a pictographic writing system used by many languages over several empires in
ancient Mesopotamia and Persia. Cuneiform is derived from Latin meaning ‘wedge shaped’.
7
COBOL (COmmon Business Oriented Language) was developed in the 1960s as a programming
language designed for and used primarily in business-related applications.
8
FORTRAN (FORmula TRANslator) was developed by IBM in the late 1950s and was one of
the first high-level program languages, used primarily for scientific calculations.
9
In formal usage, the word Internet was traditionally written with a capital first letter, whilst in less
formal usage, the capital letter was often dropped (internet). Up to 2000 the former dominated
the media and the published press. However since 2000 a significant number of publications
have adopted the latter less formal usage. It is this latter version that is used in this text.
10
Internetworking involves connecting two or more distinct computer networks together into
an internetwork, using devices called routers (computer network devices that forward data
packets across an internetwork through a process known as routing) to connect them together
and allow traffic to flow between them.
11
In computer networking, packet switching is the dominant communications procedure in
which packets (units of information carriage) are individually routed between computer network
nodes (devices).
12
The Internet Protocol (IP) is a data-oriented protocol that is used by source and destination
hosts for communicating data across a packet switched internetwork.
13
The Advanced Research Projects Agency Network (ARPAnet) developed by ARPA (Advanced
Research Projects Agency) of the US Department of Defense.
14
For some, the urgency afforded to the development of the ARPAnet by the US government
authorities was a direct consequence of the scientific success illustrated by the Russian Sputnik
programme, especially Yuri Gagarin’s successful spaceflight on 12 April 1961.
15
In an open-architecture network, the individual networks may be environment specific –
that is separately designed and developed with their own unique interface which they may offer
to users and/or other providers, including other internet providers.
16
See: www.zakon.org/robert/internet/timeline.
17
Source: Computer Industry Almanac – see www.i-level.com/resource-centre/statistics.asp.
18
Source: BMRB Internet Monitor – see www.i-level.com/resource-centre/statistics.asp.
19
RFC1 was written by Crocker, S., University of California, Los Angeles. It was published in
1969 and was entitled ‘Host Software’.
20
The Internet Engineering Task Force (IETF) is responsible for the development and promotion
of internet standards. It is an open, all-volunteer organisation. It possesses neither
formal membership nor any formal membership requirements. For further information see
www.ietf.org.
21
The Internet Architecture Board (IAB) (see www.iab.org) is responsible for overseeing the
technical and engineering development of the internet by the Internet Society (ISOC) (see below).
The board oversees a number of task forces, of which perhaps the most important are:
• the Internet Engineering Task Force (IETF), and
• the Internet Research Task Force (IRTF) – see www.irtf.org.
22
The RFC Editor is:
• the publisher of RFC documents,
• responsible for producing the final editorial review of the RFC documents, and
• responsible for maintaining a master file of RFC documents called the RFC Index.
censorship and allow people to communicate freely and with near-total anonymity. More
information on Freenet is available @ http://freenetproject.org.
37
Founded in 1990 the Electronic Frontier Foundation (EFF) is a US-based, non-profit-making
organisation whose main aims are to ‘educate the press, policymakers and the general public
about civil issues related to technology,’ in the context of today’s digital age. More information
on the Electronic Frontier Foundation is available @ http://www.eff.org.
38
The term ‘consumption’ is used here to mean any or a combination of the following:
• reading – if the media is text based,
• hearing – if the media is audio based, and
• viewing – if the media is video based.
39
For example, protocol issues/requirements, data corruption issues, data recovery procedures
and transmission guarantees.
40
Movielink is a venture jointly owned by Paramount Pictures, Sony Pictures Entertainment,
Universal Studios and Warner Bros Studios, and CinemaNow is a venture jointly owned by
Lions Gate Entertainment, Microsoft, Blockbuster and several private investment companies.
41
Although an ISP (internet service provider) will clearly charge for connection to the internet,
the use of VoIP over the internet does not usually involve any extra/additional charges. Consequently
VoIP users often view any calls as free. Example VoIP providers include Free World
Dialup @ www.freeworlddialup.com and/or Skype @ www.skype.com.
For a comprehensive list of VoIP providers see VoIP provider list available @ www.voipproviderslist.com.
42
UK Office of Communication.
43
E.164 is a global standard which defines the international telecommunications plan that
among other provisions defines the format of telephone numbers. Further details are available
@ www.comm.disa.mil/itu/r_e0.html.
44
Internet relay chat was created by Jarkko Oikarinen (nickname ‘WiZ’) in August 1988 to
replace a program called MUT (Multi User Talk) on a bulletin board system called OuluBox,
in Finland. The prominence and profile of internet relay chat grew enormously during 1991
when it was used extensively by many Kuwaitis to report on the Iraqi invasion of Kuwait
in August 1990 and the consequential Gulf War in 1991, and by many Russians to report
on the Soviet coup attempt – the August Putsch, in August 1991. Internet relay chat was
also used in a similar way during the coup against Boris Yeltsin in September 1993. (See
www.wikipedia.org.)
45
It is not uncommon for an IRC server to have dozens, hundreds or even thousands of chat
channels open simultaneously – some channels are more or less permanent, others less so.
46
Available @ http://groups.msn.com/Editorial/en-gb/Content/chat.htm.
47
A central location where data are stored and maintained.
48
Usenet is a distributed discussion system through which users (or more appropriately
usenetters) can access and distribute messages (often called articles) to a number of distributed
newsgroups. The functionality of the system is maintained through a large number of
interconnected servers, which store and forward messages from each other. And the difference
between Usenet and the Internet is? The internet is the worldwide network of computers communicating
to each other with the use of a specific communications protocol (TCP/IP) used
by a vast range of applications. Usenet is essentially an application – a multi-user BBS (bulletin
board system) that allows people to talk to each other on various subjects/issues.
49
The alt.* hierarchy contains a vast number of sub-hierarchies/newsgroups for the discussion
of a wide range of topics – some geographically orientated, some culturally determined – and
many in a language other than English.
50
The procedure/criteria for the creation of a new group within the alt.* hierarchy should
be discussed in alt.config, and its adoption is not subject to the strict rules/voting procedures
required for other hierarchies.
51
Using a hyperlink, which is essentially a reference in a hypertext document to another
document or other resource.
52
A web browser is a software application that enables a user to access, display and interact
with HTML documents (webpages) either:
• hosted by a web server, or
• held in a file system.
The most popular web browsers for personal computers (PC and Mac) include:
• Microsoft Internet Explorer (see www.microsoft.com/windows/ie/default.mspx),
• Mozilla Firefox (see www.mozila.org),
• Opera (see www.opera.com), and
• Safari (see www.aple.com/safari).
53
Tim Berners-Lee now heads the World Wide Web Consortium (W3C) – see www.w3.org –
which develops and maintains standards that enable computers on the web to effectively store
and communicate different forms of information.
54
This document (Berners-Lee, T.M. and Cailliau, R. (1990) ‘World Wide Web: Proposal for
a hypertext project’) is available @ http://www.w3.org/Proposal.
55
See http://groups.google.com/group/alt.hypertext/msg/395f282a67a1916c.
56
A URI (Uniform Resource Identifier) identifies a particular resource – a URL (Uniform
Resource Locator) not only identifies a resource, but indicates how to locate the resource. That
is, the URL functions as a document/web page address.
57
For example the most prevalent language on the internet is English (approximately 60%).
58
A disparity in technological progress and development between those developed nations/
countries able to develop and invest in information and communication technologies, and
those less developed/developing nations/countries unable to develop and invest in information
and communication technologies, continues to reinforce and indeed widen existing economic
differences and inequalities, between:
• the most developed nations/countries of the world (e.g. the USA, Canada, Japan and those
countries that comprise the EU), and
• the less developed and/or developing nations/countries of the world (e.g. many African and
Latin American nations/countries and some South-East Asian nations/countries).
A global divide often characterised as the north–south divide – between the northern, wealthier
nations/countries and southern, poorer nations/countries.
59
Asymmetric Digital Subscriber Line (ADSL) is a data communications technology that
enables faster data transmission over conventional telephone lines than a conventional modem
can provide.
60
The term e-business is often attributed to Louis V. Gerstner, Jr., Chairman of the board and
Chief Executive Officer of IBM Inc. from April 1993 to December 2002.
61
The European e-business report: a portrait of e-business in 10 sectors of the EU economy (2004)
is available @ www.ebusiness-watch.org/resources/documents/eBusiness-Report-2004.pdf.
62
Some commentators refer to such activities as web commerce.
63
Dot com companies were the collection of mainly start-up companies selling a range of
products and/or services using a range of information and communication-related vehicles – in
particular the internet. Their exponential proliferation during the late 1990s dotcom boom was
matched only by their spectacular decline in 2000/01.
64
M-commerce can be defined as the buying and selling of goods and services through wireless
(handheld) devices such as mobile telephones and www-enabled personal digital assistants.
65
HyperText Markup Language (HTML) is a markup language designed for the creation
of webpages and other information viewable with a web browser. HTML is used to structure
information identifying text, for example headings, paragraphs, lists, etc.
66
Extensible HyperText Markup Language, or XHTML, is a markup language with the same
semantic context as HTML but with a much stricter syntax.
67
Hyper Text Transfer Protocol (HTTP) is the primary method used to convey information
on the web.
68
Uniform Resource Locator, or web address, is a standardised address name layout for resources
(such as documents or images) on the internet.
69
A hyperlink is merely a link or a reference in a hypertext document to another hypertext
document and/or other resource.
70
Web traffic can be analysed by viewing the traffic statistics found in the web server log file,
an automatically-generated list of all the pages served or ‘hits’.
71
X12 refers to the version/generation.
72
The sending of EDI transactions, using the Internet, involves translating the transaction
document into MIME format and then using e-mail to transmit the message from the source
company to the destination company.
73
EDI on the internet is also called ‘open EDI’ because the internet is an open architecture network.
74
BACS (Bankers Automated Clearing System) is operated by BACS Payment Schemes Limited.
The organisation is a membership-based industry body established and owned by the major
UK banks to provide the facility for transferring funds (via direct debit, direct credit and/or
standing order). Its role is to:
• develop, enhance and promote the use and integrity of automated payment and payment-related
services, and
• promote best practice amongst those companies who offer payment services.
competence and operational integrity of the bureaux in accordance with the requirements of
the BACS Approved Bureaux Scheme. The following areas are normally assessed:
• physical security,
• computer operations, and
• applications and systems support.
82
Note: The control of a direct credit payment normally resides with a payer’s bank.
83
During 2005 approximately 90% of the UK workforce was paid using direct credit –
approximately 5 million wages every week and nearly 25 million salaries every month. However,
direct credit can be used for a wide variety of other applications.
84
During 2005 nearly 200,000 organisations used BACS for supplier payments, payments of
pensions, payments of employee expenses, insurance settlements, payments of dividends and/or
interest and payment refunds.
85
Note: The bank and/or building society holding the payer’s account is both responsible and
answerable for all payments (including those made by direct debit) made for that account.
86
Some organisations/companies sometimes levy an additional (interest) charge on customers
for paying by direct debit.
87
All direct debit payments are protected by three safeguards:
• an immediate, money back guarantee from the bank or building society if an error is made,
• advance notice from the recipient company/organisation if the date and/or the amount of
the direct debit changes, and
• the right to cancel.
88
BACSTEL payment service was withdrawn at the end of December 2005.
89
Conversion/transfer of all direct submitters and BACS approved bureaux was completed by
late 2005/early 2006.
90
Public key infrastructure (PKI) is an arrangement which provides for third-party vetting of,
and vouching for, user identities. It also allows binding of public keys to users. This is usually
carried out by software at a central location together with other coordinated software at distributed
locations. The public keys are typically in digital certificates.
91
Public key cryptography (PKC) is a type of cryptography in which the encryption process is
publicly available and unprotected, but in which a part of the decryption key is protected so that
only a party with knowledge of both parts of the decryption process can decrypt the cipher text.
92
The software interface can be either:
• an acquired/purchased software interface from a BACS approved solution supplier – a
company that provides BACS Payment Schemes approved software solutions to businesses
that wish to access the BACS Payment Schemes service, including BACSTEL-IP software and
hardware packages, mailbox services for BACS Payment Schemes reports and total management
solutions to handle and run direct debit and direct credit systems, or
• an in-house corporate developed software interface which must conform to the technical and
quality specifications of BACSTEL-IP and be subject to the conditions and testing protocols
mandated under the BACS Approved Software Service.
93
Currently, a company/business will need:
• WINDOWS 98 SE, WINDOWS NT4, WINDOWS 2000 or XP (all versions), or
• Linux & AS400, or
• Internet Explorer 5.01 and above, 128 bit SSL encryption; Netscape Navigator 4.7 and above,
128 bit SSL encryption, and
• zipping software (WinZip), and
• the ability to connect a smartcard reader (USB (preferred) or serial interface).
94
For further details on each of these connectivity types see www.pearsoned.co.uk/boczko.
95
A smartcard-based security process requires an operator to insert the card into a reader
and key in a PIN each time a digital signature is required. Such a security process is normally
used/best suited to a PC or other interactive-based system.
96
A hardware security module (HSM) solution can be an external module connected to or an
internal module integrated within the computer system to:
• store secret keys and other security-related material,
• provide a secure and controlled production of digital signatures, and
• provide different levels of security to prevent unauthorised access to the secret material.
Such a module is normally used/best suited for a mainframe or server environment, and/or where:
• unattended operations are performed,
• remote and/or secure computer environment is required, and/or
• physical access is limited.
97
Sponsoring banks are responsible for (in agreement with the user’s primary security contacts):
• setting up each user and contact point on BACSTEL-IP, and
• assigning relevant access levels for each contact point.
98
Simple Mail Transfer Protocol (SMTP) is the standard for e-mail transmission across the
internet. It is a simple, text-based protocol, where one or more recipients of a message are specified
(and in most cases verified to exist) and then the message text is transferred.
99
A ‘killer application’ is the term used to describe a computer (software) program that is so
useful that people will buy computer hardware and/or an operating system simply to run the
program.
100
BITnet was a cooperative US university network founded in 1981 at the City University of
New York.
101
US-based National Science Foundation network (NSFNet) which formed a major part of
the central network/core of the internet.
102
A signature block is a block of text automatically appended at the bottom of an e-mail
message that essentially signs off the message. Information usually contained in a signature
block may for example include:
• the sender’s name,
• the sender’s email address, and
• other contact details where appropriate, for example website addresses and/or links.
103
Here the recipient of this copy will know who was in the To: field, but the recipients cannot
see who is on the Bcc: list.
104
Multipurpose Internet Mail Extensions (MIME).
105
The Domain Name System (or DNS) is a system that stores information about hostnames
and domain names in a type of distributed database on networks, such as the internet. Of the
many types of information that can be stored, most importantly it provides a physical location
IP address for each domain name and lists the mail server accepting e-mail for each domain.
106
POP is an abbreviation of Post Office Protocol, and IMAP is an abbreviation of Internet
Mail Access Protocol.
107
If the recipient address had been another user at James.com the SMTP server would merely
transfer the e-mail message to the POP3 server for James.com (using what is called a delivery
agent). However, because the recipient is at another domain, the SMTP server needs to
communicate with that other domain.
108
The market for webmail has two main competitors: Hotmail with approximately 33% of
the market and Yahoo Mail with approximately 30% of the market. Gmail (Google mail) has
approximately 4% of the market. The remaining 33% of the market is held by smaller providers.
109
Source: BMRB Internet Monitor – see www.i-level.com/resource-centre/statistics.asp.
110
For example, customer analysis by:
• geographical location,
• volume of trade, and/or
• payment history.
111
For example:
• sending out debtor letters, payment reminders and statements of account,
• making provisions for doubtful and bad debts, and
• holding/closing accounts.
112
For example, multiple delivery addresses for each customer.
113
For example, supplier analysis by:
• geographical location,
• account type, and/or
• credit terms.
114
Activity-based costing was first defined in 1987 by Robert Kaplan and Robin Cooper (Kaplan,
R. and Cooper, R. (1987) Accounting and Management: A Field Study Perspective, Harvard Business
School Press, Harvard Business School).
115
Where a cost object (product and/or service) uses and/or shares common resources differently
(in different proportions or at different rates), the measure of the use of the shared activity by
each cost object (product and/or service) is known as the cost driver. Note that an activity
can have multiple cost drivers.
116
See article @ http://www.ct-yankee.com/lean/mlw/jit.html.
117
These are products integrated into other products.
118
See note 99.
119
Multiplan was an early spreadsheet program developed by Microsoft in 1982. It was initially
developed for computers running operating systems such as CP/M, MS-DOS and Apple II, with
the Apple Mac version being Microsoft’s first GUI (graphical user interface) spreadsheet.
Introduction
Information technology and business are becoming inextricably interwoven. I don’t think anybody
can talk meaningfully about one without talking about the other (Bill Gates, Microsoft).
The history of any society (or group/organisation within a society) is a history littered with
uncertainties and ambiguities. A history in which political and economic pressures often
necessitate the frequent modification of organisational boundaries, and in which social
and cultural pressures often require the imposition of new and/or redefined existing social
structures, social arrangements and organisation interrelationships.
A history of change perhaps? But how do we know? We don’t . . . well not with any
degree of certainty, because history – especially the social history of a group, organisation
and/or institution is often written/re-written through the eyes of the present!
However, that said, what we do know (if perhaps only intuitively) is that our species is
socially interactive with an almost unconscious need/desire for collectiveness, connectivity
and belonging. A need/desire that has perhaps existed since the dawn of time! From:
• the emergence of small self-sufficient groupings (small, self-sustaining social networks
founded on the need for mutual survival), to
• the development of larger local assemblies and urban alliances/networks founded on
the need for mutual protection and security, and the coordination of activity, to
• in a contemporary context, the establishment of large national and international
democratic societies founded on the need for socio-political governance, economic
management and wealth creation,
the need for belonging, for connectivity and for socially structured networks has remained
a common feature/theme – a theme that perhaps unsurprisingly has continued to play
an increasingly important role in the ever-changing cartography of modern 21st century
society.1 A society that is neither isolated nor protected from the consequences of inter-
state politics, cultural territoriality and the ever increasing mobility of capital. One that
possesses neither permanence nor stability, and is neither a static nor unchanging product
of antiquity. Indeed, there can be little doubt that, as an ever-changing, ever-complex network
of socio-cultural arrangements, economic rationales and socio-political relationships,
society (and the groups, institutions and organisations of which it is comprised) is constantly
being reupholstered, reconfigured and/or reconstructed by a vast array of often
conflicting social, economic and increasingly political pressures.
Consider, for example, the past social conflicts that have punctuated the history of many
of the world’s societies, nations, and states,2 or indeed the many political/democratic changes
that have scarred many a social landscape and resulted in a redefining of individual societies,
nations and states. Most (if not all) of these conflicts and changes have arisen/emerged from
the desire of one social group (or indeed, one nation, or one state) – sometimes in collusion
with others – to impose its world view, its idea of collectiveness (of belonging/connectivity),
its Weltanschauung,3 onto another social group (or indeed nation or state) – for better or worse!4
There can also be little doubt that today – within western contemporary society, certainly
during the latter part of the 20th century and the early part of the 21st century – much of
the growing demand for greater interconnectivity and greater organisational/institutional
networking has resulted from the increasing dominance of an almost singular economic
philosophy.5 A philosophy:
• whose foundation lies within the social politics of economic liberalism and the free
pursuit of wealth accumulation, and
• whose organisation and continued success is dependent upon a structure of defined
economic networks and socio-political interconnectivity.
An interconnectivity necessitated by:
• the ever-increasing numbers of market-based participants,
• the ever-increasing complexity of market-based interrelationships, and
• the ever-increasing geographical diversity of market-based activity.
Indeed, from the earliest social networks to the emergence of complex interrelated institutional
networks (e.g. the limited liability company), to the development of virtual networks,
the purpose of such networks – their raison d’être – has remained unchanged. To provide an
interconnectivity of trust through which the use of data, information, assets and resources can
be managed, coordinated, organised, structured and, perhaps most importantly, controlled.6
Learning outcomes
This chapter considers a range of issues related to soft-type networks, hard-type networks
and semi-soft-type networks, and explores the implications of such networks on corporate
accounting information systems. It examines issues relating to the development and control
of alternative network architectures and topologies, and considers how information
and communication technology, and the adoption of alternative network architectures
and topologies, have affected the computer-based processing of transaction data.
By the end of this chapter, the reader should be able to:
• describe the major characteristics of, and inter-relationships between, soft-type networks,
hard-type networks and semi-soft-type networks,
• consider and explain the socio-political context of networking, and
• demonstrate a critical understanding of the implications of alternative network architectures
and topologies on corporate accounting information systems.
All networks whether they are physical, social or indeed virtual possess three important
characteristics:
• an architecture – that is a specific design for the inter-operation of the components that
comprise the network,
• a topology – that is a specific shape or relational map that describes the network, and
• a protocol – that is a set of rules that prescribe and govern access to, engagement with, and
communication within, the network, and/or between a network and other interrelated networks.
Remember Chapter 2 and the discussion on soft systems/hard systems? We will adopt a similar,
albeit slightly extended, framework for our discussion on networks and distinguish between the
following network types:
• soft-type networks – or social networks
• hard-type networks – or physical networks, and
• semi-soft-type networks7 – or logical (virtual) networks.
Soft-type networks
In a social context, a network can be described as a set of relationships and/or interconnections
between individuals and/or groups of people, and refers to the interassociation between indi-
viduals and/or groups of individuals, designed to:
• share commonalities,
• form communities (or expand existing communities), and
• exchange information, knowledge and/or resources.
We will refer to these networks as soft-type networks, that is networks in which the dominant
feature is mutual communication, social interaction, and exchange within a politically
constructed framework/arrangement.
Such soft-type networks can be divided into two categories:8
• a social network or socio-political network – often referred to as a self-focused network which
is created, developed and sustained for the benefit of the self, and
Hard-type networks
In a structural context, a network can be described as a physical construct and defined by the
components that comprise its underlying physical structure. For example, using an information
and communication technology context, a network can be defined as:
• a group of devices connected by a communications facility, the primary use of which is the
exchange of data and/or information, or
• a configuration of data processing devices and software programs connected for data and/or
information interchange, or
• a group of computers and/or computer-related devices (e.g. a server) connected by a
communications facility and/or telecommunications link that share data, and/or information
and/or resources/facilities.
We will refer to these as hard-type networks, that is networks in which the dominant feature
is a structured interconnectivity. Such hard-type networks (in particular, information and
communication technology-based networks) may be either:
• permanent – for example a structure defined by physical interconnections and
communications links, such as Ethernet cabling and/or fibre optic cabling, or
• temporary (or intermittent) – for example using non-physical wireless interconnections and
communication links, such as digital links and/or satellite facilities.
Furthermore, given the highly structured (some would say mechanistic) nature of such networks,
outcomes and performance are generally seen as certain and predictable, with performance
often measured in quantifiable terms.
Semi-soft-type networks
From a process context, a network may also be defined as an abstract organisational construct,
a construct that is superimposed on all or part of one or more interrelated physical networks,
and through which data/information is made available and/or resources and activities are
coordinated and managed.
Such networks are sometimes referred to as logical networks9 – a good example of which is
of course the internet, and its associated derivatives, the intranet and extranet.
We will refer to these networks as semi-soft-type networks, that is networks in which the
dominant feature is representational interconnectivity, or more appropriately a conceptual
description/constructed representation concerned only with the interconnections and pathways
that comprise the network.
Let’s look at each of these alternative types of networks in a little more detail.
often political in context and invariably economic in origin. It is the interaction (directly or
indirectly) of these network actors that influences the ongoing social, political and economic
activities of the network and, as a consequence, determines:
• how effectively data/information flows within the network,
• how efficiently data/information is used within the network, and
• how patterns of trust and mechanisms of control are developed, established and fostered
within the network.
Such interactions are determined by the interaction/interface of a range of factors/characteristics,
the most important being:
• architecture-related structural characteristics – normally influenced by, for example:
  ◦ the nature and purpose of the network, and
  ◦ the nature of the social connectedness within the network,
• topology-related functional characteristics – normally influenced by, for example:
  ◦ the type of relationships/links possible within the network, and
  ◦ the frequency of social contact within the network, and
• protocol-related control/management characteristics – normally influenced by, for example:
  ◦ the proximity of individuals within the network, and
  ◦ the risk profile/nature of network activities.
In a soft-type network context, the architecture provides the structure/framework through which
aims and objectives of the network are realised. Whilst such architectures can vary enormously
between networks, they can nonetheless be located on a somewhat subjective scale between:
• a formal and highly structured architecture, and
• an informal/casual architecture.
Formal
A network with a formal type architecture can be loosely defined as a regulated social arrangement/
network of people and/or groups of people designed to facilitate interaction, communication
and the exchange of both knowledge and resources.12
Informal
A network with an informal type architecture can be loosely defined as a social arrangement/
network of people and/or groups of people designed to facilitate casual interaction – without a
formal regulated framework.
In reality, of course most soft-type networks are rarely ever completely formal (i.e. rule-bound)
or rarely ever completely informal (i.e. rule-less). Instead, such networks tend to be a combina-
tion of both formal and informal types, that is they tend to be a complex layering or blending
of both formal and informal architectures,13 a blending that historically has, in a corporate con-
text at least, been associated with/dominated by the ever-changing demands of the marketplace
and the priorities of capital accumulation.
In a soft-type network context, a topology provides the specific shape or the relational map of
the organisation/network. Again, whilst such topologies can vary enormously between networks,
they can (again) be located on a somewhat subjective scale between:
Bureaucracy
• mechanistic,19
• organic,20
• functional,
• process-based, and/or
• matrix (or mesh) orientated,
they are (despite their inherent problems21) designed primarily to promote stability, and equality,
and provide for the allocation of:
Adhocracy
In addition, they are typified by a core desire to maintain – at all costs – the autonomy and
sovereignty of network actors/participants.22
In a soft-type network context, the protocols provide the regulatory context of the organisation/
network, that is the management framework within which the network functions and under-
takes its activities. Protocols are designed primarily to:
• reduce network variability,
• minimise possible instability,
• moderate the impact of future uncertainty and unpredictability, and
• secure future sustainability.
Such protocols (i.e. rules and regulations) are invariably a product of an often complex
and highly politicised process, the outcome of which is invariably determined by the type of
architecture and topology adopted by/imposed upon the network.
As suggested earlier, we can locate a soft-type network on two distinct scales, based on:
• the type of network architecture – ranging from formal to informal, and
• the type of network topology – ranging from bureaucratic to adhocratic.
Using the former (network architecture) as a vertical scale, and the latter (network topology)
as a horizontal scale, we can create an intuitive representation – albeit a somewhat simplistic
representation – on which to locate alternative soft-type networks. This representation provides
four categories, from:
• formal bureaucracy, to
• formal adhocracy, to
• informal bureaucracy, to
• informal adhocracy.
See Figure 5.2.
An established retail/distribution company, a manufacturing/production company or
indeed a time/space-based company would, because of:
• the nature and interconnectivity of their activities,
• the hierarchical complexity of their activities, and
• the dependency on routine formalised processes and procedures,
tend to adopt a more formalised (more bureaucratic) structure, and would perhaps be located
within the formal bureaucracy region of the model (see area A in Figure 5.2).
An established knowledge/skills-based company or profession-based company, dependent
not on routine formalised activities but on:
• individual (or group) skills,
• individual professional knowledge and competence, and/or
• individual (or group) creativity and inventiveness,
would, for example, tend to adopt a less-formalised (more adhocratic) structure, and would
perhaps be located within an area that overlaps a number of regions (see area B in Figure 5.2).
and would perhaps be located within an area that overlaps both the formal bureaucracy and
informal bureaucracy regions of the model (see area C in Figure 5.2), although eventually
as the company becomes more established, the priorities of accumulation and the pressure
of the marketplace may well force such a company into either area A or area B (or out of
business!).
Non-corporate-based soft-type networks, for example a charity or mutual association,
would – depending of course on its size and range of activities – adopt a less formalised/more
adhocratic structure, and perhaps be located within an area that overlaps a number of regions
(see area B), although larger more established networks may well adopt a more corporate
orientated bureaucratic structure, and perhaps move into the formal bureaucracy region of
the model (see area D in Figure 5.2).
For our purposes, we will define a hard network as an information and communications system
that interconnects computer systems at different locations, and:
• facilitates the transfer and exchange of data and/or information, and
• allows the sharing of software, hardware (e.g. other peripheral information and
communications devices) and/or processing power.
Such a network may be fixed, cabled and permanent, and/or variable (flexible), wireless and
temporary.
The term network architecture refers to the design of a network, that is, the basic layout or
configuration of an information and communication system/computer system, and includes:
• the relationship of a network with/to any associated system,
• the physical configuration of the network,
• the functional organisation of the network,
• the operational procedures employed in the network, and
• the data formats utilised in the network.
There are many alternative types of hard-type network architectures, the most common being:
• wide area network (WAN),
• metropolitan area network (MAN),
• local area network (LAN),
• personal area network (PAN),
• client/server network, and
• peer-to-peer network.
Note that:
• computers and/or other information and communication devices within a network are called
nodes,23 and
• computers and/or other information and communication devices which allocate resources
are called servers.24
Before we look at each of these alternative types of networks in a little more detail, it would
perhaps be useful to consider/explain some of the components that comprise a hard network.
• a bridge – to separate large networks into smaller more efficient networks or sub-networks,
• a switch (multi-port bridge) – to select network pathways/links within a network for the flow
of data/information, and
• a router – to forward data packets to their network destinations.
Of course, all of these network components (or nodes) will require connecting using either:
• a wired connection, and/or
• a wireless connection.
Computer workstation
All user computers connected to a network are called workstations or computer workstations
and are referred to as network nodes. The phrase ‘connected to a network’ means a computer
workstation that is configured with:
• a network interface card,
• appropriate networking software, and
• the appropriate physical cables if the network is hard wired, or the appropriate transmission/
receiving devices if the network is wireless.
Whilst a computer workstation does not necessarily need/require independent storage capacity,
because data files can be saved on the network file server, most computer workstations do
possess storage capacity if only for use as a back-up facility in the event of network problems.
File server
A file server stands at the centre of most networks and is, in essence, a computer that:
• stores and manages data files and software (e.g. end users’ files),
• manages the use and availability of shared resources,
• provides network users with data, information and access to other network resources,
and
• regulates communications between network nodes.
A file server may be dedicated – that is the computer workstation used as a file server is used
only as a file server – or non-dedicated – the computer used as a file server is also used for other
network-related tasks (e.g. it may also be used, simultaneously, as a network workstation).
Any computer workstation can function as a file server. Whilst the characteristics and speci-
fications of a file server would depend on the size and nature of the network served, the
functionality of a computer workstation as a file server is dictated by the network operating
systems (NOS) – whether it is a Novell Netware System, a Windows Server System or a UNIX
Server System.
The network interface cards used in a network are a major factor in determining:
• the speed of the network, and
• the performance of a network.
Put simply, the network interface card implements a range of specific physical layer26 and data
link layer27 protocols that are required for effective communication across a network.
Repeater
A repeater is an OSI layer 1 device. In hard-wired networks, communication signals can lose
strength as they pass across the network. Consequently, it may sometimes be necessary to boost
the communication signal with a device called a repeater – usually where the total length of
cable used in a network connection exceeds the standard set for the type of cable being used. A
repeater merely amplifies the signal (the data/information message) it receives and rebroadcasts
it across the network.
A repeater can be a separate device or it can be (and often is) incorporated into a hub or switch.
Hub
A (standard) hub – also known as a concentrator – is a networking component (an OSI layer 1
device) which acts as a convergence point of a network allowing the transfer of data/information.
Put simply, a hub merely duplicates data/information received via a communications port and
makes it available to all ports, allowing data/information sharing between all network nodes
connected to the hub.
There are three types of hub:
• a passive hub – which allows the data/information to flow,
• a manageable hub – which allows data/information transfers to be monitored, and
• an active hub – which allows the data/information to flow but regenerates/amplifies received
signals before transmitting them along the network.
Bridge
A bridge is an OSI layer 2 device that facilitates:
• the connecting of a new network (or network segment) to an existing network (or network
segment), and/or
• the connecting of different types of hard-type topologies.28
The purpose of a network bridge is to ensure that only necessary data/information flows across
both sides of the network. To achieve such an aim a bridge can be used to:
• monitor the data flow/information traffic across both sides of the network, and
• manage network traffic to maintain optimum performance across the network.
Switch
A switch, or more appropriately a switching hub (an OSI layer 2 device), is a device which
filters and forwards data/information across a network. Whilst a standard hub simply replicates
the data/information received, a switching hub keeps a record of the MAC addresses (media
access control addresses) of the network nodes attached to it. When the switch receives data/
information for forwarding, it forwards the data/information directly to the recipient network
node identified by the MAC address attached to the data/information.
Most switches are active: that is they amplify the signal (the data/information message) as it
moves from one network node to another. They are often used in a star topology and/or a star
ring topology (see later).
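The difference between a standard hub and a switching hub described above can be simulated in a few lines. The following is an added example, not taken from the book: the port numbers, MAC addresses and traffic are constructed, and the rule that a switch learns addresses from the source of each frame and floods frames whose destination it has not yet recorded is standard switch behaviour that goes beyond what the text states.

```python
"""Hub versus switching hub: which ports receive a copy of each frame.

Added illustration. Port numbers, MAC addresses and traffic are constructed.
"""

WORKSTATION = "02:00:00:00:00:0a"   # constructed address, attached to port 1
FILE_SERVER = "02:00:00:00:00:0b"   # constructed address, attached to port 2
BYSTANDER_PORT = 3                  # a third node that is party to none of the traffic

# (ingress port, source MAC, destination MAC) - constructed sample traffic
TRAFFIC = [
    (1, WORKSTATION, FILE_SERVER),
    (2, FILE_SERVER, WORKSTATION),
    (1, WORKSTATION, FILE_SERVER),
    (2, FILE_SERVER, WORKSTATION),
]


class Hub:
    """OSI layer 1 device: repeats whatever arrives to every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def receive(self, in_port, src, dst):
        # No addresses are inspected; every other port gets a copy.
        return [p for p in self.ports if p != in_port]


class SwitchingHub:
    """OSI layer 2 device: keeps a record of which port each MAC address is on."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC address -> port

    def receive(self, in_port, src, dst):
        # Learn (or refresh) the sender's location from the source address.
        self.mac_table[src] = in_port
        out_port = self.mac_table.get(dst)
        if out_port is None:
            # Destination not yet recorded: fall back to hub-like flooding.
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Sender and recipient share a port: nothing to forward.
            return []
        return [out_port]


def frames_seen_on(device, traffic, port):
    """Count how many frames of the traffic are delivered to the given port."""
    return sum(1 for in_port, src, dst in traffic
               if port in device.receive(in_port, src, dst))


if __name__ == "__main__":
    hub = Hub([1, 2, 3])
    switch = SwitchingHub([1, 2, 3])
    print("hub    -> bystander sees", frames_seen_on(hub, TRAFFIC, BYSTANDER_PORT), "frames")
    print("switch -> bystander sees", frames_seen_on(switch, TRAFFIC, BYSTANDER_PORT), "frames")
    print("switch MAC table:", switch.mac_table)
```

On the hub, the bystander port receives every frame exchanged between the workstation and the file server; on the switch it receives only the first frame, sent before the file server's address had been recorded.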
Router
A router (an OSI layer 3 device) is a networking component which transfers data/information
from one network to another; and in a simple context is very similar to an intelligent bridge,
inasmuch as a router can/will:
• select the best network path to route a message – using the destination address and origin
address,
• direct network traffic to prevent head-on collisions – using the topology of the network and,
where necessary,
• prioritise network paths and links when particular network segments are busy.
Wired connections
Physical cabling is the medium from which a majority of network connections are created and
through which data/information is transmitted across a network from one network node to
another. There are, of course, several types of cabling currently in use and the choice of cable is
dependent on:
• the size of the network,
• the topology of the network, and
• the network protocol.
Consequently, whilst some networks may utilise a single type of cabling, others may utilise
many types of cabling.
The main types of cabling used in (computer) networking are:
• twisted pair cabling,
• coaxial cabling, and
• fibre optic cabling.
The disadvantage of unshielded twisted pair cabling is that due to its lack of shielding, it is
susceptible to radio and electrical frequency interference.
Shielded twisted pair (STP) cabling consists of four shielded pairs of wires twisted around
each other. Such cabling is suitable for networks situated in environments where possible
electromagnetic intrusion may occur and as a consequence interfere with network commun-
ications. However, such cabling can be fairly bulky and somewhat awkward to use because of
its shielding.
The advantage of shielded twisted pair cabling is that it offers protection against electro-
magnetic interference and possible network crosstalk.30
The disadvantages of shielded twisted pair cabling are:
• it is costly (relatively speaking) due to the additional shielding,
• it is often bulky and very inflexible, and therefore
• can be difficult to use.
Shielded twisted pair cabling is commonly used in Ethernet networks and often on networks
using star ring topology.
Associated variants of twisted pair cabling are:
• foiled twisted pair cabling (FTP) – unshielded twisted pair cabling surrounded by an outer
foil shield thereby increasing protection from external interference,
• screened unshielded twisted pair (S/UTP) – unshielded twisted pair cabling surrounded by
an outer braided shield,
• screened foiled twisted pair (S/FTP) – a combination of screened unshielded twisted pair
and foiled twisted pair cabling (with a combined braided and foil shielding), and
• screened shielded twisted pair (S/STP) – shielded twisted pair cabling but with an extra
outer braided or foil shield similar to coaxial cabling offering improved protection from
external interference.
Coaxial cabling
Coaxial cabling consists of a round, central conducting wire surrounded by an inner insulating
spacer (also called a dielectric31), a cylindrical conducting shield32 and an outer insulating layer.
The cable is designed to carry a high-frequency or broadband signal and is widely used in wired
computer networks, such as Ethernet,33 and the cable television industry.
Coaxial cabling can be either rigid (sometimes known as thicknet34) or flexible (sometimes
known as thinnet35). Whereas rigid coaxial cabling has a solid shield, a flexible coaxial cabling
has a braided shield. In addition the dielectric may be solid or perforated.
The advantages of coaxial cabling are:
• it can be costly,
• it can be inflexible (especially thicknet), and
• it can be difficult to install (again, especially thicknet).
• single-mode cabling which allows only a single mode (or wavelength) of light to be transmitted
through the fibre – it is often used for long-distance connectivity, and
• multimode fibre cabling which allows multiple modes of light to be transmitted through the
fibre – it is often used for workgroup applications and intra-building network applications.
• it can be costly (although comparable to, for example, copper wire cabling), and
• it can be difficult to install.
It is perhaps worth noting that fibre optic cabling is often used in the hard wiring of Tier 1
internet backbone networks.
Wireless connections
The term wireless networking refers to technology that enables two or more computers/computer
networks to communicate using standard network protocols, but without wired connections –
for example, a wireless local area network (LAN).
For connectivity, such a wireless network may, for example, use:
to communicate between the network nodes, network file servers and other information and
communication network devices. It may be:
• line of sight broadcast-based – in which a direct, unblocked line of sight must exist between
source and destination, or
• scattered broadcast-based – in which transmission signals are transmitted in multiple directions
(which can then bounce off physical objects to reach their destination).
For long-distance wireless networks, communications can also take place using:
• mobile telephony,
• microwave transmission, or
• satellite.
Within each of these a computer/terminal can communicate directly with all of the other
wireless enabled computers to share data/information files and network resources. A wireless
network can also use an access point (single and/or multiple) to provide connectivity for the
wireless computers and connect (or bridge) the wireless network to a wired network allowing
wireless networked computers to access wired network resources.
An access point can be hardware based, software based or both, and will of course vary:
• the wireless network distance (all access points have a finite distance), and
• the number of computers that can be linked wirelessly.
The advantages of wireless networks are that they are simple to develop and install, and relatively
cheap to install and maintain.
The disadvantages of wireless networking are that:
• such networks are susceptible to external interference and signal interception, and provide
limited security, and
• such networks are generally slower than wire-based networks.
A wide area network is a network which covers a wide geographical area, often involving an
array of computer and/or information and communication devices.
Typically, a wide area network would consist of two or more interconnected local area networks
(LANs), connected using either:
The best example of a wide area network would be the physical network underpinning the
internet. We can distinguish between two types of wide area network:
• it is an efficient and effective means of sharing information, services and resources, and
• it is flexible, responsive and adaptive to user demands/requirements.
• it can be difficult to maintain operationally, especially when a large number of local area
networks (each with a large number of users) make up the decentralised wide area networks,
• it can be difficult to manage and control data transactions and processing activities,
especially peer-to-peer type local area networks, and
• security can be difficult to implement effectively.
the purpose being to facilitate the exchange and sharing of information and resources.
In a wider, less-restricting context, a local area network may comprise a number of smaller
interconnected local area networks within a geographically compact area (e.g. within a large
corporate office and/or university campus), usually connected using a high-speed local network
communications backbone.
In smaller local area networks, workstations may act as both client (user of services/resources)
and server (provider of services/resources). Such a network is sometimes called a peer-to-peer
network because each node (workstation) within the network possesses equivalent responsibilities.
In larger local area networks, workstations may act as the client only and may be linked to
a central network server. Such a network is sometimes called a server network because clients
(individual workstations) rely on the servers for resources, data, information and processing
power.
The advantages of a local area network are:
• it is an efficient and effective means of sharing information, services and resources, and
• it is flexible, responsive and adaptive to user demands/requirements.
A local area network is distinguished from other kinds of network by three characteristics:
• size,
• transmission technology, and
• topology.
Client-server network
• the client’s computer/workstation runs the user interface – the first tier,
• the functional modules for the processing of data run on an application server – the second
tier, and
• the database management system that stores the data required by the second tier runs on the
database server – the third tier.
The advantages of the three-tier client-server architecture (and the reasons for its increasing
popularity) are:
• the separation between application server and database server facilitates easier modification
and/or updating,
• the separation between application server and database server facilitates the easier
replacement of one tier without affecting the other tiers within the network, and
• the separation of application functions from database management functions/systems facilitates
more effective load balancing.44
Client-server networks can be both WAN-based and/or LAN-based, and tend to be the norm
for most corporate-based systems. Indeed, the client-server network architecture has become one
of the central ideas of computing and information systems, with most computer-based business-
related applications using the client-server model.
In a client-server environment, files are stored on a centralised, high-speed file server, with
appropriate access made available to clients – usually with the use of a username and password.
Because nearly all network services (e.g. printing services, e-mail and FTP services) are routed
through a file server it is designed to:
Peer-to-peer network
A peer-to-peer network (often abbreviated to P2P) is a network architecture in which each
workstation (or PC) within the network has equivalent responsibilities and capabilities.
In essence, a peer-to-peer network facilitates the connection of a number of workstations
(or PCs), so that network resources may be pooled together. For example, individual resources
connected to a workstation (or PC), such as various disk drives, a scanner, perhaps even a
printer, become shared resources of the network and available to/accessible from any other
workstation (or PC) within the network.
Unlike a client-server network in which network information is stored centrally on a
centralised file server and made available (subject to security protocols, of course) to client
workstations (or PCs), within a peer-to-peer network data and information is stored locally, on
each individual workstation (or PC) within the network. In essence, each workstation (or PC)
within a peer-to-peer network acts as:
• a client or user node, and
• a server or data/information store.
In a pure peer-to-peer network, a peer acts as both client and server. Such a network would
possess neither a central server nor a central router.47
In a hybrid peer-to-peer network, a central server maintains information on individual peers
and responds to requests for information about peers. The central server would not normally
store process/transaction files. Individual peers would normally be responsible for:
• hosting the information,
• informing the central network server which files they require, and
• downloading and/or transferring any shareable resources to other peers within the network
as requested.
A mixed peer-to-peer network would of course possess characteristics of each of the above.
Functionally (based on the network application) there are also three categories of peer-to-
peer network, these being:
• collaborative computing,
• instant messaging, and
• affinity computing.
Collaborative computing
Collaborative computing, also referred to as distributed computing, is a peer-to-peer network-
ing application through which idle, unused or spare CPU processing power and/or disk space
on a workstation (or PC) can be utilised by (an)other workstation (PC) within the network.48
Collaborative computing is most popular with science-based research organisations where
research projects may require vast amounts of computer processing power.49
Instant messaging
Instant messaging (internet relay chat) is perhaps the most common type of peer-to-peer net-
working application used and allows users to chat using text messages in real time.
We discussed internet relay chat in some detail earlier in Chapter 4.
Affinity computing
Affinity computing is the use of peer-to-peer networking to build/create so-called ‘affinity
communities’ or peer-to-peer networks facilitating the sharing of data and/or media files. Such
affinity communities are based on mutual collaboration – that is peer-to-peer network users
allowing other peer-to-peer network users to search for and gain access to information and
computer files held on their PCs.
Although all affinity computing requires users to possess a peer-to-peer networking utility/
software program together with an active internet connection, there are essentially two alternative
options/models:
• index-based peer-to-peer file sharing, and
• non-index-based peer-to-peer file sharing.
network the peer-to-peer utility actively seeks out other online clients using the same peer-to-
peer utility program and informs them of the user’s presence online, effectively creating the
network as individual clients log-on/log-off.
Clearly the size of the peer-to-peer network depends on the availability of the peer-to-peer
software utility – as the number of clients with the utility software increases, so does the potential
size of the network.
When a client launches a search for a specific data/media file, and:
• a match or number of matches are located, and
• the client selects the location of one of the returned matches,
the utility attempts to establish a connection with the client’s PC hosting/storing the file requested.
If the connection is successful the selected file will be downloaded – copied from the hosting
client’s PC to the requesting client’s PC. Once the file download is complete the connection is
terminated.
The advantages of a peer-to-peer network are that it is:
• simple to create,
• easy to build, and
• inexpensive to maintain.
• defection attacks – using network resources without contributing to the network capacity,
• identity attacks – harassing network users,
• spamming attacks – sending vast amounts of unsolicited data/information across the
network.
The most appropriate defence – to minimise possible security threats – is to introduce:
• access policies to monitor network access – a protocol-based approach to monitor and
prevent intrusive network traffic being received through the P2P clients, and
• content policies to monitor/control the files – a surveillance-based software solution
approach to actively search for files based on their type, their name, their signature or even
their content.
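The content policy described above can be sketched as a small scanner. This is an added example, not code from the book: it checks each file in a shared folder by type (extension), name (pattern), signature (read here as the leading "magic bytes" of the format) and content (SHA-256 digest against a blocklist). All rule values, file names and sample files are constructed for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile

# Constructed policy values, for illustration only.
BLOCKED_EXTENSIONS = {".mp3", ".avi", ".torrent"}         # rule: type
BLOCKED_NAME_PATTERNS = ["*album*", "*season*episode*"]   # rule: name
MAGIC_SIGNATURES = {                                      # rule: signature
    b"ID3": "mp3-audio",
    b"RIFF": "riff-media",
    b"d8:announce": "bittorrent-metainfo",
}


def sniff_format(header):
    """Identify a blocked format from its leading bytes, whatever the file is called."""
    for magic, label in MAGIC_SIGNATURES.items():
        if header.startswith(magic):
            return label
    return None


def evaluate_file(path, blocked_hashes=frozenset()):
    """Return the list of (rule, detail) policy violations for one file."""
    findings = []
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        findings.append(("type", ext))
    for pattern in BLOCKED_NAME_PATTERNS:
        if fnmatch.fnmatchcase(name, pattern):
            findings.append(("name", pattern))
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(16)
        digest.update(header)
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    label = sniff_format(header)
    if label:
        findings.append(("signature", label))
    if digest.hexdigest() in blocked_hashes:
        findings.append(("content", digest.hexdigest()))
    return findings


def scan_tree(root, blocked_hashes=frozenset()):
    """Walk a shared folder and report every file that breaks the policy."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            full = os.path.join(dirpath, filename)
            try:
                findings = evaluate_file(full, blocked_hashes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


def demo():
    """Build a constructed shared folder, scan it and return the report."""
    mp3_like = b"ID3\x03\x00" + bytes(32)
    leaked = b"CONFIDENTIAL payroll export (constructed sample)\n"
    samples = {
        "quarterly_report.txt": b"Q3 sales figures\n",
        "holiday_photos.doc": mp3_like,      # media file renamed to look like a document
        "greatest_album.mp3": mp3_like,
        "minutes.txt": leaked,               # innocuous name, blocklisted content
    }
    blocked_hashes = {hashlib.sha256(leaked).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root, blocked_hashes)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, findings)
```

The renamed file is caught only by the signature rule and the blocklisted document only by the content rule, which is why a content policy normally combines all four checks.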
The term network topology refers to the shape/map of a network and to:
• how different network devices are connected to each other, and
• how each of these network devices communicates with each other.
Whereas a physical topology would describe the physical connectivity of a network, that is
how network devices are physically connected, a logical topology would describe how data
and information flows within a network. For the moment we will consider physical (hard-type
network) topologies.
So, what types of physical (hard-type network) topologies are there? The most common
types of physical (hard-type network) topologies are:
• bus topology,
• ring topology,
• star topology,
• mesh topology, and
• hybrid topology.
Note: The star topology and the tree topology are often referred to as centralised topologies,
whereas the mesh topology is often referred to as a decentralised topology.
Before we look at each of these topologies in a little more detail it is useful to consider the
key factors that would dictate the design/selection of a network topology. These main factors
would include:
• the financial cost of installing the network topology,
• the technical viability of the network topology (e.g. maintenance and faultfinding/
troubleshooting),
• the potential scalability of the network topology and the potential for future expansion,
• the required capacity of the network topology, and
• the physical nature/constraints of the network topology (e.g. the geographical distances
involved).
Bus topology
A bus topology (also known as a linear bus topology) is a topology in which a set of clients are
connected through a shared communications line or a central cable, often called the bus or the
network backbone.55
There are two alternative types of bus (or connection lines):
• a regular bus – in which each network node is directly attached to the network backbone by
means of a shorter cable connection (see Figure 5.3), or
• a local bus – in which each network node is attached directly to the network backbone in a
daisy-chain configuration56 (see below).
Within a bus topology, communication signals are broadcast to all nodes on the network. Each
node on the network inspects the destination address of the signal as it travels along the bus or
the communication link. Remember, every node that comprises a network will have a unique
network address, either a data link control address (DLC), or a media access address (MAC). If
the signal’s destination address matches that of the node, the node processes the signal. If the
address does not match that of the node, the node will take no action and the signal travels
along the bus.57
In general, a bus topology is regarded as passive58 inasmuch as the nodes situated on the bus
simply listen for a signal; they are not responsible for moving the signal along the bus or
communication link.
However, whilst such a topology is perhaps the simplest and easiest method to use to connect
multiple clients, at multiple nodes, operationally, such a network topology can nonetheless be
problematic. Why?
Consider the situation where two or more clients using two or more different network nodes
want to communicate at the same time, using the same bus/network connection. To minimise
the consequences of such a situation, a bus topology would employ:
More importantly, a network employing such a topology is generally more resilient to failure
inasmuch as failure at one node does not affect the operational capacity of other nodes on
the network.
The disadvantages of a bus topology are:
• they can be difficult to administer – especially for larger networks,
• they can be slow operationally, inasmuch as network performance may reduce as additional
nodes are added, and
• maintenance costs can be higher, certainly in the longer term.
In addition:
• the size of such networks may be limited – that is limited cable length means limited number
of nodes, and
• such networks are generally regarded as fairly insecure and easy to hack into, and a single
virus infection at a node within the network will often affect all nodes within the network.
As indicated earlier, using a local bus to connect/attach each network node directly to a network
backbone creates a daisy chain configuration – a topology in which each network node is con-
nected in a series to the next network node.
Within a daisy chain configuration, communication signals are broadcast to all nodes on the
network. Each node on the network inspects the destination address of the signal as it travels
along the bus or the communication link. If the address does not match that of the node, the
node will take no action and the signal is bounced along the communication link – in sequence,
from network node to network node – until it reaches the destination address. Once the signal
reaches the destination address, the destination node processes the signal.
Ring topology
A ring topology is a topology in which a network node is connected to two other nodes, thus
creating a closed loop ring. It is a topology in which every network node has two connections
to it, and in which only two paths between any two network nodes exist.
See Figure 5.4.
In a ring topology there are no terminated ends and each network node on the ring network
topology has equal rights and access, but only one network node can communicate at any time.
When a network node issues a message, the sending network node passes the message to the
next network node. If this network node is not the destination node, the message is passed to
the next network node, until the message arrives at its destination node. If, for whatever reason,
the message is not accepted by any network node on the network, it will travel around the entire
network and return to the sending node.
In a single-ring topology the signal travels around the circle in a single direction, usually
clockwise. In a double-ring topology (sometimes known as a counter-rotating ring topology) the
signal travels in two directions, both clockwise and anti-clockwise, the intention being to provide
fault tolerance in the form of redundancy in the event of a cable failure. That is if one ring fails, the
data messages can flow across to the other ring, thereby preserving the integrity of the network.
Unlike a bus topology, a ring topology is an active topology, inasmuch as each network node
repeats or boosts the message signal before passing it on to the next network node.
The advantages of a ring topology are:
• high data transmission speeds are possible because data messages flow in one direction
only (for a double ring topology in the first ring the data message would flow in a clockwise
direction, and in the second ring the data message would flow in an anti-clockwise direction
– that is in the opposite direction);
• growth/expansion of a network employing a ring topology normally has a minimal effect on
overall network performance;
• each node on the network has equal rights and access; and
• each node on the network acts as a repeater and allows a ring topology to span distances
greater than other hard-type topologies.
The disadvantages of a ring topology are:
• it is often the most expensive topology to implement,
• as a network topology, it requires more connections than a linear bus network topology and,
perhaps most importantly,
• the failure of a single network node will impact on the whole network.
Star topology
A star topology is a topology in which all network nodes are connected to a central network
node called a hub, which acts as a router for transmitted messages (see Figure 5.5).
Because the central network hub offers a common connection for all network nodes – that
is every network node will have a direct communications connection/link to the central network
hub – communication between peripheral network nodes across the network occurs by passing
data messages through the central network hub. In essence, peripheral network nodes may only
communicate with all other peripheral network nodes by transmitting messages to and/or
receiving messages from the central network hub only. The star topology is probably the most
common form of network topology currently in use.
The advantages of a star topology are:
• it is easy to implement and extend, even in large networks,
• it is simple to monitor and maintain and, perhaps most importantly,
• the failure of a peripheral network node will not have a major effect on the overall
functionality of the network.
The disadvantages of a star network topology are:
• maintenance/security costs may be high in the long run,
• it is susceptible to infection – if a peripheral network node catches a virus the infection could
spread throughout the network, and
• failure of the central network hubs can disable/cripple the entire network.
Mesh topology
A mesh topology (also known as a complete topology) is a topology in which there is a direct
link between all pairs of network nodes within a network, resulting in multiple paths/links
connecting multiple network nodes (see Figure 5.6).
In a fully-connected network with n nodes, there would be n(n − 1)/2 direct links. For example:
• a mesh topology with 10 network nodes would have 10(10 − 1)/2 = 90/2 = 45 potential direct
links, whereas
• a mesh topology with 100 network nodes would have 100(100 − 1)/2 = 9900/2 = 4950
potential direct links, and
• a mesh topology with 1000 network nodes would have 1000(1000 − 1)/2 = 999,000/2 =
499,500 potential direct links.
Because of the possible complexity, especially in large mesh topologies, a router is often used to
search the multiple paths/links between two network nodes and determine the best path/link to
use for the transmission of data messages. The choice of path/links between two network nodes
will be determined by, for example, factors such as cost, time and performance.
The advantages of a mesh topology are:
• small ones are easy to create and maintain,
• such a topology allows for continuous connections and reconfiguration around blocked
paths/links by hopping from network node to another network node until a connection can
be established, and
• they offer stability, safety and reliability inasmuch as a mesh topology allows communication
between two network nodes to continue in the event of a break in any single communication
link between the two network nodes. That is the redundant connections make the mesh
topology very reliable even in networks with high-volume traffic.
The disadvantages of a mesh topology are:
• larger ones can be expensive and costly to install,
• they can be difficult to reconfigure, and
• they can be difficult to administer, manage and troubleshoot.
Mesh topologies are most often employed in wide area networks (WANs) to interconnect
smaller local area networks (LANs).
Hybrid topology
A hybrid topology is a topology in which there is a combination of any two or more topologies
and results when two different basic network topologies are connected.
Star–bus topology
A star–bus topology (also known as a tree topology) is a topology in which a collection of
star networks are arranged in a hierarchical relationship and connected to a linear bus
backbone.
See Figure 5.7.
A star–bus topology has three key characteristics:
• individual peripheral network nodes (sometimes referred to as leaves) are able to transmit
messages to and receive messages from only one other network node,
• peripheral network nodes are neither able nor required to act as message repeaters and/or
signal regenerators, and
• the function of the central network node (often a network switch,60 sometimes referred to as
an intelligent hub) may be, and indeed often is, distributed along the network.
The advantages of a star–bus topology are:
• it is easy to extend,
• simple to maintain, and
• resilient – if an individual peripheral network node fails then the failure will not have a major
effect on the overall functionality of the network.
The disadvantages of a star–bus topology are:
• it can be difficult to configure (and physically wire), consequently maintenance costs may be
high,
• failure of a network switch can disable a large portion of the network, and
• if the network backbone link breaks, an entire network segment may be affected.
Star–ring topology
A variant of a ring topology is a star–ring topology or token ring network. A star-wired ring
topology functions as a ring topology, although it is physically wired as a star topology (see
Figure 5.8), with a central connector called a Multistation Access Unit (MAU) which facilitates
the movement of messages from one network node to another in a circular or ring fashion.
Within a token passing network, signals are communicated from one network node to the
next network node – sequentially using a token or small data frame. When a network node
wants to transmit a message, it catches the token, attaches the data and a destination address to
it, and then sends it around the ring. Note that each node can hold the token for a maximum
period of time.
The token travels along the network ring until it reaches the destination address. The
receiving network node acknowledges receipt with a return message – attached to the token –
to the sending node. Once the sending network node has received the reply, the sending node
releases the token for use by another network node.
In essence token-passing configurations are deterministic inasmuch as it is possible to
calculate the maximum waiting and transmission times. In addition, such configurations can:
• use prioritising protocols to permit and prioritise transmissions from designated,
high-priority network nodes, and
• employ fault-detecting protocols to identify and compensate for network faults: for example,
selecting a network node to be the active network monitor.
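The claim that token passing is deterministic can be checked with a short simulation. This is an added example, not from the book, and it uses a simplified model: a fixed maximum token-holding period per visit (`hold_max`), a fixed delay to pass the token to the next node (`hop_delay`), and constructed backlogs in arbitrary time units; acknowledgement traffic is not modelled.

```python
def worst_case_wait(n_nodes, hold_max, hop_delay):
    """Upper bound on how long a node waits for the token to return:
    every other node holds it for the maximum period, plus one hop per link."""
    return (n_nodes - 1) * hold_max + n_nodes * hop_delay


def simulate_ring(backlogs, hold_max, hop_delay, rotations):
    """Circulate the token; each node sends for at most hold_max per visit.

    backlogs[i] is the transmission time node i has queued.
    Returns (longest wait seen by each node, backlog left at each node)."""
    n = len(backlogs)
    remaining = list(backlogs)
    released_at = [None] * n      # time each node last let go of the token
    longest_wait = [0] * n
    clock = 0
    for visit in range(rotations * n):
        node = visit % n
        if released_at[node] is not None:
            waited = clock - released_at[node]
            longest_wait[node] = max(longest_wait[node], waited)
        sending = min(remaining[node], hold_max)   # holding period is capped
        remaining[node] -= sending
        clock += sending
        released_at[node] = clock
        clock += hop_delay                         # token travels to the next node
    return longest_wait, remaining


def demo():
    """Four nodes with constructed backlogs; node 1 has nothing to send."""
    backlogs = [50, 0, 30, 10]
    waits, left = simulate_ring(backlogs, hold_max=10, hop_delay=1, rotations=6)
    return waits, left, worst_case_wait(len(backlogs), hold_max=10, hop_delay=1)


if __name__ == "__main__":
    print(demo())
```

The idle node sees the longest wait, exactly the calculated bound, because all three other nodes use their full holding period in the same rotation; no node ever waits longer.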
technical sense, a protocol suite is the definition of the protocols and the protocol stack is the
software implementation of them.
There exist many different types/collections of protocols, with the number and variety of
protocols continually changing as new protocols emerge and old ones are abandoned in the
name of information and communication technology development.61 Clearly, the changing nature
of hard-type network protocols makes it very difficult to generalise about different protocols/
protocol suites because of their differences in purpose, sophistication and target audience/
technology. For example, some protocols may be defined as proprietary protocols62 – that is
they are ‘dedicated’ protocols which are only recognised by or used in computer networks
or information and communication applications from a particular manufacturer. They are
therefore generally not publicly documented – at least not officially! Others may be defined as
generic protocols, that is protocols which seek to provide a common structure, framework or
platform on which future computing and/or information and communication technologies
may be developed.
Nevertheless, despite such differences, most protocols/protocol suites – because of their
underlying raison d’être – will, at the very minimum, seek to specify at least one (if not more)
of the following activities:
We will consider two of the most important generic protocol stacks in contemporary infor-
mation and communication technologies applicable to networking and internetworking (or
more appropriately the internet) these being:
• the seven-layer reference model known as the OSI reference model or OSI protocol stack
(see Figure 5.9), and
• the four-layer reference model known as the internet model and/or the TCP/IP model (see
Figure 5.10).
In essence:
• the lower layers (physical layer, data link layer, network layer and transport layer) provide/
perform the more basic network-specific functions like routing, addressing and data flow
control, and are also known as the device layers, and
• the upper layers (session layer, presentation layer and application layer) provide/perform the
more advanced application-specific functions like data formatting, encryption and connection
management.
Let’s look at each of the layers in a little more detail.
Physical layer
The physical layer (layer 1) relates to the network hardware, and defines the physical character-
istics of the transmission medium and the specifications for network devices, with the major
functions and services performed by/within the physical layer being:
• the establishment of a connection to, and the termination of a connection to, a
communications medium,
• the control and management of resource sharing, and
• the conversion of data to transmittable signals.
At the physical layer, design issues are normally concerned with the context, nature and timing
of hardware interconnectivity.
Examples of layer 1 protocols would include:
• ISDN (Integrated Services Digital Network), and
• FDDI (Fibre Distributed Data Interface).
Network layer
The network layer (layer 3) defines the end-to-end delivery of data frames and provides the
functional and procedural means for transferring data frames from source to destination using
one or more networks while maintaining a required quality of service.63 The network layer is
responsible for:
In a practical context, network routers operate at this layer – determining how data is routed
from the source to the destination.
Examples of layer 3 protocols would include:
• IP (Internet Protocol),
• AppleTalk, and
• ARP (Address Resolution Protocol).
Transport layer
The transport layer (layer 4) provides the mechanisms for the reliable and cost-effective transfer
of data between network nodes/users. The transport layer is responsible for:
Some transport layer protocols also track the movements of data packets and where necessary
retransmit those data packets that have failed to arrive at their destination address.
Examples of layer 4 protocols would include:
Session layer
The session layer (layer 5) provides the facilities for managing the dialogue, or more appro-
priately prioritising transmission, between application processes. The session layer is essentially
the user’s interface to the network and determines:
Presentation layer
The presentation layer (layer 6) defines the way that data is formatted, presented, converted and
encoded, and is responsible for the delivery and formatting of information to the application
layer for further processing and/or display. In essence, the presentation layer provides:
• data translation/conversion facilities,
• data encoding/decoding,
• data encryption/decryption services, and/or
• data compression/decompression mechanisms,
so that different types of systems can exchange data/information. That is, the presentation layer
makes the data transparent to surrounding layers and provides services to the (higher) applica-
tion layer in order to:
• enable the application layer to interpret the data exchanged, and
• structure data messages to be transmitted.
Application layer
The application layer (layer 7) provides a direct interface with application processes and describes
the way that programs interact/communicate with a network’s operating system. The application
layer establishes communication rights, initiates connections between applications and:
• provides the services software applications require to operate, and
• facilitates user applications interaction with the network services such as file transfer, file
management, e-mail, and many more.
Examples of layer 7 protocols would include:
• HTTP (HyperText Transport Protocol) – used on the web,
• FTP (File Transfer Protocol),
• SMTP (Simple Mail Transfer Protocol),
• IMAP (Internet Message Access Protocol), and
• WWW browsers.
. . . and finally
Clearly, the OSI reference model, with its layered approach, has many advantages and provides
many benefits, for example it:
• promotes understanding by reducing complexity,
• encourages standardisation, and
• promotes interoperability.
It is also worth noting that many computer network developers often (somewhat cryptically)
use the phrase ‘a layer 8 OSI reference model problem’ to mean a problem associated with the
‘human’ end user and not with the network!
Link layer
The link layer (also known as the network access layer) maps to/corresponds with the physical
layer and the data link layer of the OSI reference model. Although not technically a part of the
internet model, the link layer (or the network access layer) defines the method/process used
to pass data packets from the internet layer of one network node/device to the internet layer of
another network node/device, a process that can be controlled by either software, hardware,
firmware or a combination of some or all of them.
At the sending network node/device, the link layer would, for example:
• prepare data packets for transmission (by adding a packet header to the data packets), and
• transmit the data frames (collections of data packets) over the connecting medium.
(Inter)network layer
Originally known as the network layer, the (inter)network layer corresponds to the network
layer of the OSI reference model and manages the movement of data packets across a network.
It is responsible for ensuring data packages reach their destinations. Two important components
of this layer are:
• the internet protocol (IP), and
• the internet control message protocol (ICMP).
Whilst the internet protocol (IP) is the primary protocol within the TCP/IP (inter)network layer
inasmuch as it provides the mechanism to address and manage data packets being sent to nodes/
devices across a network, the internet control message protocol (ICMP) provides management and
error reporting facilities to assist in managing the process of transmitting and routing data pack-
ages between nodes/devices across a network. A data packet with an IP header is called a datagram.
Transport layer
The transport layer, which corresponds to the transport layer of the OSI reference model,
provides the mechanism for network nodes/devices to exchange data packets with regards to
software. In a TCP/IP reference model, there are two transport layer protocols:
• the Transmission Control Protocol (TCP), and
• the User Datagram Protocol (UDP).
The Transmission Control Protocol (TCP) is a connection-oriented mechanism in which
network nodes/devices establish a connection before data packets are transmitted and trans-
missions are monitored to ensure that:
• data packets are received complete,
• data packets are received undamaged,
• data packets are received in the correct sequence,
• data packets that are faulty and/or undelivered are retransmitted, and
• communication connections are terminated once a transmission has been successful.
The User Datagram Protocol (UDP) is a connectionless mechanism in which network nodes/
devices are not required to establish a connection prior to data packet transmission, and in
which speed is more important than accuracy of delivery.
Application layer
The application layer which corresponds to the session layer, the presentation layer and the
application layer of the OSI reference model is the layer that most common network-aware
programs use to communicate across a network with other network-aware programs and would
contain, for example, higher-level protocols such as:
• HTTP (HyperText Transport Protocol) for the web,
• FTP (File Transfer Protocol) for file transfer,
• SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol 3),
• IMAP (Internet Message Access Protocol), for electronic mail, and
• NNTP (News Network Transfer Protocol) for Usenet newsgroups.
. . . and finally
There can be little doubt that the development and widespread acceptance of the internet
model or TCP/IP reference model has provided many benefits and promoted the development/
introduction of many key information and communication technologies/features, for example:
• packet-switching64 (see below),
• logical addressing65
• dynamic message routing66
• end node verification,67 and
• name resolution.68
The internet
As suggested earlier, the internet is the largest internetwork in the world – a network comprised
of many thousands of independent hosts/networks that use TCP/IP to provide worldwide
communications – an internetwork that operates within a three-tier network hierarchy (see
Figure 5.11).
At tier 1 is a collection of backbone networks interconnected to form a decentralised mesh
network. A collection of core backbone networks that:
• link the parts of the internet together, and
• provide the primary data/information carrying lines of the internet.
Many of these backbone networks are now commercially owned, with some of the large multi-
national companies – including MCI,69 British Telecom,70 AT&T71 and Teleglobe72 – acting as
backbone network providers and therefore providing backbone connectivity.
At tier 2 (also called downstream tier 1) is a collection of mid-level transit networks,73 for
example:
• Network Service Provider (NSP) – an international, national or regional service provider
which provides bandwidth and network infrastructure facilities such as transit and routing
services, and
• Internet Service Provider (ISP) – a local service provider which provides customers with
internet access and customer support services.
These mid-level networks connect the stub networks at tier 3 (see below) to the backbone
networks at tier 1.
At tier 3 is a collection of stub or internal networks (usually local area networks), sometimes
referred to as an intranet (see below), which carry data packets between local hosts (that
is nodes within a local area network).
These so-called stub networks include:
• commercial networks – for example .com or .co.uk. networks,
• academic networks – for example .edu or .ac.uk. networks – and
• other organisations/networks – for example .org.uk or .net. networks.
And of course many other diverse, worldwide physical networks both wired and wireless.
That is:
• national/international NSPs are responsible for developing, constructing, maintaining and
managing national or international networks, and sell bandwidth to regional NSPs,
• regional NSPs purchase bandwidth from national/international NSPs and sell on the
bandwidth (and other network services/facilities) to local ISPs, and
• local ISPs sell bandwidth and other internet services/facilities to end users (e.g. individuals,
companies and other organisations).
However, in order to function as an internetwork, individual networks (as autonomous systems76)
must interact/communicate with one another, that is individual networks must exchange data/
information. To exchange data/information backbone networks must be connected.
Individual networks can be connected using either:
• an internet exchange point77 (a convergence of many backbone networks interconnecting at
a single point), or
• a private connection (a convergence of a few backbone networks interconnecting at a single
point).
But how do individual networks exchange data/information?
The exchange of data/information between individual backbone networks is undertaken using
a process known as peering. Peering is the exchanging of internet traffic between networks
using different tier 1 backbone network providers and normally requires:
• a contractual agreement or mutual peering agreement,78
• a physical interconnection between the different networks (normally called a peering point),
and
• technical cooperation to facilitate the exchange of traffic.
Most peering points (peering via the use of internet exchange points) are located in collocation
centres79 (sometimes called carrier hotels) – a data centre where tier 1 backbone network pro-
viders co-locate their points of presence80 or connections to one another’s networks. That is a
peering agreement can only exist between tier 1 backbone network providers.
However, where individual tier 1 backbone network providers are interconnected using
a private connection it is also possible for a private peering connection between only a few
networks to exist.
So, how does the internet work? Have a look at the following example.
Imagine an administrative assistant at Tajajac Ltd (www.tajajac.co.uk) a UK-based retail
company wants to access the website of Damacasae Inc. (www.damasacae.com) a US-based
supplier. Since the internet is simply a network of networks, essentially Tajajac Ltd (as a local
area network) will connect to the internet using a local ISP with whom the company has a con-
tractual agreement. When connecting to the local ISP, the company Tajajac Ltd would become
part of the ISP’s network. The local ISP may then connect to a larger NSP’s network and would
therefore become part of their larger network.
When the administrative assistant types in www.damasacae.com into the internet browser,
the browser contacts the domain name server to get the IP address.
Note: Remember the IP address is unique to every webpage and computer and makes it
possible for computers to ‘recognise’ each other.
Once the IP address has been acquired, the computers can ‘communicate’ with each other
using TCP/IP.
In essence, the TCP (Transmission Control Protocol) is responsible for acquiring the data
to be sent over the internet and breaking data into small packets that can include, for example,
programming instructions, text, pictures, sound and/or video in a variety of combinations. The IP
(Internet Protocol) is responsible for routing these packets of data through the network from the
source computer to the destination computer. When the data packets arrive at the destination
computer, the TCP reassembles them into a viewable webpage.
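The behaviour described here and in the earlier list of TCP guarantees (packets received complete, undamaged and in sequence, with faulty or undelivered packets retransmitted and the connection closed at the end) can be shown with a small model. This is an added example, not from the book and not a real TCP implementation: the 8-byte packet size, the CRC-32 checksum, the round-based retransmission and the sample message are all simplifying assumptions.

```python
import zlib
from dataclasses import dataclass

MSS = 8  # constructed, deliberately tiny so the sample splits into six packets
MESSAGE = b"Invoice 1047: 12 units @ 3.50 GBP, due 30 days"  # constructed sample


@dataclass(frozen=True)
class Segment:
    seq: int           # byte offset of this payload within the stream
    payload: bytes
    checksum: int      # CRC-32 here; real TCP uses a 16-bit Internet checksum
    fin: bool = False  # marks the last packet of the transmission


def make_segments(data, mss=MSS):
    """Break non-empty data into numbered, checksummed packets."""
    return [Segment(off, data[off:off + mss], zlib.crc32(data[off:off + mss]),
                    off + mss >= len(data))
            for off in range(0, len(data), mss)]


class Receiver:
    def __init__(self):
        self.buffer = {}        # seq -> payload for packets that arrived early
        self.next_seq = 0       # next byte expected in order
        self.stream = bytearray()
        self.fin_seq = None     # stream length, known once the last packet is seen
        self.closed = False

    def receive(self, seg):
        """Accept one packet and return the cumulative ACK (next byte wanted)."""
        if zlib.crc32(seg.payload) != seg.checksum:
            return self.next_seq                  # damaged: discard, wait for resend
        if seg.seq >= self.next_seq:              # older duplicates are ignored
            self.buffer.setdefault(seg.seq, seg.payload)
            if seg.fin:
                self.fin_seq = seg.seq + len(seg.payload)
        while self.next_seq in self.buffer:       # deliver strictly in sequence
            chunk = self.buffer.pop(self.next_seq)
            self.stream += chunk
            self.next_seq += len(chunk)
        if self.fin_seq is not None and self.next_seq == self.fin_seq:
            self.closed = True                    # complete: terminate connection
        return self.next_seq


def transfer(data, channel, max_rounds=10):
    """Send data through channel(round_no, packets) -> packets that arrive.
    Returns (bytes received, connection closed?, packets transmitted)."""
    rx = Receiver()
    pending = make_segments(data)
    transmitted = 0
    for round_no in range(max_rounds):
        if not pending:
            break
        transmitted += len(pending)
        for seg in channel(round_no, list(pending)):
            rx.receive(seg)
        # Retransmit everything the receiver has not yet taken in order.
        pending = [] if rx.closed else [s for s in pending if s.seq >= rx.next_seq]
    return bytes(rx.stream), rx.closed, transmitted


def lossy_channel(round_no, segments):
    """Constructed faults: the first round drops the 2nd packet, damages the 3rd
    and delivers the rest in reverse order; later rounds are clean."""
    if round_no > 0:
        return segments
    arrived = []
    for i, seg in enumerate(segments):
        if i == 1:
            continue
        if i == 2:
            damaged = bytes([seg.payload[0] ^ 0xFF]) + seg.payload[1:]
            seg = Segment(seg.seq, damaged, seg.checksum, seg.fin)
        arrived.append(seg)
    return arrived[::-1]


if __name__ == "__main__":
    print(transfer(MESSAGE, lossy_channel))
```

With the faulty first round the message still arrives intact, at the cost of eleven transmissions instead of six.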
Intranet
Some of the main activities for which intranets are used include:
Whilst initial set-up costs may be high, for a company/organisation the benefits of an intranet
cannot be underestimated. Not only does it provide for:
• more effective use of company/organisational resources, and
• more efficient communication between internal and external agents,
it also facilitates:
• more effective time management, and
• more secure data/information management.
Extranet
In a broad context, an extranet can be considered part of a company’s/organisation’s intranet –
a part that is extended to authorised external users/agents and can be defined as a network based
on TCP/IP protocols that facilitates the secure sharing of corporate/organisational information
and/or resources with external agents such as product/service suppliers, customers, corporate/
organisational partners and/or other businesses.
That is, it is an internet-based communication facility designed to support business to business
(B2B) activities.
In essence:
• an intranet provides various levels of accessibility to people who are members of the same
company/organisation, whereas
• an extranet provides various levels of accessibility to people who are not members of the
same company/organisation or, more appropriately, outsiders.
In general, for both security and privacy purposes, access to a company/organisation extranet
is normally controlled using a two-level access protocol – a valid username and password,
and/or the issuance of digital certificates. The use of such an access protocol:
• validates/authenticates the user as an authorised user of the company/organisation extranet,
• determines which elements/facilities of the company/organisation extranet the authorised
user has right of access to, and
• decrypts any secured encrypted elements/facilities of the company/organisation extranet the
authorised user has right of access to.
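The first two functions of the access protocol listed above, authenticating the user and deciding which facilities that user may reach, are sketched below as an added example (not code from the book). It assumes both a password and a certificate are required, reduces the certificate check to a SHA-256 fingerprint comparison (a real deployment would also have the TLS handshake prove possession of the private key), and uses hypothetical partner and facility names and constructed certificate bytes; decryption of protected content is left out.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000        # assumed work factor for this example
_DUMMY_SALT = os.urandom(16)   # lets unknown usernames cost as much as known ones


@dataclass(frozen=True)
class Partner:
    salt: bytes
    password_hash: bytes       # the password itself is never stored
    cert_fingerprint: str      # SHA-256 of the certificate issued to the partner
    facilities: frozenset      # extranet facilities the partner may access


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def fingerprint(cert_bytes: bytes) -> str:
    return hashlib.sha256(cert_bytes).hexdigest()


class Extranet:
    def __init__(self) -> None:
        self._partners: dict[str, Partner] = {}
        self.audit: list[tuple[str, str, str]] = []   # (username, facility, outcome)

    def enrol(self, username: str, password: str, cert_bytes: bytes, facilities) -> None:
        salt = os.urandom(16)
        self._partners[username] = Partner(
            salt, hash_password(password, salt),
            fingerprint(cert_bytes), frozenset(facilities))

    def _authenticate(self, username: str, password: str, cert_bytes: bytes) -> bool:
        partner = self._partners.get(username)
        if partner is None:
            hash_password(password, _DUMMY_SALT)   # same cost as a real check
            return False
        # Constant-time comparisons, and both checks always run.
        password_ok = hmac.compare_digest(
            hash_password(password, partner.salt), partner.password_hash)
        cert_ok = hmac.compare_digest(fingerprint(cert_bytes), partner.cert_fingerprint)
        return password_ok and cert_ok

    def request(self, username: str, password: str, cert_bytes: bytes, facility: str) -> str:
        """Authenticate first, then authorise; every decision is recorded."""
        if not self._authenticate(username, password, cert_bytes):
            outcome = "denied:authentication"
        elif facility not in self._partners[username].facilities:
            outcome = "denied:authorisation"
        else:
            outcome = "granted"
        self.audit.append((username, facility, outcome))
        return outcome


# Constructed sample data: placeholder bytes stand in for a real certificate.
SUPPLIER_CERT = b"constructed placeholder for supplier01's certificate"


def build_demo_extranet() -> Extranet:
    extranet = Extranet()
    extranet.enrol("supplier01", "correct horse", SUPPLIER_CERT,
                   {"price-lists", "delivery-schedules"})
    return extranet


if __name__ == "__main__":
    x = build_demo_extranet()
    print(x.request("supplier01", "correct horse", SUPPLIER_CERT, "price-lists"))
    print(x.request("supplier01", "correct horse", SUPPLIER_CERT, "ordering-payment"))
    print(x.audit)
```

The denial returned for an unknown username is identical to the one for a wrong password or certificate, so a caller cannot use the response to learn which partner accounts exist.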
There is little doubt that since the late 1990s/early 2000s⁸³ extranets – as a business to business
(B2B) facility – have become a popular means for companies/organisations to exchange
information ranging from:
• generic data/information such as price lists, inventory schedules and reports, delivery schedules
and ordering/payment facilities, to
• product/service specific data/information such as detailed product/service specifications.
Concluding comments
The emergence of semi-soft-type networks and the widespread adoption by many entity-focused
soft-type networks (or corporate organisations) of internet-based technologies (e.g.
intranets and extranets), and other related information and communication technologies has
prompted the emergence of what have become known as blended networks. That is, the emergence
of soft-type networks (traditionally of a highly-structured and formal bureaucratic nature) whose
structures are increasingly blended with and in some cases dominated by online elements,
creating alternative virtual inter-relationships that operate and exist outside the ‘traditional’
bureaucracy of entity-based soft-type networks. New blended networks that, whilst increasingly
informal and adhocratic, are nonetheless playing an increasingly central role in the wealth
accumulation process (see Article 5.1).
Article 5.1
Concluding comments
Soft-type, semi-soft-type and hard-type networks now dominate all business-related activities
from the departmental structure of companies/organisations, to the hierarchical allocation
of duties and responsibilities, to the use of information and communication technologies
in the processing of business transactions, and to the development and establishment of
Bibliography
Self-review questions
1. In relation to soft-type networks, briefly explain the difference between a bureaucracy and
an adhocracy.
2. Distinguish between:
• a hub,
• a bridge,
• a switch, and
• a router.
3. In relation to hard-type networks, define the term ‘network topology’ and distinguish
between two types of topologies.
4. Explain the advantages and disadvantages of a peer-to-peer network.
5. Distinguish between collaborative computing and affinity computing.
6. Distinguish between the OSI reference model and the TCP/IP reference model.
7. Describe the advantages and disadvantages of a client-server network.
8. Briefly explain why the internet is often referred to as a three-tier network.
9. What are the major differences between:
• an internet,
• an intranet, and
• an extranet?
10. Define and describe the advantages and disadvantages of:
• a bus topology,
• a ring topology, and
• a star topology.
Question 1
Distinguish between:
• a wide area network (WAN),
• a metropolitan area network (MAN),
• a local area network (LAN), and
• a personal area network (PAN).
Question 2
Intranets are now an essential corporate/organisational tool.
Required
Explain why the use of intranets has become so important and describe the main activities intranets are used for.
Question 3
The OSI model is a seven-layer reference model used as a template for the mapping of communications and
computer network protocols.
Required
Briefly describe the content and importance of each of the seven layers, and describe the advantages and
disadvantages of using such a reference model.
Question 4
Soft-type networks can be categorised as:
• formal bureaucracy,
• formal adhocracy,
• informal bureaucracy, or
• informal adhocracy.
Question 5
An extranet exists when the intranets of two or more companies/organisations are linked together.
Required
Describe the main benefits that can accrue from a company/organisation linking its intranet with:
• the intranet(s) of its suppliers/service providers, and
• the intranet(s) of its customers/clients.
Assignments
Question 1
Making whatever assumption you feel necessary, explain what type of network (i.e. a centralised wide area
network, a decentralised wide area network or a local area network) each of the following types of
companies/organisations would be likely to adopt:
• a financial institution with numerous offices located throughout the UK,
• a specialist retailer based in York with three retail outlets located in North Yorkshire,
• a bus company with a head office in Edinburgh and bus stations located in a number of cities throughout
the UK,
• a manufacturing company with a head office and factory located in Hull,
• a regional water authority with automated monitoring offices in Bristol and the surrounding area,
• a travel agent with three outlets in Manchester, and
• a local departmental store.
Explain and justify your selection.
Question 2
Clare Barber is an internal auditor with IQC, a large, London-based, consulting company. For the last
financial year, IQC generated income of £200m from its consulting activities. In February 2007 the management
committee of IQC decided to restructure the company’s accounting and finance information systems. The
management committee have decided to migrate all accounting and finance-related applications currently run
on the company’s centralised mainframe to eight local-area networks with the migration to be complete by
March 2008. Clare is the audit department’s representative on the company’s systems committee responsible
for designing and implementing the new system.
Required
• Explain what the term local-area network (LAN) means and describe its major components and configurations.
• What are the main advantages and disadvantages of using a LAN?
• Explain why a company such as IQC consulting would choose a distributed LAN system over the
centralised mainframe system, and describe the possible internal control problems that could arise from
adopting the new LAN.
Chapter endnotes
1
The term society is used here to denote a complex arrangement made up of people, groups,
networks, institutions, organisations and systems, and includes local, national and international
patterns of relationships.
2
Considerable literature exists that argues that nation and state are not identical, but
interdependent collective associations/structural arrangements that sometimes combine, coalesce
or fissure. This results in the possibility that not only may individual states arguably include/
comprise of many different nations, but also individual nations may include/comprise of many
different states. Whilst it is perhaps valid to suggest that in a small number of cases nation may
well equate with state, in most cases such a collective notion merely over-generalises the
relationship between territoriality, sovereignty and community. Moreover it over-simplifies the changing
context and structure of the nation and state as increasingly reformulated ‘plurilateral’
structures of regulation and authority emerge as a condition of capitalist priorities and increasingly
marginalise extant territorial power and state sovereignty.
3
Weltanschauung means to look onto the world. It refers to the framework through which an
individual and/or society interprets the world and interacts in or with it.
4
Not convinced? Consider for example, the German invasion of Poland in 1939, the Russian
annexation of Estonia, Latvia and Lithuania in 1945, the American involvement in Vietnam
in the late 1960s, the British/Argentinean Falkland Island conflict in 1982 and, perhaps more
recently, the American-led invasion of Iraq in 2003. Also the demise of the ‘Soviet Bloc’, the fall
of the so-called ‘Iron Curtain’, the creation of the UN and NATO, the development of the WTO
and the development and expansion of the EU. In all the above, the common denominator is
the desire of one social group (or indeed one nation or state) to create, either through forceful
intervention, mutual imposition and/or open negotiation, greater interconnectivity – whether
socially, politically and/or economically.
5
That is not to say that socio-political and socio-religious groups will not continue to arise and
seek to impose their will, either directly or indirectly, on the fabric of many modern societies.
On the contrary: for example, consider the continuing social conflicts in Africa, the almost ever
present socio-religious confrontation(s) in Afghanistan, the escalating political turmoil in Iraq and
the growing unrest in the Middle East, and their impact on the interrelationships between social
groups within the UK, the USA, Europe and indeed all the other western democracies.
6
The term control is used here in the context of promoting accountability and traceability.
7
Or semi hard-type networks.
8
Although such a distinction could be accused of ignoring the reciprocal nature of soft-type
networks, that is the extent to which the market capital and its associated ‘entity focused networks’
influence (directly and/or indirectly) the nature and existence of ‘self-focused networks’, which
in turn influence ‘entity focused networks’, which in turn feedback and influence ‘self-focused
networks’, etc.
9
A logical network is concerned with the connection pathways within a network and is
deemed to exist independently of the physicality of the network.
10
Actors within a social network can be a range of entities – from an individual, to a small local
association, to a large multinational corporate organisation.
11
Such relationships/dependencies may be directed (formal), undirected (informal) or mixed.
12
An example of such a network – a network often characterised by the existence of an imposed
external regulatory framework – would be a limited company (either public or private),
externally regulated by the requirements of the UK Companies Act 1985 (as amended).
13
Sound familiar? Of course it does! It’s the general systems theory notion that all systems are
comprised of small sub-systems!
14
The term bureaucracy is derived from the word bureau, used to refer to ‘an office . . . a
place where officials worked’. The Greek suffix kratia or kratos means ‘power or rule’ thus
the term bureaucracy means office power/office rule, or more appropriately ‘the rule of the
officialdom’.
15
Max (Maximilian) Weber (1864–1920), German political economist and sociologist, and
pioneer of the analytic method in sociology.
16
Karl Heinrich Marx (1818–83) – an influential philosopher, political economist and social
activist, most famous for his critique of capitalism.
17
Historical materialism, or the materialist conception of history, is an approach to the study of
history and society that contextualises changes in human history not only in terms of economic
and technological factors, but more importantly in terms of social conflict, and is generally
considered the intellectual basis of Marxism.
For Marx, the historical origin of the notion of bureaucracy was to be found within the interplay
of four historical sources:
• religion,
• the formation of the state,
• commerce, and
• technology.
18
Bureaucracies tend to proliferate in periods of economic stability and growth, and somewhat
unsurprisingly, diminish in periods of economic instability and decline.
19
A highly-structured, well-defined hierarchy, generally appropriate to conditions of relative
stability.
20
A flexible, adaptable network structure, generally appropriate to conditions of relative
instability and change.
21
Bureaucracies as a form of (socio-political) network structure suffer from a number of
inherent defects, the main problems being:
• overly political lines of authority,
• overly complex organisational structures,
• excessive anonymity, and
• unclear areas of responsibility.
22
Although, over time, they may well eventually become overly complex, extremely
unpredictable and difficult to manage.
23
A node is a processing location and can be a computer or some other information/
communication device (e.g. a printer). Every node that comprises a network will have a unique
network address, either a data link control address (DLC), or a media access address (MAC).
24
A computer and/or information and communication device that manages network resources,
for example:
• a file server is a computer (or collection of computers) that is dedicated to storing files,
• a print server is a computer that manages one or more printers,
• a network server is a computer (or collection of computers) that manages network
communications traffic, and
• a database server is a computer dedicated to processing database queries.
25
A computer motherboard is the central or primary circuit board within a computer.
26
The physical layer is layer one in the seven-layer OSI model of computer networking and
refers to network hardware, broadcast specifications, network connection type and collision
control and other low-level functions. It performs services requested by the data link layer – the
major functions and services performed by the physical layer being:
• communications administration connection,
• network resources management, and
• data conversion.
27
The data link layer is layer two of the seven-layer OSI model. The data link layer:
• responds to service requests from the network layer, and
• issues service requests to the physical layer.
It is (at present) the most widespread LAN technology in use and has largely replaced all other
LAN standards.
34
Thin coaxial cable is also referred to as 10Base2 which refers to the specifications for thin
coaxial cable carrying Ethernet signals. The name 10Base2 is derived as follows:
• 10 refers to its transmission speed of 10 mbits/s (megabits per second),
• BASE is an abbreviation for baseband signalling, and
• 2 stands for the maximum segment length of 200 metres – although the actual maximum
segment length is 185 metres.
35
Thick coaxial cable is also referred to as 10Base5 which refers to the specifications for thick
coaxial cable carrying Ethernet signals. The name 10Base5 is derived as follows:
• 10 refers to its transmission speed of 10 mbits/s (megabits per second),
• BASE is an abbreviation for baseband signalling, and
• 5 stands for the maximum segment length of 500 metres.
41
In a computing context a client is a system/user that accesses a remote service/facility located
on another computer within the same and/or related network to the client.
42
As part of a client-server network architecture, a client can be defined as an application that runs
on a PC and/or workstation, and relies on a server to facilitate access to and/or management of
the performance of a processing operation(s). For example, an e-mail client is an application
which facilitates the sending and receiving of e-mails.
43
Indeed, servers on a client-server network may also perform some of the processing work for
client machines – processing which is often referred to as back-end processing.
44
Load balancing is the distribution of processing and communications activity evenly across
a network so that no single computer and/or information and communications device is
overwhelmed. Such balancing is important for networks where service demand is difficult to predict.
45
As compared to the now ancient and monolithic mainframe computing systems.
46
In a technical context, pure peer-to-peer networks/network applications are rare. Most
networks and network applications described as peer-to-peer often contain and/or rely upon
some non-peer elements.
47
A router is a computer networking device that forwards data (packets) toward their
destinations. In essence, a router acts as a junction between two networks to transfer data (packets)
between them. A router differs from a switch which merely connects network devices (or network
segments) to form a network.
48
Most distributed computing networks are created by users volunteering to release, or make
available to others any unused computing resources they possess.
49
An example of collaborative computing or distributed computing can be found at www.grid.org.
United Devices hosts a number of projects, for example research into smallpox, anthrax, cancer
and, most recently, human protein structure, on its Grid MP platform.
50
Bandwidth is a measure of frequency range and is a key concept in information and
communication fields. Bandwidth is closely related to the capacity of a communication channel –
the greater the bandwidth the greater the capacity. Issues of bandwidth and capacity are related
by the Shannon-Hartley theorem, which is concerned with the maximum amount of error-free
digital data that can be transmitted over a communication link with a specified bandwidth in
the presence of noise interference.
51
This is clearly not the case for a client-server architecture-based network with a fixed set of
servers, in which increasing the clients/users would reduce capacity, and potentially mean lower
data transfer rates for users.
52
The term single point of failure is used to describe any part, link and/or component of a system/
network that can, if the part, link, and/or component fails, cause an interruption of the service
– ranging from a simple service interruption or processing delay to complete network failure.
53
Malicious software that is designed to destroy, disrupt and/or damage a computer system/
network.
54
Spyware is malicious software that covertly gathers user information through an internet
connection without the user’s knowledge and/or consent.
55
In networking, a bus is a collection of wires that connects nodes within a network and through
which data and information are transmitted from one computer in a network to another
computer in the network. Whilst the term ‘backbone’ is often substituted for the term ‘bus’, in a
contemporary context it is a term often used to describe the main network connections that
comprise the internet.
56
Peer-to-peer networks are often configured as a local bus.
57
Terminator connections are situated at the end of the bus – the communication links are
designed to absorb the signal once it has reached the end of the network topology and prevent
the signal from being reflected back across the bus.
58
Although most wired networks tend to be regarded as non-passive, almost all wireless
networks are regarded as examples of passive bus networks.
59
Carrier Sense Multiple Access (CSMA) is a non-deterministic media access control (MAC)
protocol in which a node verifies the absence of other traffic before transmitting on a shared
physical medium (e.g. a bus).
60
A network switch is a computer networking device which connects network segments (a
portion of a computer network that is separated by a computer networking device – for example,
a router, a bridge or switch, and/or a repeater or hub). It is often used to replace a central
network hub. A switch is also often referred to as an intelligent hub.
61
Details of all extant protocols are outlined in Request for Comments (RFCs). For further
details on RFCs see Chapter 4.
62
For example, the Token Ring protocol was a network protocol developed by IBM in the 1980s,
whereas LocalTalk was a network protocol developed by Apple Computer Inc. for Macintosh
computers.
63
Quality of Service (QoS) refers to ensuring that data packets reach their destination. Such
assurances are important, because:
• data packets may be dropped – that is the network routers fail to deliver,
• data packets may be delayed – that is data packets may take a long time to reach their
destination,
• data packets may jitter – that is a group of related data packets may reach their destination
at different times,
• data packets may be delivered out of order – that is the data packets arrive in a different order
to the one with which they were sent, and
• data packets may be corrupted – that is packets may be misdirected or incorrectly combined.
A traffic contract, a quality of service contract or a service level agreement specifies/defines the
quality of service required – thereby minimising the possibility of network problems/errors.
64
That is the segmentation and transmission of data packets over a network – possibly by
different routes.
65
That is the use of uniform hierarchical addresses to provide any network node/computer
connected to the internet with a unique identifying address.
66
That is the use of different network routes for data packets – from source to destination.
67
That is decentralised initiation, monitoring and termination of communication links.
68
That is the mapping of domain names to numeric addresses.
69
See www.mci.com.
70
See www.groupbt.com.
71
See www.att.com.
72
See www.teleglobe.com/en.
73
A transit network is a network which passes traffic between other networks in addition to
carrying traffic for its own hosts, and must have pathways to at least two other networks.
74
That is data is transmitted in packets across an internetwork that is comprised of multiple
interchangeable pathways from source to destination.
75
Which facilitates pathway redundancy – that is if a pathway fails an alternative pathway can
be used.
76
Autonomous Systems (AS) are the managed networks that comprise the internet. Often
operated by a NSP or an ISP, such networks act as both management domain and routing
domain, and are identified by a number assigned by ICANN (the Internet Corporation for
Assigned Names and Numbers).
77
An internet exchange point (IXP) is a physical infrastructure that allows different ISPs to
exchange internet traffic between their respective networks. These were originally known as
network access points (NAPs).
78
A mutual peering agreement (MPA) is a bilateral agreement which facilitates the exchange
of internet traffic between ISPs and/or NSPs without cost.
79
There are currently a little over 300 peering points worldwide.
80
A point of presence (PoP) is a physical point at which a network meets a higher level or even
primary data/information carrying line of the internet, and is mainly designed to allow ISPs
to connect into NSP networks.
81
A gateway is a computer and/or network node that acts as an entrance to another network
or another internetwork (e.g. the internet).
82
A firewall is a set of related software programs located at a network gateway and designed to
protect the resources of an intranet/private network from users from other networks.
83
Although some academics argue that the term ‘extranet’ is merely used to describe what
companies/organisations have been doing for many years – creating/developing interconnecting
private networks for the sharing of data/information – it was during the late 1990s/early 2000s
that the term ‘extranet’ began to be used to describe a virtual repository of data/information
accessible to authorised users only – over the internet.
84
The Extranet Benchmarking Association (see www.extranetbenchmarking.com) provides a
forum for business to identify the best practices of extranet initiatives through benchmarking,
allowing companies and organisations employing extranet facilities to:
• compare content,
• evaluate performance, and
• identify problem areas.
Membership is free to corporate members who have installed extranets or are planning to do so.
6 Contemporary transaction processing: categories, types, cycles and systems
Introduction
In an environment in which corporate success continues to be measured and assessed
principally on the level of economic returns generated for corporate shareholders, there
can be little doubt that failure to accommodate contemporary notions of freedom of wealth
accumulation and to offer unreserved support for the free pursuit of profit is often seen as
tantamount to committing corporate suicide – a ticket to ride on a solitary journey to the
corporate graveyard. Indeed, in today’s extremely volatile and highly competitive market,
a central feature of the search for this nirvana of:
is of course the temporal and spatial displacement of both tangible and intangible assets
and resources: or put more simply, the buying and selling of ideas, commodities and
symbols, people and identities, and goods and services.
As a fusion of political bureaucracies, social hierarchies, economic resources and
organisational technologies that comprise contemporary corporate entities, transaction
processing systems play a pivotal role in the portrayal, evaluation and governance of
the expanding domains of corporate economic activity. Such systems not only enable
social and economic activities to be rendered knowable, measurable and accountable
by homogenising, categorising and classifying economic events and activities, they also
enable the politicisation of wealth accumulation – in a specific and very particular way.
It is the constructed processing of real world transactions that facilitates the creation
of the now familiar (and sometimes misleading) pictures/descriptions of profitability and
wealth accumulation whose continued residency within the financial pages of the
business media (and thus their supposed/sustained believability) often appears to be beyond
question.
This chapter provides an overview and classification of the transaction processing systems
normally found within a company’s transaction processing cycles, namely:
Learning outcomes
This chapter analyses the key features of contemporary transaction processing, but more
importantly, it explores how and why such systems have become central to wealth creation
and the maximisation of shareholder wealth.
It provides:
• a contextual typology for the analysis and categorisation of contemporary transaction
processing, and
• an analysis and extended discussion on how such a contextual typology can be used
both to understand and control the increasingly complex and dynamic operations of
such companies.
By the end of this chapter, the reader should be able to:
• describe the main features of contemporary transaction processing,
• distinguish between different transaction processing categories, types (and sub-types),
cycles and systems,
• critically comment on the importance of such a contextual typology for understanding
wealth maximising organisations, and
• describe and critically evaluate the key transaction processing factors that both enable
and constrain wealth maximising organisations.
The reader should also be able to consider the implications of the Data Protection Act
1998 on contemporary transaction processing – especially transactions which result in
the generation and storage of information covered by the requirements of the Act.
Clearly there can be little doubt that today’s ‘global’ society is sustained through and
increasingly dominated by the global priorities of capital. A marketplace in which the company as a
created entity can and often does exercise both enormous power and enormous influence. Just
think of the power and influence exercised by companies such as Microsoft Inc., Time Warner
Inc., HSBC Ltd, Shell plc, and many other multi-listed, multinational companies.
And yet whilst the company (as a created entity) has clearly become an important servicing
component of the increasingly speculative logic of the competitive marketplace and thus
inseparable from the social, political and economic interests they serve, it is neither isolated nor
protected from the international mobility of capital and the temporal and spatial consequences of
globalisation. Company priorities are constantly reupholstered, reconfigured and redistributed
by not only the complex territoriality of inter-state politics or the social pressures of the labour
market processes, but more crucially by the competitive and often chaotic global priorities of
an ever-changing marketplace.
There can be little doubt then that companies are increasingly conditioned by a vast array of
competing social, economic and political constituencies. Indeed whilst companies have undoubtedly
become central to the globalising logic of capital as a vehicle through which once established social
and economic sovereignties are reconfigured, redesigned and reinstalled, they have perhaps
more importantly become a mirror of the dominance of the socio-cultural baggage associated
with western capitalism and the marketisation of wealth, its desire to forge interrelationships
and inter-dependencies and impose norms consistent with a self-image. A self-image founded
on a distinctive historical geography in which social technologies are increasingly developed
subordinate to the needs of a marketplace which is constantly changing and evolving, and in a
state of constant instability and unrest. A marketplace which as a competitive forum for trade
and exchange remains the primary mechanism through which profits are generated and
shareholder wealth is maximised – a mechanism whose inherent volatility continues to ensure its
outcomes are random, chaotic and unpredictable. But always entertaining!
So what has all this got to do with contemporary transaction processing? Well – remember
the key elements of systems thinking in Chapter 2? Clearly, for purposes of growth and indeed
survival, companies (as semi-open systems) need to/have to interact with other companies and
organisations – with other semi-open systems within the environment or, more appropriately,
within the marketplace. No matter how chaotic, unstable or unpredictable the market may
be, such interaction is fundamental and lies at the very heart of market-based competition,
wealth creation and profit maximisation. Interaction more often than not is achieved through
a company’s operations, its market-based activities, its transaction processing systems and the
movement and/or exchange of both tangible and intangible assets and resources.
How? Consider the following. A company acquires products, services and resources through
a process of exchange for:
• other products, services and/or resources, or
• legal title to other products, services and/or resources, or
• a legally enforceable promise to transfer legal title of other products, services and/or resources
(e.g. a promise to exchange assets) at a future agreed date.
When a company acquires products, services and resources:
• sometimes such acquired products, services and resources are consumed internally to create
other products, services and resources that can be exchanged externally (sold to other external
organisations);
• sometimes such acquired products, services and resources are converted and exchanged
externally without any internal consumption; and
• sometimes such acquired products, services and resources are merely stored (without any
conversion – without any change) and then exchanged externally.
Clearly the acquisition, consumption and/or disposal of such products, services and resources
results in either a present and/or future flow of funds. A flow of funds which inevitably impacts
on either:
Before we consider the relationship between the corporate funding cycle, value chain, value
cycle and a company’s transaction processing cycles and system, it would perhaps be useful to
consider a few generic, albeit extremely important, characteristics of contemporary transaction
processing cycles and systems; characteristics often regarded as the ‘fundamentals’ of
transaction processing cycles and systems.
Such characteristics include:
• flexibility,
• adaptability,
• reflexivity,
• controllability, and
• purposive context.
can perhaps be best defined as movement, activity and/or change performed automatically and
without conscious decision.
For contemporary transaction processing cycles and systems, such flexibility, adaptability or
reflexivity should seek to ensure that:
• changes to operating structures, functions and/or processes are relevant and appropriate, but
more importantly,
• fundamental functions and processes continue to cope with and operate within an increasingly
unstable and uncertain environment.
Controllability
There can be little doubt that a central feature of success, a key component to continued survival
– in a corporate context at least – is control. Contemporary transaction processing systems should
contain within their operational arrangements appropriate structures to ensure:
• the safe custody of products, services, and resources,
• the proper authorisation of exchange transactions,
• the correct recording and accounting for exchange transactions,
• the accurate execution and proper completion of exchange transactions, and
• the appropriate control and management of exchange transactions.
Clearly, whilst flexibility, adaptability and reflexivity are essential prerequisites for continued
survival, the importance of managing and controlling the impact of resource movements and
exchange transactions is perhaps beyond question, with such control often operationalised as
internal control within a company’s transaction processing system.
Internal control is based on:
• the separation of administrative procedures (or SOAP), and/or
• the segregation of duties (or SOD).
The issue of control was introduced in Chapter 3. We will return to a brief but more functional
consideration of internal control later in this chapter, and a more in-depth critical evaluation
of internal control and systems security in Chapter 14.
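The segregation of duties named above can be checked mechanically against a transaction log. The following Python is an added example, not taken from the book; the duty labels, the log layout, the sample records and the rule that no one person performs two duties on the same transaction are assumptions made for illustration.

```python
from collections import defaultdict

# Duties drawn from the control list above. Treating any two of them as
# incompatible for one person on one transaction is this example's assumption.
DUTIES = {"authorise", "record", "custody", "execute"}

# Constructed sample log: (transaction id, duty performed, user id).
SAMPLE_LOG = [
    ("PO-1001", "authorise", "akhan"),
    ("PO-1001", "record", "bsmith"),
    ("PO-1001", "custody", "cjones"),
    ("PO-1001", "execute", "dlee"),
    ("PO-1002", "authorise", "akhan"),
    ("PO-1002", "record", "akhan"),      # same person authorises and records
    ("PO-1002", "execute", "dlee"),
    ("PO-1003", "record", "bsmith"),     # no authorisation was ever logged
    ("PO-1003", "execute", "dlee"),
]


def sod_findings(log, required=("authorise", "record", "execute")):
    """Return a sorted list of (transaction id, finding) pairs.

    Two kinds of finding are reported:
      * one user performed more than one duty on the same transaction;
      * a required duty was never logged for the transaction.
    """
    duties_by_user = defaultdict(lambda: defaultdict(set))
    duties_seen = defaultdict(set)

    for txn, duty, user in log:
        if duty not in DUTIES:
            # Unknown duty labels are rejected rather than silently ignored,
            # so a mistyped label cannot hide a conflict.
            raise ValueError(f"unknown duty {duty!r} on {txn}")
        duties_by_user[txn][user].add(duty)
        duties_seen[txn].add(duty)

    findings = []
    for txn in sorted(duties_seen):
        for user, duties in sorted(duties_by_user[txn].items()):
            if len(duties) > 1:
                findings.append((txn, f"{user} performed {'+'.join(sorted(duties))}"))
        missing = [d for d in required if d not in duties_seen[txn]]
        if missing:
            findings.append((txn, "missing " + "+".join(missing)))
    return findings


if __name__ == "__main__":
    for txn, finding in sod_findings(SAMPLE_LOG):
        print(txn, "-", finding)
```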
Purposive context
Purposive context refers to the need to ensure that contemporary transaction processing cycles
and systems remain not only input focused but more importantly output orientated. That is,
contemporary transaction processing cycles and systems should not be process driven. Their present
functions should not be determined solely by the histrionics of past activities/successes. In
a commercial context, such a dependency on past glories/successes would be tantamount to
long-term economic suicide. Why?
Put simply, in terms of contemporary transaction processing cycles and systems, purposive
context means inherent corporate structures, functions and/or processes must be purposeful.
They must exist and function for reasons other than the bureaucracy of self-survival or
self-propagation.
Okay – so now that we have a broad understanding of the fundamentals of contemporary
transaction processing cycles and systems, what about the relationship between contemporary
transaction processing cycles and systems and:
• the corporate funding cycle,
• the value chain, and
• the value cycle.
Whilst this division may not always be as clear as some business commentators and finance
academics would suggest (some sources/applications of funds may well be categorised as both
short-term and long-term), the aim of any corporate funding policy is to ensure that a company
possesses an adequate level of funds (both cash and non-cash funds) appropriate to its level
of activities and suitable to the supply and demand requirements for such resources within
the business.
Clearly on a day-to-day basis, working capital is essential, and the importance of balancing
levels of stocks, debtors, creditors and of course cash is beyond question. However, working
capital or short-term funding is not the only aspect of funding that has an impact on a company’s
operational capabilities and its abilities to generate shareholder wealth. Long-term funding or
long-term sources and applications of funds also have a major impact, mainly because of their
size and timing – that is many of these ‘non-working capital’ sources and applications tend to
be large-value items that either
• occur/reoccur regularly, say weekly, monthly or even annually (e.g. tax payments, lease
payments, dividends, interest and, possibly, the acquisition and disposal of fixed assets), or
• occur irregularly as one-off events (e.g. new equity and loan finance and/or redemption of
old equity and loan finance).
At the heart of the corporate funding cycle is of course contemporary transaction processing
– that is the practice of business and the activity of commodity exchange through which funds
are acquired, profits are generated and wealth is created. Indeed any redefining of a company’s
funding/financing policies and/or objectives, for example:
• decreasing the level of investment in stocks to increase cash flow,
• amending sales and debtor policies to increase cash flow, and/or
• the acquisition of additional resources to increase production – to increase sales and
consequently cash flow,
will require (at the very least) perhaps a reconfiguring of a company’s contemporary transaction
processing systems and activities and/or a redefining of its management/administrative
control procedures.
The value chain is a model which analyses an organisation’s strategically relevant activities,
activities from which competitive advantage is derived. Porter (1985) suggested a value chain
model composed of two distinct groups of activities – primary activities and support activities.
Porter suggested primary activities could be divided into:
• inbound logistics – the receiving and warehousing of raw materials and their distribution to
manufacturing as they are required,
• operations – the processes of transforming inputs into finished products and services,
• outbound logistics – the warehousing and distribution of finished goods,
• marketing and sales – the identification of customer needs and the generation of sales, and
• service – the support of customers after the products and services are sold to them.
And support activities could be divided into:
• infrastructure – organisational structure, control systems, company culture,
• human resource management – employee recruiting, hiring, training, development and
compensation,
• technology development – technologies to support value-creating activities, and
• procurement – purchasing inputs such as materials, supplies, and equipment.
So, what is the relevance of the value chain to contemporary transaction processing? The
value chain model continues to remain a useful (if often criticised) analytical model for:
• articulating a company’s core competencies,
• defining a company’s fundamental activities, and
• identifying essential relationships and processes,
on which the company can plan its pursuit of competitive advantage and wealth maximisation
through:
• cost advantage2 – through either reducing the cost of individual value chain activities or by
reconfiguring the value chain, and/or
• differentiation3 – through either changing individual value chain activities to increase product/
service uniqueness or by reconfiguring the value chain.
Clearly, there are many ways in which a company can reconfigure its value chain activities to
either reduce costs and/or create uniqueness – all of which rely fundamentally on a redefining,
rearranging and/or reconfiguring of the contemporary transaction processing activities within
relevant value chain activities.
There can be little doubt that the responsibility for value management and for wealth creation
is no longer merely the responsibility of the financial manager. The obligation to pursue and
adopt wealth maximising strategies and procedures now extends to all levels of tactical and
operational decision making. And yet, for:
• the operational manager concerned primarily with day-to-day service delivery and short-term
performance measurements, and
• the tactical manager concerned primarily with resource management and accountability,
the notion and indeed importance of shareholder value can be an elusive, vague (and some
would say irrelevant) and often distant concept to adopt and/or even comprehend.
The value cycle model (see Figure 6.4) seeks to address this shortfall.
The value cycle is an inductive model that in essence seeks to provide a ‘system view’ of
the company and adopts a holistic view of a ‘value creating’ organisation/company. In doing
so the value cycle model seeks to establish connections/linkages between strategic, financial
and operational thinking and activities, and emphasises value relationships between different
corporate functions within a company’s value chain. More importantly, the value cycle model
seeks to balance resource allocation across the value chain for sustainable competitive advantage
and, where possible, align objectives and performance measures across a company’s value
chain.
As suggested by Vaassen (2002) the value cycle is a model that enables:
visualisation of segregation of duties, the clear description of the coherence between positions
and events within organisations, the relationship between flows of goods and cash
flows, and the classification of any firm in a typology of organisations (2002: 34).
Indeed, whilst in a contemporary context the value cycle – and value cycle management – has
become synonymous with the efforts to:
• introduce and integrate more technology into transaction processing activities and procedures,
and
• synchronise processes and procedures across the corporate transaction processing activities,
Whilst clearly this is nothing new – it is really just a repackaged version or restructured
application of systems thinking (see Chapter 2), it does provide a suitable functional context –
incorporating the funding cycle and the value chain into a framework within which the holistic
nature of contemporary transaction processing activities and related systems and procedures
can be appropriately considered.
Now that we have a context within which to locate contemporary transaction processing
activities, let’s have a look at them in a little more detail.
Why do we need a classification? Consider the number of active trading companies registered
not only in the UK but in Europe, the USA, in Asia or indeed globally! In addition consider the
following facts:
• No two companies are the same.
• No two companies operate in the same way.
• No two transaction processing systems are the same!
Understand the problem? Sound familiar? Of course it does! It’s the same problem you may
have come across when evaluating the comparative performance of two companies using, for
example, financial performance analysis or financial/management ratios.
All companies possess a distinctive uniqueness – a corporate disposition based on a vast
range of interrelated and interconnected characteristics and qualities particular to the company.
Characteristics and qualities founded upon an ever-changing chronicle of past, current
and future events and occurrences that reveal themselves in the existence of differences, for
example in:
• degrees of geographical diversification,
• management hierarchies and decision-making processes,
• financing and funding policies,
• levels of organisational technology, and/or
• operational policies and procedures.
Clearly, because of the vast number of trading, registered public and private companies, and
indeed the varied nature of their activities (for plcs just look at the variety of companies included
in the FTSE 100, FTSE 250 or FTSE 350 indices5) it is perhaps important to provide a rational
context/framework – a general classification – if only to bring some sense of order and
understanding to what superficially appears to be a seemingly infinite array of chaotic variety and
diversity. A classification of company types and sub-types – of transaction processing cycles and
systems – into an ordered arrangement based on a defined range of characteristics, relationships
and/or distinctive differences/similarities.
Indeed, whether inductive6 and/or deductive7 the purpose of any such classification of transaction
processing systems is:
• to enable a description of the structure and relationship of such transaction processing systems
to other similar transaction processing systems, but more importantly,
• to simplify relationships to facilitate discussion and the construction of general statements
about such classes of transaction processing systems.
Adapted and extended from Davis et al. (1990) (after Wilkinson et al. (2001)) and Starreveld et al.
(1998) (after Vaassen (2002)), this typology of transaction processing systems – see Figure 6.5
– is an inductive classification.
Indeed, inasmuch as its foundation is empirical observation, this taxonomy of transaction
processing systems is a generalised hierarchical classification (see Figure 6.6): one developed
from specific facts and observations over many years by many academics (certainly too many
to list or identify individually). Nevertheless despite its celebrated history it is perhaps important
to recognise that this classification is neither neutral nor unbiased. It is a classification
developed upon a number of classic liberal economic assumptions such as:
• commodity/service exchange is the foundation of corporate wealth generation,
• all companies are wealth maximising, and
• all (or at least most) companies are free to enter (and exit) markets without constraint
and/or penalty.
For the purposes of this typology, the following terminology will be used:
• the term categories will be used to refer to a group/sub-set of companies possessing common
characteristics and/or sharing common attributes,
• the term types will be used to refer to the company business type/sub-type within a category,
• the term cycles will be used to refer to the cycles of operation within the company business
type/sub-type, and
• the term systems will be used to refer to the systems within a company’s cycle of operations.
Clearly this initial stage classification is intuitive, which perhaps accounts for its rather vague
superficiality and simplicity. Nevertheless it is an appropriate starting point, and whilst in an
empirical context such a distinction exists (or appears to exist), it is important to acknowledge
that the two categories are:
• by no means definitive, and
• by no means exclusive.
This is because diversification within business activities does, according to contemporary portfolio
theory at least, minimise business risk and the possibility of financial loss. Look for example
at the following companies:
• HBOS plc,
• Tesco plc, and
• Legal and General plc.
All of the above three companies are established, well-known and highly respected FTSE 100
companies. All three are fairly well diversified (geographically, operationally and strategically),
and all three not only enjoy the benefit of substantial market confidence in their business
activities (albeit that such confidence is sometimes unpredictable and often temperamental),
they are all, without any doubt, extremely profitable.
For example, for the year 2004, HBOS plc announced profits of £4592m,9 Tesco plc announced
profits of £1600m10 and Legal and General plc announced profits of £1222m.11
(QED?12 – perhaps!)
Within the above two categories, five types of contemporary transaction processing structures
can be identified (each with two sub-types), as follows.
• constructive industry-based companies such as Ford plc (car manufacturer), Hitachi Ltd (electrical
goods manufacturer), Vodafone Group plc (mobile phone manufacturer), Carlsberg UK Ltd
(brewery), Diageo plc (drinks manufacturer), Associated British Foods plc (food manufacturer)
and British American Tobacco plc (cigarette manufacturer),
• extractive industry-based companies such as BP plc (oil extraction and petroleum production)
and UK Coal plc (coal mining and extraction),
• agrarian industry (farming and agriculture)-based companies,
• energy production and distribution industry-based companies such as Npower plc (energy
supplier) and BG Group plc (gas production/distribution).
Non-continuous production companies are contract production companies (normally demand
focused) that develop/construct/manufacture commodities ‘on demand’ or more appropriately
‘on contractual agreement’ and would include, for example:
• house building/property development companies (such as Barrett Developments plc and
George Wimpey plc),
• aircraft development and construction companies (such as BAE Systems plc),
• engineering manufacturing companies (such as Wolseley plc), and
• shipbuilding companies (such as Harland and Wolff Heavy Industries Ltd).
• rail services companies (such as Virgin Rail Group Ltd and GNER Holdings Ltd),
• postal services companies (such as DHL plc, Interlink plc and Post Office Ltd (owned by
Royal Mail Group plc)),
• security services companies (such as Group 4 Securicor plc).
Non-specific time/space companies are companies that provide non-specific time facilities and/or
space capacity for customers and clients. Such business types would generally offer fee-based
services en masse and would include, for example:
• cinema services (such as Odeon Cinemas Ltd, UGC Cinemas Ltd),
• leisure and sport facilities (such as David Lloyd Ltd),
• localised public transport operators (such as London Underground Ltd), and
• generic (UK-wide) public transport operators (such as Stagecoach Group plc).
A subjective classification
As you may have already recognised, the above classification of business types/sub-types is at
best subjective. For example, whilst the distinctions between type 1(a) and 1(b), between type 2(b)
and 2(c), and between type 1(a) and 2(a) are undoubtedly tenuous and certainly questionable,
the distinction between some of the business sub-types, for example sub-types 1(a)(i), 2(b)(i),
2(c)(i) and 2(c)(ii) is also unquestionably problematic. In addition some of the example companies
cited within the business sub-types can easily be included within another business sub-type
– certainly those companies that are well diversified (see earlier).
For example, consider again Tesco plc. Included in type 1(a)(i) (see above) the company is
not only the UK’s largest food retailer (with approximately 30% of the market share for the year
2006), it now provides a wide range of:
• non-food retail services (including brown14 and white15 goods),
• restaurant and café facilities,
which would probably place Tesco plc in business sub-types 1(a)(i), 2(a)(i), 2(c)(i) and 2(c)(ii).
So why include the company in business sub-type 1(a)(i)? Simple – Tesco plc’s market share
of non-food items (all those listed above) is only a mere 7% for the year 2004.16
So now we have a typology within which companies are separated into two broad categories,
categories which are themselves divided into five business types, each with two business
sub-types, let’s complete our typology by introducing the notion of transaction processing cycles
and transaction processing systems.
Whatever the company business type/sub-type, within that company a number of transaction
processing cycles or cycles of operation will exist, although the exact nature and character of
such cycles of operation will differ from company to company, mainly due to structural and/or
functional issues.
Structural issues emerge from differences in:
• management practices,
• decision-making procedures,
• operational processes, and
• levels of technology.
Functional issues emerge from differences in degrees of integration. For example, whilst in
some companies the cycles of operation may be distinct and clearly identifiable, in others such
cycles of operation may be combined and/or merged or amalgamated together for either:
• operational reasons – for example to make the cycles more efficient by reducing processing
procedures and increasing processing effectiveness, or
• financial reasons – for example to reduce costs and promote financial efficiency (and of
course maximise shareholder wealth).
Clearly, whatever the precise nature and character of a company’s transaction processing cycles
and/or systems its underlying rationale will remain the same – to ensure the expedient, efficient
and effective processing of transactions and (as a consequence) the maximisation of
shareholder wealth.
So exactly what are these cycles of operation? Within a company, four functional cycles of
operation (see Figure 6.7) can exist, these being:
• the revenue cycle,
• the expenditure cycle,
• the conversion cycle, and
• the management and administrative cycle.
Before we look at each of these in a little more detail, it would be useful to note that it is at the
cyclical and systemic level within a company’s cycles of operation and transaction processing
systems that control is operationalised, at least in a functional context. We will return to this
issue later in Chapter 14.
Such expenditure requires the commitment of current and/or future net current assets, that is
either:
• the incurrence of a liability (creditor-based expenditure cycles), and/or
• the reduction of current assets (non-creditor-based expenditure cycles).
It is probable that all business types (and sub-types in) 1(a), 1(b), 2(a), 2(b) and 2(c) would
use both creditor and non-creditor cycles which would most probably co-exist as a single
expenditure cycle.
The term asset conversion means any process, procedure and/or event that results in a transformation
and/or a change in the use, function, purpose, structure and/or composition of
an asset to another use, function, purpose, structure and/or composition. In this definition an
asset can be defined simply as anything owned by a company that has commercial value (that
is, it can produce a stream of current and/or future incomes) or has a current and/or future
exchange value.
Clearly then, the asset conversion cycle of operation is associated with physical modification
– with a production process – with the conversion of unrelated raw materials/products/
commodities into finished cohesive saleable products/commodities.
Such conversion/modification may of course vary from, for example:
• the refining of oil and the production of petroleum-based products (such as BP plc and
Shell plc),
• the production/manufacture of cars (such as Ford plc),
• the construction of houses (such as Barrett Developments plc and George Wimpey plc),
• the production of brown goods (LG plc and Hitachi Ltd), and
• food and drinks manufacturing (Associated British Foods plc, Cadbury Schweppes plc and
Diageo plc).
Clearly, as a part of the corporate exchange process, such a cycle of operation would exist and
function as a connection between the corporate expenditure cycle and the corporate revenue
cycle. As a consequence it is more than likely that some overlap in procedures and processes will
exist and that considerable variation between business types/sub-types will also exist.
It is probable that business types (and sub-types in) 1(b), 2(a), 2(b) and 2(c) would utilise
some form of asset conversion cycle.
The management cycle is concerned not only with designing, developing, planning, programming
and evaluating, but more importantly the control of business processes and procedures to
ensure:
Although the precise nature and context of each of the above systems will be dependent on the
company type/sub-type, for our purposes we will use the following distinction:
• fund management systems will refer to systems, procedures and processes concerned with
the management of fund flows (cash and non-cash) within the business – normally at the
operational and tactical management level,
• finance management systems will refer to systems, procedures and processes concerned with
the management and control of financing requirements of the business – normally at the
tactical and strategic level,
• asset management systems will refer to systems, procedures and processes concerned with
the acquisition, retention, disposal and management of capital assets, and
• accounting management/control systems will refer to systems, procedures and processes
concerned with general ledger management.
It is probable that all business types (and sub-types) would utilise some form of management
and administrative cycle, although the level of importance and influence attached to each system
would clearly depend on the business type/sub-type.
Although we will look at each of the systems in great detail later, for example:
it would nevertheless be useful to complete our typology and briefly consider the systems that
would normally be present within each of the four cycles of operation discussed above.
Revenue cycle
Within a corporate revenue cycle of operation the following systems would normally exist:
• marketing systems,
• transportation/delivery systems, and
• receipting (sales and debtors) systems.
Expenditure cycle
Within a corporate expenditure cycle of operation the following systems would normally exist:
• purchasing/acquisition systems,
• receiving and inspection systems,
• payment systems, and
• payroll systems.
See Figure 6.9.
Conversion cycle
Within an asset conversion cycle of operation the following systems would normally exist:
• product development systems,
• production planning/scheduling systems,
• manufacturing operations systems,
• production management systems, and
• cost management systems.
Management cycle
Within a corporate management and administrative cycle of operation the following systems
would normally exist:
• fund management systems,
• finance management systems,
• asset management systems, and
• general ledger control systems.
See Figure 6.11.
• volume expansion – that is the ever-increasing volume of business transactions that companies
now have to manage, and
• velocity compression – that is the growing social and economic demands to reduce transaction
processing times.
• it is the company type/sub-type that determines the precise nature of that company’s transaction
processing systems, but also
• it is the transaction processing system that determines – within certain structural and
regulatory parameters/requirements – the nature, function and performance of a company’s
accounting information system.
Remember (also from Chapter 1) that whilst it may appear to be highly structured and closely
regulated, all accounting information (in particular financial accounting statements) is politically
and economically constructed. Accounting information is simply a constructed representation
through which selected aspects of the exchange process can be measured, defined and legitimated
(see Hines, 1988; Bryer, 1995; Cooper and Puxty, 1996). A constructed representation whose
foundation resides within the data collected as a consequence of transaction events being processed
within a company’s transaction processing systems.
How does this work? Imagine the accounting information system as a reproduction of the
company’s transaction processing system – a virtual duplicate that is created using a specific
rule set, one based upon generally accepted accounting concepts and conventions. That is, for
data relating to a transaction event to enter – to be allowed access to a company’s accounting
information system – such data must comply with a specific set of rules, for example:
• data about transaction events must be expressed in financial terms – the money measurement
convention,
• data about similar transaction events must be treated in the same way – the consistency
convention, and
• the transaction events (which the data represents) must relate and be relevant to the company
– the entity convention.
There are many other relevant examples available of how contemporary accounting concepts
and conventions, such as:
are used as the rule set to determine access to a company’s accounting information system.
So what about transaction processing cycles and systems and a company’s accounting
information system? Within each of the cycles of operation discussed earlier – within each of
the transaction processing systems identified earlier – there will exist a number of identifiable
contact points at which:
• transaction data from individual transaction processing systems will be extracted and transferred
to the accounting information system – an exit point, and
• transaction data from the accounting information system will be extracted and transferred
to an individual transaction processing system – an entry point.
• an exit point is when an event is initiated within the relevant transaction processing system
– that is exit from the relevant transaction processing system, and
• an entry point is when an event is initiated within the accounting information system – that
is entry into the relevant transaction processing system.
An exit point will result in an accounting entry/event, whereas an entry point will result in a
transaction processing event. See Figure 6.12.
Do you recognise these exit points? They are the instances at which a transaction event
becomes an accounting event – an entry in a company’s accounting records – the point at which
the bookkeeping accounting entries occur!
Consider the following examples.
Unfortunately, this is not strictly correct! Remember that in contemporary financial accounting
there are three ledgers:
• the general ledger,
• the sales (or debtors) ledger, and
• the purchases (or creditors) ledger.
These ledgers are essentially databases – databases in which data is stored in a particular format
according to particular, specific and highly structured rules. It is the general ledger from which
a company’s financial statements (the profit and loss account, the balance sheet, the cash flow
statement) are prepared. The sales (or debtors) ledger and the purchases (or creditors) ledger
are really memorandum ledgers which exist merely to store and maintain detailed information
about individual debtors and creditors. However, all individual debtor and creditor balances
also appear in the general ledger in total – within either the debtors control (or total) account
or the creditors control (or total) account.
So the accounting entries would really be:
• Dr debtor control (or total) account
• Cr sales
in the general ledger, but also memorandum entries in the sales (or debtors) ledger in the individual
debtor’s account, that is:
• Dr debtor’s individual account.
As with the above, the creditor is recognised at the point at which legal title is exchanged for a
future promise to pay: when the invoice is sent by the supplier, the accounting entry occurs and
the creditor (the legally enforceable debt) is created. Again this is the contact exit point – from the
purchases system within the corporate expenditure cycle to the accounting information system.
Again the accounting entries would be:
• Dr purchases
• Cr creditors control (or total) account
in the general ledger, but also a memorandum entry in the purchases (or creditors) ledger in
the individual creditor’s account, that is:
• Cr creditor’s individual account.
When payment is received from the relevant debtor (through whatever agreed means – cash,
cheque, and/or BACS¹⁷), the accounting entries would be:
• Dr bank
• Cr debtors control (or total) account
in the general ledger, but also a memorandum entry in the sales (or debtors) ledger in the
individual debtor’s account, that is:
• Cr debtor’s individual account.
And as payment is made to the relevant creditor, the accounting entries would be:
• Dr creditors control account
• Cr bank
in the general ledger, but also a memorandum entry in the purchases (or creditors) ledger in
the individual creditor’s account, that is:
• Dr creditor’s individual account.
Clearly, payment, either received in full from the debtor and/or paid in full to the creditor, will
result in the debt being (fully and) legally discharged!
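The four sets of entries described above can be posted and then checked against each other. The following is an added example, not taken from the book: the class, function and account names and the sample amounts are constructed for illustration. It posts each event to the general ledger and the relevant memorandum ledger, then reconciles each control account against the total of the individual accounts, which is the check that exposes an amendment made in one ledger without the matching entry in the other.

```python
from collections import defaultdict
from decimal import Decimal

DEBTORS_CONTROL = "debtors control"
CREDITORS_CONTROL = "creditors control"


class Books:
    """General ledger plus the sales and purchases memorandum ledgers."""

    def __init__(self):
        # General ledger balances: debit balances positive, credit balances negative.
        self.general = defaultdict(Decimal)
        # Memorandum ledgers: amount owed by each debtor / owed to each creditor.
        self.sales_ledger = defaultdict(Decimal)
        self.purchases_ledger = defaultdict(Decimal)

    def _post(self, dr_account, cr_account, amount):
        """Post one balanced Dr/Cr pair to the general ledger and return the amount."""
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.general[dr_account] += amount
        self.general[cr_account] -= amount
        return amount

    def invoice_issued(self, debtor, amount):
        # Dr debtors control, Cr sales; memorandum Dr debtor's individual account.
        self.sales_ledger[debtor] += self._post(DEBTORS_CONTROL, "sales", amount)

    def invoice_received(self, creditor, amount):
        # Dr purchases, Cr creditors control; memorandum Cr creditor's individual account.
        self.purchases_ledger[creditor] += self._post("purchases", CREDITORS_CONTROL, amount)

    def payment_received(self, debtor, amount):
        # Dr bank, Cr debtors control; memorandum Cr debtor's individual account.
        self.sales_ledger[debtor] -= self._post("bank", DEBTORS_CONTROL, amount)

    def payment_made(self, creditor, amount):
        # Dr creditors control, Cr bank; memorandum Dr creditor's individual account.
        self.purchases_ledger[creditor] -= self._post(CREDITORS_CONTROL, "bank", amount)

    def reconcile(self):
        """Return a list of discrepancies; an empty list means the ledgers agree."""
        problems = []
        if sum(self.general.values()) != 0:
            problems.append("general ledger debits and credits do not balance")
        debtors_total = sum(self.sales_ledger.values())
        if self.general[DEBTORS_CONTROL] != debtors_total:
            problems.append(
                f"debtors control {self.general[DEBTORS_CONTROL]} "
                f"!= sales ledger total {debtors_total}")
        creditors_total = sum(self.purchases_ledger.values())
        # The creditors control account carries a credit (negative) balance.
        if -self.general[CREDITORS_CONTROL] != creditors_total:
            problems.append(
                f"creditors control {-self.general[CREDITORS_CONTROL]} "
                f"!= purchases ledger total {creditors_total}")
        return problems


def build_sample_books():
    """Constructed sample postings; names and amounts are illustrative only."""
    books = Books()
    books.invoice_issued("Debtor A", "1200.00")
    books.invoice_issued("Debtor B", "450.00")
    books.invoice_received("Creditor X", "800.00")
    books.payment_received("Debtor A", "1200.00")   # debt fully discharged
    books.payment_received("Debtor B", "150.00")    # part payment, 300.00 still owed
    books.payment_made("Creditor X", "800.00")      # debt fully discharged
    return books


if __name__ == "__main__":
    books = build_sample_books()
    print("after normal postings:", books.reconcile())
    # A balance amended directly in the memorandum ledger, with no matching
    # general ledger entry, no longer agrees with the control account.
    books.sales_ledger["Debtor B"] -= Decimal("300.00")
    print("after direct amendment:", books.reconcile())
```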
payment – for example payment within 30 days of the invoice date. Failure to pay will require
an outstanding debt reminder being despatched to the debtor. After all the debt cannot simply
continue to exist. Not only would that constitute bad financial management practice and severely
impact on corporate cash flow – especially where the levels of such debtors are high – the continuing
existence of such a debtor within a company’s accounting information system would (where
the debt appears unlikely to ever be paid) also contravene the prudence concept/convention.
So, how would a debtor reminder be generated? A simple review (and increasingly automatic
review) of the debtors accounts within the sales (debtors) ledger (within the accounting information
system) would of course reveal any outstanding balances – not only the financial amount
but also the time period that such a debt has been outstanding. It is based on this information that:
• any reminder would be despatched to relevant debtors, and/or
• any further transactions with the debtor would be prevented until the outstanding debt has
been fully discharged, or if the debtor had a trading account, the balance of the account had
been sufficiently reduced to allow further trading and, where necessary,
• any legal action for the recovery of the legally enforceable debt would be initiated, especially
where a debtor has failed to pay despite a number of polite reminders.
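An automatic review of the kind described above could look like the following added example, which is not from the book. The 30-day term is the example given in the text; the threshold of three reminders before legal action, the reading of "sufficiently reduced" as "at or below a trading limit", and all names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import List, Optional, Tuple

TERMS_DAYS = 30             # the text's example: payment within 30 days of invoice date
REMINDERS_BEFORE_LEGAL = 3  # assumption: the text says only "a number of polite reminders"


@dataclass
class DebtorAccount:
    name: str
    open_invoices: List[Tuple[date, Decimal]]  # unpaid (invoice date, amount) pairs
    reminders_sent: int = 0
    trading_limit: Optional[Decimal] = None    # set only for debtors with a trading account


def review(account, today):
    """Age one debtor's open invoices and decide which of the three actions apply."""
    balance = sum((amt for _, amt in account.open_invoices), Decimal("0"))
    overdue = [(d, amt) for d, amt in account.open_invoices
               if (today - d).days > TERMS_DAYS]
    overdue_amount = sum((amt for _, amt in overdue), Decimal("0"))
    oldest_days = max(((today - d).days for d, _ in overdue), default=0)

    actions = []
    if overdue:
        # Repeated failure to pay escalates from a reminder to legal action.
        if account.reminders_sent >= REMINDERS_BEFORE_LEGAL:
            actions.append("initiate legal action")
        else:
            actions.append("send reminder")
        if account.trading_limit is None:
            blocked = True  # no further transactions until the debt is discharged
        else:
            # Assumption: a trading account may continue while within its limit.
            blocked = balance > account.trading_limit
        if blocked:
            actions.append("block further transactions")
    return {"balance": balance, "overdue_amount": overdue_amount,
            "oldest_days": oldest_days, "actions": actions}


def review_sales_ledger(accounts, today):
    """Review every debtor account and return the results keyed by debtor name."""
    return {account.name: review(account, today) for account in accounts}


# Constructed sample sales ledger; debtors, dates and amounts are illustrative only.
SAMPLE_ACCOUNTS = [
    DebtorAccount("Debtor A", [(date(2007, 3, 15), Decimal("500.00"))]),
    DebtorAccount("Debtor B", [(date(2007, 2, 1), Decimal("300.00"))]),
    DebtorAccount("Debtor C", [(date(2006, 11, 30), Decimal("1000.00"))],
                  reminders_sent=3),
    DebtorAccount("Debtor D", [(date(2007, 1, 10), Decimal("400.00")),
                               (date(2007, 3, 20), Decimal("600.00"))],
                  trading_limit=Decimal("2000.00")),
]

if __name__ == "__main__":
    for name, result in review_sales_ledger(SAMPLE_ACCOUNTS, date(2007, 3, 31)).items():
        print(name, result["overdue_amount"], result["oldest_days"], result["actions"])
```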
Recognise this latter group? In a financial accounting context these would constitute journalised
entries and/or adjustments.
Clearly the importance of operational efficiency and effectiveness within a company’s transaction
processing systems cannot be overstated; nor can the need for control, more specifically
internal control. Internal control can be defined as management processes designed to provide
reasonable assurance that the objectives of reliable financial reporting, effective and efficient
operations, and compliance with laws and regulations are achieved.
Such internal control includes all procedures, processes and protocols, financial and otherwise,
established by the management in order to ensure:
• business activities of the company are undertaken in an orderly and efficient manner,
• compliance with management policies and adherence to extant regulatory requirements,
• the safeguarding of all assets, and
• as far as possible, the accuracy and completeness of accounting records and financial
information.
Securing effective internal control requires:
• an understanding and appreciation of the control environment,
• an understanding of relevant control activities,
• an understanding, identification and analysis of the risk,
• an assessment of information and communication channels both within the company and
within the environment, and finally
• an appreciation and understanding of monitoring transaction processes.
We will discuss/evaluate each of the above issues in more detail in Chapter 14.
The Data Protection Act 1998¹⁸ (DPA 1998) protects personal information held about individuals
and regulates the processing of data relating to individuals or, more appropriately,
data subjects.¹⁹
DPA 1998 applies to information held on or obtained from computers and to certain manual
records. It gives rights to the individual data subject and imposes responsibilities on:
• the individual data subjects,
• the organisations holding the data, and
• the employees of those organisations who use the information.
DPA 1998 implements part of the European Convention on Human Rights. It applies only
to information about individuals (such as names, addresses, personal reference numbers,
income, entitlement to benefits). It does not apply to non-personal data, such as that relating
to businesses and limited companies. Remember DPA 1998 only protects personal data about
people who are alive.
DPA 1998 applies to every company/organisation that maintains lists, databases or files
(paper or electronic) containing personal details of:
• staff – for example personnel information such as home address and date of birth,
• clients – for example account details, agreements, contact details and BACS payment details,
• customers – for example account details, contact details, credit card details, and/or
• other related parties.
All companies are required to:
• comply with the provisions of DPA 1998,
• comply with guidelines and interpretations of DPA 1998 issued by the Information Commissioner,
and
• be registered with the Information Commissioner.
DPA 1998 gives effect in UK law to EC Directive 95/46/EC and it replaces the Data Protection
Act 1984: it was brought into force on 1 March 2000.
DPA 1998 provides the following definitions:
• Data subject – an individual who is the subject of the personal information (data) and who
must be living for the provisions of the Act to apply.
• Data controller – a person who determines the purposes for which, and the manner in which,
personal data are, or are to be, processed. (This may be an individual or an organisation, and
the processing may be carried out jointly or in common with other persons.)
• Data processor – a person who processes data on behalf of a data controller. However the
responsibility for correct processing under DPA 1998 remains with the data controller.
DPA 1998 also contains eight data protection principles which are designed to ensure data is
properly handled:
• First principle – personal data shall be processed fairly and lawfully.
• Second principle – personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible with that purpose
or those purposes.
• Third principle – personal data shall be adequate, relevant and not excessive in relation to
the purpose or purposes for which they are processed.
• Fourth principle – personal data shall be accurate and, where necessary, kept up-to-date.
• Fifth principle – personal data processed for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes.
• Sixth principle – personal data shall be processed in accordance with the rights of data subjects
under the Act.
• Seventh principle – appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or destruction
of, or damage to, personal data.
• Eighth principle – personal data shall not be transferred to a country or territory outside the
European Economic Area, unless that country or territory ensures an adequate level of protection
of the rights and freedoms of data subjects in relation to the processing of personal data.
DPA 1998 also gives rights to individuals in respect of personal data held about them by others.
The rights are:
• right to subject access,²⁰
• right to prevent processing likely to cause damage or distress,²¹
• right to prevent processing for the purposes of direct marketing,²²
• rights in relation to automated decision taking,²³
• right to take action for compensation if the individual suffers damage by any contravention
of the Act by the data controller,²⁴ and
• right to take action to rectify, block, erase or destroy inaccurate data.²⁵
Further details on the provisions of the Data Protection Act 1998 are available on the website
accompanying this text.
In addition, the complete text of the Data Protection Act 1998 is available @
www.opsi.gov.uk/ACTS/acts1998/19980029.htm, with the UK Information Commissioner’s
guidance available @ www.ico.gov.uk/what_we_cover/data_protection.aspx.
Concluding comments
Contemporary transaction processing systems are socially, politically and economically significant.
Not only do they play a leading role in ensuring that the exchange process at the heart of
contemporary wealth maximisation is efficient and effective, they are without doubt a crucial
factor in the search for corporate sustainability and indeed future success.
Whilst the nature, structure and functional efficiency of a company’s transaction processing
systems will invariably be the product of an enormous diversity of interrelated and interconnected
characteristics and qualities, some commonality between the vast range of wealth maximising
companies does nonetheless exist, as suggested by the inductive typology presented in the main
discussion.
References
Bryer, R.A. (1995) ‘A political economy of SSAP 22: Accounting for goodwill’, British Accounting
Review, 27, pp. 283–310.
Cooper, C. and Puxty, A. (1996) ‘On the proliferation of accounting (his)tories’, Critical Perspectives
on Accountancy, 7, pp. 285–313.
Davis, J.R., Alderman, C.W. and Robinson, L.A. (1990) Accounting Information Systems: A Cycle
Approach, Wiley, New York.
Hines, R.D. (1988) ‘Financial accounting: in communicating reality we construct reality’, Accounting,
Organisations, and Society, 13(3), pp. 256–261.
Porter, M.E. (1985) Competitive Advantage: Creating and Sustaining Superior Performance, The Free
Press, New York.
Starreveld, R.W., De Mare, B. and Joels, E. (1998) Bestuurlijke Informatieverzorging, Samson, Alphen
aan den Rijn.
Vaassen, E. (2002) Accounting Information Systems – A Managerial Approach, Wiley, Chichester.
Wilkinson, J.W., Cerullo, M.L., Raval, V. and Wong-On-Wing, B. (2001) Accounting Information
Systems, Wiley, New York.
Self-review questions
6. What transaction processing systems are normally found within a company’s revenue cycle?
7. Distinguish between the following contact points: exit point, entry point and null point.
8. Explain the main requirements for the securing of effective control within a transaction
processing system.
9. In relation to the Data Protection Act 1998 define the following terms:
• data subject,
• data controller, and
• data processor.
10. Describe the eight key principles contained within the Data Protection Act 1998.
Question 1
Ergon plc was a Cambridge-based UK listed company. During the late 1990s the company produced digital
positioning equipment for the global transportation sector, especially the merchant navy. The company’s
products were sold throughout Europe, North America, Australia and Canada, and were widely regarded as
the best in the market. Indeed during the period 1993 to 2003 the company’s digital positioning equipment
consistently won high praise for both its design and capabilities.
In January 2004, however, Ergon plc went into liquidation, with reported debts of £230m. In March 2005, after
extensive investigation, the company receivers, Hopwind LLP, published its findings on the failure of Ergon
plc. The report suggested that the principal cause of Ergon plc’s failure had been inadequate internal control
within the company’s revenue cycle operations, in particular the management of debtor payments.
Required
Describe the primary function of a revenue cycle for a company such as Ergon plc and explain how a lack of
internal control could lead to the eventual collapse of the company.
Question 2
Louis P. Lou is managing director of Ann de-Pandy Ltd, an established female lingerie retail company located
in the north and the south-west of England. The company has been operating successfully for many years
with the period between 1998 and 2004 being one of exceptional growth both in market share (customer
numbers and sales) and overall profitability.
Over the past three years the company has continued to enhance its accounting information system and
has recently upgraded its computer network, and will from August 2006 introduce an extensive web-based
e-commerce facility. Louis P. Lou is however concerned that the accounting information system development
– especially the development of a web-based e-commerce facility – could potentially reduce the company’s
level of control over its business operations.
Required
As the company’s systems accountant, prepare a brief report for the managing director of Ann de-Pandy Ltd
addressing the managing director’s concerns.
Question 3
Lantern plc is a growing UK company which produces a range of biochemical products for the agricultural
sector in the UK and the USA. Because of recent problems regarding the purchasing of raw chemical products,
you have been asked by the managing director to make a presentation to the Board of Directors entitled
The importance of contemporary transaction processing system in wealth maximising companies.
Required
Draft out the main points of the presentation.
Question 4
The Data Protection Act 1998 contains eight data protection principles which are designed to ensure data is
properly handled. The data protection principles are listed on page 257.
Required
Critically evaluate the eight data protection principles contained in the Data Protection Act 1998 and explain
their relevance to a company that stores personal data on clients and debtors.
Assignments
Question 1
Microsoft Engineer Charged With Fraud – FBI says he resold $9 million in software, bought cars,
jewellery, and yacht.
Sales of Microsoft’s high-end software were brisk last year – at least for one employee who was charged
on Wednesday 11 December 2002 with illegally pilfering and selling $9 million worth of it for his own profit.
Daniel Feussner, a mid-level Microsoft engineer who headed up one of Microsoft’s .Net technology projects,
was arrested after an FBI probe uncovered his scheme. Feussner allegedly ordered products through
Microsoft’s internal purchasing programme and sold them on the street. According to a complaint filed
a day before his arrest with the US District Court in Seattle, federal authorities say Feussner used his
earnings to acquire a lavish car collection, a $172,000 yacht, expensive watches and diamond jewellery. He
is charged with 15 counts of fraud and could face a maximum of five years in prison and a $250,000 fine
for each charge, according to a spokesman for the US Attorney’s Office in Seattle.
Microsoft released a statement on the matter, raising an issue that prompted some analysts to say that
most companies should worry about internal control. ‘We take employee theft very seriously and realize
the effects it can have on the value we provide our customers and shareholders,’ it said in the written
statement. ‘We have a number of internal measures in place to identify theft and work very closely with the
appropriate authorities on these matters.’
While working as a manager of a speech-recognition project out of Microsoft’s .Net development group,
among other positions, Feussner used internal purchase orders to buy high-end server software, which
he then sold for cut-rate prices while keeping the proceeds, the complaint alleges. Orders passed
through a New York software vendor called ClientLogic, which would mail products to Feussner. He
then sold the software out of a Seattle-area parking lot for cash, as well as through a middleman company
called Cybershop Inn, court records indicate. Some 1700 products filtered through the scam, including
development software, and copies of Microsoft’s Windows operating system, beginning in late 2001,
authorities said. The FBI said that Feussner’s arrest is part of a larger probe into illegal use of Microsoft’s
internal purchasing programme. Matt Berger, IDG News Service, 13 December 2002, Available @
www.pcworld.com/news
Required
(a) Describe the main functional cycles of operation that may exist in a company such as Microsoft Inc.
(b) Critically assess the key objectives of control within the transaction processing cycles of a company such
as Microsoft Inc.
(c) Based on the information above, explain:
• what control activities appear to have failed,
• why the control activities appear to have failed, and
• how Daniel Feussner took advantage of such failures.
Question 2
The Enron collapse
Enron left behind $15bn of debts, its shares became worthless, and 20,000 workers around the world
lost their jobs. Many banks were exposed to the firm, from lending money and trading with it. JP Morgan
admitted to $900m of exposure, and Citigroup to nearly $800m. Former high-ranking Merrill Lynch bankers
have been charged with fraud in connection with Enron transactions. Andersen, which failed to audit the
Enron books correctly, collapsed with the loss of 7500 jobs in the US, and 1500 in the UK. BBC News
Online, 08 July 2004, Available @ www.bbc.co.uk/news
Ebbers guilty of Worldcom fraud
Former Worldcom chief executive Bernie Ebbers has been convicted of conspiracy and fraud in connection
with the 2002 collapse of the telecoms giant. Mr Ebbers, 63, who is to appeal against the verdict, was
also found guilty of seven counts of filing false documents. Shareholders lost about $180bn (£94bn) in
Worldcom’s collapse – the largest bankruptcy in US history – and 20,000 workers lost their jobs.
Mr Ebbers could face up to 85 years in prison when he is sentenced on 13 June 2005.
Worldcom emerged from bankruptcy last year and is now known as MCI. A federal jury in Manhattan had
spent eight days deliberating before returning their verdicts. BBC News Online, 15 March 2005, Available
@ www.bbc.co.uk/news
Required
Whilst very different companies, both the Enron Inc. and Worldcom Inc. collapses have significant similarities.
The source of their respective failures rests almost entirely on a lack of control.
Research the above corporate collapses and answer the following:
(a) What were the key objectives of control within Enron Inc. and Worldcom Inc.?
(b) What control activities appear to have failed in Enron Inc. and why did the control activities appear to have
failed?
(c) What control activities appear to have failed in Worldcom Inc. and why did the control activities appear to
have failed?
(d) How have the Enron Inc. collapse and the Worldcom Inc. collapse affected:
• contemporary notions of control (especially internal control), and
• the regulatory framework managing/controlling those responsible/accountable for the existence of internal
control/corporate governance?
Chapter endnotes
1. The terms ‘reflex’ and ‘reflexivity’ can be defined in many ways, for example an involuntary
action and/or reaction, and/or an automatic response to an external stimulus/input, and/or an
involuntary movement or response.
2. Porter (1985) identified 10 cost drivers related to value chain activities:
• economies of scale,
• learning,
• capacity utilisation,
• linkages among activities,
• interrelationships among business units,
• degree of vertical integration,
• timing of market entry,
• firm’s policy of cost or differentiation,
• geographic location, and
• institutional factors.
3. Porter (1985) identified several drivers of uniqueness:
• policies and decisions,
• linkages among activities,
• timing,
• location,
• interrelationships,
• learning,
• integration,
• scale, and
• institutional factors.
4. This typology is adapted and extended from Starreveld et al. (1998) after Vaassen (2002).
5. The FTSE 100 is made up of the UK’s 100 largest companies by market capitalisation, representing
approximately 80% of the UK market. It is used extensively as a basis for investment
products, such as derivatives and exchange-traded funds, and is the recognised measure of the
UK financial markets. The FTSE 250 is made up of mid-capitalised companies, representing
approximately 18% of UK market capitalisation. The FTSE 350 is made up of the UK’s large
capitalisation and mid-capitalisation companies (FTSE 100 + FTSE 250 indices).
6. An inductive approach is when the specific observations are used to determine a rule and/or
relationship. Consequently an inductive approach to classification is often called a bottom-up
approach because using such an approach a classification is derived from specific observations
– that is generalisations are developed from specific facts.
7. A deductive approach is when the rule is given first and is then followed by examples of the
rule. Consequently a deductive approach to classification is often called a top-down approach
because using such an approach a classification is developed from generalised assumptions –
that is specific conclusions from generalised assumptions.
8. Although the term ‘company’ is used throughout this discussion on contemporary transaction
processing categories, types, cycles and systems, such discussion may well also apply to
other organisational configurations.
9. See www.hbosplc.com/investors/includes/05-03-02_RNS.pdf.
10. See www.tesco.com/corporateinfo.
11. See http://lgen.client.shareholder.com/downloads/2004_Full_Year_Results.pdf.
12. Quod erat demonstrandum meaning (in English) ‘which was to be shown’.
13. Amazon.co.uk is the trading name for Amazon.com International Sales, Inc. and Amazon
Services Europe SARL. Both companies are subsidiaries of Amazon.com, the online retailer of
products that inform, educate, entertain and inspire. The Amazon group now has online stores
in the USA, Germany, France, Japan and Canada. Amazon.co.uk has its origins in an independent
online store, Bookpages, which was established in 1996 and acquired by Amazon.com
in early 1998.
14. The term used to describe appliances such as computers, televisions, radios and other home
electronics. The terminology originates from the time when many televisions and radios had
wood or fake wood cabinets.
15. The term used to describe large appliances such as refrigerators, washers and dryers. The
terminology was derived from the standard white colour of these appliances that existed until
recent years.
16. http://www.tescocorporate.com.
17. Bank Automated Clearance System – allows for the electronic transfer of monies into bank
accounts.
18. Further details on the provisions of the Data Protection Act 1998 are available on the website
accompanying this text www.pearsoned.co.uk/boczko.
In addition, the complete text of the Data Protection Act 1998 is available @
www.opsi.gov.uk/ACTS/acts1998/19980029.htm, with the UK Information Commissioner’s guidance available @
www.ico.gov.uk/what_we_cover/data_protection.aspx.
19. See the main text below for a definition of a data subject.
20. Data Protection Act 1998 s7, s8 and s9.
21. Data Protection Act 1998 s10.
22. Data Protection Act 1998 s11.
23. Data Protection Act 1998 s12.
24. Data Protection Act 1998 s13.
25. Data Protection Act 1998 s12(a), s14 and s62.
Introduction
Data are worthless . . . but information is priceless! (Anon)
The purpose of a data processing system, in particular a transaction-based data processing
system, is to ensure the accurate conversion/transformation² of data into information.
Whilst such a conversion/transformation can of course be accomplished using a wide
variety of methodologies and an ever-expanding range of processing technologies, such
a conversion/transformation would invariably involve a number of integrated activities/functions,
these being:
• a development function – for the creation of data records/data files to act as a repository
of data or to store data;
• a maintenance function – for the amendment of, addition to, and/or deletion of data
records/data files held within the data store;
• a retrieval function – for the interrogation and manipulation of data records/data files
held within the data store;
• a disposal (or archiving) function – for the removal of data records/data files from the
data store (subject to any extant legislative restrictions); and
• a management function – for the coordination and control of the above development,
maintenance, retrieval and disposal functions.
Commencing with a brief review of the nature of data and data management, this chapter
explores a range of issues related to:
• data processing,
• data storage,
• data flow analysis, for example:
  ◦ dataflow diagrams,
  ◦ entity-relationship diagrams,
  ◦ systems/document flowcharts,
  ◦ decision tables, and
  ◦ organisational coding systems/charts of account, and
  ◦ databases – in particular relational databases.
Chapter 7 Data management, data processing and databases: storage and conversion
Learning outcomes
Data management
As suggested earlier, data are worthless . . . but information is priceless. To be useful, data requires
processing. More importantly, it requires processing in an organised and controlled manner.
Such processing – whether it is manual-based processing or computer-based processing, or
indeed a combination³ (we will look at these in a little more detail later in this chapter) – would
normally comprise a number of mutually interdependent stages, these being:
• data selection,
• data conversion,
• data capture,
• data input,
• data storage,
• data maintenance,
• data processing, and
• data output (or more appropriately information generation).
Let’s have a look at each of these stages in a little more detail.
Data selection
The term data selection can be defined as a process of filtering or, more precisely, a process
of determining the appropriateness and relevancy of data. Such data selection would normally
be based on pre-determined criteria as necessitated by end user needs/requirements, for
example:
• the content of the data,
• the structure/format of the data, or
• the context/relevance of the data.
Data conversion
Data conversion can be defined as a process or group of processes which convert(s) data from
one data format to another. Data conversion is usually necessary where the data is relevant but
presented in a structure/format that is inconsistent with the requirements.
Consider the following:
On 30 March 2007, MGA Ltd, a UK-based retail company, received an invoice from GHF
GmbH,⁴ a German-based supplier, for services received during February 2007. MCA Ltd’s
year end is 31 March 2007. It is likely that the invoice received from GHF GmbH would be
priced in euros. Consequently before the invoice can be processed the monetary value of the
invoice would need to be converted to sterling.
Data capture
Data capture can be defined as the acquisition of data. Where data is selected for processing it
is important to ensure all such data is processed. Data capture is therefore often considered to
be a controlling process/function designed to ensure the full and complete processing of all
selected data.
Note: In many data processing systems, data selection, data conversion and data capture are
viewed as a single stage.
Data input
Data input can be defined as the entry of data into a processing system. Broadly speaking,
there are two types of data input:
Physical input
Physical data input is data input in which the source of the data is a hard copy document. Such
input is normally associated with offline data entry and is generally used in batch processing –
that is where data are collected perhaps over a period of time before being processed.
Examples of such physical input/batch processing would be:
• time-cards completed by individual employees on a daily basis, which are then collected by
payroll personnel and used to calculate individual employee weekly wages; or
• invoices received on a daily basis from product suppliers/service providers which are collected
and processed for payment at the end of a week.
Non-physical input
Non-physical data input is data input in which the source of the data is not a hard copy
document. Such input is normally associated with online data entry. Such non-physical data
input is often referred to as paperless data input or virtual data input.
There are two types of non-physical input, these being:
Data storage
Data storage can be defined as the structured accumulation of data.
Within manual-based processing such data storage would perhaps be limited to physical
paper-based systems, for example a hard copy file system. Pre-computer, data storage also used
paper tape and punch cards.
Within computer-based processing, such data storage could be:
• magnetic storage – using different patterns of magnetisation on a magnetically coated surface
to store data;
• semiconductor storage – using semiconductor-based integrated circuits to store data;
• optical disc storage – using tiny pits etched on the surface of a circular disc to store data; data
are read by illuminating the surface with a laser diode and observing the reflection; and/or
• magneto-optical disc storage – using optical disc storage in which the magnetic state on
a ferromagnetic surface stores data; the data are read optically and written by combining
magnetic and optical methods.
There are many future data storage technologies in development, perhaps the most promising being:
• holographic storage – using crystals or photopolymers to store data, and
• molecular storage – using electrically charged polymers to store data.
Data maintenance
Data maintenance can be defined as the preservation of data integrity, and generally involves
the development of processes and procedures that not only ensure the correctness, accuracy
and validity of all stored data, but more importantly maintain the relevance of all stored data.
As such, data maintenance processes and procedures would be concerned with monitoring
and controlling access to stored data – in particular authorising access related to the addition,
deletion, amendment and/or removal of data from the data store.
Data processing
Data processing can be defined as any process and/or procedure, or series of processes and/or
procedures, that converts data into information.
We will look at two alternative approaches to data processing in more detail later in this chapter.
Data output
Data output can be defined as the exit of data out of a processing system. Broadly speaking,
there are two types of data output:
• physical output, and
• non-physical output.
Physical output
Physical data output is produced in the form of a hard copy document – for example, a debtor
invoice, or an employee pay slip.
Whilst historically physical data output was regarded as the norm, in contemporary computer-
based processing – especially computer-based accounting information systems – such physical
data output is perhaps now the exception rather than the rule and is becoming increasingly
rare day by day owing to cost and efficiency factors.
Non-physical output
Non-physical data output is data output in the form of a virtual (and increasingly) web-based
document. For many business/accounting-related transactions such non-physical output has
become increasingly the norm; a contemporary example of which would be providing customer
statements/invoices using a secure password protected website.
In a literal sense, the term data7 means that which is given; however, in a more general context, the
term data (sometimes referred to as data element) is often used to mean a representation of facts,
concepts or instructions in a formal and organised manner, more specifically as a representation
of the attributes of an entity. So what is an entity . . . and what are attributes?
Put simply, an entity can be defined as something that possesses a distinct and separate
existence, though not necessarily a material or physical existence. For example, an entity
can be:
• an object – for example, a product/service, or
• a person – for example, a customer/client or supplier/provider, or
• an event – for example, the sale of a product or the provision of a service,
When data are collected they need to be stored and maintained. Whilst there are a number of
alternative media that can be used some are more efficient than others. For example:
• in a manual-based system/process the storage medium would more than likely be a physical
storage medium – for example, a paper file-based facility or a microfiche/microfilm-based
facility,8 whereas
• in a computer-based system/process such a medium could be a virtual storage medium – for
example, a digital file-based facility.
Random data storage, perhaps unsurprisingly, means data storage without any predictable or
systematic pattern. Such data storage is designed to allow data to be:
• stored in any location, and/or
• accessed in any order,
Data element
A data element would have two key characteristics:
• data element name, and
• data element value.
Data field
A data field would have two key characteristics:
• field length, and
• data type.
Field length
The field length of a data field refers to the number of continuous positions (or characters)
required within a particular data field to store a specific data element type. In the above example
the field length of field 7 of LKT plc’s customer record is 8 positions (or characters).
Data type
The data type refers to the class or category of data stored in a particular data field. Such data
types can vary from:
• an alphabetic data type – that is alphabetic characters only (e.g. a name),
• a numeric data type – that is numeric characters only (e.g. a customer reference number),
• an alpha-numeric data type – that is a combination of alphabetic and numeric characters
(e.g. a customer address),
• a time and/or date numeric type data – that is a point in time data (e.g. 050507 (5 May 2007)),
• value data – that is a numeric value using either a fixed or floating decimal point (e.g.
£1300.00), to
• a raw type data – that is graphic and/or audio/visual data.
In the above example, the data type of each of the 12 fields of LKT plc’s customer record is as
follows:
Field Data type
1. Numeric type data
2. Alphabetic type data
3. Combined numeric and alphabetic type data
4. Alphabetic type data
5. Combined numeric and alphabetic type data12
6. Numeric type data
7. Numeric type data – (fixed decimal point)
8. Alphabetic type data
9. Numeric type data – (date type data)
10. Numeric type data
Data record
As suggested earlier, a data record can be defined as a group or collection of data fields/data
elements. In the above example, the data record for Potremic Inc is the complete customer
record containing all 12 data fields and all 99 data characters.
Data file
A data file is an organised collection of data records. In the above example, one type of data file
would be a data file containing all 25,000 records of each of the customers of LKT plc. Such a
customer record data file would – as we will see – be considered a master file.
Within a data file, data records can be organised sequentially or non-sequentially.
Whereas a sequentially ordered file is a file in which data records are stored in an organised
manner according to a specific data record, for example debtor records in a debtor file may
be organised in debtor number order or debtor name, a non-sequentially ordered file is a file in
which data records are stored in a random unorganised manner.
We will return to the issue of sequential/non-sequential data files later in this chapter.
So, are there different types of data files? Yes there are! In general, within a file orientated
approach, two specific categories/levels of files would be used, these being:
• primary files or source files – because such files contain original source data derived from the
system environment, or
• secondary files or derivative files – because such files contain duplicate data derived from the
transaction file.
Primary files
The main types of primary files within a file orientated approach would be:
• a master file,
• a transaction file, and
• a reference file.
A master file would contain data related to or concerned with a specific entity or group of
entities. In an accounting information systems context, the general ledger, the creditor ledger,
or indeed the debtor ledger would be regarded as a separate and individual master file.
A transaction file would contain data related to or concerned with a specific current event.
In an accounting information systems context such events would be, for example, accounting
transactions such as sales, purchases, the payment of an invoice, the receipt of payment from a
debtor, etc.
A reference file would contain data related to or concerned with a specific group of attributes:
attributes required to complete a transaction event or group of transaction events. In an
accounting information systems context such attributes could be, for example, a product listing,
a price listing or a customer/client listing, or a product supplier/service provider listing.
Secondary files
The main types of secondary files within a file orientated approach would be:
• a history file,
• a report file, and
• a back-up file.
A history file, sometimes referred to as an archive file, would contain data related to or
concerned with specific past events. In an accounting information systems context such events
would be, for example, completed accounting transactions. Such data would be derived from
the transaction file.
A report file would contain data derived from the master file and/or the transaction file, and
would be generated for a specific purpose. In an accounting information systems context such
reports would include, for example, a stock status report, a doubtful debt listing or a creditor
payment listing, etc.
A back-up file would contain data derived from the transaction file and would be generated
for security purposes to ensure that a copy of all source data is available. Because transaction
file data is frequently changing as transactions are processed, the back-up file would require
frequent revision to ensure its contents reflected all processed transactions.
Secondly, determining the purpose for which a data file(s) will be used will provide an indication
of how long data records and data files should be retained – for example should data records/
files be retained for a month, six months, a year or six years.13
Thirdly, establishing the degree of commonality required between data records in different
data files – that is the extent to which data records in different data files should be capable
of consolidation and/or shared by different users – will provide an indication of what security
arrangements should be used to maintain the integrity of individual data records/data files and
prevent the unauthorised addition, deletion and/or alteration to data records/data files.
So what are the advantages and disadvantages of a file orientated system?
In addition, if well-designed, such an approach can handle large volumes of data very efficiently.
The disadvantage of a file orientated approach is that it can become very cumbersome (lots
of duplication of data files), very complex, difficult to manage, overly bureaucratic and highly
politicised, often resulting in the limited sharing of data. In addition, it can result in the excessive
duplication of data and high levels of data inconsistency due to the limited enforcement of data
standards. More importantly, such a system can be difficult to update and/or change – especially
where extensive structural change to data content and/or file organisation is required.
And what of data orientated systems/database systems? Whilst such systems clearly increase
user accessibility and promote improved flexibility, they are very costly to develop and can be
very complex to maintain.
So which is the most popular? Pre-1980s the file orientated approach was probably the most
popular, but since the mid/late-1980s (and certainly since the early 1990s), the data orientated
approach/database system has become the most popular. Why?
Whilst there can be little doubt that the increasing availability of information and
communication technologies (certainly since the early 1990s) and the ever-reducing cost of database-
related technologies has clearly contributed to the increasing popularity of the data orientated
approach and its increasing integration into a wide range of information and communication
related applications, its widespread adoption – especially in business-related/accounting-related
information systems – has perhaps more to do with the increasingly ‘in vogue’ view that data should
be regarded as an organisational resource, whose efficient management (and use) is central to
the development and maintenance of shareholder wealth. Certainly this is true in today’s ever-
more sensitive and competitive information dominated marketplace.
So what do we mean by the efficient management of data? Put simply, this means not only
establishing efficient and effective facilities for the accurate capture and release of data, it also
means developing and maintaining appropriate and acceptable levels of:
• data redundancy,
• data consistency,
• data integration,
• data accessibility,
• data flexibility,
• data security, and
• data integrity.
Using a file orientated approach may require data to be entered more than once, especially
where the same data is duplicated within a company/organisation.
Consider the following.
PLT Ltd is a Coventry-based manufacturing company. The company has six departments.
Because PLT Ltd uses a file orientated approach to store and maintain product/service data,
each department holds its own separate master file of product/service details. To update the
data record of a particular product/service, it would be necessary to determine on which of
the master files a copy of the product/service data is maintained (remember the product/
service data may be held in each master file), access the relevant master file and then update
the relevant master file. This could mean that each of the six master files may need to be
updated separately.
Using a data orientated approach/database system, this multiple updating would not be necessary.
Why? Because only a single product/service master file would be maintained within PLT
Ltd, as a company-wide/organisation-wide resource accessible by each of the six departments
within the company. To update the product/service master file would therefore only require a
single data entry/data update.
Data redundancy
Data redundancy is concerned with the usability of data or more appropriately the likelihood
that data may become defective and unreliable. Clearly, levels of data redundancy are negatively
correlated to levels of efficiency – that is the higher the levels of data redundancy, the lower
the levels of efficiency.
So what types of data redundancy are there? There are two types, these being:
Direct redundancy occurs where data in a data file (using a file orientated approach) or data
in a data table (using a data orientated approach/database system) is a copy of data held in
another file or database record. Indirect redundancy occurs where data in a data file (using a
file orientated approach) or data in a data record (using a data orientated approach/database
system) can be derived from data held in another data file or data record.
Using a file orientated approach creates opportunities for both direct and indirect data
redundancy to occur. Indeed, as demonstrated in the PLT Ltd illustration above, using a file
orientated approach can lead to significant levels of direct data redundancy in stored data: that
is the existence of many copies of the same data, resulting in not only the inefficient use of data
storage space but perhaps more importantly the possibility of data inconsistencies.
Using a data orientated approach/database system, data are integrated as an amalgamation
of several otherwise distinct data files. Whilst such an amalgamation clearly minimises (but not
eliminates) the possibility of direct data redundancy – that is the likely existence of multiple
copies of the same data within the database system – the possibility of indirect data redundancy
nonetheless remains.
Using a data orientated approach/database system, incidences of data redundancy – whether
direct or indirect – can be greatly reduced by normalisation. Normalisation is a series of techniques
that make up a process which seeks to convert complex data structures into simple,
stable data structures by organising data to reduce the possibility of data anomalies/data
inconsistencies emerging.
We will look at normalisation later in this chapter.
Data consistency
Data consistency is concerned with uniformity, and the standardisation of data within either
a file (or series of files) and/or a database.
Clearly, improved levels of data consistency and data uniformity are positively correlated
to levels of reliability – that is the higher the levels of data consistency, the higher the level
of data reliability.
Consider the following.
TLE Ltd is a new Leeds-based retail company. The company will commence trading in
the next few months in seven retail outlets located throughout the north-east of England.
Although the majority of company staff will work in only one retail outlet, because of the
eclectic nature of some of its products TLE Ltd expects some specialist staff will work at
more than one retail outlet.
The company uses a file orientated approach to store and maintain personnel data with the
manager of each retail outlet holding a separate master file of the staff employed at the retail
outlet they manage.
For those specialist staff working at more than one retail outlet, such an approach would result
in the excessive duplication of personnel data. More importantly using a file orientated approach
could also result in:
• a high level of data inconsistency – for example, changes to specialist personnel staff data
may be incorrectly documented or completely omitted, and (perhaps more importantly)
• a low level of standardisation – personnel data may be stored differently by each manager at
each retail outlet.
Using a data orientated approach/database system to store and maintain personnel data
centrally in the company’s head office in Leeds would of course not only reduce the opportunity
for data inconsistencies to occur, it would also – almost certainly – eliminate any possible
standardisation issues.
Data integration
Data integration is concerned with the opportunity to combine two or more data sets for the
purposes of either:
Clearly, effective data integration not only reduces possible data duplication, it also moderates
the requirement for excessive data storage capacity and, of course, improves data availability/
accessibility.
Using a file orientated approach can limit the possible levels of data sharing. Why? Sometimes
for economic reasons, for example, the cost/time required to process data for data sharing
purposes may be prohibitive; sometimes for technical reasons, for example, data sharing may
be difficult because of data inconsistencies and/or a lack of data standardisation between data
files; and sometimes for political reasons, for example, a manager may refuse and/or may make
it difficult to gain access to data which they manage/control.
Using a data orientated approach/database system of course eliminates some, if not all, of
the above problems and allows for a higher degree of monitored data sharing and controlled
data integration.
Data accessibility
Data accessibility is of course concerned with the practicality and suitability of facilities used to
provide users with access to data/data files and, whilst there can be little doubt that data use is clearly
related to user accessibility, determining the suitability of data access facilities/opportunities can
be problematic. Why? Because when determining the appropriateness of user access facilities/
opportunities, issues of data security and data integrity must also be considered. For example,
whilst unrestricted and/or unmonitored access may well promote high levels of user activity, such
potential ‘open access’ could adversely affect data integrity/security: that is potential users may
steal, fraudulently alter and/or even corrupt data. Conversely, constraining accessibility – for
example, imposing severe restrictions on user access – may well help to maintain the integrity and
security of the data, but could also adversely affect both the numbers and levels of user activity.15
Using a file orientated approach clearly constrains accessibility inasmuch as data may exist in
separate data files owned by different users/different applications. Conversely, using a data orientated
approach/database system improves accessibility due to the centralisation of data storage.
Data flexibility
Data flexibility is concerned with the ease and cost effectiveness with which data can be modified.
Using a file orientated approach, flexibility is often very low. Why?
Because data is often defined and organised by the individual (within the company/organisation)
who effectively owns the data. More importantly, because multiple copies of the same data may
be owned by different individuals within the company/organisation and stored in different
locations within the company/organisation, amendment to or modification of any such data
may be difficult and expensive.
Using a data orientated approach/database system, flexibility is often very high because the
data are held in a single location. Indeed, such flexibility is often seen as the prime advantage of
a data orientated approach/database system.
Data security
Data security is concerned with ensuring that data are kept safe from corruption and that access
is suitably controlled. Data security is closely related to data privacy and data confidentiality.
Using a file orientated system, because data may be maintained separately in a number
of different locations, there may always be a chance that some data may be lost. Using a data
orientated approach/database system, because data is maintained in the same location, all or
most data may be vulnerable to loss especially if back-up copies are not routinely maintained.
Of course, using a data orientated approach/database system does allow for the imposition
of a comprehensive data security system although such security systems can be expensive to
implement and difficult to manage/monitor.
Data integrity
Data integrity is concerned with minimising possible data inconsistencies and ensuring that
data within a data file (using a file orientated approach) or data table (using a data orientated
approach) is accurate. Levels of data integrity can be monitored using a range of integrity
checks. Such integrity checks can be categorised as follows:
• type checks,
• redundancy checks,
• range checks,
• comparison checks, and
• constraint (or restriction) checks.
Type checks are designed to ensure that the data type within a data field in a data record is
correct – for example, checking whether a data type within a numeric data field is numeric.
Redundancy checks are designed to ensure that the data within a data file, data table or data
set is useable. (If you recall – we discussed direct and indirect redundancy earlier.)
Range checks are designed to ensure that a data item’s value occurs within a specified range
of values – for example, in a data field recording an employee’s age such a check could ensure
that an employee’s age is, say, >16 and <75.
Comparison checks are designed to compare data within a data field and/or group of
data fields, or with data within another data field and/or group of data fields: for example,
checking that the salary of a group of employees is within the salary range/salary scale for those
employees.
Constraint checks are designed to ensure that any constraint, condition or restriction imposed
on data within a data field, data table or data set is complied with – for example, to ensure legal
constraints over the deletion of data within a data field – especially data of a personal nature –
are complied with.
Whilst both the file orientated approach and the data orientated approach/database system
provide opportunities for the application of all of the above integrity checks, using the data
orientated approach/database system helps not only to centralise the imposition of such integrity
checks, but also minimises the cost of such checks whilst maximising their effectiveness.
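The type, range, comparison, redundancy and constraint checks described above can be written as small validation routines. The following Python code is an added example, not taken from the book: the field specification, salary scale, six-year retention period and sample records are constructed assumptions, and the redundancy check is read here as detecting inconsistent copies of one record (direct redundancy).

```python
from datetime import date

# Constructed field specification: field name -> (data type, field length).
FIELD_SPEC = {
    "employee_no": ("numeric", 6),
    "name": ("alphabetic", 30),
    "age": ("numeric", 2),
    "grade": ("alphabetic", 1),
    "salary": ("numeric", 8),
}
# Constructed salary scale per grade, used by the comparison check.
SALARY_SCALE = {"A": (18000, 25000), "B": (25001, 40000)}
RETENTION_YEARS = 6  # assumed retention period for the constraint check

# Constructed sample records (all values are held as character strings).
GOOD = {"employee_no": "100234", "name": "Ann Lee", "age": "34",
        "grade": "A", "salary": "21000"}
BAD_TYPE = dict(GOOD, age="3x")
BAD_RANGE = dict(GOOD, age="16")
BAD_SALARY = dict(GOOD, salary="52000")


def type_check(record):
    """Type check: each field holds its declared data type and fits its length."""
    errors = []
    for field, (kind, length) in FIELD_SPEC.items():
        value = record.get(field, "")
        if not value:
            errors.append(f"{field}: missing")
        elif len(value) > length:
            errors.append(f"{field}: longer than {length} characters")
        elif kind == "numeric" and not (value.isascii() and value.isdigit()):
            errors.append(f"{field}: not numeric")
        elif kind == "alphabetic" and not value.replace(" ", "").isalpha():
            errors.append(f"{field}: not alphabetic")
    return errors


def range_check(record):
    """Range check from the text: an employee's age must be >16 and <75."""
    age = int(record["age"])
    return [] if 16 < age < 75 else [f"age: {age} outside 17-74"]


def comparison_check(record):
    """Comparison check: salary must sit inside the scale for the grade."""
    scale = SALARY_SCALE.get(record["grade"])
    if scale is None:
        return [f"grade: {record['grade']} has no salary scale"]
    low, high = scale
    salary = int(record["salary"])
    if low <= salary <= high:
        return []
    return [f"salary: {salary} outside {low}-{high} for grade {record['grade']}"]


def redundancy_check(records):
    """Direct redundancy: flag copies of one employee_no that disagree."""
    seen, errors = {}, []
    for rec in records:
        key = rec["employee_no"]
        if key in seen and seen[key] != rec:
            errors.append(f"employee_no {key}: inconsistent duplicate")
        seen.setdefault(key, rec)
    return errors


def constraint_check_delete(left_on, today):
    """Constraint check: refuse deletion inside the retention period."""
    target_year = left_on.year + RETENTION_YEARS
    try:
        earliest = left_on.replace(year=target_year)
    except ValueError:  # 29 February when the target year is not a leap year
        earliest = left_on.replace(year=target_year, day=28)
    return [] if today >= earliest else [f"delete refused until {earliest}"]


def validate(record):
    """Run the checks in order; value checks only run once the types are sound."""
    errors = type_check(record)
    if errors:
        return errors
    return range_check(record) + comparison_check(record)
```

Running the type check first matters: the range and comparison checks convert field values to numbers and would fail on input that the type check has not already accepted.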
Data processing
As suggested earlier, data processing can be defined as any process and/or procedure, or series
of processes and/or procedures, that converts data into information.
There are two alternative types of data processing approaches:
• manual-based data processing, and
• computer-based data processing.
Broadly speaking, manual-based data processing can be defined as the processing of data
using, primarily, human-based resources. It does not necessarily signify the complete absence
of information and communication technologies, but merely that the use of such resources
whilst important is nonetheless of a secondary nature. Such data can loosely be categorised
as either:
• routine business-related transaction data, or
• non-routine business-related transaction data.
For a number of reasons – perhaps the most important being that such manual-based
processing is:
• generally very slow,
• often very costly, and
• invariably an inefficient use of company/organisation resources.
The last is particularly the case where an individual manual-based process becomes politicised
and seen as being owned by a group and/or department within a company/organisation.
Note: Where manual-based data processing is used for the processing of routine business-
related transaction data, such processing would normally involve:
• the collection of transaction data into groups or batches (into a transactions data file), and
• the processing/updating of the master file when either:
  ◦ a predetermined processing limit or batch size has been reached, or
  ◦ a timetabled processing deadline has expired.
So how would the updating of the master file – that is the updating of the master file data with
the data accumulated within the transaction file – take place?
There are two alternative approaches, these being:
• sequential file updating, and
• non-sequential (or random access) file updating.
Using sequential updating, the data in the transaction file would be validated, edited where
appropriate and then sorted into the same order as the master file. The master file would then
be updated in master file order.
Using non-sequential updating, the data in the transaction file would be validated, edited
where appropriate and the master file would then be updated in transaction file order.
Whichever approach is used, an updating report would be produced for audit trail purposes.
Although non-sequential updating is much simpler, it can and generally does tend to be
much more time consuming, especially where a large volume of data records require updating.
As a consequence, manual-based processing generally uses a sequential updating approach.
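The two updating approaches described above, as an added Python example that is not from the book: the debtor master file, the transaction batch and the control-total reconciliation are constructed assumptions. Both approaches validate the batch first and return an updating report and a rejection list for the audit trail.

```python
# Constructed debtor master file, held in debtor-number order: (debtor_no, balance).
MASTER = [("D001", 500), ("D002", 0), ("D004", 1250)]
# Constructed transaction file in arrival order: (debtor_no, amount).
TRANSACTIONS = [("D004", -250), ("D001", 100), ("D003", 75),
                ("D001", "x"), ("D004", 40)]


def validate_batch(transactions, master_keys):
    """Split the batch into valid transactions and rejected ones with a reason."""
    valid, rejected = [], []
    for key, amount in transactions:
        if not isinstance(amount, int):
            rejected.append((key, amount, "amount not numeric"))
        elif key not in master_keys:
            rejected.append((key, amount, "no master record"))
        else:
            valid.append((key, amount))
    return valid, rejected


def sequential_update(master, transactions):
    """Sort the batch into master file order, then make one pass over the master."""
    valid, rejected = validate_batch(transactions, {k for k, _ in master})
    valid.sort(key=lambda t: t[0])  # stable sort: arrival order kept per debtor
    new_master, report, i = [], [], 0
    for key, balance in master:
        # Consume every transaction for this master record before moving on.
        while i < len(valid) and valid[i][0] == key:
            balance += valid[i][1]
            report.append((key, valid[i][1], balance))
            i += 1
        new_master.append((key, balance))
    return new_master, report, rejected


def non_sequential_update(master, transactions):
    """Apply the batch in transaction file order, locating each record directly."""
    valid, rejected = validate_batch(transactions, {k for k, _ in master})
    balances = dict(master)
    report = []
    for key, amount in valid:
        balances[key] += amount
        report.append((key, amount, balances[key]))
    return sorted(balances.items()), report, rejected


def control_total_ok(old_master, new_master, report):
    """Reconcile: the change in total balance must equal the sum of posted amounts."""
    change = sum(b for _, b in new_master) - sum(b for _, b in old_master)
    return change == sum(amount for _, amount, _ in report)


if __name__ == "__main__":
    for update in (sequential_update, non_sequential_update):
        new_master, report, rejected = update(MASTER, TRANSACTIONS)
        print(update.__name__, new_master, report, rejected,
              control_total_ok(MASTER, new_master, report))
```

Both functions leave the master file in the same state; only the order of the updating report differs (master file order against transaction file order), which is what an auditor tracing entries back to the batch needs to know.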
• the data processing is temporally and spatially separated – that is it occurs at different times
and/or in different places.
Why? Put simply, computer-based processing can process transactions at great speed and with
great accuracy. More importantly it can process transactions at a very low unit cost and offers
a wider choice of secure storage facilities and processing alternatives.
So, what types of computer-based processing alternatives are there? There are essentially two:
• computer-based processing in which data is processed periodically (with either sequential
updating or non-sequential updating) – usually referred to as batch processing, and
• computer-based processing in which data is processed immediately – usually referred to as
online processing (although it is sometimes referred to as online real-time processing).
Friday: At the end of each working week payroll clerk no. 1 reviews the payroll department
files (updated by the personnel department) to determine the employment
status/number of full-time factory employees. The payroll clerk then prepares
a bar code-based timecard for each full-time factory employee and delivers these
to the factory foreman on Friday at 4:30 pm. At the same time the payroll clerk
collects the current week’s completed timecards. The factory foreman confirms
the validity of each timecard, and places it in a wall mounted open storage unit
near the clocking-in/clocking-out facility at the entrance to the factory. Each
full-time employee is required to clock-in using the timecard on arrival and
clock-out using the timecard on departure. The factory week commences on
Monday 7:00 am and ends on Friday 4:00 pm. The collected timecards are
returned to the payroll office and securely stored until Monday 9:00 am.
Monday: Using a bar code reader, payroll clerk no. 2 calculates the attendance times of
each factory employee from the timecards and calculates the payable hours.
A list of the payable hours for each factory employee is passed to payroll
clerk no. 1. Using the updated payroll data provided by the personnel department
each week, from the personnel master file payroll clerk no. 1 prepares a
payroll register containing details for each employee of the total net pay (gross
pay less relevant deductions).
Tuesday: The payroll manager authorises and approves the payroll register and forwards
the payroll register to the creditor department for review. The creditor department
manager reviews the payroll register, authorises the payment and issues
a disbursement voucher.
Wednesday: The disbursement voucher and payroll register are forwarded to the cashier’s
office for review/reconciliation. A file transfer for the payment of the wages
is authorised and the BACS payment approved and processed. The payroll
register is returned to the payroll department for filing and the disbursement
voucher returned to accounting for processing and entry into the accounting
system.
Thursday: Wages are paid into individual full-time factory employee bank accounts.
Friday: At the end of each working week payroll clerk no. 1 reviews the payroll department
files . . . and so the batch processing cycle begins again.
• it can provide low-cost processing and, because of the periodic nature of the processing,
• it can be easy to control.
More importantly, not only can batch processing provide a clear processing audit trail, it can
also be very efficient where large volumes of data are processed.
The disadvantages of batch processing are:
• the majority of transactions are executed in a short period of time – possibly fractions of a
second in some cases, and
• the majority of interactions between the user and the online system are for a short period
of time.
As such, online processing remains popular for the processing of, for example:
• ATM transactions,
• stock receipts/issues,
• quotations/reservations requests such as insurance quotations/airline reservations,
• EPOS transactions, and
• credit card/debit card verification/validation.
Consider the following example.
Remember an ATM19 is simply a remote data terminal with two input devices20 and four output
devices.21 All ATMs are connected to, and communicate with, a host processor22 which
acts as a gateway through which all the various ATM networks in the UK become available
to the cardholder.
Because the cardholder is requesting cash, the host processor would generate an electronic
funds transfer from the cardholder’s account to the host processor’s account. Once
the funds have been transferred to the host processor’s bank account, the host processor
would send an approval code to the ATM authorising the ATM to dispense the cash. The
host processor would then transfer the cardholder’s funds into the merchant’s bank account
(the bank account of the company operating the ATM) – in our example HSBC plc – usually
the next bank business day. In this way, HSBC plc is reimbursed for all funds dispensed
by its ATM.
Note: Most UK banks impose a limit on how much a cardholder can withdraw from their
account using the ATM network in a 24-hour period, although the amount does differ
substantially from bank to bank.
In the above example there was no charge for the cash withdrawal. However, where an
ATM is owned and operated by a company other than a bank/financial institution, for example
Link (see http://www.link.co.uk), it is common for a nominal charge to be incurred by the
cardholder, usually between £1.50 and £2.50 per cash withdrawal.
Historically, when mainframe computers were measured not by the size of their memory capacity/
processing capability, but by the number of rooms they occupied, centralised processing was
the norm. It was a processing approach adopted by the vast majority of companies/organisations
– an approach in which all data was processed at a single head office location. Why?
For three reasons: Firstly, because of the high cost of data processing technologies, centralised
data processing was viewed as the most cost-effective means of processing large amounts of data
– a way of reducing data processing infrastructure costs. Secondly, because of the ever-changing
complexities of using such data processing technologies, centralising data processing was seen
as the most effective means of minimising possible duplication. Thirdly, because of the need for
coordination, control and accountability, centralising data processing technologies was seen as
the most efficient means of ensuring uniformity in the enforcement of processing standards and
the imposition of data/processing security requirements. So why the demise?
Put simply, all forms of imposed bureaucracy – all forms of controlled centralisation – inevitably
fail, whether as a result of internal pressure generated by ever-increasing inefficiencies[23]
and inflexibilities, or external pressure associated with environmental innovation and change.
Indeed, it was:
excited by the ever-changing demands of the business environment, and fuelled by the ever-
more dramatic advancements in information and communication technologies/capabilities that
perhaps somewhat inevitably resulted in the demise of centralised processing. So what are the
advantages and disadvantages of distributed processing?
The advantages of distributed processing are:
Whilst a logical data flow diagram focuses on the content of data flow, a physical data flow
diagram focuses on the context of the data flow. A logical data flow diagram describes what data
flows and a physical data flow diagram describes how data flows. The emphasis of both types is
on identifying:
• the system/process boundaries that surround the data flow,
• the external entities involved in the data flow,
• the data involved in the data flow,
• the activities/events that occur within the data flow,
• the rules used to process the data and manage the data flow, and
• the data stores/files created and/or maintained as part of the data flow.
So, what notation is used in data flow diagrams? Although there are a number of variations
concerning data flow diagram notation,[26] for our purposes we will use the following:[27]
• a square to indicate an entity,
• a circle to portray a process,
• two parallel lines to indicate a data store/file, and
• an arrow to portray the direction of a data flow.[28]
See Figure 7.6.
Briefly:
• an entity (also referred to as external source/external destination) can be either an object
and/or a subject which contributes data to and receives data from a process,
• a process is an activity or event and/or procedure which transforms and/or manipulates data,
• a data store/data file is a location at which data is retained either temporarily or permanently,[29]
and
• a named data flow arrow depicts the flow of data either to a process or from a process – that
is data flow arrows must either start or end at a process, and cannot occur directly between:
  ◦ data stores and/or
  ◦ external entities and/or
  ◦ a data store and an external entity.
Such a data flow diagram is known as a top level or level 1 data flow diagram, and is designed to
provide a description of the internal structure of the system or, more appropriately, a description
of the component data flows and processes that comprise the system. See Figure 7.8.
Because there are of course no clear rules to determine what is or is not a level 1 process it
can be difficult to know where to start. There are three optional analytical approaches that can
be used to identify a practical starting point, these being:
• resource flow analysis,
• organisational structure analysis, and
• document flow analysis.
The resource flow analysis approach is useful when the system consists largely of the flow of
resources. Such resources are traced from their input into the system, to their processing, and
their output from the system. The rationale behind this method is that data normally flows in
the same direction and on the same pathways as such resources.
The organisational structure analysis approach considers the main roles that exist within the
organisation, rather than the goods or information that flow around the system, the aim being
to identify the key processes and determine which functional areas are relevant and which are
not. Why? Because the data flows between such processes (and relevant external entities).
The document flow analysis approach considers flows of data in the form of documents or
computer input and output, the key stages in the approach being:
• determine the process/system boundary,
• list the major documents and their sources and recipients, and
• identify major data flows such as telephone and computer transactions.
it is important to remember that not only must decomposition levels within a data flow model
(that is a collection of hierarchically related data flow diagrams) be consistent with each other
– that is the data inputs and data outputs at a higher level data flow diagram must correspond
to those of all the constituent sub-processes at the next lower level data flow diagram – but
that whilst a system may comprise a number of processes and lower level sub-processes, the
number of decomposition levels (that is levels of sub-processes) may differ, indeed will often
differ between the individual constituent sub-processes of a system.
Of course, where appropriate, further decomposition of the level 2 data flow diagram into lower
level(s) may be useful.
To ensure data flows are clearly presented, it is important, where possible, to:
• combine processes,[30]
• exclude minor data flows,[31]
• combine external entities, and
• combine data stores.
So, are there any general data flow diagram conventions? Essentially there are five key conventions,
these being:
• the entity rule – that is an entity must be either a source of data inputs or a destination for
data outputs,
• the process rule – that is a process must have both input flows and output flows,
• the data store rule – that is data stores must have both input flows and output flows,
• the data from rule – that is data flows from a source entity and/or a data store must flow
into a process, and
• the data to rule – that is data flows to a destination entity and/or a data store must flow out of a
process.
Remember, when drawing a data flow diagram:
• think logical, not physical, and
• think data flow, not control process.
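The five conventions above can be checked mechanically once a diagram is written down as a list of elements and named flows. The following is an added example, not taken from the book; the element names, the sample payroll diagrams and the function names are constructed for illustration.

```python
from collections import defaultdict

ENTITY, PROCESS, STORE = "entity", "process", "data store"


def check_dfd(nodes, flows):
    """Check a data flow diagram against the conventions listed above.

    nodes: {element name: ENTITY | PROCESS | STORE}
    flows: [(flow name, source element, destination element), ...]
    Returns a list of (rule, message) tuples; an empty list means no violation.
    """
    problems = []
    inputs, outputs = defaultdict(list), defaultdict(list)

    for label, src, dst in flows:
        unknown = [n for n in (src, dst) if n not in nodes]
        if unknown:
            problems.append(("connection", f"flow '{label}' uses undefined element(s) {unknown}"))
            continue
        if not label.strip():
            problems.append(("naming", f"flow {src} -> {dst} is not named"))
        outputs[src].append(label)
        inputs[dst].append(label)
        # data from / data to rules: every flow must start or end at a process,
        # so store-store, entity-entity and store-entity arrows are rejected.
        if PROCESS not in (nodes[src], nodes[dst]):
            problems.append(("data from/to",
                             f"flow '{label}' links {nodes[src]} '{src}' directly to "
                             f"{nodes[dst]} '{dst}' without a process"))

    for name, kind in nodes.items():
        has_in, has_out = bool(inputs[name]), bool(outputs[name])
        if kind == ENTITY and not (has_in or has_out):
            problems.append(("entity", f"entity '{name}' is neither a source nor a destination"))
        elif kind == PROCESS and not (has_in and has_out):
            problems.append(("process", f"process '{name}' lacks an input or an output flow"))
        elif kind == STORE and not (has_in and has_out):
            problems.append(("data store", f"data store '{name}' lacks an input or an output flow"))
    return problems


def rules_broken(nodes, flows):
    """Sorted names of the conventions a diagram violates."""
    return sorted({rule for rule, _ in check_dfd(nodes, flows)})


# Constructed sample: a small payroll diagram that respects every convention.
GOOD_NODES = {
    "Employee": ENTITY, "Bank": ENTITY,
    "Calculate pay": PROCESS, "Authorise payment": PROCESS,
    "Payroll register": STORE,
}
GOOD_FLOWS = [
    ("timesheet", "Employee", "Calculate pay"),
    ("net pay details", "Calculate pay", "Payroll register"),
    ("approved register", "Payroll register", "Authorise payment"),
    ("BACS payment file", "Authorise payment", "Bank"),
]

# Constructed sample: the same diagram with four deliberate drawing errors.
BAD_NODES = {**GOOD_NODES, "Timesheet file": STORE,
             "Print payslips": PROCESS, "Tax authority": ENTITY}
BAD_FLOWS = GOOD_FLOWS + [
    ("timesheet copy", "Employee", "Timesheet file"),         # entity straight to store
    ("net pay details", "Payroll register", "Print payslips"),  # process with no output
]

if __name__ == "__main__":
    for rule, message in check_dfd(BAD_NODES, BAD_FLOWS):
        print(f"{rule} rule: {message}")
```
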
• Are all data flows connected to two elements – a process and a terminator, or a data store or
another process? If not, why not?
• Does any data flow to a process where it is not used and/or is not required? If it does, why
does it?
Flowcharts
A flowchart is essentially a picture – a map of a process, a flow or a system. More precisely it is
a diagrammatic representation of a system, a computer program or a document flow, and as
such can be used for a variety of purposes, for example:
• to identify the logic of a system, computer program or document flow,
• to identify and/or define a system, computer program or document flow boundary,
• to identify system, computer program and/or document flow redundancies and/or delays,
• to identify possible areas of improvement, and
• to develop a common understanding about a system, computer program or document flow.
So what symbols are used in flowcharting? There are a vast number, the most common being:
• an oval – to indicate both the start and end of a process, flow or system,
• a box – to represent an individual activity within a process, flow or system,
• a diamond – to illustrate a decision point,
• a circle – to indicate the connection of a particular activity within a process, flow or system
to another activity within another process, flow or system,
• a triangle – to indicate a file or store of data/information,
• a document – to indicate the source of data,
• a flow line – to indicate the directional path of a process, flow or system.
. . . by level of detail
There are essentially three different levels of detail, these being:
• a macro level flowchart,
• a midi level flowchart, and
• a micro level flowchart.
. . . by type/category
There are essentially three different types/categories of flowchart:
• a systems flowchart,
• a document flowchart,
• a program/computer flowchart.
Systems flowchart
A systems flowchart provides a logical diagram of how a system operates and:
• illustrates the system in a step-by-step fashion,
• illustrates the conversion process from input to output, and
• indicates which functions are manual and/or computer-based.
A systems flowchart is:
• vertical,
• linear, and
• procedural.
See Figure 7.13.
Document flowchart
A document flowchart illustrates the flow of documentation and information within a system
– from origin to destination – and is concerned with:
• horizontal,
• columnar, and
• documentary.
Program/computer flowchart
A program/computer flowchart provides an illustration of the processing stages within a
computer-based system, for example a batch processing system or an online processing system.
A program/computer flowchart is:
• vertical,
• linear, and
• procedural.
Such flowcharts can be used to illustrate/record the flow of resources and/or information within
a system and/or process – an important aspect of which is an indication as to whether a set of
procedures or a flow of documents within a system/process incorporate appropriate:
• authorisation procedures,
• custody procedures,
• control procedures, and
• recording procedures.
Drawing a flowchart
Whilst there are many alternative ways in which a system, document, and/or a program/computer
flowchart can be constructed, and indeed a vast range of software programs available with
which to draw such a flowchart (e.g. see Smartdraw7 available @ www.smartdraw.com), it
is nonetheless important that a clear understanding of each activity that takes place within
the system/flow and/or process is developed/obtained, and that each decision stage within the
system/flow and/or process is correctly identified. The main stages in flowcharting a system, a
document flow and/or a computer program/process would be:
• where possible observe the system, document flow and/or the computer program/process to
establish the context and boundaries of the system/flow/process,
• prepare a detailed record of the activities/decision stages observed/identified,
• sequence/arrange the activities/decision stages observed/identified, and finally
• design/draw the flowchart, representing the system, document flow and/or the computer
program/process exactly as observed/identified, recorded and sequenced/arranged.
There are a number of general flowcharting conventions. For our purposes, the most important
conventions/rules are:
• the direction rule – that is within the flowchart, flows should generally commence on the top-left
corner and flow from left to right and from top to bottom,
• the consistency rule – that is all flowcharting symbols should be used consistently throughout
the flowchart and where appropriate a legend should be provided,
• the sandwich rule – that is all processing symbols should be sandwiched between an input
symbol and an output symbol,
• the narrative rule – all flowcharting symbols should contain a brief descriptive label, and
• the multiple copy rule – where multiple copies of documents are used in a system, flow and/or
a process, these should be shown as overlapping symbols.
Entity-relationship diagram
An entity
An entity[32] is essentially something that exists in the form of resources, events and agents. That
is something that can be identified by means of its attributes – the unique characteristics that
distinguish one entity (or an entity set/type)[33] from another entity.
An entity can be classified as:
• an independent (or strong) entity – that is an entity that does not rely on another entity for
identification,
• a dependent (or weak) entity – that is an entity that does rely on another entity for identification,
or
• an associative entity (also known as an intersection entity) – that is an entity used to associate
two or more entities in order to reconcile a many-to-many relationship (see below).
Attributes
An attribute describes the entity to which it is associated – attributes which apply to all occurrences
of the entity/entity type. Attributes can be classified as either an identifier or a descriptor.
Whereas an identifier – more commonly referred to as a key – uniquely identifies an entity,
a descriptor describes a non-unique characteristic of an entity. A given attribute belonging to a
given entity occurrence can only have one value.
The primary key is the attribute (or group of attributes) that serves to identify uniquely an entity.
Where two or more data items are used as the unique identifier this is referred to as a compound
key. If several possible primary keys exist, such keys are referred to as candidate keys, and where
an attribute of one entity is a candidate key for another entity, it is termed a foreign key.
A relationship
A relationship is an association between two entities and/or entity types. Such relationships are
classified in terms of degree, connectivity, cardinality and existence.
Degree of a relationship
The degree of a relationship can be defined as the number of entities associated with the
relationship.
A binary relationship exists where an association between two entities exists.[34] A recursive
binary relationship exists where an entity is related to itself: for example, a company employee
may be married to another company employee. An n-ary relationship exists where an association
between more than two entities exists.[35] Such relationships are generally composed of two or
more interacting binary relationships.
The cardinality of a relationship defines the maximum number of entities/entity types that can
be associated with an entity/entity type.
A one-to-one (1:1) relationship occurs when entity A is associated with entity B and entity
B is associated with entity A. An example of a one-to-one relationship would be where the
managers of a company/organisation are allocated to an individual personal office. For each
manager there exists a unique office and for each office there exists a unique manager.
A one-to-many (1:n) relationship occurs when for entity A, there are 0, 1 or many instances
of entity B, but for entity B, there is only 1 instance of entity A. An example of a 1:n relationship
would be where a department within a company/organisation has many employees but each
employee can only be employed by/in a single department.
A many-to-many (m:n) relationship occurs when for entity A, there are 0, 1 or many
instances of entity B, and conversely for entity B there are 0, 1 or many instances of entity A. An
example of an m:n relationship would be where an internal auditor can be assigned to no more
than three audit projects at the same time and where individual audit projects are required
to have at least four assigned internal auditors. That is an individual internal auditor can be
assigned to many audit projects and an individual audit project can have many internal auditors
assigned to it. Here the cardinality for the relationship between internal auditors and audit
projects is 3 and the cardinality between audit projects and internal auditors is 4.
Each of the above types of connectivity can be represented diagrammatically (see Figure 7.16).
Existence
Existence denotes whether the existence of an entity is dependent upon the existence of
another entity. The existence of an entity in a relationship can be defined as either optional or
mandatory.[37] For example:
• if an entity must always occur for an entity to be included in a relationship, then the relationship
is considered mandatory, or
• if an entity is not required, then the relationship is considered optional.
Decision tables
As we have seen, whilst flowcharts – in particular program flowcharts – can be used to provide
a representation of a system, procedure or process, such a descriptive technique may
not always be suitable, especially when attempting to describe a complex decision process. An
accepted alternative to flowcharting a system, procedure or process is to construct a decision
table, although such tables are often used in addition to, as opposed to instead of, such
flowcharts.
A decision table is a table designed to represent the logic of an activity and illustrate the
possible combinations of available outcomes. Such tables are typically divided into four
quadrants, these being:
• conditions,
• condition alternatives,
• actions, and
• action entries.
See Figure 7.19.
• if the total value of the order is in excess of £2500 and the invoice is paid within 10 days
of the invoice date a discount of 5% is received – payments made after day 10 do not
attract a discount,
• if the total weight of the order is in excess of 500kg special delivery containers are used
for which a charge is made – if the value of the building materials order is in excess of
£2500 no charge is made for the special delivery containers,
• if the customer requests delivery outside the UK an additional charge is imposed – if
the value of the building materials order is in excess of £2500 and the invoice is paid within
10 days no charge is made for the overseas delivery.
A decision table to represent the above customer policy could be constructed as follows.
Because this is a simple binary decision table in which the decision rule is yes (Y) or no (N),
the number of possible conditions is: [(2 alternatives for condition 1) × (2 alternatives for
condition 2) × (2 alternatives for condition 3) × (2 alternatives for condition 4)] = $2^4$ = 16.
See Table 7.1.
In the above decision table:
• the possible conditions are:
  ◦ payment within 10 days,
  ◦ cost in excess of £2500,
  ◦ weight in excess of 500kg, and
  ◦ overseas delivery,
• the condition alternatives (of which there are 16 possibilities) are indicated with a Y (yes) or
N (no),
• the possible actions are:
  ◦ discount,
  ◦ delivery charge, and
  ◦ container charge, and
• the possible action entries are indicated with an X.
To simplify the above decision table, firstly we can eliminate column 8, column 10, column 12
and column 16 – there are no actions to be implemented. Secondly, we can apply the dash rule
to columns where existing pairs can be merged – that is where an alternative does not make a
difference to the outcome. The dash (–) signifies that a condition can be either yes (Y) or no
(N), and action will still take place.
The revised decision table would look like Table 7.2.
[Table 7.2: revised decision table, with columns 1, 2 | 3, 4 | 5, 13 | 6, 14 | 7 | 9 | 11, 15]
We can apply the dash rule again to produce a further simplified and final decision table –
see Table 7.3.
[Table 7.3: final decision table, with columns 1, 2, 3, 4 | 5, 13 | 6, 14 | 7 | 9, 11, 15]
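The construction and simplification described above can be reproduced in code: build all 16 columns from the three policy rules, find the columns with no action, apply the dash rule, and confirm that the simplified table still gives the same actions for every combination. This is an added example, not taken from the book; the Y-before-N column order and the function names are assumptions, and the grouping it produces is one valid simplification that is not claimed to match Tables 7.2 and 7.3 column for column.

```python
from itertools import product

CONDITIONS = ("payment within 10 days", "cost in excess of £2500",
              "weight in excess of 500kg", "overseas delivery")


def actions(paid_10, over_2500, over_500kg, overseas):
    """Apply the three policy rules to one combination of conditions."""
    acts = set()
    if over_2500 and paid_10:
        acts.add("discount")
    if over_500kg and not over_2500:
        acts.add("container charge")
    if overseas and not (over_2500 and paid_10):
        acts.add("delivery charge")
    return frozenset(acts)


def full_table():
    """Columns 1..16: Y before N, first condition varying slowest (assumed order)."""
    table = {}
    for col, combo in enumerate(product((True, False), repeat=4), start=1):
        pattern = "".join("Y" if c else "N" for c in combo)
        table[col] = (pattern, actions(*combo))
    return table


def no_action_columns(table):
    """Columns that can be eliminated because no action is implemented."""
    return [col for col, (_, acts) in table.items() if not acts]


def merge_once(patterns):
    """One pass of the dash rule over columns that share the same actions."""
    merged, used = set(), set()
    pats = sorted(patterns)
    for i, a in enumerate(pats):
        for b in pats[i + 1:]:
            diff = [k for k in range(len(a)) if a[k] != b[k]]
            # Merge only when exactly one condition differs and it is Y in one, N in the other.
            if len(diff) == 1 and "-" not in (a[diff[0]], b[diff[0]]):
                merged.add(a[:diff[0]] + "-" + a[diff[0] + 1:])
                used.update((a, b))
    return merged | (set(pats) - used), bool(used)


def simplify(table):
    """Drop no-action columns, then apply the dash rule until nothing more merges."""
    by_actions = {}
    for pattern, acts in table.values():
        if acts:
            by_actions.setdefault(acts, set()).add(pattern)
    rules = []
    for acts, pats in by_actions.items():
        changed = True
        while changed:
            pats, changed = merge_once(pats)
        rules.extend((p, acts) for p in sorted(pats))
    return rules


def lookup(rules, pattern):
    """Actions the simplified table gives for one Y/N pattern (empty if no column matches)."""
    acts = set()
    for rule_pattern, rule_acts in rules:
        if all(r in ("-", p) for r, p in zip(rule_pattern, pattern)):
            acts |= rule_acts
    return frozenset(acts)


def equivalent(table, rules):
    """True when the simplified table reproduces the full table for all 16 columns."""
    return all(lookup(rules, pattern) == acts for pattern, acts in table.values())


if __name__ == "__main__":
    table = full_table()
    print("no-action columns:", no_action_columns(table))
    for pattern, acts in simplify(table):
        print(pattern, sorted(acts))
    print("same outcome for every combination:", equivalent(table, simplify(table)))
```
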
Coding system
A code can be defined in many ways, for example, it can be defined as:
• a collection of rules or principles or law, for example a legal code, or
• an organised collection of instructions, for example a computer code, or
• an arbitrary compilation of symbols and/or characters, for example a security/access code, or
• a structured arrangement of alpha-numeric characters, for example an information code.
For our purposes, we will use the last option above and define a code as a system of alpha-numeric
characters used to represent a data/information set.
Where such codes are used to facilitate the accumulation, storage and transfer of data and/or
information, such use is referred to as encoding. Where such codes are used to control, protect
or restrict access to data and/or information, such use is referred to as encryption.
We will consider the issue of encryption later in Chapter 13. For the moment we will use a
coding system for encoding purposes.
In accounting information systems, a code/coding system may be:
• numeric (or number-based) – for example a credit card/debit card number or a network
IP address,
• alphabetic (or letter-based) – for example a computer network user name and/or password,
and/or
• alpha-numeric (or letter and number-based) – for example a customer reference number
and/or an employee’s payroll reference number.
In a commercial/business context, the use of a coding system – for encoding purposes – can be
classified as either:
• a chart of account-based codes, or
• a non-chart of account-based codes.
Before we look at each of these in detail, consider the following question: What are the characteristics
of a good coding system? In general, the characteristics of a good code and/or coding
system are:
• a coding system must have a clearly defined structure,
• a coding system must be sufficiently flexible to cope with expansion,
• a coding system must be adaptable to user needs,
• a coding system should be meaningful,
• each individual code within the coding system must have a unique identity,
• each individual code within the coding system should be sequential,
• each individual code must be universal and standard (within a company/organisation), and
• each individual code should be as short as possible (where human interface is expected).
It is for this latter reason that many company/organisation charts of accounts appear to be very
similar.
All companies within the European Union (EU) are bound by and required to adopt extant
directives which comprise the EU company law regulatory framework. In particular, all countries
within the EU have adopted the EU Fourth Directive which provides prescribed formats
for company profit and loss accounts and balance sheets. For example:
• in the UK the required formats were adopted via the UK company law framework – currently
Schedule 4 of the Companies Act 1985,
• in Germany the required formats were adopted via the German commercial code (the
Handelsgesetzbuch (HGB)), and
• in France the required formats were adopted via the French accounting plan (the Plan
Comptable).
In addition, as of 2005, listed companies on many of the largest stock exchanges (including all
the major EU-based exchanges) are required to adhere to additional reporting requirements as
prescribed by IASC International Financial Reporting Standards – in particular IFRS 1.
Consider the example chart of accounts for HUBS Ltd in Appendix 7.1. The chart of accounts
for HUBS Ltd is hierarchically structured into three levels – see the summary codes – as follows:
• the geographical locations of the company,
• the internal (departmental) structure of the company, and finally
• the structure of the company’s financial statements – that is the balance sheet and the profit
and loss account.
Have a look at the following.
Decode the following codes:
• 50-51-0402/3
• 10-11-0900-3-3-2-10
• Hull – Production department – Plant and Machinery – Cost – Assets acquired during the year.
For the narrative: Rent paid for premises used solely by the accounting department in
Manchester, the code would be: 40-71-1000-1.
For the narrative: Overtime paid to hourly paid part-time production staff in Southampton, the
code would be: 20-51-900-1-6-0-02.
Databases
It was at about the same time that Charles Bachman began development of the first database
management systems.
The relational model was first proposed by Edgar F Codd in 1970[44] and although research
prototype databases using the relational model were announced as early as 1976,[45] the first
commercial products did not appear until the early 1980s.[46]
During the latter part of the 1980s research activity focused on distributed database systems,
with the 1990s seeing attention shift toward object-oriented databases. The early 21st century
has witnessed a consolidation of database technologies together with extensive development
research in the increasingly fashionable area of XML[47] databases.
Using a hierarchical data model, the Employees would represent the parent segment of the
hierarchy and the Children would represent the child segment of the hierarchy. That is an
employee may have many children, but each child can only have one parent.
But what if both the mother and the father of the child were employees of GHK Ltd? That
would mean the one-to-many (1:n) relationship central to the hierarchical data model would
be violated, because not only can an employee have more than one child, a child can have
more than one parent! The relationship is therefore a many-to-many (m:n) relationship and,
effectively, the hierarchy becomes a network.
tables,[50] which can be used to store data without reference to and/or consideration of any other
physical orientation and relationship.
We will look at the relational data model and its use/application in relational databases in a
little more detail later in this chapter.
Within a database environment, there are five separate elements, these being:
• the database schema,
• the database audience,
• the database management system (DBMS),
• the database administration system (DBAS),[51] and
• the physical database.
Database schema
A database schema is essentially a structural narrative describing the logical structure of the
database, that is:
• the type of data held within a database, i.e. the objects/facts represented in the database, and
• the structure/organisation of data stored within a database, i.e. the relationships between
each of the objects/facts represented in the database.
Whilst there are, as suggested earlier, a number of alternative approaches (or data models) that
can be used to structure/organise data within a database, there are essentially three levels to any
data model/schema, these being:
• the external level schema,
• the conceptual level schema, and
• the internal level schema.
Whereas the logical view considers how the users and/or user applications understand/perceive
data within the database – that is how data appears to be stored – the physical view considers
how the data are physically arranged and stored within the database.
Why is such a separation of view important? Firstly, it allows independent customised user
views – that is each user within the database audience is able to access the same data, but has a
different customised view of the data: changes to one user’s view do not impact on another
user’s view. Secondly, it hides the physical storage details from users and therefore allows the
database administrator within the database administration system to change the database storage
structures without impacting on the users’ view of the database.
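Both reasons given above can be seen with SQL views: two users get different customised views of the same data, and the storage structure is then changed underneath them without altering what either user sees. This is an added example, not taken from the book; it uses Python's built-in sqlite3 module, and the table names, view names and employee rows are constructed for illustration.

```python
import sqlite3

VIEWS = ("staff_directory", "payroll_register")


def build_original(conn):
    """Physical layout 1: one wide table, with two customised user views over it."""
    conn.executescript("""
        CREATE TABLE employee (
            emp_id     INTEGER PRIMARY KEY,
            name       TEXT NOT NULL,
            department TEXT NOT NULL,
            net_pay    REAL NOT NULL
        );
        INSERT INTO employee VALUES
            (1, 'Employee A', 'Production', 412.50),
            (2, 'Employee B', 'Accounting', 530.00);
        -- Directory users never see pay; payroll users never see department.
        CREATE VIEW staff_directory AS
            SELECT emp_id, name, department FROM employee;
        CREATE VIEW payroll_register AS
            SELECT emp_id, name, net_pay FROM employee;
    """)


def restructure(conn):
    """Physical layout 2: pay data moved to its own table; views redefined with the same columns."""
    conn.executescript("""
        BEGIN;
        CREATE TABLE employee_core (
            emp_id INTEGER PRIMARY KEY, name TEXT NOT NULL, department TEXT NOT NULL);
        CREATE TABLE employee_pay (
            emp_id INTEGER PRIMARY KEY REFERENCES employee_core(emp_id), net_pay REAL NOT NULL);
        INSERT INTO employee_core SELECT emp_id, name, department FROM employee;
        INSERT INTO employee_pay  SELECT emp_id, net_pay FROM employee;
        DROP VIEW staff_directory;
        DROP VIEW payroll_register;
        DROP TABLE employee;
        CREATE VIEW staff_directory AS
            SELECT emp_id, name, department FROM employee_core;
        CREATE VIEW payroll_register AS
            SELECT c.emp_id AS emp_id, c.name AS name, p.net_pay AS net_pay
            FROM employee_core AS c JOIN employee_pay AS p ON p.emp_id = c.emp_id;
        COMMIT;
    """)


def user_view(conn, view):
    """What a user of `view` sees: column names and rows, nothing about storage."""
    if view not in VIEWS:
        raise ValueError(f"unknown view: {view}")
    cur = conn.execute(f"SELECT * FROM {view} ORDER BY emp_id")
    return [d[0] for d in cur.description], cur.fetchall()


def physical_tables(conn):
    """Names of the base tables actually holding the data."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def demo():
    conn = sqlite3.connect(":memory:")
    build_original(conn)
    before = {v: user_view(conn, v) for v in VIEWS}
    tables_before = physical_tables(conn)
    restructure(conn)
    after = {v: user_view(conn, v) for v in VIEWS}
    return before, after, tables_before, physical_tables(conn)


if __name__ == "__main__":
    before, after, t1, t2 = demo()
    print("storage before:", t1, "| storage after:", t2)
    print("user views unchanged:", before == after)
```
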
Database audience
There are three broad classes of users within the database audience, these being:
• the application programmer – responsible for creating, altering, amending and managing
the database,
• the database administrator (via the database administration system) – responsible for controlling
all operations within the database, and
• the end-user, who accesses the database via the database management systems using either:
  ◦ a pre-defined user program, and/or
  ◦ a direct query using an appropriate query language.
Such database management systems are often classified according to the database schema/
data model they are designed to support – for example, a network database management system,
a relational database management system, or an object orientated database management system.
Why?
Put simply, some database management system functions/activities are data model independent,
that is they are not determined by the data model adopted within the database.
Such data model independent functions/activities would include, for example, processes and
procedures associated with:
• managing database performance,
• providing authorisation services,
• maintaining data integrity,
• ensuring functional concurrency, and/or
• monitoring data security.
Many database management system functions/activities are data model dependent – that is they
are determined by the data model adopted within the database. Such data model dependent
functions/activities would include, for example, processes and procedures associated with:
• accessing data within the database, and/or
• interrogating/querying data within the database.
Put simply, a database management system provides a means of performing a series of basic
procedural functions often classified as:
• data control functions – using a data control language,
• data definition functions – using a data definition language,
• data manipulation functions – using a data manipulation language, and
• data interrogation functions – using a data query language.
Note: Although there are many types of data definition languages, data manipulation languages
and data query languages available, currently the most popular ‘all encompassing’ language is
SQL (structured query language) which is used to retrieve and manipulate data in a relational
database. SQL is a fourth generation non-procedural language.
We will look at SQL in a little more detail later in this chapter.
In the case of SQL, data definition functions are defined by a series of commands such as
‘truncate’, ‘create’ and ‘alter’.
Data dictionary
A data dictionary is a key component of the database management system and contains
definitions and representations of all data elements stored within the database. Its purpose is to:
• specify the attributes of the data within the database, and
• stipulate user access limitations and/or security constraints imposed on specific data fields/
data records within the database.
For example, a company/organisation may use a database to store data on its customers – one
aspect of which could be the customer number/reference. Information on the structure of the
customer number/reference would be held in the data dictionary – information such as:
• the name of the data element,
• a description of the data element,
• data records which contain the data element,
• the source of the data element,
• the data field length, and
• the data field type.
In addition, the data dictionary would provide details on:
• which data processing procedures/programs can use the data element,
• which process outputs will contain the data element, and
• which users are authorised to create, amend and/or delete such a data element.
So what are the advantages of using a data dictionary? Firstly, it ensures data consistency and
promotes data integrity. For example, a company/organisation may use a database containing
several tables which hold the same data elements (e.g. customer name and address). Using a
data dictionary would ensure that the format of data elements would be consistent throughout
the database. Secondly, it facilitates expansion. For example, where additional tables are
required to be added to a database, tables which will contain data elements already held in other
existing tables, it is not necessary to define each of those data elements again.
Perhaps the most significant disadvantage of using a data dictionary is that without proper
management, such a data dictionary could become out-dated and irrelevant – especially where
additions to, deletions of, and amendments to, data elements in the data dictionary are not
properly monitored/controlled.
In the case of SQL, data manipulation capabilities are defined by a series of commands such as
‘insert’, ‘delete’ and ‘update’.
There are essentially two types of data manipulation languages, these being:
• a procedural data manipulation language which allows the user/user application to define
how the data within the database should be manipulated, and
• a non-procedural data manipulation language (or declarative data manipulation language)
which allows the user/user application to define what data within the database is needed
rather than how the data should be manipulated/retrieved.
Transaction control
One of the key control functions of a database management system is to enforce database
transaction models/processes that possess appropriate data integrity properties. To do so, most
database management systems enforce what are often referred to as ACID rules, these being:
• Atomicity – all the tasks in a transaction must be performed completely or cancelled,
• Consistency – every transaction must preserve the integrity of the database: that is all
transactions must leave the database in a consistent state,
• Isolation – transactions cannot interfere with each other,
• Durability – completed transactions cannot be aborted or the results of the transaction discarded.
In practice, however, many database management systems allow the selective relaxation of some
of the above rules where to do so would have a positive effect/impact on overall performance.
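The atomicity and consistency rules above, shown as an added example that is not from the book: Python's standard sqlite3 module posts a sale as an invoice row plus a stock decrement, first as two independent statements and then inside one transaction. The stock and sales tables, their column names and the sample rows are constructed for the illustration.

```python
import sqlite3


def open_db():
    """Create an in-memory database holding one constructed stock item."""
    # isolation_level=None stops the sqlite3 module opening transactions for us,
    # so each statement commits on its own unless BEGIN is issued explicitly.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript(
        """
        CREATE TABLE stock (
            item_no TEXT NOT NULL PRIMARY KEY,
            on_hand INTEGER NOT NULL CHECK (on_hand >= 0)  -- consistency rule
        );
        CREATE TABLE sales (
            invoice_no TEXT NOT NULL PRIMARY KEY,
            item_no    TEXT NOT NULL,
            quantity   INTEGER NOT NULL CHECK (quantity > 0)
        );
        INSERT INTO stock VALUES ('S-0001', 5);  -- constructed sample row
        """
    )
    return db


def _post(db, invoice_no, item_no, quantity):
    """The two writes that together make up one sale."""
    db.execute("INSERT INTO sales VALUES (?, ?, ?)", (invoice_no, item_no, quantity))
    cur = db.execute(
        "UPDATE stock SET on_hand = on_hand - ? WHERE item_no = ?", (quantity, item_no)
    )
    if cur.rowcount != 1:  # unknown stock item: nothing was decremented
        raise sqlite3.IntegrityError("no such stock item")


def post_sale_unprotected(db, invoice_no, item_no, quantity):
    """No transaction: if the stock update is rejected the invoice row remains."""
    try:
        _post(db, invoice_no, item_no, quantity)
        return True
    except sqlite3.IntegrityError:
        return False


def post_sale_atomic(db, invoice_no, item_no, quantity):
    """One transaction: both writes are committed together or neither is kept."""
    db.execute("BEGIN IMMEDIATE")
    try:
        _post(db, invoice_no, item_no, quantity)
        db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")
        return False


def snapshot(db):
    """Return (invoice numbers on file, units of S-0001 on hand)."""
    invoices = [row[0] for row in db.execute("SELECT invoice_no FROM sales ORDER BY invoice_no")]
    on_hand = db.execute("SELECT on_hand FROM stock WHERE item_no = 'S-0001'").fetchone()[0]
    return invoices, on_hand


if __name__ == "__main__":
    db = open_db()
    print(post_sale_atomic(db, "INV-0001", "S-0001", 3), snapshot(db))
    print(post_sale_atomic(db, "INV-0002", "S-0001", 4), snapshot(db))
    print(post_sale_unprotected(db, "INV-0003", "S-0001", 4), snapshot(db))
```

The unprotected posting leaves an invoice on file with no matching stock movement, which is the kind of partial update the atomicity rule exists to prevent.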
Concurrency control
In a database management system concurrency control is concerned with the management of
database transactions and is used to:
• ensure transactions are executed in a safe and secure manner,
• ensure transactions are not lost when recovering failed and/or aborted transactions,
• ensure transactions follow the above ACID rules, and
• ensure simultaneous users cannot edit/amend/delete the same data record, at the same time.
The database administration system is responsible for the overall control of the database system/
resource. Where there is sharing of a common database between communities of multiple
users, the database administration system – in particular the database administrator – plays a
vital role in:
• the planning, design and implementation of the database environment,
• the maintenance of all database facilities, and
• the management and coordination of database-related activities.
Why? Because such sharing requires control. More specifically, such sharing requires:
• the establishment of rules and regulations for the supervision of user/user application
access,
• the development of operational guidelines and procedures for the coordination of user/user
application access, and
• the creation of appropriate processes and protocols for the management of database change,55
in order to protect the integrity and ensure the security of the database resource.
Physical database
Whilst it is of course necessary for a database to possess an identifiable physicality, it is
important to note that, in reality, the physical database will often bear little relation to the logical
structure of the database. Why? Because as new and more efficient storage technologies and
media develop so the physical structure/physical nature of the database will change. Such change
will not necessarily affect the logical structure of the database.
The physical database would comprise two components:
• a physical structure in which to store the data – for example sequential, non-sequential,
indexed, etc., and
• a physical medium on which to store the database (e.g. disc, tape).
By far the most popular type of database in use, at least within a business/commercial context,
is the relational database: a database whose structure is defined by the relational data
model, in which data is organised as a collection of tables logically associated with each other by
common shared attributes.
A relational database consists of two interrelated components:
• a structural component – that is a set of tables (also-called relations)56 in which data elements
are stored, and
• a manipulative component – that is an interrogative facility with which to create, amend,
question, and/or manipulate data and tables.
Structural component
Within a relational database, data elements are organised into collections of record-like structures,
with the relationships between data elements expressed by means of tables57 which are used to
represent58 artificial and/or real-world objects (or more appropriately entities), with each data
field within a table representing a selected attribute. That is:
• each row within the table contains data about a specific type of entity represented within the
table, and
• each column within the table contains data about a specific attribute of that entity.
A table can be defined as an un-ordered collection of rows each of which consists of one or
more un-ordered attributes (columns).
Where a database consists of more than a single table, it is likely that some commonality
between a number of the tables would exist: that is some of the data elements and/or data
attributes would be repeated in more than one of the database tables. This is an important feature
of tables within a relational database.
• Table 7.4 contains sample data extracted from MKPL Ltd’s sales database,
Table 7.4 MKPL Ltd sample data extracted from a sales database
• Table 7.5 contains sample data extracted from MKPL Ltd’s stock database, and
Table 7.5 MKPL Ltd sample data extracted from a stock database
• Table 7.6 contains sample data extracted from MKPL Ltd’s customer database.
Table 7.6 MKPL Ltd sample data extracted from a customer database
4933EA Edwards, T.T. 70 Hutchinson Road, High Stile. HI62 5XY 3,000
3331CA Cahill, R. 593 Upton Street, Low Bridge. LO15 6BA 2,000
4030DA Davison, B. 36 Fowler Street, High Stile. HI01 3CD 4,000
5682SI Simon, L.M. 767 Howitt Close, Low Bridge. LO6 5LX 2,000
1011JA Jarvis, N. 75 Worman Street, High Stile. HI17 8ML 6,000
3010HE Helman, L.P. 87 Austin Close, High Stile. HI17 5YY 9,000
7803DE Derwert, N.U. 67 Newbold Street, Low Bridge. LO8 7BJ 3,000
8233LE Lewis, E.K. 371 Bashaw Road, Midshire. MI16 4HK 3,000
6535ST Stockman, Y. 136 Dullea Road, Midshire. MI12 7MO 7,000
5003RO Rogers, R.T. 573 Graley Street, Low Bridge. LO7 7DE 4,000
8841SI Simpson, O.S. 251 Hawkswood Street Low Bridge. LO19 8YH 4,000
Within each of the above tables, there is a data element/attribute unique to each table – that is
a primary key, for example:
• within the sales database table (see Table 7.4) – the sales invoice number,
• within the stock database table (see Table 7.5) – the stock item number, and
• within the customer database table (see Table 7.6) – the customer reference number.
Note: In each of the above, the primary keys are a single data element/attribute (within a
data field). It is not uncommon for a primary key within a table to be a combination of data
elements/attributes.
Also, within each of the above tables, there is a data element/attribute not unique to each
table – that is a secondary key, for example:
• within the sales database table (see Table 7.4) – the transaction date of the sales, and
• within the stock database table (see Table 7.5) – the stock description.
Foreign keys are used to link database tables. Two examples within the sales database table (see
Table 7.4) would be:
• the customer reference number – this would link the sales database table to the customer
database table in which the customer reference number is a primary key, and
• the product item number – this would link the sales database table to the stock database table.
To maintain the integrity of the database, there are four basic regulatory requirements, these being:
• every column in a row must be single valued – that is there can be only one value in a cell,
• all non-key attributes in a table should describe a characteristic of the object identified by the
primary key,
• a primary key value in a table cannot contain a null (blank) value – often referred to as the
entity integrity rule, and
• for every foreign key value in a table there must be a corresponding primary key value in
another table in the database – often referred to as the referential integrity rule.
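The entity integrity and referential integrity rules above, enforced and then audited in SQLite through Python's standard sqlite3 module, as an added example that is not from the book. The two customer rows come from Table 7.6; the column names, the stock row, the invoice numbers and the customer reference 9999ZZ are constructed for the illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    -- NOT NULL is spelled out: SQLite accepts NULL in a non-INTEGER PRIMARY KEY without it
    customer_ref TEXT NOT NULL PRIMARY KEY,
    name         TEXT NOT NULL
);
CREATE TABLE stock (
    item_no      TEXT NOT NULL PRIMARY KEY,
    description  TEXT NOT NULL
);
CREATE TABLE sales (
    invoice_no   TEXT NOT NULL PRIMARY KEY,
    sale_date    TEXT NOT NULL,
    customer_ref TEXT NOT NULL REFERENCES customers (customer_ref),  -- foreign key
    item_no      TEXT NOT NULL REFERENCES stock (item_no)            -- foreign key
);
"""


def build_db():
    """Create the three linked tables and load a few rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite leaves enforcement off by default
    db.executescript(SCHEMA)
    with db:
        db.executemany(
            "INSERT INTO customers VALUES (?, ?)",
            [("4933EA", "Edwards, T.T."), ("3331CA", "Cahill, R.")],  # from Table 7.6
        )
        # Constructed rows: the stock and sales sample data are not reproduced on the page.
        db.execute("INSERT INTO stock VALUES ('S-0001', 'Constructed stock item')")
        db.execute("INSERT INTO sales VALUES ('INV-0001', '2007-01-15', '4933EA', 'S-0001')")
    return db


def attempt(db, sql, params=()):
    """Run one statement; return None if accepted, or the constraint message if rejected."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def load_unchecked(db, sale_row):
    """Simulate a bulk load carried out with foreign-key enforcement switched off."""
    db.execute("PRAGMA foreign_keys = OFF")
    with db:
        db.execute("INSERT INTO sales VALUES (?, ?, ?, ?)", sale_row)
    db.execute("PRAGMA foreign_keys = ON")  # existing rows are not re-checked


def orphan_sales(db):
    """Audit query: sales rows whose customer reference matches no customer primary key."""
    return db.execute(
        """
        SELECT s.invoice_no, s.customer_ref
        FROM sales AS s
        LEFT JOIN customers AS c ON c.customer_ref = s.customer_ref
        WHERE c.customer_ref IS NULL
        ORDER BY s.invoice_no
        """
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Entity integrity: a null primary key is refused.
    print(attempt(db, "INSERT INTO customers VALUES (NULL, 'No key')"))
    # Referential integrity: a sale for an unknown customer is refused ...
    print(attempt(db, "INSERT INTO sales VALUES ('INV-0002', '2007-01-16', '9999ZZ', 'S-0001')"))
    # ... and so is deleting a customer that a sale still refers to.
    print(attempt(db, "DELETE FROM customers WHERE customer_ref = '4933EA'"))
    load_unchecked(db, ("INV-0004", "2007-01-17", "9999ZZ", "S-0001"))
    print(orphan_sales(db))
```

Switching enforcement back on does not re-check rows already stored, so the orphan audit is the control that catches records loaded while it was off.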
Manipulative component
Within a relational database it is important to be able to manage the data contained within the
database. Perhaps one of the most popular computer languages used to create, modify, retrieve
and manipulate data within a relational database is SQL.
During the 1970s, a group of researchers at the IBM Inc. research centre in California developed
a database system that became known as ‘System R’. The design was partially based on the ideas
explored by Edgar F. Codd in his 1970 seminal paper.59 Structured English QUEry Language
(SEQUEL) was designed to manipulate and retrieve data stored in System R. The acronym
SEQUEL was later condensed to SQL.60
Although the late 1970s saw IBM Inc. develop a number of commercial products based on the
System R prototype that implemented SQL, it was not until 1979 when Relational Software, Inc.
introduced Oracle (version 2) that the first commercial implementation of SQL became available.
SQL was adopted as a standard by ANSI (the American National Standards Institute) in 1986
and by ISO (the International Organisation for Standardisation) in 1987, although it has
subsequently undergone a number of major revisions/additions.
Note: SQL is not a conventional computer programming language in the normal sense that
Visual Basic, C++, Java are. SQL is a language used exclusively to create, manipulate and
interrogate databases, and is concerned with data and results. Each SQL statement produces a result,
whether that result is an update to a record, a deletion of a record, a query, or the creation of a
database table.
Let’s have a look at some of the SQL keywords we introduced earlier in our discussion on
database management systems. For this we will use the following brief scenario:
Rockpool plc is a UK-based book retailer. The company owns and operates 392 high street
bookshops located throughout the UK and Europe. The company has estimated that it currently
holds approximately 1.2 million English language books, and 900,000 non-English language
books on a diverse range of subjects.
The company maintains a database of all books held at all 392 retail locations, and all 22 of
its major storage depots located in the UK, France, Germany, Norway and Spain.
SQL keywords61
To create a database, the SQL command would be:
CREATE DATABASE database_name;
To create a database called Book_Register, that is a register of all the books held by Rockpool plc
(essentially a stock register), the SQL command statement would be:
CREATE DATABASE Book_Register;
To create a table within a database, the SQL command statement would be in the generic form:
CREATE TABLE name (col1 datatype, col2 datatype, col3 datatype, etc . . . );
To create a table called Books, the SQL command statement would be:
CREATE TABLE Books (Product_Item_Number INTEGER, Book_Title TEXT, Publisher TEXT,
Author TEXT, ISBN_No TEXT, Price CURRENCY, Year_of_Publication INTEGER, Location
TEXT); -- see note 62
To create a table called Users, the SQL command statement would be:
CREATE TABLE Users (Last_Name TEXT, First_Name TEXT, User_ID TEXT, Location TEXT,
Department TEXT, Employee_Number INTEGER, Access_Level INTEGER); -- see note 63
Note: Column names are written with underscores because an unquoted SQL name cannot
contain spaces; the ISBN and Location columns are TEXT because they hold values such as
0-13-196855-6 and London.
Note: It is important to remember that once a database table is created the structure is not
necessarily fixed. As requirements change, the structure of the database is likely to evolve to
ensure all requirements are fulfilled.
198201 Accounting Information Systems Prentice Hall Romney 0-13-196855-6 47.99 2006 New Jersey
119897 Corporate Financial Management Prentice Hall Arnold 0-27-368726-3 44.99 2005 London
152463 Business Accounting and Finance McGraw Hill Davies 0-07-710809-4 35.99 2005 Maidenhead
115267 Organisational Behaviour McGraw Hill Buelens 0-07-710723-3 40.99 2005 Maidenhead
192817 Principles of Marketing Prentice Hall Brassington 1-40-584634-8 42.99 2006 London
112768 Company Law Longman Griffin 0-58-278461-1 34.99 2005 London
Last name First name User ID Location Department Employee number Access level
Now that we have created our database and two tables (Books and Users), which would
appear as shown in Table 7.7 and Table 7.8 above, let’s have a look at the SQL keywords we
introduced earlier.
Note: For illustration purposes, both the Books table, and the Users table have been
populated with example data.
Data control
The first group of SQL keywords is the data control language (DCL) which manages the
authorisation aspects of data and permits the user/user applications to control who has access to view
and/or manipulate data within the database.
The most common keywords are:
• grant – this authorises one or more users/user applications to perform an operation or a set
of operations on an object, and
• revoke – this removes or restricts the capability of a user/user application to perform an
operation or a set of operations.
Such granting and/or removal of privileges can occur on a number of levels, for example:
• a global level,
• a database level, and
• a table level.
Global level
For example:
GRANT ALL ON * TO user_name;
REVOKE ALL ON * FROM user_name;
The asterisk (*) means all, and user_name stands for the user/user application concerned.
Database level
For example:
GRANT ALL ON Book_Register TO user_name;
REVOKE ALL ON Book_Register FROM user_name;
where Book_Register is the name of a database (see example below) and user_name stands for
the user/user application concerned.
Table level
For example:
GRANT ALL ON Locations TO user_name;
REVOKE ALL ON Locations FROM user_name;
where Locations is the name of a table (see example below) and user_name stands for the
user/user application concerned.
Data definition
The second group of SQL keywords is the data definition language (DDL) which allows the
database administration system to:
• initialise/create the database,
• define and describe the data within a database,
• construct a data dictionary for the data within a database,
• specify the attributes of the data within the database, and
• stipulate user access limitations, and/or
• impose security constraints on specific data fields/data records within the database.
The most common keywords are:
• create – this causes an object to be created within the database,
• truncate – deletes all data from a table but not the table (a non-standard, but common SQL
command), and
• alter – this modifies an existing object in various ways, for example:
  ◦ add – this causes an existing object to be added within the database, and
  ◦ drop – this causes an existing object to be deleted within the database . . . usually
irretrievably.
For example, to create a table called Locations, the SQL command would be:
CREATE TABLE Locations (Location_ID INTEGER, Location_Name TEXT, Location_Address
TEXT, Location_Country TEXT, Location_Telephone_Number INTEGER);
To remove all rows from a table, the SQL command statement would be:
TRUNCATE TABLE Locations;
To add an e-mail address column to the Users table, the SQL command statement would be:
ALTER TABLE Users
ADD COLUMN eMail_Address TEXT;
Last name First name User ID Location Department Employee number Access level E-mail address
Last name First name User ID Location Employee number Access level E-mail address
Data manipulation
The third set of SQL keywords are the standard data manipulation language (DML) elements.
The most common keywords are:
• insert – used to add zero or more rows to an existing table,
• update – used to modify the values of a set of existing table rows, and
• delete – used to remove zero or more existing rows from a table.
For example, to insert an object into a database table, the SQL command statement would be
in the generic form:
INSERT INTO target (field1, field2, field3, etc . . . )
VALUES (value1, value2, value3, etc . . . );
To insert a book record for the book titled Corporate Accounting Information Systems, into
Books, the SQL command would be:
INSERT INTO Books (Product_Item_Number, Book_Title, Publisher, Author, ISBN_No,
Price, Year_of_Publication, Location)
VALUES (119282, 'Corporate Accounting Information Systems', 'Prentice Hall', 'Boczko T',
'0-27-36848-76', 42.99, 2007, 'London');
To insert a user record for user Jonathan Fisher, the SQL command statement would be:
INSERT INTO Users (Last_Name, First_Name, User_ID, Location, Department, Employee_Number)
VALUES ('Fisher', 'Jonathan', 'JFisher', 'Hull', 'Finance', 68965);
Last name First name User ID Location Employee number Access level E-mail address
To update an object in a database table, the SQL command statement would be in the
generic form:
UPDATE table
SET column = new_value
WHERE criteria;
For example, to move user Jonathan Fisher from Hull to York, the SQL command statement
would be:
UPDATE Users
SET Location = 'York'
WHERE Employee_Number = 68965;
Note: The Employee Number is used to set the criteria because it is unique to each
individual employee.
The revised Users table would look like Table 7.12.
Last name First name User ID Location Employee number Access level E-mail address
To delete an object in a database table, the SQL command statement would be in the generic
form:
DELETE FROM table
WHERE criteria;
For example, to delete user Christopher James, the SQL command statement would be:
DELETE FROM Users
WHERE Employee_Number = 66878;
Note: The Employee Number is again used to set the criteria because the Employee Number is
unique to each individual employee.
Using the sample data introduced in Table 7.7 (as amended), this would produce the following
data – see Table 7.13.
Romney 198201 Accounting Information Systems Prentice Hall 0-13-196855-6 47.99 2006 New Jersey
Arnold 119897 Corporate Financial Management Prentice Hall 0-27-368726-3 44.99 2005 London
Boczko 119282 Corporate Accounting Information Systems Prentice Hall 0-27-36848-76 42.99 2007 London
Davies 152463 Business Accounting and Finance McGraw Hill 0-07-710809-4 35.99 2005 Maidenhead
Buelens 115267 Organisational Behaviour McGraw Hill 0-07-710723-3 40.99 2005 Maidenhead
Brassington 192817 Principles of Marketing Prentice Hall 1-40-584634-8 42.99 2006 London
Griffin 112768 Company Law Longman 0-58-278461-1 34.99 2005 London
Designing and developing a database can be an expensive, often political, and invariably a time-
consuming task, requiring input from a wide diversity of individuals/professionals. However,
a well-designed, properly developed database can provide enormous benefits, some of which
would include:
• improved data efficiency,
• improved data consistency,
• enhanced data integration,
• simplified data management,
• improved data access,
• improved data ownership, and
• reduced data redundancy.
So, what are the key stages in the development of a database? These would be:
• database planning,
• database design,
• database design evaluation,
• database testing, and
• database implementation (including database maintenance).
Database planning
The purpose of the database planning stage is to:
• define the scope of the planned database,
• ensure the development is consistent with the company’s/organisation’s information and
communications technology strategy and, perhaps more importantly,
• ascertain the viability/feasibility of such a database – that is the costs and/or benefits of
developing and using such a database.
Database planning would include, for example:
• defining the database environment,
• determining an adequate storage structure – that is the physical database,
• determining a valid back-up/recovery strategy,64
• establishing an appropriate access strategy – who can use what and when, and
• defining data requirements and extending/amending the existing data dictionary.
Database design
The purpose of the database design stage is to determine the data content of the database – that
is develop a conceptual level schema. Although the precise nature of the design stage would
differ from company to company and from organisation to organisation, in general there are
two approaches that can be used in designing a relational database, these being:
• a bottom-up approach to database design, and
• a top-down approach to database design,
There are six levels of normal form, which are numbered, perhaps unsurprisingly, from 1
(the lowest form of normalisation – referred to as 1st normal form or 1NF) to 6 (the highest
form of normalisation – referred to as 6th normal form or 6NF).
Note: For database applications it is generally only necessary to normalise to the 3rd normal
form.
An un-normalised table is a table that contains repeating data/attributes within the rows in
the table – that is the same data may be stored in a number of places within a table which could
lead to possible data inconsistencies.
The data fields included in the original ‘single’ data table are currently as follows:
• customer number,
• customer name,
• customer address,
• customer postcode,
• sales advisor name,
• sales advisor ID,
• stock item number,
• stock item description,
• quantity ordered, and
• unit price.
Table 1
• sales order number,
• stock item number,
• stock item description,
• quantity ordered, and
• unit price.
Second, create a new table containing the repeating groups of data. The new table would
contain the following:
Table 2
• sales order number,
• sales order date,
• customer reference,
• customer name,
• customer address,
• customer postcode,
• sales advisor name, and
• sales advisor ID.
We now have two tables and a database in the 1st normal form.
Table 1
• stock item number, and
• stock item description.
Table 2
All the above groups of data (except for the primary key) would be removed from the original
1st normal form table 1 (see above). The revised table would contain the following:
• sales order number,
• stock item number,
• quantity ordered, and
• unit price.
Note: stock item number is the primary key.
Table 3 (unchanged 1st normal form table 2)
• sales order number,
• sales order date,
• customer reference,
• customer name,
• customer address,
• customer postcode,
• sales advisor name, and
• sales advisor ID.
We now have three tables and a database in the 2nd normal form.
Table 2
• sales advisor name, and
• sales advisor ID.
Table 3
All the above groups of data (except for the primary key) would be removed from the original
2nd normal form table 3 (see above). The revised table would contain the following:
• sales order number,
• sales order date,
• customer reference, and
• sales advisor ID,
together with the unchanged tables:
Table 4 (unchanged 2nd normal form table 2)
• stock item number, and
• stock item description,
and
• customer reference, customer name, customer address, customer postcode – called CUSTOMERS
• sales advisor ID, sales advisor name – called SALES ADVISORS
• stock item number, stock item description – called STOCK ITEMS
• sales order number, sales order date, customer reference, sales advisor ID – called SALES
ORDERS, and
• sales order number, stock item number, stock quantity, and unit price – called SALES ORDER
DETAILS.
• identifying all relevant entities about which data will be accumulated and stored in the
database,
• determining how such entities are related to each other, and
• developing a relational representation of such relationships – a representation often referred
to as an entity-relationship diagram.
(We looked at entity-relationship diagrams earlier in this chapter.)
For the remainder of the discussion, we will use the top-down approach. Consider the
following brief scenario:
AKL Solutions Ltd is a Manchester-based IT services provider offering a range of IT-related
training programmes for corporate clients in the Greater Manchester area. All training
programmes are provided by the company’s in-house consultants. The company is currently
designing a database for the sale of its training programmes.
Using the top-down approach, the design process would include some, if not all, of the
following stages:
If you recall (from our previous discussion on entity-relationship diagrams), entity relationships
can be categorised as either:
• one-to-one – referred to as (1:1),
• one-to-many – referred to as (1:n), or
• many-to-many – referred to as (m:n).
Remember: It is only necessary to identify data that are relevant now, or will be relevant in the
near future, to the real-world flows being modelled.
It is important to ensure that all newly created data elements conform to the existing
requirements of the company’s/organisation’s data dictionary, and therefore important to determine
the characteristics of each data element – that is establish:
• a data element description – what the data will represent,
• a data element name – what the data will be known by,
• a data element type – what the data is,
• a data element length – how large the data element and the data length are.
For AKL Solutions Ltd such characteristics could be as shown in Tables 7.14 to 7.17.
Data element description Data element name Data element type Data element length
• the primary key for the training consultant would be the consultant’s employee ID, and
• the primary key for the invoice/account would be the invoice/account number.
Such relationship constraints can be implemented in many ways, perhaps the most common
being:
• as part of the data entry procedures, or
• as part of a monitoring protocol in the database management system.
Database testing
Once the database design has been evaluated (with any design faults corrected) and approved,
the database requires testing and assessment. Such testing could comprise:
• testing individual database components – both software and hardware components,
• testing the whole database – for stability and connectivity,
• testing user acceptance of the database,
Database implementation
Once a suitable design has been evaluated and approved, and testing has not revealed any
significant problems, the database would – subject to company/organisational requirements –
be implemented. In doing so, it is important to:
• establish a suitable entry policy – to control user access,
• establish adequate security controls – to prevent possible data theft,
• establish a regular testing/assessment programme – to monitor and validate database context,
and
• establish appropriate database maintenance procedures to:
  ◦ monitor database performance,
  ◦ where appropriate, reorganise user needs/requirements,
  ◦ review database procedures, and
  ◦ evaluate the use of new technologies.
Although the REA has become a source of much debate, its adoption and use has been and
indeed continues to be limited, mainly because its use would require a substantial change and
move away from the traditional double-entry events-based approach that is used in the vast
majority of accounting information systems.
Concluding comments
In a 21st century business context, data have become a vital resource with data acquisition
and management now dominated by technologies that regularly facilitate the accumulation,
processing and transfer of volumes of data that were unimaginable a generation ago. Indeed,
there can be little doubt that the increasing availability and use of computer-based data capture,
online processing and computer-based data management (in particular database systems) has
revolutionised contemporary understanding of the economic and political value of data.
References
Chen, P.P. (1976) ‘The entity-relationship model: toward a unified view of data’ in ACM Transactions
on Database Systems, 1(1), pp. 9–36.
Coad, P. and Yourdon, E. (1991) Object-Oriented Systems Analysis, Prentice Hall, New Jersey.
Codd, E.F. (1970) ‘A Relational Model of Data for Large Shared Data Banks’ in Communications of
the ACM, 13(6), pp. 377–387.
Gane, C. and Sarson, T. (1979) Structured System Analysis, Prentice Hall, New Jersey.
McCarthy, W.E. (1979) ‘The REA Accounting Model: a Generalised Framework for Accounting
Systems in a Shared Data Environment’ in Accounting Review, 57(3), pp. 554–578.
Nobes, C. and Parker, R. (2004) Comparative International Accounting, 8th edition, FT Prentice Hall,
London.
Self-review questions
Question 1
To be converted into useful information, transaction data requires processing. In an accounting information
systems context, such processing requires the data to be structured and organised using file orientation
and/or data orientation.
Required
Distinguish between a file-orientated approach and a data-orientated approach, and critically evaluate the
advantages and disadvantages of each type, and the organisational characteristics that often determine which
type will be adopted.
Question 2
‘Computer-based data processing is inherently risky.’ Discuss.
Question 3
Because of the increasing volume and complexity of business transactions, various systems of processing data
have emerged. In a contemporary context, such systems include batch processing and online processing.
Required
Briefly describe the key characteristics of each of the above types of processing systems and discuss the
advantages, disadvantages and uses of each type.
Question 4
Distinguish between the following types of flowcharts:
• systems flowchart,
• document flowchart, and
• program flowchart,
and explain the advantages and disadvantages of using such flowcharts as analysis tools.
Question 5
The increasing use of information technology has necessitated the need for increasingly sophisticated coding
systems and charts of accounts.
Required
Describe the qualities and characteristics of a good coding system and explain how a company would devise
a chart of accounts relevant to its current and potential commercial activities.
Assignments
Question 1
ELF Ltd is an Edinburgh-based company that has been under the control of the same family for the past
50 years. During that time the company has been run on a friendly, informal basis with little reference to
the principles of internal control and/or formal documentation. As a result of a recent fraud by a purchasing
assistant, just over two years ago the directors of the company reorganised the company’s purchasing and
receiving procedures in order to guard against a recurrence of the purchase fraud. The directors have asked
you to review the current system of internal control and the functions of the documents in the company’s
purchasing and receiving of goods for resale. In particular, the directors have asked you to prepare a system
flowchart of the current purchasing/receiving system.
Following discussions with the company directors, you are aware that the company operates the following
departments:
• a requisitioning department,
• a purchasing department,
• a receiving department,
• a stores department,
• a purchasing ledger (accounts) department,
• cashier/treasury department.
The general purchasing procedures are as follows. The requisitioning department raises a purchase request.
This purchase request is forwarded to the purchasing department. The purchasing department then obtains
a quotation from an approved supplier. Once the quotation has been received and approved, the purchasing
department raises a purchase order (four copies). Two copies of the purchase order are sent to the supplier,
one is sent to the receiving department and one to the purchase ledger department.
Prior to delivery the supplier is requested to send one copy of the purchase order back to the purchasing
department as acknowledgement of the purchase order receipt. When the goods are delivered a goods
received note (GRN) (three copies) is received. One copy is filed in the receiving department, one is kept by
the stores department and one is sent to the purchase ledger department, where it is matched and filed with
the appropriate purchase order. The supplier retains a delivery note – authorised (signed) by an appropriate
member of staff from the receiving department. When the invoice is received from the supplier the purchasing
department matches the purchase order, GRN and invoice, and authorises payment. All payments are
made by cheque and require authorisation from the company cashier.
Required
Prepare a document flowchart of the above purchasing system and comment on any problem areas.
Question 2
There are essentially three optional types of computer-based processing, these being:
• periodic processing with sequential updating,
• periodic processing with non-sequential updating, and
• immediate processing.
Required
For each of the following applications, specify (with reasons) which of the above processing alternatives is
likely to be the most suitable:
• the reservation of a seat on a scheduled airline flight,
• the preparation of weekly payroll,
• the preparation of monthly statements for credit customers,
• the posting of journal entries,
• the preparation of payments to suppliers/service providers,
• the preparation and submission of purchase orders to suppliers,
• the assessments of debtor balances and the preparation and distribution of payment reminders, and
• amendments to employee payroll details.
Chapter endnotes
1
For the purposes of our discussion we use the term ‘data’ in a very specific context: we will
use it as a term referring to business-related transaction data.
2
The term ‘conversion’ is used where no change in the structure and/or composition of the data
occurs. The term ‘transformation’ is used where a change in the structure and/or composition
of the data occurs.
3
Such processing is sometimes referred to as hybrid processing.
4
GmbH – Gesellschaft mit beschränkter Haftung – meaning company with limited liability is the
German equivalent of the UK private limited company (plc).
5
Using an appropriate GUI (Graphical User Interface).
6
Source data could include for example:
• text-based documents (printed or handwritten) such as internal memoranda, letters, surveys,
reports, instruction manuals, business cards, index cards, etc.,
• number-based documents such as financial statements, payroll records, time sheets,
• forms-based documents such as questionnaires, application forms of any kind (credit cards,
loans, product registration, etc.),
• image-based documents such as photographs, charts, and graphs, and
• mixed-format documents such as bank statements, credit card statements.
7
As a plural of the term ‘datum’.
8
Microfiche/microfilm are both compact analogue storage media that are still used in many
research/library institutions.
9
The term ‘storage’ is sometimes used (somewhat incorrectly in the author’s opinion) interchangeably
with the term ‘memory’. Where both terms are in use, the term memory is generally
used for the faster forms of storage and the term storage is generally used for the slower forms
of storage.
10
For example RAM (Random Access Memory).
11
In a limited sense, the terms ‘attribute’ and ‘data element’ can be, and indeed often are, used
interchangeably.
12
Although the example data value is only numeric it is also possible that the data value could
be a combination of numeric and alphabetic characters (e.g. a UK postcode).
13
Remember for some types of data, specific legal requirements may apply – for example the
Data Protection Act 1998 and the Limitations Act 1980.
14
A data set can be defined as a set of data elements bearing a logical relationship which is
organised in a prescribed manner.
15
Indeed, a number of anecdotal studies on users of computer-based information systems have
suggested that severe access restrictions can also adversely affect data integrity as users often
attempt to find alternative means of access and/or alternative sources of data.
16
Usually in the form of an exchange of economic consideration.
17
The processing cycle can be defined as the throughput processing period – from input to
output. Such a throughput processing period can commence when:
• a specified batch content limit has been reached – for example, a batch of say 100 invoices,
• a specific time period has expired – for example every seven days or every 14 days, or
• a specific date/time has been reached – for example the 19th day of each calendar month.
18
Whilst it is of course possible for online processing to consist of four stages, for example:
• stage 1 – an input stage where individual data are input,
• stage 2 – a collection stage where individual data are collected into a secure temporary data
file,
• stage 3 – a processing stage where the master file is updated based on input of the controlled
data file, and
• stage 4 – an output stage,
the use and popularity of such online processing has declined significantly over recent years.
19
Contrary to popular belief ATMs are not an American invention. The ATM was actually
invented by John Shepherd-Barron in the early 1960s. He installed the world’s first ATM at a
branch of Barclays Bank in Enfield, North London, in 1967.
20
The two input devices are:
• a card reader which captures the account information stored on the magnetic stripe and/or
chip on the back of the debit/credit card. The host processor uses this information to route
the transaction to the appropriate bank/financial institution, and
• a keypad which allows the cardholder to:
  ◦ identify him or herself as the cardholder by entering the appropriate PIN, and
  ◦ inform the bank/financial institution what kind of transaction is required – for example
a cash withdrawal, an account amendment, an account balance request or a change of
PIN, etc.
21
The four output devices are:
• a speaker which provides the cardholder with auditory feedback when the keypad is used,
• a display screen which provides the cardholder with a menu of transaction options,
• a receipt printer which provides the cardholder with a paper receipt of the transaction (if
requested), and
• a cash dispenser which consists of a secure vault, a cash-dispensing mechanism which consists
of an electric eye that counts each note as it exits the cash dispenser and a sensor which
tests the thickness of each note to ensure:
  ◦ two or more notes are not stuck together, and
  ◦ issued notes are not excessively worn, torn or folded.
22
The host processor may be owned by a bank or financial institution, or it may be owned by
an independent service provider.
23
For example the inefficient/inequitable allocation of resources and/or distribution of
information.
24
Because distributed systems provide dedicated resources for user processes, response times
can be greatly reduced.
25
See Chapter 6.
26
Two common variations to the data flow diagram notation are, for example, the Gane and
Sarson (1979) notation and, the Coad and Yourdon (1991) notation.
27
This notation is based on the Coad and Yourdon (1991) data flow diagram notation.
28
Alternatively, the Gane and Sarson (1979) data flow diagram notation provides the
following:
• a square to indicate an entity,
• a rounded square to portray a process,
• an open box to indicate a data store/file, and
• an arrow to portray the direction of a dataflow.
29
In a physical data flow diagram there can be a number of alternative types of data stores,
for example:
• permanent computerised data store/file,
• temporary (or transient) computerised data store/file,
• permanent manual data store/file, and
• temporary (or transient) manual data store/file.
30
As a general rule, no data flow diagram should contain more than 12 process boxes.
31
For example, where data is retrieved from a data store, it is not necessary to show the selection
criteria used to retrieve it.
32
A regular entity is an entity of independent existence – that is any physical object, event,
and/or abstract concept on which factual data can be obtained. A weak entity is an entity of
dependent existence – that is an entity whose existence is dependent on another entity.
33
An entity set (or entity type) is a collection of similar entities.
34
This is the most common type of relationship.
35
Often referred to as a General Entity-Relationship Model (GERM).
36
Where both entities are independent, the direction of the relationship is arbitrary.
37
Such relationships are often referred to as a relationship’s ordinality.
38
In the simple decision table, there would be two condition alternatives – that is a yes or a no
for each condition. In an extended-entry decision table, there could be many alternatives for
each condition.
39
This chart of accounts was originally developed by Ron Hornsby, University of Lincolnshire
and Humberside (now University of Lincoln) with whose kind permission it has been reproduced.
40
Such a chart of accounts is often imposed for macro economic purposes – for the collection
of statistical data by national governments.
41
A query language is a computer language used to make enquiries into databases and/or
information systems. Such query languages can, broadly speaking, be classified as either database
query languages or information retrieval query languages. For example:
• SQL (Structured Query Language) is a well-known query language for relational databases, and
• DMX (Data Mining eXtensions) is a query language for data mining models.
42
For example in the early 1960s the System Development Corporation (based in California,
USA) sponsored a conference on the development of computer-centred databases. See http://
www.cbi.umn.edu/collections/inv/burros/cbi00090-098.html.
43
Charles W. Bachman was a prominent computer scientist/industrial researcher in the area of
databases. He received the Turing Award in 1973 for his work on database technologies and was
elected as a Distinguished Fellow of the British Computer Society in 1977 for his pioneering
work on database systems.
44
Codd, E.F. (1970) ‘A Relational Model of Data for Large Shared Data Banks’ in Communications
of the ACM, 13(6), pp. 377–387.
This paper is available @ http://www.acm.org/classics/nov95/toc.html.
45
For example the System R project at IBM.
46
For example Oracle and DB2.
47
eXtensible Markup Language – a special purpose markup language capable of describing
many different kinds of data.
48
CODASYL (Conference on Data Systems Languages) was an IT industry consortium formed
in 1959 to guide the development of a standard programming language that could be used on
many computers. Its discussions eventually resulted in the development of COBOL. Although
some derivative CODASYL committees continue to the present day, CODASYL itself no longer
exists with interest in CODASYL fading in the early 1980s due to growing interest in relational
databases.
49
As defined by the CODASYL specification.
50
Using the relational data model, a table can be defined as a collection of records, with each
record in a table containing the same fields.
51
In some smaller companies/organisations database administration is sometimes undertaken
by a single individual – the database administrator – whereas in larger companies/organisations
such database administration is often undertaken by a department of technical personnel.
52
The American National Standards Institute (ANSI) Standards Planning And Requirements
Committee (SPARC) architecture (1975).
53
Including data fields, data records and data files.
54
Because terminology can differ, for our discussion we will use the terminology used in
Microsoft SQL Server 2005 edition.
55
Such change could of course relate to:
• structural change – that is change to the database schema,
• technological change – that is change to the physical database, and/or
• definitional change – that is change to either user access to the database resource and/or user
rights to use the database resource.
56
Hence the term ‘relational database’.
57
Such tables are – in a technical context – more appropriately referred to as relations; hence
the term ‘relational database’.
58
Remember such tables only describe how the data appear within both the conceptual level
schema and the external level schema. The data are actually stored in the manner described in
the internal level schema.
59
See note 42 above.
60
Because the word SEQUEL was a trademark held by Hawker-Siddeley Ltd in the UK. Hawker-
Siddeley Ltd eventually merged into British Aerospace (BAe) in 1977.
61
For a complete listing of the keywords available for Microsoft SQL Server 2005 Edition, have
a look @ http://msdn2.microsoft.com/en-us/library/ms189822.aspx.
62
In some database management systems the keyword TEXT may not be supported, in
which case a specific string length has to be declared – for example: CHAR(x), VCHAR(x) or
VARCHAR(x), where x is the string length.
63
As note 62.
64
For example, establishing the periodic dumping of the database on to backup tape and,
where necessary, establishing secure recovery procedures for the reloading of the database from
the backup tape.
65
For example, where a customer cannot be created without a sales order.
66
For example, where a sales order cannot be deleted without deleting all the customer data.
67
For example, where to update customer data, it must be updated for each sales order the
customer has placed.
68
It is important to note that these are only advisory guidelines.
69
Some REA data models include a 4th entity of locations, defined as physical objects and/or
spaces not owned by the company/organisation. The use of this 4th entity is by no means widely
accepted.
70
Resources are the assets of a company/organisation used to generate revenue. However
resources do not include some traditional accounting assets, for example debtor accounts.
71
There are three classes of events:
• operating events – that is what happens,
• information events – that is what is recorded, and
• decision/management events – that is what is done (as a consequence).
Summary codes
LOCATION:         DEPARTMENT:              FINANCIAL LEDGER SUMMARY
10 COMPANY        11 ALL DEPARTMENTS       0100 CAPITAL
20 SOUTHAMPTON    21 PURCHASING/SALES      0200 LOANS
30 LONDON         31 RECEIVING/DESPATCH    0300 CURRENT LIABILITIES
40 MANCHESTER     41 STOCK1                0400 FIXED ASSETS
50 HULL           51 PRODUCTION            0500 STOCK
60 NEWCASTLE      61 SERVICE               0600 DEBTORS
70 GLASGOW        71 ACCOUNTING            0700 CASH
80 BRISTOL        81 PERSONNEL             0800 MATS COST OF SALES
                  91 ADMINISTRATION        0900 WAGES COST OF SALES
                                           1000 OCCUPANCY
                                           1100 ADMINISTRATION
                                           1200 COMMUNICATIONS
                                           1300 FINANCIAL
                                           1400 TAX
                                           1500 SALES

ORD’Y SHARE CAP & RES, SUMM’Y CODE 0100        PRIOR CHGE CAP, CODE 0200
0100/0 ORDINARY SHAREHOLDERS FUNDS, TOTAL      0200/0 ALL LOANS & PREF SH
0100/1 -do-, AUTHORISED SHARE CAPITAL          0200/1 AUTH PREF SHARES
0100/2 -do-, ISSUED SHARE CAPITAL              0200/2 ISSUED PREF SHARES
0100/3 -do-, CAPITAL RESERVE                   0200/3 LOANS
0100/4 -do-, GENERAL RESERVE
0100/5 -do-, REVALUATION RESERVE
0100/6 -do-, PROFIT & LOSS ACCOUNT
1
Includes Raw Materials and Finished Goods.
0400/1 ALL CLASSES OF FIXED ASSET, ORIGINAL COST, BALANCE BROUGHT FWD
0400/2 -do-, -do-, CURRENT PERIOD, ASSETS DISPOSED OF
0400/3 -do-, -do-, -do-, ASSETS ACQUIRED
0400/4 -do-, -do-, -do-, ASSETS HELD, BALANCE CARRIED FORWARD
0400/5 -do-, DEPRECIATION, BALANCE BROUGHT FORWARD
0400/6 -do-, -do-, CURRENT PERIOD, ON ASSETS DISPOSED OF
0400/7 -do-, -do-, -do-
0400/8 -do-, -do-, BALANCE CARRIED FORWARD
0400/9 -do-, WRITTEN DOWN VALUE, BALANCE CARRIED FORWARD
0401/1 to 0401/9 FIXED ASSETS, LAND & BUILD’GS, CODING STRUCT AS ABOVE
0402/1 to 0402/9 -do-, PLANT & MACHINERY, CODING STRUCT AS ABOVE
0403/1 to 0403/9 -do-, FIXTURES & FITTINGS, CODING STRUCT AS ABOVE
0404/1 to 0404/9 -do-, MOTOR VEHICLES, CODING STRUCT AS ABOVE
Part 3
Part overview
Part 3 of this book provides a detailed review of the major corporate transaction processing
cycles.
Chapter 8 explores the corporate revenue cycle – both debtor-based sales systems
(including where appropriate web-based sales systems) and non-debtor-based sales
systems (including electronic POS systems and web-based sales systems), and considers
the impact of information and communication technology enabled innovations on revenue
cycle related activities. Chapter 9 explores the corporate expenditure cycle – both creditor-
based expenditure related systems and non-creditor-based expenditure related systems.
It also considers payroll related systems.
Finally Chapter 12 explores the practical aspects of e-commerce, in particular the uses of
e-commerce innovations and technologies in transaction related activities, the problems and
opportunities presented by the integration of e-commerce facilities into corporate accounting
information systems and the regulatory issues related to the use of e-commerce.
Introduction
In a broad sense, the revenue cycle can be defined as a collection of business-related
activities/resources and information processing procedures, concerned with:
Inasmuch as the primary objective of the revenue cycle is to maximise income (and of
course profits), by providing customers/clients with the right product, at the right price,
at the right place and at the right time, the revenue cycle is indelibly linked to and
closely integrated with a company’s/organisation’s marketing model.1 That is to function
efficiently and maximise retailing income it is important for the company/organisation to
be able to:
So what would such an integrated ‘market-based’ revenue cycle be used for? In a marketing
context it would be used to:
• establish what criteria will be used to monitor the efficiency of the revenue cycle, and
• determine what criteria will be used to evaluate the effectiveness of the revenue cycle.
in a more strategic context, the accounting information system would be used to safeguard
revenue cycle resources and ensure:
Learning outcomes
This chapter explores a wide range of issues relating to the corporate revenue cycle, in
particular:
• debtor-based sales systems (including where appropriate web-based sales systems),
and
• non-debtor-based sales systems (including electronic POS systems and, of course,
web-based sales systems).
By the end of this chapter, the reader should be able to:
• describe the major activities and operations contained within the corporate revenue
cycle,
• explain the key decision stages within the corporate revenue cycle,
• demonstrate an understanding of the key internal control requirements of a corporate
revenue cycle,
• demonstrate a critical understanding of the potential risks and threats associated with
inappropriate internal control, and
• consider and explain the impact of information and communication technology enabled
innovations on the corporate revenue cycle.
The revenue cycle is concerned with the inflows of assets and/or resources into the company/
organisation – in particular income/earnings generated from, or more appropriately by, business-
related activities. In an accounting context, such income can be classified as either:
• capital income – that is income generated from the disposal of either tangible or intangible
fixed assets, or
• revenue income – that is income generated from:
  ◦ the sale of current assets,
  ◦ the delivery of customer services, and/or
  ◦ the provision of other non-trading activities/services (e.g. rental income from the leasing
of surplus property).
We will look at additional issues/requirements associated with capital income later in this
chapter. For the moment, we will consider revenue cycle issues/requirements associated with
income/earnings generated from the sale of products/provision of services – that is revenue
income/earnings. Why?
Because whilst the source of such revenue income may vary from company to company or
organisation to organisation, for example:
• for context type 1(a) and 1(b)2 companies/organisations such revenue income would more
than likely be product orientated/related, and
• for context type 2(a) companies/organisations, such revenue income would be partially
product orientated/related and partially services orientated/related, and
• for context type 2(b) and 2(c) companies/organisations such revenue income would more
than likely be service orientated/related,
such income will – in terms of volume (and possibly value) – invariably constitute the majority
of the income received by a company/organisation.
Consider the following. During 2005:
• Tesco plc revenue income from continuing operations/turnover was £37,070m (see
www.tesco.com),
• Sainsbury plc revenue income from continuing operations/turnover was £16,364m (see
www.jsainsburys.co.uk),
• Marks and Spencer plc revenue income for continuing operations was £7,710m (see
www.marksandspencer.com).
As we saw earlier, in an organisational context, the revenue cycle can be described as an integrated
collection of income-related business systems, processes, procedures and activities (see Figure 8.1)
indelibly connected to a company’s/organisation’s marketing function/activities.
Indeed, unless a company/organisation occupies a monopoly position within a marketplace
and is capable of enjoying or is allowed to enjoy all the benefits associated with such a
position, all revenue cycle transactions (or at least, the vast majority of revenue cycle transactions)
will be market driven or, more appropriately, demand orientated. That is the demand for a
The threat from new companies/organisations entering the marketplace is low where:
So what is the relevance of such factors on a company’s/organisation’s revenue cycle? Put simply,
it is the combined impact of the above factors that invariably determines the strategic context
of a company’s/organisation’s revenue cycle transactions – that is how the company manages
the threats presented by and opportunities offered by the collective impact of such market-based
factors/forces. For example, a company/organisation may elect to pursue a cost leadership
strategy – that is to provide its products/services at a price lower than any of its competitors,
and use its product/service price structure to:
Finally, a company/organisation may elect to pursue a segmentation (or focus) strategy – that
is concentrate on a specific regional market, a specific range of products or a specific group of
services, or indeed a specific group of customers/clients.
Revenue cycle
In a debtor-based revenue cycle the property of an asset/service (i.e. the legal title to an asset/
service) and the possession of an asset/service (i.e. the physical custody of an asset/service) are
exchanged for a legally binding promise to pay at some predetermined future date or within a
predetermined future period. Such transactions are often referred to as credit sales.
In a non-debtor-based revenue cycle, such property and possession of an asset/service is
exchanged for the legal title to (property) and custody of (possession) another asset. Whilst
such an asset will usually be cash or a cash equivalent it can, in both a legal and business context,
refer to any mutually agreed asset. Such transactions are often referred to as cash/cash
equivalent sales.
Before we discuss each of the above types of revenue cycle in a little more detail, first some
clarification.
Whilst we often refer to the debtor-based revenue cycle and the non-debtor-based revenue cycles
as separate (independent) revenue cycles they are, in essence, interdependent cycles. Whilst
some systems, processes, procedures and protocols will be shared by both revenue cycles, some
will invariably be unique to the debtor-based revenue cycle and some to the non-debtor-based
revenue cycle. Have a look at Figure 8.2.
(We will discuss the uses and implications of RFID technologies on revenue cycle transactions
later in this chapter.)
That is, with revenue transactions in which the transaction is validated and authorised so that
it is agreed and payment is authenticated and authorised prior to the completion of the revenue
transaction.
The non-debtor-based revenue cycle is therefore an object (or transaction) orientated
revenue transaction cycle.
Generally such non-debtor-based revenue transactions will occur within companies/
organisations classified as context types 1(a) and 1(b), and perhaps also 2(a) and 2(b). As with
debtor-based revenue cycle transactions, the processing of such non-debtor-based revenue
transactions will also involve the use of a wide and increasingly integrated range of information
and communication technologies – most of which are now web-based.
Such a debtor-based revenue cycle can be divided into four component systems:
• the marketing system,
• the retailing (or customer/client ordering) system,
• the distribution and delivery system, and
• the payment management system.
See Figure 8.3.
The purpose of the marketing system is to identify an appropriate market and/or customer/
client base for the company’s/organisation’s goods/services.
See Figure 8.4.
It is in effect the company/organisation interface with the ‘outside’ world in both:
Macro-based context
• the nature of the market – for example, is the market a person-based one where the products/
services are aimed at individual customers/clients or a company-based one where the
products/services are aimed at corporate customers/clients,
• the location of the market – for example, is the market a UK-based domestic/national one
and/or is it an overseas-based international one, and
• the level of market competition within the market – for example, is the market competition
aggressive and proactive or is the competition passive and reactive,
and in doing so establish a potential customer/client base for the company’s/organisation’s
products/services.
Micro-based context
In terms of the product/service, the system would be used to assist in determining the life cycle
stage/position of the product/service – for example, is the product/service at:
• the development stage of its life cycle,
• the market introduction stage of its life cycle,
• the growth stage of its life cycle,
• the maturity stage of its life cycle, or
• the declining stage of its life cycle,
and in doing so establish:
• an acceptable pricing structure for the product/service,
• an appropriate advertising and promotion strategy for the product/service, and
• a suitable distribution policy and delivery system for the product/service.
Irrespective of the method used to receive the customer order, it is however important to
ensure/confirm that:
• all relevant and appropriate data is accurately collected, and
• all relevant and appropriate data is correctly recorded,
• the assessment history of the customer/client – that is, have they sought to extend their credit
facilities in the past and have such applications been approved/rejected.
Where after such an assessment some doubt still remains over the customer’s/client’s suitability
for extended credit facilities, it may be necessary to obtain an external third-party assessment of
the customer’s/client’s current risk status – possibly from an online credit assessment agency,
for example:
• Equifax @ www.equifax.co.uk,
• Experian @ www.experian.co.uk,
• Callcredit @ www.callcredit.co.uk, and/or
• CheckSURE @ www.checksure.biz.
Once the identity of the customer/client has been confirmed, it would be necessary to establish
their credit risk, possibly with an external agency where a large amount of credit is being
requested. An example credit check report produced by CheckSURE on British Airways plc is
available on the website accompanying this text www.pearsoned.co.uk/boczko.
If the customer’s/client’s credit risk/credit rating is acceptable – that is within a range approved
by the company/organisation – the company/organisation can then:
• authorise a credit limit for the customer/client, and
• impose payments terms for the customer/client.
• the products ordered by the customer/client are available in stock and ready for immediate
distribution,
• the products ordered by the customer/client require manufacture and the production resources
are currently available for their immediate manufacture, or
• the services ordered by the customer/client are available for immediate provision,
Where products and/or services are not available – either as completed stock or as manufactured
products and/or deliverable services – due to a lack of immediately available resources
to manufacture the products and/or provide the service, the customer/client order will need to
be suspended and the customer/client offered the opportunity to:
• either confirm acceptance of the delayed delivery,
• order alternative products, or
• cancel the order.
In a legal context it could result in the company/organisation facing a claim for damages,
especially where the customer/client has entered into other third-party agreements/contracts
on the basis of the order confirmation.
To minimise the possibility of the above occurring, many companies/organisations now
use integrated store/warehousing systems as part of their in-house supply chain management
processes, to:
• the location(s) of the stores – that is whether stock items are held in a single secure location
or a number of geographically dispersed locations,
• the volume of the stock items issued and received – that is how many stock items are issued
and received during a trading period,
• the nature of stock turnover – that is whether stock items are issued/received on a cyclical
basis, a seasonal basis or at a similar level throughout the year,
• the value of the stock turnover – that is whether store items are generic and of a low retail
value, or unique and of a high retail value,
• the nature of the systems used to record the issue or receipt of stock items – that is what issuing
system is used (paper-based, IT-based, web-based or a combination), and
• the nature of the technologies used to manage and control the movement of stock items –
that is are stock items bar coded or RFID tagged.
We will discuss the management of current asset stocks and the use of store/warehousing
systems in the issue and receipt of stock items in detail in Chapter 11. Here we will just provide
a brief outline.
Consider, for example, a web-based ordering facility. Once the customer/client has submitted
an order and it is confirmed by the company/organisation (and subsequently accepted
by the customer/client), an approved stock issue request would be generated in the store/stock
warehouse for the issue of the products from the company/organisation store/stock warehousing
facility. The unique reference number generated on confirmation of the customer/client
order would correspond directly with the number of the stock issue request generated in the
store/warehouse, thereby creating a traceable connection between the customer/client and the
physical stock items. The stock item references (or catalogue reference) used by the customer/
client during the product selection process and by the company/organisation to confirm the
availability of the products to the customer/client, would also be used to identify the location
of the stock items within the company’s/organisation’s store/stock warehouse facilities.
Where all the products ordered by the customer/client (and included in the store issue
request) are issued and forwarded to despatch for delivery to the customer, the store issue request
would be electronically marked ‘completed’ to indicate a completed product issue. In some stores/
stock warehousing systems, such a marking would generate a customer/client notification to
inform them that the products they ordered have been despatched (with such notifications,
where they are used, being increasingly e-mail-based).
Where some of the products ordered by the customer/client (and included in the store
issue request) are not issued (e.g. a stock item/product may not be currently in stock), the
store issue request would be electronically marked ‘to be completed’ to indicate a partially
completed product issue. Again, such marking would generate a customer/client notification
to inform them of which products have been despatched and provide a likely delivery date for
the remaining products. Such a ‘to be completed’ store issue request would be monitored on
a regular basis with the undelivered products checked to stock items/products received in store.
Once the outstanding/undelivered products arrive from the supplier, the products would be
recorded as a store receipt and immediately issued. The ‘to be completed’ store issue request
would then be electronically marked ‘completed’ to indicate all the order products have been
despatched. Again, a customer/client notification would be generated to inform the customer/
client that the remaining outstanding/undelivered products have been despatched.
• a specific set of aesthetic characteristics (e.g. related to the colour and/or design of the
product), and/or
• a specific group of technical features (e.g. related to product operability and performance),
Once a distribution/delivery order has been raised, and the distribution/delivery number
matched to the sales order request, the distribution/delivery orders would be used to generate
a distribution/delivery schedule – often referred to as a transportation schedule. Whilst many
distribution and delivery systems produce such transportation schedules at the end of a trading
period (e.g. at the end of the day), in reality such schedules are updated in real-time to minimise
the possibility of distribution/delivery errors.
So what would a transportation schedule contain? Put simply it would contain a list of product
deliveries to be made to customers/clients during a particular period, for example during
a working day say between 9:00 am and 5:00 pm. Where distribution/delivery is an in-house
service, such transportation schedules would generally be date orientated, vehicle specific and
location/area-based.
Consider the following example:
KPO Ltd is a York-based electrical supplier. The company supplies household electrical
products to companies/organisations throughout the UK from its store/warehouse facility in
York. The company operates an in-house product distribution/delivery service, using a fleet
of 15 vehicles, for the transportation of products to UK-based customers/clients.
On 18 May 2007, vehicle L459 (registration number YY06 YTL), was provided with a transportation
schedule containing five scheduled deliveries in the York/Harrogate area.
Until recently, most companies/organisations would – prior to the delivery – contact the
customer/client (either by telephone, text message or e-mail) and inform them of the expected
delivery time of their ordered products. Increasingly, however, a significant number of companies/
organisations are now using an automated company/organisation-based information
service which the customer/client can contact – usually 24 hours before the due delivery date
– to obtain a precise delivery time. Why?
Not only is it more cost effective for the company/organisation, it also places the obligation
on the customer/client to obtain the information.
KPO Ltd provides customers/clients with a delivery hotline number and a web address for
them to contact up to 24 hours before the delivery to obtain confirmation details.
So, what happens next? Because:
• the customer/client order is linked to a stores issue request, and
• the stores issue request is linked to a distribution/delivery order, and
• the distribution/delivery order is linked to a transportation schedule of deliveries,
to complete the retail/distribution and delivery process it is important for the customer/client
to authorise and acknowledge receipt of the products.
Back to our example:
Vehicle L459 (registration number YY06 YTL) has the following scheduled deliveries:
For each delivery, on receipt, the customer/client (or their assigned representative) authorises
the receipt of the products.
Whilst historically, transportation schedules were often multiple copy, paper-based schedules
with authorisation merely a signature from an authorised signatory, today such transportation
schedules are often electronic documents stored on an IT-based, hand-held device (probably a
notebook, tablet or PDA6) often with web-based capabilities. At each point of delivery/delivery
location, the products are scanned using an RFID tag (see later), to confirm the product details
and the product delivery, and the receipt authorised by the customer/client by signing and
dating a customer/client receipt, usually using a notebook, tablet or PDA-based document.
The delivery is now complete. The legal title to the products (that is ownership of the property),
and possession of the products have been transferred to the customer/client – and a legal debt
now exists for payment for the products. For the customer/client a copy distribution/delivery
order is included with the products. On completion of each delivery, confirmation details are
stored on the hand-held device.
Back again to our example:
For delivery 3, for whatever reason, no customer/client was available to authorise and
acknowledge receipt of the products. The products were retained and a notice of delivery
was provided for the customer/client informing them of the time of the attempted delivery,
giving contact details for re-arranging the delivery.
So, why is this important from an accounting information perspective? Because the receipt of
the delivery confirmation is used certainly in a post-invoicing system (see later) to generate the
invoice and of course create the accounting entries.
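The control described above can be expressed as a check run over a returned transportation schedule before any invoice is raised. This is an added example, not taken from the book: all reference numbers, signatory names and the broken link on delivery 5 are constructed, and only the unsigned delivery 3 mirrors the KPO Ltd example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScheduledDelivery:
    """One line of a transportation schedule as held on the hand-held device."""
    delivery_no: int
    delivery_order_ref: str           # distribution/delivery order number
    stores_issue_ref: str             # stores issue request it was raised from
    customer_order_ref: str           # customer/client order it fulfils
    receipt_signed_by: Optional[str]  # None when nobody authorised receipt


# Constructed records: stores issue request -> customer order it was generated for.
STORES_ISSUE_REQUESTS = {
    "SIR-2001": "ORD-2001",
    "SIR-2002": "ORD-2002",
    "SIR-2003": "ORD-2003",
    "SIR-2004": "ORD-2004",
    "SIR-2005": "ORD-2005",
}

# Constructed schedule for vehicle L459 on 18 May 2007 (five deliveries).
SCHEDULE_L459 = [
    ScheduledDelivery(1, "DEL-3001", "SIR-2001", "ORD-2001", "A. Customer"),
    ScheduledDelivery(2, "DEL-3002", "SIR-2002", "ORD-2002", "B. Customer"),
    ScheduledDelivery(3, "DEL-3003", "SIR-2003", "ORD-2003", None),  # nobody available
    ScheduledDelivery(4, "DEL-3004", "SIR-2004", "ORD-2004", "D. Customer"),
    ScheduledDelivery(5, "DEL-3005", "SIR-2005", "ORD-9999", "E. Customer"),  # broken link
]


def select_for_invoicing(schedule, stores_issue_requests):
    """Split a returned schedule into deliveries to invoice and exceptions to review.

    A delivery is invoiced only when its delivery order has not been seen before,
    its stores issue request exists and points at the same customer order, and the
    customer/client authorised receipt.
    """
    to_invoice, exceptions = [], []
    seen_delivery_orders = set()
    for d in schedule:
        if d.delivery_order_ref in seen_delivery_orders:
            exceptions.append((d.delivery_no, "duplicate delivery order"))
            continue
        seen_delivery_orders.add(d.delivery_order_ref)

        linked_order = stores_issue_requests.get(d.stores_issue_ref)
        if linked_order is None:
            exceptions.append((d.delivery_no, "unknown stores issue request"))
        elif linked_order != d.customer_order_ref:
            exceptions.append((d.delivery_no, "order does not match stores issue request"))
        elif not d.receipt_signed_by:
            exceptions.append((d.delivery_no, "no authorised receipt"))
        else:
            to_invoice.append(d)
    return to_invoice, exceptions


if __name__ == "__main__":
    invoices, review = select_for_invoicing(SCHEDULE_L459, STORES_ISSUE_REQUESTS)
    print("invoice:", [d.customer_order_ref for d in invoices])
    print("review: ", review)
```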
• where the service requested by the customer/client is a fixed-priced service, the service provision
request would be used to identify the cost, and
• where the service requested by the customer/client is a variable priced service, the service
request would be used to identify the resources required to complete the service provision
for the customer/client (where the cost of the service is dependent on the resource used in
its provision), and allocate the actual cost of, for example, staff time and of resources/assets
used during the provision of the service requested by the customer/client.
Once the service has been provided and completed, the customer/client would be required to
confirm their acceptance of, and satisfaction with, the service provided. For profession-based
services, such confirmation would more than likely be in the form of an authorised completion
document/certificate – possibly electronic, although it is still the case that such confirmation
documents are often paper-based. For skill-based and/or manual-based services – especially
where the service provider may have a number of customers/clients to visit during a delivery
period (e.g. a day), customer/client confirmation of acceptance of, and satisfaction with, the
service provided would probably be obtained by requesting the customer/client to sign an electronic
document stored on an IT-based, hand-held device – probably a notebook, tablet or PDA.
Consider the following example:
OPL Ltd is a Hull-based plumbing contractor providing a range of repair, maintenance and
installation services. The company employs 15 qualified plumbers and has a fleet of 15 vehicles.
On 26 June 2007, Jon Simms (employee reference 389487) using vehicle C3P (registration
number TH06 LUY), was provided with a service schedule containing four service deliveries
in the Hull area, as follows:
• service 1 is to a small company in Hull,
• service 2 is to a retail hotel in Hessle,
• service 3 is to a high street retailer in Beverley, and
• service 4 is to a medium-sized company in Willerby.
Each vehicle carries a small store of items, which is restocked from the company’s main store
at the end of the week, with each plumber (service provider) using a Windows-based PDA to
record service provision details. Each plumber’s PDA is updated each day to provide details
of the following day’s service requirements.
On arrival the plumber opens the relevant service delivery request for the customer/client
and the plumber’s time at the customer/client commences. All store items used during the
service provision are itemised and recorded. On completion, the customer/client confirms
acceptance of and satisfaction with the service provided by signing an electronic document
stored on the plumber’s Windows-based PDA. The service plumber’s time at the customer/
client then ceases as the service is now complete.
On completion of the final service provision for the day, Jon Simms sends confirmation
details of all services undertaken and completed (including materials used in the provision
of the requested services and the time taken to provide the requested services) from the
vehicle using a secure online weblink to OPL Ltd.
Once a service delivery confirmation has been received by OPL Ltd, an invoice would be
generated and, of course, the accounting entries created.
many companies/organisations – including many established high street retailers – there are an
increasing number of companies/organisations (especially those involved in the distribution/
delivery of products) who choose to outsource to an external carrier some part, if not all, of
their distribution/delivery services. This is especially the case where a company/organisation
requires the use of a global distribution network for the secure transportation of products to
customers/clients all over the world.
The selection of a distribution and delivery mechanism between:
So what are the advantages and disadvantages of outsourcing the distribution and delivery of
products? For the company/organisation, the advantages are:
• it avoids the need for companies/organisations to develop costly distribution and delivery
infrastructures,
• it allows the company/organisation to focus on other core business aspects/areas,
• it provides access to specialist skills and experience which may not be available within the
company/organisation, and
• it can provide significant cost savings for the outsourcing company/organisation.
There are many different types of bills of lading, the most common being as follows:
• a straight bill of lading is a document which provides that products are consigned to a specified
customer/client, that is the carrier is required to provide delivery only to the named consignee
in the document. Such a bill of lading is also known as a non-negotiable bill of lading.
• an order bill of lading is a document which provides that the company/person in possession
of the bill of lading can reroute the products to a third party if so required. That is delivery
is to be made to the further order of the consignee. Such a bill of lading is also known as a
negotiable bill of lading.
• a bearer bill of lading is a document which provides that the delivery of products to which the
bill of lading refers can be made to whoever has possession of the bill.
Whatever the type of bill of lading used, it serves three purposes. Firstly, it can serve as evidence
that a valid contract of carriage exists. Secondly, it can serve as a receipt signed by the carrier
confirming whether goods matching the contract description have been received in good
condition. Thirdly, it can serve as a document of transfer governing the legal characteristics of
physical carriage.
Further information on the documentation requirements for exporting products from the
UK is available from SITPRO Ltd7 @ www.sitpro.org.uk.
Note: Where a UK company/organisation undertakes trade8 with a company/organisation in
another European Union (EU) member state, the company/organisation is required to provide
details of these transactions for statistical purposes. Intrastat is the system used to collect these
statistics. Currently there are two main types of Intrastat declaration depending on whether the
value of a company’s/organisation’s imports or exports is above or below a predetermined
threshold. In 2006 the threshold limit was £225,000. For further details on Intrastat declarations,
and the web-based submission of an Intrastat declaration see www.uktradeinfo.com/index.cfm?task=intrahome.
process in a little more detail, it would perhaps be useful first to consider the three optional
approaches used in invoicing, these being:
• the pre-invoicing approach,
• the on-demand invoicing approach, and
• the post-invoicing approach.
Pre-invoicing approach
Using the pre-invoicing approach – sometimes referred to as ‘before delivery’ invoicing – the
invoice is created and despatched/forwarded to the customer/client as soon as the customer/
client order is approved: that is once a customer/client order confirmation has been issued. The
implicit assumption in using this approach is that once a customer/client order confirmation
has been issued, the products/services will be delivered.
This is not a widely used invoicing approach because customers/clients may often receive
the invoice before the products/services have been delivered/performed, a practice which some
customers/clients may find objectionable.
On-demand invoicing
Using the on-demand invoicing approach (sometimes referred to as ‘on-delivery’ invoicing), the
invoice is created and despatched/forwarded to the customer/client with the products/services.
Again, this is not a widely used invoicing approach although it is used by many online retailers.
Post-invoicing
Using the post-invoicing approach (sometimes referred to as the ‘after-delivery’ approach), the
invoice is created and despatched/forwarded to the customer/client once the products/services
have been delivered and a customer/client authorised product/service delivery confirmation is
available.
This is the most widely used invoicing approach – an approach which is often combined
with payments procedures in which customers/clients pay on a statement of account basis
(e.g. at the end of a calendar month). In such situations, the invoices received during a calendar
month will usually be for information purposes only.
Where a customer/client pays, following any agreed period of credit, on receipt of an invoice,
such a method is often referred to as the open invoice method. Where a customer/client pays,
following any agreed period of credit, on receipt of a statement of account, such a method is
often referred to as the balance forward method. (In our discussion, we will assume the post-
invoicing approach is used.)
Of course, the need for such phasing of invoice/statement of account distribution or, more
appropriately, cyclical billing can be eliminated by the use of electronic web-based/EDI-based
invoicing – where the number of invoices/statements of account distributed is irrelevant. It is
just as simple to distribute 10 invoices electronically as it is to distribute 10,000!
So what information is required to produce an invoice and, perhaps more importantly, what
type of information would an invoice contain?
The information required to create an invoice would include, for example, the following:
• the customer/client reference – to confirm the authenticity of the customer/client,
• the customer/client order number – to confirm the validity of the customer/client order,
• the quantity of the products/nature of the services delivered – to confirm the quantity of
products delivered/services performed, and
• the price of the products/services delivered – to confirm the prices of products delivered
and/or services performed.
Remember, all of the above will be available when the customer/client order is confirmed.
The information contained within an invoice would include, for example, the following:
• the supplying company/organisation name/address,
• the supplying company/organisation contact details (e.g. postal address, telephone number,
e-mail address, website address),
• the supplying company/organisation VAT registration number,
• the invoice number – the reference number for the document,
• an invoice date (normally the tax point date for VAT purposes),
• the customer/client order number,
• the delivery date of the products/services,
• a description of the products/service supplied,
• details of the quantity of products/service supplied,
It is perhaps worth noting that whilst paper-based invoices are still issued by a number of
companies/organisations, a growing number are now using non-paper-based electronic invoices,
either with a web-based extranet facility and/or a web-based EDI facility.
A debit memorandum entry would also be made in the individual debtor’s account in the sales
ledger (also known as the debtors ledger).
Remember, however bizarre it may appear this is essentially triple entry, not double entry!
New debtor
Where the transaction relates to a new debtor – the new debtor account will be debited.
Remember, the new debtor account would have been created during the initial credit check
stage (see above). It is at the credit check stage that the customer/client would have been issued
with a debtor reference (account number), and information about the payment terms and
conditions relating to the account.
Existing debtor
Where the transaction relates to an existing debtor, the existing debtor’s account will be debited
– that is amended and the balance increased. Remember, for an existing debtor it should not
be possible to incur a debt greater than the current approved account limit/credit limit on the
debtor’s account. That is it should not be possible to increase the account balance over and
above the current approved account limit/credit limit on the debtor’s account. This is because
the customer/client order and ultimate sale to which the invoice relates should have only been
approved where:
• the customer’s/client’s account limit/credit limit is sufficient to allow the transaction/sale, or
• the customer’s/client’s account limit/credit limit has an amendment/increase to allow the
transaction/sale.
So, how would the above accounting entries be processed and recorded?
transactions. Using an online (4 stage) accounting system, a sales journal would act as a ‘before
the event’ control summary.
Whilst 4 stage online processing has been, and indeed still continues to be, the preferred processing
system for many companies/organisations (probably because of its similarity to the traditional
hard-copy-based batch processing system), the increasing use and availability of the 3 stage online
processing accounting systems has undoubtedly increased the popularity of real-time processing.
Debtor management
Once the products/services have been supplied to the customer/client and an invoice or state-
ment of account (where invoices are used for information purposes only) has been issued and
presented to the customer/client for payment, it is important to ensure that all payments are
collected. A failure to collect due payments can have significant and long-term consequences
on a company’s/organisation’s working capital. Indeed, history is replete with examples of
companies and organisations which have failed, not because of a lack of market opportunities,
product/service demand or a lack of customer loyalty, but primarily because of a lack of proactive
working capital management.
So, what do we mean by a debtor management sub-system? As a series of sequential events/
activities, a debtor management sub-system generally comprises four activities:
• the collection and recording of payments made by customers/clients,
• the reconciliation of customer/client account balances,
• the assessment of doubtful debts, and
• the write-off of bad debts/irrecoverable debtor accounts.
See Figure 8.9.
The key documentation of such a debtor management sub-system would be:
• the debtor account,
• a debtor account adjustment,
• the debtor statement of account,
• a debtor account payment reminder, and
• an application to write-off.
with the choice of payment method used by the customer/client determined by the company/
organisation supplying the products/services. In general, for new customers/clients, a company/
organisation would normally use the open invoice method, with the balance forward method
used only for those customers/clients with an established trading relationship/payment record.
So how can a customer/client submit payment on receipt of an invoice or statement of
account? There are generally four methods a customer/client can use, these being:
• payment by bank transfer (BACS) using BACSTEL-IP (see Chapter 4),
• payment by EFT – using a debit or credit card,
• payment by cheque10 – through the mail or by personal visit, and/or
• payment by cash – by personal visit.
Where at all possible, a company/organisation should dissuade customers/clients from using
payment methods that involve payment by cheque and/or payment by cash – simply because of
the cost.
Cheques and cash require processing, recording, secure storage, banking and periodic reconciliation,
all of which can incur substantial additional costs for a company/organisation.
Payment by BACS
Payment by BACS using BACSTEL-IP (see Chapter 4) would generally be used (although not
exclusively) by company/organisation-based customers/clients – more specifically in business-
2-business (B2B) transactions with repeat customers where regular automated payments are
made.
The advantages of using BACS as a payment method are:
• it reduces the time and the cost of administering payments and can assist in the management
of cash flow and therefore improve financial control;
• it eliminates (almost totally) the need for human intervention in the payment process and
therefore the possibility of human error;
• it reduces risk of loss, late payment and/or theft for customers/clients; and
• it allows for the automated settlement of payments between companies/organisations.
The main disadvantage is the costs involved in the setting up/using of the BACS payment by
BACSTEL-IP. Consequently, as a payment method it is suitable only for those companies/
organisations making more than, on average, 150 payments a month.
Payment by EFT
Payment by EFT can be either:
• a card-based EFT – for example payment using a debit/credit card, or
• a non-card-based EFT – for example Pay-By-Touch (see later in this chapter).
Whereas card-based EFT is the dominant payment method and generally used by individual,
non-company or non-organisation-based customers/clients, non-card-based EFT whilst growing
in popularity is (in the UK at least) currently restricted to individuals only.
So what are the advantages and disadvantages of accepting payment by card-based/non-
card-based EFT?
The advantages include:
• it allows a company/organisation to reach a wider customer/client base – for example it
allows a company/organisation to accept payment by phone, by mail and/or online,
• it improves cash flow since payments by EFT usually clear more quickly than cheque payments,
• it can improve company/organisation security since less cash and fewer cheques are stored
(however temporarily) on company/organisation premises, and
• it reduces administration costs and the need for the reconciliation of banked receipts.
The disadvantages include:
• the administrative and management costs involved in setting up agreements for processing
EFT-based payments,
• the costs involved in acquiring the technologies to process payments by EFT,
• the costs involved in developing the technical and administrative procedures to manage the
acceptance and processing of EFT payments, and
• the costs associated with the possible increase in fraud as a result of accepting EFT payments,
especially card-based payments.
We will look at the process of payment by card-based/non-card-based EFT later in this chapter.
Where an early payment discount is allowed, the transaction would be recorded in the general
ledger as follows:
• Dr discounts allowed,12
• Cr bank account,
• Cr debtor’s control account.
A credit memorandum entry would also be made in the individual debtor account in the sales
ledger (debtors ledger).
Again, remember it is essentially triple entry, not double entry!
So, how would the debtor account be updated? There are, of course, various ways in which
a customer/client debtor account can be updated. A commonly used approach (although it is
by no means universally accepted) is as follows.
Where the customer/client provides payment electronically – for example using payment
by BACS or by EFT, the debtor account would be updated on receipt of the funds (especially
where the debtor account reference is transmitted with the transfer of funds): that is the above
triple entry – the updating of the general ledger and the sales ledger (debtors ledger) – would
occur at the same time.
Where the customer/client provides payment manually, for example using payment by
cheque and/or cash, it is likely that the debtor account would be updated by batch processing
at the end of the day: that is the above triple entry – the updating of the general ledger and the
sales ledger (debtors ledger) – would occur at separate times:
• the general ledger would be updated online on receipt of the payment, and
• the sales ledger (debtors ledger) would be updated by batch processing, probably at the end
of the trading day.
Of course, in addition to the above, a debit and/or credit memorandum entry would also be
made in the individual debtor’s account in the sales ledger (debtors ledger).
From an internal control context, it is important that any adjustment is:
• appropriately authorised – usually by a financial accounting manager, and
• properly documented – using a journal to record the accounting entry.
It is important that a company/organisation identify and correct any errors that may exist
between the debtor’s control account in the general ledger and the total of the individual debtor
account balances in the sales ledger (debtors ledger). This is because the existence of such errors
could not only result in a loss of income – where debtor accounts in the sales ledger (debtors
ledger) are understated – it could, more importantly, result in the qualification of the company’s/
organisation’s financial statements.
In a practical context, the reconciliation between the debtor’s control account in the general
ledger and the total of the individual debtor account balances in the sales ledger (debtors ledger)
is often an automated procedure. Indeed, many contemporary financial accounting packages
not only allow user companies/organisations to select the frequency of such a reconciliation,
they also allow user companies/organisations to determine – based on the nature of the error(s)
discovered – the remedial action to be taken to correct the error(s).
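As an added illustration (not code from the book or from any accounting package), the following Python reconciles the debtor's control account with the individual sales ledger entries and classifies each difference. The posting references, debtor accounts, amounts and exception labels are constructed for the example; it also shows that a receipt posted to the wrong debtor leaves the two totals in agreement and is only found by matching line by line.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Posting:
    ref: str         # transaction reference carried into both ledgers
    debtor: str      # debtor account reference
    amount: Decimal  # positive raises the debt (invoice), negative reduces it (receipt)


def balances(postings):
    """Sum the postings per debtor account."""
    totals = defaultdict(lambda: Decimal("0.00"))
    for p in postings:
        totals[p.debtor] += p.amount
    return totals


def reconcile(control_postings, sales_ledger_postings):
    """Match control-account postings to sales-ledger entries by reference.

    Assumption: a reference appears at most once in each ledger.
    Each exception is (reference, kind, effect on control total minus ledger total).
    """
    gl = {p.ref: p for p in control_postings}
    sl = {p.ref: p for p in sales_ledger_postings}
    exceptions = []
    for ref in sorted(gl.keys() | sl.keys()):
        g, s = gl.get(ref), sl.get(ref)
        if s is None:
            exceptions.append((ref, "missing_in_sales_ledger", g.amount))
        elif g is None:
            exceptions.append((ref, "missing_in_general_ledger", -s.amount))
        elif g.debtor != s.debtor:
            # The two totals can still agree, so only line-level matching finds this.
            exceptions.append((ref, "posted_to_wrong_debtor", g.amount - s.amount))
        elif g.amount != s.amount:
            exceptions.append((ref, "amount_mismatch", g.amount - s.amount))

    control_total = sum((p.amount for p in control_postings), Decimal("0.00"))
    ledger_total = sum((p.amount for p in sales_ledger_postings), Decimal("0.00"))
    gl_bal = balances(control_postings)
    sl_bal = balances(sales_ledger_postings)
    # Understated sales-ledger accounts are the ones that risk a loss of income.
    understated = sorted(d for d in gl_bal.keys() | sl_bal.keys() if sl_bal[d] < gl_bal[d])
    return {
        "control_total": control_total,
        "ledger_total": ledger_total,
        "difference": control_total - ledger_total,
        "exceptions": exceptions,
        "understated_debtors": understated,
    }


def _p(ref, debtor, amount):
    return Posting(ref, debtor, Decimal(amount))


# Constructed sample data. The cheque receipt RCT-001 has reached the general
# ledger but is still waiting for the end-of-day sales ledger batch.
CONTROL = [
    _p("INV-001", "D100", "500.00"),
    _p("INV-002", "D200", "250.00"),
    _p("INV-003", "D300", "120.00"),
    _p("RCT-001", "D100", "-200.00"),
]
SALES_LEDGER = [
    _p("INV-001", "D100", "500.00"),
    _p("INV-002", "D200", "205.00"),  # digits transposed on entry
    _p("INV-003", "D400", "120.00"),  # posted to the wrong debtor account
]

if __name__ == "__main__":
    report = reconcile(CONTROL, SALES_LEDGER)
    print("control account total:", report["control_total"])
    print("sales ledger total:   ", report["ledger_total"])
    print("difference:           ", report["difference"])
    for ref, kind, effect in report["exceptions"]:
        print(f"  {ref}: {kind} ({effect})")
    print("understated debtor accounts:", report["understated_debtors"])
```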
Whilst such an automated reconciliation process does have many advantages, for example it
minimises:
• the level of human intervention in the reconciliation process, and
• the overall cost of the reconciliation exercise,
• a customer/client fails (for whatever reason) to make the appropriate payment(s) within an
agreed period, and
• efforts to determine the reason(s) for such a failure to make payment (e.g. telephone calls
and/or e-mails to the customer/client) have been unsuccessful.
In such circumstances, prudence would suggest that such an outstanding debt should be considered
doubtful and action to recover it commenced.
Although specific debt recovery procedures will differ from organisation to organisation,
in general such procedures would involve some, if not all, of the following four stages:
• the issue of a formal reminder for payment,
• the issue of a formal demand for payment,
• the determination of legal judgment on the outstanding debt, and
• the collection of the outstanding debt.
During such a debt recovery process (especially during stages 1 and 2) it is likely that the company/
organisation may also elect to use the services of a private debt collection agency. Whilst such
an approach has become increasingly popular in recent years, it requires careful monitoring to
ensure that the provisions of s40 Administration of Justice Act 1970 concerning harassment are
fully observed.
Zero recovery occurs where the company/organisation has pursued the outstanding debt (as
above) without success. For example, during the debt recovery process evidence may have
emerged that the customer/client would not be able to satisfy the outstanding debt – perhaps
the customer/client has filed for bankruptcy (if an individual) or liquidation (if a company),
in which case the whole of the outstanding debt will need to be written off.
Partial recovery occurs where the company/organisation has pursued an outstanding debt
(as above), and recovered only part of the debt from the customer/client, in which case only
part of the outstanding debt – the unrecovered balance – will need to be written off.
No recovery occurs where the company/organisation has not pursued an outstanding
debt (as above), that is legal action has not been taken to recover the outstanding debt. This is
simply down to cost. Some UK companies (including for example a number of high street clothing
retailers and utility service providers) do not pursue outstanding debts below a minimum
amount,18 although such companies/organisations do not make such debt collection/debt recovery
policies publicly known.
In an accounting context, such a write-off would be recorded in the general ledger as
follows:
• Dr bad debts account,
• Cr debtor’s control account.
In addition, a credit memorandum entry would also be made in the individual debtor account
in the sales ledger (also known as the debtors ledger).
At the end of the financial period, bad debts would be written off to the profit and loss
account as an expense, as follows:
• Dr profit and loss account,
• Cr bad debts account.
Note: Where an outstanding debt (or part of an outstanding debt) is written off, the individual
debtor account of the customer/client in the sales ledger/debtors ledger should be closed, to
prevent any future transactions.
For the customer/client, such actions by the company/organisation – the legal pursuit of
the debt, the imposition of a CCJ and, where necessary, the write-off of the debt – would have
significant consequences for the customer’s/client’s credit rating and would severely affect their
ability to obtain credit in the future.
Debt factoring
Debt factoring can be defined as a purchased service (often from a subsidiary of a major clearing
bank)19 in which a factor acquires the right to receive payment from a company’s/organisation’s
debtors in return for an immediate payment of cash (of the face value of the debt less an agreed
discount) to the company/organisation.
Although many variations exist, there are essentially two types of factoring:
• recourse factoring – where the risk of non-payment/non-recovery of the debt is borne by the
company/organisation selling the debts, and
• non-recourse factoring – where the risk of non-payment/non-recovery of the debt is borne
by the factoring company purchasing the debts.
So, how does debt factoring work? Procedures differ from company to company, but generally,
• 80 to 85% of the value of debts that are factored is paid to the company/organisation upon
agreement with the factor, with funds usually transferred from the factor to the company/
organisation during the next working day; and
• 15 to 20% is paid to the company/organisation when either the debt is paid to the factor
(recourse factoring agreement) or it becomes due (non-recourse factoring agreement).
The cost will, of course, depend on the factoring company – but charges will normally comprise:
• an administration fee – usually between 1 and 4% of the value of the debts factored, and
• a finance fee – usually 1 to 2% above the current base rate on the amount advanced.
Whilst many critics of the trend for customer relationship management systems have suggested
that the storage and use of such customer/client-related information is by no means a contemporary
phenomenon, it is of course the use of information and communication technologies
that has revolutionised the capabilities of such systems – especially in terms of the collection,
processing and management of such information.
So what are the main operational problems of such systems? These stem from five issues:
• the technological issue – that is what information and communication technologies will be
used for the collection, processing and analysis of customer/client information,
• the administration issue – that is what methodologies will be used for the integration of
heterogeneous collections of customer/client information,
• the information issue – that is what internal data/information structure will be used,
and how detailed the data/information will be (that is what levels of abstraction will be
used),
• the acquisition issue – that is what knowledge discovery procedures and/or data/information
acquisition processes will be used, and
• the security issue – that is who will be allowed access to the data/information and on what
basis such access will be determined and approved.
Although there can be little doubt that such integrated customer/client relationship management
systems have a number of company/organisation benefits, generally related to the 3Es (economy,
effectiveness and efficiency), the commercialisation of customer/client information that occurs
in the use of such systems has resulted in many questions being raised concerning the socio-political
legitimacy of such systems – in particular the data protection issues associated with the
collection and storage of confidential customer/client information.
However, despite such questions, the astronomical growth in popularity that such customer/
client relationship management systems have enjoyed over the past few years is perhaps an
indication that they are now a necessary feature of a company’s/organisation’s portfolio of
business-related management systems and, given the evermore competitive nature of the business
environment, perhaps here to stay.
Clearly, any failure in processes and controls associated with the debtor-based revenue cycle
could have significant consequences for the company/organisation and could result in:
• a loss of company/organisation assets,
• a loss of data/information,
• a loss of customers/clients and, perhaps most importantly,
• a loss of revenue income (and profits).
How? Have a look at the following.
Marketing system
A failure within the marketing system of a company/organisation could result in:
• the inappropriate identification of marketing opportunities,
• the inaccurate assessment of market competition, and
• the ineffective marketing of products/services.
Retailing system
A failure within the retailing system of a company/organisation could result in:
• the acceptance of incomplete customer/client orders,
• the acceptance of inaccurate customer/client orders,
• the acceptance of orders from customers/clients with excessive credit or poor credit rating,
• the acceptance of invalid and/or illegitimate orders,
• the loss or misplacement of customer/client orders,
• failure to fulfil legitimate customer/client orders, and
• the occurrence of repetitive stock-outs.
In addition, the failure of retailing system security procedures/access protocols could allow
unauthorised persons to gain access to secure customer ordering systems and result in:
• the theft of confidential customer/client data,
• the misappropriation of assets, and/or
• the infection/corruption of customer/client files.
Clearly, the last, although still in use in many smaller companies/organisations, is, as a revenue
collecting system, very much in decline.
Clearly, the first of the above is not an EFT-related system and is rarely used in everyday
revenue cycle transaction-based activities. It is, however, included because it represents an
important back-up processing system should technologies fail!
The settlement stage usually takes three working days, although it can take longer.
Validation stage:
• the merchant enters the customer’s card data into its system by either:
  ◦ swiping the customer’s card through the magnetic stripe reader (a PDQ machine)25, or
  ◦ inserting the customer’s card into a smart card reader (chip and PIN), or
  ◦ keying in the customer’s card details manually, and
• the authorisation software validates the customer’s card.26
Authorisation stage:
Following validation, the merchant needs to authorise the transaction to ensure that the customer/
cardholder has sufficient funds to finance the purchase. If the transaction value is less than
the agreed MSA27 limit, the EFT system will authorise the transaction offline. If the transaction
amount is equal to or above the MSA limit, the transaction details will be forwarded online to
the acquirer for authorisation.
Where the transaction is authorised offline, the merchant will receive either a transaction
authorised28 or transaction declined29 response. Where the transaction is sent online, the acquirer
may return a transaction authorised, transaction declined or transaction referred30 response.
If the transaction is authorised the merchant must either:
• obtain the customer/cardholder’s signature or, more likely,
• request the customer/cardholder to input their PIN number into the smart card holder
key pad.
For the former, if the signature on the transaction slip does not match the signature on the card
the merchant must decline the transaction. For the latter, if the PIN number entered remains
incorrect following a number of attempts, the merchant must either:
• decline the transaction, or
• request a signature and further identification from the customer/cardholder to confirm their
identity.
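The authorisation rules above, written out as an added Python example (not code from the book or from any EFT vendor). It covers the PIN route only; the limit of 50.00, the three-attempt PIN cap, the stand-in acquirer and PIN check, and all function names are assumptions made for the illustration, and what happens after a referred response is left out because the text does not describe it.

```python
from decimal import Decimal
from enum import Enum


class Response(Enum):
    AUTHORISED = "transaction authorised"
    DECLINED = "transaction declined"
    REFERRED = "transaction referred"  # only the acquirer (online route) returns this


def authorise(amount, msa_limit, offline_check, acquirer):
    """Pick the authorisation route from the MSA limit and return (route, Response)."""
    if amount < msa_limit:
        approved = offline_check(amount)
        return "offline", (Response.AUTHORISED if approved else Response.DECLINED)
    # An amount equal to the limit is treated like one above it: it goes online.
    response = acquirer(amount)
    if not isinstance(response, Response):
        raise ValueError("acquirer returned an unrecognised response")
    return "online", response


def verify_cardholder(pin_entries, pin_is_correct, max_attempts, signature_and_id_ok):
    """Apply the PIN rule once a transaction has been authorised."""
    for entry in pin_entries[:max_attempts]:  # entries beyond the cap are never tested
        if pin_is_correct(entry):
            return "verified_by_pin"
    # PIN still wrong: decline, unless the merchant requested and checked a
    # signature and further identification.
    return "verified_by_signature_and_id" if signature_and_id_ok else "declined"


def process_sale(amount, msa_limit, offline_check, acquirer, pin_entries,
                 pin_is_correct, max_attempts=3, signature_and_id_ok=False):
    """Run authorisation, then cardholder verification, for one sale."""
    route, response = authorise(amount, msa_limit, offline_check, acquirer)
    result = {"route": route, "response": response, "cardholder": None, "completed": False}
    if response is not Response.AUTHORISED:
        return result  # declined or referred: the sale is not completed here
    result["cardholder"] = verify_cardholder(
        pin_entries, pin_is_correct, max_attempts, signature_and_id_ok)
    result["completed"] = result["cardholder"] != "declined"
    return result


# Constructed stand-ins so the example runs offline.
MSA_LIMIT = Decimal("50.00")  # hypothetical agreed limit


def demo_offline_check(amount):
    return True  # hypothetical local check that always passes


def demo_acquirer(amount):
    # Hypothetical acquirer policy: refer large amounts, authorise the rest.
    return Response.REFERRED if amount >= Decimal("500.00") else Response.AUTHORISED


def demo_pin_is_correct(entry):
    return entry == "4821"  # stands in for the check done by the card reader


def demo(amount, pin_entries, **kwargs):
    return process_sale(Decimal(amount), MSA_LIMIT, demo_offline_check,
                        demo_acquirer, pin_entries, demo_pin_is_correct, **kwargs)


if __name__ == "__main__":
    for amount, pins in [("49.99", ["4821"]), ("50.00", ["4821"]),
                         ("500.00", ["4821"]), ("75.00", ["0000", "1111", "2222", "4821"])]:
        outcome = demo(amount, pins)
        print(amount, outcome["route"], outcome["response"].value,
              outcome["cardholder"], outcome["completed"])
```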
Settlement stage:
Details of all transactions marked for payment are sorted and forwarded to the appropriate
acquirer for settlement (payment). The acquirer will acknowledge receipt of the file and confirm:
Once all data checks have been satisfied the merchant will be reimbursed accordingly.
Reconciliation stage:
The reconciliation stage is essentially a feedback stage that provides the merchant with a range
of transaction reports including:
Online processing using an EFT system – cardholder not present (nPoS EFT)
Cardholder not present transactions are normally associated with:
Such online processing is normally associated with so-called distance contracts,31 that is a contract
where there has been no face-to-face contact between the consumer and a representative
of the company/organisation selling the goods and/or services, or someone acting indirectly on
the business’s behalf, such as in a showroom or a door-to-door sales person, up to and including
the moment at which the contract is concluded.
(We will examine such transactions, including web-based e-commerce transactions, later in
this chapter and in more detail in Chapter 12.) For the moment let’s look at the process.
The validation stage and the authorisation stage are more or less the same whether the customer/
cardholder is present and/or the customer/cardholder is not present. Clearly, however, when
the customer/cardholder is not present there are a number of problems, for example:
• the merchant cannot view the card to assess and/or confirm its authenticity, and
• the merchant cannot obtain objective authorisation via either the customer/cardholder’s
signature or the customer PIN.
In addition, for mail order/call centre-based transactions card details may need to be keyed in
manually, increasing the risk of possible data entry errors.
Clearly the use of online processing (pPoS EFT and nPoS EFT), and indeed to some extent
offline processing, also presents many risks – perhaps the greatest being that of fraud resulting
from:
• employee skimming – that is the copying of customer/cardholder card details onto a blank
card (using either a magnetic card reader and/or computer software), and increasingly
• hacking (or more appropriately cracking)32 – that is either forced entry to non-secure computer
systems or the interception of information designed to obtain confidential (for our
purposes, credit card) information.
To assist in the prevention of fraud, an increasingly large range of anti-fraud measures can be, and
indeed are, used to minimise the possibility of fraud, some of the more popular being:
For a review of card processing and the procedures a merchant should adopt if card fraud is
suspected, have a look at the following HSBC plc website:
www.hsbc.co.uk/1/2/business/needs/card-fraud.
Finally
To facilitate point-of-service EFT (for both offline and online payments), a company/organisation
must have a merchant account (and ID)40 issued by an acquiring bank. In addition, to process
online payments a company/organisation must also have:
• voice recognition,
• signature recognition,
• fingerprint recognition,
• iris recognition,
• face recognition, and
• hand geometry recognition,
are now widely used in a range of security sensitive/identification sensitive areas – for point-
of-service EFT systems, as at end 2006, the current favoured technology appears to be pay by
touch43 using fingerprint recognition. This is a biometric-based payment service which enables
consumers to pay for the purchase of goods and/or services with the touch of a finger without
the need for debit or credit cards, cheques or indeed cash, essentially using a finger scan to
authorise the point-of-service EFT transaction (see www.paybytouch.com).44
Before we look at pay by touch in a little more detail, it would perhaps be useful to provide
some general context to our discussion on biometric systems.
Biometric identification technologies are essentially pattern recognition systems and generally
involve four stages:
• enrolment – that is a record associating a specific identifying biometric feature with a specific
individual is created,
• accumulation – that is storing a record of the biometric feature either in a permanent, non-movable
facility (e.g. a centralised database) or on a decentralised portable storage module
(e.g. on a smart card),
• acquisition – that is when identification is required, a new sample of the biometric feature is
acquired (e.g. a new iris scan and/or a new fingerprint scan), and
• matching – that is the newly acquired sample is compared to the stored sample and if the
newly acquired sample matches with the stored sample, there is a positive identification.
In the above we have assumed that only a single biometric measurement is used for identification
purposes. Such a system is referred to as an unimodal (or monomodal) biometric system: that is
a biometric system which relies on a single source of biometric data, information or evidence
for identity authentication. Where two or more biometric measurements are used concurrently
for identification purposes, such a system is referred to as a multimodal biometric system: that
is a biometric system which relies on multiple sources of biometric data, information and/or
evidence for identity authentication. Finally where a single biometric measurement is used
for identification purposes but is used concurrently with another form of variable input (e.g.
a number, word or phrase), such a system is referred to as an unimodal+ (or monomodal+)
biometric system: that is a biometric system which relies on a single source of biometric data,
information or evidence and an additional input variable for identity authentication.
Because biometric identification technologies used in point-of-service EFT systems are used
to not only establish but also confirm the identity of an individual,45 such biometric identification
technologies tend to be unimodal+ (or monomodal+) systems, that is:
• the initial biometric measurement establishes/determines the identity of the individual, and
• the additional input variable confirms the identity of the individual.
Pay By Touch
Whilst the use of biometric identification technologies in point-of-service EFT systems has been
gradually increasing in the USA since 2002, the Pay By Touch scheme currently being piloted by
the Midcounties Co-operative stores in Oxford (see Article 8.1) is the first of its kind in the UK.
To participate, a customer/client must enrol, usually online. Once enrolment is complete
the customer/client is provided with a Pay By Touch wallet (www.paybytouch.com), which
essentially stores the customer’s/client’s direct debit details/bank account information. As part
of the enrolment process the customer must create a search number and a password.
The search number (usually a six to eight digit number of the customer’s/client’s choosing)
is required to access the customer’s/client’s Pay By Touch wallet each time they use the Pay By
Touch facilities. The password is required by the customer/client to manage their Pay By Touch
wallet online. The Pay By Touch wallet can be amended and updated as often as the customer/
client deems necessary.
Once the online enrolment is complete and the direct debit account is approved (the customer/
client is informed by e-mail on approval) the customer/client must finalise the process (at a
participating store) within 60 days of the registration date, by presenting:
• a bank authorisation mandate form,
• a copy of a bank account statement,
• a Pay By Touch search number created during the online registration,
Article 8.1
Once stage two is complete and approved the facility is activated and the customer/client can
use the Pay By Touch point-of-service EFT systems.
It is important to note that all personal details (e.g. the customer’s/client’s Pay By Touch
wallet contents) and all biometric measurements/information are encrypted and stored in a
centralised database at a secure UK-based IBM data centre.
To use Pay By Touch at a checkout facility of a participating store, the customer/client
simply places their finger on the fingerprint reader and enters their search number. Once the
customer’s identity is authenticated, the total value of the purchases is approved and funds
are transferred from the customer’s/client’s bank account to the company’s bank account using
a standard direct debit facility.
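An added Python example (not Pay By Touch's or the book's code) that walks the four stages of a unimodal+ system: enrolment and accumulation into a central store, then acquisition of a fresh sample and matching at the checkout. It assumes the search number selects the candidate records and the fingerprint sample decides among them; the 64-bit templates, the Hamming-distance threshold, the customer names and the class name are constructed for the illustration, and the plain in-memory store stands in for the encrypted database the text mentions.

```python
from collections import defaultdict

MATCH_THRESHOLD = 8  # constructed: maximum differing bits (of 64) still counted as a match


def hamming(a, b):
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


class UnimodalPlusStore:
    """One biometric feature plus one additional input variable (the search number)."""

    def __init__(self):
        # Accumulation: a centralised store, keyed by the customer-chosen number.
        self._by_search_number = defaultdict(list)

    def enrol(self, customer, search_number, template):
        """Enrolment: associate a biometric template with one individual."""
        self._by_search_number[search_number].append((customer, template))

    def identify(self, search_number, sample):
        """Matching: compare a freshly acquired sample with the stored templates
        filed under the search number. Customers choose their own numbers, so
        several records may share one; the sample has to single out exactly one."""
        candidates = self._by_search_number.get(search_number, [])
        hits = [customer for customer, template in candidates
                if hamming(template, sample) <= MATCH_THRESHOLD]
        return hits[0] if len(hits) == 1 else None


# Constructed templates: real fingerprint templates are not 64-bit integers.
ALICE = 0xA5A5_F00F_1234_5678
BOB = 0x0F0F_3C3C_9ABC_DEF0
CAROL = 0xFFFF_0000_FFFF_0000


def build_demo_store():
    store = UnimodalPlusStore()
    store.enrol("alice", "482913", ALICE)
    store.enrol("bob", "482913", BOB)     # same search number as alice
    store.enrol("carol", "770021", CAROL)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    fresh = ALICE ^ 0b1011  # acquisition: a new scan differs from the template by 3 bits
    print(store.identify("482913", fresh))          # alice
    print(store.identify("770021", fresh))          # None: right finger, wrong number
    print(store.identify("482913", ALICE ^ 0xFFF))  # None: 12 bits off, a false reject
```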
So what are the advantages and disadvantages of biometric-based payment systems – in
particular fingerprint recognition systems?
The main advantages are:
• easy to use,
• customer/client convenience,
• eliminates the need for passwords, and
• reduces the possibility of fraudulent transactions.
Whilst each of the above web-based e-commerce facilities may appear to be very different,
such differences are merely aesthetic and generally exist as a result of a desire by the company/
organisation (and the web designer(s)) to maintain the company’s/organisation’s brand image
online. In essence, all such web-based e-commerce facilities both function and operate in the
same way – processing similar types of transaction data, using similar types of internal controls/
system security procedures, and interacting with similar external agents.
So what are the advantages and disadvantages of a web-based sales system?
Using a central management facility, the EPOS terminal would update the stores stock records
for each individual product purchased by the customer. Where appropriate the stores facility
would also uplink – probably using an intranet facility for internal regional stores and/or an
extranet facility for external suppliers – details of stock requirements for products/product lines
which have fallen below the economic reorder quantity level. Finally, the EPOS terminal would
check the product register database and identify the current price of each product presented
for purchase by the customer. Once all products have been scanned, the EPOS terminal would
present – as a single value – the total value of all the customer’s purchases.
Where payment by cash is offered, a receipt would normally be printed and presented to the
customer in exchange for the appropriate cash payment. However, before accepting the cash
payment, it is likely that any paper cash tendered by the customer (e.g. £5, £10 and especially
£20 and £50 notes) would be scanned and checked for authenticity, usually using an ultraviolet
light scanner to identify any possible forgeries. All authenticated cash would then be
placed in the EPOS terminal cash receipting lock box facility, and the products and receipt presented
to the customer, together with an appropriate amount of change if relevant. Once the
transaction has been completed the lock box facility would be closed and opened only at the end
of the next transaction.
Where payment by cheque is offered, again a receipt would be printed and presented to the
customer in exchange for payment. However payment would only be authorised and accepted
where a payment guarantee is provided – usually by means of a valid signed debit card acting
as a cheque guarantee card with, where necessary, additional appropriate identification. Where
such a guarantee is not provided by the customer, the cheque payment should be refused and
the sale transaction terminated or an alternative payment method requested. All valid cheques
would normally be placed in the EPOS terminal cash receipting lock box facility. Once the
transaction has been completed the lock box facility would be closed and opened only at the end
of the next transaction.
Clearly, the number and the value of cash-based/cheque-based payments received would
determine how often an individual EPOS terminal cash receipting lock box facility would need to be
emptied – that is, how often the EPOS terminal cash facility lock box should be removed and
replaced with an empty lock box.
It is of course important, for both safety and security reasons, that individual EPOS terminal
cash receipting lock boxes are regularly removed and securely transported to a protected and
access controlled environment (away from the shop floor) where cash and cheques can be
removed, counted, reconciled to individual EPOS terminal receipting records and prepared for
banking (if possible on the same day to minimise the need for expensive safe storage facilities).
Where limited cash/cheque deposits are received such deposits may be transported by company/
organisation staff. However, where a substantial amount of cash and cheques are received on
a regular basis it may be necessary to employ a security company (e.g. Group 4 Securicor
(www.g4s.com)) for the transportation of deposits to the company’s/organisation’s bank.
The advantages of cash-based/cheque-based sales systems are:
• the transaction process is simple and visible,
• there is no need for an invoice (only a cash receipt), and
• on completion of the sales transaction there is an immediate receipt of liquid funds (cash
sales) and near cash funds (cheque-based sales).
The disadvantages are:
• the additional costs associated with the need for additional investment in cash receipting
facilities. In a large supermarket, such investment could be substantial, especially where the
use of an integrated network of cash registers/tills is required,
• the need for increased security (including perhaps the appointment of security staff and/or
an external security agency) to manage the movement of cash and prevent possible theft,
• the costs associated with the requirement to count, record, account for and control the
movement of cash, and the resulting cost of such activities, and
• the need to regularly bank all cash receipts and separately reconcile cash receipts banked with
cash receipts received from the sale of products.
Note: Many retail companies, for example Tesco plc, Asda plc and now Boots plc, actively discourage
the use of cheques (see Article 8.2). Could the use of cheques as a method of payment
soon disappear completely?
Article 8.2
payment methods, said the cheque is losing out to the debit card. The big banks put the total amount
of consumer spending on the high street and via the internet at £240 billion in 2005. Cheques accounted
for less than 4 per cent of this. The value of cheque purchases fell 14 per cent compared to the year before
to around £9 billion. By contrast debit card spending rose 9 per cent to £89 billion.
APACS communications chief, Sandra Quinn, said: ‘Most people cannot remember the last time
they wrote a cheque and would not know where their cheque-book is. You are seeing a transition where
cheques have moved from being a mass-market product to a niche product. Cheques are a traditional
part of our lives, but people have moved on to debit cards, which have now been around for almost
20 years.
‘The rate of decline of the cheque has speeded up dramatically over the past two years, they could
be gone from the high street within five years. People find chip and PIN cards easier and more secure. It is
interesting that retailers are leading the way on this. They find dealing with cheques, particularly if it is a
low number, is a real drain on their resources.’
Source: 11 September 2006,
www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=404708&in_page_id=1770.
Whilst there can be little doubt that the use of non-debtor-based revenue cycle sales systems
– especially EPOS-based and web-based sales systems – is now an essential feature of the
revenue cycle activities of many high street retailers, the use of non-debtor-based revenue cycle
sales systems is not without risk.
The main risk associated with an EPOS-based sales system is the acceptance of fraudulent
transactions – that is payments made by customers/clients using a stolen debit/credit card.
The main risks associated with a web-based sales system include:
• the infection of web-related information systems,
• the theft of customer/client-related data,
• the unauthorised access/viewing of confidential data, and
• the misappropriation of assets and/or resources.
And the main risks associated with a cash-based/cheque-based sales system include:
• the misappropriation of cash, and/or
• the misappropriation of cheques.
But how do these key control objectives translate into real-world activities – into practical
internal controls, not only general controls but also applications controls?
General controls
• organisational controls,
• documentation controls,
• access controls,
• asset management controls,
• management practice controls, and
• information system controls.
Organisational controls
Organisational controls generally refer to the separation or segregation of duties. Within the
revenue cycle such controls should ensure that there is an organisational separation between:
• activities related to the authorising of revenue transactions – for example the acceptance of
a new debtor, the authorising/amendment of a debtor’s credit limit and the acceptance of a
customer/client order,
• the distribution and delivery of a product/service to customers/clients,
• activities related to invoicing,
• activities related to the collection of payments from customers/clients,
• the management of debtor accounts, and
• the recording of financial transactions.
That is between:
• those involved in the creation and/or modification of revenue cycle programmes, and
• those involved in the day-to-day revenue cycle activities and processes.
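One way to test the separation of duties described above, as an added Python example that is not taken from the book. The permission names, users, transaction references and the mapping of permissions to the duties listed in the text are all constructed; the first check looks at what each user is able to do, the second at an activity log for one person actually performing two duties on the same transaction.

```python
from collections import defaultdict
from itertools import combinations

# Constructed mapping from system permissions to the duties the text says
# must be kept apart (six revenue cycle duties plus programme development).
PERMISSION_DUTY = {
    "debtor.create": "authorisation",
    "credit_limit.amend": "authorisation",
    "order.accept": "authorisation",
    "despatch.confirm": "distribution",
    "invoice.create": "invoicing",
    "receipt.post": "collection",
    "debtor.write_off": "debtor_management",
    "journal.post": "recording",
    "program.modify": "development",
}


def duties_of(permissions):
    """Translate a set of permissions into the set of duties they represent."""
    return {PERMISSION_DUTY[p] for p in permissions if p in PERMISSION_DUTY}


def assignment_conflicts(user_permissions):
    """Users whose permissions span two or more duties, with each conflicting pair."""
    conflicts = {}
    for user, permissions in sorted(user_permissions.items()):
        pairs = list(combinations(sorted(duties_of(permissions)), 2))
        if pairs:
            conflicts[user] = pairs
    return conflicts


def transaction_violations(events):
    """Transactions on which a single user exercised more than one duty.

    events: iterable of (transaction reference, user, permission used).
    """
    exercised = defaultdict(set)
    for transaction, user, permission in events:
        duty = PERMISSION_DUTY.get(permission)
        if duty is not None:
            exercised[(transaction, user)].add(duty)
    return sorted((transaction, user, sorted(duties))
                  for (transaction, user), duties in exercised.items()
                  if len(duties) > 1)


# Constructed sample data.
USER_PERMISSIONS = {
    "asmith": {"order.accept", "credit_limit.amend"},  # one duty, two permissions
    "bjones": {"invoice.create", "receipt.post"},      # invoicing and collection
    "cdev": {"program.modify", "journal.post"},        # development and recording
    "dlee": {"despatch.confirm"},
    "epatel": {"receipt.post"},
}
EVENTS = [
    ("SO-1001", "asmith", "order.accept"),
    ("SO-1001", "dlee", "despatch.confirm"),
    ("SO-1001", "bjones", "invoice.create"),
    ("SO-1001", "bjones", "receipt.post"),
    ("SO-1002", "asmith", "order.accept"),
    ("SO-1002", "bjones", "invoice.create"),
    ("SO-1002", "epatel", "receipt.post"),
]

if __name__ == "__main__":
    for user, pairs in assignment_conflicts(USER_PERMISSIONS).items():
        print(f"{user} holds incompatible duties: {pairs}")
    for transaction, user, duties in transaction_violations(EVENTS):
        print(f"{transaction}: {user} performed {duties}")
```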
Documentation controls
Complete and up-to-date documentation should be available for all revenue cycle procedures.
Such documentation should include, for example:
• organisational charts detailing the responsibility structure within the revenue cycle and the
separation/segregation of duties within each of the revenue cycle systems,
• procedural descriptions of all procedures and processes used within the revenue cycle,
• system flowcharts detailing how functions/activities within the revenue cycle operate,
• document flowcharts detailing what documents flow within revenue cycle systems,
• management control/internal control procedures detailing the main internal controls within
the revenue cycle – in particular the credit approval process and the debtor write-off process,
• user guides/handbooks providing a broad overview of the main functions/activities within
the revenue cycle, and
• records of recent internal/external audits undertaken on individual revenue cycle systems.
Access controls
For all revenue cycle systems it is necessary to ensure that all tangible physical assets – for
example stocks held within company/organisation stores and/or cash/cheques temporarily
held within the company/organisation finance office – and all intangible information assets –
for example customer/client data/information – are protected and securely stored, with access
to such assets closely monitored.
Where information and communication technology is used as an integral part of the revenue
cycle systems and activities, it is important for both internal control and security purposes to
ensure that:
• assigned user names and passwords are used to authenticate users and authorise access to
revenue cycle transaction data and customer/client information,
• location and/or terminal restrictions are used, where appropriate, to control access to revenue
cycle-based data/information (e.g. confidential debtor account information should only
be accessible by appropriate staff (finance staff) at approved locations, such as within the
finance office), and
• transaction data/information is securely stored with access to both current transaction files/
master files and back-up copies of all transaction files/master files restricted.
• the periodic review and assessment of the condition and value of the underlying asset –
for example the physical condition of individual stock items or the determination of the
recoverability of an outstanding debt.
Such reconciliations would include, for example:
• debtor reconciliation – a reconciliation of the balance in the debtor’s control account in the
general ledger and the total of the debtor account balances in the sales ledger (debtor ledger),
• stock reconciliation – a reconciliation of the balance in the stock account (or individual
stock accounts if different classes of current assets are stored) in the general ledger and the
physical stock(s) held in the store(s)/warehouse(s),
• bank reconciliation – a reconciliation of the balance in the bank account (or bank accounts
if a number of different accounts are used) in the general ledger and the bank statement for
each account,
• movement reconciliation – a reconciliation/record of assets prior to any movement/transfer
– for example a mail room assistant listing all cheques received in the post prior to the transfer
of such cheques to the finance/cashier’s office.
Application controls
As with all application controls, those applicable to the revenue cycle can be categorised as input
controls, processing controls or output controls.
Input controls
Revenue cycle input controls are designed to ensure the validity, appropriateness and correctness
of revenue cycle specific input data.
Such controls would include, for example:
• appropriateness checks, for example:
  ◦ data matching checks – comparing the customer/client order with either the stock issue
    request, production order request (where a product requires manufacturing) or the service
    provision schedule (where a service requires scheduling for delivery), and the customer/
    client invoice,
  ◦ data entry checks – comparing the customer/client order with product/service price lists, and
  ◦ data validity checks – comparing payment receipts with the customer/client order and
    invoice,
• authorisation procedure checks – for example customer/client identification checks and
credit approval checks/credit limit checks, and price list checks, to ensure the validity of
transactions,
• conversion controls tests, record count checks and/or completeness checks – for example
batch control totals, sequence totals and/or hash control totals, to ensure all data is processed,
and
• error tests/error correction procedure checks to ensure all incorrect data is identified appropriately
and dealt with.
Where input data is transmitted from a source origin to a processing destination electronically,
additional supplementary input controls would normally be required.
Such additional input controls would include, for example:
Processing controls
Revenue cycle processing controls are designed to ensure only authorised revenue cycle transaction
data are processed and all authorised revenue cycle transaction data are processed
accurately, correctly and completely.
Such controls would include, for example:
• file maintenance checks – to ensure that both debtor file records and transaction records are
efficiently maintained,
• file labelling checks – to ensure all revenue cycle data files are correctly labelled,
• verification checks – to ensure all revenue cycle transaction data are validated and approved
prior to processing,
• processing logic checks – to ensure that the actual processing steps by which data are transformed
or moved are consistent with defined procedures/protocols,
• limit checks – to ensure that all revenue cycle transaction data exist within defined processing
parameters (e.g. value of transaction, date of transaction),
• reasonableness checks – to ensure that revenue cycle transaction data are consistent with
processing expectations,
• sequence checks – to ensure that no interruptions or gaps exist in the sequence of transaction
data processed,
• audit trail controls – to ensure that a visible trail of evidence and/or chronology of events is
available to enable the tracing of transaction events,
• control totals checks – to check that revenue cycle transaction file control totals are consistent
with the contents of the transaction file to which they relate, and
• data checks – to check for the existence of duplicate and/or missing data.
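The following sketch shows how several of the processing controls listed above (control totals, hash totals, sequence checks, duplicate data checks and limit checks), together with the batch control totals named under input controls, can be applied to one batch of invoices. It is an added example, not taken from the book; the record layout, field names, limits and sample data are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    seq_no: int        # pre-numbered invoice/transaction number
    debtor_id: int     # sales ledger (debtor ledger) account number
    amount: Decimal    # invoice value
    txn_date: date


@dataclass(frozen=True)
class BatchHeader:
    """Totals computed where the batch was prepared, before processing."""
    first_seq: int
    record_count: int
    control_total: Decimal   # sum of invoice amounts
    hash_total: int          # sum of debtor ids; meaningless except as a check


def check_batch(header, records, max_amount, period_start, period_end):
    """Return a list of (check_name, detail) findings; an empty list means accept."""
    findings = []

    # Record count and control totals: does the file match its own header?
    if len(records) != header.record_count:
        findings.append(("record_count", f"{len(records)} != {header.record_count}"))
    total = sum((r.amount for r in records), Decimal("0"))
    if total != header.control_total:
        findings.append(("control_total", f"{total} != {header.control_total}"))
    hashed = sum(r.debtor_id for r in records)
    if hashed != header.hash_total:
        findings.append(("hash_total", f"{hashed} != {header.hash_total}"))

    # Sequence and duplicate checks on the pre-numbered transaction numbers.
    counts = Counter(r.seq_no for r in records)
    expected = range(header.first_seq, header.first_seq + header.record_count)
    for seq in expected:
        if seq not in counts:
            findings.append(("sequence_gap", str(seq)))
    for seq, n in sorted(counts.items()):
        if n > 1:
            findings.append(("duplicate", f"{seq} x{n}"))
        if seq not in expected:
            findings.append(("sequence_range", str(seq)))

    # Limit checks: value of transaction and date of transaction.
    for r in records:
        if not (Decimal("0") < r.amount <= max_amount):
            findings.append(("limit_value", f"{r.seq_no}: {r.amount}"))
        if not (period_start <= r.txn_date <= period_end):
            findings.append(("limit_date", f"{r.seq_no}: {r.txn_date}"))
    return findings


# --- Constructed sample data (not real transactions) -------------------------
MAX_AMOUNT = Decimal("10000.00")
PERIOD_START, PERIOD_END = date(2007, 1, 1), date(2007, 1, 31)

HEADER = BatchHeader(first_seq=1001, record_count=4,
                     control_total=Decimal("545.49"), hash_total=2007)

CLEAN_BATCH = [
    Invoice(1001, 501, Decimal("120.00"), date(2007, 1, 8)),
    Invoice(1002, 502, Decimal("75.50"), date(2007, 1, 9)),
    Invoice(1003, 503, Decimal("300.00"), date(2007, 1, 9)),
    Invoice(1004, 501, Decimal("49.99"), date(2007, 1, 10)),
]

# Invoice 1003 dropped, 1002 entered twice, 1004 altered. The record count
# still equals the header, so a record count check alone would pass this batch.
ALTERED_BATCH = [
    Invoice(1001, 501, Decimal("120.00"), date(2007, 1, 8)),
    Invoice(1002, 502, Decimal("75.50"), date(2007, 1, 9)),
    Invoice(1002, 502, Decimal("75.50"), date(2007, 1, 9)),
    Invoice(1004, 501, Decimal("25000.00"), date(2007, 2, 3)),
]

if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("altered", ALTERED_BATCH)):
        result = check_batch(HEADER, batch, MAX_AMOUNT, PERIOD_START, PERIOD_END)
        print(name, "ACCEPT" if not result else "REJECT")
        for check, detail in result:
            print("   ", check, detail)
```

In the altered batch the record count still agrees with the header, which is why the count is paired with value-based totals and sequence checks rather than relied on alone.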
Output controls
Revenue cycle output controls are designed to ensure all revenue cycle output is authorised,
accurate and complete, and distributed to approved and authorised recipients only. Such controls
would include, for example:
• distribution controls to ensure the debtor statements of account are sent to the correct
customer/client,
• verification control to ensure the validity and accuracy of output information (e.g. invoices/
statements of account),
• reconciliation checks to ensure all transaction numbers are accounted for, and
• review/audit trail checks.
Where output data is transmitted from a processing origin to a user destination electronically,
additional supplementary output controls would normally be required.
Such additional output controls would include, for example:
• transmission tests to ensure that data are transmitted correctly,
• recipient identifier checks/controls to authenticate the recipient before the delivery of data/
information,
• security checks/controls to ensure data/information is delivered completely, and
• validation checks/controls to ensure data/information is received and accessed by the authorised
recipient only.
In broad accounting terms, capital income can be defined as income receipts relating to the disposal
of capital assets and/or investments. As we saw earlier, the receipt of revenue income, and
the revenue cycle activities related to income generated from the sale of products and services
generally, commences with an external consumer/client activity or a series of related activities
(e.g. the submission of a customer/client order). The receipt of capital income from the disposal
of capital assets/investments, however, generally commences with an internal management
action/decision or series of related decisions/activities. For example, the receipt of such capital
income may result from:
• an internal management decision to raise additional capital funds for investment in other
capital projects/assets, or
• an internal management decision following a speculative request for an external agent to
purchase existing company/organisation assets, or
• a recurring asset replacement cycle decision.
We will look at capital income – in particular issues related to capital income resulting from the
disposal of company/organisation assets and investments – in more detail in Chapter 11.
Concluding comments
Bibliography
Self-review questions
Question 1
BeTiCe Ltd is a newly formed, UK-based retail company. The company will specialise in street fashion accessories
for both men and women, and will commence trading in three months, once a number of retail outlets
have been refurbished. At a recent management meeting the company financial director proposed that the
company should use a non-card payment system – particularly a Pay By Touch EFT system – for payments
by customers. He was however unable to provide precise details of how such a system would work.
Required
Provide a brief report to the company’s management committee and explain:
• how a Pay By Touch system would operate,
• the main stages involved in implementing a Pay By Touch system, and
• the main advantages and disadvantages of such a payment system.
Question 2
RTY plc is a UK retail company with retail outlets in the south-east and north-west of England. In total the company
has six retail outlets in the south-east and eight in the north-west. The company currently employs 195 staff.
The company has been trading successfully for a number of years.
For the year ending 31 December 2002 the company’s turnover was £4.8m and its net profit for the year
was £1.1m. As part of the company’s information technology strategy, RTY plc is considering installing an
Electronic Point Of Sale (EPOS) system for use in all its retail outlets.
The company is, however, aware that the acquisition and development of an EPOS system would require not
only a substantial capital investment, but also a significant change in operating procedures at each of the retail
outlets – possibly involving staff redundancies.
The management board of RTY plc have asked you, as their recently appointed Systems Accountant, to prepare
a report on EPOS systems for presentation to the company’s management board at its next meeting in June 2003.
Required
Prepare a report for the management board of RTY plc on the development and implementation of an EPOS
system. Your report should provide:
• a brief description of how an EPOS system works,
• a review of the potential advantages and disadvantages of EPOS systems for the company, and
• an evaluation of the potential control problems RTY plc could face as a consequence of implementing a
company-wide EPOS system for its retail operations.
Question 3
ZKO Plc was a UK-listed company that produced digital audio equipment for the retail market. The company’s
products were sold throughout Europe, North America, Australia and Canada, and were widely regarded as
the best in the market. Indeed, during the period 1995 to 2001, the company’s digital audio equipment consistently
won high praise from both consumer groups and retail critics.
In January 2002, however, ZKO Plc suddenly went into liquidation. The company failed with debts amounting
to £105m.
The failure of the company was headline news around the world with press speculation focusing on the
possibility of large-scale financial reporting irregularities and potential management fraud.
However, in April 2002 the company receivers published their findings. Their report indicated that whilst some
unacceptable accounting irregularities had been evident in the company’s published financial reports for a
number of years, the principal cause of ZKO Plc’s failure had been inadequate control within its revenue cycle
operations – in particular the management of debtor payments.
The company receivers’ report concluded that:
whilst substantial profits were generated by sales transactions these profits were rarely converted into cash-
based resources. Moreover, the company increasingly maintained an unhealthy and somewhat excessive
level of debtors, many of which were clearly irrecoverable.
Required
Describe the main function of a sales system for a company such as ZKO Plc and explain the inherent risk
associated with the failure of such a system.
Describe the primary function of debtor management and explain the separation of duties necessary for
adequate debtor management in a company such as ZKO Plc. Indicate the problems that may occur in a
debtor management system when such separation of administrative powers does not exist.
Question 4
A company’s sales system functions not only as part of the corporate marketing cycle, but also as part of the
corporate asset interface/exchange process.
Required
Describe the accounting controls you would expect to find in a sales system designed for the sales of electrical
commodities and discuss how the failure of such accounting controls could potentially affect the valuation
and security of company assets and the disclosure of company assets in the annual financial reports.
Question 5
You have recently been appointed by the management board of JKL Ltd, a small electrical accessories
company, to design a company-wide computer-based sales/debtors system. To date, the company has
maintained a manual record system for its sales/debtors.
For the previous three financial years the company has had an average annual turnover of £18m (all sales are
in the UK), and average annual profits of approximately £4.4m. The company has approximately 50 employees
working at six locations throughout the UK: Manchester, which is the company’s head office, Birmingham,
Leeds, Swindon, Bristol and Newcastle. In Manchester, five staff are directly involved in the sales/debtors system,
whereas in the remaining five locations only 10 members of staff are directly involved – two at each regional
location.
For the year ended 31 January 2007, approximately 95% of the company’s sales were trade sales to UK
retail companies, of which 88% of these sales were on credit. In addition, for the past three financial years,
bad debts relating to trade sales have averaged approximately 5% of the company’s turnover in each year,
resulting in lost income over the three years of approximately £2.7m. It is this loss of sales income that has
prompted the management board of the company to review its sales/debtors system.
The company purchases all its retail stock.
Required
Making whatever assumptions you consider necessary, prepare a draft design for the management board of
JKL Ltd indicating, where appropriate, the necessary control procedures you recommend in order to minimise
the growing level of bad debts.
Assignments
Question 1
UK card fraud has risen steadily over the past 10 years, from £83.3m in 1995 to £504.8m in 2004. Over the
same period, card usage and the number of cards issued has risen, and continues to rise in the UK. With
increasing card use comes an increased risk of exposure and . . . (companies) . . . should remain vigilant to
the potential fraud risk (http://www.hsbc.co.uk/1/2/business/needs/card-fraud).
Required
To assist in the prevention of fraud (especially in relation to point of service EFT), a large number of anti-fraud
measures are now available for retailers to use. Some of the more popular anti-fraud measures are:
• the use of forced online protocols,
• the use of floor limits,
• the use of ‘one-in-n’ checks – that is sample random transactions checks,
• the use of multiple transaction checks,
• the use of Hot Card files,
• the use of encryption,
• the use of Secure Sockets Layer (SSL),
• the use of Card Security Code (CSC),
• the use of address verification services (AVS), and
• the use of payer authentication.
Describe and critically evaluate each of the above anti-fraud measures.
Question 2
BPL Ltd is a small local retail company. The company sells a branded clothing range for 18–30 year olds.
During the past financial year (year ending 31 December 2005) the company had an annual turnover of £1.5m
and an annual net profit of approximately £700,000.
The company has two retail outlets located in Manchester and Oxford, and employs five part-time sales
assistants, one administrator and one manager.
Currently, sales are either over-the-counter sales at either retail location, or mail order sales from the company’s
annual catalogue. Over-the-counter sales can be for cash, credit/debit card payment or payment by cheque. Mail
order sales can be for credit/debit card payment and/or cheque payment only. All mail order sales are processed
at the company’s Manchester retail outlet. Last year 42% of the company’s turnover was from mail order sales.
For credit/debit card-related sales, the company operates a chip and pin-based ePOS (electronic point of sale)
system. All over-the-counter sales are processed by the sales assistants. All mail order sales are recorded by
the administrator.
Mail order sales are only accepted from authorised customers. These customers are authorised by the manager
in advance and are allowed 45 days’ credit. In the past financial year, however, the manager authorised the
write-off of £86,000 for bad debts arising from non-payment by mail order customers. Estimates for the current
financial year suggest that bad debt write-offs may exceed £100,000.
The manager has become increasingly concerned about the growing level of bad debts, and is exploring the
possibility of developing an internet-based e-commerce facility to replace its catalogue-based mail order
facility, and eliminate ever-increasing levels of bad debt.
Required
Describe the main function of a sales system for a company such as BPL Ltd and explain the inherent risk
associated with the failure of internal controls within such a system.
Chapter endnotes
1
In a broad sense, marketing is concerned with identifying, anticipating and meeting the needs
of customers in such a way as to make a profit. Inasmuch as marketing generally operates at
two levels within a company/organisation:
• the strategic level – concerned with major long-term decisions that affect the whole organisation,
and
• the tactical level – concerned with applying the marketing mix in the most appropriate way:
that is organising promotions, setting prices, positioning the product/service, and organising
distribution and delivery,
a company’s/organisation’s marketing model can be defined as the company’s/organisation’s
unique combination of a marketing strategy and an appropriate selection of marketing tactics
to create a customer-orientated, profit-making business.
2
See Chapter 6.
3
Whilst we will use the term ‘individual’, it can refer to any non-corporate entity/organisation.
4
RFID (Radio Frequency IDentification) is a method of remotely collecting and/or retrieving
data with the use of RFID tags/transponders.
5
And the requirements of the Data Protection Act 1998.
6
Personal Digital Assistant.
7
SITPRO Limited, formerly The Simpler Trade Procedures Board, was set up in 1970 as the
UK’s trade facilitation agency. Reconstituted as a company limited by guarantee in April 2001,
SITPRO is one of the non-departmental public bodies for which the Department of Trade and
Industry has responsibility.
8
Such trade between member states is referred to as either:
• arrivals or acquisitions (purchases or imports), and
• dispatches or removals (sales or exports).
9
VAT-registered companies/organisations subject to extant VAT tax rules can offset VAT
payments related to inputs (purchases) against VAT receipts on outputs (sales).
10
These would also include payment by postal order and/or money order.
11
Demographically, such a payment method is perhaps only favoured by the elderly.
12
Where a cash discount is allowed – as an incentive to encourage customers/clients to pay
early – it is important to ensure that any such payment requirement is fulfilled. In the UK, a
number of companies have now discontinued the practice of offering early payment discounts
as customers/clients frequently accept such discounts without submitting payment within the
required period.
13
A formal reminder for payment would normally contain a reminder to the customer/client
for payment of the outstanding balance – usually within seven days – but also somewhat paradoxically,
an apology to the customer/client if payment has already been made before the receipt
of the formal reminder.
14
County court judgment.
15
Currently the statutory rate is 8% pa.
16
See s69 County Courts Act 1984.
17
Such a charge could be either:
• a fixed charge on specific assets/group of assets of the customer/client, or
• a floating charge on all the assets of the customer/client.
18
For a number of well-known UK companies this minimum level is currently £50.
19
Such companies often offer a range of debt management services, ranging from:
• sales ledger accounting, to
• credit insurance, to
• debt factoring/debt management.
20
The main card schemes are MasterCard and Visa, which together account for nearly 90%
of all the payment cards in circulation.
21
See Chapter 12 for further details on e-money.
22
For debit cards this will be the amount of money in the cardholder’s account (together with
any overdraft facility). For credit cards, this will be the amount of money that the card issuer is
prepared to lend the cardholder (the credit limit).
23
The acquirer (or acquiring bank) will be responsible for:
• forwarding transaction requests from the merchant to the card issuer so that the cardholder’s
identity can be verified and to ensure that the cardholder has sufficient funds available to
support the transaction;
• acting on behalf of the card issuer and authorising transactions where a referred transaction
requires further information from the cardholder;
• collecting the settlement files from the merchant;
• forwarding settlement files to the appropriate card issuer;
• reimbursing the merchant with the funds payable on the transactions (less the merchant
service charge); and
• maintaining a Hot Card File – a record of all cards reported as being either lost or stolen.
Examples of UK acquirers are:
• Royal Bank of Scotland,
• Barclays Merchant Services,
• NatWest Streamline,
• Lloyds TSB Cardnet, and
• HSBC Merchant Services.
24
It is possible and, indeed often the case, that a merchant has more than one acquirer.
25
A generic term for the machine used to ‘swipe’ a debit and/or credit card.
26
If the system has a Hot Card checking facility the customer’s card number will be checked
against a list of lost or stolen cards provided by the banks or other financial institutions/
organisations. If the customer’s card number matches a card number on the list, the merchant
must decline the transaction and retain the customer’s card.
27
Merchant Service Agreement.
28
The acquirer has agreed the transaction and has confirmed that the customer/cardholder has
the funds available and the merchant will receive payment for the transaction.
29
The acquirer has refused the transaction. No explanation will be offered by the acquirer: that
is the merchant will not be informed why the transaction was declined.
30
The acquirer has requested further information before deciding whether to authorise the
transaction. For example, the acquirer may request the merchant to obtain further confirmation
of the identity of the customer/cardholder before a decision on whether to authorise or decline
the transaction is made.
31
The Consumer Protection (Distance Selling) Regulations 2000 defined a distance contract
as: ‘any contract concerning goods and services concluded between a supplier and a customer
under an organised distance sales or service provision scheme run by the supplier who for the
purposes of the contract makes exclusive use of one or more means of distance communication
up to and including the moment that the contract is concluded’ (s3).
32
See Chapter 13.
33
Where a merchant is unsure about the validity of a customer/cardholder’s identity or has
suspicions about the transaction, the merchant can force the transaction to be authorised online.
34
A floor limit is an agreed limit between the merchant and acquirer. If the transaction amount
exceeds the floor limit, the transaction is forced online for authorisation.
35
Hot Card files contain details of lost and stolen cards. Where Hot Card checking is installed,
each time a merchant accepts a card as payment for a transaction, the system checks the card
number against entries in the Hot Card file. Obviously if the card number is listed, the merchant
must decline the transaction and retain the card.
36
SSL provides a secure method of transmitting and authenticating data over a network via
TCP/IP. Developed to enable the secure transmission of information over the Internet, SSL can
be used to reduce the risk of credit card information being intercepted.
37
Card Security Codes (CSC) were introduced as an anti-fraud measure for customer/
cardholder not present transactions (nPoS EFT) where objective verification/validation is not
possible. A CSC is a three-digit number (four-digit number for American Express) that is
generated automatically on manufacture. The CSC is printed on the signature strip on the back
of the card.
38
Address Verification Services (AVS) were also introduced as an anti-fraud measure for
customer/cardholder not present transactions (nPoS EFT) where objective verification/validation
is not possible. AVS entails the checking of information about the customer/cardholder’s address.
39
Specifically to reduce the incidence of fraudulent internet-based transactions, payer authentication
enables online merchants to authenticate customers/cardholders in real time.
40
A merchant ID is a unique electronic ID assigned to a merchant by an acquiring bank.
41
A Payment Service Provider (PSP) provides payment gateway services to enable a merchant
to process, authorise, settle and manage credit/debit card transactions.
42
The word ‘biometric’ is derived from the Greek words bios, meaning life, and metrikos,
meaning to measure.
43
It is perhaps worth noting that the Pay by Touch service provided by paybytouch @ www.paybytouch.com
does not actually use fingerprints, but uses micro measurements of an individual’s
finger which are then converted into a mathematical equation, encrypted and stored on
a secure database.
44
Established in 2003, Pay by Touch currently services over 154,000 retail clients, manages
personalised rewards programmes for more than 130 million opt-in consumers, and has more
than 2.3 million shoppers using biometric authentication products and services at over 2000
retail outlets in the USA (and Europe).
45
Biometric technologies are also used for identity verification and security screening purposes.
46
For example, many small out-of-town food retailers (e.g. Costcutter, see www.costcutter.co.uk),
often charge an additional fee for payment by debit and/or credit card if the value of the transaction
is less than a minimum – often £5.
47
Whilst the majority of customers/clients in this category may make a conscious decision not
to use a debit/credit card to pay for the purchase of products, in some instances, a customer/
client may be precluded from using such payment facilities. For example, recent personal
bankruptcy and/or an excessive level of personal debt may result in an issuing bank/credit card
company withdrawing access to debit/credit card facilities.
Introduction
The expenditure cycle can be defined as a collection of business-related activities/
resources and information processing procedures, concerned with:
with the primary objective of the expenditure cycles being to minimise the total cost of
acquiring and maintaining the products/services required for the company/organisation to
function effectively, whilst maintaining the good image of the company/organisation.
See Figure 9.1.
In general, three types or variations of expenditure cycle can be identified:
It is perhaps worth noting that whereas both the revenue-related expenditure cycle and the
capital-related expenditure cycle would utilise many of the same company/organisation
procedures, processes and controls (see later), the human resource-related expenditure cycle
– although primarily concerned with revenue-related expenditure such as the payment of
wages and salaries to employees – would utilise a number of procedures, processes and
controls unique to that expenditure cycle.
Why? Put simply, employee remuneration systems tend to be subject to very specific
and often very complex statutory requirements and fiscal regulations.
So, what role(s) would a company/organisation accounting information system play in
an expenditure cycle? Whilst in an operational context, the accounting information system
would be used to assist in:
in a more strategic context, the accounting information system would be used to safeguard
expenditure cycle resources and ensure:
Learning outcomes
This chapter explores a wide range of issues related to the corporate expenditure cycle,
in particular:
• creditor-based expenditure-related systems,
• non-creditor-based expenditure-related systems, and
• payroll-related systems.
The expenditure cycle is concerned with the acquisition of assets, raw materials, products and/or
services for business-related purposes.
The main objectives of the revenue expenditure cycle are to:
• ensure that all products, services and/or resources are ordered as needed/required by the
company/organisation,
• ensure all ordered goods are received,
• verify all products are received in an appropriate condition,
• safeguard products until required by the company/organisation,
• record and classify expenditure correctly and accurately,
• record and account for all expenditure cycle-related obligations/commitments,
• ensure that all disbursements/payments are for authorised and approved expenditure only,
and
• record and account for all expenditure cycle-related disbursements to suppliers/providers to
the correct account in the creditor’s ledger.
In an accounting context, such expenditure can be classified as either:
• capital expenditure¹ – that is expenditure related to the acquisition and/or improvement of
either tangible or intangible fixed assets, and
• revenue expenditure² – that is expenditure incurred as a result of
  ◦ the purchase of current assets,
  ◦ the repair and maintenance of fixed assets, and/or
  ◦ the purchase of supplier/provider services.
It is therefore not surprising that legislative provisions exist within the UK, the European
Union and indeed many of the WTO³ membership countries to prohibit agreements, business
practices and commercial conduct that may damage market competition and the free (or more
appropriately regulated) flow of capital.
For example in the UK, the Competition Act 1998 prohibits:
• the use of anti-competitive agreements – see Chapter 1 of the Competition Act 1998,⁴ and
• the abuse of a dominant position in a market – see Chapter 2 of the Competition Act 1998.⁵
In addition, the Competition Act 1998 also established the Competition Commission (see
www.competition-commission.org.uk), as an independent public body to ‘conduct in-depth
inquiries/investigation into mergers, markets and the regulation of the major regulated
industries.’⁶
Because the Competition Commission has no power to conduct inquiries on its own
initiative, every inquiry/investigation undertaken by it is in response to a reference made to
it by another regulating/monitoring authority – usually the Office of Fair Trading (OFT), the
Secretary of State or the regulator of a sector-specific industry, for example OFWAT (Office of
Water Services) or OFCOM (Office of Communications).
As with the revenue cycle, there are two possible alternative types of expenditure cycle:
That is expenditure transactions in which the supplier/provider is selected, and approved prior
to the completion of any expenditure transaction. The creditor-based revenue cycle is therefore
a subject (or supplier/provider) orientated revenue transaction cycle.
Generally, such creditor-based expenditure cycle transactions will occur within companies/
organisations classified as context type 1(a)7 and 1(b), and perhaps also 2(b) and 2(c), with
• cash-based expenditure, or
• card-based expenditure,
and will occur within companies/organisations classified as context types 1(a) and 1(b), and
perhaps also 2(a), 2(b), and possibly 2(c) albeit to a very limited extent.
We will look at both cash-based, and card-based non-creditor expenditure later in this
chapter.
Such a creditor-based expenditure cycle can be divided into four component systems:
• the product/service lead time – that is the time required for the product/service to be delivered,
• the terms of settlement offered by the supplier/provider, and
• the method of delivery used by the supplier/provider.
Remember, cheap is not necessarily best since a good supplier/provider may charge a higher
price for:
• the provision of good-quality management/quality control and guarantee the delivery of
defect-free product/services,
• the assured direct delivery of products/services to the right place, at the right time and in the
right quantities, and
• the provision of simplified administrative processes and authorisation procedures/arrangements.
Regarding this last point, increasingly, many companies/organisations now link the supplier/
provider register/database to the company’s/organisation’s creditor ledger within the accounting
information system, the benefit of this being that where a supplier/provider has provided products/
services to the company/organisation, it allows financial information such as:
• the level of trade undertaken with the supplier/provider, and/or
• the recent payment histories with the supplier/provider,
Article 9.1
Supplier contracts
If a purchaser is to get the best out of a potential supplier it is seen as a good move to lock
yourself into a long-term contract. But will this not make the supplier complacent and
monopolistic in the long run? And in a time of crisis, the purchaser will have no alternative
options.
Christopher Barrat, director of the Greystone Partnership, writes: There are three questions
here, and all of them go to the heart of issues that purchasers face.
First, I would challenge your initial assumption. ‘Long term’ as a concept is hard to defend in
the more flexible and networked marketplace of today. However, if you do believe you have a
great deal, then securing it with a contract is a good thing to do.
Contracts also force both parties to make sure they have agreed the key elements of the deal,
and that alone has benefits. I agree that this could make suppliers complacent – although it
rarely makes them monopolistic. Complacency comes because they don’t have to fight for the
business any more, so processes can get sloppy and service drops. This is a reactive response to
stability, which is very different from a proactive response of behaving in a monopolistic way.
Providing you were happy with the deal in the first place, then the contract helps to avoid
monopolistic behaviour rather than encourage it.
If over the time of the contract the market forces have moved, then it will be these, rather than
the attitude of supplier, that will determine whether they can take a monopolistic attitude, or if
you can take an opportunistic one. The skill is to constantly monitor how the balance of
dependency is shifting. At one end both parties could be independent of any reliance on the
other. In the middle you could have some dependency, and ultimately you could find you are
totally interdependent. This will determine the degree to which you lock yourself in.
The third point is about market flexibility. If you have a long-term contract then it certainly
should have strict definitions of how each party will behave if there is a crisis, and this should
include your rights to seek alternative supplies. It is your duty as a purchaser to ensure you have
some alternative suppliers who you are at least ‘keeping warm’. Most suppliers are keen to break
into customers who are linked to the competition, and what better time than when the
incumbent supplier has let them down.
You will only be left with no alternatives if you too have become complacent and forget to keep
your supply network interested. Remember this is not a marriage – it is a business relationship.
You may have a partner at the moment, but don’t let that stop you from the occasional
flirtatious liaison: it can keep all parties fresh and interested in making things work.
Source: Advisor, 25 May 2006, Supply Management
http://www.supplymanagement.co.uk/EDIT/CURRENT_ISSUE_pages/CI_adviser_item.asp?id=14894.
Most companies/organisations separate the purchase/ordering system into three key stages:
• the purchase acquisition stage,
• the purchase requisition stage, and
• the purchase order stage.
Before we look at the purchase/ordering system in detail, it is worth noting that whilst the
purchase price of a product/service is an important component in a purchasing decision it is
only one of many costs that could occur as a consequence of expenditure cycle activity: that
is the purchase price is only one component of the total purchase cost incurred during the
purchase of a product/service.
So what are these other costs? Although some of these costs would apply to both products and
services, and some to products only or services only, in general these other costs would include:
• ordering costs – the administration costs associated with the processing of purchase orders
for products and/or services,
• delivery costs – the costs associated with the transportation of purchased products,
• payment costs – the administration and finance costs associated with the payment of invoices
for purchased products/services,
• receiving costs – the costs associated with the secure receipt of purchased products and/or
services,
• inspection costs – the costs associated with the quality assessment of purchased products,
• handling costs – the costs associated with the movement and administration of purchased
products,
• storage costs – the costs associated with securely storing purchased products,
• disruption costs – the costs associated with or resulting from the non-delivery of products/
services,
For the moment, we will look at issues associated with the acquisition of purchased products
only and consider issues associated with the acquisition of services later in this section.
• a legal obligation – for example a health and safety assessment or a CRB (Criminal Records
Bureau) check.9
The necessity for such a recurring service would normally occur as a consequence of a specific
identifiable event or series of events, that is for example:
• the purchase/acquisition of an asset or group of assets, or
• the provision of a specific activity/service.
Within a manual procedure the purchase requisition would be generated by the actions of/
through the intervention of an authorised employee. Such a procedure would normally be
associated with a small company/organisation in which stock movement is monitored by assigned
employees. Within an automatic procedure the purchase requisition would be generated by the
actions of a system-based monitoring procedure. Such a system would normally be associated
with a medium/large company/organisation in which high levels of turnover occur and stock
management/movements procedures are computer-based.
So what is a purchase requisition? This can be defined as a physical and/or electronic
document used to inform the purchasing department of a company/organisation that purchased
products and/or services are required for business purposes. The purchase requisition would
normally be prepared by the product/service user and duly authorised by the appropriate budget
holder/cost centre manager, in accordance with company/organisational management policy.
It would:
• specify the products/services required – those which are not available internally from within
the company/organisation,
• authorise the purchasing staff to enter the company/organisation into a supply contract
with an external company/organisation for the supply of the requested products/services,
and
• allocate/charge the cost of those products/services to a specified cost code or cost centre.
Using a two-copy purchase requisition system, one copy of the completed purchase requisition
would be sent to the purchasing department, via the internal mail system, and one copy
of the completed purchase requisition would be retained within the requisitioning department.
Using a three-copy purchase requisition system, one copy of the completed purchase requisition
would be sent to the purchasing department, via the internal mail system, (as above) and
two copies of the completed purchase requisition would be retained within the requisitioning
department. One copy would be retained by the requisitioning department’s administration
section and one would be retained by the individual section head/section leader generating/
instigating the purchase requisition. Such a system would normally be used in larger companies/
organisations where requisitioning departments are comprised of a number of individual
semi-autonomous sections and the responsibility for the generation of purchase requisitions is
delegated to individual section heads/section leaders within the requisitioning departments.
• an invoicing address,
• a delivery address requested terms, and
• the terms of references of the purchase order.
it is likely that the buying company/organisation may employ specific purchasing agents/
buyers to issue such purchase orders to approved suppliers/providers – that is specialists who
are responsible for either a specific type of product/service or a specific group/range of
suppliers/providers.
it is more than likely that an electronic purchase order system would be used – using perhaps
a secure EDI (Electronic Data Interchange) facility10 and/or B2B (Business-to-Business) extranet
facility.11
Why? For three key reasons: security, speed and cost.
Firstly, such facilities can provide a level of security not achievable with the traditional
paper-based purchase order systems – for example data encryption facilities, transmission confirmation
facilities and many more – all of which can minimise, although not totally eliminate,
the possibility of confidential data (in our case purchase order data) going astray. Secondly,
unlike the traditional paper-based purchase order system in which the purchase order has
to be physically delivered to the supplier/provider and can take up to a number of days, the
transmission and delivery of the purchase order is instantaneous (well almost). And thirdly,
whilst the initial set-up costs of such a facility may be high, the cost per transaction is very small,
certainly compared to the cost of a transaction using the traditional paper-based purchase order
system.
The purpose of the budget holder/cost centre manager receiving a purchase confirmation
is twofold. Firstly, to confirm that an authorised purchase order for the requested products/
services has been sent to/transmitted to an approved supplier/provider and secondly to inform
the budget holder/cost centre manager – the originator of the purchase requisition – precisely
what products/service have been ordered from the supplier/provider. This latter point is extremely
important inasmuch as it confirms any variations that may have been made to the original
purchase requisition.
For example, variations could be:
• some of the requested products/services may no longer be available so substitute products/
services may have been ordered by the purchase office, or
• some of the requested products/service may not be available immediately so a number of
part deliveries may occur in order to fulfil the purchase requisition.
The purpose of the stores department receiving a purchase order confirmation would be to alert
the stores department of the forthcoming delivery of products and the need to update/amend
the stores records.
The purpose of the creditor management department receiving a purchase order confirmation
would be to alert the creditor management department of the purchase order and the
forthcoming invoice.
Where the customer’s internal control systems require the production of a purchase order, such
a document would be generated automatically by the supplier, based on the replenishment
information provided by the customer.
So what if a company/organisation uses a number of product suppliers/service providers?
There is no reason why it could not enter into an agreement with a number of product suppliers/
service providers, with each agreement referring to a different range of products/services used
by it.
For the customer – that is the buying company/organisation – the main benefits/advantages
include:
• a reduction in stock levels,
• an improvement in stock replenishment rates/procedures,
• a decrease in ordering costs,
• a decrease in holding costs, and
• an elimination of product/service ordering activities.
For the supplier – that is the selling company/organisation – the main benefits/advantages include:
• an improved visibility of customer requirements,
• a reduction in customer returns, and
• a long-term commitment from the customer.
So, under what circumstances would the stock receipting facility reject a delivery? This would
happen where, for example:
• the purchase order number identified on the supplier’s delivery note does not correspond to
a valid purchase order number, and/or
• a substantial number of the products delivered by the supplier/supplier’s delivery agent have
failed a quality inspection test12 – that is the products are of an inferior quality, and/or
• a substantial number of the products delivered by the supplier/supplier’s agent are damaged.
On rejection the delivery would be returned to the supplier via the supplier’s delivery agent.
However, where for example:
• an incorrect quantity of products have been received from the supplier/supplier’s delivery agent,
• a small number of the products delivered by the supplier/supplier’s delivery agent have failed
a quality inspection test, and/or
• a small number of the products delivered by the supplier/supplier’s delivery agent are damaged,
it is likely that – subject to the supplier’s agreement – the delivery note would be amended to
reflect the actual products accepted by the company/organisation and the incorrect products/
damaged products would be returned to the supplier via the supplier’s delivery agent.
Note: An adjustment note (often called a debit note) would need to be prepared to authorise
the adjustment to be made to the supplier’s invoice for the returned products (see the discussion
below).
Once the products have been verified, approved and accepted from the supplier’s delivery
agent, and before the products are receipted into the central store within the store/stock
warehousing facility, the store/stock receipting facility would allocate a product identification
code/location marker for each of the products/groups of products received. Put simply:
• to manage and control the movement of stock into and out of the stock warehousing facility,
and
• to monitor the movement of products within the stock warehousing facility.
Such product identification codes/location markers would of course vary from organisation to
organisation and would primarily depend on:
• the size of the stock warehouse facility used by the company/organisation,
• the nature and type of products stored by the company/organisation and, of course,
• the degree of information technology used in the product/service ordering system and the
product/service receiving system.
So what type of location markers could be used? These could vary from:
• a simple, hand-written or pre-printed product code/location marker, to
• a more sophisticated, pre-printed barcode-based product code/location marker, to
• a state of the art RFID tag (see Chapter 12).
Once the accepted products have been appropriately marked, coded or tagged, and routed
into the central store, the store/stock receipting/issuing facility would prepare a goods received
note (sometimes called a receiving report), listing and detailing the products accepted from the
supplier/supplier’s agent.
Where a computer-based purchase order/product receiving system is used, the purchase
order would be authorised as complete, indicating the receipt of the products and the location
of the products in the store/stock warehousing facility. This authorisation would automatically
update the record of products in the store – often somewhat misleadingly referred to as the
stores ledger.
Where a paper-based purchase order/product receiving system is used, a paper-based goods
received note would be prepared, authorised and attached to the supplier delivery note and
the purchase order. The documentation (the purchase order, the delivery note and the goods
received note/receiving report) would then be forwarded to the store/stock warehousing control
facility. This facility would be responsible for updating the record of products in the store (see
below) and issuing products to operational departments within the company/organisation.
If you recall, we looked at the issue of store products to operational departments within the
company/organisation in detail in Chapter 8 – in particular the use of store issue requests.
Such a payment management system would – for internal control purposes – be divided into
two sub-systems:
• a creditor creation (invoice receipting) sub-system, and
• a creditor management sub-system.
Essentially, the creditor creation (invoice receipting) sub-system would be responsible for all
payment management aspects up to the payment of the invoice.
The key documentation of a creditor creation (invoice receipting) system would be:
• an invoice, and
• the creditor account.
product and/or service – that is in a legal context a debt is created when the successful delivery of
a product/service occurs. In practice, however, for the majority of business-related commercial
transactions, such a debt is often only recognised when the invoice for the products and/or
services is received from the product supplier/service provider because it is both easier and
simpler to do so. More importantly, because the invoice date is often very close to the product/
service delivery date – usually within a few working days, to use the invoice date for debt
recognition purposes has very little impact, if any, on daily decision making. It must, however,
be noted that where invoice-based debt recognition is used, adjustments are often required (for
year-end accounting purposes) for purchases of products/services which occur shortly before
the year-end date.
Consider the following.
Aktil plc is a UK-based manufacturing company whose accounting year end is 31 March
2007. The company receives deliveries of raw materials for use in its production process
on a regular basis from a number of approved suppliers. During the last few days of March
2007/first few days of April 2007, the following transactions occurred:
• 28 March 2007 a delivery of raw materials was received from Yeted Ltd, cost £13,670.
The invoice was received on 31 March 2007.
• 29 March 2007 a delivery of raw materials was received from Seltle Ltd, cost £30,450.
The invoice was received on 5 April 2007.
• 30 March 2007 a delivery of raw materials was received from Hargot Ltd, cost £16,960.
The invoice was received on 4 April 2007.
• 31 March 2007 an invoice was received from Telil Ltd for raw materials which were
actually delivered on 2 April 2007. The cost of the raw materials was £2960.
• 1 April 2007 a delivery of raw materials was received from Mecte plc, cost £9870. The
invoice was received on 3 April 2007.
Which of the above deliveries should be included in the financial year 2006/07, and which
should be included in the financial year 2007/08?
Although the invoices have not yet been received from the supplier, the raw materials have
been delivered and the debt exists.
The objective of the verification/validation process is to ensure that the payment of a supplier’s/
provider’s invoice occurs only when the product(s) and/or service(s) have been received. Such
verification/validation would normally involve a match between three documents:
Secondly, matching the invoice to the goods received note (GRN)/receiving report (RR) would:
• verify the products/services have been received from the product supplier/service provider, and
• verify the quantity/quality of products/services received from the product supplier/service
provider.
This process is often referred to as the ‘traditional three document’ verification process.
So who would be responsible for undertaking such a verification process? Whilst the allocation
would differ from organisation to organisation, it is common for such a verification
process to be undertaken by an employee or a group of employees within the finance office –
in particular within the purchase ledger section of the finance office. This would be for internal
control purposes.
It is important to ensure that wherever possible the employee or employees undertaking the
verification process are not involved in:
• the product/service ordering process, or
• the product/service receiving process.
A credit memorandum entry would also be made in the individual creditor’s account in the
purchases ledger (also known as the creditors ledger).
New creditor
Where the transaction relates to a new creditor a new creditor account would need to be
created. However, before a new creditor account can be created in the purchases ledger (creditors
ledger) and the supplier/provider to which the account relates is assigned a creditor reference
(account number), it is important to confirm that the supplier/provider is an approved product
supplier/service provider for the company/organisation. This is because the use of unapproved
product supplier/service providers could result in, for example:
• the payment of higher than normal prices for products/services,
• the loss of possible discounts,
• the receipt of inferior quality products/services, and/or
• the imposition of inappropriate settlement terms by the supplier/provider.
Put simply, if the supplier’s/provider’s details are not contained within the approved supplier/
provider register/database (see earlier), it is important – for internal control purposes, systems
security purposes, quality assurance purposes and, most importantly, fraud prevention purposes,
to determine:
• how a transaction between an unapproved product supplier/service provider and the
company/organisation occurred,
• why a transaction between an unapproved product supplier/service provider and the
company/organisation occurred, and
• who authorised the transaction between an unapproved product supplier/service provider
and the company/organisation.
Whilst possible explanations could range from:
• the obvious and the innocent – for example the supplier/provider register/database is not
up-to-date, in which case procedures should be amended to ensure it is, to
• the sinister and the fraudulent – for example employees deliberately using unapproved
suppliers/providers for their own personal gain and to the detriment of the company/
organisation,
such transactions must, if at all possible, be eliminated.
Once established and verified, the new creditor account would be credited.
Existing creditor
Where the transaction relates to an existing creditor, the existing creditor’s account will be
credited – that is amended to reflect the additional purchase – and the balance increased.
Creditor management
The creditor management sub-system is designed to ensure:
processed for payment, marked paid and then stored in an invoice paid invoice file. Such a
system is often used by smaller companies/organisations where a limited number of invoices are
processed for payment.
department/cashier’s office would review the content of the disbursement voucher. If no problems
are identified, a senior manager within the treasury department/cashier’s office would authorise
the transfer of funds and electronically submit the payment file using the appropriate BACS
protocols to the company’s/organisation’s bankers to enable the payments to be transferred to
individual supplier/provider bank accounts. This file transfer would of course be encrypted and
require authorisation by an assigned senior manager within the company/organisation.
Remember, the processing of payments is a four-stage processing procedure (arrival, input,
process and output) within a three-day processing cycle,15 comprising:
• arrival day (arrival/input stage) – the receipt of a company’s/organisation’s payment/transfer
file at BACS Payment Schemes,
• processing day (input and processing stage) – the acceptance and processing of all data
through BACS Payment Schemes and transfer onto the paying banks, and
• entry day (output stage) – requested payments/transfers are simultaneously debited and
credited to the relevant bank and/or building society accounts.
Once complete the disbursement voucher and associated documentation (e.g. BACS transfer
receipt) would be forwarded to accounting for recording.
Where an early payment discount is received, the transaction would be recorded in the general
ledger as follows:
• Dr creditor control account,
• Cr discounts received,
• Cr bank account.
A debit memorandum entry would also be made in the individual creditor account in the
purchase ledger (creditors ledger).
Where the submission of payments to product suppliers/service providers is made by bank
transfer (BACS) using BACSTEL-IP, the creditor account could be updated online in real-time
on payment of the funds (especially where the creditor account reference is transmitted with the
transfer of funds): that is the above triple entry – the updating of the general ledger and the
purchases ledger (creditors ledger) – would occur at the same time.
Where payment is made by cheque, the creditor account would be updated on the issue of
the cheque and the payment of the funds – usually using an offline batch processing system.
• errors in pricing – for example products received from the supplier/provider may have been
inappropriately priced resulting in the supplier’s/provider’s invoice prices being either under-
or over-stated, and
• errors in payment – for example:
  ◦ an allocation error where payments made to a supplier/provider may have been recorded
  in or allocated to the wrong creditor account, or
  ◦ a transposition error where payments made to a supplier/provider may have been recorded
  incorrectly (wrong amount).
In an accounting context:
• errors in provision would be recorded in the general ledger as follows:
  ◦ Dr creditor control account,
  ◦ Cr purchases account,
• under-pricing errors would be recorded in the general ledger as follows:
  ◦ Dr purchases account,
  ◦ Cr creditor control account,
• over-pricing errors would be recorded in the general ledger as follows:
  ◦ Dr creditor control account,
  ◦ Cr purchases account,
• allocation errors would be recorded as a contra entry in the general ledger as follows:
  ◦ Dr creditor control account,
  ◦ Cr creditor control account,
• transposition errors would be recorded in the general ledger as follows:
  ◦ Dr creditor control account,
  ◦ Cr sales account.
Of course, in addition to the above, a debit and/or credit memorandum entry would also be
required in the individual creditor accounts in the purchase ledger (creditor ledger).
As with the revenue cycle and adjustments to debtor accounts, it is important – from an
internal control context – that any adjustment to the creditor accounts is:
• appropriately authorised – usually by a financial accounting manager, and
• properly documented – using a journal to record the accounting entry.
It is important that a company/organisation identifies and corrects any errors that may exist
between the creditor control account in the general ledger and the total of the individual creditor
account balances in the purchases ledger (creditors ledger).
In a practical context, the reconciliation between the creditor control account in the
general ledger and the total of the individual creditor account balances in the purchases ledger
(creditors ledger) is often an automated procedure. Indeed, many contemporary financial
accounting packages not only allow user companies/organisations to select the frequency of
such a reconciliation, they also allow user companies/organisations to determine – based on the
nature of the error discovered – the remedial action to be taken to correct the error(s).
Whilst such an automated reconciliation process does have many advantages, for example it
minimises:
it is important that management is aware of the results of each reconciliation, since an excessive
level of errors could indicate a serious information management/internal control issue. As
a result, many contemporary ‘off-the-shelf’ financial accounting systems allow user companies/
organisations to create customised reconciliation reports, detailing for example:
Electronic invoicing
To reduce administrative bureaucracy, streamline processing costs and improve invoice processing,
some companies/organisations now receive invoices electronically using EDI. This
allows the company/organisation to automate its invoice verification process and use computer-based
verification for the matching of the purchase order (PO), the goods received note
(GRN)/receiving report (RR) and the product supplier’s/service provider’s invoice. Only those
invoices which fail the automated computer-based verification process would require manual
verification – so-called manual verification by exception.
The advantages of electronic invoicing are greater efficiency, more effective invoice processing
and, of course, substantially lower invoice verification costs.
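The automated PO/GRN/invoice matching described above, sketched as an added example (not code from the book or from any accounting package). The record layout, field names, zero price tolerance and all sample values are constructed assumptions; any invoice that fails a check is routed to manual verification by exception.

```python
from decimal import Decimal

# Assumed tolerance for unit-price differences; the text does not specify one.
PRICE_TOLERANCE = Decimal("0.00")


def three_way_match(po, grn, invoice, seen_invoice_ids):
    """Compare an invoice against its PO and GRN; return a list of exceptions.

    po:      {"id", "supplier", "lines": {sku: (qty_ordered, unit_price)}}
    grn:     {"po_id", "lines": {sku: qty_received}}
    invoice: {"id", "po_id", "supplier", "lines": {sku: (qty_billed, unit_price)}}
    """
    exceptions = []
    # A resubmitted invoice must never be paid twice.
    if invoice["id"] in seen_invoice_ids:
        exceptions.append("duplicate invoice number")
    # All three documents must refer to the same order and supplier.
    if invoice["po_id"] != po["id"] or grn["po_id"] != po["id"]:
        exceptions.append("documents reference different purchase orders")
    if invoice["supplier"] != po["supplier"]:
        exceptions.append("invoice supplier differs from PO supplier")
    for sku, (billed, price) in sorted(invoice["lines"].items()):
        if sku not in po["lines"]:
            exceptions.append(f"{sku}: billed but never ordered")
            continue
        ordered, agreed_price = po["lines"][sku]
        received = grn["lines"].get(sku, 0)
        if billed > ordered:
            exceptions.append(f"{sku}: billed {billed}, ordered {ordered}")
        if billed > received:
            exceptions.append(f"{sku}: billed {billed}, received {received}")
        if abs(price - agreed_price) > PRICE_TOLERANCE:
            exceptions.append(f"{sku}: billed at {price}, PO price {agreed_price}")
    return exceptions


def route_invoice(po, grn, invoice, seen_invoice_ids):
    """Auto-approve a clean invoice; send anything else to manual verification."""
    exceptions = three_way_match(po, grn, invoice, seen_invoice_ids)
    if exceptions:
        return "MANUAL_VERIFICATION", exceptions
    seen_invoice_ids.add(invoice["id"])
    return "AUTO_APPROVED", []


# Constructed sample documents (not taken from the book).
PO = {"id": "PO-1001", "supplier": "SUP-01",
      "lines": {"A100": (10, Decimal("2.50")), "B200": (5, Decimal("12.00"))}}
GRN = {"po_id": "PO-1001", "lines": {"A100": 10, "B200": 4}}  # one B200 short
INV_CLEAN = {"id": "INV-1", "po_id": "PO-1001", "supplier": "SUP-01",
             "lines": {"A100": (10, Decimal("2.50")), "B200": (4, Decimal("12.00"))}}
INV_OVERBILLED = {"id": "INV-2", "po_id": "PO-1001", "supplier": "SUP-01",
                  "lines": {"A100": (10, Decimal("2.75")),
                            "B200": (5, Decimal("12.00")),
                            "C300": (1, Decimal("9.99"))}}

if __name__ == "__main__":
    seen = set()
    # The clean invoice is submitted twice to show the duplicate check.
    for inv in (INV_CLEAN, INV_CLEAN, INV_OVERBILLED):
        status, why = route_invoice(PO, GRN, inv, seen)
        print(inv["id"], status, why)
```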
products have been received/the services have been delivered, and such receipt/delivery has
been verified, payment can be made, with only those invoices failing the verification process
requiring manual processing. Obviously for such invoice-less payment processing to function
adequately, it is critical that:
• accurate and up-to-date product/service prices are available from suppliers/providers to
ensure correct prices are quoted for the products/service ordered, and
• comprehensive receipting/inspection procedures are used by the purchasing company/
organisation to ensure products/service are delivered as requested.
The advantages of invoice-less payment processing are reduced documentation processing and
therefore substantially lower administration costs.
As with the debtor-based revenue cycle, any failure in processes and controls associated with
the creditor-based expenditure cycle could have significant consequences for the company/
organisation, and could result in:
• a loss of company/organisation assets,
• a loss of data/information,
• a loss of suppliers/providers and, perhaps most importantly,
• a loss of revenue income (and profits).
In addition, the failure of retailing system security procedures/access protocols could allow
unauthorised persons to gain access to secure product/service ordering systems, and result in:
• the issue of fraudulent purchase orders, and
• the possible theft of assets.
Cash-based expenditure
Cash-based expenditure is sometimes referred to as petty cash expenditure because such expenditure
is often only concerned with small value purchases, for example office stationery items
and employee-based expenses such as travel costs. Whilst such expenditure is perhaps inevitable
– emergencies arise despite the best planning – for both internal control and, more importantly,
cash flow/cash management purposes, the excessive use of cash-based expenditure should,
where at all possible, be:
• closely monitored,
• reduced to a minimum,
• restricted to very small value products and services.
Note: There are no legal restrictions on what a company/organisation can/cannot pay out of
petty cash. However for Revenue and Customs purposes, wages and/or wage-related expenses
should never be paid from the petty cash.
We will look at the use of petty cash systems – in particular petty cash imprest systems – in
detail in Chapter 11.
Card-based expenditure
The use of card-based expenditure has become increasingly popular in some companies/
organisations – especially in B2B retailing. Why? For a number of business-related reasons/benefits,
perhaps the most important being more efficient and effective financial administration.
So what is card-based expenditure? Such expenditure is normally employee-based expenditure
– expenditure which occurs where an authorised employee, usually a mid-level manager, is
allowed to incur expenses using a company/organisation charge or credit card.
So, what is the difference between a company/organisation charge card and a credit card?
A company charge card account balance would be paid in full by the company at the end of
the account period, usually by direct debit, and as such no interest is chargeable. With a credit
card account, 45 days’ interest-free credit is provided, with the flexibility for the company to
decide how much will be paid. Of course, any balance which exists after the 45-day period will
be subject to interest charges.
Charge/credit cards can be used for:
• business-related accommodation costs,
• business-related travel expenses, or, where appropriate,
• customer/client entertainment expenses.
Whilst many, if not all, companies/organisations which operate such card-based expenditure
schemes impose fairly stringent limits/restrictions on:
• what can be regarded as legitimate expenditure, and
• how much an employee may spend (a card limit),
Whenever cash- or card-based expenditure is incurred, there are inevitably risks. Such risks
would include:
As with revenue cycle activities (see Chapter 8), in a practical context such internal controls
can be categorised as either general controls or application specific (expenditure cycle specific)
controls.
General controls
General controls applicable to the expenditure cycle could be categorised as:
• organisational controls,
• documentation controls,
• access controls,
• liability management controls,
• management practice controls, and
• information systems controls.
Organisational controls
Within the expenditure cycle such controls should ensure that there is a separation of duties
between:
• those involved in activities related to the authorising of expenditure transactions,
• those involved in the receiving of products/services from suppliers/providers,
• those involved in storing purchased products – that is undertaking a custodial function,
• those involved in activities relating to the making of payments to suppliers/providers,
• those involved in the management of creditor accounts, and
• those involved in the recording of financial transactions.
In addition, as we saw with the revenue cycle, there should also be a separation of duties between:
• systems development personnel, and
• systems operations personnel.
That is, between:
• those involved in the creation and/or modification of expenditure cycle programs, and
• those involved in the day-to-day expenditure cycle activities and processes.
Documentation controls
Complete and up-to-date documentation should be available for all expenditure cycle procedures.
Such documentation should include, for example:
• organisational charts detailing the responsibility structure within the expenditure cycle and
the separation/segregation of duties within each of the expenditure cycle systems,
• procedural descriptions of all procedures and processes used within the expenditure cycle,
• systems flowcharts detailing how functions/activities within the expenditure cycle operate,
• document flowcharts detailing what documents flow within expenditure cycle systems,
• management control procedures/internal control procedures detailing the main internal
controls within the expenditure cycle,
• user guides/handbook providing a broad overview of the main functions/activities within
the expenditure cycle, and
• records of recent internal/external audits undertaken on individual expenditure cycle systems.
Access controls
Where information and communication technology is used as an integral part of the expenditure
cycle systems and activities, it is important – for both internal control and security purposes –
to ensure that:
• assigned users’ names and passwords are used to authenticate users and authorise access to
expenditure cycle transaction data and supplier/provider information,
• location and/or terminal restrictions are used – where appropriate – to control access
to expenditure cycle-based data/information – for example confidential creditor account
information should only be accessible by appropriate staff (finance staff) at approved locations
(e.g. within the finance office), and
• transaction data/information is securely stored with access to both current transaction
files/master files and back-up copies of all transaction files/master files restricted.
• the efficient scheduling of data processing activities relating to the purchase of products,
services and/or resources and the recording of expenditure payments,
• the appropriate authorising of all data/information processing procedures, and
• the effective management and use of information and communication systems resources.
Application controls
As with all application controls, those applicable to the expenditure cycle can be categorised as
input controls, processing controls and output controls.
Input controls
Expenditure cycle input controls are designed to ensure the validity, correctness and appropriateness
of expenditure cycle specific input data.
Such controls would include:
Where input data is transmitted from a source origin to a processing destination electronically,
additional supplementary input controls would normally be required. Such controls would
include for example:
• transmission tests – to ensure the completeness of the transmission,
• security checks – to ensure the authenticity of the customer/client and the legitimacy of the
transmission, and
• validity checks – to ensure/confirm the completeness of the transaction data.
Processing controls
Expenditure cycle processing controls are designed to ensure only authorised expenditure cycle
transaction data are processed and such data are processed accurately, correctly and completely.
Such controls would include for example:
• file maintenance checks – to ensure that both creditor file records and transaction records
are efficiently maintained,
• file labelling checks – to ensure all expenditure cycle data files are correctly labelled,
• verification checks – to ensure all expenditure cycle transaction data is validated and approved
prior to processing,
• processing logic checks – to ensure that the actual processing steps by which data are transformed
or moved are consistent with defined procedures/protocols,
• limit checks – to ensure that all expenditure cycle transaction data exist within defined
processing parameters (e.g. value of transaction, date of transaction),
• reasonableness checks – to ensure that expenditure cycle transaction data are consistent with
processing expectations,
• sequence checks – to ensure that no interruptions or gaps exist in the sequence of transaction
data processed,
• audit trail controls – to ensure that a visible trail of evidence and/or chronology of events is
available enabling the tracing of transaction events,
• control totals checks – to check that expenditure cycle transaction file control totals are
consistent with the contents of the transaction file to which they relate, and
• data checks – to check for the existence of duplicate and/or missing data.
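A sketch of four of the processing controls listed above (limit, sequence, control totals and duplicate-data checks) run over one payment batch. This is an added example, not code from the book; the batch layout, field names, limits and sample records are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal


def check_batch(header, records, value_limit, period_start, period_end):
    """Run four processing controls over one payment batch.

    header:  {"first_seq", "record_count", "amount_total"} as declared by the sender
    records: [{"seq", "supplier", "invoice", "amount", "date"}, ...]
    Returns {control_name: [finding, ...]}; all lists empty means the batch passes.
    """
    findings = {"limit": [], "sequence": [], "control_totals": [], "duplicates": []}

    # Limit checks: value and date must sit inside the defined parameters.
    for r in records:
        if not Decimal("0") < r["amount"] <= value_limit:
            findings["limit"].append(f"{r['seq']}: amount {r['amount']} outside limit")
        if not period_start <= r["date"] <= period_end:
            findings["limit"].append(f"{r['seq']}: date {r['date']} outside period")

    # Sequence check: every declared number present exactly once, none unexpected.
    expected = range(header["first_seq"], header["first_seq"] + header["record_count"])
    seen = Counter(r["seq"] for r in records)
    for seq in expected:
        if seen[seq] == 0:
            findings["sequence"].append(f"{seq}: missing")
    for seq in sorted(seen):
        if seq not in expected:
            findings["sequence"].append(f"{seq}: not in declared range")
        elif seen[seq] > 1:
            findings["sequence"].append(f"{seq}: appears {seen[seq]} times")

    # Control totals: the file's contents must agree with its own header.
    if len(records) != header["record_count"]:
        findings["control_totals"].append(
            f"record count {len(records)}, header says {header['record_count']}")
    total = sum((r["amount"] for r in records), Decimal("0"))
    if total != header["amount_total"]:
        findings["control_totals"].append(
            f"amount total {total}, header says {header['amount_total']}")

    # Data check: the same supplier invoice and amount paid more than once.
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["supplier"], r["invoice"], r["amount"])].append(r["seq"])
    for (supplier, invoice, _), seqs in sorted(by_key.items()):
        if len(seqs) > 1:
            findings["duplicates"].append(f"{supplier}/{invoice}: records {seqs}")
    return findings


# Constructed batch: record 5003 was lost, 5005 repeats 5001, 5006 breaks both limits.
HEADER = {"first_seq": 5001, "record_count": 6, "amount_total": Decimal("13830.00")}
RECORDS = [
    {"seq": 5001, "supplier": "SUP-01", "invoice": "INV-778",
     "amount": Decimal("250.00"), "date": date(2007, 1, 3)},
    {"seq": 5002, "supplier": "SUP-02", "invoice": "INV-114",
     "amount": Decimal("900.00"), "date": date(2007, 1, 4)},
    {"seq": 5004, "supplier": "SUP-03", "invoice": "INV-560",
     "amount": Decimal("80.00"), "date": date(2007, 1, 4)},
    {"seq": 5005, "supplier": "SUP-01", "invoice": "INV-778",
     "amount": Decimal("250.00"), "date": date(2007, 1, 5)},
    {"seq": 5006, "supplier": "SUP-04", "invoice": "INV-002",
     "amount": Decimal("12000.00"), "date": date(2007, 2, 2)},
]

if __name__ == "__main__":
    result = check_batch(HEADER, RECORDS, Decimal("10000.00"),
                         date(2007, 1, 1), date(2007, 1, 31))
    for control, items in result.items():
        print(control, items)
```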
Output controls
Expenditure cycle output controls are designed to ensure all expenditure cycle output is
authorised, accurate and complete, and distributed to approved and authorised recipients only.
Such controls would include for example:
• distribution controls to ensure creditor payments are made to the correct supplier/provider,
• verification controls to ensure the validity and accuracy of output information,
• reconciliation checks to ensure all transaction numbers are accounted for, and
• review/audit trail checks.
Where output data is transmitted from a processing origin to a user destination electronically
(e.g. payments to suppliers/providers), additional supplementary output controls would
normally be required. Such controls would include for example:
• transmission tests to ensure that data are transmitted correctly,
• recipient identifier checks/controls to authenticate the recipient before the delivery of data/
information,
• security checks/controls to ensure data/information is delivered completely, and
• validation checks/controls to ensure data/information is received and accessed by the authorised
recipient only.
Capital expenditure is concerned with the purchase of both tangible and intangible fixed assets
for retention and use within the company/organisation. The objectives of the capital expenditure
cycle/fixed assets management are to ensure, inter alia, that:
• all fixed asset acquisitions and disposals are properly planned, suitably evaluated, appropriately
approved (with supporting documentation) and accurately recorded,
• all fixed asset transactions (including the allocation of depreciation expenses) are properly
recorded, monitored and controlled,
• all fixed assets accounting records are accurately maintained and regularly updated,
• all acquired fixed assets are securely maintained (and periodically reconciled/reviewed), and
• all appropriate property titles/custody rights to such fixed assets are obtained, and securely
stored.
We will look at capital expenditure/fixed assets management in more detail in Chapter 11.
As suggested earlier, the human resource-related expenditure cycle[18] (or payroll cycle) can
be defined as a collection of business-related activities/resources and information processing
procedures concerned with ensuring the timely and appropriate compensation of company/
organisation employees. It is directly related to the company/organisation Human Resource
Management (HRM) cycle (or personnel cycle) whose primary objective can be defined as the
effective management and development of the company’s/organisation’s employee workforce,
and would include procedures, processes and controls associated with:
• the recruitment of new employees,
• the training of current employees,
• the assignment of work-related tasks,
• the evaluation of employee performance and, of course,
• the voluntary and/or involuntary discharge of employees.
Whilst there can be little doubt that the employee workforce of a company/organisation – whatever
its context type – represents an important, valuable and wealth creating asset/resource,
its value is (quite rightly) only recognised when the asset/resource has been consumed/used.
This is because, unlike other assets/resources within a company/organisation which are generally
owned by the company/organisation, employees are not ‘owned’. They are, in general, employed for
the services/skills they can provide and the contribution and added value they can bring to the
company’s/organisation’s activities. Although there are some categories of employees whose
contractual obligations can be, and indeed often are, sold or transferred from one company/
organisation to another, such employees are the exception rather than the norm.
Perhaps the most common example of the sale of an employee would be the transfer of
a professional footballer from one football club (e.g. AC Milan) to another (e.g. Chelsea). See
Article 9.2 below.
Article 9.2
Before we look at the HRM/payroll cycle in greater detail, it is useful firstly to identify the
source of major inputs into, and the destination of its major outputs from, the HRM/payroll
cycle, and, secondly to consider the role/function of a company’s/organisation’s accounting
information systems in the efficient functioning of an HRM/payroll cycle.
The major sources of HRM/payroll cycle inputs would be:
• company/organisation departments (e.g. the HRM department) – information on recruitment/
appointments, conditions of employment, termination of employment and details on
employee deductions, hours worked and/or products produced,
• government agencies – information on income tax and National Insurance deductions/
payments, employment laws, rules and regulations (including health and safety),
• other non-statutory bodies (e.g. trade unions) – information on conditions of employment,
rates and pay, etc., and
• employees – information on/authorisation of voluntary deductions (e.g. savings schemes,
charitable donations and/or pension contributions).
The major destination of HRM/payroll cycle outputs would be:
• company/organisation departments (including the HRM department) – information on
staffing/employment levels and budget commitments,
• company/organisation departments (in particular accounting and finance) – information on
both employee payments and payments to other statutory/non-statutory agencies,
• employees – payment of net pay,
• government agencies – payment of income tax and National Insurance, and the provision of
statutory payroll information, and
• insurance companies/pension funds – payments of employee and, where appropriate, employer
contributions.
Note: Whilst the above lists of sources and destinations are by no means exhaustive, they do
however provide a representative sample of the main sources and destinations found in the
majority of companies/organisations.
So what function(s) does a company’s/organisation’s accounting information system provide/
play in the efficient functioning of a company/organisation HRM/payroll cycle?
in terms of HRM/payroll, the nature and context of the functions/activities provided by the
accounting information systems would invariably depend upon a number of key organisational
features/characteristics, for example:
• the type of employees comprising the company/organisation workforce – for example
professionally qualified employees, skilled technicians, semi-skilled operators or manual/
unskilled employees,
• the payment process used by the company/organisation – for example employees may be
paid in cash, by cheque or by BACS transfer,
• the basis on which employees are compensated/remunerated – for example time-based
remuneration, production-based remuneration or a fixed rate remuneration,
• the frequency at which employees are paid/compensated – for example employees can be
paid by weekly wages or by monthly[19] salary, and
• the nature of the payroll process – for example a positive payroll[20] or a negative payroll[21].
That said, in an HRM/payroll context, certainly for companies/organisations operating within
the UK, within Europe and indeed within much of the USA, the company’s/organisation’s
accounting information system is seen as providing three basic functions/support activities,
these being:
• the processing of transaction data relating to the remuneration of employees,
• assisting in the safeguarding of company/organisation assets, and
• the provision of payroll-related information for decision-making purposes.
would include:
We will look at what each of these departments does and then consider the relevance of their
activities to the functions/service support provided by the company’s/organisation’s accounting
information system.
• the issue of time cards and/or job cards to employees – where employees are paid by the hour
or by the number of goods produced (normally associated with weekly paid staff),
• the issue of time sheets – where employees are paid a fixed salary (normally associated with
monthly paid staff),
• the collection of employee time cards/job cards/time sheets, and
• the authorisation of hours worked/goods produced by employees.
Payroll department
The payroll department would be responsible for:
Treasury department/cashier
The treasury department/cashier would be responsible for:
• the preparation of the payroll payments,
• the financing of the payroll payments, and
• the authorisation of payment transfers to individual employee accounts (assuming wages are
paid to employees using the BACS payment system).
The treasury department/cashier would also be responsible for authorising the payment of
income taxes, National Insurance Contributions and pension deductions to relevant third parties,
in addition to any other voluntary deductions (e.g. an employee SAYE (Save As You Earn
scheme)), and/or other statutory imposed deductions (e.g. County Court imposed attachment
of earnings deductions).[22]
It is from the data contained within the payroll master file that:
• employee time cards, job card/work cards or time sheets are generated and issued to
employees,
• employee pay adjustment notifications are identified and issued to payroll,
• internal documentation such as a cumulative earnings register, a company/organisation
employee inventory, an employee location inventory and a skills/competencies register are
prepared, and
• statutory documents such as employee P45s and P60s are produced in addition to other
statutory third-party reports.
It is therefore important that the payroll master file provides an accurate and up-to-date representation
of the status of employees contained on the employee inventory listing. Where a
company/organisation maintains/uses an online payroll master file system, which is becoming
increasingly the case, it is particularly important that:
• access to the payroll master file data is limited to authorised persons only – for example
HRM department employees only,
• any edits, deletions, additions and/or changes made to the payroll master file are appropriately
validated and correctly authorised, and
• a clear and verifiable audit trail for each edit, deletion, addition and/or change exists.
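One way to meet the three requirements above for an online payroll master file, as an added example rather than the book's or any payroll product's code: edits are restricted to named editors, each change needs a separate authoriser, and every change is appended to a hash-chained audit trail that can be verified later. User names, field names and values are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first audit entry
_HASHED_FIELDS = ("seq", "employee_id", "field", "old", "new",
                  "changed_by", "approved_by", "prev_hash")


def _digest(entry):
    """SHA-256 over the entry's content and the previous entry's hash."""
    body = {k: entry[k] for k in _HASHED_FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PayrollMasterFile:
    def __init__(self, records, editors, approvers):
        self.records = records            # {employee_id: {field: value}}
        self.editors = set(editors)       # e.g. HRM department employees
        self.approvers = set(approvers)   # who may authorise a change
        self.audit = []                   # append-only, hash-chained

    def change(self, employee_id, field, new, changed_by, approved_by):
        """Apply one authorised edit and record it in the audit trail."""
        if changed_by not in self.editors:
            raise PermissionError(f"{changed_by} may not edit the master file")
        if approved_by not in self.approvers:
            raise PermissionError(f"{approved_by} may not authorise changes")
        if approved_by == changed_by:
            raise PermissionError("a change cannot be authorised by its maker")
        record = self.records[employee_id]  # KeyError for an unknown employee
        entry = {
            "seq": len(self.audit) + 1,
            "employee_id": employee_id,
            "field": field,
            "old": record.get(field),
            "new": new,
            "changed_by": changed_by,
            "approved_by": approved_by,
            "prev_hash": self.audit[-1]["hash"] if self.audit else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        record[field] = new
        return entry


def verify_trail(audit):
    """Return the position of the first entry that fails verification, else None."""
    prev = GENESIS
    for position, entry in enumerate(audit, start=1):
        if (entry["seq"] != position or entry["prev_hash"] != prev
                or entry["hash"] != _digest(entry)):
            return position
        prev = entry["hash"]
    return None


def unlogged_changes(baseline, current, audit):
    """Fields whose current value is not explained by baseline plus audit trail."""
    expected = {emp: dict(fields) for emp, fields in baseline.items()}
    for entry in audit:
        expected.setdefault(entry["employee_id"], {})[entry["field"]] = entry["new"]
    return sorted((emp, field) for emp in current for field in current[emp]
                  if expected.get(emp, {}).get(field) != current[emp][field])


if __name__ == "__main__":
    # Constructed sample data.
    baseline = {"E001": {"hourly_rate": "12.50", "bank_account": "ACCT-1"}}
    pmf = PayrollMasterFile({"E001": dict(baseline["E001"])},
                            editors={"hrm_clerk"}, approvers={"hrm_manager"})
    pmf.change("E001", "hourly_rate", "13.00", "hrm_clerk", "hrm_manager")
    print("trail intact:", verify_trail(pmf.audit) is None)
    pmf.records["E001"]["bank_account"] = "ACCT-9"  # edit that bypassed change()
    print("unlogged:", unlogged_changes(baseline, pmf.records, pmf.audit))
```

A hash chain only shows that the stored trail is internally consistent. Keeping the latest hash somewhere the master file's editors cannot write is what exposes a wholesale rewrite of the trail.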
location inventory[25] for each department/cost centre. Clearly, changes can and indeed sometimes
would be made to departmental payroll budgets. However, such changes, if significant[26],
would of course not only require senior management approval, but more importantly detailed
financial justification. For example, if additional employees are requested, would the additional
number produce any added value to the company/organisation and/or any identifiable increase
in company/organisation revenue? If so, when would the increased revenue be realised, how
much revenue would be produced and would the increase in revenue exceed the cost of the
additional employees?
It is this consolidated/sorted data transaction file that would be used to prepare and calculate
employee payroll payments.
The payroll master file data for each employee and the consolidated/sorted data transaction
file content for each employee would be interrogated and matched, and the gross pay for each
employee calculated as follows:
• for wage-based employees remunerated on an hours worked basis – the gross pay for the
employee would be calculated by multiplying the hours worked by the employee (from the
data transaction file) by the approved rate of pay for the employee (from the payroll master
file) – with any overtime premiums and bonuses added as appropriate,
• for wage-based employees remunerated on a goods produced basis – the gross pay for the
employee would be calculated by multiplying the goods produced by the employee (from the
data transaction file) by the approved rate of pay for the employee (from the payroll master
file) – with any bonuses added as appropriate, and
• for salary-based employees – the gross pay for the employee would be calculated as a
fraction of the employee’s annual salary with the fraction representing the period worked by
the employee. For example 1/12th of an employee’s annual salary would be paid where an
employee is remunerated at the end of every calendar month, or 1/13th of an employee’s
annual salary would be paid where an employee is remunerated at the end of each four-week
period (or lunar month). Where such employees are also entitled to payment for overtime
work such payments are normally paid in the month following. That is, overtime worked in
April would normally be paid at the end of May.
Finally, a payroll register would be produced. The payroll register is merely a listing or report
containing details of each employee’s gross pay, total deductions and total net pay. Historically
it was at this point in the payroll procedure that employee pay cheques and pay advices were
produced. However, these days, with the vast majority of payroll payments now being paid
using BACS, only individual employee pay advices would be produced. These pay advices (or
pay slips as they are often referred to) would normally be issued by the payroll department to
individual employees on the day before payday.
Note: Because each employee of the company/organisation would be assigned to a specific
product/function or located in a specific service department, the cost of the employee (in terms
of gross pay) would be allocated to a specific cost centre/budget centre of the company/
organisation. This means that often as part of the payroll register, a cost centre allocation would
also be produced and reconciled to the total gross pay in the payroll register.
For internal control purposes, each of the above accounting entries should of course be
supported by appropriate journal vouchers acting as the source documentation for each of
the accounting entries.[30] In addition, following the above set of accounting transactions, the
balance of the payroll control account should be zero. As a result the internal control check
associated with the above accounting entries is often referred to, somewhat unsurprisingly, as
a zero balance check.
It would be the responsibility of the accounting department (more specifically the management
accounting department) to produce the periodic financial statements/management statements
for departmental managers – more appropriately cost centre/budget centre managers.
Asset-related controls
Such controls are typically associated with maintaining the integrity and security of payroll-
related assets and would include:
• the maintenance of statutory employee files within the HRM department including the
regular verification of employee master file details and the periodic verification of employee
status details,
• the application of detailed employee appointment procedures including the verification of
applicant’s skills and experience, references and employment history,
• the management and coordination of employee status changes through the HRM department,
and
• the use of security procedures regarding the allocation and transfer of payroll payments.
All payroll payments should be paid directly into the employee bank account using the
BACS system. Payroll payments using cheques and/or cash should be prohibited . . . without
exception!
• within the HRM/payroll cycle a distinct separation exists between the pre-payment stage,
the payment stage and the post-payment stage,
• no personal relationship exists between:
  • those employees responsible for the maintenance of employee personal records (within
    the HRM department),
  • those employees responsible for the preparation and calculation of payroll payments,
    and
  • those employees responsible for the processing and payment of wages and salaries to
    company/organisation employees, and
• where at all possible, employees involved in the preparation and calculation of payroll payments,
and/or the processing and payment of wages and salaries to company/organisation
employees, are rotated on a frequent basis to prevent potentially ‘dangerous’ employee relationships
developing between payroll staff and other employees.
It is perhaps also important, if not essential, that appropriate education and training on:
are also made available to relevant HRM/payroll staff. Where possible, such education and
training should be combined with the use of work-based performance metrics to assess:
Information/data-related controls
Such controls are typically associated with ensuring the integrity and validity of payroll transaction
data and payment information, and would include:
• the use of secure online payroll data collection (in the place of physical documents such as
time cards, job cards and/or time sheets),
• the use of both physical and logical access controls[32] to prevent unauthorised access to
payroll data,
• the encryption of payroll data to ensure data security,
• the accuracy of payments made to employees by the HRM/payroll cycle and, in particular,
• the level of errors – fraudulent or otherwise – occurring in:
  • the maintenance of employee data, and
  • the processing of payroll payments.
Where information suggests that:
• the costs associated with the provision of such an in-house facility exceed the appreciable
benefits of keeping such a provision within the company/organisation, or
• the effectiveness and efficiency of such an in-house facility has fallen below a level that would
be regarded as acceptable – for example excessive levels of over-payments or frequent errors
in the recording of payroll related data,
it would of course be a dereliction of their duty and responsibility to the shareholders/
stakeholders of the company/organisation for the strategic managers not to consider the
possibility of outsourcing some, or indeed all, of the HRM/payroll cycle. Obviously, where
such a decision is taken, its impact on the company/organisation – in particular on the staff
employed within the in-house HRM/payroll facility – could be substantial. As a consequence,
decisions to outsource part or all of an in-house facility can be controversial especially where
possible redundancies may result.
We will have a look at outsourcing in a little more detail later in this chapter.
There are of course a large number of possible consequences associated with the failure of
payroll-related controls. For the purposes of simplicity, we will classify such consequences into
the following categories:
• employee-related consequences,
• third-party-related consequences, and
• company/organisation-related consequences.
Employee-related consequences
Such consequences could include:
• the use of inappropriate recruitment procedures and the appointment of unqualified staff/
employees,
• a failure to recognise behavioural irregularities among employees – for example unusually
high levels of absenteeism,
• a failure to identify possible employee conflicts of interest,
• the incorrect use of employee evaluation procedures,
• the improper application of employee remuneration packages, and
• the unauthorised deduction of funds from employee payments.
Third-party-related consequences
Such consequences could include:
• a failure to meet statutory fiscal obligations – for example the incorrect payment of income
and National Insurance deductions,
• a failure to comply with extant employment laws,
• the violation of legal/statutory requirements, and
• a failure to comply with employee pension requirements.
Company/organisation-related consequences
Such consequences would include:
• the incorrect/fraudulent disbursement of pay and/or deductions,
• the duplication of payments to employees,
• the fraudulent alteration of employee pay,
• the unauthorised amendment to payroll master file,
• the inputting of incorrect payroll data – for example hours worked/goods produced,
• the inaccurate processing/calculation of payroll payments,
• the possible theft of payroll payments,
• the loss, alteration and/or unauthorised disclosure of payroll data,
• the incorrect allocation of payroll expenditure, and
• the inappropriate withholding of payroll liabilities.
Outsourcing
In our discussion so far, we have assumed that the HRM/payroll cycle operates as an in-house
process/procedure, staffed and managed internally within the company/organisation. Many
companies/organisations, however, now outsource some or all of their HRM/payroll services/
activities, using either:
• a payroll bureau, or
• a professional employer organisation.
Despite such disadvantages, the use of payroll bureau services – especially in small and/or
medium-sized companies/organisations – has become increasingly popular.
Examples of such payroll bureau include:
• Wispay Payroll Bureau @ www.wispaypayrollbureau.co.uk,
• Compupay Bureau @ www.compupaye.com,
• PSC Payroll @ www.pscpayroll.com, and
• 1st Choice payroll @ www.1stchoicepayroll.co.uk.
In general, a payroll bureau would provide services[37] relating to:
• the processing and management of all payroll-related data – often using multi-media input,
• the processing of starter and leaver calculations (including P45 management services),
• direct communication with third parties (e.g. Revenue and Customs, pension administrators,
etc.),
• the provision of a question and answer service – usually through a designated coordinator,
• the automatic processing of all regular payroll additions/deductions,
• the provision of client specified management reporting in alternative formats,
• the archiving of payroll output,
• the delivery of payroll output, and
• the provision of payslips – including self-service electronic payslips.
Essentially, the professional service organisation and the client company/organisation enter into
a contract that apportions the traditional employer responsibilities between them. Although
contracts can vary in terms of:
• the period of the contractual agreement – for example short-term (less than a year) to
long-term (over a year and up to five years),
• the range of services to be provided by the professional employer organisation, and
• the cost of the services to be provided by the professional employer organisation,
in the majority of circumstances the professional employer organisation will (for a monthly
fee) provide all employee payments and employee benefits packages, and assume administrative
responsibilities for payroll, human resources and employment taxes, leaving the client company/
organisation to focus on traditional growth areas and future directions for the business.
Note: Because the client company/organisation and its employees reside on the payroll of
the professional employer organisation, the use of the professional employer organisation is
sometimes, somewhat incorrectly, referred to as employee leasing. Examples of professional
employer organisations include for example:
So, for a client company/organisation, what would be the advantages and disadvantages of
using a professional employer organisation? The advantages would include:
Regarding this last point – it is important to note that whilst the use of a professional employer
organisation can relieve a client company/organisation of a vast range of administrative duties,
and potentially provide employees with a range of benefits that may not otherwise have been
available, such benefits/advantages may come at a price – for example:
• a loss of control over the appointment and termination of employees within the company/
organisation, and
• a loss of control over the selection of employee benefits that should be made available to
employees.
Concluding comments
Bibliography
Question 1
The following documentation is commonly used in a creditor-based expenditure cycle:
• purchase requisition,
• purchase order,
• goods received note,
• receiving report,
• creditor invoice, and
• disbursement voucher.
Required
For each of the above, describe the purpose and function of the documentation within the expenditure
cycle.
Question 2
HLU plc is a UK-based retail company. During a recent systems review of its creditor-based expenditure
cycle, you noted the following requirements:
• employees responsible for the receipting of products from product suppliers cannot be involved in the
approving/authorising of invoices for payment to creditors,
• employees responsible for the approving/authorising of invoices for payment to creditors cannot be
involved in the processing of payments to creditors,
• employees responsible for the processing of payments to creditors cannot be involved in the reconciliation
of the company bank account, and
• employees responsible for the receipting of products from product suppliers cannot be involved in periodic
stock checks of products in store.
Required
Explain:
• the purpose of each of the above requirements within a company such as HLU plc, and
• the problems which could occur should the above requirements not be complied with.
Question 3
You have recently been appointed Systems Accountant at BHJ Ltd, a small electrical accessories company.
Your main brief is to design a company-wide computer purchasing system. To date the company has
maintained a semi-manual record system for all its purchases.
For the previous five financial years the company has made average annual purchases of £15m (all
purchases are from UK suppliers) and average annual profits of approximately £9m. The company has
47 employees working at seven locations throughout the UK: York, Hull, Birmingham, Oxford, Swindon,
Bristol and Portsmouth.
For the year ended 31 March 2007, approximately 95% of the company’s purchases were on credit. The
company is currently reviewing its purchasing system and is considering introducing a fully computerised
purchasing system with the possibility of a web-based purchasing protocol linked to selected suppliers.
Required
Making whatever assumptions you consider necessary, prepare a draft report for the management board of
BHJ Ltd, detailing the following:
Question 4
Describe the accounting controls you would expect to find in the purchasing system of a high street retail
company, and discuss how the failure of such accounting controls could potentially affect the valuation and
security of company assets and the disclosure of company assets in the annual financial reports.
Question 5
SEC Ltd, a small electrical accessories company, wants to design a company-wide computer purchasing
system. To date the company has maintained a semi-manual record system for all its purchases.
For the previous three financial years the company has made average annual purchases of £34m (all
purchases from UK suppliers) and average annual profits of approximately £10.6m. The company has approximately
350 employees working at six locations throughout the UK: Manchester, which is the company’s head office,
Birmingham, Leeds, Swindon, Bristol and Newcastle.
You have recently completed an audit of activities within the purchasing department within SEC Ltd. The
department employs 15 buyers, seven supervisors, a manager and clerical personnel. Your audit has disclosed
the following conditions:
• The company has no formal rules on conflicts of interest. Your analysis produced evidence that one of the
15 buyers in the department owns a substantial interest in a major supplier and that he procures supplies
averaging £150,000 a year from that supplier. The prices charged by the supplier are competitive.
• Buyers select proposed sources without submitting lists of bidders for review. Your tests disclosed no
evidence that higher costs were incurred as a result of that practice.
• Buyers who originate written requests for quotations from suppliers receive the suppliers’ bids directly from
the mail room. In your test of 100 purchases based on competitive bids, you found that in 55 cases the
lower bidders were awarded the purchase order.
• Requests to purchase (requisitions) received in the purchasing departments in the company must be
signed by persons authorised to do so. Your examination of 200 such requests disclosed that three
requisitions, all for small amounts, were not properly signed. The buyer who had issued all three orders
honoured the requests because he misunderstood the applicable procedures. The clerical personnel
responsible for reviewing such requests had given them to the buyer in error.
Required
(a) For each of the above, explain the risk, if any, that is incurred if each of the conditions described
previously is permitted to continue and describe the control(s), if any, you would recommend to prevent
continuation of the condition described.
(b) Explain the main function of a purchasing system employed by a company such as SEC Ltd, the risks
associated with its failure and the controls that can be installed in order to minimise the impact of such
risks.
Assignments
Question 1
OWS Ltd has been under the control of the same family Mr I and Mrs N Sane (who are now both 62 years old)
for the past 30 years. During that time the company has expanded rapidly. Unfortunately it still operates a
fairly simple manual-based/cheque-based purchasing system.
A document flowchart of the company’s current purchasing system is provided in Figure 9.11 below.
Required
Identify the major internal controls within the company’s purchasing systems and, where appropriate, suggest
possible improvements to the company’s purchasing system.
Question 2
You have recently been appointed as an accountant at LQOH, a Harrogate-based firm of certified accountants.
You are currently reviewing the payroll system of PLT plc. The company is a small local manufacturing
company with an annual turnover of £4.2m and an annual net profit of approximately £1.2m. The company
currently employs a factory workforce of 56 employees and has an annual factory wage bill of £2.2m.
The following document flowchart (see Figure 9.12) of PLT’s factory payroll system was prepared during the
last systems audit of the company approximately three months ago.
Required
Based on the above flowchart, identify and describe the weaknesses within PLT’s factory payroll system and
recommend possible areas for improvement.
Chapter endnotes
1
Capital expenditure is sometimes referred to as fixed assets expenditure.
2
Revenue expenditure is sometimes referred to as current assets expenditure.
3
The World Trade Organisation (WTO) is an international organisation concerned with the
rules of trade between nations. Consisting of a series of negotiated trade agreements ratified by
the governments of individual member states, many critics blame the WTO for extending and
reinforcing existing economic demarcations between the impoverished third world countries and
the rest of the world’s developed economies. As at December 2005, the WTO had 149 members.
For more information see www.wto.int.
4
This Chapter enacts Article 81 of the EC Treaty.
5
This Chapter enacts Article 82 of the EC Treaty.
6
The Competition Commission replaced the Monopolies and Mergers Commission (MMC)
on 1 April 1999.
7
See Chapter 6.
8
Clearly, for Data Protection Act 1998 compliance purposes, access to such a database would
need to be severely restricted to approved users only.
9
The Criminal Records Bureau is an executive agency of the Home Office set up to help
organisations make safer recruitment decisions. Its primary role is to reduce the risk of abuse
by ensuring that those who are unsuitable are not able to work with children and vulnerable
adults.
10
See Chapter 4.
11
We will discuss internet-based business-to-business (B2B) facilities in detail in Chapter 13.
12
In some instances, the quality inspection test may only be carried out on a random sample
of the products received. However, where a number of the randomly sampled products fail,
then the whole delivery consignment would be rejected and returned to the supplier.
13
With effect from 6 April 2006, a standard CRB check costs £31.00 and an enhanced CRB
check costs £36.00.
14
It is of course important to recognise that an early payment discount would only be taken
where there would be a net benefit to the company/organisation. That is where the financial
gain of the discount exceeds the financial costs associated with early payment – costs such as,
for example, borrowing funds to make the payment.
15
Remember also that the three days must always be three consecutive processing days.
16
Invoice-less payment processing is often somewhat confusingly referred to as invoice-less
invoicing.
17
To identify any duplicate product suppliers/service providers.
18
Also known as the employee remuneration cycle.
19
Whilst the calendar month is by far the most common, many companies/organisations use
a lunar month period – that is payment of salaries every four weeks.
20
A positive payroll can be defined as a payroll in which employee remuneration is calculated
each period based on hours worked and/or products produced/services provided. Such a payroll
is normally associated with weekly paid wages.
21
A negative payroll can be defined as a payroll in which employee remuneration is fixed each
period and adjusted only where additional remuneration is approved – for example the payment
of overtime and/or the payment for authorised expenses. Such a payroll is normally associated
with monthly paid salaries.
22
An attachment of earnings order is where a creditor has applied for, and the County Court
has approved, an order to allow the creditor to take funds directly from an individual’s wages
or salary. The individual’s employer must by law deduct the monies from the employee’s wages
or salary and make payments to the creditor up until the time the debt is paid off.
23
Although some companies/organisations use employee reference schemes which use a
combination of both alpha and numeric characters, by far the most common employee reference
schemes are those based on numeric characters only.
24
It is likely that an employee whose employment is either terminated or who leaves
voluntarily will remain on the payroll master file for at least the current financial year in which their
employment ceased.
25
An employee location inventory is merely a list of staff employed in particular sections/
departments within a company/organisation.
26
Significant in this context means a substantial change in the number of employees within a
department/section, and excludes what could be regarded as normal or expected turnover in
employee levels.
27
For example see the Zeus Compact system (details available @ www.autotimesystem.co.uk)
which comprises a swipe terminal that records employee time-keeping and a software
package that calculates hours worked/attended, and provides employee-based management
reports.
28
It is likely that submission deadlines for both weekly paid, and monthly paid employees
would be agreed in advance at the start of the accounting period/financial year.
29
As with payments to creditors – for which a separate creditor’s payment bank account is
used – for internal control purposes a separate bank account should be used for the processing
of payroll payments. Such payments should not be made from the company’s/organisation’s
general bank account.
30
Remember, all accounting entries must be supported by source documentation. Such source
documentation can be categorised as:
• an invoice – for both sales and purchases,
• a cash voucher – for both payments and receipts, or
• a journal voucher – for all other accounting entries.
31
Currently (late 2006), Revenue and Customs require payments to be received within 14 days
of the end of each tax month or tax quarter.
Note: Tax months end on the 5th, so payments need to be received by Revenue and Customs
by the 19th of the month/quarter – although if payments are made using the BACS system, they
need to be received by the 22nd of the month/quarter. For Revenue and Customs purposes, tax
quarters end on 5th July, 5th October, 5th January and 5th April.
32
Whereas a physical access control could include for example the use of security/password
protected entrance controls to the payroll department – to restrict the movement of employees
into and out of the payroll department to authorised personnel only – a logical access control
could include, for example, the use of security users’ names and passwords for access to payroll
data files.
33
For example checking the validity of data fields such as employee reference numbers to
ensure that only approved/recognised employee reference numbers are accepted and processed.
34
For example checking the content of data fields such as employee reference number and/or
the number of hours worked to ensure that the correct format of data is included.
35
For example checking the content of data fields such as the number of hours worked and/or
the gross amount of pay awarded to an employee to ensure maximum limits are not exceeded.
36
A hash total can be defined as an otherwise meaningless control total calculated by adding
together numbers (such as payroll or account numbers) associated with a data set – a total
which is used to ensure that no entry errors have been made.
37
Obviously the services provided by the payroll bureau would of course be price sensitive, that
is, the larger the number of services required, the higher the cost of the service.
38
The use of a professional employer organisation often requires the legal termination of employee
contracts by the client company/organisation and re-appointment by the professional employer
organisation which may – quite understandably – confuse or even upset some employees.
39
A major advantage of small/medium company/organisation status is the exemption that can be
claimed for many legal regulations. However, because many professional employer organisations
are often very large companies/organisations such regulations may often apply to them resulting
in a once exempt small/medium-sized company/organisation being subject to monitoring and
legal regulations it may have otherwise avoided.
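Endnotes 33 to 36 describe validity, format and limit checks and the hash total; the following added example (not from the book) applies all four to a constructed batch of timesheet records. The field names, limits and master file contents are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed policy values and sample data, constructed for this example.
REF_FORMAT = re.compile(r"\d{6}", re.ASCII)                 # numeric-only employee reference
AMOUNT_FORMAT = re.compile(r"\d{1,5}(\.\d{1,2})?", re.ASCII)
MAX_HOURS = Decimal("60")                                   # weekly hours ceiling
MAX_GROSS_PAY = Decimal("2500.00")                          # weekly gross pay ceiling
MASTER_FILE = {"100234", "100235", "100301", "100417"}      # approved reference numbers


@dataclass
class BatchHeader:
    """Control figures prepared independently of data entry."""
    record_count: int
    hash_total: int         # sum of employee reference numbers, meaningless in itself
    hours_total: Decimal    # control total of hours worked


@dataclass
class BatchResult:
    record_errors: dict = field(default_factory=dict)   # record index -> list of failures
    batch_errors: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.record_errors and not self.batch_errors


def check_record(rec):
    """Apply format, validity and limit checks to one input record."""
    errors = []
    ref = str(rec.get("employee_ref", ""))
    if not REF_FORMAT.fullmatch(ref):
        errors.append("format: employee_ref")       # wrong shape of data
    elif ref not in MASTER_FILE:
        errors.append("validity: employee_ref")     # not an approved reference number
    for name, ceiling in (("hours", MAX_HOURS), ("gross_pay", MAX_GROSS_PAY)):
        value = str(rec.get(name, ""))
        if not AMOUNT_FORMAT.fullmatch(value):
            errors.append(f"format: {name}")
        elif Decimal(value) > ceiling:
            errors.append(f"limit: {name}")         # maximum limit exceeded
    return errors


def check_batch(header, records):
    """Check every record, then reconcile the batch against its header totals."""
    result = BatchResult()
    hash_total = 0
    hours_total = Decimal("0")
    for i, rec in enumerate(records):
        errors = check_record(rec)
        if errors:
            result.record_errors[i] = errors
        # Totals are taken over the data as keyed, so a mis-keyed but
        # well-formed value still disagrees with the header.
        ref = str(rec.get("employee_ref", ""))
        hours = str(rec.get("hours", ""))
        if REF_FORMAT.fullmatch(ref):
            hash_total += int(ref)
        if AMOUNT_FORMAT.fullmatch(hours):
            hours_total += Decimal(hours)
    if len(records) != header.record_count:
        result.batch_errors.append("record count")
    if hash_total != header.hash_total:
        result.batch_errors.append("hash total")
    if hours_total != header.hours_total:
        result.batch_errors.append("hours total")
    return result


# Constructed sample batch: three timesheet records and their header.
GOOD_BATCH = [
    {"employee_ref": "100234", "hours": "37.5", "gross_pay": "562.50"},
    {"employee_ref": "100235", "hours": "40", "gross_pay": "600.00"},
    {"employee_ref": "100417", "hours": "42", "gross_pay": "651.00"},
]
HEADER = BatchHeader(record_count=3, hash_total=300886, hours_total=Decimal("119.5"))

if __name__ == "__main__":
    keyed = [dict(r) for r in GOOD_BATCH]
    keyed[0]["employee_ref"] = "100301"   # valid reference, but the wrong employee
    outcome = check_batch(HEADER, keyed)
    print(outcome.record_errors, outcome.batch_errors)
```

The hash total is an arithmetic control, not a cryptographic hash: it catches keying errors and lost records only when the header figures are prepared independently of the person entering the data.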
The beginning is the most important part of the work (Plato, The Republic, 360BC).
Introduction
The conversion cycle can be defined as a recurring collection of business related processes,
procedures and activities (including information processing operations) associated with
the production and manufacture1 of products. That is all those operational events and
activities within a company/organisation which contribute to the conversion of raw material
inputs into finished product outputs.2
The objectives of the conversion cycle are to ensure:
• the revenue cycle provides information to the conversion cycle on levels of demand
for the company’s/organisation’s products – information that can be used to budget
production and where necessary stock levels of raw materials and finished products, and
• the conversion cycle provides information to the expenditure cycle on the requirements
for the purchase/acquisition of raw materials, products and services based on budgeted
production requirements/raw materials and finished goods stock levels.
In a more tactical/strategic context, the accounting information system would be used to:
Learning outcomes
As suggested earlier, the conversion cycle is simply a collection of interrelated activities, all of
which contribute to the creation of a saleable product. Such activities include:
• product development,
• production planning/scheduling,
• manufacturing operations,
• production management, and
• cost management.
Have a look at Figure 10.1.
Note: Although we have identified cost management as a separate aspect of the
conversion cycle, in reality it is an integrated component of each of the individual conversion cycle
activities.
Product development
Product development can be defined as a conversion cycle process concerned with the
conception, development, design and realisation of a new product. However, it is not only concerned
with the identification of new development opportunities and the generation of new product
ideas, but is, perhaps more importantly, concerned with establishing the feasibility/plausibility
of any new product.
A new product can be classified as either:
• a product that is new to the marketplace, or
• a product that is new to the company.
This idea of categorising a new product according to either its newness to market, and/or its
newness to the company was developed by Booz-Allen and Hamilton (1982)3 who suggested
that a product would be considered new to the marketplace where it was:
• a variation of an existing product/product line, or
• a revision or update of an existing product, or
• an augmentation/enhancement of an existing product/product line.
• September 2006: sixth generation iPod launched – improved display music search function,
30GB, 60GB and 80GB hard-drive models (product revision).
• January 2007: Apple Inc. announces the arrival of the iPhone (available June 2007) – an
integrated telecommunications device with multi-media capabilities (music and video)
signalling perhaps the beginning of the end of the iPod (new product).
So what about the development and design process? Broadly speaking, irrespective of whether
a product is new to the marketplace, or indeed, new to the company, it is very likely that the
product development process would involve, at the very least, three key stages, these being:
• a design stage,
• a development stage, and
• a launch stage.
Design
The design stage can be divided into three activities:
• design generation,
• design screening, and
• design testing.
Design generation
Design generation is concerned with the identification and generation of new product designs. Often
referred to as the fuzzy front end of product development – because of the general uncertainty
surrounding the outcome of any proposed new product design – it is perhaps the most crucial
aspect of any product development process, an aspect which whilst often time consuming, is
generally viewed as being a relatively inexpensive activity (Smith and Reinertsen, 1998).
Okay, so where do such designs originate? From many sources, for example, from customers,
competitors, employees, research and development groups internal and/or external to the
company/organisation, management, internal focus groups and many more. And they should
all be considered however bizarre they may appear to be. Remember, some of the most ridiculed
and derided product designs have not only gone on to become hugely successful and highly
profitable products but have, more importantly, gone on to become an essential aspect of
modern society. Can you imagine 21st century society without for example the aeroplane, the
motor car or the television!
Design screening
Design screening is concerned with the analysis of the new product design ideas/concepts – that
is the translation of a new product design into a business specific context and the elimination
of those ideas which whilst conceptually feasible are nonetheless technologically/commercially
doubtful.
It is generally concerned with four interrelated questions:
• Is the design of the product plausible? If so,
• is the manufacture of the product technically feasible? If so,
• is the target market for the product identifiable? And finally, and perhaps most importantly,
• is the production, distribution and retailing of the product likely to be profitable?
Design testing
The design testing stage is concerned with assessing the qualitative characteristics of the
design. In some industries – for example information and communication technology-related
Development
The development stage can be divided into two activities:
• product testing, and
• market testing.
Product testing
Product testing is concerned with assessing the quantitative characteristics of the product. It
generally involves two stages:
• producing a physical prototype of the new product – based on the approved design to
identify any required alterations/adjustments, and
• producing an initial run of the product to test/determine customer acceptance of the new
product.
This latter stage – the external testing of the product – is sometimes referred to as beta testing,
the purpose of which is to:
• assess the performance of the product in a range of external customer-related situations
and identify how the product performs in an actual user environment,
• determine any product defects/faults that are more likely to be revealed by the actual product,
and
• provide recommendations for possible product modifications/corrections.
Unlike alpha testing which is undertaken in a controlled internal environment using company/
organisation employees, beta testing is undertaken in an unrestricted external environment
using ‘real’ customers to perform the evaluation.
Market testing
Once the design has been evaluated (alpha tested), and a product developed and appraised (beta
tested), it may be necessary to consider the target market of the product. A gamma test (or
in-market test)5 is a product-based test that is sometimes used to determine/measure the extent
to which a new product will meet the need/satisfy the requirements of the target customers.
Such a test seeks to evaluate the product itself through a placement of the new product in a
field setting – for example a target distribution within a geographically constrained area for a
specific period of time. Such a test was recently used by the Midcounties Co-operative Society
in its trial testing of Pay-by-Touch in early 2006.6
Gamma testing can be used not only to identify the advertising and promotional
requirements of the new product launch but, more importantly, to determine the likely selling price
and potential sales volume of the new product.
Launch
Whilst the product launch is of course the final stage of the product development process – a
stage that is often by far the most publicly visible (consider, for example, the much publicised
and very delayed product launch of Microsoft Vista7 during the early part of 2007) – it is perhaps
more importantly the first stage of the product life cycle.8 Prior to any new product launch,
whilst it is of course important to ensure that a new product launch plan/strategy has been
prepared and agreed, it is perhaps equally important to ensure:
• the new product has been successfully evaluated,
• market receptivity has been tested,
• all product documentation (including, for example, user documentation, operating manuals
and maintenance instructions) has been completed and finalised,
• all production processes have been validated and are fully operational,
• all advertising, product brochures, marketing materials, press releases and website pages
have been prepared,
• appropriate sales and distribution channels and target markets have been identified and
established, and
• all sales, service and support personnel have been fully trained.
Each of these is regulated by different combinations of legislation. For example in the UK:
• copyrights are regulated by the Copyright, Designs and Patents Act 1988 (as amended),
• trade marks are regulated by the Trade Marks Act 1994 (as amended),
• design rights are regulated by the Copyright, Designs and Patents Act 1988, the Design Right
Rules 1989 and the Design Right (Amendment) Rules 1992, and
• patents are regulated by the Patents Act 1977, the Copyright, Designs and Patents Act 1988,
the Regulatory Reform (Patents) Order 2004 and the Patents Act 2004.
Note: Although copyrights, trade marks, and design rights are often only enforceable in very
specific circumstances, they are nonetheless relatively cheap and fairly easy to obtain. Patents
however tend to involve complex approval processes and are, as a result, much more difficult
to obtain and even more expensive to defend and maintain.
The UK Patent Office is responsible for intellectual property in the UK.9
Production planning/scheduling
Production planning
Production planning can be defined as the planning of human and non-human resources
for the purpose of producing products to accommodate customer/client requirements, and is
used to ensure that an appropriate quantity of products is manufactured as efficiently and
as economically as possible. Put simply, to ensure the right resources are available at the right
time, and at the right place to enable the production of the right goods.
There are many factors driving the need for effective production planning, perhaps the most
important of these being:
Although specific details and stages may differ from company to company or organisation to
organisation, depending on for example the nature of the production process – that is whether
products are manufactured to order or whether they are manufactured to stock, and the location
of the manufacturing process – that is whether products are produced in-house or whether some
of the manufacturing process is outsourced – in general, the development of a production plan
would include some, if not all, of the following stages:
Production scheduling
Production scheduling can be defined as the allocating of resources and the sequencing of
activities to ensure the efficient production of goods and services, the aim of such a schedule
being the management and coordination of resource flows within the manufacturing process,
and the identification and, where possible, the elimination of possible resource conflicts. Accurate
and effective production scheduling can not only improve the efficiency of production flows (and
thereby increase productivity) and minimise average production time (and therefore operating
costs), but perhaps more importantly maximise the utilisation of human and non-human
resources, and minimise the need for excessive stocks of raw materials, production components
and work-in-progress.
Note: Because production schedules will normally contain specific target start times/dates
and completion times/dates they can be – and indeed invariably are – used as a control mechanism
to measure actual performance/achievements.
Manufacturing operations
The key part of any conversion cycle is of course the actual manufacturing process – that is
the physical creation of the product. Although the specifics of the manufacturing process(es)
would differ from product to product, company to company or organisation to organisation,
in general such manufacturing processes can be classified either by type or by orientation.
Have a look at Figure 10.3.
Classification by type
From a functional perspective, manufacturing processes can be classified as:
• continuous manufacturing (or flow manufacturing),
• batch manufacturing (or intermittent manufacturing), or
• on-demand manufacturing.
Classification by orientation
From an orientational perspective, manufacturing processes can be classified as either:
• push-based, or
• pull-based.
Push-based manufacturing
Continuous manufacturing and batch manufacturing are sometimes referred to as push-based
manufacturing inasmuch as such manufacturing is normally supply orientated – that is the
lower the levels of stock of a finished product the company/organisation possesses, the greater
the levels of manufacture. A push-based manufacturing system possesses two key features:
• all products are manufactured in accordance with a pre-determined demand forecast, and
• all information flows in the same direction as the production, that is from the company/
organisation to the customer.
Pull-based manufacturing
On-demand production is normally referred to as pull manufacturing inasmuch as such
manufacturing is normally demand orientated – that is the manufacture of a product only
commences when a sales order is received from a customer/client. In a pull-based manufacturing
system, information flows in the opposite direction to production – from the customer to the
company/organisation.
Since the latter part of the 20th century, increasing market competition, the availability of
new technologies and the ever-changing demands of customers/clients have resulted in the
emergence of a number of alternative manufacturing environments to the traditional
push-based manufacturing environment. Perhaps the most important of these have been:
• the lean manufacturing environment,
• the flexible manufacturing environment, and
• the adaptive manufacturing environment.
Although many manufacturing companies/organisations have for various reasons now moved
away from a dependency on the traditional manufacturing environment, variations of push-based
manufacturing still continue to be used, especially by those manufacturers who have relocated
their manufacturing operations to the so-called third world countries to exploit the low cost of
human resources.
It is also still popular with many petrochemical companies/organisations.
Inc. and, of course, Taiichi Ohno and Shigeo Shingo17 of the Toyota Motor Company,
co-inventors of the Toyota Production System18 as immortalised in the writings of Norman Bodek.19
It was, and indeed still remains, a management philosophy – a set of core values and beliefs
whose raison d’être is to get the right things, to the right place, at the right time and in the right
quantity, whilst maintaining flexibility and openness to change. Focusing on the reduction of
over-production, the efficient use of transportation, the elimination of waiting, the elimination
of excessive stocks, the minimising of motion and the elimination of production defects, lean
manufacturing encapsulates three core concepts:
• reflective analysis,
• continuous improvement – often referred to as kaizen,20 and
• mistake-proofing – often referred to as poka-yoke,21
• minimising waste,
• maximising the use of scarce resources,
• decreasing production times,
• improving product quality and, where appropriate, product diversity,
• promoting risk sharing – between the company and the customer/client, and
• reducing production costs.
Whilst lean manufacturing was introduced, with varying degrees of success, by a wide range of
companies/organisations during the late 1980s/early 1990s – especially US-based companies keen
to replicate the high profit margins of their Japanese competitors – in general lean manufacturing
and its various contemporary (re)incarnations have tended to work best in manufacturing
environments in which:
• product demand is fairly stable, and
• product variability is relatively low.
Industries in which the lean ‘pull-based’ manufacturing environment has been
introduced and indeed continues to be used (with some success) include, for example:
• the motor car manufacturing industry (e.g. Ford, General Motors, Toyota, Renault),
• the computer hardware production industry (e.g. Apple, IBM and Hewlett Packard), and
• the pharmaceutical industry (e.g. AstraZeneca).
search for and adopt alternative forms of flexibility. The most common alternative adopted
by many of these companies was the relocation of manufacturing activities to economic agents
located outside the company. So began the era of outsourcing23 in the manufacturing industry.
perhaps the greatest challenge facing contemporary manufacturing is the issue of customisation:
that is improving the use of adaptive manufacturing systems to produce individually customised
output or, perhaps more specifically, improving the use of adaptive manufacturing systems
to efficiently combine the low unit cost of mass production with the flexibility of pull-based (or
individual) customisation. So, what is pull-based (or individual) customisation?
Traditionally, customisation was categorised as:
• cosmetic customisation in which companies/organisations manufacture a standardised
product which is marketed to different customers, in different geographic/demographic market
segments, in different ways,
• transparent customisation in which companies/organisations provide customers with unique
products without informing them that the product is customised, or
• collaborative customisation in which companies/organisations produce a standardised
product, but the customer is able to customise the product within a pre-determined and often
restricted menu.
Production management
Put simply, the aim of production management is to ensure all production-related processes
and activities are organised efficiently, performed effectively and managed competently.
Cost management
Within the context of the conversion cycle, the term cost management describes
a range of finance orientated planning and control techniques used for conversion cycle
decision-making purposes. We will look at cost management in more detail later in this chapter.
Note: some of these documents, whilst relevant to the conversion cycle, originate within
either the revenue cycle (see Chapter 8) and/or the expenditure cycle (see Chapter 9).
Such documents would include for example:
• a sales forecast,
• a production budget,
• a product design schedule,
• a customer order,
• a sales order,
• a bill of materials,
• a production schedule,
• a production order,
• a materials requisition,
• an equipment requisition,
• a labour work record,
• a movement record,
• an inspection report,
• a production completion document, and
• a production order cost assessment report.
Sales forecast
A sales forecast is the expected demand for a company’s/organisation’s products based on
market requirements. Such a forecast is extremely important where push-based continuous
manufacturing or batch manufacturing is used to ensure over-production does not occur.
Production budget
A production budget provides a financial limit to the costs – materials, labour and expenses –
that may be incurred. Such costs would normally be established by reference to the product
design, the bill of materials and the production plan/schedule.
Such a production budget could be:
• process-based – where push-based continuous manufacturing is used,
• batch-based – where push-based batch manufacturing is used, or
• order/job-based – where pull-based on-demand manufacturing is used.
Customer order
A customer order is an externally generated revenue cycle document submitted by the customer/
client requesting the purchase of goods and/or the provision of services.
Sales order
A sales order is an internally generated revenue cycle document used to approve the sale of
products/services to a customer and/or client. It is generated in response to the receipt of a
customer order. Where pull-based on-demand manufacturing is used such a sales order would
initiate the manufacture of the product.
Bill of materials
A bill of materials specifies the types of raw materials/components and the quantities of raw
materials/components to be used in the manufacture of a product. The bill of materials would
be related to a specific product design specification. Where such a specification is amended –
either as a result of an internal company decision or customer/client demand – a revised bill of
materials would need to be produced. An example bill of materials is provided in Example 10.1.
Production schedule
A production schedule specifies the sequence and timing of operations to be used in the
manufacture of the product. An example production schedule is provided in Example 10.2.
Production order
A production order (sometimes referred to as a work order) is generally used in pull-based
on-demand manufacturing and is generated by the formal issue of a sales order to a client. An
example production order is provided in Example 10.3.
Materials requisition
A materials requisition would authorise stores to issue raw materials/components to specific
individuals and/or work locations. For control purposes, such requisitions would normally
Equipment requisition
An equipment requisition would authorise the use of production equipment as specified in the
production schedule, and may require the relocation of existing equipment and/or the
acquisition of new equipment. An example equipment requisition is provided in Example 10.5.
Movement record
A movement record is used to authorise the movement of a product during its various stages of
manufacture and can be used not only to ensure production schedule timetables are adhered
to/complied with, but also to monitor the process of manufacture.
Inspection report
An inspection report is used to ensure the quality of manufacture. Such quality inspections may
occur at any stage of manufacture and are generally designed to confirm that all product
manufacturing requirements are complied with.
On 5 February 2007, the company received a manufacturing enquiry from NeiChiO, a
Taipei-based Taiwanese company, for the manufacture of 60,000 NFC861 type 2 signal processors.
Because NeiChiO required a number of alterations to be made to the basic design of the
type 2 signal processor, extensive negotiations took place in Taipei and in London during
late February 2007 and early March 2007 to clarify the precise nature of the amendments
requested by NeiChiO. On 27 March 2007 LOQ plc submitted a fixed price bid for the
supply of the type 2 signal processors. The bid price was £732,000.
On 5 April 2007 NeiChiO submitted an official order to LOQ plc for 60,000 NFC816 type
2 signal processors to be delivered in three equal batches in June 2007, September 2007
and December 2007.
Assuming LOQ plc uses paper-based documentation to process conversion cycle transactions,
how would the conversion cycle activities associated with fulfilling the above order be documented?
Have a look at the following.
Prior to the submission of the bid to NeiChiO, LOQ plc prepared:
Note: The preparation of these was coordinated by production planning in consultation with
cost management and production design, with submission of the bid authorised by LOQ’s
production director.
On acceptance of the bid, NeiChiO submitted a formal customer order to LOQ plc. The
customer order provided details of:
On receipt of the customer order LOQ plc issued a sales order. The issue of the sales order
was coordinated by revenue cycle sales management staff.
Note: As suggested earlier, in a pull-based manufacturing environment, the issue of the sales
order effectively marks the commencement of the production/manufacture process.
On the issue of the sales order, the following documents would be generated:
• a bill of materials (based on the amended specification for the NFC861 type 2 signal
processors as detailed in the revised design schedule), providing details of:
  ◦ the types of materials and components required to satisfy the sales order, and
  ◦ the quantities of materials necessary to complete the order,
• a production schedule providing details of:
  ◦ the sequence of activities/operations required to manufacture the signal processors,
  ◦ the operational centres to be used in the manufacture of the signal processors – that
  is which work centre(s) are within the manufacturing environment,
  ◦ the human and non-human resource requirements for each activity/operation within
  the manufacturing process, and
  ◦ the time duration for each manufacturing activity/operation required to manufacture the
  signal processors, and,
• a production order authorising the commencement of the manufacture of the order – the
manufacture of 55,000 NFC816 type 2 signal processors.
On the issue of a production order, the following documents (where necessary) would be
generated:
• a materials requisition directing the stores department to issue materials and/or component
parts to a specific location and/or an authorised individual,
• an equipment requisition allocating specific equipment/asset-based resources to the
production order,
• a labour work record providing details of the hours worked/expended on the manufacture
of the products,
• a movement record providing details of the movement of the production order from one
location/work centre to another location/work centre, and
• an inspection report providing details of quality assessments undertaken during the
manufacturing process.
Note: Each of the above documents would only be valid where an authorised production
order number/reference is used.
Once production is complete, the completed type 2 signal processors would be transferred
to stores awaiting delivery to the customer. On completion of production a production
completion document would normally be finalised.
Although the production of the 60,000 NFC816 type 2 signal processors was at a fixed price, it
would still be necessary – for both planning and control purposes – to identify any under/over-
spending that may have occurred during the production/manufacturing of the processors.
The actual costs incurred in the manufacture of the signal processors for NeiChiO would be
accumulated on a regular basis – probably using a batch approach. Such information would
be obtained from the materials requisitions, equipment requisitions and labour work records
related to the production order with the cost for each resource consumed derived by using
a standard and/or average unit cost, with all such accumulated costs monitored against
the original bid price to identify any potential under- and/or over-spending. Because the
manufacture of the signal processors covers a number of reporting periods (approximately
nine months) a production order cost assessment report would be produced monthly, based
on the production schedule, to provide a comparative assessment of the on-going cost of
the production order.
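The two controls described in this case (documents are valid only against an authorised production order number/reference, and costs taken from requisitions and labour work records are accumulated at standard unit cost and monitored against the bid price) can be expressed as the following added Python example, which is not part of the original text. The order number PO-0001, the resource codes, the quantities and the standard unit costs are constructed for illustration; only the £732,000 bid price comes from the case.

```python
from dataclasses import dataclass
from decimal import Decimal

# Documents that carry a cost, and documents that only track progress.
COSTED = {"materials requisition", "equipment requisition", "labour work record"}
UNCOSTED = {"movement record", "inspection report"}


@dataclass(frozen=True)
class Document:
    doc_id: str
    doc_type: str
    production_order: str            # reference quoted on the document
    resource: str = ""               # resource code (costed documents only)
    quantity: Decimal = Decimal("0")


def control_failures(doc, authorised_orders, standard_costs):
    """Return the reasons a document must be rejected (empty list = accept)."""
    failures = []
    if doc.doc_type not in COSTED | UNCOSTED:
        failures.append("unknown document type")
    if doc.production_order not in authorised_orders:
        failures.append("no authorised production order")
    if doc.doc_type in COSTED:
        if doc.resource not in standard_costs:
            failures.append("no standard cost for resource")
        if doc.quantity <= 0:
            failures.append("quantity not positive")
    return failures


def cost_assessment(documents, bid_prices, standard_costs):
    """Accumulate standard costs per authorised order and compare with the bid.

    bid_prices maps each authorised production order to its bid price.
    Rejected documents are reported, never costed.
    """
    cost_to_date = {order: Decimal("0") for order in bid_prices}
    rejected = {}
    for doc in documents:
        failures = control_failures(doc, bid_prices, standard_costs)
        if failures:
            rejected[doc.doc_id] = failures
        elif doc.doc_type in COSTED:
            unit_cost = standard_costs[doc.resource]
            cost_to_date[doc.production_order] += doc.quantity * unit_cost
    report = {order: {"cost_to_date": cost,
                      "bid_price": bid_prices[order],
                      "over_spent": cost > bid_prices[order]}
              for order, cost in cost_to_date.items()}
    return report, rejected


# Constructed sample data: only the 732,000 bid price comes from the text.
BID_PRICES = {"PO-0001": Decimal("732000")}
STANDARD_COSTS = {"MAT-A": Decimal("4.50"), "EQP-HR": Decimal("120.00"),
                  "LAB-HR": Decimal("18.00")}
DOCUMENTS = [
    Document("MR-1", "materials requisition", "PO-0001", "MAT-A", Decimal("20000")),
    Document("ER-1", "equipment requisition", "PO-0001", "EQP-HR", Decimal("300")),
    Document("LW-1", "labour work record", "PO-0001", "LAB-HR", Decimal("2500")),
    Document("IR-1", "inspection report", "PO-0001"),
    # Quotes an order number that was never authorised.
    Document("MR-2", "materials requisition", "PO-9999", "MAT-A", Decimal("5000")),
    # Negative hours would silently reduce the accumulated cost.
    Document("LW-2", "labour work record", "PO-0001", "LAB-HR", Decimal("-40")),
]

if __name__ == "__main__":
    report, rejected = cost_assessment(DOCUMENTS, BID_PRICES, STANDARD_COSTS)
    for order, line in report.items():
        print(order, {key: str(value) for key, value in line.items()})
    for doc_id, reasons in rejected.items():
        print("rejected", doc_id, reasons)
```

Rejected documents are kept in the result rather than dropped, so the monthly production order cost assessment report can list them as exceptions for follow-up.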
On 20 March 2007, the company received a manufacturing enquiry from JCN Inc., a
US-based computer manufacturer, for the manufacture and supply of 45,000 combined
GHP/SMN reflex multi-core processors for incorporation into JCN’s new fourth-generation
SMARTmap® notebook to be launched in March 2008.
The combined GHP/SMN reflex multi-core processor is a standard product that has been
manufactured and supplied by EFMM plc to a number of US, European and Asia-based,
computer manufacturers over the past 10 months.
On 2 April 2007 EFMM plc submitted a variable price bid for the supply of the above
components. The bid price was £1,623,000.
On 15 May 2007 JCN Inc. submitted (using a secure web-based facility) an official order
to EFMM plc for the supply of 45,000 combined GHP/SMN reflex multi-core processors for
delivery by 30 September 2007.
Assuming EFMM plc operates computer-based online documentation, how would the
conversion cycle activities associated with fulfilling the above order be documented?
Let’s assume EFMM plc uses computer integrated manufacturing.26 For internal control purposes:
• all computer-based facilities are password protected and access to computer-based facilities
is restricted to relevant and appropriate departmental personnel,
• all production/manufacturing orientated transaction data are processed online and stored
on preformatted documentation within a central relational database, and
• all documentation is maintained in virtual/electronic format only – paper documentation is
only produced when requested/required.
In addition EFMM plc uses the following organisational functions/departments within its
conversion cycle:
• production design,
• production planning/scheduling,
• manufacturing,
• production management,
• stock management, and
• cost management.
On receipt of the manufacturing enquiry from JCN Inc., the enquiry was acknowledged and
a formal response automatically generated. The enquiry would be routed via production
management to the following three departments/functions:
• production design – to identify the product design specification and bill of materials for
the combined GHP/SMN reflex multi-core processor,
• production planning/scheduling – to prepare a forecast production/manufacturing
timetable, resource allocation and a detailed production schedule, and
• cost management – to prepare a cost estimate (based on standard costs) for the
manufacture of 45,000 combined GHP/SMN reflex multi-core processors.
On receipt of the above information, production management would prepare the variable price
bid for JCN Inc. Production management would allocate a pending production order number.
Following review and approval by the production director the bid would be submitted to the
prospective customer.
Note: In addition to the above, on receipt of the manufacturing enquiry, an automatic customer
check would be undertaken to determine if JCN Inc. currently is or ever has been an existing
customer of EFMM plc. The purpose of this is to identify any possible future issues that may arise.
On receipt of the customer order from JCN Inc., EFMM plc would issue a sales order – an
automatic confirmation sales order receipt would be sent to JCN Inc.
Details of the issue of the sales order would be routed to production management who would
activate the pending production order, which would now be regarded as an active production
order. This would be made available to design management, production planning and cost
management. On receipt of the production order:
• design management would issue and forward the revised design specification and revised
bill of materials to production planning, and
• cost management would create/establish a ‘live’ budget for the sales order and forward
the budget details to production planning.
On receipt of the above, production planning would allocate and schedule resources, both
manufacturing resources and production staff requirements, for the completion of the
production, and identify key inspection dates during the manufacturing process.
Costs for the use of production equipment and other production overheads would be
allocated by cost management based on the production schedule.
Note: Records of all time allocations would also be submitted to HRM/payroll for
reconciliation with the individual production staff record of attendance.
First we consider the file-oriented approach and then the data-oriented approach.
Primary files
As in the other transaction processing cycles, conversion cycle primary files can be classified as
either:
• a master file, or
• a transaction file.
Although the specific data contained within each file would vary from company to company or
organisation to organisation, each file would nonetheless serve a similar purpose.
Master files
Three possible master files may be used:
• a materials stock master file,
• a work-in-process master file, and
• a finished products/goods master file.
The materials stock master file would contain records of the raw materials, components and
other assemblies required by the company for the production process. The work-in-process
master file would summarise the materials, direct labour and overhead costs expended on
production orders currently in production, and the finished products/goods master file would
provide a record of completed stock items available for resale.
Transaction files
Three possible transaction files may be used:
• a production order file,
• a materials issues file, and
• an operations or routing file.
The production order file would contain details relating to current production orders and data
similar to the data elements contained in Example 10.3. An open production order file would
also include details of the movement of production through its production process (especially
where production occurs at different locations) to facilitate the monitoring of production
orders as they move through the physical production operations.
The materials issues file would contain details of materials issued to production orders in
accordance with the approved bill of materials.
An operations file would contain details of production orders in progress.
Secondary files
These would include for example:
• a location file,
• a history file, and
• an inspection file.
A location file would contain details of the status of a work centre, department or production
location, and details relating to assigned production equipment and direct labour resources.
A history file would contain details of past production orders, work centre performances and
equipment utilisation. An inspection file would contain details of work centre, department or
location quality assessments.
Whilst the precise nature of the functions provided/activities undertaken by the accounting
information system in relation to the conversion cycle would differ from company to company
or organisation to organisation, in general the accounting information system would
undertake a range of cost management-related activities concerned primarily with the collection of
conversion cycle costs for two purposes:
• product costing – that is determining the total cost of a product/service, and
• performance measurement – that is assessing the performance of a function/activity within
the company/organisation.
Product costing
There are two stages to product costing:
• cost collection, and
• cost assessment.
Cost collection
The collection or accumulation of production costs and the updating of production records
would generally occur in concert with the actual physical production process, with the costs
collected/accumulated on the same basis as the production methodology adopted by the
company/organisation. For example, costs would be collected/accumulated on:
• a process basis – where continuous manufacturing or flow manufacturing is used (sometimes
referred to as process costing),
• a job basis – where batch manufacturing or intermittent manufacturing is used (sometimes
referred to as job costing), or
• a production order basis – where on-demand manufacturing is used (sometimes referred to as
contract costing or order costing).
Whichever process is adopted, the stages of the cost collection procedure would be as follows:
• the collection and assignment of all direct material costs, all direct labour costs and all direct
expenses – with the amounts charged on the basis of standard unit costs,
• the accumulation and assignment of production overheads – with the amounts charged on
the basis of a standard production overhead rate, and
• the computation of the cost variances (for materials, direct labour, direct expenses and
production overhead costs) based on differences between the actual costs (actual
production × standard unit costs) and the expected costs (expected production × standard unit
costs).
Note: Variances between actual unit costs and standard unit costs would not form part of the
conversion cycle process.
When production is completed costs are transferred from the work-in-process file/record
to the finished goods file/record, with the total costs posted to the stock control account in the
general ledger.
Cost assessment
For cost assessment purposes, the vast majority of companies/organisations in the UK use one
of the following approaches (or an amended version) to determine the cost of a product and/or
service:
• an absorption cost-based approach,
• a variable cost-based approach,
• an activity cost-based approach,
• a target cost-based approach, or
• a standard cost-based approach.
• all direct labour costs – that is those labour costs that can be easily traced to the manufacture
of a product or the provision of a service,
• all direct expenses – that is those expenses directly applicable to the manufacture of a
product or the provision of a service, and
• a proportion of indirect production overheads.
Note: Indirect production overheads (or non-production overheads) are considered a period
cost and not a product cost/service cost – that is not until the product is sold and/or the service
is provided do they take effect.
Consider the following example.
XLT Ltd is a Hull-based company that manufactures desks. The company commenced
trading on 1 January 2006. For the year ending 31 December 2006 production was expected to
be 40,000 desks. However the company actually produced 50,000 desks but only managed
to sell 45,000 desks.
Sales commission is also paid at a rate of 5% of total sales revenue. All desks are sold at a
retail price of £100.
Using an absorption cost-based approach we can prepare a profit statement for XLT Ltd for
the year ending 31 December 2006 as follows:
Production overhead absorption rate would be: £800,000/40,000 = £20 per unit
                                                                 £            £
Sales                                  45,000 × £100                    4,500,000
Production                             50,000 × £71          3,550,000
Minus closing stock                     5,000 × £71            355,000
                                                                        3,195,000
                                                                        1,305,000
Sales commission                       5% × 4,500,000                     225,000
                                                                        1,080,000
Admin and sales costs                                                     240,000
                                                                          840,000
Over-absorbed production overheads                                        100,000
Profit                                                                    740,000
So what are the advantages and disadvantages of an absorption cost-based approach? The
advantages are:
• it provides a summary total cost for a product and/or service,
• it can be used to identify the profitability of a product and/or service, and
• it complies with the valuation requirements of SSAP 9 for stocks and work-in-progress.
Note: All fixed overheads are considered a time cost and are expensed in the year incurred.
Consider the following example:
RLK Ltd is a York-based company that manufactures chairs. The company commenced
trading in 2003. For the year ending 31 December 2006 production was expected to be 60,000
chairs. However the company actually produced 55,000 chairs, but only managed to sell
50,000.
Sales commission is also paid at a rate of 5% of total sales revenue. All chairs are sold at a
retail price of £70.
Using a variable cost-based approach we can prepare a profit statement for RLK Ltd for the
year ending 31 December 2006 as follows:
So what are the advantages and disadvantages of a variable cost-based approach? The
advantages are:
• the contribution per unit is a useful indicator for management,
• there is no arbitrary allocation of costs,
• the recognition of cost behaviour provides better support for sales pricing and decision
making, and
• it allows better control information.
by Kaplan and Bruns (1987) such an alternative arose primarily in response to criticisms aimed
at the more traditional volume-based approaches.
Activity-based costing is founded on the understanding that costs arise because of the
activities utilised, not because of the products and/or services produced, with the management
and control of costs best achieved through the management of such activities.28 Rather than
levels/volumes of production, activity-based costing considers four different groups of activities
giving rise to overheads, such as movement, production demand, quality and design, and requires
all cost types to be identified and classified into:
RTY Ltd has provided the following information on the production of two products, the Jet
203 and the Kite 402.
Using an activity-cost based approach the total cost of each product could be calculated as
follows:
                                  Jet 203     Kite 402     Total
Number of customers                     4           16        20
Cost per despatch                 £20,000/20 = £1,000
Number of units per despatch
  Jet 203                         2,000/4 = 500
  Kite 402                        1,000/16 = 62.5
Cost per unit (£)
  Jet 203                         £1,000/500 = 2
  Kite 402                        £1,000/62.5 = 16
So what are the advantages and disadvantages of an activity cost-based approach? The
advantages are:
• it is subjective,
• it is historical,
• it requires identification of cost drivers (activities),
• it requires the relating of activities to the production of a product/delivery of a service,
• it is an expensive and time-consuming exercise, and
• it does not comply with the valuation requirements of SSAP 9 for stocks and
work-in-progress.
on the total cost – for example, total cost plus a pre-determined profit margin – the target cost
of a product/service is established by reference to the external marketplace. There are three
alternative approaches to target costing, these being:
Using a price-based targeting approach the target cost of a product/service is derived by
subtracting the desired profit margin from a competitive market price of a similar and/or equivalent
product/service.
Using a cost-based targeting approach the target cost of a product/service is derived by
establishing a total cost for a product/service by reference to costs incurred by the company.
The aim of this approach is to reduce, as far as possible, the costs incurred from the
buying-in of goods and services from suppliers.
Using a value-based targeting approach the target cost of a product/service is determined by
estimating the ‘value’ the market will place on the product/service (the value that the product/
service would bring to the customer/client and how much the customer/client would be willing
to pay) and then subtracting the desired profit margin.
Consider the following example.
RD Ltd requires a profit margin of 25% on all products. Using a price-based targeting approach,
what would the target cost of L0L4 be?
The target cost would be £300 − (£300 × 20%) = £240 and the profit per product would be
£60, that is 25%.29
Remember the target cost is merely an estimate and may well be considerably less than the
initial/current costs of a product/service. In such cases, such a target cost is regarded as a
product/service cost to be achieved over a period of time, hopefully before the product/service
reaches the maturity stage of its life cycle.30
For obvious reasons, a target-based cost approach may not be suitable for all product/
services. Such suitability would be determined by the nature of the product/service and perhaps
most importantly the nature and structure of competition within the market. For example a
price-based targeting approach can only be used where similar or equivalent products/services
are already available within the marketplace and a cost-based targeting approach can only
be used successfully where the company enjoys a significant position within the marketplace,
and can therefore pressurise suppliers into reducing supply costs so that its target cost is
achieved.
So, what are the advantages and disadvantages of a target based cost approach? The
advantages are:
There are many types of standards of which the following are the most common:
• a basic standard – that is a standard that is used unaltered over a long period of time and
which is deemed achievable under all operating conditions,
• an attainable standard – that is a standard that is achievable only under normal operating
conditions and in which some allowance is made for possible delays/inefficiencies, and
• an ideal standard – that is a standard that is achievable only under perfect operating conditions
and which assumes no inefficiencies.
So what are the advantages and disadvantages of a standard cost-based cost approach? The
advantages are:
Performance measurement
to enable the comparison of expected costs and revenues with actual costs and revenues, and
the calculation and analysis of cost and revenue variances.
Consider the following example.
The following results are available for the month of March 2007:
                                        Budget     Actual
Units of finished goods                    400        500
Direct materials
  Total (kg)                             4,800      5,500
  Cost per kg (£)                         0.50       0.55
  Total cost (£)                         2,400      3,025
Direct labour
  Total man hours                       10,000     13,000
  Cost per man hour (£)                   0.60       0.65
  Total cost (£)                         6,000      8,450
Direct expenses (£)                        500        700
Indirect expenses (fixed costs) (£)      2,000      2,400
Total (£)                               10,900     14,575
We could prepare a flexed budget for KLP Ltd for March 2007 based on the production of
500 units as follows:
                                        Budget    Actual
Units of finished goods                    500       500
Direct materials
  Total (kg)                             6,000     5,500
  Cost per kg (£)                         0.50      0.55
  Total cost (£)                         3,000     3,025
Direct labour
  Total man hours                       12,500    13,000
  Cost per man hour (£)                   0.60      0.65
  Total cost (£)                         7,500     8,450
Direct expenses (£)                        500       700
Indirect expenses (fixed costs) (£)      2,000     2,400
Total (£)                               13,000    14,575
                                                 £
Direct materials (3,000 – 3,025)              (25)
Direct labour (7,500 – 8,450)                (950)
Direct expenses (500 – 700)                  (200)
Indirect expenses (2,000 – 2,400)            (400)
Total variance (13,000 – 14,575)           (1,575)
• price-related variances – for example, price variances, rate variances, and/or expenditure
variances, or
• quantity-related variances – for example, usage variances, capacity variances and/or efficiency
variances.
                                                 £         £
Direct materials price variance
  (0.55 − 0.50) × 5,500 kg                   (275)
Direct materials usage variance
  (5,500 kg − 6,000 kg) × 0.50                 250
                                                        (25)
Direct labour price (rate) variance
  (0.60 − 0.65) × 13,000 hrs                 (650)
Direct labour efficiency variance
  (13,000 hrs − 12,500 hrs) × 0.60           (300)
                                                       (950)
Direct expenses variances
  (500 − 700)                                          (200)
Indirect expenses variances
  (2,000 − 2,400)                                      (400)
Total variance (13,000 − 14,575)                     (1,575)
So why would such variances arise? For a number of reasons, for example:
• direct material price variances could arise due to the purchase of higher/lower priced
materials, possible price inflation, supplier discounts and/or foreign currency exchange rate
fluctuations,
• direct material usage variances could arise due to the purchase of inferior/superior quality
materials, manufacturing efficiency, pilfering and/or ineffective stock control,
• direct labour rate variances could arise due to the use of higher/lower skilled labour and/or
wage inflation,
• direct labour efficiency variances could arise due to the use of higher/lower skilled labour
and/or inaccurate time allocation, and
• direct/indirect expenses variances could arise due to price inflation, capacity efficiencies/
inefficiencies (e.g. excessive wastage and/or idle time) and/or resource usage efficiencies/
inefficiencies.
In using variance analysis, it is of course important to identify:
• the controllability of variances, and
• the responsibility for variances.
But should all variances be investigated? That depends! There are a number of decision models
that can be used to determine whether a variance should be investigated, perhaps the most
common being:
• a percentage rule – that is a variance should only be investigated if it is greater than a
pre-determined percentage of the standard, and
• a statistical significance rule – that is a variance should only be investigated if it falls
outside the range of occurrences that would be expected under a normal statistical distribution.
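The flexed-budget variances and the two investigation rules above, worked through in code as an added example that is not from the book. It uses the KLP Ltd figures from this page; the 5% threshold, the two-standard-deviation cut-off and the history of past usage variances are assumptions, and the history is constructed.

```python
from decimal import Decimal as D
from statistics import mean, stdev

# KLP Ltd, March 2007, flexed to 500 units (figures from the tables above).
FLEXED = {
    "direct materials": {"qty": D("6000"), "price": D("0.50")},
    "direct labour": {"qty": D("12500"), "price": D("0.60")},
}
ACTUAL = {
    "direct materials": {"qty": D("5500"), "price": D("0.55")},
    "direct labour": {"qty": D("13000"), "price": D("0.65")},
}
# Expense lines have no quantity/price split on the page: (flexed budget, actual).
EXPENSES = {
    "direct expenses": (D("500"), D("700")),
    "indirect expenses": (D("2000"), D("2400")),
}
# Constructed history of monthly materials usage variances in pounds (assumption).
USAGE_HISTORY = [20, -35, 10, -15, 40, -20]


def split_variance(std, act):
    """Return (price_variance, quantity_variance); a negative value is adverse.

    "price" covers the page's price/rate variances and "quantity" covers its
    usage/efficiency variances.
    """
    price_var = (std["price"] - act["price"]) * act["qty"]
    qty_var = (std["qty"] - act["qty"]) * std["price"]
    return price_var, qty_var


def all_variances():
    """List (name, variance, flexed standard cost) for every variance line."""
    rows = []
    for name, std in FLEXED.items():
        standard_cost = std["qty"] * std["price"]
        price_var, qty_var = split_variance(std, ACTUAL[name])
        rows.append((f"{name} price", price_var, standard_cost))
        rows.append((f"{name} quantity", qty_var, standard_cost))
        rows.append((f"{name} net", price_var + qty_var, standard_cost))
    for name, (budget, actual) in EXPENSES.items():
        rows.append((name, budget - actual, budget))
    return rows


def total_variance(rows):
    """Sum the component lines, skipping the 'net' subtotals to avoid double counting."""
    return sum(var for name, var, _ in rows if not name.endswith(" net"))


def percentage_rule(rows, threshold_pct):
    """Names of variances larger than threshold_pct of their standard cost."""
    limit = D(threshold_pct) / D(100)
    return [name for name, var, std_cost in rows if abs(var) > limit * std_cost]


def statistical_rule(variance, history, k=2.0):
    """True if the variance lies more than k standard deviations from the
    historical mean (the history is assumed to be roughly normal)."""
    mu, sigma = mean(history), stdev(history)
    return abs(float(variance) - mu) > k * sigma


if __name__ == "__main__":
    rows = all_variances()
    for name, var, std_cost in rows:
        print(f"{name:28} {var:>10} ({abs(var) / std_cost:.1%} of standard)")
    print("total variance:", total_variance(rows))
    print("investigate (5% rule):", percentage_rule(rows, 5))
    print("usage variance unusual:", statistical_rule(D("250"), USAGE_HISTORY))
```

With a 5% rule the net materials variance of (25) is not flagged, while its price and usage components, which largely offset each other, both are; applying the rule only to net figures would hide them.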
Clearly, any failure in the processes and controls associated with the conversion cycle could
have significant consequences for the company/organisation and could not only result in a loss
of customers/clients, and as a consequence a loss of revenue income (and profits), but perhaps
more importantly a loss of company/organisation assets including confidential conversion cycle
information.
Poor development and design could not only result in the inefficient use of production resources,
for example inappropriate production scheduling, but perhaps more importantly could in
the short-term result in an increase in the overall cost of a product/service because of higher
warranty repair costs and, in the longer term, a loss of demand for the company’s/organisation’s
products/services.
In extreme cases poor development and design could also result in loss/personal injury which
may – in very serious cases – result in litigation and possible claims for damages.
So why does poor development and design occur? For many reasons, perhaps the most
common being:
The solution:
Over/under-production
Whilst over-production could result in the supply of finished products in excess of market
demand and therefore has an adverse impact on liquidity – for example, significant
over-production could not only have a detrimental effect on working capital, but could also result
in lower retail prices – under-production could result in loss of revenue and potentially a loss
of customers/clients.
Over/under-production can occur because of:
The solution:
Note: We will look at the management of fixed assets in detail in Chapter 11.
Events which may result in the disruption of conversion cycle activities – or unplanned
interruption to conversion cycle activities, in particular manufacturing-related activities – can be
broadly classified as either:
• a management-related event, or
• an environment-related event.
A management-related event is an event which occurs as a result of the improper use and/or
incompetent administration of conversion cycle resources, examples of which would be:
• the inappropriate allocation of production resources – could result in excessive delays between
the generation of a production order and the start of production operations,
• the inefficient management of raw materials – could result in the delay of manufacturing
operations as a result of a lack of appropriate raw materials or, indeed,
• the recruitment of unqualified production staff – could result in the manufacture of faulty
and/or sub-standard quality products.
Although environment-related events are generally regarded as being ‘externally generated,’ very
often the history of such events lies within the internal management activities of the company/
organisation, for example:
• A labour dispute may well be precipitated by the actions of a trade union on behalf of
its members. However such a dispute may well have emerged from a failure of management
and staff representatives to negotiate an acceptable pay award for production-related
staff.
• A supply chain failure may result from a refusal by suppliers to supply and deliver raw
materials. However such a refusal may have resulted from a failure of management to meet
conditions imposed by raw material suppliers – for example payment conditions.
• The accidental destruction of conversion cycle resources whilst perhaps resulting from
an incidence of extreme weather (e.g. storm damage), could as a consequence have been
exacerbated by a failure of management to provide adequate disaster recovery planning.
Clearly any disruption to conversion cycle activities is unacceptable since such disruptions
can not only result in higher costs in the shorter-term but, more importantly, can adversely
affect company/organisation relations with customers/clients in the longer-term. Whilst future
uncertainties will always mean unplanned disruptions to conversion cycle activities will perhaps
be inevitable, the consequences of such interruptions can be greatly reduced by:
The solution:
The theft/loss of raw materials, work-in-progress and/or finished products is a major problem
area for manufacturing companies/organisations. Not only can such theft/loss result in a
permanent loss of current assets, it can also result in an over-statement of stock balances and, as a
consequence, possible under-production.
The solution:
the inaccurate collection, processing and management of cost data/information not only
results in incorrect costs being charged to work-in-progress and/or finished goods and, as a
consequence, the incorrect valuation of work-in-progress and/or finished goods, but can, more
The loss, alteration and/or unauthorised disclosure (or theft) of confidential data can have
enormous consequences – both legal and financial – for a company/organisation, especially
where such data is customer/client/employee-related and regulated by the provisions of the
Data Protection Act 1998.
The solution:
As with revenue cycle activities (see Chapter 8), and expenditure cycle activities (see Chapter 9)
in a practical context such internal controls can be categorised as either general controls or
application specific (conversion cycle specific) controls.
General controls
The general controls applicable to the conversion cycle could be categorised as:
• organisational controls,
• documentation controls,
• access controls,
• authorisation controls,
• asset controls,
• management practice controls, and
• information systems controls.
Organisational controls
Within the conversion cycle such controls should ensure that there is a separation of duties between:
• those involved in activities related to the management and coordination of production-related
operations/activities,
• those involved in stores/warehouse-related activities and the management and control of
raw materials, work-in-progress and finished products, and
• those involved in the provision of conversion cycle-related data/information, specifically,
finance/accounting-based information.
Documentation controls
Complete and up-to-date documentation should be available for all conversion cycle procedures.
Such documentation should include, for example:
• organisational charts detailing the responsibility structure within the conversion cycle and
the separation/segregation of duties within each of the conversion cycle systems,
• procedural descriptions of all procedures and processes used within the conversion cycle,
• systems flowcharts detailing how functions/activities within the conversion cycle operate,
• document flowcharts detailing what documents flow within conversion cycle systems,
• management control procedures/internal control procedures detailing the main internal
controls within the conversion cycle,
• user guides/handbooks providing a broad overview of the main functions/activities within
the conversion cycle – especially the production and manufacturing-related activities, and
• records of recent internal/external audits undertaken on individual conversion cycle systems
– for example an assessment of internal control procedures related to product development
and design activities.
Access controls
Where information and communication technology is used as an integral part of the conversion
cycle systems and activities, for example as part of a computer integrated manufacturing
system, it is important, for both internal control and security purposes, to ensure that:
• assigned users’ names and passwords are used to authenticate users and authorise access to
conversion cycle production data,
• production planning and control data/information is only accessible by approved management
staff,
• location and/or terminal restrictions are used, where appropriate, to control/restrict access
to conversion cycle-based data/information, and
• production data/information is securely stored with access to both current transaction files/
master files and their back-up copies restricted to approved management staff only.
Authorisation controls
It is important to ensure that all significant events and activities within the conversion cycle are
appropriately authorised, for example:
• the issue of production orders,
• the issue of raw materials,
• the scheduling of production activities,
• the transfer of finished products to the stores, and
• the write-off of production waste/scrap raw materials.
Asset controls
To ensure the continued protection of all assets, it is important that there is:
• regular reconciliation of physical stocks of raw materials, work-in-progress, and finished
products to stores records and general ledger records,
• periodic reconciliation of production performance to standard production requirements
and regular analysis of any significant variances, and
• a reconciliation of completed production orders to transfer orders authorising the movement
of finished products from production to the stores.
Application controls
As with all application controls, those applicable to the conversion cycle can be categorised as
input controls, processing controls and output controls.
Input controls
Clearly, it is important to ensure that controlled documentation (either physical/paper-based
documentation or virtual/computer-based documentation) is used for all production order
requests, resource requisitions (both labour and materials), work-in-progress movements and
finished goods transfers. It is important to ensure adequate controls exist to guarantee the
validity, correctness and appropriateness of conversion cycle input data. Such controls would
include for example:
• appropriateness checks – to ensure the consistency of input data,
• data validity checks – to confirm that input data is within expected parameters,
• data entry checks – to ensure input data is in the correct format,
• authorisation procedure checks – to confirm all data is appropriately authorised prior to
input and processing, and
• error tests/error correction procedure checks – to ensure all incorrect data is identified and
appropriately dealt with.
Where input data is transmitted from a source origin to a processing destination electronically,
additional supplementary input controls would normally be required. Such additional input
controls would include for example:
• transmission tests – to ensure the completeness of the transmission,
• security checks – to ensure the authenticity of the customer/client and the legitimacy of the
transmission, and
• validity checks – to ensure/confirm the completeness of the transaction data.
Processing controls
Conversion cycle processing controls are designed to ensure only authorised conversion cycle
transaction data are processed and all such data are processed accurately, correctly and completely.
Such controls would include for example:
• file maintenance checks – to ensure that both production records and work-in-progress
records are properly maintained,
• file labelling checks – to ensure all conversion cycle data files are correctly labelled,
• computational checks – to ensure all production orders and work-in-progress stock records
are correctly calculated and approved prior to processing,
• processing logic checks – to ensure that the actual processing steps by which data are
transformed or moved are consistent with defined procedures/protocols,
• limit checks – to ensure that all conversion cycle transaction data exist within defined
processing parameters (e.g. value of transaction, date of transaction),
• monitor checks – to ensure any resubmitted transactions (production orders that have been
rejected and require reworking) are correctly processed,
• reasonableness checks – to ensure that conversion cycle transaction data are consistent with
processing expectations,
• reconciliation checks – to ensure all resources (both raw materials and labour) are accounted
for and all production orders are consistent with the finished goods produced,
• sequence checks – to ensure that no interruptions or gaps exist in the sequence of
transaction data processed,
• audit trail controls – to ensure that a visible trail of evidence and/or chronology of events is
available to enable the tracing of transaction events,
• control totals checks – to check that conversion cycle transaction file control totals are
consistent with the contents of the transaction file to which they relate, and
• data checks – to check for the existence of duplicate, inconsistent and/or missing data.
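Four of the processing controls listed above (control totals, sequence, limit and duplicate-data checks) applied to one batch of production-order transactions, as an added example that is not from the book. The record layout, the batch header fields and the limit values are assumptions, and the sample batch is constructed.

```python
from collections import Counter
from datetime import date

# Constructed batch header: control totals recorded when the batch was prepared
# (7 orders numbered 1001-1007, 1,650 units in total).
HEADER = {"record_count": 7, "quantity_total": 1650, "order_no_hash": 7028}

# Constructed transaction file as received for processing. Order 1004 has been
# dropped, order 1006 appears twice, order 1005 carries a keying error in the
# quantity and order 1007 is dated outside the processing period.
RECORDS = [
    {"order_no": 1001, "product": "A-100", "quantity": 200, "date": date(2007, 3, 5)},
    {"order_no": 1002, "product": "A-100", "quantity": 250, "date": date(2007, 3, 6)},
    {"order_no": 1003, "product": "B-220", "quantity": 300, "date": date(2007, 3, 6)},
    {"order_no": 1005, "product": "B-220", "quantity": 5000, "date": date(2007, 3, 7)},
    {"order_no": 1006, "product": "C-310", "quantity": 150, "date": date(2007, 3, 8)},
    {"order_no": 1006, "product": "C-310", "quantity": 150, "date": date(2007, 3, 8)},
    {"order_no": 1007, "product": "C-310", "quantity": 100, "date": date(2007, 4, 2)},
]


def control_totals_check(header, records):
    """Return {total: (expected, computed)} for every control total that differs."""
    computed = {
        "record_count": len(records),
        "quantity_total": sum(r["quantity"] for r in records),
        "order_no_hash": sum(r["order_no"] for r in records),  # hash total
    }
    return {k: (header[k], v) for k, v in computed.items() if header[k] != v}


def sequence_check(records):
    """Order numbers missing between the lowest and highest number received."""
    seen = {r["order_no"] for r in records}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def duplicate_check(records):
    """Order numbers that appear more than once in the file."""
    counts = Counter(r["order_no"] for r in records)
    return sorted(n for n, c in counts.items() if c > 1)


def limit_check(records, max_quantity, period_start, period_end):
    """(order_no, field) pairs whose value or date lies outside the set limits."""
    exceptions = []
    for r in records:
        if not 0 < r["quantity"] <= max_quantity:
            exceptions.append((r["order_no"], "quantity"))
        if not period_start <= r["date"] <= period_end:
            exceptions.append((r["order_no"], "date"))
    return exceptions


def process_batch(header, records, max_quantity=1000,
                  period=(date(2007, 3, 1), date(2007, 3, 31))):
    """Run every check; the batch is accepted only if no check reports anything."""
    report = {
        "control_totals": control_totals_check(header, records),
        "sequence_gaps": sequence_check(records),
        "duplicates": duplicate_check(records),
        "limit_exceptions": limit_check(records, max_quantity, *period),
    }
    report["accepted"] = not any(report.values())
    return report


if __name__ == "__main__":
    for check, result in process_batch(HEADER, RECORDS).items():
        print(f"{check}: {result}")
```

The record count still agrees with the header because the duplicate of order 1006 masks the missing order 1004; the hash total and the sequence check are what expose the problem.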
Output controls
Conversion cycle output controls are designed to ensure all conversion cycle output is authorised,
accurate and complete, and distributed to approved and authorised recipients only.
Such controls would include for example:
• distribution controls – to ensure production orders are charged/allocated to the correct cost
code/budget holder account,
• verification controls – to ensure the validity and accuracy of output information,
• reconciliation checks – to ensure all transaction numbers are accounted for, and
• review/audit trail checks – to ensure that a visible trail of evidence exists to enable the tracing
of conversion cycle output.
Where output data is transmitted from a processing origin to a user destination electronically
– for example payments to suppliers/providers – additional supplementary output controls
would normally be required.
Such additional output controls would include for example:
Period-based activity information is operational level information relating to the specific
availability of conversion cycle resources and would include for example:
The term world class manufacturer is increasingly being used in accounting and finance related
texts – but what does it mean? Put simply, a world class manufacturer can be defined as a
manufacturer that demonstrates the use of best practice and achieves a high level of competitiveness
in areas such as:
• product/service quality,
• product/service price,
• product/service delivery,
• reliability,
• manufacturing flexibility/adaptability, and
• production innovation.
Invariably, the term world class manufacturing has become synonymous with terms such as flexible
manufacturing, adaptive manufacturing and the use of computer integrated manufacturing.
Concluding comments
Over the past few years conversion cycle activities have undergone a radical transformation
– a transformation that has not only resulted in an increasing abandonment of long-held,
traditional, push-based manufacturing environments in favour of an increasingly pull-based
manufacturing environment but, perhaps more importantly, the increasing integration of
information and communication technologies into almost all aspects of the conversion cycle.
References
Booz-Allen and Hamilton (1982), New Product Management for the 1980s, Booz-Allen and Hamilton,
Inc., New York.
Kaplan, R., and Bruns, W. (1987) Accounting and Management: A Field Study Perspective, Harvard
Business School Press.
Smith, P.G., and Reinertsen, D.G. (1998) Developing Products in Half the Time, (2nd Edition), Wiley,
New York.
Womack, J.P., Jones, D.T., Roos, D. (1991) The Machine That Changed the World: The Story of Lean
Production, Harper Business, London.
Bibliography
Self-review questions
1. Briefly describe the main activities and processes that comprise the conversion cycle.
2. Distinguish between alpha testing, beta testing and gamma testing.
3. Distinguish between push-based manufacturing, and pull-based manufacturing.
4. Distinguish between continuous manufacturing, batch manufacturing and on-demand
manufacturing.
5. Explain the role of a production order.
6. Explain the main problems associated with the use of paper-based documentation in the
processing of production/manufacturing orientated transactions.
7. What are the advantages/disadvantages of using a target-based costing approach?
8. Identify the main risks associated with the conversion cycle.
Question 1
‘Excessive stocks can camouflage manufacturing problems and lead to overproduction of products.’ Discuss.
Question 2
Explain why it is important for the accountant to be involved in product development.
Question 3
Briefly explain the internal control procedures that could be used to detect and/or prevent the following:
• the theft of work-in-progress by factory employees,
• the issue of a production order for products that are already overstocked in the company’s stores,
• the theft of completed production by stores clerks,
• the incorrect recording of time worked by factory workers (100 hours was claimed instead of 10 hours),
• the theft of expensive production equipment by the factory production manager.
Question 4
If the activity cost-based approach is seen as superior to the absorption cost-based approach and the
variable cost-based approach, why is it still rarely used in practice?
Question 5
You have recently been appointed as production accountant for a small manufacturing company that
produces leather accessories and have recently been asked to explain the need for the following:
• the regular production of a master production schedule,
• the RFID tagging of materials, components and completed production,
• the use of passwords to control access to the management system responsible for generating production
orders, and
• the documentation of all spoiled production and scrapped materials and components.
Assignments
Question 1
UKP plc is a UK-based shoe manufacturer producing a range of orthopaedic shoes. The company produces
12 different styles of orthopaedic shoes, based on NHS demand. The company operates a computer-based
production planning/manufacturing system as follows.
At the end of each production cycle (a production cycle is 10 days) the production planning department
prepares a master production schedule for the next production cycle detailing the styles and quantities of
shoes to be produced during the next production cycle. The master production plan is used to prepare a
production operations list, for which a production order is generated for the production of each style of shoe.
Each production order is added to an open production order master file.
At the end of each day, the store clerk reviews the open production orders and the master production schedule
to identify the materials and components required to be issued for production purposes for the next day. All
materials are RFID tagged.
The 12 different orthopaedic shoe styles are produced at eight different production locations in the company’s
factory. Materials and components received by the factory workers at each production location are scanned
as they are used.
To operate the production equipment, factory workers use computer-based biometric fingerprint readers to both
commence and terminate the production. This information is used to monitor production levels and determine
remuneration levels. (All factory workers are paid a fixed basic wage plus a bonus based on levels of production.)
Once the shoes have been produced, each pair is RFID tagged and despatched to the company warehouse
for safe storage. Every one in 50 pairs of shoes produced is quality checked prior to despatch to the warehouse.
Required
Prepare a systems flowchart of the production system described above and describe the internal control
procedures you would expect to be included in such a production process.
Question 2
SCW Ltd is a small UK-based company that manufactures custom-made pine furniture. The company employs
12 specialist carpenters, four designers, one production scheduler, two administrators and a manager.
Because of the high reputation enjoyed by the company only one sales person is employed since the quality
of the company’s furniture attracts sufficient orders to maintain production at full capacity. When a customer
order is received, it is allocated to a designer who designs the product, manages the production process and
approves the final result. The production scheduler assigns at least two specialist carpenters to each order,
depending on factors such as complexity of the design and the requested date of delivery. Once the product
is completed, the production price is determined by accumulating all related costs and a percentage mark-up
is added to determine the sale price.
Required
(a) Prepare a list of the data elements that would be required to be able to plan, manufacture and monitor the
progress of a customer order.
(b) Explain what data elements would be required to calculate a sales price for a customer order.
(c) Prepare a systems diagram for the above production system – from the receipt of the customer order to
the completion and delivery of the finished product.
(d) Describe several reports that will be useful to the production scheduler and carpenter in performing their duties.
(e) A customer order has recently been received, the details are as follows:
• Order No: 498983
• Order details: One Cartier style dining room suite
• Customer No: Clare Barber, Ardslave, Western Isles, Scotland
• Order Date: 1 April 2007
• Delivery date: 1 October 2007
• Assigned designer: Jordon Reece-Spencer
• Assigned carpenters: Tony Barber, Louise Ritter
Briefly describe the possible internal control problems that could arise in the processing of this order.
Chapter endnotes
1. Although the terms are often used interchangeably we will adopt the following hierarchy –
manufacturing process is a component aspect of the production system, which is a component
aspect of the conversion cycle.
2. This chapter is primarily concerned with the production of tangible products.
3. Booz-Allen and Hamilton are US-based market research consultants.
4. Such recommendations would include, for example, a component specification for the new
product and a summary of additional assets/resources required to produce/manufacture the
new product including, where necessary, any possible staff training/development requirements.
5. In-market testing should not be confused with test marketing which seeks to determine the
overall marketability/financial viability of a new product.
6. Have a look at Article 8.1.
7. See www.microsoft.com/windowsvista.
8. Remember the four stages: introduction, growth, maturity and decline.
9. Further information is available @ www.patent.gov.uk.
10. This could involve for example the acquisition of additional human/non-human resources,
the relocating of existing human/non-human resources and, where necessary, the development
of training programmes for new and/or relocated personnel.
11. To minimise costs, the numbers in such batches tend to be very high.
12. Elias (Eli) Whitney (1765–1825): American inventor and manufacturer – promoted the
development of interchangeable parts in a manufacturing process.
13. Frederick Winslow Taylor (1856–1915): American engineer – promoted the use of standardised
patterns.
14. Frank Bunker Gilbreth (1868–1924): proponent of scientific management – pioneered the
use of motion studies.
15. Henry Ford (1863–1947): founder of the Ford Motor Company Inc. – promoted the use of
the modern assembly line in mass production.
16. Alfred Pritchard Sloan, Jr. (1875–1966): long-time president and chairman of General
Motors Inc. – also promoted the use of flow lines in the manufacturing process.
17. Shigeo Shingo (1909–90): Japanese industrial engineer and leading expert on manufacturing
practices and the Toyota Production System.
18. It is perhaps worth noting that acronyms such as World Class Manufacturing (WCM),
Stockless Production Systems (SPS), Continuous Flow Manufacturing (CFM) and many more
are all essentially derivatives of the Toyota Production System.
19. Norman Bodek popularised many of the Japanese quality tools, techniques and technologies
that transformed American and European industrial practices in the 1980s and the 1990s,
including the work of Shigeo Shingo and Taiichi Ohno (Toyota Production System), Yoji Akao
(Quality Function Deployment), and Hoshin Kanri and Seiichi Nakajima (Total Productive
Maintenance). Norman Bodek is currently president of PCS Press, a publishing, training and
consulting company.
20. Kaizen is a Japanese term meaning change for the better or improvement, the English
translation being continuous improvement or continual improvement.
21. The concept was originated by Shigeo Shingo as part of the Toyota Production System.
22. Such operational flexibility was often divided into three categories:
• input related flexibility – for example resource acquisition, usage and management,
• process related flexibility – for example production volume/capacity, and
• output related flexibility – for example market demand.
23. We consider outsourcing in detail in Chapter 16.
24. More paper, less trees!
25. See Chapter 7 for more details on this issue.
26. See Chapter 4 for further details on computer integrated manufacturing.
27. The absorption rates used to absorb overhead costs would normally be calculated on the
basis of expected production output and budgeted overheads. Since actual overheads and levels
of production are unlikely to equal such budgeted amounts, an under- and/or over-absorption of
overhead is likely to occur – for which a profit and loss account adjustment would be required.
28. Such activities are often referred to as cost drivers.
29. Remember, profit margin is profit expressed as a percentage of cost. Mark-up is profit
expressed as a percentage of selling price. Where the profit margin of a product/service is 25%,
expressed as a percentage of cost, the profit mark-up would be 20%.
30. Remember the life cycle of a product/service can be characterised as four stages: introduction,
growth, maturity and decline.
31. Companies/organisations prepare budgets using a range of approaches, for example:
• an incremental approach – an incremental budget can be defined as a budget that is amended
only for changes in the level of prices (inflation) and/or changes in levels of activity.
• a rolling approach – a rolling budget can be defined as a budget which once established is
constantly updated and/or amended to take into account developing circumstances, and/or
• a zero-based approach – zero-based budgeting can be defined as an approach to budgeting
which starts from the premise that everything to be included in a budget must be considered
and justified.
This is for a variety of reasons, for example to:
• assist in the planning of business-related activities,
• provide a channel of communication for such plans,
• assist in the coordination of business related activities, and
• facilitate the control and evaluation of costs and revenues associated with such business
activities.
32. Such interruptions are unplanned and occur outside the normal down time used for the
refurbishment and/or renewal of production resources.
33. For example:
• ensuring the continuing availability of power supplies by maintaining on-site generators,
and
• ensuring the continuing availability of production staff by undertaking active negotiations/
consultations with trade unions and other workforce representatives where changes to
workplace practices/rates of remuneration are proposed.
Introduction
In a broad sense, the management cycle can be defined as a collection of business-related
activities/resources and information processing procedures, relating to the efficient
and effective management of all company/organisational resources.
Put simply, the corporate management cycle is concerned with:
Finance management
Learning outcomes
Before we look at the accounting information systems aspects of each of the above it would
perhaps be useful to provide a brief explanation of each type of non-transactional financing
and then consider the internal controls relevant to each one.
Equity financing
Although different classes of shares can be issued by a company (subject of course to extant
regulatory requirements), the vast majority of shares in issue within the UK at present are
ordinary shares, whose associated rights include:
• the right to attend company meetings,
• the right to vote at company meetings,
• the right to receive dividends (see below),
• the right to receive a copy of the company’s accounts or, at least, summary financial
statement, and
• the right to transfer shares.1
Preference shares
Preference shares are irredeemable shares which provide the shareholder with:
• a preferential entitlement to receive a share of the profits of a company (a dividend) before
any payments are made to ordinary shareholders, and
• a legal right to receive a share of the company’s assets in the event of the company’s
liquidation, before any payments are made to ordinary shareholders, but only after appropriate
preferential creditor debts have been fully discharged.
In general, preference shares have a fixed dividend – that is a dividend which does not fluctuate
with the levels of company profits. In addition, some preference shares are cumulative preference
shares – that is dividends not paid in one year must be paid in a subsequent year (before any
ordinary share dividend is paid); although the vast majority are non-cumulative preference
shares – that is dividends not paid in one year are not required to be paid in subsequent years.2
In a contemporary sense, the use of preference shares has become particularly popular in
venture capital-related schemes – for example new business start-ups and management buy-outs.
Ordinary shares
Ordinary shares are also irredeemable shares which provide the shareholder with:
• an entitlement to receive a share of the profits of a company (a dividend) but only after other
demands have been met – including those of preference shareholders, and
• a legal right to receive any residual share of the company’s assets in the event of the company’s
liquidation – that is a share of the company’s assets after all creditor debts have been fully
discharged and appropriate payments to preference shareholders have been made.
In addition, unlike preference shares, ordinary shares have a fluctuating dividend – that is a
dividend which can change with the levels of company profits.
Redeemable shares
Redeemable shares are limited life ordinary shares – that is ordinary shares which an issuing
company can buy back from shareholders at some agreed future date. A company issuing redeemable
shares must of course have other irredeemable shares in issue.
Note: There is of course no maximum number to the shares a company can issue, and whilst
there is no minimum value of shares for a private limited company, a public limited company
must have an authorised (and issued)3 share capital of at least £50,000.
• the retained earnings will be represented by liquid assets within the company/organisation –
that is cash or a cash equivalent (e.g. a balance in a bank account or a short-term investment),
whereas
• the retained profits will be represented by the net movement of all assets/liabilities within the
company/organisation (which of course may or may not include cash and/or cash equivalents).
Remember, retained profits are an accounting adjustment. They are a balancing figure – a
product of the accruals basis of contemporary accounting and the duality of the accounting
equation. They are perhaps the reason why a company may show substantial levels of retained
profits within its financial statements, but may be unable to satisfy its immediate financial
commitments and as a result be forced into liquidation and possibly cease trading.
Have a look at the following example.
LMP plc is a UK retail company that has been trading successfully for a number of years. The
management of the company has, however, become increasingly concerned because there
has been a substantial reduction in the company’s liquid funds (in particular the company’s
bank balances) for the year ending 31 December 2006, even though the company has
continued to generate profits. Indeed, for the year ending 31 December 2006 the company’s bank
balance has fallen by £1,400,000 from 31 December 2005, even though the company’s profits
before tax for 2006 have increased on the previous year, and the company’s retained profits
for 2006 have increased on the previous year.
LMP plc financial statements for the years ending 31 December 2005 and 31 December 2006
are as follows:
The reduction in LMP’s liquid resources (cash and bank) could be explained as follows:4
                                   £000s     £000s
Profit before taxation (2006)                2,700
Inflow of funds
  Share capital                      600
  Debenture                        1,800
                                             2,400
Outflow of funds
  Fixed assets                              (3,000)
                                             2,100
Changes in working capital
  Increase in stock                1,000
  Increase in debtors              1,900
  Increase in creditors           (1,000)
  Payment of 2005 taxation         1,000
  Payment of 2005 dividend           600
                                             3,500
Decrease in bank                            (1,400)
                                             2,100
Clearly, the company is generating profits, but much of the company’s revenue from sales
appears to be increasingly debtor-based. In addition, the company appears to be investing
heavily in fixed assets with a substantial part of the investment being funded from revenue
receipts.
Debt financing can be defined as the borrowing from another person or persons (including
another company/organisation) of purchasing power from the future and represents (in most
circumstances) an obligation to repay a sum of capital, plus an agreed amount of interest.5
Such debt can be categorised as either:
• secured debt, or
• non-secured debt.
Secured debt
Secured debt can be defined as debt (usually long-term) in which a lender (creditor) is granted
a specific legal right over a borrower’s property/assets.6 The purpose of securing debt is to allow
a lender (creditor) to be able to seize, or more appropriately, sequester7 property/assets from a
borrower in the event that the borrower fails to properly satisfy the repayment requirements of
the debt, and/or adequately adhere to specific conditions imposed by the debt instrument.8
Such secured debt is referred to as a debenture,9 and any conditions attached to the borrowing
would normally be identified in a debenture trust deed.10
There are many types of debenture, the most common being:
Non-secured debt
Unsecured debt can be defined as debt – usually short- to medium-term – that is not
collateralised or not secured against any property/assets of the borrower. Such debt would include, for
example, borrowing using:
Overdraft
An overdraft is borrowing which is repayable on demand. The maximum overdraft allowed for
a company/organisation on its current account(s) would normally be negotiated and agreed
with the bank prior to the facility being made available. Charges would normally include a fixed
initial setting-up charge together with interest calculated on a daily basis on the amount of the
overdraft.
The vast majority of companies/organisations will, at some time, finance some of their
activities with a short-term overdraft. Why? Because overdrafts are relatively cheap, very flexible and
simple to arrange – although they can be somewhat risky inasmuch as overdrafts are, subject to
legal conditions/obligations, essentially repayable on demand.
Short-term loans
Short-term loans are essentially loans obtained from a bank or other financial institution which
are repayable within a year. However such loans can, and indeed often do, last much longer –
sometimes well in excess of a year. Borrowers will often renegotiate short-term loans at the end
of the loan period and, if agreed with the lender, simply extend the loan for another three, six
or nine months depending on the initial short-term loan agreement.
Bonds
A bond can be defined as a negotiable debt instrument, normally offering a fixed rate of interest
(coupon) over a fixed period of time, with an agreed redemption value (par). A debenture is
therefore a specific type of bond!
As a negotiable debt instrument, there are three categories of bonds:
• a domestic bond,
• a foreign bond, and
• a eurobond.
A domestic bond is a bond issued in the country in which the borrower is domiciled. It is a
negotiable debt instrument denominated in the home country currency and essentially available
for domestic distribution only.
A foreign bond is a bond issued in a country other than that in which the borrower is
domiciled. It is a negotiable debt instrument denominated in the local currency of the issuer,
but available for international distribution.
A eurobond is a bond issued outside the country of its currency (see the section below). Such
bonds are not only issued by borrowers domiciled in almost any country, they can also be
acquired by investors domiciled in almost any country.
In addition, there are within each of the above categories, many possible types of bond, the
main ones being:
Convertible securities
Such convertible securities will generally have a lower coupon rate than corresponding non-
convertible securities.
Derivative instruments
Derivatives can be defined as financial instruments that derive their value from the value of
another financial instrument, underlying asset, commodity index or interest rate. The most
common types of derivative are:
• futures,
• forwards,
• options, and
• swaps.
Futures
Futures are exchange-traded contracts18 that are now traded on various currencies, various
interest-bearing securities and various equity or stock indexes.
Futures are essentially binding obligations under which a person, a company or an
organisation buys and/or sells a specified asset at a specified exercise price on the contract maturity date.
The specified asset is not literally bought and sold but the market price of that contract at maturity
compared to the contract price will determine whether the holder of the future will make a
profit or a loss.
Unlike a forward (see later) which can possess a high degree of credit risk, futures are
generally marked to market at the end of each trading day with the resulting profit or loss settled
on that day. Where futures are not marked to market at the end of the trading day, exchanges
will often seek to ensure that all participants are able to meet any claims arising from this
continuous settlement process by requiring participants to undertake a performance bond as
security for their obligations. Such a performance bond is known as the margin.
Forwards
Forwards can be defined as agreements to buy or sell a given quantity of a particular asset
(usually currency), at a specified future date at a pre-agreed price.
Forwards are ‘over-the-counter’ or OTC instruments that are traded not on organised exchanges
but by dealers (typically banks) trading directly with one another and/or with other parties.
The use of forwards in terms of foreign exchange is generally restricted to large
companies, governments and other major institutions who have access to extensive financial credit.
Individuals, partnerships and small businesses/private companies will generally not participate
in the forward market because of the costs involved in securing and maintaining the necessary
credit.
Swaps
There are essentially three types of swaps:
• currency swaps,
• interest rate swaps, and
• equity swaps.
Although an amount of principal is required in order to compute the actual cash amounts
that will be periodically exchanged, such an amount is notional inasmuch as there is no
requirement to exchange actual amounts of principal in a single currency transaction.
The commonest form of interest rate swap is a fixed/floating interest rate swap, under which
a series of payments calculated by applying a fixed rate of interest to a notional principal
amount is exchanged for a stream of payments similarly calculated but using a floating rate of
interest. An alternative form of an interest rate swap is the money market swap, under which
both series of cash flows are calculated using floating rates of interest based upon different
underlying indices, for example LIBOR (London Interbank Offered Rate) and a commercial
paper rate, or a Treasury bill rate and LIBOR.
Commercial and investment banks, non-financial companies, insurance companies,
investment trusts and government agencies use interest rate swaps for several reasons including for
example:
Currency swaps
Currency swaps can be defined as a combination of a spot foreign exchange transaction and a
simultaneous forward foreign exchange contract reversing the initial spot transaction. However,
used in its more general meaning, currency swaps are a combination of:
• a spot foreign exchange transaction in which one currency is bought and sold for another
currency,
• a forward foreign exchange transaction in which, on a pre-determined future date, the initial
spot transaction is reversed, and
• an exchange of payments calculated by reference to prevailing interest rates applicable to
the swapped currencies. The payments exchanged may be floating rate payments in both
currencies, fixed rate payments in both currencies or fixed rate payments in one currency
and floating rate payments in another currency.
Transactions for which a company/organisation may use currency swaps would probably include
the following:
Equity swaps
Equity swaps can be defined as an exchange in which one party exchanges a payment equal to
the return on a specified equity index, a sub-index, a specified group or ‘basket’ of equities or
even an individual share, for a series of payments based on a short-term interest index, such
as LIBOR.
As with an interest rate swap, payments are calculated by reference to a notional principal
amount that is not exchanged. In principle, the exchange mechanism covers both increases and
decreases in the index, and transactions can be denominated in either the same currency or in
different ones.
A company/organisation could use an equity swap for a number of reasons which would
include for example:
Options
Options are perhaps the most difficult derivative financial instrument to discuss, because whilst
they are essentially simple in concept, they can nevertheless be very complex.
The basic concept underlying an option is well known – quite simply it means choice.
Any option agreement is a contract which gives the holder the right but not the obligation to
buy (a call option)19 or sell (a put option)20 a specified underlying asset at a pre-agreed price21
(the strike price) at:
The holder of the option pays a premium to the writer of the option at the time the option
contract is entered into, reflecting its value at that time. If the strike price of the option was such
that if it were exercised today it would produce a profit for the holder, the option is said to be
‘in the money’. If the reverse is true, the option is said to be ‘out of the money’. And, if the strike
price of the option is such that if it were exercised today it would produce neither a profit nor
a loss for the holder, the option is said to be ‘at the money’. Consequently, the more an option
contract is in the money when it is entered into, the higher the premium that will be paid, or
put another way, the more an option contract is out of the money when it is entered into, the
lower the premium that will be paid.
Such a premium would however also be influenced by:
• the length of time the option has to run to its maturity, since the longer the period the greater
the possibility that a favourable price change could take place in the underlying asset
making the option profitable for the holder, and
• the likelihood, based on historical experience, that the price of the underlying asset will be
subject to frequent and volatile price variation.
As with other derivative financial instruments, traded options can be based on stock market
equities, market indices, interest rates,22 bonds and currencies.
Transferable warrants
A warrant23 can be defined as a security that entitles the holder to buy or sell a certain additional
quantity of an underlying security, at an agreed price, within an agreed period of time.24 The
right to buy an underlying security is referred to as a call warrant, whereas the right to sell an
underlying security is known as a put warrant. There are of course many alternative types of
transferable warrants, the most common ones being:
• a traditional warrant – which is a warrant issued in conjunction with a bond (usually known
as a warrant-linked bond), and represents the right to acquire shares in the company issuing
the bond, and
• a naked warrant – which is a warrant issued without an accompanying bond.
Equity
It is important to ensure that all share issues (whether by public offer, by placement, by
introduction or indeed by rights issue) are appropriately approved/authorised and comply with all
extant regulatory requirements.25 In addition, the company must:
• ensure an up-to-date record of all existing shareholders – a company share register – is
maintained,
• ensure all transfers of shares are appropriately documented, registered and certified,
• ensure the accurate preparation and payment of dividends to shareholders, and
• ensure the appropriate production of shareholder reports for Companies House.
All these tasks would normally be the responsibility of the company share registrar.26
For internal control purposes, it is important to ensure that adequate segregation of procedures/
separation of duties exists between all authorities and responsibilities relating to:
• the recording and processing of share issues and/or transfers,
• the custody and control of share certificates,
• the processing, registration and certification of share transfers, and
• the accounting for, and payment of, shareholder dividends.
Again, for internal control purposes, it is important to ensure that adequate segregation of
procedures/separation of duties exists between all authorities and responsibilities relating to:
• the recording and processing of debenture issues, transfers, redemptions and/or conversions,
• the custody and control of debenture certificates,
• the processing, registration and certification of debenture transfers,
• the accounting for all debenture redemptions, and
• the accounting for, and payment of, debenture holder interest.
Non-secured debts
It is important to ensure an up-to-date record of all outstanding short-term loans, bond issues
(usually a bond register) and overdrafts is maintained, and that all non-secured borrowing is
appropriately approved and authorised. The company must:
• ensure all redemptions of short-term loans and/or bonds are appropriately documented,
registered and certified,
• ensure the accurate preparation and payment of interest, and
• ensure compliance with any imposed financial requirement – in particular ensure that
any agreed borrowing limit (e.g. on an overdraft facility) is not exceeded without prior
agreement.
For internal control purposes, it is important to ensure that adequate segregation of procedures/
separation of duties exists between all authorities and responsibilities relating to:
• the recording and processing of bond issues, transfers and/or redemptions,
• the borrowing of short-term funds,
• the custody and control of bond certificates,
• the processing, registration and certification of bond transfers,
• the accounting for the redemption of bonds/prepayment of loans/overdrafts, and
• the accounting for, and payment of, bond interest, loan interest and overdraft charges/interest.
Derivative instruments
Where derivatives are regularly used to manage a company’s/organisation’s risk exposure then
as part of its risk policy27 the company/organisation must not only ensure that an up-to-date
record of all commitments relating to futures, forwards, options and swaps is maintained but,
more importantly:
• ensure the regular valuation and audit of all derivative transactions,
• ensure the regular monitoring of all derivative transactions to confirm compliance with extant
policies, procedures and regulations, and
• ensure the regular monitoring of all derivative dealers’ positions.
For internal control purposes, it is important to ensure that adequate segregation of procedures/
separation of duties exists between all authorities and responsibilities relating to:
• the determination of exposure requirements,
• the acquisition and disposal of derivatives, and
• the recording of, and accounting for, derivatives transactions.
Transferable warrants
It is important to ensure that all warrant issues are appropriately approved/authorised and,
where necessary, comply with all extant regulatory requirements, and an up-to-date record
of warrants issued by the company is maintained – this is especially the case for traditional
warrants. For internal control purposes, it is important to ensure that adequate segregation of
procedures/separation of duties exists between all authorities and responsibilities relating to
the authorisation, issue and recording of warrant issues.
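The separation-of-duties requirements listed above can be tested against who actually holds, and who actually performs, each duty. The following Python check is an added example, not taken from the book: it covers the equity, derivatives and warrant duty lists (debentures and non-secured debt would be added to the table in the same way), and the duty keys, staff names, log field names and sample data are all constructed for illustration.

```python
from collections import defaultdict

# Duty groups from the lists in the text; the short keys are labels made up here.
DUTY_GROUPS = {
    "equity": {
        "share_recording": "recording and processing of share issues and/or transfers",
        "share_custody": "custody and control of share certificates",
        "share_registration": "processing, registration and certification of share transfers",
        "dividend_accounting": "accounting for, and payment of, shareholder dividends",
    },
    "derivatives": {
        "exposure": "determination of exposure requirements",
        "dealing": "acquisition and disposal of derivatives",
        "deriv_recording": "recording of, and accounting for, derivatives transactions",
    },
    "warrants": {
        "warrant_authorisation": "authorisation of warrant issues",
        "warrant_issue": "issue of warrants",
        "warrant_recording": "recording of warrant issues",
    },
}

# Constructed duty assignments (fictional staff).
ASSIGNMENTS = {
    "asha": {"share_recording", "exposure"},           # different groups: acceptable
    "ben": {"share_custody", "share_registration"},    # two equity duties
    "carol": {"dealing", "deriv_recording"},           # deals and records
    "dev": {"dividend_accounting", "warrant_authorisation"},
    "eve": {"warrant_issue"},
}

# Constructed log of derivative transactions; the field names are hypothetical.
DERIVATIVE_LOG = [
    {"id": "D-001", "exposure_by": "asha", "dealt_by": "carol", "recorded_by": "frank"},
    {"id": "D-002", "exposure_by": "asha", "dealt_by": "carol", "recorded_by": "carol"},
    {"id": "D-003", "exposure_by": "gina", "dealt_by": "gina", "recorded_by": "gina"},
]


def duty_conflicts(assignments):
    """Return (person, group, duties) for anyone holding 2+ duties in one group."""
    conflicts = []
    for person, duties in sorted(assignments.items()):
        for group, members in DUTY_GROUPS.items():
            held = sorted(set(duties) & set(members))
            if len(held) > 1:
                conflicts.append((person, group, held))
    return conflicts


def unassigned_duties(assignments):
    """Return duties nobody holds: a control that exists only on paper."""
    held = set().union(*assignments.values())
    return sorted(d for members in DUTY_GROUPS.values() for d in members if d not in held)


def transaction_conflicts(log, roles=("exposure_by", "dealt_by", "recorded_by")):
    """Flag logged transactions where one person acted in more than one role."""
    flagged = []
    for entry in log:
        acted = defaultdict(list)
        for role in roles:
            acted[entry[role]].append(role)
        for person, person_roles in acted.items():
            if len(person_roles) > 1:
                flagged.append((entry["id"], person, person_roles))
    return flagged


if __name__ == "__main__":
    for person, group, held in duty_conflicts(ASSIGNMENTS):
        print(f"{person} holds conflicting {group} duties: {', '.join(held)}")
    print("unassigned:", unassigned_duties(ASSIGNMENTS))
    for txn, person, person_roles in transaction_conflicts(DERIVATIVE_LOG):
        print(f"{txn}: {person} acted as {', '.join(person_roles)}")
```

The role matrix shows what was intended; the transaction log shows what happened, which is why D-003 is flagged even though "gina" appears in no assignment.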
Fund management
Fund management is concerned with the management of all forms of transactional financing,
that is financing that is directly related to or associated with:
• the revenue cycle activities of the company/organisation (inflows of funds), and
• the expenditure cycle activities of the company/organisation (outflows of funds).
Such transactional finance is, put simply, the life blood of a company/organisation and can, in
a broad sense, be categorised as either:
• cash-based transactional finance, or
• cash equivalent transactional finance.
unlikely that cash-based revenue transactions will disappear from the economic landscape totally,
recent survey trends would appear to suggest that within the next 10 to 15 years – certainly within
the UK retail sector – it is likely that as little as 3% of all non-debtor-based revenue transactions
will be cash-based.
it would of course be extremely unwise for any company/organisation to use cash as its major
medium of exchange to discharge outstanding debts/commitments relating to expenditure
cycle-related transactions, including payroll. This is for two reasons. Firstly, the costs associated
with managing large volumes of cash within the company/organisation and, secondly, the high
level of risk associated with possessing and securing large volumes of cash within the company/
organisation. (We will look at the petty cash issue later in this chapter.)
For revenue cycle transactions, with the exception of a few small companies/organisations, the
vast majority of consumer-based companies/organisations allow the use of:
• transferable payment documents (e.g. payment by cheque and/or postal order),29 and/or
• e-money-based payments (debit/credit card payments),
Before we look at fund management in a little more detail, it would perhaps be useful to
consider briefly the operational context of transactional finance.
Put simply, the distinction between cash-based transactional finance and non-cash-based
transactional finance is not the same as the distinction between debtor-based sales and non-
debtor-based sales (introduced in our discussions in Chapter 9), or indeed creditor-based
purchases and non-creditor-based purchases (introduced in our discussions in Chapter 10).
Why not? Because, the debtor/non-debtor distinction (for revenue cycle transactions) and
the creditor/non-creditor distinction (for expenditure cycle transactions) refers to the entry
context/classification of a transaction, whereas the cash-based/non-cash-based transactional
finance distinction refers to the exit context/classification of a transaction. See Figure 11.2.
Consider the following example.
SJK Ltd is a UK-based retail company. The company made the following sales during December:
                             £
Debtor-based sales       6,595
Non-debtor-based sales   4,700
All debtor-based sales were fully discharged (paid in full) during December.
• the cash-based transactional finance received during December was £2,625 (that is
£1,275 + £1,350), and
• the non-cash-based transactional finance received during December was £8,670 (that is
£5,320 + £2,460 + £890).
• to ensure the proper management of all fund-related balances (e.g. cash balances, bank
balances),
• to ensure the adequate maintenance of all fund-related accounting records – including the
periodic reconciliation of all fund balances, and
• to ensure the accurate supervision of all receipts and disbursements (including small cash
receipts and disbursements).
In an organisational context, fund management can be divided into three levels, these being:
Before we look at each of these in a little more detail, it is worth noting that in a Keynesian
context:
Operational fund management is often associated with Keynes’s so-called ‘transaction motive’.
Whilst there are many alternative cash management models available, two of the most
popular are:
• the Baumol (1952) cash management model, and
• the Miller–Orr (1966) cash management model.
c = √(2kt/i)
The Baumol cash management model assumes:
• the company/organisation is able to forecast its cash requirements with certainty,
• the company/organisation will receive a specific amount at regular intervals,
• the company’s/organisation’s cash payments will occur uniformly,
• the opportunity cost33 of holding cash is known with certainty,
• the opportunity cost of holding cash does not change over time, and
• the company will incur the same transaction cost34 whenever it converts securities to cash.
As a consequence, the Baumol cash management model may only be relevant if the pattern
of a company’s/organisation’s cash flows/transfers are uniform (same size), fairly consistent
(occur on a regular basis) and are predictable (known with a degree of certainty).
Consider the following example.
KLY plc is a UK-based retailer. The company regularly invests surplus funds in seven-day
notice short-term deposits on the UK money market. Currently such short-term deposits pay
an interest of 5% per annum. Also currently KLY plc has cash payments for each month
totalling £1,250,000 per month or £15,000,000 pa.
c = √(2kt/i)
c = √(2 × 15.40 × 15,000,000/0.05)
= £96,125
That is the most economic amount of cash that KLY plc should transfer to its bank account
is £96,125 or, in an operational context, KLY plc should transfer cash three times a week
(£15,000,000/£96,125).
Put simply, when a company’s/organisation’s cash flow reaches the upper limit, the company/
organisation buys sufficient marketable securities to reduce cash to a normal level of cash balance,
known as the return point. When a company’s/organisation’s cash flow reaches the lower limit,
the company/organisation sells sufficient marketable securities to increase cash back to the
normal level.35 If:
then the Miller–Orr model sets the range between the upper limit and the lower limit as:
r = 3[(0.75 × k × v/s)^(1/3)]
rp = (l + r/3).
The finance director of the company has estimated that the minimum cash balance required
by the company is £80,000.
r = 3[(0.75 × k × v/s)^(1/3)]
r = 3[(0.75 × 15.40 × 16,000,000/0.000123)^(1/3)]
= 3 × 11,453
= £34,359
Therefore the upper limit would be £80,000 + £34,359 = £114,359 and the return point (rp)
would be:
rp = (l + r/3)
rp = £80,000 + £34,359/3
= £91,453
Comparison of models
So which model should a company/organisation adopt? Whilst the Baumol model is a simple
and easy to implement cash management model, the Miller–Orr cash management model is
perhaps more realistic inasmuch as it allows variations in cash balance within the upper limit
and lower limit, and allows the lower limit to be set according to the company’s/organisation’s
liquidity requirement.
If the Miller–Orr model is adopted, it is of course important that the lower limit cash
requirement is regularly reviewed to ensure that it accurately reflects the timing and flow of
funds into and out of the company/organisation.
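To compare the two models on the figures used above, the following Python code (an added example, not part of the book) recomputes the KLY plc Baumol transfer and the Miller–Orr limits, then applies the Miller–Orr buy/sell rule to a run of daily net cash flows. The definitions of k, t, i, v and s are not given in the text as it stands, so the code assumes the usual readings (cost per transfer, cash payments for the period, interest rate, variance of daily cash flows, daily interest rate); the daily flows are constructed.

```python
from math import sqrt


def baumol_transfer(k, t, i):
    """Most economic cash transfer: c = sqrt(2kt / i).

    Assumed readings: k = cost of one securities-to-cash transfer,
    t = total cash payments for the period, i = interest rate for that period.
    """
    if k <= 0 or t <= 0 or i <= 0:
        raise ValueError("k, t and i must be positive")
    return sqrt(2 * k * t / i)


def miller_orr_limits(k, v, s, lower):
    """Range r = 3 * (0.75 * k * v / s) ** (1/3); upper = l + r; rp = l + r/3.

    Assumed readings: k = cost per transfer, v = variance of daily cash
    flows, s = daily interest rate, lower = minimum cash balance l.
    """
    if k <= 0 or v <= 0 or s <= 0:
        raise ValueError("k, v and s must be positive")
    spread = 3 * (0.75 * k * v / s) ** (1 / 3)
    return {
        "lower": lower,
        "range": spread,
        "upper": lower + spread,
        "return_point": lower + spread / 3,
    }


def apply_miller_orr(opening, daily_net_flows, limits):
    """Walk daily net cash flows and record each transfer the limits trigger."""
    balance = opening
    actions = []
    for day, flow in enumerate(daily_net_flows, start=1):
        balance += flow
        if balance >= limits["upper"]:
            # Surplus cash: buy securities to fall back to the return point.
            actions.append((day, "buy securities", round(balance - limits["return_point"])))
            balance = limits["return_point"]
        elif balance <= limits["lower"]:
            # Cash too low: sell securities to climb back to the return point.
            actions.append((day, "sell securities", round(limits["return_point"] - balance)))
            balance = limits["return_point"]
    return actions, balance


# Figures from the two worked examples in the text.
KLY_TRANSFER = baumol_transfer(k=15.40, t=15_000_000, i=0.05)
# The text rounds the cube root to 11,453 before multiplying by 3, so its
# £34,359 range is about £1 below the unrounded figure computed here.
LIMITS = miller_orr_limits(k=15.40, v=16_000_000, s=0.000123, lower=80_000)

# Constructed daily net cash flows (inflows positive), starting at the return point.
SAMPLE_FLOWS = [10_000, 15_000, -5_000, -8_000, 2_000]

if __name__ == "__main__":
    print(f"Baumol transfer: £{KLY_TRANSFER:,.0f}, "
          f"{15_000_000 / KLY_TRANSFER / 52:.1f} transfers a week")
    print({name: round(value) for name, value in LIMITS.items()})
    actions, closing = apply_miller_orr(LIMITS["return_point"], SAMPLE_FLOWS, LIMITS)
    for day, action, amount in actions:
        print(f"day {day}: {action} £{amount:,}")
    print(f"closing balance £{closing:,.0f}")
```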
Such lending and/or borrowing – undertaken using the UK Money Market – could be for
example:
• overnight – lending/borrowing repayable the next day,
• two-day notice – lending/borrowing repayable on demand with a notice period of two days,
• seven-day notice – lending/borrowing repayable on demand with a notice period of seven days,
• one month period – fixed period lending/borrowing repayable in one month,
• three month period – fixed period lending/borrowing repayable in three months,
• six month period – fixed period lending/borrowing repayable in six months, or
• nine month period – fixed period lending/borrowing repayable in nine months.
Interest rates are usually fixed for the period, although negotiable interest terms (e.g. rollover
interest terms using LIBOR) are available for fixed period lending/borrowing – at a premium.
Note: All lending/borrowing for notice periods, and/or fixed periods of less than one year,
are colloquially known as temporary money, even though it is possible for two-day notice
money and seven-day notice money to remain for periods in excess of one year.
Because of the possible value of funds that could be involved in such transactions (currently the
minimum lending/borrowing amount is £250,000) it is important not only to ensure adequate
written policies and procedures exist for all temporary lending/borrowing, and that senior
finance manager/director approval is obtained before any such lending/borrowing is
undertaken, but more importantly to ensure that an adequate segregation of procedures/separation
of duties exists between all duties and responsibilities related to and associated with the lending
and borrowing of temporary funds.
By far the largest volume of receipts would of course be related to revenue cycle-related
transactions.
In addition, periodic and regular internal audits of all receipting activities should be undertaken
to ensure the adequacy, relevancy, appropriateness and cost efficiency of all internal control
procedures.
By far the largest volume of disbursements would of course be related to expenditure cycle-related
transactions.
To satisfy such internal control requirements, it would be necessary to establish formal procedures/
protocols for the processing and authorising of all receipting activities. In particular, it is
important to:
• ensure supervisory approval for all cash/cash equivalent disbursements,
• ensure the existence of adequate processing internal controls, in particular an appropriate
segregation of procedures/separation of duties between authorisation management and
recording/accounting activities,
• ensure the daily reconciliation of all cash/cash equivalent transactions,
• ensure all expenditure cycle-related transactions – without exception – are paid using the
BACS payment systems,
• ensure all cancelled transactions are properly authorised,
• ensure the daily reconciliation of all cash/cash equivalent transactions,
• ensure all accounting records are updated regularly,
• ensure no payments are made from undeposited cash – that is no teeming and lading,
• ensure an authorised internal listing of all cash disbursement is produced (e.g. petty cash
disbursements), and
• ensure the secure storage and movement of cash and regular banking of cash receipts.
In addition, periodic and regular internal audits of all disbursement activities should be
undertaken to ensure the adequacy, relevancy, appropriateness and cost efficiency of all internal
control procedures.
and managing a petty cash facility are greater than the benefits accrued from such a facility, then
such a facility will not be provided.
Although not universally the case, most companies/organisations that use/provide petty cash
facilities tend to use a petty cash imprest system to monitor and control such expenditure. A
petty cash imprest system is one in which a predetermined fixed amount is allowed, with the
replenishment of petty cash based on authorised/approved expenditure incurred: that is at any
time, the total of the cash together with any receipts will always equal the total amount allowed.
In some companies/organisations the replenishment of petty cash is made by the finance department
on a regular basis – say every two or four weeks. In others, it is undertaken by the finance
office as and when requested by the spending department.
Clearly, the level of petty cash would of course differ from company to company or organisation
to organisation. Indeed, it may well differ from department to department within the same
company/organisation. However, as a general rule the amount of petty cash should be as low as
is practically possible – based of course on the average amount of petty cash required over a
reimbursement period. In practice, a departmental petty cash float of £100 is not uncommon.
Article 11.1
Assets management
Some intellectual property rights for Rover models were sold to SAIC in a £67 million deal last
year, but the Chinese company does not hold the rights to produce the cars in Asia.
German car maker BMW AG has the rights to the Rover name, retaining them when it sold the
company to Phoenix Venture Holdings for a token £10 in 2000. BMW gave MG Rover permission to
use the name indefinitely for free under a licensing agreement and said it would consider letting
another company use the name. BMW sold the rights to the MG name to Phoenix in the same deal.
The directors of Phoenix have been criticized for paying themselves significant salaries and
pensions as the company was falling into the red. The so-called ‘Phoenix Four’ offered assets of
up to £30 million to assist Rover as it tried to resuscitate talks with SAIC in April, but
acknowledged that the assets on offer were subject to attack from creditors.
Source: 23 July 2005, www.chinadaily.com.cn/english/doc/2005-07/23/content_462703.htm.
Article 11.2
In a broad operational sense, fixed assets are essentially a foundation resource on which all
other company/organisation operations depend. Indeed, inasmuch as such assets are acquired
for retention and use within the company/organisation, and not for resale, they can – depending
on the company/organisation context type – provide:
• a physical business framework – for example, land, office buildings and factory premises,
• the apparatus of production – for example, plant, machinery and related production equipment,
• an administrative infrastructure – for example, fixtures, fittings and other
administrative-related equipment,
• a means of transportation and distribution – for example, motor vehicles,
• a legal right to produce and sell goods and/or provide services – for example, a trademark,
copyright or patent, and/or
• a means of ownership (of another commercial entity) – for example, an investment in another
company/organisation.
However, because the acquisition (and disposal) of such fixed assets can not only have a
significant effect on the flow of funds within a company/organisation but, more crucially, exert
considerable influence on a company’s/organisation’s ability to generate cash flows and profits,
it is important – in a practical context, to:
• establish suitable company/organisation policies and procedures, and
• adopt appropriate company/organisation-wide internal controls,
to ensure that the acquisition, retention and disposal of fixed assets is managed in an efficient
and effective manner.
Fixed assets management is concerned with maintaining a level of fixed assets within the
company/organisation appropriate for and commensurate with its operational activities. The
objectives are to:
• ensure all fixed asset acquisitions and disposals are properly planned, suitably evaluated,
appropriately approved (with supporting documentation) and accurately recorded,
• ensure all fixed asset transactions (including the allocation of depreciation expenses) are
properly recorded, monitored and controlled,
• ensure all fixed assets records (usually contained within a fixed assets register) are securely
maintained and regularly updated,
• ensure all acquired fixed assets are securely maintained and periodically reconciled to fixed
assets records, and
• ensure all appropriate property titles/custody rights to both tangible and intangible fixed
assets are securely stored.
For the remainder of our discussion on fixed assets management, we will assume an allocation
of duties/responsibilities between the following:
• the facilities services director/manager44 (and department),
• the ICT45 director/manager (and department),
• the finance director/manager (and department),
• departmental/location personnel, and
• the internal audit department.
More specifically, the facilities services director/manager would be responsible for:
• the acquisition of non-ICT-related fixed assets,
• the regular inspection and maintenance of non-ICT-related fixed assets,
• the disposal of all redundant non-ICT-related fixed assets,
• the issue of all non-ICT-related fixed assets to company approved locations,
• the issue of guidance on the use of all non-ICT-related fixed assets, and
• the maintenance of a non-ICT fixed assets register.
The ICT director/manager would normally be responsible for:
• the acquisition of ICT-related fixed assets,
• the regular inspection and maintenance of ICT-related fixed assets,
• the disposal of all redundant ICT-related fixed assets,
• the issue of all ICT-related fixed assets to company approved locations,
• the regular checking of the company’s/organisation’s ICT fixed assets portfolio,
• the issue of guidance and the provision of training on the use of ICT-related fixed assets, and
• the maintenance of an ICT-related fixed assets register.
Both the facilities services director/manager and the ICT director/manager would also be
responsible for:
• providing estimates of the useful economic life of fixed assets under their control,
• providing information on the impairment of, damage to, and/or the obsolescence of fixed
assets for which they are responsible, and
• obtaining, where necessary, appropriate authorisation for the write off, disposal and sale of
fixed assets for which they are responsible.
The finance director/manager would be responsible for:
• the determination of suitable fixed asset accounting policies,
• the (re)valuation of all fixed assets,
• the maintenance of fixed asset-related financial accounting records,
• the preparation of fixed assets-related financial accounting statements, and
• the authorising of fixed asset write off/disposals and, where appropriate, the determination
of the method of sale.
As a general rule departmental personnel would be responsible for:
• ensuring all fixed assets are used in accordance with company/organisation policy/guidance,
• ensuring all fixed assets are not used without appropriate authorisation and, where necessary,
appropriate training,
• ensuring all fixed assets are safeguarded from theft, loss and damage, and
• ensuring any theft, damage and/or loss is reported immediately.
Although the above stages would apply to the acquisition of all types of fixed assets, for obvious
reasons it is likely that some procedural differences would exist between the acquisition of
tangible fixed assets, the acquisition of intangible fixed assets and the acquisition of long-term
investments.
For the following discussion we will restrict our discussion to the acquisition of tangible
fixed assets only.
Identification stage
The identification stage is, perhaps unsurprisingly, concerned with identifying fixed assets
requirements within the company/organisation and ensuring appropriate approval is undertaken
prior to the acquisition.
So, why would a company/organisation require new and/or additional fixed assets? For a
number of reasons, for example:
• to expand and/or diversify company/organisation business activities,
• to reorganise and/or rationalise company/organisation business activities,
• to improve and/or reorganise the company’s/organisation’s portfolio of fixed assets, and/or
• to replace existing company/organisation fixed assets impaired or damaged by unexpected
events/unpredicted occurrences.
In general, the acquisition of fixed assets can be categorised as either:
• a programmed/replacement cycle acquisition – that is the acquisition of a fixed asset or group
of fixed assets as part of an agreed general fixed assets renewal/replacement programme – as
determined by the company/organisation strategic plan, or
• a non-programmed/non-replacement cycle acquisition – that is the acquisition of a fixed
asset or group of fixed assets as a result of damage caused to existing fixed asset(s) by an
unpredicted event and/or an unexpected occurrence.
Where an acquisition is a programmed acquisition, authorisation would of course be routine –
providing the acquisition request is consistent with the company’s/organisation’s strategic plan.
However, where an acquisition is a non-programmed acquisition, special approval would need
to be obtained. This is because any such non-programmed acquisitions could have a substantial
impact on:
• the capital needs and requirements of a company/organisation – especially where significant
capital rationing46 issues exist within the company/organisation, and
Once approval for the acquisition of the fixed asset is confirmed, the facilities director/manager
or the ICT director/manager would be informed accordingly.
Note: A review of a number of evaluation techniques used to evaluate/review:
Authorisation stage
Once approval for the acquisition of the fixed assets has been obtained, it would be necessary
to identify an appropriate supplier. This would probably mean inviting suppliers to provide a
tender for the supply of the fixed assets.
An open tender is a single stage tendering/bidding process in which all interested suppliers
are invited to submit a tender, usually in response to a company sponsored advertisement.
The advertisement would usually provide:
• details of where, and how interested suppliers can obtain authorised tender documents,47
• details of the tendering process, and
• the last date by which interested suppliers must submit their tenders.
All suppliers submitting an expression of interest are then evaluated by the company and a
short-list of appropriate suppliers invited to submit a tender. Such restricted tendering is often
used where a large number of suppliers are expected to bid.
Acquisition stage
This acquisition stage would of course be part of the company/organisation expenditure cycle,
inasmuch as once an approved supplier had been identified, an authorised company/organisation
purchase order would be issued and despatched. In some circumstances, for example where:
• the acquisition is of a substantial nature, and/or
• the acquisition may occur over a substantial period of time,
the supplier may require a formal legally binding contract of supply to be signed under seal
before the supply of any fixed assets commences.
On the satisfactory receipt of purchased fixed assets a receiving report would be issued.
Where fixed assets are supplied to geographically dispersed company/organisation locations such
a receiving report would of course only be issued when appropriate evidence of satisfactory
delivery has been received.
Once delivery has been completed and an invoice has been received, the payment would be
processed. Again, where the supply is for a substantial volume of fixed assets over a substantial
period of time, it is common for interim payments to be made to the supplier either on achievement
of agreed performance targets or at agreed dates over the life of the supply agreement/
contract. On satisfactory completion, where appropriate, any legal titles/deeds of ownership
(e.g. freehold property titles/vehicle ownership documents) for the fixed assets acquired by
the company/organisation would be transferred from the supplier to the purchasing company/
organisation.
On receipt of the invoice, the transaction would be recorded in the general ledger as follows:
• Dr fixed assets account,
• Cr creditor control account.
On payment of the invoice, the transaction would be recorded in the general ledger as follows:
Appropriate creditor memorandum entries for receipt and payment of the invoice would also
be made in the individual creditor’s account in the purchases ledger.
Once the transaction has been completed – that is on the transfer of property ownership and
asset possession, it would be necessary to enter the acquired fixed assets onto the company’s/
organisation’s assets register.
Whilst the precise nature and format of the information to be stored in the fixed assets register
would differ from company to company or organisation to organisation, influenced by:
• the internal reporting requirements of the company/organisation and, perhaps more importantly,
• the external regulatory requirements/disclosure requirements imposed on the company/
organisation by external companies/agencies (e.g. regulatory authorities, insurance companies,
banks and taxation authorities),
such information would, in general, include details on:
• the nature, types and classes of each fixed asset maintained within the company/organisation,
• the acquisition profile of each fixed asset maintained within the company/organisation,48
• the value of each fixed asset49 maintained within the company/organisation,
• the ownership of individual fixed assets maintained within the company/organisation,50
• the geographical location of individual fixed assets,
• the office/department/section responsible for the day-to-day use and management of individual
fixed assets,
• the fixed asset identifier,51 and
• the maintenance requirements/replacement requirements of individual fixed assets.
Access to the fixed assets register should of course be restricted to approved personnel only.
All fixed assets whether they are tangible fixed assets such as buildings, fixtures and fittings,
plant and machinery, and vehicles and equipment, or intangible fixed assets such as patents,
copyrights, trademarks and brand values, have a limited useful life and will either become
uneconomic and unable to generate revenue income over and above the cost of their continued
use, or simply expire. This arises for many reasons, perhaps the most common being:
• physical deterioration (or wear and tear),
• technical obsolescence,
• physical impairment,
• the expiration of a legal right, and/or
• the loss of commercial value.
Where a fixed asset has some residual value, the disposal may of course result in the sale of
the fixed asset to another company/organisation and a net inflow of funds. However, where the
fixed asset has no residual value, the disposal (or perhaps, more appropriately, the write-off)
may result in a net outflow of funds.
For some fixed assets, regulatory requirements may impose very specific conditions on
their disposal, inasmuch as requirements may stipulate specific changes/alterations that must
be made to a fixed asset before it is deemed suitable for disposal. For example, the European
Council Regulation No. 2037/2000 on substances that deplete the ozone layer (October 2001),
requires ‘the removal of ozone depleting substances (including CFCs52 and HCFCs53) from
industrial, commercial and domestic refrigeration equipment/appliances before such equipment/
appliances are scrapped.’
Identification/scheduling stage
For non-ICT-related fixed assets, the responsibility for identifying and scheduling the disposals
would be that of the facilities services director/manager (and department) and for ICT-related
fixed assets it would be the ICT director/manager (and department). We can, however, distinguish
between two types of fixed asset disposals, these being:
Approval stage
As suggested earlier, the responsibility for authorising the disposal/write-off of a fixed asset or
group of fixed assets would be that of the finance director/manager (and department).
Where the disposal is a programmed disposal the authorisation would of course be routine,
providing the disposal request is consistent with the company’s/organisation’s strategic plan.
However, where the disposal is a non-programmed disposal, special approval would need to be
obtained and, where necessary, appropriate funding identified, especially if – as would probably
be the case – the disposal would also need to be matched with the acquisition of a replacement
fixed asset. In addition, if the value of the fixed assets involved is substantial and/or such
non-programmed disposal requests have become a regular occurrence (and their cumulative value
is substantial), it is likely that an independent internal investigation (probably by internal audit)
would also take place – to establish why!
Once approval for the disposal of the asset is confirmed, the facilities director/manager or the
ICT director/manager would be informed accordingly, and the asset disposed of/written-off.
Note: It is also at this stage that the fixed assets register would be updated to reflect the
disposal/write-off.
So, how would such a disposal/write-off be recorded in a company’s/organisation’s accounting
information systems?
Recording stage
For accounting purposes, the disposal/write-off would be recorded as follows. On approval, the
disposal/write-off would be recorded in the general ledger:
• Dr fixed assets disposal account,
• Cr fixed assets disposal account,
Where a sale is involved, the sale would be recorded in the general ledger as follows:
• Dr debtor account,
• Cr fixed assets disposal account,
and, on receipt, the payment would be recorded in the general ledger as follows:
• Dr bank account,
• Cr debtor account.
If a profit on disposal is realised, the profit would be recorded in the general ledger as follows:
• Dr fixed assets disposal account,
• Cr profit and loss account.
Appropriate debtor memorandum entries for the sale and receipt of payment would also be
made in the individual debtor account in the sales ledger.
If a loss on disposal is realised, the loss would be recorded in the general ledger as follows:
• Dr profit and loss account,
• Cr fixed assets disposal account.
• ensure adequate written policies and procedures exist for the disposal of fixed assets,
• ensure appropriate arrangements are made for the identification, assessment and authorisation
of all fixed asset disposals,
• ensure all income receipts from the disposal of fixed assets are correctly accounted for,
• ensure adequate records are maintained of all fixed asset disposals, and
• ensure all authorities and responsibilities related to the disposal of fixed assets are
appropriately allocated and adequate segregation of procedures/separation of duties exists between,
for example:
  ◦ procedures/personnel involved in identifying fixed assets for disposal and procedures/
    personnel involved in the authorising of such disposals, and
  ◦ procedures/personnel involved in identifying fixed assets for disposal and procedures/
    personnel involved in maintaining and updating the fixed assets register.
More importantly, any such failure could have a significant impact on the revenue earning
capacity of a company/organisation.
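The disposal controls described above (identification by facilities services or ICT, authorisation by finance, special approval for non-programmed disposals, and separation of duties between identifying, authorising and updating the register) can be tested against a disposal log. The following is an added example, not taken from the book: the record layout, names, sample records and the 10,000 referral threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed figure: the text says "substantial" without stating an amount.
AUDIT_THRESHOLD = 10_000.00


@dataclass(frozen=True)
class Disposal:
    """One row of a hypothetical fixed asset disposal log."""
    asset_id: str
    ict_related: bool
    programmed: bool            # part of the agreed replacement programme?
    value: float
    identified_by: str
    identifier_dept: str        # "facilities", "ict", "finance", ...
    authorised_by: str
    authoriser_dept: str
    register_updated_by: str
    special_approval: bool = False


def check_disposal(d: Disposal) -> list:
    """Return the control failures for a single disposal record."""
    findings = []
    # Non-ICT disposals are identified by facilities services, ICT ones by ICT.
    expected_dept = "ict" if d.ict_related else "facilities"
    if d.identifier_dept != expected_dept:
        findings.append("identified-by-wrong-department")
    # Authorising a disposal/write-off is the finance department's job.
    if d.authoriser_dept != "finance":
        findings.append("not-authorised-by-finance")
    # Separation of duties: identifying vs authorising.
    if d.identified_by == d.authorised_by:
        findings.append("sod-identify-authorise")
    # Separation of duties: identifying vs updating the fixed assets register.
    if d.identified_by == d.register_updated_by:
        findings.append("sod-identify-register")
    # Non-programmed disposals need special approval.
    if not d.programmed and not d.special_approval:
        findings.append("non-programmed-without-special-approval")
    return findings


def review(disposals) -> dict:
    """Map asset_id -> findings, for records with at least one failure."""
    report = {}
    for d in disposals:
        findings = check_disposal(d)
        if findings:
            report[d.asset_id] = findings
    return report


def audit_referrals(disposals, threshold: float = AUDIT_THRESHOLD) -> dict:
    """Departments whose cumulative non-programmed disposal value reaches
    the threshold and should be referred to internal audit."""
    totals = defaultdict(float)
    for d in disposals:
        if not d.programmed:
            totals[d.identifier_dept] += d.value
    return {dept: total for dept, total in totals.items() if total >= threshold}


# Constructed sample records (not real data).
SAMPLE_DISPOSALS = [
    Disposal("FA-0001", False, True, 1200.0,
             "a.khan", "facilities", "j.mills", "finance", "r.cole"),
    Disposal("FA-0002", True, False, 6500.0,
             "s.patel", "ict", "j.mills", "finance", "s.patel"),
    Disposal("FA-0003", True, False, 4800.0,
             "s.patel", "ict", "s.patel", "ict", "r.cole", special_approval=True),
    Disposal("FA-0004", False, False, 900.0,
             "t.ng", "ict", "j.mills", "finance", "r.cole", special_approval=True),
]

if __name__ == "__main__":
    for asset_id, findings in review(SAMPLE_DISPOSALS).items():
        print(asset_id, ", ".join(findings))
    print("refer to internal audit:", audit_referrals(SAMPLE_DISPOSALS))
```
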
Current assets can be defined as assets acquired by and/or generated by the company/organisation
for the purpose of resale and/or conversion into cash or cash equivalents, the management of
which can, perhaps unsurprisingly, be divided into two categories:
• stock management, and
• debtor management.
Stock management
Stock management is concerned with the insulation and, as far as possible, protection of product/
service-related transaction processes from adverse changes in the external environment. That is
the primary objective of stock management is to ensure that not only are appropriate levels of
Although the selection would of course be dependent on a vast range of interrelated company/
organisation specific business factors, some of which would include, for example:
• the availability of stocks,
• the reliability of suppliers,
• the predictability/certainty of demand for stocks,
• the expectation of possible future price changes, and
• the availability of trade discounts for volume purchasing,
the selection would, perhaps more importantly, be influenced by:
• the costs associated with holding/storing products – stock holding costs, and
• the costs associated with ordering products – stock ordering costs.59
For our purposes we will define stock holding costs as all those costs associated with the holding/
keeping of stock over a period of time and would include, for example:
• the rent and/or depreciation costs associated with maintaining storage facilities,
• the overheads costs associated with such storage facilities – for example heating costs, lighting
costs, insurance costs and possible security costs,
• the administration costs associated with maintaining a stock of products/raw materials,
• the opportunity costs associated with possible stock obsolescence and/or stock deterioration, and
• the costs associated with the loss and/or theft of stock.
Furthermore, we will define stock ordering costs as all those costs associated with the ordering
and receiving of stock and would include for example:
• the administration costs associated with the processing of orders,
• the inspection costs associated with the receiving of stock,
• the financial costs associated with the return of poor-quality products,
• stock related transport costs, and
• stock related handling costs.
Whilst retaining large levels of stocks can simplify stock management procedures and ensure –
at least theoretically – the availability of stocks, it can nevertheless unnecessarily tie up working
capital, increase the possibility of stock obsolescence and result in high stock holding costs.
Conversely, retaining very small levels, or indeed, zero stocks can improve efficiency and
flexibility, and of course minimise stock holding costs, but it can be a difficult and complex way
of managing stock as it increases dependence on external suppliers and again results in high
stock ordering costs.
Retaining moderate levels of stocks can – assuming the pre-determined/calculated level of
stock is both adequate and appropriate for the needs of the company/organisation – not only
minimise stock holding costs but also minimise stock ordering costs.
Clearly, it is important, especially where large volumes of relatively low-value stock items/
products are required, that an appropriate stock management model is adopted – as would be
the case for say:
• a retail and distribution company (category type 1(a)),
• a manufacturing and production company (category type 1(b)) or, indeed,
• a company/organisation with a limited flow of commodities (category type 2(a)).
So what alternative stock management models are available? There are a number that can and
indeed are used by companies/organisations not only throughout the UK but throughout the
world, the most common of these being:
• the economic order quantity (EOQ) model,
• the just in time (JIT) model, and
• the materials requirements planning (MRP) model.
Before we look at each of these in a little more detail, it would perhaps be useful to consider who
would be involved in the management of fixed assets.
$$Q = \sqrt{2cd/h}$$
where: Q = the quantity to order
d = the number of product units required per annum (annual demand)
c = the cost of placing an order
h = the holding cost per product unit per annum
Note: You may also see the economic order quantity formula expressed as $Q = (2cd/h)^{0.5}$.
Consider the following.
MJY Ltd, a Manchester-based company, has identified that its demand for product DR35 –
a main component of its best selling product range – is 40,000 units per annum. This demand
is at a constant rate throughout the year. If it costs the company £20 to place an order, and
£0.40 to hold a single unit of DR35 for a year, determine:
• the order size to minimise stock costs,
• the number of orders to be placed each year,
The order size that would minimise stock costs would be:
$$Q = \sqrt{2cd/h} = \sqrt{2 \times 20 \times 40{,}000 / 0.40} = 2{,}000 \text{ units}$$
40,000/2,000 = 20 orders.
Total costs would be total ordering costs + total holding costs, that is:
So when would MJY Ltd order product DR35? It would be ordered every 2.6 weeks, because
from the information contained in the question there appears to be no lead time. However
suppose that the supplier of product DR35 operated with a lead time of one week. How often
would MJY Ltd now have to order the product?
Assuming MJY Ltd consumes product DR35 evenly throughout the year, it would mean that
the company would need to order the product when a minimum stock level of approximately
770 is reached – that is 40,000/52. It is this minimum level of stock that is often referred
to as buffer stock – the stock that can be consumed whilst the ordered stock is awaiting
delivery.
Note: Whilst the economic order quantity model can of course be used to manage/control both
raw material stocks and finished product stocks – that is it can be used by manufacturing and
production companies/organisations and/or retail and distribution companies/organisations
– in a practical context its application/use can differ substantially from company to company
or organisation to organisation.62 Nevertheless it is perhaps worth noting that the economic
order quantity model is, in essence, a risk-averse stock management model inasmuch as the
most significant implication of its use is it can, and indeed often does, result in companies/
organisations holding significant amounts of stocks. In addition, buffer stocks may also be
introduced to compensate for the uncertainty that often exists in the use of the model/formula
– for example, supplier lead times may be difficult to determine with any degree of certainty.
Why? Put simply, to minimise the possibility of any stock-outs63 occurring which may result in
unfulfilled/unsatisfied transactions and as a consequence the loss of revenue income.
Essentially, within a just-in-time system the existence of stocks, or more appropriately the
holding of stocks to service a production and/or retail system, is viewed as a sign of sub-standard
management.
Why?
Because the very act of holding stocks is viewed as a drain on the limited resources of a
company’s/organisation’s production and/or retail system, with the holding of such stocks merely
designed to conceal problems and inefficiencies within the production/retail system, such as
an ineffective use of resources, a lack of flexibility in the use of employees and, perhaps most
importantly, an inappropriate level of planning/capacity management.
Put simply, a just-in-time stock management system can – in a practical context – be summed
up as small stocks/frequent deliveries, that is the right material, at the right time, at the right
place, and in the exact amount, with new stock ordered when existing stock reaches its reorder
level. So how does this differ from the economic order quantity model discussed earlier?
If you recall, from our earlier discussion, we suggested that the economic order quantity is
essentially that which minimises total annual cost and is, on cost grounds, the quantity a company/
organisation should order. The economic order quantity is determined by the following formula:
$$Q = \sqrt{2cd/h}$$
where: Q = the quantity to order
d = the number of product units required per annum (annual demand)
c = the cost of placing an order
h = the holding cost per product unit per annum
So, what about just-in-time with its underpinning philosophy of small/frequent orders and very
low levels of stock? In the above formula, both c the cost of placing an order, and h the holding
cost per product unit per annum, are fixed. However, if for example we can reduce the cost of
ordering (c), and/or the holding cost per product unit per annum, then the EOQ would also fall.
Consider the following.
NBC Ltd, a York-based company, has identified that the company’s demand for product
BB33 is 1280 units per annum. This demand is at a constant rate throughout the year. If it
costs the company £5 to place an order and the cost of holding a single unit is £0.50, what
order size would minimise total stock costs?
Using the EOQ formula, the order size that would minimise total stock costs would be:
$$Q = \sqrt{2cd/h} = \sqrt{2 \times 5 \times 1{,}280 / 0.50} = 160 \text{ units}$$
Say, for example, we could reduce c – the cost of placing an order – by 75% to £1.25, and
at the same time reduce h – the holding cost per product unit per annum – by 20% to £0.40.
What would the effect be on both the EOQ and the total costs?
The effect would be as follows:
$$Q = \sqrt{2cd/h} = \sqrt{2 \times 1.25 \times 1{,}280 / 0.40} = 89.44 \text{ units}$$ (rounded up to 90 units)
Although the frequency of the orders would increase – that is the length of the stock cycle
would fall from 6.5 weeks (52/(1,280/160)), to approximately 3.66 weeks (52/(1,280/90)), the
quantity ordered would fall – resulting in lower stocks – and the total cost would fall.
This is, in fact, one of the main ideas underpinning just-in-time – the continuous reduction
of c and h. As a consequence, if a company/organisation can not only develop close links with
suppliers, but also identify, develop and sustain operational efficiencies within the company/
organisation and thereby reduce the cost of ordering and the cost of holding products/items of
stock, it becomes much more attractive to order small quantities (as we have seen). Indeed, if
c can be reduced to 0 – that is products/items of stock can be ordered free, without external
and/or internal cost – then it becomes beneficial for a company/organisation to order products/
items of stock as required (just-in-time so to speak).
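The MJY Ltd and NBC Ltd cases above can be carried through in code, including the order frequency, the stock cycle and the total cost comparison. This is an added example, not code from the book: the names `OrderPlan`, `eoq` and `plan` are hypothetical, and the cost breakdown assumes the standard EOQ cost model (annual ordering cost c·d/Q plus annual holding cost h·Q/2, that is an average stock of Q/2).

```python
from dataclasses import dataclass
from math import sqrt

WEEKS_PER_YEAR = 52


@dataclass(frozen=True)
class OrderPlan:
    order_qty: float        # Q, units per order
    orders_per_year: float  # d / Q
    cycle_weeks: float      # weeks between orders
    ordering_cost: float    # c * d / Q
    holding_cost: float     # h * Q / 2 (assumes average stock of Q/2)
    reorder_level: float    # units consumed during the supplier lead time

    @property
    def total_cost(self) -> float:
        return self.ordering_cost + self.holding_cost


def eoq(d: float, c: float, h: float) -> float:
    """Economic order quantity Q = sqrt(2cd/h), using the text's symbols."""
    if d <= 0 or h <= 0 or c < 0:
        raise ValueError("need d > 0, h > 0 and c >= 0")
    return sqrt(2 * c * d / h)


def plan(d: float, c: float, h: float,
         order_qty: float = None, lead_time_weeks: float = 0.0) -> OrderPlan:
    """Cost out an ordering policy; order_qty overrides the exact EOQ,
    for instance when the quantity is rounded to whole units."""
    q = eoq(d, c, h) if order_qty is None else order_qty
    if q <= 0:
        # With c = 0 the formula gives Q = 0: there is no batch size to
        # cost out, and stock is simply ordered as required.
        raise ValueError("no positive order quantity: order as required")
    orders = d / q
    return OrderPlan(
        order_qty=q,
        orders_per_year=orders,
        cycle_weeks=WEEKS_PER_YEAR / orders,
        ordering_cost=c * orders,
        holding_cost=h * q / 2,
        reorder_level=d * lead_time_weeks / WEEKS_PER_YEAR,
    )


def worked_examples() -> dict:
    """The two cases from the text, with NBC Ltd before and after the
    reduction in c (to 1.25) and h (to 0.40), ordering 90 units."""
    return {
        "MJY Ltd": plan(40_000, 20.0, 0.40, lead_time_weeks=1),
        "NBC Ltd before": plan(1_280, 5.0, 0.50),
        "NBC Ltd after": plan(1_280, 1.25, 0.40, order_qty=90),
    }


if __name__ == "__main__":
    for name, p in worked_examples().items():
        print(f"{name}: Q={p.order_qty:.0f} orders/yr={p.orders_per_year:.2f} "
              f"cycle={p.cycle_weeks:.2f} wks total cost={p.total_cost:.2f} "
              f"reorder level={p.reorder_level:.0f}")
```
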
The main benefits/advantages of just-in-time include:
• greater processing efficiency and higher productivity due to reduced product cycle times and
lower production set-up times,
• improved product quality,
• reduced scrap/need for reworking,
• smoother production flow, and
• improved supplier relationships.
The main problems/disadvantages with just-in-time are:
• developing and implementing just-in-time stock management models can – both in management
time and commitment – be very costly,
• determining reorder levels can be problematic (some companies/organisations now use a
moving average based on the past two or three months' activity),
• establishing a workable/dependable relationship with external suppliers/providers can be
complex, and
• maintaining, monitoring and assessing the efficiency and effectiveness of just-in-time stock
management models can be difficult.
Note: Whilst many companies/organisations continue to develop and use just-in-time related
stock management models, they nevertheless continue to hold some buffer stocks to compensate
for the uncertainty/unpredictability of suppliers.
Essentially a materials requirements planning system schedules production on the basis of anticipated
future demand. A master production schedule is prepared to establish an overall stock
requirement. Existing and available stocks are deducted from the overall stock requirements and
a net purchasing requirement (including any provision for production waste/scrap) established.
Using this net purchasing requirement, purchase order and delivery schedules are established,
and production/manufacturing commencement times/dates determined.
The main benefits/advantages of such systems are:
• they can reduce/eliminate the risk of under/over-stocking, and
• they can minimise the need for the duplication of stock/production data.
Note: Where a company/organisation maintains different types of stock – for example a raw
materials/components stock, an unfinished products (or work-in-progress) stock, a finished
products stock and/or a consumables stock, it is likely that a separate stock register would be
maintained for each type.
Although historically stock register records were maintained using a variety of paper/card-
based systems, the majority of companies/organisations now maintain their stock register(s) in
the form of a secure computer-based database, containing information such as:
• the nature, type and/or the category of stock retained within the company/organisation,
• the acquisition profile of stock receipts – for example date of delivery, location of delivery,
• the value of each item of stock66 retained within the company/organisation,
• the geographical location of each item of stock,
• the office/department/section responsible for the day-to-day use and management of individual
items of stock,
• the stock item identifier,67 and
• the replacement requirements of each item of stock – including its reorder level.
As with the fixed assets register (see above), access to the stock register(s) should be restricted
to approved personnel only.
• stock items are portable, easily resaleable and do not carry/feature a company/organisation
logo/symbol,
• storage facilities are unsecured, regularly left unsupervised and are unmonitored (e.g. no CCTV),
and
• stores personnel are untrained and regularly left unsupervised.
There are of course many alternative types of physical stock counts or stocktakes, the most
common being:
• periodic stocktaking – that is where a physical count of all stock items is undertaken, or
• continuous stocktaking – that is where a physical count of only a selected sample of stock
items is undertaken.
Remember: For valuation purposes, a physical count of all stock items must be undertaken at
the year-end date (or as close as possible).
For accounting purposes, the introduction of closing stock (based on the reconciled
stocktake) into these financial accounts would be recorded as follows:
• Dr (closing) stock account,
• Cr trading account.
Remember: For accounting purposes, the introduction of any opening stock (based on the
previous accounting period’s closing stock – as adjusted) into these financial accounts would
be recorded as follows:
• Dr trading account,
• Cr (opening) stock account.
Whilst the primary responsibility for the stocktake would be that of the store services director/
manager (and department), in some companies/organisations – especially retail companies which
operate at a number of geographical locations – such responsibility may be delegated to the retail
outlet manager, especially where stock ledgers are maintained by the store services department.
Have a look at the following extracts taken from stocktaking instructions (for the year ending
31 March 2006) recently issued to store managers of a UK-based retail company:
• ensuring sufficient trained personnel are available to participate in the stocktake, and
• ensuring all personnel counting stock are issued with a written copy of the company’s
current stocktaking procedures/instructions.
The manager of the store is also responsible for informing the financial department and the
internal audit department of the time and date of the physical stocktake. It is, however, the
responsibility of the finance director/manager and, where appropriate, the internal audit
manager to ensure finance and/or audit personnel are available to supervise/observe the
physical stocktake.
On the day of the stocktake, personnel appointed to conduct the physical stocktake should
be either assigned an area within the storage facility or allocated a type of stock within the
storage facility. Where a manual method of stocktake is used, personnel appointed to conduct
the physical stocktake should be issued with stock count sheets that identify details of the
unit of measurement to be used in the stocktake (e.g. tin, box, carton) but do not include
any data on stock levels. Where a scanner method of stocktake is used – for example where
stock items are bar coded or RFID tagged – personnel appointed to conduct the physical
stocktake should be issued with an authorised scanner. On completion of the stocktake
scanned details should be downloaded (by authorised personnel only) to maintain a record
of areas scanned.68
• ensuring all stocktake sheets are appropriately signed (manual stocktake), and/or all
scanner data is correctly downloaded (automated stocktake),
• assisting financial department personnel in the supervision of the stocktake and the
verification of quantities recorded,
• ensuring all counted stocks are marked to ensure stock items are not double counted,
• investigating discrepancies as directed by the store manager,
• undertaking, where directed by the store manager, the recount of stocks,
• ensuring that all stock items within their assigned area are included in the stocktake, and
• identifying damaged and/or obsolete stock.
• ensuring all personnel appointed to conduct the physical stocktake are properly instructed
in relevant procedures,
• ensuring all stock quantities are recorded in the correct units, and
• investigating stock variances.
Where during a stocktake, obsolete and/or damaged stock is identified, such stock should
be excluded from the physical count and appropriate arrangements made to dispose of the
stock items. Where the value of such write-offs is significant (in excess of 5% of the total
value of stock) such write-offs should be reported to the finance department and internal
audit department for further investigation.
• undertaking sample comparisons of completed manual stock count sheets and/or automatic
stock count listings to the physical stock within the store, and
• identifying, investigating and resolving any discrepancies identified.
The reduction in value would be written off as soon as possible – that is in the accounting
period in which it is identified.73
To ensure all stock issues are appropriately approved and correctly accounted for, it is important to:
• ensure adequate written policies and procedures exist for the issue of stocks,
• ensure appropriate authorisation is obtained for all issues of stock, and
• ensure stock records are accurately updated for all issues of stock.
In addition, it is important to ensure that all authorities and responsibilities relating to the
movement of stock are appropriately allocated and adequate segregation of procedures/separation of
duties exists between procedures/personnel involved in authorising the movement of stock and
those involved in maintaining and updating the stock register.
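The controls above (authorisation of every stock issue, accurate updating of stock records, and separation of the authorising and recording duties) can be tested against a stock-issue audit trail. The Python sketch below is an added example, not part of the original text; the record layout, finding labels, user names and issue numbers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int        # position of the record in the audit trail
    issue_id: str   # stock issue note number (constructed)
    action: str     # "authorise" or "register_update"
    user: str       # person who performed the action
    item: str       # stock item identifier
    qty: int        # quantity authorised or recorded


# Constructed audit-trail records; every identifier here is made up.
SAMPLE_EVENTS = [
    Event(1, "SI-1001", "authorise", "amir", "ITEM-A", 10),
    Event(2, "SI-1001", "register_update", "beth", "ITEM-A", 10),
    Event(3, "SI-1002", "authorise", "carl", "ITEM-B", 5),
    Event(4, "SI-1002", "register_update", "carl", "ITEM-B", 5),  # same person
    Event(5, "SI-1003", "register_update", "beth", "ITEM-C", 2),  # no approval
    Event(6, "SI-1004", "authorise", "amir", "ITEM-A", 4),
    Event(7, "SI-1004", "register_update", "dina", "ITEM-A", 7),  # qty differs
    Event(8, "SI-1005", "authorise", "amir", "ITEM-D", 1),        # not recorded
    Event(9, "SI-1006", "register_update", "beth", "ITEM-B", 3),
    Event(10, "SI-1006", "authorise", "amir", "ITEM-B", 3),       # approved late
]


def review_stock_issues(events):
    """Return {issue_id: [finding, ...]} for issues that break a control."""
    by_issue = {}
    for ev in sorted(events, key=lambda e: e.seq):
        by_issue.setdefault(ev.issue_id, []).append(ev)

    findings = {}
    for issue_id, evs in by_issue.items():
        auths = [e for e in evs if e.action == "authorise"]
        updates = [e for e in evs if e.action == "register_update"]
        problems = []

        # Control: authorisation is obtained for all issues of stock.
        if updates and not auths:
            problems.append("UNAUTHORISED_ISSUE")
        # Control: stock records are updated for all issues of stock.
        if auths and not updates:
            problems.append("REGISTER_NOT_UPDATED")

        if auths and updates:
            # Approval must precede the register entry, not follow it.
            if min(u.seq for u in updates) < min(a.seq for a in auths):
                problems.append("UPDATED_BEFORE_AUTHORISATION")
            # Separation of duties: authoriser must not maintain the register.
            if {a.user for a in auths} & {u.user for u in updates}:
                problems.append("SEGREGATION_OF_DUTIES")
            # The register entry must match what was actually authorised.
            authorised = {(a.item, a.qty) for a in auths}
            if any((u.item, u.qty) not in authorised for u in updates):
                problems.append("QUANTITY_OR_ITEM_MISMATCH")

        if problems:
            findings[issue_id] = problems
    return findings


if __name__ == "__main__":
    for issue, problems in review_stock_issues(SAMPLE_EVENTS).items():
        print(issue, ", ".join(problems))
```
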
For the company/organisation the advantages/benefits associated with the use of RFID technologies
include:
• improved data management,
• increased data capacity,
• simplification of stock management processes,
• a reduction in operating costs,
• a reduction in stock management errors and inaccuracies,
• the more accurate and timely tracking of products and assets,
• greater supply chain visibility/supply chain management, and
• a possible reduction in product counterfeiting, fraud and theft.
For the customer/client the advantages/benefits associated with the use of RFID technologies include:
• faster and simpler check-out procedures – for example there are no line-of-sight requirements
for RFID tags,
Article 11.3
Another growth area will be in identifying and authenticating people or items for safety or security
purposes, such as within passports or to verify a patient’s identity at the operating table.
Much work remains to be done. For all its promise, a range of technical, business and political
barriers to RFID’s development still exists.
Standards bodies and academic institutions need to harmonise hardware and software standards
globally, while companies should lay out a framework that helps them understand and address the
process changes required to get value from the technology.
Privacy can be protected without killing RFID.
The use of RFID in consumer goods has sparked controversy about consumer privacy. Although some
of the concerns raised overstate RFID’s capabilities, there are genuine issues to be resolved, such as
the ability for anyone with an RFID reader to track people by the items they wear or carry.
This report concludes that legislators should require that RFID tags be deactivated at point of sale
to allay privacy concerns, but not require the permanent ‘killing’ of stored data, as this would limit
users’ ability to opt-in to interesting post-sale applications that benefit consumers as well as
businesses.
‘RFID is being used successfully in corporate supply chains, and there are a range of potentially
valuable applications in the pipeline,’ said Gareth Lofthouse, Director of Custom Research in Europe
at the Economist Intelligence Unit. ‘But for RFID to achieve its potential, the industry must address
valid concerns over customer privacy.’
‘NEIIA commissioned the report to help promote informed debate about the RFID industry,’ commented
David Allison, Chairman of The North England Inward Investment Agency. ‘The report provides quality
content that we believe will help RFID companies meet the broader challenges and opportunities
confronting this burgeoning industry.’
Source: 10 March 2006, www.electronicstalk.com/news/ecn/ecn100.html.
The costs/risks associated with not holding (or holding low) stocks would include:
• a possible loss of customer goodwill when stock-outs occur,
• the dislocation/fragmentation of production,
• possible loss of flexibility due to increased dependency on suppliers, and
• possible increase in reorder costs.
The costs/risks associated with holding stock in trade would include:
• a possible loss of interest,
• an increased working capital cycle (see Article 11.4),
• increased storage cost, and
• increased insurance cost.
Debtor management
Debtor management is concerned with ensuring that all debtor-based sales are promptly and
correctly invoiced and all income relating to such debtor-based sales is efficiently collected.
In a practical context, this means establishing effective company/organisation-wide internal
controls to ensure the efficient management and administration of all debtor-related sales.
Article 11.4
It is also important to ensure all authorities and responsibilities relating to the processing
and approval of customer orders are appropriately allocated and adequate segregation of
procedures/separation of duties exists between procedures/personnel involved in determining
credit risk and those involved in authorising the supply of products/provision of services to
customers/clients.
Liabilities management
Gearing is a description of the relationship between the levels of debt and equity within a
company/organisation – a relationship often expressed in the form of a gearing ratio, that is:82
So, if debt increases financial risk, why do companies/organisations borrow? Because compared
to equity, debt has a lower direct cost. It is generally perceived as being less risky to a lender/
investor than equity for two reasons.
Firstly, in the event of a company liquidation and distribution of assets, secured lenders such
as debenture holders will generally take priority over the shareholders of the company. Such
security often results in lenders/investors requiring a rate of return lower than that normally
required by shareholders. Secondly, all legitimate debt-related interest payments take priority
and must be paid before any dividend payments are made, and are (in the UK at least) allowable
as a tax expense whereas dividend payments to shareholders are not!
However, borrowing does have a number of disadvantages.
Firstly, increasing levels of debt within a company/organisation can increase the possibility
of financial distress83 and the risk of corporate/organisation failure, inasmuch as when combined
with falling revenue incomes and/or high interest rates, excessive levels of debt within a company/
organisation can increase the possibility of debt default – that is a company/organisation being
unable to meet outstanding debt commitments. (See Article 11.5.)
Secondly, and perhaps more importantly, increasing the levels of debt within a company/
organisation can adversely affect shareholder earnings inasmuch as higher levels of debt will
normally require higher levels of interest (although not necessarily higher interest rates, see
below). Such increases in interest – where they exceed any increases in earnings generated by
the use of the additional debt funds within the company/organisation – will of course produce
a reduction in profits available for distribution to shareholders as dividend payments. This,
somewhat unsurprisingly, often results in shareholders demanding a higher rate of return in
compensation and therefore increasing the cost of equity.
Consider the following.
d/r
YHU plc is a UK-based retailer. The company has recently paid a dividend of 20p per share
and the company expects the dividend to remain unchanged for the foreseeable future.
Assuming an expected rate of return of 5%, the value of a YHU plc share would be:
0.20/0.05 = 400p or £4
Suppose the current dividend was increased to 22p, but because of additional debt the
expected rate of return also increased to 6%. Then the value of a YHU plc share would be:
Article 11.5
To maintain a share value of £4, the dividend would have to increase to:
So, how do the changes in the cost of equity affect the company/organisation? There are two
alternative views as to how an increase in the levels of debt affects a company/organisation, in
particular its overall cost of capital – that is its Weighted Average Cost of Capital (WACC),84
these being:
• the traditionalist view, and
• the net operating income view (also known as the Modigliani–Miller theorem).
The traditionalist view suggests that whereas the cost of equity will increase as the levels of debt
increase, the cost of debt will remain unchanged up to a level beyond which the cost of debt will
also increase. This results in a company’s/organisation’s weighted average cost of capital initially
falling as the relative proportion of debt increases, and then increasing as the rising cost of
equity and, perhaps more importantly, the rising cost of debt become increasingly significant.
The traditionalist view therefore suggests that increasing levels of debt have, overall, an adverse
impact on a company’s/organisation’s weighted average cost of capital.
The net operating income view (as proposed by Modigliani and Miller in 1958) suggests that
a company’s/organisation’s weighted average cost of capital remains unchanged regardless
of the level of gearing. They suggest that the cost of debt remains unchanged as the level of
gearing increases, with the cost of equity increasing in such a way as to keep a company’s/
organisation’s weighted average cost of capital constant. Modigliani and Miller later adjusted
their model suggesting that taxation relief on debt-related interest payments will reduce a
company’s/organisation’s weighted average cost of capital which would, they claim, continue
to fall up to a 100% gearing.
The net operating income view (as amended) therefore suggests that increasing levels of debt
have, overall, a favourable impact on a company’s/organisation’s weighted average cost of capital.
So, which is correct? Whilst there can be little doubt that the latter view – the net operating
income view (and its related propositions)85 – has many theoretical merits, and some academic
support, there is nonetheless substantial evidence (albeit much of which is anecdotal) in
support of the traditionalist view.
Clearly, a failure to adequately monitor and control levels of gearing could have severe
consequences, inasmuch as:
• a high level of securitisation could impede a company’s/organisation’s ability to generate
revenue, and
• an excessive number of debt covenants could restrict a company’s/organisation’s use of
assets – in particular fixed assets,
both of which could not only have a significant impact on the overall value of a
company/organisation but, more importantly, severely affect the company’s/organisation’s future prospects.
Creditor management
Creditor management is concerned with ensuring that all creditor-based purchases are correctly
invoiced and all payments relating to such creditor-based purchases are efficiently disbursed.
In a practical context, this means:
• determining an appropriate company/organisation-wide credit policy, and
• establishing effective company/organisation-wide internal controls,
• ensure that appropriate activity-related reports (including temporal86 and/or cross sectional87
comparative analyses) are produced for senior managers on a regular basis.
We discussed these in Chapter 9.
Within each of the above categories, it is of course important for data protection purposes
(see the Data Protection Act 1998)88 to ensure that access to confidential and/or personal creditor-
related data is monitored and controlled, and restricted to authorised personnel only.
The costs/risks associated with taking trade credit from suppliers/service providers would
include:
• the possible price implications of taking credit,
• the possible loss of product supplier/service provider goodwill,
• the costs associated with creditor management-related administration, and
• the potential restrictions of taking credit on other business-related activities.
The costs/risks associated with not taking trade credit from suppliers/service providers would
include:
• the possible loss of interest,
• the inconvenience associated with not taking credit, and
• published financial statements – that is the external issue of accounting information.
Accruals adjustments
An accruals adjustment is a year-end accounting adjustment where a commitment to pay funds
(an accrued expense) or a right to receive funds (accrued income) exists, but for which no cash
has yet been received or disbursed.
An example of an accrued expense would be employee wages due but as yet unpaid,
whilst an example of accrued income would be outstanding interest and/or dividends to be
received.
Prepayment adjustments
A prepayment adjustment is a year-end accounting adjustment where:
• a payment in advance of the acquisition and custody of a product and/or service has been
made (a prepaid expense), or
• income in advance of the delivery of a product/provision of a service has been received
(prepaid income).
An example of a prepaid expense would be where a company/organisation has paid for energy
supplies for a period which exceeds the accounting year end, whilst an example of prepaid income
would be the receipt of an annual membership fee in advance of the year to which the fees relate.
Provision adjustments
A provision adjustment refers to accounting entries that either increase or decrease an existing
provision within a company’s/organisation’s balance sheet. In the UK, such provisions include,
for example:
• the provision for depreciation, and
• the provision for doubtful debts,
although other EU countries (despite the harmonising effects of the fourth company law directive)
still allow provisions to be created for other purposes.
• the revaluation of both tangible and intangible fixed assets – for example increasing asset
values to reflect the current market values of such assets,
• the revaluation of current assets – for example the write-off of stock due to obsolescence
and/or losses identified by a physical stock count,
• the revaluation of current liabilities – for example to reflect an agreed reduction in an
outstanding creditor account following a legal dispute, and
• the revaluation of long-term liabilities – for example the marking to market of a debenture/
bond.
Error corrections
Such entries relate to the correction of errors that have been identified in the general ledger and
would include, for example, the correction of:
• errors of principle,
• errors of commission,
• errors of omission,
• errors of original entry,
• transposition errors, and
• compensating errors.
• turnover/activity reports,
• profitability reports, and
• efficiency analyses.
• a profit and loss account, and a balance sheet, as required by the Companies Act 1985 (see
Schedule 4),
• a statement of changes in equity,
• a cash flow statement (as required by FRS1), and
• explanatory notes.
For an example of such year-end financial statements have a look at the following:
In addition to the above, all UK listed companies are required to produce additional interim
financial statements as required by London Stock Exchange listing rules and FSA regulations/
requirements, with non-mandatory guidance available in IAS 34 Interim Financial Reporting.
Clearly, any failure in the processes and controls associated with the general ledger could have
a significant impact on a company’s/organisation’s ability to accurately record business-related
financial transactions, and could severely impair a company’s/organisation’s ability to produce
financial statements that present a true and fair view of the company’s/organisation’s business
activities for the accounting period/financial year. So, what are the main risks?
The main risks would include:
• errors in updating general ledger accounts – for example, errors of omission, errors of
principle, errors of calculation/value and/or errors of transposition,
• unauthorised amendment to, and/or loss of, financial data, and
• errors in the generation of financial reports – for example, the incorrect use of year-end
close-down procedures and/or the incorrect transfer of opening balances.
Concluding comments
Whilst not directly involved in any value creating/revenue generating activities, the management
cycle plays an important coordinating role in the organisation, supervision and control of
all company/organisational resources: a role without which all other business-related activities
would be meaningless.
References
Baumol, W.J. (1952) ‘The Transactions Demand for Cash: An Inventory Theoretic Approach’,
Quarterly Journal of Economics, 66(4), pp. 545–556.
Black, F. and Scholes, M. (1973) ‘The pricing of options and corporate liabilities’, Journal of Political
Economy, 81(3), pp. 637–659.
Garman, M.B. and Kohlhagen, S.W. (1983) ‘Foreign currency option values’, Journal of International
Money and Finance, 2, pp. 231–237.
Harris, F.W. (1915) Operations Cost (Factory Management Series), Shaw, Chicago.
Miller, M. and Orr, D. (1966) ‘A model of the demand for money by firms’, Quarterly Journal
of Economics, 80(3), pp. 413–435.
Wilson, R.H. (1934) ‘A Scientific Routine for Stock Control’, Harvard Business Review, 13,
pp. 116–128.
Bibliography
Self-review questions
Question 1
The management of fixed assets can be divided into three stages:
• the acquisition stage,
• the retention stage, and
• the disposal stage.
Required
Briefly describe the main purpose of each stage and the internal controls you would expect to find in a
medium-sized retail company.
Question 2
You are an internal auditor working for Eketel plc., a UK-based retail company. The company has an in-house
training policy that requires all graduate entrants to the company’s finance department to work within the
internal audit department for the first six months of their training contract. The chief internal auditor of Eketel plc
has asked you to write an induction pack for the graduate entrants, explaining the importance and relevance
of internal controls in the management of current assets.
Required
Prepare a report for the chief internal auditor, explaining the importance and relevance of internal controls in
the management of current assets, and evaluate the types of internal controls you would expect to find in the
management of stock and of debtors.
Question 3
Kiley plc is a UK-based retailer. The company regularly invests surplus funds in seven-day notice short-term
deposits on the UK money market. Currently, such short-term deposits pay an interest of 5% per annum. Also
currently, Kiley plc has cash payments for each month totalling £1,250,000 per month (or £15m pa).
Assume transactions costs are £15.40 per transaction.
Required
Using the Baumol cash management model calculate how much Kiley plc should transfer to its bank account
and briefly explain the main assumptions that are made when using the Baumol cash management model.
Question 4
One of the most important operational resources a company possesses is undoubtedly cash. Often regarded
as the lifeblood of corporate activity, cash systems (especially cash receiving systems) are surrounded by
elaborate internal control procedures, often based on the separation of operational duties between a range of
company employees and the control of cash receiving documentation.
Required
(a) Describe the documentation you would expect to find in an operationally controlled cash receiving system
of a medium-sized retailer and briefly explain the purpose of the documentation you have described.
(b) With the aid of a columnar documentary flowchart illustrate how the separation of duties between
company employees can be used to reduce the potential of cash fraud occurring. (In your flowchart you must
use all the documentation you have described above.)
Question 5
‘In computer-based accounting information systems, the general ledger is no longer required and is, to all
intents and purposes, redundant.’ Discuss.
Assignments
Question 1
You have been appointed to audit GTH Ltd, a local restaurant that has recently opened. The owner and head
chef of the restaurant is Helen Betts. Helen is a wonderful cook but possesses little knowledge of business
and business practices. As a result she has a tendency to trust her employees . . . perhaps a little too much.
At the restaurant the waiters are given a note pad each day on which to take orders. The sheets are turned
over to the kitchen to prepare the orders as instructed. The waiters then deliver the prepared meal to the
customer. When the customers are ready to leave, the waiters merely sum up the total bill and take the cash.
Since there is no cashier, the waiters tender change to the customers from sums they have received. The
restaurant does not accept payment by cheque and/or credit cards.
At the end of the day the waiters tender their net cash receipts to Helen who then banks the cash.
Recently Helen remarked that even though she was always busy in the kitchen, daily sales have not been as
high as expected. Indeed, because of the cash flow problems being experienced by the business, Helen is
now considering closing it down.
Required
Explain to Helen what internal controls need to be implemented over cash sales and offer a possible
explanation as to why the business is experiencing cash flow problems.
Question 2
QLP plc is a UK-based delivery company. The company has 26 depots located throughout the UK with a head
office in Birmingham.
At a recent board meeting the company discussed a proposal to replace part of its fleet of delivery vans. The
replacement will entail the acquisition of 14 vehicles and the disposal of 16 others of varying age and condition.
Although such vehicle replacements have occurred in the past – the most recent being 18 months ago –
problems have always arisen, in particular regarding the disposal of old vehicles.
Required
As the recently appointed chief internal auditor of QLP plc, the managing director of the company has asked
you to prepare a report for the management board of the company describing the main stages and
evaluating the key internal controls you would expect to find in the acquisition and disposal process.
Chapter endnotes
1 Subject of course to any restrictions imposed by the company’s articles of association.
2 There are a further five classes of preference shares, these being:
• Participating preference shares – entitles the shareholder to a fixed dividend and the right to
participate in any surplus profits after payments of agreed levels of dividends to ordinary
shareholders have been made.
• Zero dividend rate preference shares – the shareholders receive no dividends throughout the
life of the shares.
• Variable dividend rate preference shares – the dividend is either agreed at a fixed percentage
plus, for example, LIBOR (London Interbank Offered Rate), rather than receiving a fixed
level of dividend, or is a variable dividend set at regular intervals to a market rate by means
of an auction process between investors known as AMPS (Auction Market Preferred Stock).
Auction market securities are money market financial instruments, created in 1984, which
reset dividends at a rate that is fixed until the next auction date, when the securities adjust
with a new yield to reflect market conditions.
• Redeemable preference shares – shares issued on terms which require them to be bought
back by the issuer at some future date, in compliance with the conditions of the Companies
Act 1985, either at the discretion of the issuer or of the shareholder.
• Convertible preference shares – shares which have terms and conditions agreed at the
outset, which provide the shareholder with the option to convert their preference shares into
ordinary shares at a future date.
3 That is only if the public limited company is trading.
4 You may recognise this as a Statement of Sources and Applications of Funds (as was required
by SSAP 10 – now withdrawn).
5 It is for example possible to have a zero coupon bond – that is a bond on which no interest is
payable.
6
Either a fixed charge on specific assets or a floating charge on a group of assets.
7
Sequestration can be defined as the act of removing, separating or seizing property and/or
assets from the possession of its legal owner for the benefit of a lender (creditor) or the state.
8
For example, a lender (creditor) may impose:
• a minimum current ratio or quick ratio for the company/organisation,
• conditions relating to the disposal of fixed assets,
• restrictions on the issue of debt and/or equity,
• conditions regarding the maintenance of a specific level of financial gearing, and/or
• restrictions on amounts of dividends payable by the company/organisation.
9
Note – somewhat confusingly, in the USA (and in many other countries) a debenture is
defined as an unsecured debt with a fixed coupon (interest rate).
10
The debenture trust deed would contain details relating to:
• period of the loan,
• security for the loan,
• power to appoint a receiver,
• interest rate and payment terms,
• financial reporting requirements,
• redemption options/procedures for the repayment of the debentures, and
• any restrictive covenants imposed by the debenture trust deed.
11
A bond with an interest rate fixed to maturity.
12
A bond which pays no interest (coupon) but is priced, at issue, at a discount from its
redemption value. These are attractive to investors seeking capital gains rather than income
from interest.
13
A bond whose interest rate is linked to a specified market rate.
14
A bond whose redemption is funded by a specific fund – a sinking fund – which is merely a
pool of funds set aside by a company/organisation to help repay a bond issue.
15
A bond whose interest rate is linked to another commodity index or interest rate, and
whose interest rate is renegotiated at an agreed interval. For example, a rollover bond could be
a three-year bond with a coupon rate of 1/2% above the three-month LIBOR. That is, the interest
rate would be renegotiated every three months and set at a rate of 1/2% above.
16
The conversion value of the convertible bond may be calculated as:
$$V_n = S \times (1 + g)^n \times N$$
where:
g = the expected annual percentage growth rate of the share price,
N = the number of ordinary shares that will be received on conversion,
S = the estimated ordinary share price at the conversion date.
The current market value of the convertible bond ($V_o$) may of course be found by calculating
the present value of future annual interest ($I$) plus the present value of the securities conversion
value after $n$ years ($V_n$), using the market rate of return on bonds expected by investors ($R_d$),
that is
$$V_o = \frac{I}{(1 + R_d)} + \frac{I}{(1 + R_d)^2} + \frac{I}{(1 + R_d)^3} + \cdots + \frac{I + V_n}{(1 + R_d)^n}$$
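The two formulas in endnote 16, carried through in code as an added example that is not part of the book. It goes one step beyond the endnote by also solving the second formula in reverse, for the return Rd implied by an observed bond price; the function names and the sample figures are assumptions constructed for illustration.

```python
"""Convertible bond valuation using the two formulas in endnote 16."""


def conversion_value(share_price, growth_rate, years, shares_per_bond):
    """V_n = S x (1 + g)^n x N, with S, g and N as defined in the endnote."""
    if share_price < 0 or years < 0 or shares_per_bond < 0:
        raise ValueError("S, n and N must not be negative")
    if growth_rate <= -1:
        raise ValueError("g must be greater than -100%")
    return share_price * (1 + growth_rate) ** years * shares_per_bond


def discounted_cash_flows(annual_interest, required_return, years, conv_value):
    """Return (year, cash flow, present value) for each of the n years.

    Interest I is received every year; the conversion value V_n is added
    to the final year's cash flow, as in the last term of the V_o formula.
    """
    if not isinstance(years, int) or years < 1:
        raise ValueError("n must be a whole number of years, at least 1")
    if required_return <= -1:
        raise ValueError("Rd must be greater than -100%")
    if annual_interest < 0 or conv_value < 0:
        raise ValueError("I and V_n must not be negative")
    flows = []
    for t in range(1, years + 1):
        cash = annual_interest + (conv_value if t == years else 0.0)
        flows.append((t, cash, cash / (1 + required_return) ** t))
    return flows


def market_value(annual_interest, required_return, years, conv_value):
    """V_o = I/(1+Rd) + I/(1+Rd)^2 + ... + (I + V_n)/(1+Rd)^n."""
    flows = discounted_cash_flows(annual_interest, required_return, years, conv_value)
    return sum(present_value for _, _, present_value in flows)


def implied_return(price, annual_interest, years, conv_value,
                   lo=-0.5, hi=10.0, tol=1e-10):
    """Solve V_o(Rd) = price for Rd by bisection.

    V_o falls as Rd rises when all cash flows are non-negative, so a
    single root lies between lo and hi if the price is bracketed.
    """
    def gap(rate):
        return market_value(annual_interest, rate, years, conv_value) - price

    if gap(lo) < 0 or gap(hi) > 0:
        raise ValueError("price is outside the range covered by lo..hi")
    for _ in range(200):
        mid = (lo + hi) / 2
        if gap(mid) > 0:
            lo = mid          # value still above price: Rd must be higher
        else:
            hi = mid
        if hi - lo < tol:
            break
    return (lo + hi) / 2


if __name__ == "__main__":
    # Constructed figures: S = 2.50, g = 5%, n = 4 years, N = 40 shares,
    # I = 8.00 a year, Rd = 10%.
    v_n = conversion_value(2.50, 0.05, 4, 40)
    v_o = market_value(8.00, 0.10, 4, v_n)
    print(f"V_n = {v_n:.2f}")
    for year, cash, pv in discounted_cash_flows(8.00, 0.10, 4, v_n):
        print(f"year {year}: cash {cash:8.2f}  present value {pv:8.2f}")
    print(f"V_o = {v_o:.2f}")
    print(f"Rd implied by that price = {implied_return(v_o, 8.00, 4, v_n):.4%}")
```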
17
For example:
• an optional convertible security – in which the holder of the convertible security has the
option to convert the debt into shares at a number of agreed future dates, and/or
• an exchangeable convertible security – in which the shares underlying the debt are in a
company other than the company issuing the convertible security.
18
Such exchanges would include:
• the London International Financial Futures Exchange (LIFFE),
• the Chicago Board of Trade (CBOT),
• the Chicago Mercantile (CME),
• the Tokyo Stock Exchange, and
• the Paris Marché à Terme d’Instruments Financiers (MATIF).
19
A call option is the right (not the obligation) to buy a specified number of securities at a
specified price (the strike price) at or over a specified time.
20
A put option is the right (not the obligation) to sell a specified number of securities at a
specified price (the strike price) at or over a specified time.
21
Option pricing is a complex issue, with the price of an option determined by many
inter-related factors, such as:
• the current price of the security,
• the strike price (exercise price) of the security,
• the unexpired period to exercise date,
• the volatility of the underlying security,
• the risk free rate of return, and
• the exposure of the option writer.
The classic option pricing model is of course the Black-Scholes model (1973), with an adapted
version for pricing currency options by Garman and Kohlhagen (1983) also widely used.
22
Such options are sometimes referred to as swaptions.
23
The intrinsic value of a warrant ($V_w$) can be calculated as the current price of the ordinary shares
($S$), less the exercise price ($E$), times the number of shares ($N$) provided by each warrant, that is:
$$V_w = (S - E) \times N$$
24
Such periods can range from a few months up to 15 years.
25
A company seeking a full listing on the London Stock Exchange must comply with a number
of important criteria contained within the so-called ‘Purple Book’ which sets out all the rules
for securities on the Official List, covering both listing approval and continuing obligations. For
example, a company seeking a listing must:
• issue a prospectus that includes financial performance forecasts and other information
required by prospective investors,
• ensure that following the listing a minimum of 25% of the shares must be owned by the public,
• have made sales for at least three years up to the listing date from an independent business
activity,
• have not had any significant changes in directors and senior managers of the business over
the previous three years,
• have a minimum market capitalisation of £700,000, and
• have audited accounts for the previous three years.
26
For cost and control purposes, many companies now outsource all share registrar activities
to external agents/companies, such companies including for example:
• Capita @ www.capitaregistrars.com,
• LloydsTSB @ www.lloydstsb-registrars.co.uk, and
• Computershare Investor Services PLC @ www.computershare.com.
27
Such a risk policy would include:
• the identification and measurement of possible risk exposures,
• the development of an appropriate foreign exchange rate and/or interest rate exposure
strategy, and
• the selection of appropriate exposure techniques, hedging techniques and derivatives.
28
The main risks associated with the use of hard cash as a medium of exchange are its volatility,
its desirability, its usability and its general lack of traceability.
29
Although to an increasingly limited extent.
30
Although some will, in exceptional circumstances, accept payment using transferable
payment documents and/or a tradable financial instrument.
31
The term segregation of procedures refers to the concept of having more than one activity
and/or procedure required to complete the task or process.
32
The term separation of duties refers to the concept of having more than one person required
to complete a procedure or task. Its objective is to ensure that duties (roles) are assigned to
individuals in a manner so that no one person can control a process. It is sometimes referred
to as segregation of duties.
33
Cash holdings incur an opportunity cost in the form of opportunity foregone.
34
Each transaction incurs a fixed and variable cost.
35
The Miller–Orr model assumes that net cash flows are normally distributed.
36
That is the receipt of previously invested surplus funds.
37
Such activities should of course be supervised by personnel not directly involved in any other
fund management activities.
38
Also known as ‘lapping’ this is a type of fraud often used where an individual wants to cover
up a theft. Sometimes known as ‘robbing Peter to pay Paul’ fraud.
39
An audit trail can be defined as a sequence of records and/or documents (whether physical or
virtual) which contains evidence directly relating to and/or resulting from the execution of a
commercial transaction, a business process or systems function.
40
That is sequentially numbered documentation whose issue is subject to periodic supervisory
reconciliation and whose use is subject to periodic internal audit reviews.
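The controls defined in endnotes 32, 39 and 40 can be tested directly against an audit trail. The following check is an added example, not part of the book: the voucher numbers, user names and duty names are constructed, and the rule that each duty on a voucher must be carried out by a different person is an assumption made for the illustration.

```python
"""Separation-of-duties and document-sequence checks over an audit trail."""
import csv
import io
from collections import Counter, defaultdict

# Constructed audit-trail extract for disbursement vouchers (not real data).
TRAIL_CSV = """voucher,duty,user
1001,authorise,akhan
1001,pay,bwong
1001,record,cdiaz
1002,authorise,akhan
1002,pay,akhan
1002,record,cdiaz
1004,authorise,bwong
1004,pay,bwong
1004,record,bwong
1005,authorise,akhan
1005,pay,bwong
1005,pay,bwong
1005,record,cdiaz
1006,authorise,cdiaz
1006,pay,bwong
"""

# Assumed duties that together complete one disbursement.
REQUIRED_DUTIES = ("authorise", "pay", "record")


def parse_trail(text):
    """Parse the CSV extract into (voucher number, duty, user) tuples."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        duty = row["duty"].strip().lower()
        if duty not in REQUIRED_DUTIES:
            raise ValueError(f"line {line_no}: unknown duty {duty!r}")
        rows.append((int(row["voucher"]), duty, row["user"].strip().lower()))
    return rows


def sod_violations(trail):
    """Vouchers on which one person carried out more than one duty."""
    duties_by_user = defaultdict(lambda: defaultdict(set))
    for voucher, duty, user in trail:
        duties_by_user[voucher][user].add(duty)
    findings = {}
    for voucher, users in duties_by_user.items():
        conflicted = {u: sorted(d) for u, d in users.items() if len(d) > 1}
        if conflicted:
            findings[voucher] = conflicted
    return findings


def sequence_exceptions(trail, first, last):
    """Reconcile the issued range first..last against the trail.

    Returns (missing numbers, numbers outside the issued range,
    (voucher, duty) pairs that were recorded more than once).
    """
    seen = {voucher for voucher, _, _ in trail}
    missing = [n for n in range(first, last + 1) if n not in seen]
    out_of_range = sorted(v for v in seen if v < first or v > last)
    counts = Counter((voucher, duty) for voucher, duty, _ in trail)
    repeated = sorted(key for key, count in counts.items() if count > 1)
    return missing, out_of_range, repeated


def incomplete_vouchers(trail):
    """Vouchers that lack evidence of one or more required duties."""
    done = defaultdict(set)
    for voucher, duty, _ in trail:
        done[voucher].add(duty)
    return {
        voucher: [d for d in REQUIRED_DUTIES if d not in duties]
        for voucher, duties in sorted(done.items())
        if len(duties) < len(REQUIRED_DUTIES)
    }


if __name__ == "__main__":
    trail = parse_trail(TRAIL_CSV)
    print("separation of duties:", sod_violations(trail))
    print("sequence (missing, out of range, repeated):",
          sequence_exceptions(trail, 1001, 1006))
    print("incomplete:", incomplete_vouchers(trail))
```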
41
That is a reconciliation using deposit slips and disbursement vouchers.
42
The amount of a petty cash float should be decided by an appropriate senior officer in
accordance with the company’s/organisation’s procedures. The levels of such petty cash floats
should of course be reviewed on a regular basis with any review considering:
• the average amount of petty cash used each week/month over, say, the past year,
• the maximum amount required over, say, the past year,
• the minimum amount required over, say, the past year, and
• the difficulties associated with the replenishment of cash.
43
Within larger companies/organisations, such reconciliations are sometimes undertaken as
part of the internal audit of petty cash facilities.
44
Can also be referred to as a property services director/manager or estates management director/
manager.
45
The term ICT (Information and Communications Technology) is used in preference to the
term IT (Information Technology) because of the increased blurring between IT assets/facilities
and ICT assets/facilities.
46
Capital rationing exists where a company/organisation has a limit on the amount of funds
available for investment in fixed assets.
47
Such documents would include:
• instructions to the tendering company/organisation detailing administrative procedures
relating to the tender – for example a tendering timetable, details on alternative methods of
tender return and an explanation of the tender evaluation criteria, and
• invitation to tender, including a detailed specification of the company’s/organisation’s supply
requirement and pricing schedule.
48
For example the date of acquisition or the supplier.
49
Including any approved revaluations/devaluations.
50
For example assets acquired under a finance lease (see SSAP 21 Accounting for leases and
hire purchase contracts).
51
For example with the use of an RFID tag. Such an identifier tag can not only be used to verify
the existence and location of a fixed asset, it also assists in the programming/scheduling of fixed
assets maintenance, and provides a communication framework.
52
Chlorofluorocarbons.
53
Hydrochlorofluorocarbons.
54
With all such fixed asset disposals normally matched to or identified with a recent or
forthcoming acquisition.
55
For most companies/organisations depreciation is charged from the month of purchase to
either the month of disposal or the end of the estimated life of the fixed asset, whichever is the
earlier. An example of which would be:
Land 0 0
Building 480 Straight line
Fixtures and fittings 120 Straight line
ICT hardware 36 Reducing balance
ICT software 24 Reducing balance
Non-ICT equipment 180 Straight line
Motor vehicles 60 Straight line
56
Appropriate only where the operating environment is fast-moving but predictable – in which:
• stock development is predictable but rapid,
• the stock is inexpensive to buy (low ordering costs),
• storage costs are high,
• stocks are perishable, and/or
• stock replenishment is simple, quick and easy.
57
Appropriate only where the operating environment is slow-moving and predictable – in which:
• stock development is restricted/limited,
• the stock is expensive to buy (high ordering costs),
• storage costs are low,
• stocks are not perishable, and/or
• stock replenishment is complex, time-consuming and difficult.
58
Appropriate only where the operating environment is unpredictable/uncertain – in which:
• stock development is uncertain,
• the stock is inexpensive to buy (low ordering costs),

• for high cost/high turnover products all applicable stock ordering and stock holding costs
may be included, whereas
• for low cost/low turnover products only a stock ordering and/or stock holding costs may be
included.
63
A stock-out can be defined as a situation where insufficient stock exists to satisfy the demand
for a product/item of stock.
64
The introduction of just-in-time as a recognised work-related technique/philosophy is
generally associated with the Toyota motor company, with Taiichi Ohno of the Toyota motor
company most commonly credited as being the father/originator of the just-in-time philosophy.
65
Although in a conventional sense it is not an accounting ledger but merely a listing of items
of stock.
66
Including any approved revaluations/devaluations.
67
For example with the use of an RFID tag. Such an identifier tag can not only be used to
verify the existence and location of a fixed asset, it also assists in the programming/scheduling
of a fixed asset’s maintenance and provides a communication framework.
68
Obviously where scanners have a limited memory capability such downloading may need to
occur a number of times during a stocktake.
69
As required by the prudence concept (see FRS 18 Accounting policies).
70
For retail companies/organisations, the cost of a product available for sale would be the
purchase price plus the cost of delivery to the retail store.
For manufacturing/production companies/organisations, the cost of any manufactured
product available for sale would be the direct costs of labour, materials and expenses, including
any production overheads absorbed into the product.
71
As required by the accruals concept (see FRS 18 Accounting policies).
72
Such fraudulent manipulation is often incorrectly referred to as creative accounting.
Remember all accounting is creative: it’s not a science but an art!
73
As required by the concept of prudence (see FRS 18 Accounting policies).
74
And his invention of a covert listening device for use by the Russian government during the
late 1940s/early 1950s.
75
An RFID tag is a small object that can be attached to or indeed be incorporated into an object
(e.g. a product), or a subject (e.g. a person or an animal). Such tags generally contain digital
chips and antennas to enable them to receive and respond to radio frequency queries from an
RFID transceiver.
76
Any updating or amendment should of course be approved by appropriate senior managers,
for example the board of directors and/or the senior management team.
77
Increasingly companies/organisations publish such information on their websites as part of
their product/service portfolios.
78
It is of course important – especially where high inflation/high interest rates exist – that the
credit rating of all customers is reviewed on a regular basis.
79
That is between different time periods – for example the current year compared with the
previous year.
80
That is between different companies/organisations.
81
Remember the requirements of the Data Protection Act 1998 do not apply to debtors which
are incorporated organisations such as, for example, limited companies.
82
Alternatively gearing can be calculated as [Market value of debt/(Market value of debt +
Market value of equity)] × 100.
83
And the costs associated with managing such financial distress – that is the costs associated
with activities/operations designed to limit the possibility of company/organisation failure, for
example restructuring costs and/or re-financing costs.
84
That is weighted average cost using market values.
85
These propositions being:
• proposition 1 – debt irrelevancy proposition,
• proposition 2 – expected return proposition, and
• proposition 3 – optimal investment proposition.
86
That is between different time periods, for example the current year compared with the
previous year.
87
That is between different companies/organisations.
88
Remember the requirements of the Data Protection Act 1998 do not apply to creditors that
are incorporated organisations such as, for example, limited companies.
89
For example the debtor’s control account and the creditor’s control account.
90
For example the bank account.
91
For example the stock account.
92
Available @ http://www2.marksandspencer.com/thecompany/investorrelations/downloads/2006/complete_annual_review.pdf.
93
Available @ http://www.tescocorporate.com/images/tesco_review_SFS_2006.pdf.
94
Available @ http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/secret_area/secret_investors/STAGING/local_assets/downloads_pdfs/bp_ara_2005_annual_report_and_accounts.pdf.
Introduction1
As we saw in Chapter 4, the term e-commerce has, in a contemporary context at least,
become synonymous with web-based commercial activities,2 in particular web-based
activities associated with the sale and/or purchase of goods and/or services, using what
increasingly appears to be an ever-expanding range of information and communication
related technologies.
Although the early 1990s saw the dawn of a corporate realisation of the potential of
the internet and the world wide web (the web), it was not until perhaps the late 1990s that
a number of companies/organisations began to develop simple, effective, albeit rudimentary
e-commerce related websites. Indeed, whilst a large number of pure e-commerce
companies disappeared during the dotcom collapse in 2000 and 2001, it was the late
1990s/early 21st century that saw many traditional retailers – many of the so-called bricks
and mortar retailers – beginning to recognise the commercial potential and added value
benefits of e-commerce.
Yet surprisingly, whilst there can be little doubt that the emergence and continuing
development of e-commerce-related technologies from the mid-20th century to date,
and the widespread integration of e-commerce facilities into 21st century corporate
consciousness, have revolutionised (and indeed continue to revolutionise) the nature of
corporate business activities, especially those related to income generation, profit creation
and, of course, wealth management, and have provided the platform for the worldwide
expansion of e-commerce,3 the origins of e-commerce lie in the history of other much
older e-commerce related technologies. This is a history of pre-ARPAnet and pre-internet
technologies – of the information and communication technologies associated with
Electronic Data Interchange (EDI) and Electronic Funds Transfer (EFT) used for the transfer
of commercial documents and the secure transfer of funds, which predate the advent of
the internet (as we know it today) by perhaps 15 to 20 years.
Today of course the ongoing development of related e-commerce technologies, and
the continuing relocation by companies and organisations of much of their commercial
operations and business-related activities to online facilities, continues to redefine the very
nature of market competition by creating an ‘omnipotent e-marketspace’ in which companies
and organisations compete for market share in an evermore volatile and unpredictable
self-service economy. Indeed, with many UK, European and US-based companies and organisations
now employing an extensive range of information and communication technologies
to provide a wide assortment of so-called information society services4 (including integrated
e-commerce facilities), and facilitate what often appears to be an increasingly unconstrained
flow of goods, services and information, corporate businesses are now overwhelmingly
reliant upon created web-based environments that are no longer constrained by the physicalities
of geography and the economic politics of international trade.
Chapter 12 From e-commerce to m-commerce and beyond: ICT and the virtual world
Learning outcomes
We are constantly reminded that the world of business and commerce has changed, is changing
or indeed will change! Whatever timeline you may choose to believe, there can be little doubt
that the world of business and commerce of the late 20th century is but a dim and distant memory.
This is owing to:
• the rapid development of evermore powerful information and communication technologies,
• the growing interconnectivity afforded by such technologies, and
• the increasing importance of the internet and web in almost all business-related commercial
activities.
This has all – some would say with increasing ease – promoted the development of an increasingly
customer-centric, self-service, e-commerce economy. A self-service, e-commerce economy
in which the conservative traditionalisms of contemporary capitalism and the historical
conventionalities of wealth accumulation that dominated the world of business and commerce for
more than 150 years continue to be swept away and are replaced by a postmodern, demand
orientated, customer-led, virtual world of business and commerce.
Consider the following.5 During 2004:
• the total value of non-financial business web-based sales in the UK increased by 81%
compared to 2003, totalling £71.1bn,
• the total proportion of companies/organisations selling online increased by 24% to 6.7%,
compared with 2003, and
• nearly 34% of companies/organisations possessed and used a website (up by 10% on 2003)
and for companies/organisations with over 1000 employees this percentage was 98%.
Although in total terms web-based sales by non-financial businesses for 2004 represented only
3.4% of the total sales of non-financial businesses, for 2003 this was a little under 2%, and in
2002 this was a little over 1%. This essentially means that from 2002 to 2004, total web-based
sales by non-financial businesses have increased by a little over 200%. See Article 12.1.
Article 12.1
It is perhaps worth noting that sales by non-financial businesses over non-web-based information
and communication technologies (for example using EDI, automated telephone systems or
e-mail), only fell by a little over 1% in 2004 to £198.1bn (from £200.6bn in 2003). However,
as a percentage of total sales, sales over non-web-based information and communication
technologies fell to 74% in 2004, a reduction of nearly 12% on 2003. Between 2002 and 2003
the percentage reduction was nearly 6%, perhaps a clear indication that customers and users
are migrating in increasing numbers to web-based technologies from the more conventional
non-web-based information and communication technologies.
Whilst there are clearly some critics who consider the ever-increasing migration to web-based
information and communication technologies, and as a consequence the development
of a more self-service e-commerce economy, a less than welcome change – perhaps with good
reason (see Article 12.2) – such a repositioning of retailing activities is, given the current levels
of migration, unlikely to slow down. Indeed, it is as some suggest (see Article 12.3) likely to
increase. Why? Put simply – profit!
Article 12.2
trapped in a series of endless touch-tone menus? – it can infuriate and alienate customers. In their desire
to cut costs, many companies deliberately make it difficult to get through to a human operator; yet their
phone or web-based self-service systems do not always allow for every eventuality.

In areas where self-service is only just starting to take hold, this is less of a problem: fuming customers
can, after all, always take their business elsewhere. But if every bank were to adopt impenetrable
self-service systems, disgruntled customers would no longer be able to express their discontent by voting
with their feet. Such a scenario ought to provide an opportunity for some firms to differentiate
themselves: some banks, for example, already promise that their telephone-banking services always offer the
option of talking to a human operator. But in return for guaranteed access to humans, many firms will
simply charge more.

As a result, people who prefer not to use self-service systems (such as the elderly) will be forced
to pay higher prices. This is already happening: many travel firms offer discounts to customers who
book online. Buy your tickets the old-fashioned way and you must pay more. Firms are, in effect,
introducing penalty charges to persuade customers to use self-service systems. Some customers might
resent this.

Another objection to self-service is that while it saves companies money, it does not always save their
customers time. In the best cases, it does, of course: checking yourself in at the airport or tracking your
own packages on a shipping firm’s website can be quicker than queueing or making a phone call. But as
more and more tasks are unloaded on to customers, they may start to yearn for the (largely mythical) days
of old-fashioned service. Again, this ought to provide an opportunity for specialists (such as travel agents)
who can offer a convenient, one-stop-shop service.

All of this suggests that there are limits to how far self-service can be taken. Companies that go too
far down the self-service route or do it ineptly are likely to find themselves being punished. Instead, a
balance between self-service and conventional forms of service is required. Companies ought to offer
customers a choice, and should encourage the use of self-service, for those customers that want it, through
service quality, not coercion. Self-service works best when customers decide to use a well designed
system of their own volition; it infuriates most when they are forced to use a bad system. Above all,
self-service is no substitute for good service.

Source: 16 September 2004, The Economist, www.economist.com/opinion/displayStory.cfm?story_id=3196309.
Article 12.3
Organisation/structure-based factors
Organisation/structure-based factors are those factors that have a direct influence on the business
infrastructure of the company/organisation. Clearly, it is important for a company/organisation
to ensure that there is an adequate level of activity and coordination of activities, and an
appropriate level of resource(s) management within the company to ensure that the demands
of the customer are met in full.
Such factors would include, for example:
• the existence and adequacy of the company’s/organisation’s long-term strategy,
• the appropriateness of the company’s/organisation’s business model and value chain,
• the knowledge/resource capabilities within the company/organisation,
• the use of technologies within the company/organisation, and
• the adaptability/flexibility of the company/organisation.
Function/process-based factors
Function/process-based factors are those factors that influence the functionality of a company’s/
organisation’s website.
Clearly, it is also important for a company/organisation to ensure that the e-commerce provision
provides an enjoyable and rewarding experience for the customer. It is for example
important for the customer to own the purchasing experience and be able to direct it. In doing so,
it is important that the customer receives not only a responsive, personalised and user friendly
service but, more importantly, a secure, reliable and value-for-money experience – an experience
which the customer may want to repeat in the future. This can be achieved, for example:
• by offering incentives to customers (by providing discount schemes and/or loyalty programmes),
• by creating a sense of community (by developing affinity programmes), and/or
• by providing access to information (by developing/creating social networks).
So, what makes a good website and what a bad one? That’s difficult to say but broadly speaking
a good website would be one in which:
• presentation is clear and consistent,
• navigation is simple,
• navigation tools are easy to use,
• features/page layouts are clearly designed,
• video and audio are used in a relevant and appropriate manner,
• information is grouped/arranged consistently and logically, and
• language options are available where necessary/appropriate,
and a bad website is one in which:
• colours are used in an inconsistent and unhelpful manner,
• audio/video imagery/presentation is poor,
• technology is used in a limited/ineffective manner,
• navigation is difficult and/or navigation tools do not function adequately,
So what are the key rules to good website design? Put simply – manageability and functionality.
It is also important to ensure that what is promised on the website is delivered. For example,
if the website indicates/promises that daily updates will be available then it is important to ensure
that such updates are available. It is also vital that the website is useable by customers/users.
Sophisticated state of the art graphics may look good at the development stage, but if a large
proportion of customers/users cannot access them properly they are – to all intents and purposes
– useless.
Categories of e-commerce
• C2B e-commerce,
• C2C e-commerce, and
• customer to business to consumer (C2B2C) e-commerce.
This depends of course on the e-commerce application type and varies from:
• a static price platform in which the prices of goods, services and facilities are non-negotiable
and determined by the retailer, to
• a dynamic price platform in which the prices of goods, services and facilities are negotiable
using either:
  ◦ a bid (or auction-based) facility, or
  ◦ a discount (or activity-based) facility.
A bid (or auction-based) facility is a facility in which a customer/user can play a dual role as
either a seller – offering to sell goods and/or services – or a purchaser – bidding to buy goods
and/or services, and the prices of goods, services and facilities are dependent upon the levels of
interest shown (or bids made) by potential purchasers.
A discount (or activity-based) facility is a facility in which the prices of goods, services and
facilities are dependent upon the actions of the customer/user – for example price discounting for
large volume purchases or free delivery for large value purchases.
Such companies are also referred to as ‘clicks and mortar’ companies, ‘clicks and bricks’
companies or mixed e-tailers.
B2C e-commerce
Business-to-Consumer (B2C) e-commerce (often called online trading or e-tailing) is the
selling of goods, services and/or information by a company/organisation to a single individual
customer. The most common example of such a B2C application is the retail website featuring/
advertising/offering for sale a company’s/organisation’s goods and services which can be
purchased by the consumer, commonly using:
• an imaginary ‘shopping cart’ facility,
• a virtual ‘check-out’ facility, and
• a payment processing facility.
B2B e-commerce
Business-to-Business (B2B) e-commerce is the selling of goods, services and/or information by
one company/organisation to another and is now common in a wide range of industries from
traditional, so-called, bricks and mortar economy companies (e.g. manufacturing, wholesale
distribution and retailing), to the increasingly important information society services-based
companies. The majority of B2B e-commerce occurs between dotbam companies.
We will discuss B2B e-commerce in more detail later in this chapter.
B2B2C e-commerce
Business-to-Business-to-Consumer (B2B2C) e-commerce is the selling of goods, services or
information by a company/organisation to a single individual customer, using a company/
organisation as an intermediary or a middleman. There are many examples of such e-tailing
websites, from:
• online travel/accommodation agencies (e.g. www.travelocity.co.uk, www.travel4less.com,
www.travelselect.com, all travel-related facilities provided by Last Minute Network Ltd),
• online banking (e.g. www.smile.co.uk, an online banking facility provided by The
Co-operative Bank plc), and
• online insurance (e.g. www.morethan.com, an insurance service provided by Royal and Sun
Alliance Insurance plc).
C2B e-commerce
Consumer-to-Business (C2B) e-commerce is the purchasing of goods and/or services by an
individual customer (or a collective of individual customers acting as a buying cartel) from a
company/organisation (e.g. www.LetsBuyIt.com).
C2C e-commerce
Consumer-to-Consumer (C2C) e-commerce is the selling of goods/services and the
communication/transfer of information by a single individual/customer to another. Such e-commerce
is normally associated with the retail of ‘second-hand’ or ‘nearly new’ products/commodities
(e.g. www.ebay.co.uk).
C2B2C e-commerce
Consumer-to-Business-to-Consumer (C2B2C) e-commerce is the selling of goods/services and/or
the communication or transfer of information by a single individual customer to another, using a
company/organisation as an intermediary. As with the above, such e-commerce is also associated
with the retail of ‘second-hand’ or ‘nearly new’ products/commodities (e.g. www.autotrader.co.uk).
There are of course many other e-business-related e-commerce activities, for which a
company/organisation could use its website, the most common of these being:
• product/service advertising activities,
• prospect generation activities, and
• customer support activities.
Chapter 12 From e-commerce to m-commerce and beyond: ICT and the virtual world
In the first instance, most customers would find a website by surfing – that is scanning
available websites using a search engine (e.g. www.google.co.uk) until the site is located. Because of
the obvious limitations of such an approach, some companies/organisations use other
company/organisation websites for advertising purposes. For example, it is increasingly common
for a company to advertise its products/services on the website of another company within the
same group (e.g. see www.virgin.com/uk) or indeed on the website of an unrelated company on
a reciprocal quid pro quo[12] basis. Indeed, where retail outlets occupy a single or geographical
area it has become increasingly common for such companies/organisations to advertise on
so-called geographical shop front sites. See for example:
• Trafford Centre, Manchester @ www.traffordcentreshopping.co.uk,
• Princes Quay, Hull @ www.princes-quay.co.uk, and
• McArthur Glen, @ www.mcarthurglen.com.
The disadvantage of using a website for customer support activities is the potential generic nature
of support service activity made available to customers, for example ‘one service for all enquiries’.
Barriers to e-commerce
Whilst it would be very easy to believe the media rhetoric that now appears to surround almost
every aspect of e-commerce – all is not well! Indeed whilst e-commerce-related activities have
grown substantially over the past few years (as we have seen) in general, consumers continue to
be unwilling to accept the online, self-service, e-commerce business model in numbers greater
than many companies/organisations (and indeed many regulatory authorities) would have liked.
There are perhaps several key reasons that may explain this slow uptake, the main ones being:
• concerns over control,
• concerns over issues of access, and
• concerns over issues of privacy, safety and security.
Control concerns
As we saw in Chapter 4, ICANN (Internet Corporation for Assigned Names and Numbers)
continues to retain firm control over the assignment of unique identifiers on the internet,
including domain names, internet protocol addresses and protocol port numbers. It is also true
to say that there has been, and indeed continues to be, very little (if any) control over what
is available on the internet and the web – an issue which continues to be one of great concern
for many people. Recent years have seen a growing number of attempts (some quite successful)
to control/manage access to and use of the internet, mainly by regional governments (in
collaboration with companies such as Google (www.google.com)), for example:
• the French government continues to restrict access to websites that stir up racial hatred,
• the German government continues to restrict access to websites that deny the Holocaust, and
• the US government continues to restrict access to websites that infringe commercial
copyright agreements.
So, the issue of control still continues to worry many users of the virtual highway.
More recently, a number of governments have created task forces to actively pursue control
and monitoring policies to enable authorities not only to police and restrict access to but also
identify and locate users of websites containing inappropriate literature and/or images.[13] See for
example:
• the Virtual Global Taskforce[14] @ www.virtualglobaltaskforce.com, and
• the Internet Content Rating Association @ www.icra.org.
Whilst many politicians, social commentators and media groups have welcomed such moves,
some critics, whilst accepting the need for a ‘policing of the virtual highway’, have suggested that
the imposition of excessive restrictions could, in an extreme case/scenario, lead to excessive
political censorship. Many commentators now cite Google’s consent (albeit somewhat
reluctantly) to requests by the Chinese government to restrict severely internet access to a range of
websites (see Article 12.4).
Article 12.4
Access concerns
As we saw in Chapter 4, it is of course a fallacy to presume that the internet is a global
phenomenon. There still remain many parts of the world where access to the internet
continues to be severely restricted, not only for social and technological reasons, but increasingly
for political and economic reasons. Indeed, far from creating equality, the internet has, as
Table 12.1 illustrates, assisted in the creation of an even more divided world – a world in which
the structural and technological deficit between those that have access and those that do not (or
have severely restricted access) continues to become greater every day. Perhaps not so much
global integration but rather imposed fragmentation!
Of a world population of approximately 6.5 billion, only 15.7% (a little over 1 billion people)
use the internet, with the greatest concentration of internet users being found in:
• Asia (35.7% – approximately 364 million users),
• Europe (28.5% – approximately 290 million users), and
• North America (22.2% – 226 million users),
which together account for a total of 86.4% (approximately 880 million users) of the world
population using the internet.
Perhaps more noticeably (and somewhat unsurprisingly) the lowest concentration of internet
users is found in:
• Africa (2.2% – approximately 23 million users),
• Middle East (1.8% – approximately 18 million users), and
• Oceania/Australia (1.8% – 18 million users).
More importantly, of the top 10 languages used by internet users (see Table 12.2):
• 30.6% use English as the primary language,
• 13.0% use Chinese as a primary language, and
• 8.5% use Japanese as a primary language,
despite the fact that in world population terms only 17.3% use English as a primary language.
The most popular language (in world population terms) is Chinese with 20.6%. Japanese (perhaps
unsurprisingly) is used as a primary language by only approximately 2% of the world population.
So, why the dominance of the English language on the internet? There are perhaps three reasons:
• the history/origin of the internet,[15]
• the management and control of access to the internet (see above), and
• the composition of the current dominant users of the internet.
In terms of the last issue, it is perhaps worth noting that of the top 20 countries in terms of internet
users, a number (e.g. the USA, the UK and Australia) use English as a primary language, with
others (e.g. India and Indonesia) recognising English as a secondary language (see Table 12.3).
Article 12.5
UK leads the world in online spending . . . but security fears hold many back
UK consumers spend more online than their counterparts in Europe or the US, according to a
newly published survey of e-commerce in the US, UK, Germany and France.
The study, commissioned by RSA Security (see www.rsasecurity.com) found that Britons spent an
average of A231 during September 2005, compared to the poll’s average of A153. US consumers
spent an average of A129 per capita.
But fears of online crime are still holding back spending. Some 16 per cent of respondents in the
US, and 13 per cent in the UK, said that they are spending less than they used to, compared to six
per cent in Germany and nine per cent in France.
‘With this year’s ongoing wave of publicity around US-based data breaches and online fraud, it
should not be a surprise to anyone that the understanding of these threats is highest in North
America,’ said Art Coviello, president of RSA Security.
‘What concerns me is that, while the industry is working hard to promote best practice and defence
measures to our citizens, a high volume remain blissfully unaware of what identity theft is, leaving
them exposed to potential exploitation.’
The survey did find very low levels of awareness about online fraud; fewer than half of those
questioned were aware of what phishing means.
But it is a lack of confidence in electronic retailers that is holding many consumers back, the poll
reported.
Nearly half of all the Americans questioned indicated that they had ‘little confidence’ or ‘no
confidence’ that their personal information was being protected, and this also concerned two thirds
of the French respondents.
Nevertheless the future for e-commerce looks good. Most people are buying more online than they
did last year, and two thirds of respondents are buying ‘a few more’ or ‘a lot more’ items than last
year.
Source: 18 October 2005, Iain Thomson, www.vnunet.com./vnunet/news/2144097/uk-leads-online-spending.
Article 12.6
Article 12.7
With examples such as the Mastercard and Visa security breach (February 2003) in which
5 million credit card details were hacked (see Article 12.7), it is perhaps unsurprising that
customers/users continue to feel apprehensive about providing personal financial information
via a webpage, irrespective of how secure it may appear to be.
Clearly, the above issues of privacy and security and of customer/user unease represent an
enormous problem to companies/organisations engaged in e-commerce-related activities. So,
what has been done to combat such problems?
There are a number of alternative schemes/technologies that have been, and indeed continue
to be, used as a means of improving/enhancing the protection of all users. Such
schemes/technologies include:
• the establishment of a system/network firewall,
• the use of intrusion detection systems (or intrusion detection software),
• the use of data/information encryption facilities,
• the use of digital certificates, and
• the use of authentication and authorisation software.
We will look at each of these technologies (and a few others) in detail in Chapter 13.
B2C e-commerce
If you recall, we looked at point of service-based EFT for both card-based systems and non-
card-based systems in Chapter 4 and in more detail again in Chapter 8. Briefly, within point of
service-based EFT there are two sub-categories, these being:
In general, the vast majority of private limited companies and perhaps all public limited
companies use an internet merchant account facility. The payment processing company facility
and/or the shopping mall facility are typically used by sole traders, small partnerships and/or
very small private limited companies.
To use an internet merchant account facility, a company/organisation must have:
An acquiring bank is a high street bank that offers debit and credit card processing services. The
acquiring bank acquires the money from the customer, processes the transaction and credits
the company/organisation account. If a company/organisation wants to take debit and credit
card payments, it will need a merchant service account (and ID) with an acquiring bank (as we
saw in Chapter 8). In addition, where a company/organisation wants to undertake web-based
online e-commerce, then it will also need an internet merchant account (and ID).
In the UK there are a number of banks that provide both merchant account facilities and
internet merchant account facilities – these banks are often referred to as merchant acquirers or
acquiring banks, and include, for example:
company/organisation) and all the financial networks involved with the transaction. These
will include of course the customer’s debit/credit card issuer and the company’s/organisation’s
merchant account.
If a company/organisation wants to undertake transactions involving the use of online debit
and credit card payments, it will need a payment service provider. Examples of current payment
service providers include:
• SECpay @ www.secpay.com,
• Ogone @ www.ogone.com,
• Universal Gateway Payment @ www.securehosting.com,
• Worldpay @ www.worldpay.com, and
• Protx @ www.protx.com.
Note: Some payment service providers only operate with particular acquiring banks. For
example, SECpay (see above) has operating agreements with Ulster Bank, NatWest Streamline,
Paymentech, LloydsTSB Cardnet, HSBC, Euro Conex, Barclays Merchant Services, Bank of
Scotland, Alliance and Leicester, American Express and Diners; whereas Protx (see above)
has operating agreements with Lloyds TSB Cardnet, the Bank of Scotland, Barclays Merchant
Services, HSBC, NatWest Streamline, American Express and Diners.
As a payment gateway, the payment service provider essentially:
Many UK acquiring banks (including those above) offer PSP services as part of their product
range – that is as part of their internet merchant services account facilities. For example, Worldpay
is part of the Royal Bank of Scotland Group. In addition, where a payment processing company
facility or a shopping mall facility is used, payment service provider-related services would
normally form part of the service provision.
For the following discussion we will use the Marks and Spencer plc online shopping facility @
www.marksandspencer.com.
The portal interface used by a company/organisation would provide the customer/user with
information on and access to a range of company/organisation goods, services and facilities.
See Example 12.1.
The retailing resource would provide the customer/user with facilities to undertake a range
of commercial transactions – in particular the purchase of products and/or services. Such a
retail resource would normally comprise:
• an electronic order-taking facility – using for example an imaginary ‘shopping cart/basket’
facility,
• a virtual ‘check-out’ facility, and
• a payment processing facility.
component of the online shopping process. But exactly what is a shopping cart/basket and what
purpose does it actually serve?
In essence, the shopping cart/basket is simply a collection facility. It is an interface between
the customer and the company’s/organisation’s product/services database. That is, every time the
customer selects a product/service to purchase, the item is added to the shopping cart/basket.
In an information technology context a shopping cart/basket is simply a software program.
However, in an operational e-commerce context a shopping cart/basket merely records the
ongoing results of the customer’s ordering process and is designed to allow the customer to view
the details of all ongoing transactions or purchases – on request and at any time up to check
out. See Example 12.2.
When the customer has completed all their transactions, they are invited to proceed to the
virtual check-out facility to complete the purchasing process. See Example 12.3.
Once these credit/debit card payment details have been verified, approved and authorised,
a confirmation e-mail (containing an order number) is e-mailed to the customer’s e-mail
address. The transaction (at least the online component of the transaction) is now complete.
All that is required is delivery of the product purchased by the customer.
Although a small number of products and services may be distributed digitally, most products
(including those in the above example) will need to be physically delivered. Once a
commitment to purchase has been made, some online retailers allow customers to select alternative
delivery modes.
Some retailers offer free delivery of products when the total value of a purchase exceeds
a predetermined limit or where delivery is to within a particular geographical area, but impose
an additional charge where special distribution and delivery mechanisms are requested (e.g. next
day delivery). Other retailers may impose a small nominal charge for all types of delivery
irrespective of the purchase order value (e.g. Example 12.3 above). In reality, however,
whatever the marketing or advertising rhetoric, nothing is for free. The cost of any ‘free’ delivery
is merely absorbed within the cost overheads of the product. The distinction between ‘free’
or ‘unpaid for’ delivery and ‘paid for’ delivery is merely a creative marketing tool designed to
attract the interest of prospective customers/clients. In a marketing/advertising context, think
of the word ‘free’ when used in relation to product delivery as a linguistic metaphor – one used
to signify a concealed and hidden cost.
Table 12.4 The cost of an internet merchant account – HSBC Merchant Services
Source: http://www.hsbc.co.uk/1/2/business/cards-payments/card-processing.
In addition, the costs of any fraudulent transactions are borne by the company/organisation
and not the payment processing company. That is, if a fraudulent transaction occurs, its value is
recovered in full by the payment processing company from the company/organisation account.
it may consider using the facilities of a payment processing company (sometimes referred to as
a payment bureau). Such payment processing companies obtain payment from the customers’
credit and/or debit card issuer on behalf of the company/organisation. The advantages of using
a payment processing company are:
• the reduced technology costs – that is, there is no need to invest in a costly secure payment
system,
• the reduced administrative costs – that is, the payment procedures are managed by the
payment processing company, and
• reduced application procedures – that is, information requirements are less severe than those
for an application for an internet merchant account.
The disadvantages of using a payment processing company are:
• it may hold payment receipts from customers for a minimum settlement period (the period
depends on the payment processing company) before they are transferred to the
company/organisation account, and
• customers are aware that their payments are being directed through a payment processing
company.
In addition (as with an internet merchant account) the costs of any fraudulent transactions are
borne by the company/organisation and not the payment processing company.
In general, payment processing companies offer a useful and relatively cheap alternative
for companies/organisations that have limited debit/credit card transactions or who, for
whatever reason, do not open a merchant account with an acquiring bank. An example of such a
payment processing company is Paypal @ www.paypal.com. For further examples, see
www.electronic-payments.co.uk, a UK government agency sponsored information website
B2B e-commerce
Whilst variants of Business-2-Business (B2B) e-commerce have existed for many years – for
example EDI (electronic data interchange) and more recently EFT (electronic funds transfer)
– such activities were, in a business context, considered peripheral to the main supply chain
activities of a company/organisation, and therefore often existed as fragmented and disjointed
standalone processes/procedures, divorced from key retail and distribution activities. Although
such fragmented processes/procedures did play, and indeed in some instances continue to
play, a key role in retail-related business activities, it was perhaps the emergence of web-based
information and communication technologies and capabilities that enabled the development of
the infrastructure that we now know as B2B e-commerce.
In a contemporary context, B2B e-commerce has become synonymous with supply chain
integration, and the use of extranet-based[16] facilities to provide access to a range of supply
chain-based facilities. The aim is to improve the efficiency and effectiveness of business-related
retail and distribution activities, by integrating a customer’s network directly to a supplier’s
network.
Clearly the precise nature of the B2B e-commerce provision will differ from supplier to
supplier but, in broad terms, a B2B e-commerce provision would normally include secure
access to:
Using e-money
Although the term ‘e-money’ is often used interchangeably and somewhat incorrectly with
terms such as electronic cash (e-cash) or digital cash, the term e-money has a specific
meaning/definition. E-money, or an e-money scheme, is a scheme regulated by the FSA (Financial Services
Authority) that involves the creation of digital value-based tokens (in a single currency or
multiple currencies) that are stored on either:
• an electronic device (e.g. a PC and/or computer network), or
• a smart card[18] (also known as an e-purse),
that can be transferred from one person/company to another person/company, for example a
consumer/buyer to a retailer/seller.
Consequently, e-money can be defined as monetary value which is stored on an electronic
device, issued on receipt of funds and accepted as a means of payment by persons other than
the issuer,[19] and can – as an electronic means of payment – be used to pay for either goods or
services purchased:
• in the high street (e.g. see Article 12.8 below),
• by mail order, or
• via the web.
Identified e-money is e-money in which the identities of the parties to the transaction – in
particular the payer (or consumer/purchaser of the goods/services) – are revealed in the payment
operation. Anonymous e-money is e-money in which the identity of the payer (or
consumer/purchaser of the goods/services) is not revealed in the payment transaction. It is the latter
type of e-money which essentially operates like a cash exchange and can more accurately be
described as e-cash or digital cash.
In addition, each of the above types of e-money exists in two varieties:
• online e-money – that is an e-money transaction in which a transaction can only be
completed between a payer/customer once interaction with the originator of the e-money (or an
appointed authorised institution) has occurred and the validity of the transaction verified
(e.g. sufficient funds are available), and
• offline e-money – that is an e-money transaction that can be completed between a
payer/customer without interaction with the originator of the e-money (or an appointed authorised
institution).
So who can issue e-money? Banks and building societies that are already authorised by the
FSA to provide high street banking services can issue e-money as a component part of their
Article 12.8
portfolio of banking-related activities. However, specialist e-money issuers[20] have to apply for
FSA authorisation to issue e-money and provide e-money-related services.
At the heart of the regulatory framework lie two EU directives:
• Directive 2000/46/EC (the E-money Directive), relating to the taking up, pursuit of and
prudential supervision of the business of electronic money institutions (September 2000),
and
• Directive 2000/28/EC amending Directive 2000/12/EC (the Banking Co-ordination Directive)
relating to the taking up and pursuit of the business of credit institutions.
The Directives’ objectives are:
• to protect consumers and ensure confidence in e-money schemes through the
implementation of rules for safeguarding the financial integrity and stability of e-money institutions, and
• to facilitate/provide for licensed e-money institutions to offer/provide cross-border
services/facilities.
The above E-money Directive was introduced into the UK regulatory systems through a number
of regulatory provisions/amendments, namely:
• the Financial Services and Markets Act 2000 (Regulated Activities) (Amendment) Order 2002,
• the Electronic Money (Miscellaneous Amendments) Regulations 2002, and
• the Financial Services Authority’s (‘FSA’) Handbook of Rules and Guidance.
Consequently:
• the issuing of e-money is classified as a regulated activity under the Financial Services and
Markets Act 2000 (as amended),[21] and
• the issuers of e-money (including specialist issuers who are not an existing bank and/or
building society) are regarded as credit institutions, and are regulated in a similar way to
banks and building societies – although with less stringent requirements.
So who might want to use e-money? There are of course many potential uses for and users of
e-money, for example:
• those who feel more secure using e-money to purchase goods on the web rather than using
debit and/or credit cards,
• those who feel more secure carrying e-money on a plastic smart card rather than a
wallet/purse full of notes and coins,
• those who may need to carry multiple currencies and, perhaps most importantly,
• those who for whatever reason do not have access to a bank account or debit/credit card.
M-commerce
as business and commerce tread warily into the 21st century, m-commerce was still in its
infancy at the start of 2007. Perhaps it is a technology whose time has yet to arrive?
M-commerce applications
The term ‘m-commerce’ was first used in the late 1990s during the so-called dotcom boom – the
idea being to use broadband mobile telephony to provide on-demand services and applications.[24]
Unfortunately the idea(s) disappeared gently into the twilight zone – along with many of
the dotcom companies. Why? Put simply, the technologies available during the 1990s were
insufficiently evolved to be able to deliver many of the applications and services promised. It
was not therefore a lack of demand from customers/users – it was an inability to supply on
the part of the companies.
In general, m-commerce applications can be categorised as either:
• active m-commerce applications – that is m-commerce in which the customer/user is
proactive in the initiation of a service/application, or
• passive m-commerce applications – that is m-commerce in which the service/application is
self-initiating and the customer/user is merely a reactive recipient.
Digital services/applications
Such services/applications, also known as ‘digital content delivery’, can be categorised as either:
• digital information services – for example receiving weather reports, bus/train timetables,
news reports, sports scores, ticket availability, market prices, or
• digital applications and products – for example games, high resolution video and digital
audio.
Both of these require the recipient to subscribe to and pay for the service, application and/or
product received.
Telemetry applications
Such applications would include, for example, using a mobile wireless device to
manage/control and/or communicate with remote devices and/or a facility.
Whilst the network operator would process/manage all the transaction formalities including
customer authentication, payment processing and response processing, the business retailing
the application/service/product (the point of sale client) would process/manage the payment
authorisation and refund management formalities.
In addition, there are only a limited number of payment methods available to pay for services
used/applications purchased, the main ones being:
Benefits of e-commerce
Customer/user-related benefits
For a customer using the e-commerce facility, the main benefits include:
• greater competitive pricing of products and services,
• increased access to a ‘world of stores’,
• increased choice,
• greater availability of a larger and broader selection of products and services,
• increased flexibility,
• greater convenience, increased availability of more in-depth and up-to-date information on
products and services,
• increased speed, and
• increased ease of use.
Problems of e-commerce
Although the benefits of e-commerce are significant, such benefits have not come without
consequence – that is without longer-term problems/costs. These can be categorised as follows:
• social costs of e-commerce,
• political consequence of e-commerce, and
• economic costs of e-commerce.
as customers migrate from local retail facilities to online self service shopping.
In addition, such costs could also include the social costs associated with the
socio-economic/socio-demographic division between those that have access to, and are able to
use web-based services, and those that do not have access to and are therefore unable to use
web-based services.
The political consequences of e-commerce would include, for example, the need to:
• monitor and ensure the legality of e-commerce operations,
• regulate the quality and safety of products supplied using e-commerce facilities (e.g. medical
supplies), and
• control the purchase of restricted/banned products using e-commerce facilities (e.g.
pornography, restricted drugs/narcotics).
The economic costs of e-commerce would include, for example, the costs associated with:
• an increasingly competitive marketplace,
• an increasingly uncertain business environment,
• a continuing reduction in business margins, and
• a continuing change in customer expectations.
Inasmuch as web-based e-commerce has provided and increased access to global markets it
has also increased competition, in particular global competition, resulting in ever-growing
pressures to maintain a low cost base whilst at the same time remaining flexible, adaptable and
open to change.
has not evaded the eagle eyes of European/UK legislators and regulators. Indeed, the past few
years (certainly since 1998) have seen an enormous increase in regulatory pronouncements and
the imposition of rigorous (some would say authoritarian) requirements – more specifically
legislation-based.
So what are the main legislative pronouncements/regulatory requirements? For our purposes
we will restrict our discussion to the following:[25]
• the Data Protection Act 1998,[26]
• the Consumer Protection (Distance Selling) Regulations 2000,[27]
• the Electronic Communications Act 2000,[28]
• the Electronic Signatures Regulations 2002,[29]
• the Electronic Commerce (EC Directive) Regulations 2002[30] and the Electronic Commerce
(EC Directive) (Extension) (No. 2) Regulations 2003,
• the Privacy and Electronic Communications (EC Directive) Regulations 2003,[31]
• the Disability Discrimination Act 1995[32] and the Code of Practice: Rights of Access to Goods,
Facilities, Services and Premises 2002.[33]
Chapter 12 From e-commerce to m-commerce and beyond: ICT and the virtual world
Essentially, the provisions of the 1998 Act require that companies and organisations adopt
appropriate technical and organisational measures to minimise the possibility of:
Such technical and organisational measures would comprise a range of internal control-based
measures within three main areas
• the reliability of employees who have access to client/customer personal data where personal
data is processed in-house, or,
• the compliance of the data processor with the requirements of the 1998 Act where data
processing is outsourced.
In general, to comply with the provisions and requirements of the 1998 Act, companies and
organisations should:
The DSRs 2000 apply to companies/organisations if they sell goods or services without
face-to-face contact using an organised scheme, for instance via:
• the web (e-commerce),
• text messaging,
• phone calls,
• faxing,
• interactive TV,
• mail order catalogues, and/or
• mail order advertising in newspapers or magazines.
The DSRs 2000 neither apply to B2B transactions – that is non-consumer-based transactions –
nor to:
• financial services,
• the sale of land or buildings,
• purchases from a vending machine or automated commercial premises,
• the use of a public pay phone,
• auctions, including internet auctions, and/or
• rental agreements that have to be in writing (e.g. a lease for three years or more).
• the business,
• the goods or services,
• payment arrangements,
• delivery arrangements, and
• the customers’ right to cancel their orders.
Companies/organisations must also provide customers with confirmation of the above details
in writing or where appropriate by some other ‘durable’ medium.41
Prior information
Section 7 of the DSRs 2000 provides that companies/organisations must supply prospective
customers (before they agree to buy) with ‘pre-contract’ or ‘prior’ information. Pre-contract
information is required prior to the conclusion of the commercial contract and must include:
Whilst such information can be provided by any method deemed appropriate by the company/
organisation – in terms of the form of distance communication being used to conclude the
contract – such information must be clear and comprehensible.42
If a company/organisation provides pre-contract information in a form that does not allow
it to be stored and/or reproduced then it must confirm such pre-contract information in writing
Written confirmation
When an order has been made the company/organisation selling the goods and/or services must
send to the consumer confirmation of the prior information in writing or another durable
medium, such as fax or e-mail, unless it has already been provided in writing (e.g. in a catalogue
or advertisement). This should include information on:
• when and how the consumer can exercise the right to cancel,
• a postal address where they can contact the company/organisation, and
• details of any after-sales services and guarantees.
The company/organisation selling the goods and/or services must provide this confirmation
at the latest by the time that they are delivered or, in the case of services, before or in good time
during the performance of the contract.
If a company/organisation is providing a service with no specified end date or for a period
of more than one year (e.g. a mobile phone, satellite or cable television or gas and electricity
supply), it must also send details about when and how the consumer can terminate the contract.
Cancellation periods
The DSRs 2000 require a company/organisation to inform customers before any contract is made,
and then confirm in a durable medium that they can cancel their orders and get full refunds.
Consumers may change their minds and cancel their orders at any time from placing the
order:
• for goods – seven working days from the day after either the customer received the goods or
they received the written information, whichever is later, and
• for services – seven working days from the day after either the customer agreed to go ahead
with the order or they received the written information, whichever is later.
If a company/organisation fails to provide consumers with written confirmation of all the
required information, then the cancellation periods can be extended up to a maximum of three
months and seven working days. If the missing information is provided during this time, then
the cancellation period ends seven working days beginning with the day after the full written
confirmation is received by the consumer.
Where a contract is cancelled, the consumer must ensure that reasonable care is taken of any
goods received and ‘restore’ them to the company/organisation. This does not mean that they
have to return them – unless the company/organisation selling the goods stipulates this in the
contract – only that they make them available for the business to collect.
Section 14(3) of the DSRs 2000 provides that a company/organisation must refund the
consumer’s money as soon as possible and, at the latest, within 30 days of receiving the written
notice of cancellation. Where a consumer returns goods at the expense of the supplying company/
organisation, the latter can – subject to the terms of the supply agreement – recover such costs.
If payment for the goods or services is under a related credit agreement, the consumer’s
cancellation notice also has the effect of cancelling the credit agreement.
The information and cancellation provisions do not apply to contracts for accommodation,
transport, catering and leisure services, including outdoor sporting events, but only where the
supplier agrees to provide these on a specific date or within a specific period.
In addition, the provisions do not apply to package travel, timeshare and contracts for the
supply of food, drinks or other goods for everyday consumption supplied by ‘regular roundsmen’.
Also the right to cancel does not apply to the following, unless agreed otherwise:
• personalised goods or goods made to a consumer’s specification,
• goods that cannot, by their nature, be returned,
• perishable goods,
• unsealed/unopened audio or video recordings or computer software,44
• newspapers, periodicals or magazines,
• betting, gaming or lottery services,
• services that begin, by agreement, before the end of the cancellation period providing the
supplier has informed the consumer before the conclusion of the contract, in writing or another
durable medium, that they will not be able to cancel once performance of the services has
begun with their agreement,
• goods or services the price of which is dependent on fluctuations in the financial market.
Where a customer wants to cancel an order, they must inform the business in writing or another
durable medium, that they want to cancel. This includes by letter, fax or e-mail; a telephone call
is insufficient. As soon as possible after the customer cancels, or within 30 days at the latest, the
company/organisation must refund the customer’s money, even if it has not yet collected the
goods or had them returned to the business.
It is the customer’s responsibility to take reasonable care of the goods.
If a company/organisation requires the customer to return the goods (e.g. at the end of a
contract) it must make that clear in the contract and as part of the ‘durable’ information. If the
customer fails to return the goods, the company/organisation can charge them with the direct
costs of recovery.
If such details are not included in the agreement the company/organisation cannot charge
anything and cannot require a consumer to pay the cost of returning substitute goods.
If the goods are faulty or do not comply with the contract, the company/organisation must
pay for their return.
Contract performance
A company/organisation must deliver goods or provide services within 30 days, beginning with
the day after the consumer sent an order, unless it agrees otherwise with the consumer. If a
company/organisation is unable to meet the deadline, it must inform the consumer before the
deadline expires and, unless a revised date is agreed, the consumer must be refunded within a
further period of 30 days.
The consumer cannot be obliged to agree to a revised date. If they do not want to agree a
revised date, then the contract is cancelled and any money paid must be returned within 30 days.
If the company/organisation wishes to provide substitute goods or services, this must have
been made clear in the prior information received by the consumer before entering the contract.
Inertia selling
Although only indirectly relevant, the DSRs 2000 amended the Unsolicited Goods and Services
Act 1971 and removed:
• any rights of a supplier in respect to the supply of unsolicited goods and services, and
• any obligations on the consumer in respect to the receipt of unsolicited goods and services.
As such, consumers can retain unsolicited goods or dispose of them as they wish. They are
under no obligation to:
• keep them safe, or
• return them to the company/organisation from which they were received.
More importantly, s24(5) of the DSRs 2000 makes it an offence for the supplier of such goods
and/or services to demand payment from consumers for unsolicited goods or services.
The complete text of the Consumer Protection (Distance Selling) Regulations 2000 is
available at www.opsi.gov.uk/si/si2000/20002334.htm.
The main purpose of the Electronic Communications Act 2000 (the 2000 Act) is to:
• regulate cryptographic service providers in the UK (Part 1, s1 to s6), and
• clarify and confirm the legal status of electronic signatures (Part 2, s7 to s10),45
and is part of the legislative framework designed to support e-communications and e-commerce
along with the Electronic Signatures Regulations 2002 and the Electronic Commerce (EC Directive)
Regulations 2002 (see later in this chapter).
Whilst cryptography has been used by banks, financial institutions and government
departments and agencies for many years, there can be little doubt that cryptography and the use of
electronic signatures not only play a core role, but are an essential tool for electronic transactions.
Cryptography46 encrypts documents or messages, and is a means of converting information
from a normal, comprehensible format into an incomprehensible format, rendering it unreadable.
It is a process designed to ensure secrecy and confidentiality in important communications47
that can be, and indeed often is, used as the basis of an electronic signature.
Electronic signature can mean either:
• a signature imputed to a document or a message by electronic means and designed to:
  ◦ identify the person that appends the signature, and
  ◦ indicate their agreement to the content of a document in the same way as a handwritten
signature, or
• a cryptographic addition designed to add non-repudiation and message integrity features to
a document and/or message – often referred to as a digital signature.
Electronic signatures are used to confirm the authenticity and integrity of a document and/or
message, with the owner of an electronic signature usually verified through the possession of a
certificate provided by a cryptography service provider or, as they are commonly known, a trust
service provider (see below).
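To make the second meaning (the digital signature) concrete, the following is an added example, not taken from the book: it signs a constructed order message and shows that altering the message or checking against another signer's public key makes verification fail, whereas a shared-key message authentication code can be produced by either party and so cannot support non-repudiation. It uses a Lamport one-time signature only because that scheme needs nothing beyond a hash function (commercial certificates normally carry RSA or elliptic-curve keys); the message text and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BITS = 256  # one pair of secrets per bit of the SHA-256 message digest


def _h(data):
    return hashlib.sha256(data).digest()


def _digest_bits(message):
    """Return the 256 bits of SHA-256(message), most significant bit first."""
    d = int.from_bytes(_h(message), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def generate_keypair():
    """Private key: 256 pairs of random secrets. Public key: their hashes.
    The public key is what a certificate would bind to a named signer."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(BITS)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def sign(private, message):
    """Reveal, for each digest bit, the secret that matches the bit's value.
    A Lamport key pair must be used to sign one message only."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(public, message, signature):
    """Anyone holding only the public key can check the signature."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        ok &= hmac.compare_digest(_h(signature[i]), public[i][bit])
    return ok


def mac_tag(shared_key, message):
    """Shared-key integrity check: both parties can compute the same tag."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def demo():
    # Constructed sample messages (not real data).
    order = b"Order 1001: 3 units, total GBP 45.00"
    tampered = b"Order 1001: 3 units, total GBP 4.50"

    private, public = generate_keypair()
    _, other_public = generate_keypair()  # a different signer's public key
    signature = sign(private, order)

    # With a shared key, the receiver can create a valid tag for any text,
    # so a valid tag does not prove which party produced the message.
    shared_key = secrets.token_bytes(32)
    forged_tag = mac_tag(shared_key, tampered)  # computed by the receiver

    return {
        "genuine_verifies": verify(public, order, signature),
        "tampered_verifies": verify(public, tampered, signature),
        "wrong_key_verifies": verify(other_public, order, signature),
        "receiver_forged_mac_accepted": hmac.compare_digest(
            forged_tag, mac_tag(shared_key, tampered)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the holder of the private key can produce a signature that verifies, which is what lets a signed message be attributed to its signer; the certificate's role is to tie the public key to a named person.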
companies and organisations, and the public. However, the UK government elected – in
accordance with s3 of the 2000 Act – to delegate the approvals and monitoring function to an
industry-led private sector scheme – the tScheme.49 In addition, the Department of Trade and
Industry has indicated that such a statutory scheme will only be introduced if an industry-led
scheme fails.50
shall each be admissible in evidence in relation to any question as to the authenticity of the
communication or data, or as to the integrity of the communication or data.
That is electronic signatures, supporting certificates and the processes associated with the
creation, issue and use of such signatures and certificates can be admitted as evidence in court
– s7(3).
The UK Electronic Signature Regulations 2002 (the 2002 Regulations) impose a duty on the UK
Secretary of State for Trade and Industry to:
• keep under review the carrying on of activities of certification service providers who are
established in the UK and who issue qualified certificates to the public (s3(1)),
• establish and maintain a register of certification service providers who are established in
the UK and who issue qualified certificates to the public (s3(2)), and
• record in the register the names and addresses of those certification service providers who
are established in the UK and who issue qualified certificates to the public (s3(3)).
For the purposes of the regulations:
• a certificate is an electronic confirmation that an e-signature belongs to the named
individual, that is an electronic attestation which links signature-verification data51 to a person
and confirms the identity of that person (s2), and
• a qualified certificate is a certificate which meets the requirements in Schedule 1 of the 2002
Regulations and is provided by a certification service provider who fulfils the requirements
of Schedule 2.
Certification service providers who offer such certificates must ensure adherence to both the
applicable standards for these certificates and those in respect of their own conduct.
Section 4 of the 2002 Regulations imposes a liability on certification service providers
who issue or guarantee qualified certificates to the public for any losses suffered as a result of
reasonably relying on such certificates, even though there is no proof of negligence unless the
certification service provider in question proves they were not negligent. Furthermore, s5 of
the 2002 Regulations imposes a duty on certification service providers to comply with specified
data protection requirements – re the Data Protection Act 1998 – with any breach of duty
of care potentially subject to a claim for damages, possible prosecution and, if successful, the
imposition of a fine.
The Secretary of State is obliged to publicise any failure to meet the standards specified in
Schedule 1 and Schedule 2 of the regulations (s3(5)).
Whilst the E-commerce Regulations apply to the provision of an information society service by
a service provider established in the UK irrespective of whether that service is provided in the
UK or in another member state (s4(1)), they specifically exempt the following fields/areas:
• taxation – s3(1)(a),
• information society services regulated by the Data Protection Act 1998 – s3(1)(b),
• information relating to agreements and practices regulated by competition law/cartel law53
– s3(1)(c),
• activities of a public notary or equivalent professions – s3(1)(d)(i),
• activities relating to legal representation of a client in a court of law – s3(1)(d)(ii), and
• betting, gaming or lotteries – s3(1)(d)(iii).
Main provisions
Section 6
This section provides that a service provider must make available to the recipient of the service
and any enforcement authority:54
• the name, registered address and details of the service provider (including company
registration number and VAT registration number where appropriate),
• contact details of the service provider (including e-mail address),
• details of where the service provider is registered in a trade,
• the details of any relevant supervisory authority where the service provided is subject to an
authorisation scheme, and
• where the service provider is a member of a regulated profession:
  ◦ details of any professional body or similar institution with which the service provider is
registered,
  ◦ the service provider’s professional title and where applicable professional registration
number, and
  ◦ details of the professional rules applicable to the service provider.
Section 7
This section imposes a duty on a service provider to ensure that any commercial communications
(including e-mails) which constitute or form part of an information society service:
• identify the communication as a commercial communication (s7(a)),
• identify the person on whose behalf the commercial communication is made (s7(b)),
• identify any promotional content/offer and the conditions which must be satisfied to qualify
for the offer (s7(c)), and
• identify any promotional competition or game and ensure that conditions for participation
are accessible and presented clearly and unambiguously (s7(d)).
Section 8
This section imposes a duty on a service provider to ensure that any unsolicited commercial
communication sent to prospective customers and/or clients is clearly and unambiguously
identifiable.
Section 9⁵⁵
This section imposes a duty on a service provider to ensure that unless agreed56 otherwise,
where a contract is, or is to be, concluded by electronic means, the service provider must, prior
to an order being placed by the recipient of a service, provide to that recipient in a clear,
comprehensible and unambiguous manner the following information:
• the different technical steps required to conclude the contract (s9(1)(a)),
• whether or not the concluded contract will be filed by the service provider and whether it
will be accessible (s9(1)(b)),
• the technical processes for identifying and correcting input errors prior to the placing of the
order (s9(1)(c)), and
• the languages offered for the conclusion of the contract (s9(1)(d)).
Section 11⁵⁷
This section imposes a requirement on a service provider to ensure that unless agreed otherwise,
where the recipient of the service places their order through technological means, a service
provider must:
• acknowledge receipt of the order to the recipient of the service without undue delay and by
electronic means (s11(1)(a)), and
• make available to the recipient of the service appropriate, effective and accessible technical
means allowing them to identify and correct input errors prior to the placing of the order
(s11(1)(b)).
Furthermore:
• the order and the acknowledgement of receipt will be deemed to be received when the
parties to whom they are addressed are able to access them (s11(2)(a)), and
• the acknowledgement of receipt may take the form of the provision of the service paid for
where that service is an information society service (s11(2)(b)).
Section 13
This section provides that failure by a service provider to comply with the E-commerce
Regulations could result in:
In addition, the recipient of the service must not act under the authority or the control of the
service provider.
The complete text of the Electronic Commerce (EC Directive) Regulations 2002 is available
at www.opsi.gov.uk/si/si2002/20022013.htm.
Section 3(2) of the Electronic Commerce (EC Directive) Regulations 2002 provides that: ‘these
Regulations shall not apply in relation to any Act passed on or after the date these Regulations
are made,’ that is 30 July 2002.
The 2003 Regulations ensure the Electronic Commerce (EC Directive) Regulations 2002
apply to the legislation that was amended by the Copyright and Related Rights Regulations
2003.
The complete text of The Electronic Commerce (EC Directive) (Extension) (No. 2)
Regulations 2003 is available at www.opsi.gov.uk/si/si2003/20032426.htm.
Briefly:
• traffic data can be defined as ‘any data processed for the purpose of the conveyance of a
communication on an electronic communications network and includes data relating to
the routing, duration or time of the communication,’ (s2(1)), and
• location data can be defined as ‘any data processed in an electronic communications
network indicating the geographical position of the terminal equipment of the user of a public
communications service, including data relating to the latitude, longitude or altitude of the
terminal equipment, the direction of travel of the user, or the time the location information
was recorded,’ (s2(1)).
The 2003 Regulations provide that unless the user to whom the cookie (or other similar
tracking device) is served is provided with:
• clear and comprehensive information about the purpose, the storage and access to such
data/information being collected, and
• an opportunity to refuse the storage of, or access to, such data/information,
then the use of cookies or similar devices is specifically prohibited (s7 and s8).
In essence:
Failure to comply
If a company/organisation operates a retail/distribution facility using an online presence, and it
collects or stores information from prospective customers, clients and/or other users, then it
must conform to the requirements of the above regulations. Failure to comply with the 2003
Regulations could result in:
The power of the web is in its universality. Access by everyone regardless of disability is an
essential aspect,65 (Tim Berners-Lee, Director W3C66 and inventor of the web).
• 610 million disabled people worldwide, of which 400 million disabled people live in the world’s
developing countries, and
• 39 million disabled people in Europe (compared to 49 million disabled people in the USA),
of which 8.6 million disabled people68 live in the UK.
In addition, it is estimated that disability affects between 10% and 20% of the population of
every country in the world.
In the UK:
• the Disability Discrimination Act 1995 (DDA 1995) (as amended), and,
• the Disability Discrimination Act 1995 Code of Practice: Rights of Access to Goods, Facilities,
Services and Premises (2002),
provide the broad legislative and regulatory framework in relation to disability issues and web-
based e-commerce.
The DDA 1995, Part III, s19 provides that it is unlawful for a service provider,69 including
providers of ‘access to, and use of information and communication services’,70 to discriminate
against a disabled person:
• in refusing to provide, or deliberately not providing, to the disabled person any service71
which it provides, or is prepared to provide, to members of the public (s19(1)(a)),
• in failing to comply with any duty imposed on it by s21 of the DDA 1995 in circumstances
in which the effect of that failure is to make it impossible or unreasonably difficult for the
disabled person to make use of any such service (s19(1)(b)),
• in the standard of service which the service provider provides to a disabled person or the
manner in which the service provider provides it to a disabled person (s19(1)(c)), or
• in the terms on which the service provider provides a service to a disabled person
(s19(1)(d)).
A service provider discriminates against a disabled person if:
• for any reason which relates to the disabled person’s disability, it treats a disabled person (due
to their disability) less favourably than it treats or would treat other members of the public
(s20(1)(a)), and cannot show that the treatment in question is justified (s20(1)(b)), and/or
• it uses practices, policies or procedures which make it impossible or unreasonably difficult
for a disabled person to make use of a service which it provides or is prepared to provide to
other members of the public, and fails to make reasonable adjustments or change to such
practices, policies or procedures so that it no longer has that effect (s21(1)).
Such reasonable changes have been a legal obligation since October 1999 and although the DDA
1995 does not define ‘reasonable’, the Code of Practice: Rights of Access to Goods, Facilities,
Services and Premises (2002), s4.21, provides that reasonability72 is dependent upon:
• the type of service provided,
• the nature of the company/organisation providing the service,
• the resources available to the service provider, and
• the impact on the disabled person.
As of October 2004, the small company/organisation exemption was removed (as was the police
and fire services exemption)73 imposing a legal obligation on such companies/organisations to
make all their services accessible to the disabled – including websites, intranet sites and extranet
sites.
For example:
• a person with a hearing disability may encounter difficulties where:
  ◦ audio excerpts are used to provide instructions without appropriate text subtitling, and/or
  ◦ video excerpts are used to provide information without appropriate text subtitling,
• a person with a sight disability may encounter difficulties where:
  ◦ video excerpts are used without accompanying audio, and/or
  ◦ non-contrasting text and background colours are used,
• a person with a physical disability may encounter difficulties where:
  ◦ there is an over-reliance on a single navigation device – for example a pointing device
such as a mouse, and/or
  ◦ complex navigational commands require above average levels of dexterity, and
• a person with a mental disability may encounter difficulties where:
  ◦ the language used is overly complex,
  ◦ there is a lack of illustrative non-text-based content,
  ◦ the website is relatively complicated to access,
  ◦ the website is relatively complicated to use, and/or
  ◦ the website uses excessive flashing, flickering or strobe effect designs.
For a service provider, a failure to comply with the provisions of the DDA 1995 and Code
of Practice 2002 – for example a failure to make reasonable amendments to a website (without
appropriate justification) when requested to do so – could result in:
• a claim for damages,
• possible prosecution and, if successful,
• the imposition of a fine and a court order compelling such reasonable amendments to be
made.
It could also result in:
Clearly then, compliance with the provisions of DDA 1995 and Code of Practice 2002 is not
only morally correct, it is also economically and socio-politically expedient!
Concluding comments
Disregarding the many myths that continue to surround e-retailing and e-commerce (see
Article 12.9) there is perhaps, as one would expect, a range of opinions regarding the costs, the
consequences and the potential future impact of e-commerce on society.
Article 12.9
Whilst many of these opinions (perhaps unsurprisingly) reach very different conclusions
on the social, political and economic costs and benefits associated with e-commerce and the
emergence of the self-service economy, they all nonetheless agree that as a society – as an
increasingly interrelated and interconnected global marketplace – we are, at the start of the
21st century, in the midst of an ongoing virtual revolution, a revolution whose final outcome
has yet to be determined (or even invented).
Put simply, technologies – especially information and communication technologies
associated with web-based activities – are (contrary to the naivety of popular belief) developed
in a fragmented and often disjointed manner. Whilst we can speculate (perhaps with some degree
of certainty) that future technologies will:
• improve internet security,
• increase user freedom and mobility,
• enhance internet usability and, hopefully,
• improve accessibility,
we have no way of knowing how such future technologies will impact on the demand for, and
use of, e-commerce and m-commerce related services.
Bibliography
Websites
Self-review questions
Question 1
‘Despite the rhetoric to the contrary, the internet-based “virtual shop” will never replace the traditional high
street retail outlet.’ Discuss.
Question 2
Companies and organisations are increasingly using a range of alternative schemes/technologies to protect
their information systems and e-commerce facilities.
Such schemes/technologies include the use of:
• system firewalls,
• intrusion detection systems,
• data/information encryption facilities,
• digital certificates, and/or
• authentication and authorisation software.
Required
Describe each of the above schemes/technologies and explain how each of them assists in protecting a
company’s/organisation’s information systems and e-commerce facilities.
Question 3
Whilst e-commerce-related activities have grown substantially over the past few years, in general, consumers
are still unwilling and/or unable to accept the online self-service e-commerce business model.
Required
Explain why such a reluctance to accept the online self-service e-commerce business model continues to
exist.
Question 4
Retail companies/organisations increasingly use their websites for a range of activities other than
e-commerce-based retail sales. Such activities include:
• product/service advertising activities,
• prospect generation activities, and
• customer support activities.
Required
Explain what is meant by each of the above activities, and the advantages and disadvantages of using a
website for such activities.
Question 5
‘Although the benefits of e-commerce are undoubtedly significant, such benefits are not without social,
political and economic cost/consequence.’ Discuss.
Assignments
Question 1
BPL Ltd is a small local retail company. The company sells a branded clothing range for 18–30 year olds.
During the last financial year (year ending 31 December 2005) the company had an annual turnover of £1.5m
and an annual net profit of approximately £700,000.
The company has two retail outlets located in Manchester and Oxford, and employs five part-time sales
assistants, one administrator and one manager.
Currently, sales are either over-the-counter sales at either retail location or mail-order sales from the
company’s annual catalogue. Over-the-counter sales can be for cash, credit/debit card payment or payment by
cheque. Mail order sales can be for credit/debit card payment and/or cheque payment only. All mail-order
sales are processed at the company’s Manchester retail outlet. Last year 42% of the company’s turnover was
from mail order sales.
For credit/debit card-related sales, the company operates a chip and PIN-based ePOS.
All over-the-counter sales are processed by the sales assistants. All mail-order sales are recorded by the
administrator.
At a recent management meeting the manager informed the administrator that he had appointed an external
consultant to develop and design a web-based e-commerce facility to replace its catalogue-based mail order
facility. The manager expected the new facility to be operational within the next two months.
Chapter 12 From e-commerce to m-commerce and beyond: ICT and the virtual world
Required
Critically evaluate the main advantages and disadvantages to the company of using a web-based e-commerce
facility to replace its current mail order catalogue facility.
Question 2
The business environment of the early 21st century continues to change with increased vigour. The growth of
e-commerce and e-retailing, and the use of the internet for the movement of goods, services and information,
has clearly promoted a greater interconnectivity. An interconnectivity that has not only opened up and created
enormous business opportunities, but has also increased the exposure of UK businesses, in particular UK
companies, to previously unknown levels of risks and security threats, the costs and consequences of which
have been and indeed continue to be significant.
Required
With reference to e-commerce, select a company context type (see Chapter 6) and critically evaluate the
type and nature of risk and security threats such a company faces and the control procedures and security
strategy/measures that such a company might employ to protect itself against such risks and threats.
Chapter endnotes
1
This chapter is concerned primarily with distance selling web-based online transactions.
2
Although it also encapsulates non-web-based activities – that is commercial activities undertaken
over a private computer-based network connection, for example EPOS transactions using
EFT. (See Chapter 5 for further details.)
3
Some commentators have referred to this as the ‘global e-revolution’.
4
Information society services means ‘any service normally provided for remuneration, at a
distance, by electronic means and at the individual request of a recipient of services,’ and
includes a wide range of online activities including:
• online information services – for example newspapers, magazines, libraries, electronic
databases, (re)search engines,
• e-commerce-related services,
• online consulting agencies – for example advertising/marketing services,
• online professional services – for example consulting services, translating services, designing
services and IT-related services,
• online validation services – for example services relating to the certification of electronic
signatures, user authentication and data/information recording,
• online services to consumers – for example interactive shopping services,
• online tourist information services, and
• online entertainment services – for example on-demand telecommunications services
(videoconference, internet access, e-mail, newsgroups and discussion forum).
See: www.coe.int/T/E/Legal_affairs/Legal_co-operation/Information_Society_Services.
5
See ‘Information and Communication Technology Activity of UK Businesses 2004
(Amendment)’ published February 2006, National Statistics, London. The publication is available
@ http://www.statistics.gov.uk/downloads/theme_economy/ecommerce_report_2004.pdf.
6
Such products/services would include for example:
• the user does not need to have a bank account to use it, and
• losing an e-money card is equivalent to losing cash.
19
Electronic means of payment that:
• can only be used to pay for an issuer’s own goods/services, and
• are only accepted by the issuer in payment for such goods and service,
are not considered to be e-money schemes and are therefore not subject to FSA regulation.
20
Note: Small e-money issuers that satisfy a number of strict criteria are not regulated by
the FSA, but need to apply for an FSA certificate confirming that they meet the criteria. Such
a certificate may be granted to a company/institution (other than a credit institution) with a
UK-based head office if one of the following apply:
• the company/institution only issues e-money with a maximum storage of €150 on its e-money
devices, and the company’s/institution’s total e-money liabilities will not exceed €5m, or
• the company’s/institution’s total liabilities with respect to its e-money scheme will not exceed
€10m and the e-money issued by the firm is accepted as a means of payment only by other
companies/institutions within the issuing company’s/institution’s group, or
• the e-money issued by the company/institution is accepted as a means of payment in the
course of business by not more than 100 persons within a limited local area, all having a close
financial/business relationship with the company/institution. (Such a company/institution is
often referred to as a local e-money issuer.)
21
See Article 9B of the Regulated Activities Order 2002.
22
A Personal Digital Assistant is a hand-held computer device which manages personal information
and can interact with other information and communication systems.
23
Wireless Application Protocol (WAP) is an international standard for applications that use
wireless communication – for example internet access from a mobile phone. WAP is now the
protocol used by the majority of mobile internet sites, aka WAPsites. The Japanese I-MODE
system is the other major wireless data/application protocol.
24
Indeed, it was the idea that highly profitable m-commerce applications would be possible
though the broadband mobile telephony provided by 3G mobile phone services which resulted
in high licence fees (somewhat willingly) paid by mobile phone operators for 3G licences during
2000 and 2001.
25
We are concerned only with legislative pronouncements/regulatory requirements of relevance
to commerce-based companies/organisations and not with related legislative pronouncements/
regulatory requirements applicable to non-commerce-based companies/organisations, for
example local/public authorities. Consequently, we will not consider, for example, the Freedom
of Information Act 2000, details of which are available @ www.opsi.gov.uk/acts/acts2000/20000036.htm
and the UK Information Commissioner @ www.informationcommissioner.gov.uk.
26
Available @ www.hmso.gov.uk/acts/acts1998/19980029.htm.
27
Available @ www.hmso.gov.uk/si/si2000/20002334.htm. In addition, the DTI Consumer
Protection (Distance Selling) Regulations: Guide for Business is available @
www.dti.gov.uk/ccp/topics1/pdf1/bus_guide.pdf.
28
Available @ www.hmso.gov.uk/acts/acts2000/20000007.htm.
29
Available @ www.hmso.gov.uk/si/si2002/20020318.htm.
30
Available @ www.legislation.hmso.gov.uk/si/si2002/20022013.htm. In addition the DTI Electronic
Commerce (EC Directive) Regulations: Guide for Business is available @
www.dti.gov.uk/industry_files/pdf/businessguidance.pdf.
31
Available @ www.opsi.gov.uk/si/si2003/20032426.htm.
32
Available @ www.opsi.gov.uk/acts/acts1995/1995050.htm.
33
Available @ www.drc-gb.org/open4all/law/Code%20of%20Practice.pdf.
34
For further information – see the Information Commissioner’s Data Protection Act 1998
Compliance Advice: Website FAQs, available @
www.informationcommissioner.gov.uk/cms/DocumentUploads/Website%20FAQ.pdf.
35
A website user/visitor should be given the choice (that is to ‘opt-in’ or ‘to opt-out’) of how
data/information is to be used – in particular where the intention is to:
• use such data/information for direct marketing purposes, or
• share such data/information with other third parties.
36
Cookies refer to information a web server stores on a user’s computer when the user browses
a particular website. See also note 64.
37
The Consumer Protection (Distance Selling) Regulations (2000) are enforced by:
• the Office of Fair Trading,
• local authority trading standards departments in England, Scotland and Wales, and
• the Department of Trade and Industry.
These bodies are under a duty to consider any complaint received and have powers to apply to
the courts for an injunction against any person, company and/or organisation considered
responsible for a breach of the regulations.
38
The Consumer Protection (Distance Selling) Regulations (2000) defines a distance contract
as: ‘any contract concerning goods and services concluded between a supplier and a customer
under an organised distance sales or service provision scheme run by the supplier who for the
purposes of the contract makes exclusive use of one or more means of distance communication
up to and including the moment that the contract is concluded,’ (s3).
39
The regulations do not apply if a business does not normally sell to consumers in response
to letters, phone calls, faxes or e-mails and/or does not operate an interactive shopping website.
40
This exception does not apply to the growing market for home deliveries by supermarkets.
41
For the purposes of the Distance Selling Regulations 2000 the term ‘durable’ medium
includes e-mail, post and/or fax.
42
Where a company/organisation uses ‘cold calling’ by telephone to sell to consumers, the
caller (as a representative of the company/organisation) must clearly identify:
• the name of the company/organisation the caller represents,
• the address of the company/organisation the caller represents, and
• the commercial purpose of the call,
48
Section 6 of the Act defines cryptography support services as: ‘any service which is provided
to the senders or recipients of electronic communications, or to those storing electronic data,
and is designed to facilitate the use of cryptographic techniques for the purpose of:
• securing that such communications or data can be accessed, or can be put into an intelligible
form, only by certain persons (s6(1)(a)), or
• securing that the authenticity or integrity of such communications or data is capable of being
ascertained, (s6(1)(b)).
49
The tScheme is a membership scheme for trust service providers designed to ensure minimum
standards of approval and service. Further information is available @ www.tscheme.org/.
50
See ‘Achieving best practice in your business – Information Security: Guide to the Electronic
Communications Act 2000’ DTI available @ www.dti.gov.uk/bestpractice/assets/security/eca.pdf.
51
Signature verification data means data which are used for the purpose of verifying an elec-
tronic signature – using a signature verification device.
52
The Electronic Commerce (EC Directive) Regulations 2002 define a service provider as:
‘any person providing an information society service’ (s2(1)).
53
The Electronic Commerce (EC Directive) Regulations 2002 define cartel law as: ‘the law
relating to agreements between undertakings, decisions by associations of undertakings, or
concerted practices as relates to agreements to divide the market or fix prices’ (s3(3)).
54
The Electronic Commerce (EC Directive) Regulations 2002 define an enforcement authority
as: ‘any person who is authorised, whether by or under an enactment or otherwise, to take
enforcement action’ (s2(1)).
55
The Electronic Commerce (EC Directive) Regulations 2002 (s9(4)) provides that the requirements
of s9(1) and s9(2) do not apply to contracts concluded exclusively by exchange of e-mail
or by equivalent individual communications.
56
By parties who are not consumers.
57
The Electronic Commerce (EC Directive) Regulations 2002 (s9(4)) provide that the requirements
of s11(1) do not apply to contracts concluded exclusively by exchange of e-mail or by
equivalent individual communications.
58
A cache can be defined as: ‘a local storage of remote data designed to reduce network transfers
and therefore increase speed of download’.
59
And also the Telecommunications (Data Protection and Privacy) (Amendment) Regulations
2003.
60
The regulations specifically require that users of electronic communication be informed
of the possible uses of personal data – in particular, the possible inclusion in publicly available
directories.
61
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (s22) provide
that three criteria must be satisfied, these being
• contact details must have been obtained in the course of business,
• the communication is regarding similar products and/or service, and
• the recipient can at any time – free of charge – refuse further communications.
62
Traffic data means ‘any data processed for the purpose of the conveyance of a communication
on an electronic communications network and includes data relating to the routing, duration
or time of the communication’, the Privacy and Electronic Communications (EC Directive)
Regulations 2003 (s2(1)).
63
Location data means ‘any data processed in an electronic communications network indicating
the geographical position of the terminal equipment of the user of a public communications
service, including data relating to the latitude, longitude or altitude of the terminal equipment,
the direction of travel of the user or the time the location information was recorded’, the Privacy
and Electronic Communications (EC Directive) Regulations 2003 (s2(1)).
64
The ‘cookie’ information (which can include a vast range of personal information) helps the
web server track the user’s activities and preferences.
65
See: www.w3.org/WAI/.
66
The World Wide Web Consortium (W3C) develops ‘interoperable technologies (specifications,
guidelines, software and tools) to lead the web to its full potential.’ W3C is a forum for
information, commerce, communication and collective understanding.
67
Source: Employers Forum Disability Online Summary Report, available @
www.employers-forum.co.uk/www/pdf/DisabilityOnline.pdf.
68
Aged 16 and over and self-declared as disabled.
69
A person is ‘a provider of services’ if he or she is concerned with the provision in the UK of
services to the public or to a section of the public (Disability Discrimination Act 1995 (s19(2)(b))).
70
Although the provision of web-based information services/facilities is not specifically cited
in the Disability Discrimination Act 1995.
71
The provision of services includes the provision of any goods or facilities (Disability Discrimination
Act 1995 (s19(2)(a))). In addition, it is irrelevant whether a service is provided on
payment or without payment (Disability Discrimination Act 1995 (s19(2)(c))).
72
The Code of Practice: Rights of Access to Goods, Facilities, Services and Premises 2002
(s4.22) suggests the following as types of factors which may be taken into account when considering
what is reasonable:
• whether taking any particular steps would be effective in overcoming the difficulty that disabled
people face in accessing the services in question,
• the extent to which it is practicable for the service provider to take the steps,
• the financial and other costs of making the adjustment,
• the extent of any disruption which taking the steps would cause,
• the extent of the service provider’s financial and other resources,
• the amount of any resources already spent on making adjustments, and
• the availability of financial or other assistance.
73
The only organisation/service still specifically excluded from the provisions of the Disability
Discrimination Act 1995 is the armed forces.
74
See Dardailler, D. (1997) Briefing package for project Web Accessibility Initiative (WAI),
available @ www.w3.org/WAI/References/access-brief.html.
75
See www.w3.org/WAI/.
76
These working groups include:
• Authoring Tools Working Group (AUWG) – develops guidelines, techniques and supporting
resources for web ‘authoring tools’ – which are software that create websites,
• Education and Outreach Working Group (EOWG) – develops awareness and training
materials and education resources on web accessibility solutions,
• Evaluation Tools Working Group (ERT WG) – develops techniques and tools for evaluating
accessibility of websites and for retrofitting websites to be more accessible,
• Protocols & Formats Working Group (PFWG) – reviews all W3C technologies for accessibility,
• Research and Development Interest Group (RDIG) – facilitates discussion and discovery of
the accessibility aspects of research and development of future web technologies,
• User Agent Working Group (UAWG) – develops guidelines, techniques and supporting
resources for web ‘user agents’ – which includes web browsers and media players accessibility,
and
• Web Content Working Group (WCAG WG) – develops guidelines, techniques and supporting
resources for web ‘content’ – which is the information in a website, including text,
images, forms and sounds.
77
These include a wide range of public and private sector organisations – for example companies,
government agencies, education-based research organisations and many more.
78
Indication of conformance can be presented in two alternative forms.
Form 1: Specify on each page claiming conformance:
• the guidelines title: ‘Web Content Accessibility Guidelines 1.0’,
• the guidelines URI: http://www.w3.org/TR/1999/WAI-WEBCONTENT,
• the conformance level satisfied: ‘A’, ‘Double-A’ or ‘Triple-A’,
• the scope covered by the claim (e.g. page, site or defined portion of a site).
An example of which would be: ‘This page conforms to W3C’s “Web Content Accessibility
Guidelines 1.0”, available at http://www.w3.org/TR/1999/WAI-WEBCONTENT, level Double-A’.
Form 2: Include on each page claiming conformance, 1 of 3 icons provided by W3C and
linking the icon to the appropriate W3C explanation of the claim. Information about the WAI
icons and instructions on how to insert them into a webpage is available @
www.w3.org/WAI/WCAG1-Conformance.html.
79
A user agent is defined as ‘any software that retrieves and renders web content for users’.
Such software may include web browsers, media players, plug-ins and other programs including
assistive technologies – for example:
• screen magnifiers,
• screen readers,
• voice recognition software,
• alternative keyboards, and
• alternative pointing devices.
See: www.w3.org/TR/WCAG20/appendixA.html.
80
A baseline is defined as ‘a set of technologies assumed to be supported by, and enabled
in, user agents in order for web content to conform to these guidelines’. See
www.w3.org/TR/WCAG20/appendixA.html.
Part 4
Risk, security, surveillance and control
Part overview
Part 4 of this book explores a range of issues associated with risk, security and control.
Chapter 13 explores the social and economic contexts of risk, and considers a range of
issues associated with corporate accounting information systems related fraud and computer
crime. Chapter 14 explores the socio-economic contexts of control – in particular
internal control – and considers the implications of such internal control on information
and communication technology enabled transaction processing systems.
Chapter 15 explores the underpinning rationale of audit, and considers the major issues
and problems associated with auditing computer-based corporate accounting information
systems. It also considers a number of alternative contemporary approaches to auditing
computer-based corporate accounting information systems including auditing through,
with and/or around the computer.
Finally, Chapter 16 explores the major stages of the systems development life cycle
and explores the socio-political context of corporate accounting information systems
development.
Introduction
Risk can be defined in many ways. For example:
Whatever way we seek to define or describe risk, assessing its implications and consequences
has, in a business context1 at least, become primarily associated with the determination
and evaluation of outcomes – with the quantification of probabilities.2 The probability that an
event, or series of events, may occur that results in the emergence/expression of socially and
economically harmful consequences – consequences that could have an undesirable impact
on both the present and future stability and financial wellbeing of the company. Indeed,
as suggested by Beck (1994), by quantifying unmanageable uncertainties we (including
companies as created persons) can create manageable risks and in doing so make the
‘incalculable calculable’ (1994: 181),3 and thus make the uncertain certain. Or at least provide
a comforting (if perhaps misleading) perception of certainty that is bounded by a normalising
assumption that all risks are not only discoverable, but more importantly measurable!
The contemporary notion of risk – in particular business risk – and its perceived emergence
into the socio-economic consciousness of the marketplace is now closely related to the
notion of expected future return. More importantly, perhaps, risk is indelibly associated
with the nature and structure of market competition, and is, accordingly, regarded by some
as merely a generic product of the increasingly competitive demand-driven mechanism
of capitalism – of global capitalism. Such risk – such expected risk – is an ever-present
phenomenon of contemporary market-based capitalism and its inherent uncertainties –
an ever-present and somewhat controversial phenomenon of increasing significance and
consequence.
Chapter 13 Risk and risk exposure: fraud management and computer crime
it cannot be totally eliminated. Indeed, the significance and implications of risk (in particular
exposure to socio-economic risk) cannot be diluted by the rhetoric of liberal economics,
nor can its consequence be minimised by merely acknowledging its being. The very
existence of risk – the very existence of business/corporate risk – invites/requires explicit
and unambiguous proactive management, the economisation of uncertainty4 and the
adoption (at least in a contemporary context) of the so-called precautionary principle.
We will return to, and indeed explore in greater detail, the nature and context of the
so-called precautionary principle in the next section of this chapter, but for the moment
it is worth noting that within a corporate context (and indeed an accounting information
systems context) the incidence of risk can only be detected by the use of appropriate
control features, such as:
whereas the occurrence of risk (and its associated consequences) can only be diminished
by the establishment of appropriate control environments, such as:
Clearly then, effective risk management (as guided by the so-called precautionary principle)
relies on:
Learning outcomes
This chapter presents an analysis of the key features of risk, risk exposure and fraud,
and examines issues associated with fraud management and the risks associated with
information systems and information technology – in particular computer crime. By the
end of this chapter, the reader should be able to:
• describe the social and economic contexts of risk,
• distinguish between different types of sources and types of risk and then explain the
control issues associated with minimising risk exposure,
• describe and critically comment on the problem conditions affecting exposure to risk,
and
• evaluate the key issues associated with fraud and computer crime.
As suggested earlier, risk is the chance or possibility of loss or bad consequence. It arises from
a past, present and/or future hazard or group of hazards of which some uncertainty exists about
possible consequences and/or effects. Put simply, whereas a hazard or group of hazards is a
source of danger, risk is the likelihood of such a hazard or group of hazards developing actual
adverse consequences/effects. In this context, uncertainty relates to the measure of variability
in possible outcomes – the variability (whether expressed qualitatively or quantitatively) of the
possible impact and consequence/effect of such hazards. Whilst such uncertainty can clearly
arise as a result of a whole host of complex and often interrelated reasons, it does – in a corporate
context at least – more often than not arise as a result of a lack of knowledge, a lack of information
and/or a lack of understanding.
As with the never-ending variety that is symptomatic of modernity, there are many types of
risk – many of which overlap in terms of definition and context. Have a look at the following
definitions/examples of risk:
• social risk – the possibility that the intervention (whether socio-cultural, political and/or
institutional) will create, fortify and/or reinforce inequity and promote social conflict,
• political risk – the possibility that changes in government policies will have an adverse
and negative impact on the role and functioning of socio-economic institutions and
arrangements,
• economic risk – the risk that events (both national and international) will impact on a country’s
business environment and adversely affect the profit and other goals of particular companies
and other business-related enterprises,
• market risk – the risk of a decline in the price of a security due to general adverse market
conditions (also called systematic (or systemic) risk),
• financial risk – the possibility that a given investment or loan will fail to bring a return and
may result in a loss of the original investment or loan, and
• business risk – the risk associated with the uncertainty of realising expected future returns of
the business, (also known as unsystematic (or non-systemic) risk), and/or the uncertainty
associated with the possible profit outcomes of a business venture.
Clearly whilst there are many other definitions/examples of risk – many other categorisations
of risk, especially within the context of socio-economic activities (see Figure 13.1) – they
all possess a singular common feature.
Whatever way we seek to perceive or indeed conceptualise risk,5 however we seek to define or
describe it, at the core of any definition – any understanding of risk (including all of the above)
– is the notion of uncertainty and the associated possibility of danger, hazard, harm and/or
of loss. Harm and/or loss results from uncertain future events that may be social, cultural,
economic, political, psychological and/or even physiological in origin.
Indeed, whether risk is viewed primarily in a qualitative context as:
• a social construction,6
• a product of reflexive modernisation,7
• a cultural8 consequence of the growing economisation of society and polity, and/or
• a product of modern society’s increasing interconnectivity but diminishing trust,9
or primarily in a quantitative context as:
• a quantifiable deviation from the norm,
• a statistical probability, or
• a calculable and determined measurement,
issues of uncertainty and of risk (from wherever they originate) now dominate contemporary
understanding of corporate activity and its context and location within the macro economic
framework of the so-called global village. Such issues not only influence and determine all
forms, aspects and levels of corporate decision making, (especially, as we shall see, decisions
related to corporate accounting information systems) but continue to be an authoritative
influence on and pervasive (some would say insidious) feature of many (if not all) aspects of
contemporary economy, society and polity.
Indeed, in today’s evermore risk-averse world – a world bounded by the sociology of commodification
and constrained only by the politics of marketplace and economics of more – social,
economic and political activities are increasingly influenced by and indeed organised around a
singular cautionary notion. A notion that it is better to be safe than sorry or, perhaps more
appropriately, it is better to err on the side of caution.
Enshrined within this cautionary approach (some would say pessimistic approach) is an
assumption of the worst case scenario. That is:
• when the outcomes of present or future actions and events are uncertain or unpredictable,
and/or
• when information, knowledge or understanding is incomplete or uncertain,
a lack of certainty should not be used as a reason – as a justification – for postponing measures
to prevent such damage and/or such harm.
It is this approach – this assumption of worst case scenario – that has in recent years become
known as the precautionary principle. A principle whose origins are clearly linked to the German
vorsorgeprinzip, or foresight principle, it is now increasingly used and is indeed widely embraced
(both formally and informally) at various levels within society, economy and polity (that is
not only at a societal/governmental level but also at an economic/market level), to deal with the
various risks and uncertainties arising from:
• the imposition of new technologies,
• the development of new products, and
• the expansion and growth of new markets.
• Weak form precaution (generic reactive intervention) – intervention only where there is
general positive evidence of risk, the possibility for harm/damage and evidence that such
intervention would be effective and cost-efficient. The underlying presumption is one of risk
management.
• Moderate form precaution (specific reactive intervention) – intervention on a case by case
basis where there is specific positive evidence of risk, the probability of harm/damage and
evidence that such intervention would be effective and where possible cost-efficient. Again
the underlying presumption is one of risk management.
• Strong form precaution (proactive intervention) – intervention where a perceived risk of
potential harm/damage exists and evidence that such intervention would be effective. Cost
efficiency is not a concern. Because of the nature and severity of the risks, the underlying
presumption is one of risk avoidance.
Whilst there is no widely accepted formal rule set (or criteria) by which the application of any
of the above can be determined, in general and very informally, the potential application of
each (separately or in combination) is often determined by:
• the level of uncertainty in the consequences of the particular hazard, and
• the level of uncertainty in the likelihood that the particular hazard will be realised.
Figure 13.3 Activities at each variant form of the precautionary principle (A)
Figure 13.4 Activities at each variant form of the precautionary principle (B)
Each of the above activities would contain a range of different but nonetheless risk-related activities
(sub-systems) that would require different levels of precautionary management. For example:
• information systems/information technology-related activities:
  ◦ internal control activities – fraud detection activities
    moderate form/strong form precautionary activities
  ◦ computer-based virus management
    strong form precautionary activities
• accounting and finance-related activities:
  ◦ capital investment appraisal
    moderate form/strong form precautionary activities
  ◦ portfolio/debt management
    moderate form precautionary activities
• business/marketing-related activities:
  ◦ product development activities
    moderate form precautionary activities
• human resources/personnel-related activities:
  ◦ appointment of new staff
    strong form precautionary activities
  ◦ staff development activities/staff training
    weak form/moderate form precautionary activities.
Clearly, whilst the precise nature and context of the precautionary activities differs from company
to company and from business activity to business activity, the level of precautionary activities
would nevertheless remain the same, although in a practical context such precautionary activities
may well change over time.
Let’s look at this issue in a little more detail. We live in an ever-changing world. A world
dominated by:
• an ever-changing political landscape,
• an increasingly international flow of goods and services,
• an evermore turbulent and unpredictable global marketplace, and
• an increasing dependency on flows of knowledge and information.
Indeed, we live in an ever-changing world dominated by technologies designed not only to sustain
but also increase the socio-economic need/desire for more of everything. A world founded on highly
integrated interdependencies and interconnections in which even the smallest changes within a
socio-political landscape, the economic marketplace or a company’s resource structure may have
a substantial impact/effect on the nature and source of risk, the type of risk and the degree of risk
exposure a company may face. Such a change may well necessitate a change in the levels of
precautionary activities associated with particular business activities undertaken by a company.
Now we have a broad socio-economic context of risk, we will focus on risk and risk exposure
specifically associated with computer-based/information technology orientated information
systems, in particular, corporate accounting information systems.
Risk exposure
As suggested earlier, risk can be described in many ways, for example, as a hazard, a chance of
bad consequence or exposure to mischance. And for a company, the measurability of such risk
is directly related to the probability of loss.
Remember, we are now primarily concerned with risk exposure specifically associated with
and/or related to computer-based/information technology orientated information systems – in
particular, corporate accounting information systems.
Source of risk
If you are not sure why we should consider resource/asset-based risk a subsidiary primary source
then consider the following.
The foundation of all contemporary business activity – of contemporary capitalism – is
movement. Capitalism is a socially constructed event-based process. That is, all contemporary
business activity is based ultimately on the buying and selling of goods and services, and/or
the transfer of property and ownership in exchange for payment or promise of payment.
Indeed, at the heart of any business transaction is an identifiable event and/or activity, one
which ultimately results in the temporal and/or spatial displacement of assets and/or resources
(the duality of which accountants record using the age old methodology of double-entry
bookkeeping).
Associated with both of the above primary sources of risk are the following secondary sources
of risk:
• authorised internal employee and/or external agent-based risk – for example risk of possible
loss that may result from either unintentional mistake/oversight or premeditated, intentional
or deliberate error, theft and/or acts of violence,
• unauthorised persons-based risk – for example risk of possible loss that may result from possible
breaches of security and/or acts of violence resulting in the theft or misappropriation of
assets, resources, information and/or identity, and
• (act of) nature-based risk – for example risk of possible loss that may result from geographical
disaster, adverse meteorological conditions and/or created human catastrophes.
Types of risk
Clearly, within the secondary sources of risk identified above, there are many
types of risk associated with computer-based/information technology orientated information
systems, in particular corporate accounting information systems. Let’s have a look at these in a
little more detail:
• Unintentional errors – these relate to inadvertent mistakes and/or erroneous actions attributable
to bad judgement, ignorance and/or inattention, and are neither deliberate nor malicious
in intent.¹²
• Deliberate errors – conscious erroneousness and incorrectness whose occurrences are designed
to damage, destroy and/or defraud a person, group of persons and/or organisation. Such
errors are intentional and premeditated.
• Unintentional loss of assets – an undesigned loss whose incidence occurs without deliberate
purpose or intent. Such (accidental) losses may occur due to bad judgement, ignorance
and/or inattention.
• Theft of assets – the wrongful and criminal taking of property from another.
• Breaches of security – the successful defeat and/or violation of controls which could result in
a penetration of a system and allow/facilitate unauthorised access to information, assets
and/or system components whose misuse, disclosure and/or corruption could result in severe
financial loss.
• Acts of violence – intentional, reckless and/or grossly negligent acts that would reasonably be
expected to cause physical injury and/or death to another person, and/or cause the damage
to and/or the destruction of valuable tangible/intangible assets.
• Natural disasters – events with catastrophic consequences whose origins lie beyond humankind
and human activity. Such events can result in death, injury, damage and/or destruction
to people and/or property and are dependent on many factors which themselves may not be
natural in origin but created by human action/inaction.
The need to identify security risks/threats and ensure the existence of adequate control procedures
is paramount to:
• ensuring the effectiveness and efficiency of corporate operations, the continuity of business
processes and the survival of the company,
• minimising unproductive time and effort, and reducing the cost of downtime and service
outage,
• protecting the corporate brand name, the corporate image, any intellectual property rights
and of course the company’s market share and underlying share value, and
• ensuring compliance with applicable laws and regulations and avoiding any penalties and fines
that may arise from a failure to comply with extant legislative requirements and regulatory
pronouncements.
Consequently, minimising risk is indelibly associated with three aspects central to contemporary
notions of information security, these being:
• the maintenance of confidentiality – that is protecting information from unauthorised
disclosure,
• the preservation of integrity – that is protecting information from unauthorised modification,
and
• the assurance of availability – that is protecting the availability of information.
Not only in a business context, but more importantly in a corporate context, maintaining
confidentiality, preserving integrity and ensuring availability are dependent upon:
• establishing an appropriate control environment,
• undertaking regular risk assessment,
• developing and maintaining structured control activities,
• ensuring the existence of adequate information and communication systems and protocols,
• ensuring monitoring activities are regularly undertaken, and
• maintaining internal control and the separation of administrative functions.
Although we will consider issues of internal control and systems security in greater detail in
Chapter 14, it would perhaps be useful to provide a brief review of the contemporary regulatory
framework of information security management.
British Standard BS 7799 Part 1 provides a code of practice for information security management.
Originally published in 1995 and revised in 1999, Part 1 became ISO/IEC 17799¹³ in
2000, an international standard (code of practice) for information security management which
provides, amongst other things, a comprehensive set of security controls/practices currently in
use by businesses worldwide.
British Standard BS 7799 Part 2 (currently published as BS 7799-2:2002 Specification for
Information on Security Management)¹⁴ provides/defines a management framework for:
• the identification of security requirements, and
• the application of the best practice controls as defined in ISO/IEC 17799,
and specifies in some detail the key requirements of an Information Security Management
System (ISMS).
Both of the above (ISO/IEC 17799 and BS 7799 Part 2) apply to all information regardless
of where it is located, how it is processed and/or how or where it is stored. They also outline a
number of key principles¹⁵ central to effective information security, these being:
• risk assessment – that is identifying and evaluating risks, and specifying appropriate security
controls to minimise loss or damage associated with these risks,
• periodic review of security and controls – that is assessing and identifying any changes within
the company/business activities that may result in new threats and vulnerabilities, and
• implementation of information security – that is designing, implementing, monitoring,
reviewing and improving information security.
Key to the effective implementation of the above principles is of course the development and
implementation of an information policy – a corporate-wide information security policy.
Although such a policy would clearly vary from business to business and company to company,
in general such an information security policy should include most (if not all) of the following:
• a definition of the nature of ‘corporate’ information security – its scope, objectives and
importance to the company,
• a statement of intent and an explanation of standards, procedures, requirements and objectives
of the policy,
• a detailed explanation of the consequences of security policy violation and the legal, regulatory
and possible contractual obligations for compliance,
• a definition of the general and specific roles and responsibilities, in terms of promoting security
awareness and information security training and education, and ensuring the prevention
and detection of viruses and other malicious software,
• a statement detailing the processes and procedures for reporting/responding to security
incidents, and
• a statement detailing the location and availability of information security supporting
documentation – for example corporate policy, operational procedures and implementation
guidelines.
As indicated earlier, we will return to a more detailed discussion of internal control and systems
security and the importance of information security in Chapter 14.
As suggested earlier, there are many sources and types of risk and events/activities whose
occurrences may result in the possibility of danger, hazard, harm and/or loss. In a corporate
accounting information systems context, perhaps the most important problem conditions are:
• fraud, and
• computer crime (or more appropriately computer assisted crime).
Fraud
Originating from the old French word fraude and the Latin fraus meaning deceit and/or injury,
the word fraud is defined¹⁶ as ‘criminal deception, the use of false representation to gain unjust
advantage’, or ‘a wrongful or criminal deception intended to result in financial or personal
gain’, or perhaps more appropriately ‘the use of deception with the intention of obtaining an
advantage, avoiding an obligation or causing loss to another party’.
Whilst there exists no single statutory offence of fraud in the UK, the Home Office (2004)
provides examples of offences that would be classified as fraud (or fraudulent):
The term ‘fraud’ clearly encompasses an array of irregularities and illegal acts which include:
• conspiracy – undertaking secret agreement(s) to perform and/or carry out some harmful or
illegal act,
• embezzlement – the fraudulent appropriation of funds or property entrusted to your care
but actually owned by someone else,
• misappropriation – the illegal taking of property (includes embezzlement, theft and fraud),
• false representation – the fraudulent concealment of material facts, and
• collusion – agreeing (with others) to defraud another of property and/or rights, and/or obtain
an object and/or property forbidden by law.
Whilst the more serious of the above illegal acts may be subject to possible Serious Fraud Office
(SFO) investigation¹⁷ such illegal acts can loosely be categorised as:
• an intentional perversion of truth, misrepresentation, concealment or omission of material
fact perpetrated with the intention of deceiving another which causes detriment and/or
injury to that person,
• a deceitful practice or device perpetrated with the intent of depriving another of property,
and/or other rights, and/or
• a dishonest act designed to manipulate another person to give something of value.
False billing
These types of fraud are usually aimed at large corporate organisations with large, often automated,
payments systems/sub-systems. They often involve an attempt to obtain funds/payments for
goods and/or services that have never been provided.
Article 13.1
• the communication offers to transfer millions of pounds into the company’s bank account
(for a ‘pay-off fee’ which the company will receive on completion of the transfer) normally
claiming that the funds are from over-invoiced projects or unaccounted excess funds from
a previous political regime, or funds relating to property transfers/low-cost oil transfers,
and
• the targeted company (or more appropriately victim company) is nearly always asked to
provide blank company letter-headed paper, bank account details/information, confidential
telephone/fax numbers, and sooner or later the payment of an up-front or advance fee payment
to cover various taxes, legal costs, transaction costs and/or bribes.
A variation of such advance fee frauds is the dead relative variation or the current affairs/
disaster variation. For example the December 2004 Tsunami disaster in South East Asia produced
a plethora of fee fraud e-mails.
Identity theft
Identity theft is the deliberate assumption of another’s identity (either person and/or company),
usually:
• to fraudulently obtain goods and/or services using that identity,
• to gain access to a source of finance and/or credit using that identity,
• to allocate/apportion guilt for a crime and/or fraud to that identity,
• to enable illegal immigration using that identity, and/or
• to facilitate terrorism, espionage, blackmail and/or extortion.
There are clearly many ways in which an identity can be assumed, from scouring local press/
media to ‘web spoofing’ (setting up websites to elicit information as part of a seemingly legitimate
transaction). See Article 13.2.
Article 13.2
Phishing
Phishing (and pharming) is the fraudulent acquisition, through deception, of sensitive personal
information such as passwords and credit card/finance details by:
• masquerading as someone (either a person or company) with a legitimate need/requirement
for such information, and/or
• using malicious/invasive software programs (e.g. a trojan horse – see later in this chapter) to
obtain covertly confidential and highly sensitive information.
Phishing is in essence a form of social engineering attack – an attack designed to deceive users
and/or managers/administrators at the target site or location. Historically such social engineering
attacks were typically carried out through conventional telecommunication channels (e.g.
telephoning users and/or operators and pretending to be an authorised user) to gain illicit
access to systems. In terms of contemporary business activity however, in particular in terms
of computer-based information systems and computer security, a social engineering attack can
be defined as the practice of using information technology to deceive people into revealing
sensitive information and/or data on a computer system, that is to gain personal and/or confidential
information for the purposes of identity theft and/or funds fraud.
It is perhaps not surprising that the term is often associated with e-mail fraud in which an
e-mail is sent to an end-user with the intent of acquiring personal and/or corporate information.
It is perhaps worth noting that such phishing (and pharming) are no longer the sole domain
of the external hacker/cracker – internal hackers/crackers (see Article 13.3) are increasingly
regarded as a primary threat to corporate information security.
Article 13.3
Internal hackers pose the greatest threat – beware the enemy within
Internal hackers pose the greatest threat to the IT systems of the world’s largest financial
institutions, according to the 2005 Global Security Survey released today by the financial
services industry practices of Deloitte Touche Tohmatsu.
Over a third of respondents admitted to having fallen victim to internal hack attacks during the
past 12 months (up from 14 per cent in 2004) compared to 26 per cent from external sources (up
from 23 per cent in 2004).
Instances of phishing and pharming, in which hackers lure people into disclosing sensitive
information using bogus emails and websites, rocketed during the past year, underscoring the
human factor as ‘a new and growing weakness in the security chain’. The study noted that the
shift in tactics to exploit humans, rather than technological loopholes, is explained by the
improved use of IT security systems.
This includes the increased deployment of antivirus systems (98 per cent compared with 87 per
cent in 2004), virtual private networks (79 per cent compared with 75 per cent) and content
filtering and monitoring (76 per cent compared with 60 per cent).
‘Financial institutions have made great progress in deploying technological solutions to protect
themselves from direct external threats,’ said Adel Melek, a partner in the Canadian member firm
of Deloitte Touche Tohmatsu.
‘But the rise and increased sophistication of attacks that target customers, and internal attacks,
indicate that there are new threats that have to be addressed. Strong customer authentication,
training and increased awareness can play a significant role in narrowing this gap.’ However, the
survey results show that security training and awareness have yet to top the agenda of chief
information security officers, as less than half of respondents have training and awareness
initiatives scheduled for the next 12 months.
Training and awareness was at the bottom of the security initiatives list, far behind regulatory
compliance (74 per cent) and reporting and measurement (61 per cent). The findings aligned with
financial institutions’ future investment plans in security, with 64 per cent of money set aside
for security tools, compared with only 15 per cent for employee awareness and training.
Ted DeZabala, a principal in the security services group at Deloitte & Touche LLP, said: ‘With
threats such as identity theft, phishing and pharming on the rise, organisations should be
implementing identity management solutions encompassing access, vulnerability, patch and security
event management. These solutions should be augmented by security training and awareness if
organisations are to minimise the number of human behavioural threats. Clearly, continued
vigilance is needed to meet and exceed the requirements and truly protect corporate data from
security threats.’
Source: Robert Jaques, 23 June 2005, www.vnunet.com.
There can be little doubt that the 21st century has seen an enormous increase in the number
of frauds and illegal scams directed at both companies and individuals. Whilst the greater
availability of information technology and the increased accessibility and use of the internet
are often cited as the key reasons for this increase, such reasons clearly represent only part of
the answer.
In recognising the increasingly complex threat posed by the use of improved technology by
both national and international criminal elements in:
• modifying and adapting existing corporate frauds – that is supporting traditional crimes with
the use of internet and information technology, crimes such as fraud, blackmail, extortion,
identity theft and cyber-stalking, and
• developing, designing and executing new corporate frauds – that is using the internet and
information technology not only to develop new crimes and further present new opportunities
to both national and international criminal elements, but also challenge contemporary
law enforcement – crimes such as hacking, virus transmission, Denial of Service (DoS)
attacks and spoof websites,¹⁹
the UK government – in April 2001 – created the National Hi-Tech Crime Unit (NHTCU)²⁰ to:
• combat national and trans-national serious and organised hi-tech crime which impacts upon
and/or occurs within the UK,
• present sustained leadership and focus (nationally and internationally) in defining and discharging
world class standards in the fight against organised crime,²¹
• provide a comprehensive database of information and advice on a range of technology-based
frauds, and
• bring to justice and/or disrupt the activities of those involved in and/or responsible for serious
and organised hi-tech crime.
There are perhaps a number of key practical steps a company can take to minimise the possible
occurrence of fraud. Firstly, it could seek to identify potential reasons as to why it may/may not
be susceptible to fraud. Possible reasons could for example include:
• a lack of internal control,
• a lack of internal audit,
• inadequate fraud risk management skills,
The Electronic Communications Act 2000 (together with the Electronic Signatures Regulations
2002 and the Electronic Commerce (EC Directive) Regulations 2002) provides a regulatory framework
for the use of cryptographic service and clarifies the legal status of electronic signatures.²⁴
Computer crime
Computer crime can be defined as a deliberate action to gain access to, and/or steal, damage or
destroy, computer data without authorisation. It involves:
• the dishonest manipulation of computer programs and/or computer-based data,
• the fraudulent use/abuse of computer access and resources for personal gain, and/or
• the deceitful use of computer-based data/computer-based resources in the perpetration of
fraud.
There are many reasons advanced by both academics and practitioners who seek to explain the
exponential growth in computer crime over the past 10–15 years, perhaps the most common
of these being:
• the increasing access to and concentration of contemporary computer processing in business
(and in society),
• the increasing necessity for and use of highly integrated computer systems/networks in
business and commerce, and
• the increasing dependency on computer-based decision-making processes in both personal
and business/corporate activities.
See Article 13.4 below.
Article 13.4
Nearly every UK business makes use of the internet, with 97% making regular use of the
internet and 81% now possessing a website.²⁵ More importantly:
• 62% of UK businesses (for larger ones the figure was 87%) indicated that a security breach
leading to substantial data corruption would cause significant business disruption, with
• 56% of UK businesses (for larger ones the figure was 74%) indicating that a loss of access to
computer-based information would in itself significantly interrupt business activity.
And yet, in the UK, businesses (in particular corporate businesses), still only spend an average
of 4.5% of their information technology budget on security, with only 40% of medium-sized
UK businesses possessing a formally defined and documented information security policy. (For
large UK businesses the figure was 73%.)²⁶
Clearly, the number of UK businesses that possess a security policy has continued to increase
over the past 10 years, with virtually all UK businesses now implementing some form of anti-virus
software. Nevertheless, as long as companies (or more importantly company managers)
fail to recognise the importance of computer systems/networks as a fundamental/core wealth
creating resource in contemporary corporate activity, and fail to invest in:
• better staff education,
• enhanced security protocols,
• improved security and protection procedures,
• better management control systems/security audits, and
• more effective contingency planning,
the army of potential threats that now exist within the socio-economic marketplace, ones
ready to expose and indeed exploit any computer system/network security weakness, will only
continue to grow – as will computer crime!
So, how common is computer crime? Here are some facts. For 2005:²⁷
• 62% of UK businesses suffered a security breach (for larger UK businesses this figure was 87%),
• 29% of UK businesses suffered accidental systems failure and data corruption (for larger UK
businesses this figure was 46%), and
• 52% of UK businesses suffered malicious incidents (for larger UK businesses this figure was
84%),
with the average cost to UK businesses of most serious security breaches being approximately
£12,000. (For large UK businesses this figure was more than £90,000.) See Article 13.5.
Clearly then there can be little doubt that computer crime represents a contemporary and
indeed continuing socio-economic problem not only for business and business organisations in
general but for corporate organisations in particular. But who actually commits this so-called
computer crime (including of course computer assisted fraud), and perhaps more importantly,
why do they do it?
Article 13.5
Whilst any demographic would clearly be an over-generalised and grossly simplified
characterisation/depiction of those involved in computer crime – those committing computer crime
(or at least those identified or found guilty of committing computer crime) often (but not
always) tend to present one or more of the following characteristics:²⁸
• they are often white Caucasian male, usually aged between 19–30 years old (computer crime)
and 25–45 years old (fraud),
• they are often intelligent, generally well educated and like a challenge,
• they tend to be first-time offenders with what is often described as a modified Robin Hood
syndrome,
• they identify with technology and are often employed in an information technology role
and/or a financial/accounting role, and
• they generally feel exploited, underpaid and dissatisfied with their employer, but do not
(generally) intend harm, seeing themselves as a borrower and not a thief.
The main reasons perpetrators of computer crime often offer as a defence for their actions/
activities generally fall into one (or more) of the following areas:
• personal financial pressure,
• personal vices (drugs/gambling, etc.),
• personal lifestyle,
• personal grievances, due perhaps to increased stress/pressure relating to employment
conditions, and/or
• personal vendetta against the business/company or one or more of its managers/owners.
There are many types and categorisations of computer crime of which the following are perhaps
typical examples of contemporary computer crime (see Table 13.1 below):
• inappropriate use of corporate information technology,
• theft of computer hardware and/or software,
• unauthorised access and information theft,
• fraudulent modification of data/programs,
• sabotage of computing facilities, and
• premeditated virus infection and disruptive software.
Source: Information Security Breaches Survey 2006 Technical Report (April 2006),
PricewaterhouseCoopers and Department of Trade and Industry,
http://www.enisa.eu.int/doc/pdf/studies/dtiisbs2006.pdf.
• a potential loss of revenue especially where such abuse and misuse of corporate information
technology results in reduction in overall productivity,
• a severe reduction and/or even loss of network bandwidth where significant inappropriate
activities are occurring, and
• an increased risk of liability and legal action where such inappropriate activities result in, for
example:
  ◦ racial or sexual discrimination and harassment,
  ◦ misuse of personal information in breach of the Data Protection Act 1998,
  ◦ the propagation of libellous literature, and/or
  ◦ the loss of goods, services and/or information.
Clearly, the prevention of theft of computer hardware and/or software requires a commitment
to security and investment in the provision of a wide range of measures and controls,
which can be categorised as follows:
• preventative controls – that is controls designed to minimise and/or prevent opportunities
for theft to occur,
• detective controls – that is controls designed to detect theft attempts, and
• recovery controls – that is controls designed to trace/track down stolen items and facilitate the
recovery of such items and/or the possible prosecution of individual/individuals responsible
for the theft/misappropriation.
Such controls would normally operate on three distinct hierarchical layers:
• physical security control layer,
• technical security control layer, and
• human security control layer.
Clearly, security tagging, and registration and audit are of major importance where computer
assets are sited in remote locations (not necessarily networked), away from the company’s
main computing facilities: for example, where employees are geographically dispersed and use
portable computing facilities as part of their daily activities/duties.
without the express authorisation of the owner of the system, the server and/or the network.
See Table 13.3 below.
Source: Information Security Breaches Survey 2006 Technical Report (April 2006),
PricewaterhouseCoopers and Department of Trade and Industry,
http://www.enisa.eu.int/doc/pdf/studies/dtiisbs2006.pdf.
The DTI Information Security Breaches Survey (2006) also found that:
• 66% of UK businesses who had suffered an unauthorised access breach regarded the unauthorised
access breach as very serious (compared with 34% who regarded the unauthorised
access breach as serious), and
• 16% of UK businesses who had suffered a confidentiality breach regarded the confidentiality
breach as extremely serious (compared with 22% who regarded the confidentiality breach as
very serious, and 49% who regarded the confidentiality breach as serious).
There can be little doubt that 21st century connectivity has clearly proved to be a vivid paradise
not only for the world’s hackers but also the world’s crackers.
Originally, the term hacker was used to describe any amateur computer programmer seeking
to make software programs run more efficiently and computer hardware perform more effectively.
However, in a contemporary context, the term hacker is often used misleadingly (especially by
the media) to describe a person who breaks into a computer system and/or network and destroys
data, steals copyrighted software, and/or performs other destructive or illegal acts. That is, a
computer vandal.
This is perhaps unfortunate since such a definition is more appropriate for a person known
as a cracker32 – that is an individual who breaks (or cracks) the security of computer systems in
order to access, steal or destroy sensitive information. In essence a cracker is a malicious hacker
– and contrary to popular belief, the term cracker is not synonymous with the term hacker.
There are many reasons why an individual would attempt to breach the security protocols of a
computer system/network to gain unauthorised access, and the damage caused by such a breach
could include, for example:
n the theft of confidential and sensitive corporate information,
n the theft of protected information,
n the disruption of a corporate service and/or facilities (e.g. payment systems), and/or
n the infestation of a computer system and/or network.
So, how exactly would a hacker/cracker gain access to a computer system? Look at Table 13.4,
an edited version of McClure et al.’s (2005) Anatomy of a Hack.
Source: McClure, S., Scambray, J. and Kutz, G. (2005) Hacking exposed: Network Security, Secrets, and Solutions,
McGraw-Hill, San Francisco. Reproduced with permission of The McGraw-Hill Companies.
There are of course a number of prevention strategies that a company can adopt in order
to prevent and/or manage unauthorised access to a computer system/network and/or data,
these being:
n the development and adoption of a corporate defence protocol,
n ensuring user vigilance,
n the adoption of appropriate training and education and, perhaps most important of all,
n the use of information and communication technologies.
Let’s look at this final issue in more detail. There are many security tools and computer-based
technologies that can be used to manage access, control use and, where appropriate, prevent
unauthorised entry. Such tools and technologies include:
n the use of system/network firewalls,
n the use of information and communication technologies,
n the use of data encryption facilities,
n the use of digital certificates,
n the use of authentication and authorisation software, and
n the use of scanners, patches and hotfixes.
Some of the above were briefly discussed in Chapter 12.
Firewall
Often referred to as a border protection device, a firewall is, as we saw in Chapter 12, essentially a
system gateway designed to prevent unauthorised access to or from either a personal computer
and/or a private network. They are frequently used to prevent unauthorised internet users from
accessing private networks connected to the internet, especially intranets. They can be in the
form of:
n a hardware appliance and/or network device,
n a feature of another network device – for example a network router,
n a software package installed on a server/host system, and/or
n a combination of some or all of the above.
A firewall is designed to ensure that only approved network traffic of:
n an authorised nature and/or type, or
n from prescribed applications,
The criteria used by a firewall to determine whether traffic should be allowed through it will
depend on:
n the type of firewall,
n the concern of the firewall (e.g. to control/restrict access by traffic type, source address type
or destination address type), and
n the network layer/operational location of the firewall – that is the layer within the OSI and
TCP/IP network model.
Firewalls can broadly be classified into four categories, these being:
n a packet filter,
n a circuit level gateway,
n an application level gateway, and
n a multilayer inspection firewall.
Packet filtering
A packet filter firewall operates at the network layer of the OSI model or the IP layer of TCP/IP,
and is usually part of a router. In a packet filtering firewall each packet is compared to a set of
criteria before it is forwarded. Depending on the packet and the criteria, the firewall can reject
the packet, forward the packet or send a message to the packet originator. Rules can include
source and destination IP address, source and destination port number and protocol used.
Packet filtering firewalls are a low-cost firewall option that tend to have a relatively low
impact on the performance of the system/network on which they are used.
Multilayer inspection firewalls are often referred to as stateful firewalls (as opposed to
stateless firewalls)35. Because such a firewall can:
n monitor/track the state of a system/network connection, and
n distinguish between legitimate packets and illegitimate packets for different types of connections,
it can provide a high level of security and transparency. However, such a firewall can be
expensive and insecure if inappropriately managed.
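The contrast between packet filtering and a stateful firewall, as an added example that is not taken from the book: a first-match rule set over source/destination address, port and protocol, run once as a stateless filter and once with a connection table. The rule sets, addresses, action names and class names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                   # "forward", "reject" or "notify" (reject and tell the originator)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None
    proto: Optional[str] = None   # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.proto in (None, p.proto))


def packet_filter(packet: Packet, rules) -> str:
    """Stateless filter: the first matching rule wins, anything unmatched is rejected."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "reject"


class StatefulFilter:
    """The same rules plus a table of connections the rules have already approved."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()

    def check(self, p: Packet) -> str:
        forward_key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reply_key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if forward_key in self.connections or reply_key in self.connections:
            return "forward"          # belongs to a tracked connection
        action = packet_filter(p, self.rules)
        if action == "forward":
            self.connections.add(forward_key)
        return action


# Constructed rules and packets (private and documentation address ranges).
BASE_RULES = [
    Rule("forward", src="10.0.0.0/8", dport=443, proto="tcp"),  # staff may browse HTTPS
    Rule("notify", dst="10.0.0.0/8", dport=23, proto="tcp"),    # telnet refused, sender told
]
# A stateless filter needs a further rule to let the HTTPS replies back in.
STATELESS_RULES = BASE_RULES + [Rule("forward", dst="10.0.0.0/8", sport=443, proto="tcp")]

OUTBOUND = Packet("10.0.0.5", 50000, "203.0.113.10", 443, "tcp")
REPLY = Packet("203.0.113.10", 443, "10.0.0.5", 50000, "tcp")
UNSOLICITED = Packet("198.51.100.7", 443, "10.0.0.9", 3389, "tcp")  # no matching request
TELNET = Packet("198.51.100.7", 40000, "10.0.0.9", 23, "tcp")


def compare():
    """Return {packet name: (stateless decision, stateful decision)}."""
    stateful = StatefulFilter(BASE_RULES)
    packets = [("outbound", OUTBOUND), ("reply", REPLY),
               ("unsolicited", UNSOLICITED), ("telnet", TELNET)]
    return {name: (packet_filter(pkt, STATELESS_RULES), stateful.check(pkt))
            for name, pkt in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:12} stateless={stateless:8} stateful={stateful}")
```

The stateless reply rule has to admit any inbound packet with source port 443, so it forwards the unsolicited packet; the stateful filter forwards only the reply that matches a connection it has already seen.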
An example of an open source network intrusion and detection system is Snort – this combines
signature-based, protocol-based and anomaly-based inspection methods.37
n network-based systems – where the intrusion detection system monitors traffic, identifies
malicious packets and prevents network intrusion, and reports on suspicious and/or atypical
activity, or
n host-based systems – where the intrusion detection system is installed on network servers to
identify activity and anomalies and report on server specific problems or activity.
n passive detection systems – where the system detects a potential security breach, logs the
information and signals an alert, or
n reactive detection systems – where the system responds to the suspicious activity by either:
l logging off a user to prevent further suspicious activity, or
l reprogramming the firewall to block network traffic from the suspected malicious source.
n misuse detection systems – where the intrusion detection system analyses the information
gathered and compares it to a large database of attack signatures; that is the intrusion
detection system monitors for specific known attacks which have already been documented, or
n anomaly detection systems – where the intrusion detection system uses a pre-defined baseline
or normal state of a network’s traffic load, breakdown, protocol and typical packet size,
and monitors network segments to compare their state to the normal baseline to detect
anomalies.
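Misuse detection and anomaly detection side by side, as an added example that is not taken from the book: one function matches payloads against a small signature database, the other compares a monitoring window with a baseline of traffic load, packet size and protocol breakdown. The signatures, traffic windows, threshold and function names are all constructed for illustration.

```python
import statistics
from collections import Counter

# Constructed signature database: name -> byte pattern of an already documented attack.
SIGNATURES = {
    "directory-traversal": b"../../",
    "eicar-test-file": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}


def misuse_alerts(window):
    """Misuse detection: report every known signature seen in the window's payloads."""
    return sorted({name for pkt in window
                   for name, pattern in SIGNATURES.items() if pattern in pkt["payload"]})


def profile(window):
    """Summarise a window by traffic load, typical packet size and protocol breakdown."""
    protocols = Counter(pkt["proto"] for pkt in window)
    return {
        "load": len(window),
        "mean_size": statistics.mean(pkt["size"] for pkt in window),
        "udp_share": protocols["udp"] / len(window),
    }


def build_baseline(normal_windows):
    """Normal state of the network: mean and standard deviation of each metric."""
    profiles = [profile(w) for w in normal_windows]
    return {metric: (statistics.mean(p[metric] for p in profiles),
                     statistics.stdev(p[metric] for p in profiles))
            for metric in profiles[0]}


def anomaly_alerts(window, baseline, k=3.0):
    """Anomaly detection: report metrics more than k standard deviations from baseline."""
    observed = profile(window)
    return sorted(metric for metric, (mean, stdev) in baseline.items()
                  if abs(observed[metric] - mean) > k * stdev)


def make_window(n_tcp, n_udp, size, payload=b"GET /index.html"):
    """Constructed sample traffic: n_tcp + n_udp packets of one size."""
    return ([{"proto": "tcp", "size": size, "payload": payload}] * n_tcp
            + [{"proto": "udp", "size": size, "payload": b""}] * n_udp)


# Five constructed windows of ordinary traffic define the baseline.
NORMAL = [make_window(90, 10, 500), make_window(95, 9, 520), make_window(88, 12, 480),
          make_window(92, 10, 510), make_window(91, 11, 490)]
BASELINE = build_baseline(NORMAL)

# A documented attack hidden in otherwise ordinary traffic.
KNOWN_ATTACK = make_window(91, 10, 500) + [
    {"proto": "tcp", "size": 500, "payload": b"GET /../../etc/passwd"}]
# Unusual traffic that matches no signature: many small UDP packets.
NOVEL_FLOOD = make_window(90, 400, 60)

if __name__ == "__main__":
    for name, window in [("known attack", KNOWN_ATTACK), ("novel flood", NOVEL_FLOOD)]:
        print(name, "misuse:", misuse_alerts(window),
              "anomaly:", anomaly_alerts(window, BASELINE))
```

Each method misses what the other catches here: the signature match fires on the documented attack that leaves the traffic profile unchanged, while the baseline comparison fires on the undocumented flood.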
Encryption
Cryptography38 is the study of alternative means of converting data/information from a
comprehensible format into an incomprehensible format, the aim being to render the data/
information unreadable to anyone without a special knowledge of the conversion process. It
is this conversion process that is known as encryption – a process designed not only to
ensure secrecy but, in a contemporary context, ensure and maintain security, especially in
the communication of confidential, sensitive and highly valuable data/information where it
is important to be able to verify both the integrity and authenticity of a message.
In a contemporary context, there are two different types of encryption:
In a symmetric key algorithm (or secret key cryptography) both the sender of the message/
communication and the receiver of the message/communication possess a shared secret key – the
same shared secret key. The sender uses the secret key to encrypt the message/communication,
whereas the receiver uses the secret key to decrypt the message/communication. Many of the
early classical ciphers40 used a symmetric key algorithm (or secret key cryptography), examples
of which would include:
n a substitution cipher,41
n a transposition cipher,42
n a product cipher,43
n a block cipher,44 and/or
n a stream cipher.45
In an asymmetric key algorithm (or public key cryptography) there are two separate keys:
n a public key which is published and available to the public and therefore enables any sender
to encrypt a message/communication, and
n a private key which is kept secret by the receiver and enables only the receiver to decrypt the
message/communication.
Common asymmetric algorithms include:
n RSA (Rivest-Shamir-Adleman) encryption, and
n elliptic curve cryptography.
Examples of the current uses of an asymmetric key algorithm (or public key cryptography) in
e-commerce would include:
n Secure Sockets Layer (SSL) encryption, and
n Secure Electronic Transactions (SET) encryption.
Digital certificates
Digital certification is a security technique that encrypts a digital certificate containing a unique
key onto a client computer system/network.
A digital certificate is an electronic file that can be used as a means of identification and
authentication. Such certificates are the digital equivalent of positive identification and are based
on public key cryptography which, as we have seen, uses a pair of keys (private and public) for
encryption and decryption.
In essence, the digital certificate contains ‘the public key linked to the personal identification
(ID) of the certificate holder,’ (Slay and Koronios, 2006: 149). To be valid, such digital certificates
require the digital signature and the endorsement of a certification authority, for example:
n Verisign Ltd @ www.verisign.co.uk, or
n Comodo Group @ www.comodogroup.com.
n knowledge-based – that is authentication based on something the user knows, for example a
password, phrase or a Personal Identification Number (PIN).
Such authentication procedures/systems are increasingly used where it is important to control
user access. For example authentication systems are commonly used for controlling ATM
transactions and/or managing/controlling access to internet banking facilities, with many
authentication systems often involving a combination of attribute/possession/knowledge-based
authentication methods. See Article 13.6.
Article 13.6
approach of strengthening the front door,’ she said. By using software to analyse where a customer is
physically logged-in and by identifying behavioural usage patterns, banks should be able to detect
anomalies and spot criminals trying to access accounts from other countries, she says. Timms agrees:
‘The Access Code Device is one part of our overall strategy; we are also doing a lot with transaction
monitoring and that has already been very successful for us.’
But online fraud is still less of a concern to the industry compared with the potential financial losses
if worried internet customers switch back to more costly high-street and telephone banking services.
So long as this concern remains prevalent, banks are likely to stay focused on high-profile,
public-facing security projects, rather than just behind the scenes intelligence systems.
Anti fraud . . . in 30 seconds
How does two-factor authentication work?
Banks are developing two-factor authentication technology to tackle identity theft and internet fraud.
Although approaches vary from bank to bank, the technology relies on two things: something you know,
such as a password or PIN, and something you have, such as a computer or token. Some 15 million
Bank of America customers in the US authenticate themselves using the PassMark system adopted
by Alliance & Leicester. In Brazil and the Asia-Pacific region, HSBC has been testing key-ring sized
tokens that generate a unique code for users to enter when they log in. In Sweden, the government is
working with the banking industry to develop BankID, a digital signature system to verify transactions.
Thales’ SafeSign technology is currently used by nine banks and more than 600,000 people. In the UK,
three technologies are being explored: Alliance & Leicester is using the computer as the authenticator;
Lloyds TSB is testing key-ring sized tokens; and industry group Apacs is developing a card reader.
In Finland, Nordea Bank issues customers with sheets of paper containing one-off passcodes that
consumers scratch off each time they log on.
Source: 23 March 2006, Daniel Thomas, Computing,
www.computing.co.uk/computing/analysis/2152546/banks-double-security.
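The combination of knowledge-based and possession-based authentication described above, as an added example that is not taken from the book or the article: a bank-side login check that requires both a PIN and a one-time token code. It assumes a counter-based token following RFC 4226 (HOTP); the article does not say which algorithm the banks' tokens use, and the class name, PIN, look-ahead window and lockout limit are constructed.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code derived from a shared token secret and a counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Bank-side record: a salted PIN hash (knowledge) and a token secret (possession)."""

    def __init__(self, pin: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash(pin)
        self.token_secret = token_secret
        self.counter = 0        # next token counter the bank expects
        self.failures = 0

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def login(self, pin: str, code: str, window: int = 3, max_failures: int = 3) -> str:
        if self.failures >= max_failures:
            return "locked"                       # stops repeated guessing of either factor
        pin_ok = hmac.compare_digest(self._hash(pin), self.pin_hash)
        matched = None
        # Look a few counters ahead in case the user pressed the token without logging in.
        for counter in range(self.counter, self.counter + window):
            expected = hotp(self.token_secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = counter
        if pin_ok and matched is not None:
            self.counter = matched + 1            # every code is accepted at most once
            self.failures = 0
            return "ok"
        self.failures += 1
        return "denied"


def demo():
    """Four constructed login attempts against one account."""
    secret = b"12345678901234567890"              # RFC 4226 test secret, not a real key
    account = Account(pin="4921", token_secret=secret)
    codes = [hotp(secret, c) for c in range(3)]
    return [
        account.login("4921", codes[0]),          # both factors correct
        account.login("4921", codes[0]),          # same code replayed
        account.login("0000", codes[1]),          # valid token code, wrong PIN
        account.login("4921", codes[2]),          # token pressed once without logging in
    ]


if __name__ == "__main__":
    print(demo())
```

A captured code is useless once it has been accepted, and a stolen token is useless without the PIN, which is the point of requiring both factors.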
Vulnerability scanners are software programs designed to test for ‘known’ security defects.
Because such scanners can only test for existing and ‘known’ faults – much like virus scanners
– such vulnerability scanners require constant updating with the latest version. A number of
vulnerability scanners exist, including:
n ISS (Internet Security Scanner) @ http://www.b2net.co.uk,
n Nessus @ http://www.nessus.org, and
n CyberCop @ http://www.cybercop.co.uk.
Issues relating to the unauthorised modification of computer material and the unauthorised
access with intent to commit or facilitate the commission of further offences will be discussed
later.
In relation to unauthorised access to computerised material, s1 of the Act makes it an
offence for any person and/or persons to cause a computer to perform any function with intent
to secure unauthorised access to any program or data file held in a computer. That is the Act
makes it a criminal offence to access a computing system/network unless authorised to do
so. The Act clarifies the term ‘unauthorised access’ as including the altering, erasing, copying
and/or moving of programs and/or data files to another storage medium other than that in
which it is held (s17(2)).
Section 1 of the Act (and following the Computer Misuse Act 1990 (Amendment) Act 2005)
makes the activity of hacking and/or cracking a criminal offence and a person found guilty of
such an offence is liable:
n on summary conviction, to imprisonment for a term not exceeding six months or to a fine
not exceeding the statutory maximum or to both, and
n on conviction on indictment, to imprisonment for a term not exceeding two years or to a
fine or to both.
This offence also covers the introduction of harmful worms and viruses to a computer network/
system.
Section 17(7) of the Act provides that a modification occurs if by the operation of any
function of any program on a computer system/network
n any program or data file held in the computer system/network is altered or erased, or
n any program or data file in the computer system/network is added to.
In addition, s17(8) of the Act provides that a modification is unauthorised if the person and/or
group of persons promoting the modification is:
n not entitled to determine whether the modification should be made, and/or
n does not possess the requisite consent/authority to undertake the modification
In addition, any person and/or persons found guilty of an offence under s3 of the Act is,
following the Computer Misuse Act 1990 (Amendment) Act 2005, liable:
n on summary conviction, to imprisonment for a term not exceeding six months or to a fine
not exceeding the statutory maximum or to both, and
n on conviction on indictment, to imprisonment for a term not exceeding five years or to a
fine or to both.
n companies often believe the potential adverse publicity surrounding the disclosure of such
events/occurrences could have disastrous commercial consequences and harm the future
prospects of the company.
Section 2 of the Computer Misuse Act 1990 makes it a criminal offence for any person and/or
persons to gain unauthorised access to a computer system, network, program and/or data file
held in a computer with the intention of:
n promoting a denial of service, and/or
n committing or facilitating the commission of further offences.
Any person, and/or persons found guilty of an offence under s2 of the Act is, following the
Computer Misuse Act 1990 (Amendment) Act 2005, liable:
n on summary conviction, to imprisonment for a term not exceeding six months or to a fine
not exceeding the statutory maximum or to both, and
n on conviction on indictment, to imprisonment for a term not exceeding two years or to a
fine or to both.
Viruses
A computer virus is a computer program which invades, replicates and/or attaches itself to a
program or data file. It is essentially a software program capable of unsolicited self-reproduction/
self-replication that can disrupt, modify and/or corrupt data files and/or other program files
without human assistance, causing substantial damage to a computer system. The two key
aspects of a virus are self-execution and self-replication.
Although many types of viruses exist they can be categorised into perhaps six main (although
by no means definitive) categories:
n A macro virus – these viruses normally attach themselves to features within standard
computing applications to perform unexpected tasks, for example moving data and/or inserting
text and numbers – recent examples include DMV, nuclear and word concept.
n A file virus/program virus – these viruses normally attach themselves to files and affect the
operations of program files. They infect executable program files46 which are stored in the
computer memory during execution. The virus becomes active in memory, making copies
of itself and infecting files in the system memory – recent examples include Sunday and
Cascade.
n A boot sector virus – these virus infections normally lie dormant and become active when a
particular system/computer operation is started – recent examples include form, disk killer,
michelangelo and stone virus.
n A multipartite virus – these are a hybrid of program and boot viruses, which initially infect
program files that when executed infect the boot record – recent examples include invader,
flip and tequila.
n A stealth virus – these viruses actively seek to conceal themselves from discovery or
proactively defend themselves against attempts to analyse or remove them – recent examples
include frodo, joshi, whale.
n A polymorphic virus47 – these alter their codes to avoid being detected by anti-virus
programs. Such viruses encrypt themselves differently every time they infect a system/network,
making it harder to track and prevent them – recent examples include stimulate, cascade,
phoenix, evil, proud, virus 101.
Worms
A worm is a virus-like program that is designed to replicate and spread throughout a
computer system/network. Such programs usually hide within application-based files (e.g. Word
documents/Excel files), and can:
n delete and/or amend data,
n migrate rapidly through a computer system/network, and/or
n incapacitate particular data files and software programs,
Article 13.7
Trojan horses
A trojan horse is a malicious program (often hidden and/or disguised), which when activated
can result in the loss, damage, destruction and/or theft of data. Unlike a worm (or indeed any
other virus), a trojan horse cannot self-replicate. However, such relative impotence does not
minimise the destructive impact a trojan horse can have on a computer system/network. Some
common features/consequences of trojan horse program infection include:
n amending payments (changing payment values),
n initiating unauthorised payments (causing illicit payments to be activated),
n instigating network/system-wide configuration changes,
n distributing confidential security information to external third parties (e.g. user names and
access passwords), and
n providing unauthorised access pathways to external third parties (usually known as
backdoors and trapdoors).
See Article 13.8.
Article 13.8
Perhaps worthy of note here is the term ‘logic bomb’. This term is derived from the malicious
actions such a program can effect when triggered. A logic bomb is, in effect, a type of trojan
horse, one which is placed within a computer system/network with the intention of it executing
a predetermined set of actions when some triggering condition occurs. Such a triggering
condition could be, for example:
Viruses/infections are usually disguised as, and/or attached to, something else. For example:
n a software update/release,
n an e-mail and/or e-mail attachment, and/or
n an internet download.
Whilst the impact of any virus and/or infection can and will vary depending on its origin and
nature, the consequences of any infestation can range from:
n mild system irritation – for example computer crashes, unauthorised movement of data
and/or files, and/or overloaded network servers,
n temporary loss of data integrity – for example changing data fields and file content and/or
the unauthorised release of data files,
n complete loss of computing resource – for example loss of systems partitions (organisation
of disc space), to
n significant loss of corporate assets – for example theft of financial resources.
There are many ways a company/organisation can seek to minimise the potential risk of virus
infection. These strategies include:
n promoting environment security and user vigilance, and
n adopting and using appropriate and up-to-date virus defence software and, where
appropriate, software security patches and/or hotfixes.
It is also important for a company to possess a clear and definitive virus defence strategy detailing:
n the deployment of virus software,48
n procedures/mechanisms for updating virus defence software,49
n isolation procedures/policies if an infection event occurs, and
n the post-event recovery procedures.
Whilst the above can represent a substantial cost, there can be little doubt that whatever the cost(s)
incurred for virus prevention, such costs are in the long-term small compared to the possible
costs and associated consequences of dealing with and recovering from a virus infection. They
include costs relating to:
n the eradication of the virus and/or infection,
n the organisation of any clean-up operation, and
n the installation of procedures to ensure no potential re-infestation.
Spyware
Spyware can be defined as any malicious software that covertly gathers user information through
an internet connection without the user’s knowledge and/or consent. It is similar to a trojan
horse inasmuch as it is usually packaged as a hidden component of, for example:
n a downloaded freeware and/or shareware program,50 and/or
n a downloaded peer-to-peer file.
So, can the existence of spyware be detected? Indirectly, yes! For example:
n the frequent malfunction of computer processes – including computer crashes,
n the occurrence of unauthorised changes to web browser specifications,
n the appearance of extra toolbar facilities,
n the frequent appearance of pop-up advertisements – usually adult-related, and
n the failure of established internet links (hyperlinks),
all suggest (although not conclusively) the existence of spyware.
Anti-spyware software is now crucial to maintaining the security of a system/computer
network. It searches for evidence of spyware within a computer/computer network and deletes
any spyware detected. A wide range of anti-spyware software is now available, for example:
n Windows anti-spyware – available @
www.microsoft.com/athome/security/spyware/software/default.mspx, and
n Spybot: search and destroy – available @ http://www.safer-networking.org/en/download.
Adware
Adware (or advertising-supported software) is a software program which automatically plays,
displays or downloads pop-up advertising material to a computer/computer system.
There are essentially two types of adware:
n passive adware – that is adware attached to a legitimate software program, the purpose being
to promote and advertise other legitimate software programs and/or related products, and
n active adware – that is adware which takes the form of either:
l spyware which tracks user activity, often without consent, or
l malware which interferes with the function of other software applications.
As with spyware, the solution is to use anti-adware software, for example Ad-Aware SE available
@ www.lavasoft.de/ms/index.htm.
Concluding comments
There can be little doubt that as businesses (in particular corporate businesses) seek to employ
a growing arsenal of computer-based technologies in the name of corporate efficiency and the
never-ending search for greater profitability and increased competitive advantage, the potential
risk of fraud (especially computer assisted fraud), and the threat of computer crime in terms of:
n the increasing incidence of security breaches, virus infections and disruptive software,
n the growing occurrences of information systems misuse,
n the increasing frequency of unauthorised access attempts,
n the growing incidence of theft and fraud involving computer systems/networks, and
n the increasing levels of systems/network failure/data corruption,
remain both a growing and ever-present danger, whose consequences can range from:
n minor business disruption and damage to business reputation, to
n substantial data corruption, major loss of business capabilities and significant direct financial
loss.
See for example Article 13.9.
Article 13.9
Perhaps there is no single solution – no single correct strategy – but merely a series of alternative
(some would say commonsense) practices and procedures that can be adopted to protect
and secure assets, resources and technologies from abuse and/or misuse.
Clearly, the ever-changing technology demands of the business environment/marketplace
require/demand:
n an increasing understanding of technology and technology management but, more
importantly,
n a greater awareness of the importance of security and, of course, a willingness to invest in
system/network security.
Implicit in each of the above requirements is the need for businesses, and in particular companies,
to ensure that:
n adequate employee training regarding fraud and computer crime is available/undertaken,
n appropriate updated anti-virus software and other hardware and/or software protection
technologies are used,
n appropriate write/protect procedures and protocols are adopted,
n data/file back-ups of all essential data and programs are maintained,
n access to computer systems/networks is appropriately monitored and controlled, and
n common sense is applied.
Even the most elaborate frauds/business scams have been revealed by nothing more than
employee intuition and basic common sense. See Article 13.10.
Article 13.10
References
Abercrombie, N., Hill, T. and Turner, B. (1984) Dictionary of Sociology, Penguin, Harmondsworth.
Audit Commission (2001) yourbusiness@risk: an update on IT abuse 2001, Audit Commission
publications, Wetherby.
Beck, U. (1992) Risk Society – Towards a new modernity, Sage, London.
Beck, U. (1994) ‘The reinvention of politics: towards a theory of reflexive modernization’, in
Beck, U., Giddens, A. and Lash, S. (eds) Reflexive Modernization – Politics, tradition and aesthetics
in the modern social order, Stanford University Press, Stanford.
Beck, U., Bonss, W. and Lau, C. (2003) ‘The Theory of Reflexive Modernization: Problematic,
Hypotheses and Research Programme’, Theory, Culture and Society, 20(2).
Beck, U., Giddens, A. and Lash, S. (1994) Reflexive modernization: Politics, Tradition and Aesthetics in
the Modern Social Order, Stanford University Press, Stanford.
Berger, P.L. and Luckmann, T. (1966) The Social Construction of Reality: A Treatise in the Sociology of
Knowledge, Anchor Books, New York.
Department of Trade and Industry and PricewaterhouseCoopers LLP (2004) Information Security
Breaches Survey 2004 Technical Report, DTI, London.
Home Office (2004) Counting Rules for Recording Crime, HMSO, London.
McClure, S., Scambray, J. and Kutz, G. (2005) Hacking exposed: Network Security, Secrets, and
Solutions, McGraw-Hill, San Francisco.
Slay, J. and Koronios, A. (2006) Information Technology security and risk management, Wiley, Milton,
Queensland.
Weyman, A. and Kelly, C. (1999) Risk Perception and Communication: a review of the literature,
Health and Safety Executive, Research Report 248/99.
Zinn, J. (2004) Working paper 2 Literature Review: Economics and Risk, Social Contexts Responses
to Risk (SCARR) Network, University of Kent, Kent.
Bibliography
Websites
McAfee: www.mcafee.com
Messagelabs: www.messagelabs.com
Mimesweeper: www.mimesweeper.com
Network Associates: www.networkassociates.com
Sophos: www.sophos.com
Symantec: www.symantec.com
TrendMicro: www.trendmicro.com
Vmyths: www.vmyths.com
Microsoft: http://windowsupdate.microsoft.com.
Solaris Fixes: www.sun.com/software/security
Other websites
Other websites on which you may find helpful articles about risk, fraud and computer crime
include:
Internet storm centre: www.isc.sans.org
Computer Weekly news and reports: www.computerweekly.com
Computer news: www.theregister.co.uk
The Financial Times: www.ft.com
The Guardian: www.guardian.co.uk
Self-review questions
1. Briefly explain the precautionary principle and distinguish between weak form precaution,
moderate form precaution and strong form precaution.
2. Distinguish between event/activity-based risk and resource/asset-based risk.
3. What are the three main factors that determine the degree of risk exposure a company
may face?
4. What is the purpose of BS7799 Part 1 and ISO/IEC 17799?
5. Define the term ‘fraud’ and describe/explain the illegal acts normally associated with the
term.
6. Briefly explain the main differences between a virus, a worm and a trojan horse.
7. Distinguish between preventative controls, detective controls and recovery controls.
8. What are the main categories of computer crime?
9. What is meant by the term ‘phishing’?
10. Why would a company normally deploy virus defence software at three hierarchical
levels – the internet gateway level, the network server level and the desktop/workstation
level?
Question 1
During a recent computer system/network review of HaTiMu Ltd, the following issues were identified:
• computer staff are allowed unrestricted and unmonitored access to the internet,
• all company staff are allowed free access to the offices in which the main computer facilities are located,
• access to software programs is restricted by the use of a company password which is posted on the
company’s intranet site (for security purposes the password is changed every three months),
• all e-mails are monitored for key words (attachments to e-mails are not monitored).
Required
Identify a risk exposure that each of the above issues presents. For each of the above, give an example of the
security procedure/control protocol that should exist and list one or more factors that could cause the risk
exposure to be relatively high.
Question 2
The business environment of the early 21st century continues to change with increasing vigour. The growth
of e-commerce and e-retailing and the use of the internet for the movement of goods, services and information
has clearly promoted a greater interconnectivity. An interconnectivity that has not only opened up and
created enormous business opportunities, but has also increased the exposure of UK businesses, in particular
UK companies, to previously unknown levels of risks and security threats, the costs and consequences of
which have been and indeed continue to be significant (see DTI (2004)).
Required
For a UK-based retail company, critically evaluate (with specific reference to the company’s accounting
information system and related systems) the type and nature of risk and security threats such a company
faces and the control procedures and security strategy/measures that such a company might employ to
protect itself against such risks and threats.
Question 3
Sentel plc is a UK financial services company with offices in the south-east and north-west of England. In total
the company has five offices in the south-east of England and six in the north-west. It currently employs
97 staff. The company has been trading successfully for 17 years. For the year ending 31 December 2005 the
company’s fee income was £18.4m and its net profit for the year was £10.1m. During 2006, however, Sentel’s
computer system/network was targeted by a number of UK-based groups attempting to gain unauthorised
access to the company’s system/network and steal confidential client information. During May 2006 the
company computer system/network was severely infected by a polymorphic virus and on 6 May 2006 the
computer system/network suffered a complete systems failure resulting in company losses of approximately
£655,000.
Required
Explain the main prevention strategies and technology tools a company like Sentel plc could adopt/use to
prevent or at least manage unauthorised access and virus infection.
Question 4
You have recently been appointed as a trainee chartered accountant at Shuster Whitehouse LLP, a Manchester-
based accounting partnership. Following your induction, a senior partner has asked you to undertake a
risk review of the computer-based accounting information system of Bepolo Ltd. The company is a small
local electrical retail company with an annual turnover of £1.2m and an annual net profit of approximately
£700,000.
Required
Describe and explain:
• the primary and secondary sources of risk, and
• the main types of risk,
a small local retail company such as Bepolo Ltd would be subject to.
Question 5
Fraud can be defined as the use of deception with the intention of obtaining an advantage, avoiding an
obligation or causing loss to another party.
Although there are many types of fraud, the following – although not exclusively restricted to technology-
based issues – nevertheless rely heavily on remote communication (often via the internet) to further the aim of
the fraud.
Required
Distinguish between computer assisted fraud and computer related fraud, and describe and explain each of
the following types of fraud:
• false billing,
• financial (funds) fraud,
• advanced fee frauds, and
• identity theft.
Briefly explain the strategies a company could adopt to minimise the potential impact of fraud on its
commercial and business-related activities.
Assignments
Question 1
Biloce Ltd is an established retail company located in the south-east of England. The company has been
operating successfully for over 35 years with the late 1980s and early 1990s in particular being a period of
rapid growth and expansion both in market share and profitability. The company is currently in the process
of consolidating its market position and is seeking to enhance its accounting information system by the
introduction of an upgraded computing network and an extensive web-based e-commerce facility.
The managing director of Biloce Ltd is, however, concerned that the proposed accounting information system
development may introduce an unacceptable level of risk into the company’s operations. His concerns
have been aroused by recent press articles and academic studies that have alluded to a dramatic growth
in computer crime in the retail sector over the past 10 years. He is particularly concerned about potential
exposure to computer virus infection.
Required
Prepare a brief report for the managing director of Biloce Ltd addressing his concerns. In your report you must:
• Clearly define the term ‘computer crime’ and describe the various categories of computer crime.
• Describe the main types of computer virus and describe the risks such computer viruses present to a retail
company such as Biloce Ltd.
• Explain the possible courses of action Biloce Ltd could take to minimise risk exposure to computer crime,
in particular risk exposure to computer virus infection.
Question 2
Jessica Leigh and Christopher James were both undergraduate students at the University of Hull studying for
a BSc in Computing. Not only were Jessica and Christopher potential first class honours students, they were
also highly skilled computer hackers, collectively known among their friends as ‘Matrix’.
At a recent high-profile trial, both Jessica and Christopher were found guilty of six offences of corporate
espionage and extortion. In January 2002 they were both sentenced to eight years in prison.
Their illegal activities began shortly after Jessica and Christopher had both completed a six-month undergraduate
work placement during 2001. They were both employed at Dia-gen UK Plc, a computer software
developer. By accident, they both came across confidential information containing software codes for an
advanced computer operating system which Dia-gen Plc was developing with Intec Inc., an American-based
development think tank.
In order to profit from this information, Jessica distributed the stolen software codes on the black market
and Christopher placed a trojan horse, designed to trap and save passwords, in the software code’s log-on
procedure. They also made modified codes available to other hackers by setting up a home page on
the web.
Finally, Christopher inserted the modified code into Dia-gen’s computer system and obtained a range of
passwords relating to sensitive development files, using them to access information in the files, information
which Jessica then sold via the web.
Over a four-month period Jessica and Christopher sold confidential information about Dia-gen Plc and Intec
Inc. products for approximately £1.5m.
Required
(a) Discuss the nature of the risk exposure illustrated by this situation.
(b) What are the similarities and differences between a trojan horse and a computer virus?
(c) Identify in broad terms several control procedures and security measures that a company might employ
to protect itself against such activities.
Chapter endnotes
1
Businesses are concerned with a narrow and somewhat absolutist perception of risk – a
perception bounded by the need for technical assessment and statistical analysis.
2
The term ‘probability’, derived from the Latin word probare (to prove or to test) is used in
preference to possibility or possibilities. Informally, the word probable is one of several words
applied to uncertain events or knowledge, being more or less interchangeable with likely, risky,
hazardous, uncertain and doubtful, depending on the context.
3
See also Beck (1992).
4
The term ‘economisation of uncertainty’ is used here to emphasise how economic literature
presupposes that ‘there is an objective (potentially) measurable risk and assumes that the decision
on how to reduce this risk can be made rationally on the ground of statistical methods . . . (or)
. . . the objective statistical reduction of risk’ (Zinn, 2004: 3).
5
There is a range of approaches used to conceptualise risk. For example, whereas the actuarial
approach would seek to use past data to extrapolate and forecast future trends, the epidemiological
approach would use modelling to explore causality and attempt to identify and quantify
the relationship between exposure to a hazard and outcome. Likewise, where the engineering
approach would seek to use probabilistic analysis to identify cause and consequence, the
economic approach would use cost-benefit analysis and seek to balance possible gains with
possible risks whilst assuming that participants are rational, economic actors interested solely
in maximising gains. And finally, whereas the psychological approach would use heuristics
(rules of thumb) to focus on personal preferences and seek to identify alternative perceptions
of risk, the cultural approach would seek to view risk as a social construct and explore
responses to and perceptions of risk as determined by cultural belief patterns and/or socially
imposed filters.
6
Social constructionism is an idea/notion that reality is constructed uniquely by each person
and/or group of persons – that reality is an invention or artifact of a particular culture or society
(see Berger and Luckmann (1966)).
7
The theorists of reflexivity suggest that modernity has begun to modernise its own foundations.
It has become directed at itself (see Beck et al. (2003)), thus the term ‘reflexive modernisation’
means ‘the possibility of a creative (self-)destruction for an entire epoch – that of industrial
society . . . (with) . . . the subject of this creative destruction not the revolution, not the crisis,
but the victory of western modernisation,’ (Beck et al., 1994: 2).
8
The term ‘cultural’ is used here to define the symbolic and learned processes which generate and
sustain norms and values between members of a social group (for example see Abercrombie
et al., 1984: 59).
9
In a contemporary context, trust has emerged as an area of major significance in understanding
risk perceptions and responses and, as suggested by Weyman and Kelly (1999), serves
as a zone of convergence between psychological and socio-cultural approaches to risk.
10
See UNEP (United Nations Environment Programme), Declaration on Environment and
Development, Rio de Janeiro, June 1992.
11
Adapted from Annex 1 Precautionary Principle: Policy and Application, United Kingdom
Interdepartmental Group on Risk Assessment (UK-ILGRA) available @
www.hse.gov.uk/aboutus/meetings/ilgra/pppa.htm.
12
Where unintentional errors occur regularly then they may well hide a deliberate intention to
defraud and/or cause harm or damage.
13
The full text of ISO/IEC 17799 Code of Practice for Information Security can be obtained @
www.iso.ch.
14
The full text of BS 7799-2: 2002 Specification for Information on Security Management can
be obtained @ www.bsi-global.com.
15
See Information Security: BS 7799 and the Data Protection Act (2004) Department of Trade
and Industry – available @ www.dti.gov.uk.
16
Oxford English Dictionary (1991) Edmund S. Weiner, and Simpson, J. (eds), Oxford University
Press, Oxford.
17
In the UK the SFO is an independent government department responsible for investigating
and prosecuting serious or complex fraud. The key criterion used by the SFO in deciding
whether to accept a case is that the suspected fraud should appear to be so serious or complex
that its investigation should be carried out by those responsible for its prosecution. The factors
generally considered are:
• Does the value of the alleged fraud exceed £1 million?
• Is there a significant international dimension?
• Is the case likely to be of widespread public concern?
• Does the case require highly specialised knowledge, for example of financial markets?
• Is there a need to use the SFO’s special powers, such as s2 of the Criminal Justice Act?
The SFO does not have jurisdiction over Scotland, the Isle of Man and/or the Channel Islands.
18
Although the distinction is by no means widely accepted, in a broad context, a computer
assisted fraud is a fraud and/or fraudulent act in which the use of a computer and/or a computer
system/network is central to the fraud, whereas a computer-related fraud is a fraud
and/or fraudulent act in which the use of a computer and/or a computer system/network is
coincidental.
19
A DoS attack is a type of cyber crime – it prevents a target computer, computer systems and/or
computer network from accessing a network resource. See www.mynetsec.com/html/security.htm.
20
The National Hi-Tech Crime Unit, part of the National Crime Squad, was created in April 2001.
The NHTCU works to combat national and transnational serious and organised hi-tech crime
both within, or which impacts upon, the UK. A multi-agency unit, it has staff seconded from:
• the National Crime Squad (NCS),
• the National Criminal Intelligence Service (NCIS),
• Her Majesty’s Customs and Excise Law Enforcement and Investigation (HMC&E),
• the Intelligence Agencies, and
• the military armed forces.
The work of the unit is broadly divided into six key disciplines:
• tactical and technical support,
• intelligence,
• operations,
• digital evidence recovery,
• crime reduction, and
• industry liaison.
Crimes targeted include:
• fraud,
• denial of service attacks,
• blackmail and extortion,
• online child abuse,
• hacking and virus attacks,
• software piracy, and
• class A drug trafficking.
21
See www.nhtcu.org.
22
Cryptography encrypts documents or messages and seeks to ensure they remain confidential,
and such encryption can be used as a basis for an electronic signature.
23
An electronic signature is associated with an electronic document and seeks to confirm the
authenticity of the document/communication.
24
See Information Security: Guide to Electronic Communications Act 2000 (2004) Department of
Trade and Industry – available @ www.dti.gov.uk.
25
See Information Security Breaches Survey 2006 Technical Report (April 2006), PricewaterhouseCoopers
and Department of Trade and Industry – available @
http://www.enisa.eu.int/doc/pdf/studies/dtiisbs2006.pdf.
26
The Information Security Breaches Survey 2006 Technical Report (April 2006), categorises UK
businesses as follows:
• a small UK business is a business with 1–49 employees,
• a medium UK business is a business with 50–249 employees, and
• a large UK business is a business with 250+ employees.
Available @ http://www.enisa.eu.int/doc/pdf/studies/dtiisbs2006.pdf.
27
See Information Security Breaches Survey 2006 Technical Report (April 2006), PricewaterhouseCoopers
and Department of Trade and Industry – available @
http://www.enisa.eu.int/doc/pdf/studies/dtiisbs2006.pdf.
28
KPMG Fraud Survey available @ www.us.kpmg.com.
29
A content checker filters incoming and outgoing e-mail messages and attachments for
specific words and phrases to ascertain whether given file types are present. Messages can also
be filtered to limit the size of e-mails.
30
Monitoring staff usage of corporate information technology is a controversial issue with
a fine balance being struck between the corporate need to prevent crime and the employee’s
human rights. The following legislation must be considered where the monitoring of employee
e-mails is being considered:
• the Human Rights Act 1998,
• the Data Protection Act 1998 (specifically the Data Protection Monitoring at Work section
and Part 1 (Vetting & Personnel)),
• the Regulation of Investigatory Powers Act 2000,
• the Telecommunications (Lawful Business Practice) (Interception of Communications)
Regulations 2000.
31
Penetration testing is often characterised by simulating an attack by an unauthorised and
malicious hacker/cracker to identify security weaknesses.
32
Crackers often like to describe themselves as hackers. Cracking normally relies on persistence
and repetition of a handful of fairly well-known tricks to exploit the security weaknesses of
target computer systems/networks. See www.infosec.gov.hk/engtext/general/glossary.htm.
33
For example an external network such as the internet may be regarded as a region of little or
no trust, whereas an internal network may be regarded as a region of high trust.
34
In an information and communication technology context, the principle of minimal privilege
(also known as the principle of least authority) requires that in granting privileges, authority,
and/or access, only that level of privileges, authority and/or access which will permit legitimate
and effective action to occur should be granted. That is, excessive privileges, authority and/or
access should not be granted to an individual, and/or group of individuals where they are not
required for that individual and/or groups of individuals to undertake their duties and activities
effectively and efficiently.
35
A stateless firewall is a firewall that treats each packet in isolation and as such is not able to
determine if a packet is part of an existing connection or part of an attempt to establish a new
connection, or merely an illegitimate rogue packet. Modern firewalls are stateful firewalls
inasmuch as they are connection-aware (or state-aware).
36
See for example Honeynet available @ http://www.activeworx.org/programs/hsc/index.htm.
37
Snort (available @ www.snort.org) is the most widely deployed intrusion detection and prevention
technology worldwide and has become the de facto standard for the industry.
38
From Greek kryptós meaning to hide and gráphein meaning to write.
39
An algorithm is a procedure or a finite set of instructions for accomplishing a particular
task/procedure.
40
A cipher is an algorithm for performing the encryption and decryption process – that is the
series of defined procedures that must be followed during the encryption and decryption process.
41
A substitution cipher is a cipher in which data (e.g. a word or character) are replaced with
other data (e.g. another word or character) in a prearranged manner (Slay and Koronios,
2006: 133).
42
A transposition cipher (sometimes known as a route cipher) is a cipher in which plaintext
is first written out in a grid of given dimensions, then read off (or transposed) in a predetermined
pattern. Variants include columnar transposition, double transposition and disrupted
transposition.
43
A product cipher is a cipher in which a combination of other kinds/types of ciphers is used.
44
A block cipher is a cipher in which the data is divided into defined blocks each of which is
then encrypted independently of other blocks – although in reality often there is some commonality
in the encryption of blocks of data.
45
A stream cipher is a cipher in which data items are encrypted as single data items – one data
item at a time. A substitution cipher is an example of a stream cipher.
46
Such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device
driver).
47
See www.antivirus-software.net/glossary.shtml.
48
In a contemporary context the deployment of virus defence software normally occurs at
three distinct levels:
• the internet gateway level,
• the network server level, and
• the desktop/workstation level.
49
There are three common types of virus defence software:
• scanners,
• check-summers, and
• heuristics.
50
Although not all freeware and/or shareware is infected with hidden spyware!
51
A ‘cookie’ is a message given to a web browser by a web server which is then stored by the
web browser as a text file.
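Endnote 35's distinction between a stateless firewall and a connection-aware one can be made concrete with a toy TCP filter. The following is an added example, not code from the book; the addresses, the port-443 policy, the packet list and the simplified connection states are all constructed assumptions.

```python
"""Toy TCP filter: stateless rules versus a connection-tracking (stateful) filter.
All addresses, ports and packets below are constructed for illustration."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumed internal (high-trust) network
ALLOWED_PORT = 443          # assumed policy: inside hosts may open HTTPS sessions


@dataclass(frozen=True)
class Packet:
    label: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # TCP flags carried by the packet


def pkt(label, src, sport, dst, dport, *flags):
    return Packet(label, src, sport, dst, dport, frozenset(flags))


def inside(addr):
    return addr.startswith(INSIDE_PREFIX)


def stateless_allow(p):
    """Judge each packet in isolation, using only its own header fields."""
    if inside(p.src) and not inside(p.dst):
        return p.dport == ALLOWED_PORT
    if inside(p.dst) and not inside(p.src):
        # Without memory, "ACK is set" is the only available hint that the
        # packet might be a reply to something an inside host started.
        return p.sport == ALLOWED_PORT and "ACK" in p.flags
    return False


class StatefulFirewall:
    """Remember which connections inside hosts opened (simplified state machine)."""

    def __init__(self):
        self.table = {}     # (in_ip, in_port, out_ip, out_port) -> state

    def allow(self, p):
        if inside(p.src) and not inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if key in self.table:
                return self._pass(key, p)
            # Only a bare SYN to the permitted port may create a new entry.
            if p.dport == ALLOWED_PORT and p.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"
                return True
            return False
        if inside(p.dst) and not inside(p.src):
            key = (p.dst, p.dport, p.src, p.sport)
            state = self.table.get(key)
            if state == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return True
            if state == "ESTABLISHED" and "SYN" not in p.flags:
                return self._pass(key, p)
            return False    # no matching connection: rogue packet
        return False

    def _pass(self, key, p):
        # Simplification: a single FIN or RST removes the entry at once.
        if p.flags & {"FIN", "RST"}:
            del self.table[key]
        return True


CLIENT, SERVER, OTHER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
SAMPLE_TRAFFIC = [
    pkt("client opens session", CLIENT, 50000, SERVER, 443, "SYN"),
    pkt("server answers", SERVER, 443, CLIENT, 50000, "SYN", "ACK"),
    pkt("client completes handshake", CLIENT, 50000, SERVER, 443, "ACK"),
    pkt("server sends data", SERVER, 443, CLIENT, 50000, "ACK"),
    pkt("unsolicited ACK, no connection", OTHER, 443, "10.0.0.9", 40000, "ACK"),
    pkt("unsolicited inbound SYN", OTHER, 443, "10.0.0.9", 22, "SYN"),
    pkt("server closes session", SERVER, 443, CLIENT, 50000, "FIN", "ACK"),
    pkt("late ACK after close", SERVER, 443, CLIENT, 50000, "ACK"),
]


def compare(packets):
    """Return (label, stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(p.label, stateless_allow(p), fw.allow(p)) for p in packets]


if __name__ == "__main__":
    for label, stateless, stateful in compare(SAMPLE_TRAFFIC):
        print(f"{label:32} stateless={'pass' if stateless else 'drop'}"
              f"  stateful={'pass' if stateful else 'drop'}")
```

The two filters disagree only on the packets that belong to no live connection: the stateless rules pass them because the header fields look like a reply, while the connection table shows that no inside host ever asked for them.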
Introduction
As with any socially constructed corporate activity, economically designed procedure/
process or politically imposed protocol, internal controls (as a series of processes and procedures)
are neither objective nor neutral. That is, all aspects, procedures and processes
associated with the notion of internal control are coloured by an unacknowledged affinity
with the legitimation of what we have previously characterised as the priorities of capital,
whose primary raison d’être¹ is sustaining the tradition of economic liberalism as the
dominant regime of truth.
What is internal control? As suggested in Chapter 6, internal control comprises all
the management processes designed to provide reasonable assurance that the objectives
of reliable financial reporting, effective and efficient operations, and compliance with laws
and regulations are achieved.
Such internal control includes all procedures, processes and protocols – financial and
otherwise – established by the management of a company or indeed any organisation, to
ensure that:
Although we will explore the notion/definition of internal control in more detail later in this
chapter, clearly the term internal control is an enclosing definition. It is a term used to
signify a variety of processes and procedures designed to perpetuate a precept of perceived
authority which is actively managed through:
Chapter 14 Internal control and systems security: minimising loss and preventing disaster
• the socio-political issues associated with internal control (and systems security),
• the alternative types/forms of internal control procedures and processes a company
may adopt to minimise systems risk and ensure the physical security of resources,
data/information and system networks,
• the on-going reciprocal relationship between information and communication technologies
on internal control (and system security), and
• the problems and issues associated with information and communication enabled
business processes and procedures.
Learning outcomes
As suggested earlier, internal control comprises the processes and/or procedures within a company
designed to provide reasonable assurances that business objectives – primarily the maximisation
of shareholder wealth – will be achieved and any undesired events, unwelcome occurrences
and/or unfavourable incidences will be prevented and/or detected and corrected.
• unauthorised access,
• loss,
• misappropriation, and/or
• improper modification, deletion and/or alteration.
Clearly there is a close symbiotic relationship between a company’s internal control procedures
and the security of a company’s operational systems inasmuch as such system security procedures
and processes are designed not only to ensure:
• the security of tangible/non-tangible resources,
• the security of data/information, and
• the security of company/organisational networks,
but also ensure proper and adequate protection from possible systems failures/disasters.
Indeed, as a legitimate and (some would say) necessary corporate expense, system security
procedures should seek to maintain:
• the integrity of corporate operations,
• the confidentiality of corporate data and/or information, and
• the protection of corporate assets and resources.
Perhaps before we explore the more technical issues associated with contemporary internal
control (and systems security), it would be useful to provide a background context – a socio-economic
perspective/framework – to our discussion and, in particular, consider albeit briefly,
the powerful influence of the priorities of capital on the designing and shaping of the operational
aspects of corporate internal control.
In a contemporary context, the increasingly chaotic realities of the global marketplace, the
evermore uncertain realities of corporate activities and the increasing possibility of corporate
failure and financial loss are often upheld as a defence for:
• the imposition of greater regulatory constraints,
• the development of increasingly hierarchical control systems,
• the creation of evermore complex socio-economic boundaries, and
• the imposition of progressively more proactive internal control systems.
There can be little doubt that such increasing regulation and control has also contributed to:
• sustaining the priorities of the marketplace or, more appropriately, the priorities of capital
as the singular dominant socio-economic force,
• preserving the tradition of economic liberalism as the dominant regime of truth, and
• justifying its ever-increasing influence on the very social processes and institutional structures
which not only shape but govern corporate activities.
Indeed, by imposing a way of thinking or understanding, such market orientated priorities
effectively determine the social and institutional nature and context of internal control processes
and procedures as a consequence of:
• the enforcement of a structured series of boundary parameters – that is determining what
can/cannot be done and who can/cannot do it,
• the imposition of a series of what are often called threshold limits – that is establishing what
is/is not material, and
• the establishment of a series of what are often called relevance limits – that is determining
what can/cannot be included and/or omitted.
Such priorities continuously (re)socialise and (re)legitimate the ongoing imposition and
adoption of the internal control processes and procedures onto the operational cartography
of corporate activity – a cartography which in a contemporary context lies at the very heart of
modern societal activities and comprises the very fabric or essence of what we regard as contemporary
corporate society. How? Through a process we will refer to as context filtering.
Context filtering is a complex and often unpredictable filtering process whose outcomes are
contingent upon the interaction of a vast array of interrelated social, political, and economic
factors and characteristics – macro level factors and characteristics such as:
• international level pressures and characteristics, and
• national (territorial) factors and characteristics,
As a consequence internal control processes are imposed – often through the sanctioning and
enforcement of a vast assortment of management procedures and operational protocols. How?
Have a look at Figure 14.3 and consider the following.
Arrow 1 denotes the mechanisms/processes/procedures through which the priorities of
capital continually condition not only macro level factors (e.g. international level and national
(territorial) level factors and characteristics), but also micro level factors (e.g. industry/sector
level, corporate/organisational level and personal/individual level factors and characteristics).
Arrow 2 denotes the processes and procedures through which such macro level and micro
level factors and characteristics shape internal control procedures and processes.
Arrow 3 denotes the formal and informal contexts and mechanisms through which internal
control procedures and processes reflexively infuse or more appropriately act/impose upon
national and international institutional arrangements, and social and cultural values/norms.
Finally, arrow 4 denotes the influence of macro level and micro level factors and characteristics
in identifying and negotiating the contexts/mechanisms through which the influence of
the marketplace – the priorities of capital – will be exercised.
both of which affect all companies within a nation state, geographical region and/or territorial
domain. Such factors are systematic in nature and, whilst in the past the impact of adverse
national (territorial) factors/characteristics on corporate activity may have often been minimised
or even eliminated by geographical/territorial relocation, the effectiveness of such relocation
has, in recent years, become increasingly limited. Why? Mainly because international pressures/
characteristics have – in the name of global capitalism – become evermore invasive and dominant
in reinventing, redesigning and reupholstering national (territorial) structural factors and
characteristics – all in the global rush toward homogeneity, singularity and that nirvana, a single
global marketplace!!
• in an economic context:
  ◦ the increasing mobility of capital and its impact on traditional conceptions of sovereignty,
    and
  ◦ the growing power of the ‘western’ market ethic and the increasing dominance of the
    ‘multi-national’ company,
• in a political context:
  ◦ the increasing global nature of interstate relations, territorial democracy and global politics,
    and
  ◦ the continued growth of supra-national organisations such as the UN, WTO, and NATO,
    and
• in a social context:
  ◦ the growth of global ICT and its continuing impact on local culture, community and
    tradition, and
  ◦ the increasing global social anxiety over the depletion of ecological resources and environmental
    sustainability.
Invariably such international factors and characteristics are national (territorial) in origin.³ Their
migration and elevation beyond national territoriality, whether by chance, design or through the
exercise of socio-political/economic power, has of course become the dominant feature of contemporary
society, and in particular late 20th century/early 21st century society. Not convinced?
Then just consider the power, role and influence of the USA in contemporary global society.
such factors often exist as an agreed, albeit a sometimes imposed, common framework through
which:
• international level factors/pressures/characteristics are interpreted, accommodated and
operationalised, and
• socio-economic activities are authorised, approved and permitted to take place.
Such national (territorial) factors and characteristics would, for example, include:
• the nature, power and influence of extant cultural norms and social interrelationships,
• the context and authority of current socio-political arrangements and institutional relationships,
• the sovereignty of law and the requirements of extant legislative/regulatory pronouncements,
• the socio-political importance of environmental/technological issues, and
• the influence of contemporary liberal economic thought and the authority/power of the
marketplace and the market mechanism.
They would of course not only differ from country to country, regional grouping to regional
grouping or federation to federation, but may also differ within a country, regional grouping or
federation of countries. Just consider the variety that still exists not only within the European
Union but, more importantly, within most member state countries – despite the endless years
of social, political and economic change.
Such factors are unsystematic in nature and, whilst some characteristics can be eliminated by
inter-industry/sector and/or inter-company/organisation relocation, as with macro level factors
the effectiveness of such relocation has, in recent years, become increasingly limited.
There are of course many who would argue that a company/organisation is merely:
• a collection of tangible and intangible resources,
• an artificial compilation of systems, procedures and protocols, or
• a nexus of social, legal and economic obligations,
with any notion of a company/organisation possessing a personality and/or an identity being mere
sentimental nonsense (see Article 14.1). And, of course, there are many others who would argue
that the notion of corporate/organisational personality – a corporate/organisational identity –
is not mere emotive anthropomorphisation.⁴ They would argue that a company/organisation is
more than a legal construct – more than the sum of its constituent parts. Corporate organisations
are sentient entities whose very existence is the foundation of contemporary capitalism.
Indeed whilst a company/organisation may possess no immortal soul, like human beings, they
live and die . . . and whilst they live, their wealth and prosperity (their profitability and commercial
success) is founded on a single composite attribute – their corporate personality.
Article 14.1
people; just as the unsuccessful business is less than the aggregate of agreements or people.
The issue of corporate manslaughter arises precisely because sloppy businesses, such as Railtrack,
have no directing mind: their failures were not the product of bad people, but of an arrogant and
complacent corporate culture. In the truly dreadful organisation, everyone has positioned
themselves not to be responsible when something goes wrong. The horror of Enron was not just that
it was home to some corrupt people but that the environment encouraged their corruption.
So in both good and bad companies, corporate personality is a commercial reality, not just a legal
construct. And if the company has its own distinctive character, like an individual, that refutes
the claim that the company is necessarily amoral, that it has no ethics, only interests. This is
the one nice point made in The Corporation: a personality devoid of moral sense, which is
instrumental in its treatment of stakeholders, generally would be diagnosed by psychologists as
psychopathic. Society punishes psychopathic personalities, through social ostracism and
imprisonment, and it punishes psychopathic companies through the market and political action. That
was the fate of Enron and Andersen, IG Farben and Japanese zaibatsu.
Companies have no immortal soul but, like human beings, they live and die. While they live, they
prosper by the attributes of their personality.
Source: John Kay, 7 December 2004, The Financial Times, www.ft.com.
Do any of the above companies possess a corporate personality – a corporate identity? Of course
they do!
In an advertising/marketing context such a corporate personality/identity is often associated
with/depicted as the corporate brand or the corporate brand name. Indeed, in a financial
reporting context, some companies actually give this corporate personality, corporate brand or
corporate brand name a value. And it is included on the balance sheet under intangible assets.
So, what is the importance of such personal/individual level characteristics? Although there is
little evidence to:
• support Maslow’s strict hierarchy of needs, and
• support the view that people are indeed driven by the same needs – at the same time,
there are nonetheless some important sociological implications of Maslow’s hierarchy in terms
of the impact of such personal/individual level characteristics on:
• workplace motivation/performance,
• management style and, perhaps most importantly for our purposes,
• the operationalisation and effectiveness of internal control.
If you remember, in Chapter 6 we suggested that the securing of appropriate and effective
internal control required:
• an understanding and appreciation of the control environment,
• an understanding of relevant and appropriate control activities,
Control environment
The imposition/identification of a control environment is the foundation for all other
components of internal control within the company. It provides:
• discipline – within business procedures,
• structure – within business processes.
The term control environment refers to the (imposed) norms and values – or more appropriately
the actions, policies and procedures – imposed by the company management, which seek to
reflect the overall attitudes of the company management, directors and owners (shareholders)
about control (specifically internal control) and its importance to the company.
The creation/determination of a control environment in effect seeks to impose – within an
operational environment – a control consciousness. A control consciousness imposed by but
derived from the norms and values that form the central character of the company’s
organisational culture. Such norms and values would include:
• ethical values enshrined within the company procedures,
• the company management commitment to competence and best practice,
• company management operating philosophy,
• company structure and organisational accountability,
• assignment of authority and responsibility within the company, and
• company human resource policies and procedures.
An effective control environment is an environment within which individuals and participants
are aware of:
• the activities/procedures and/or processes for which they are responsible,
• the limits of their authority and role(s) within the company, and
• the controls imposed upon them and their activities within the company.
It is clearly within the context of the control environment that control activities exist.
Control activities
These are the policies and procedures used by management to meet its objectives – within
the framework of the norms and values imposed by the control environment. They are the
activities and actions which when undertaken in a proper and considered manner and supported
by appropriate and relevant policies and procedures facilitate the management (and hopefully
reduction) of risk.
Such control activities can be categorised into the following groups:
• adequate segregation of duties,
• appropriate separation of administrative procedures,
Article 14.2
British authorities yesterday launched an inquiry into how computer hackers who targeted the
cut-price fashion retailer TK Maxx were able to steal information from more than 45 million credit
and debit card holders on both sides of the Atlantic.
As the extraordinary scale of the biggest credit card heist unravelled, internet security experts
urged all businesses and banks to tighten up their computer security systems to protect their
customers.
TK Maxx shoppers were advised to check their credit and debit transactions for irregularities amid
warnings that the criminals involved could even use the data to commit identity theft. Internet
fraud is now one of the fastest growing areas of illegal activity in the UK.
TK Maxx’s US parent company, TJX, revealed the extent of the ‘unauthorised intrusion’ in its annual
report on Thursday, claiming that someone had used sophisticated software to access its data
centres in Watford, Hertfordshire, and in Framingham, near Boston, Massachusetts.
Names, card numbers and personal data were stolen – and in the US, social security numbers –
over a 17-month period and covering transactions dating as far back as December 2002. The firm said
it did not know how many of the cardholders affected were shoppers at TK Maxx’s 210 stores in
Britain and Ireland, although more of them were likely to be American. Canadian shoppers have also
been affected. The company disclosed in January that it had a problem but suggested the volume of
information stolen was not on a large scale.
The government’s information commissioner, Richard Thomas, was said to be extremely concerned.
A spokesperson for his office said yesterday: ‘The information commissioner’s office takes breaches
of privacy extremely seriously. The Canadian privacy commissioner is investigating this matter and
is working with the federal trade commission in the US. We are liaising with them on this. It was
brought to our attention today that information may have been hacked from the company’s data centre
in Watford. We are therefore contacting the company in the UK today. To date we have not received
any complaints arising from this breach.’
Crime of this type is common, and £210m was lost to credit card fraud during the first half of
2006, according to figures from the payment industry body Apacs. But some experts say fraud and
hacking is at far greater levels than realised.
‘We see a couple of commercial thefts at a very serious level each week,’ said Dan Hagman of 7 Safe,
which specialises in so-called intrusion forensics. ‘Credit card details are being stolen in huge
numbers – and the problem is that if you’re hacked you don’t necessarily know.’
Although it remains unclear how many of TK Maxx’s customers have been defrauded as a result of
the security failure, Mr Hagman said the impact of an investigation by the information commissioner
would be unprecedented: ‘This is not a little site, it’s a big, well-respected player and I think
this case is going to have a profound effect on how the industry deals with security.’
David Hill, ID theft specialist at the personal security company red24, said: ‘People should most
definitely be concerned, and if they have shopped in TK Maxx they should go back through their
credit card and bank statements to make sure no fraudulent transactions have taken place. Criminals
carrying out credit card fraud will often make small purchases as these are less likely to stand
out and may go undetected. If people do spot suspect transactions . . . they should immediately
shut down their accounts and any linked accounts and register with a credit reference agency.’
New legislation coming into force in June will impose tough penalties and sanctions on companies
that fail to safeguard their customers’ card information.
British consumers should ring 0800 779 015 and those in the Republic of Ireland 0044 800 77915. The
homepage at www.tkmaxx.com has a customer alert with updated information.
FAQ: TK Maxx
When did this happen?
According to TK Maxx, the intrusions began in July 2005 and cover credit and debit card purchases
stretching back to 2003. The hacking activity ended in December 2006, which is likely to be the
first time the company became aware of a problem. It admitted the breach in January, but it was
only this week that the full extent of the problems was revealed.
Why did the problems last so long?
In most cases, a company discovering a security breach will act to close down the loophole that
lets hackers in immediately. However, it is quite possible that criminals could have been operating
invisibly for almost 18 months before being discovered.
Why did they keep details on file?
There are no strict rules on how long transaction data can be held, and guidelines from Britain’s
privacy watchdog suggest it can be kept for as long as there is a ‘business use’.
Source: Rebecca Smithers and Bobbie Johnson, 31 March, 2007, The Guardian, www.guardian.co.uk.
Article 14.3
Article 14.4
Article 14.5
The issue of risk analysis and risk exposure was explored in Chapter 13 but such analysis and
assessment is also designed to assist in:
• the formulation of appropriate control strategies/policies that can be incorporated into the
  company/organisation control environment, and
• the implementation of relevant procedures and processes that can be incorporated in the
  company’s/organisation’s range of control activities.
Appropriate and relevant information, and efficient, cost-effective and well-organised
communication channels are essential prerequisites for effecting adequate control. Information
about a company’s:
• strategic plans,
• control environment,
• internal and external risks,
• control activities,
• current operational activities, and
• current performance,
must be communicated up, down and of course across the company’s management structure/
hierarchy.
Clearly relevant information must be:
• appropriately identified,
• captured,
• transmitted, and
• communicated,
not only in an understandable form/context but, more importantly, in a relevant and appropriate
timeframe to enable recipients to carry out/undertake their activities and associated
responsibilities effectively and efficiently.
Clearly such information (structured and/or unstructured) may be:
Monitoring
Monitoring refers to the collection and analysis of financial and non-financial information
on a regular basis in order to evaluate performance on control activities. It includes regular
management and supervisory activities, and other control associated actions undertaken by
other personnel in the performance of their duties and in the exercising of their responsibilities.
It is, in essence, the assessment of control activities either:
Clearly the scope and frequency of separate evaluations will depend primarily on the risks
associated with a particular control activity and the effectiveness of continuous ongoing
monitoring procedures.
Whilst the monitoring of control activities is often seen as an internal activity – that is
such monitoring is normally concerned with inputs, activities and outputs – it can also be an
external activity.
The purpose of monitoring control activities – whether as a continuous process or a series of
separate evaluations – is to assess the quality of such control activities/internal control systems
(usually over time) and:
• ensure the regular collection and analysis of information,
• assist in timely decision making,
• promote accountability, and
• provide the basis for organisation learning.
Finally, the effectiveness of internal controls may be adversely affected by management imposed
resource constraints. Remember – the benefit accrued from the imposition of any internal control
procedure/process must outweigh the cost of imposing that internal control.
Classification of controls
There are many ways of classifying different types of controls that comprise internal control, the
most commonly used being:
• classification of controls by function, for example:
  ◦ preventative controls,
  ◦ detective controls,
  ◦ corrective controls, and
• classification of controls by type/scope, for example:
  ◦ general controls, and
  ◦ application controls.
Before we look at each of the above in more detail, it would perhaps be useful to note that whether
controls are classified by function or type/scope, there is – perhaps somewhat predictably – a
degree of commonality or overlap between the types of controls included in each of the two
classifications. As illustrated by Figure 14.4:
• application controls essentially comprise either preventative or detective type controls,
  whereas
• general controls essentially comprise preventative, detective and, in some instances,
  corrective type controls.
Classification by function
Preventative controls
Preventative controls are proactive controls designed to prevent and/or deter the occurrence of
adverse events and the loss of assets and/or resources. Examples of such controls would be:
• the segregation of management/administrative duties,
• segregation of transaction processing duties,
• the existence and use of appropriate and adequate formal documentation,
• the existence and use of proper authorisation procedures/processes,
Detective controls
Detective controls are passive/reflexive controls or ‘after the event’ controls. They are designed
to detect undesirable consequences of events which may have already occurred. Examples of
such controls would be:
• the duplicate checking of calculations,
• the preparation of monthly accounting trial balances,
• the review of policy procedures and controls,
• periodic physical stock takes,
• periodic reconciliations of balances (e.g. debtors, creditors and bank), and
• periodic internal audits.
Corrective controls
Corrective controls are active controls designed to eliminate and/or remedy the causes of
adverse threats and/or undesirable events.
Examples of such controls would be:
• the creation and retention of backup copies of transaction data/information,
• the creation and retention of backup copies of master files,
• adherence to data protection policies, and
• the existence and use of adequate data processing correction procedures.
Put another way, although there is some overlap, in a control context:
• approvals procedures are generally preventative in nature,
• reconciliation and review processes tend to be detective in nature,
• asset/resources management procedures are typically corrective in nature,
• asset/resource security procedures tend to be both preventative and detective in nature, and
• segregation of management/administrative duties and the segregation of transaction
  processing duties are often viewed as preventative in nature although they are sometimes
  regarded as corrective.
Classification by type/scope
General controls
General controls relate to all activities involving the company’s/organisation’s resources, assets
and facilities (including accounting information systems resources).
They are designed to:
• ensure that a company’s/organisation’s control environment remains stable and secure,
• maintain the integrity of corporate functions/activities (including accounting information
  systems processing functions/activities) and associated systems and networks,
• preserve the on-going reliability of the company’s/organisation’s control environment and
  enhance the effectiveness of application controls,
• maintain appropriate levels of physical security practices and environmental protection
  measures to minimise the possible risk of vandalism, theft and/or sabotage, and
• ensure the adoption of appropriate disaster planning and recovery protocols to ensure
  continuity of systems, networks and processing procedures.
Organisational controls
Organisational controls usually exhibit a preventative control focus and/or a detective control
focus and comprise all those controls that are derived from and/or related to the structural
composition of a company. They are inevitably political in nature and are invariably associated with:
• the hierarchical nature of the company, and
• the structural relationship between company personnel – their duties, activities and
  responsibilities.
In a social context, such controls normally manifest themselves in the form of:
• a functional separation of management/administrative processes, procedures and protocols
  – a preventative control focus,
• a segregation of duties, activities and responsibilities between company/organisation personnel
  – also a preventative control focus, and
• the independent monitoring/reviewing of processes, procedures and protocols – a detective
  control focus.
The purpose of organisational controls is to establish organisational autonomy or, more
appropriately, function/activity independence, with the primary objective being to ensure the complete
separation of incompatible functions and activities. As such organisational controls normally
seek to ensure a separation between:
• procedures concerned with the authorisation of transactions,
• activities associated with the custody of assets/liabilities,
• processes connected to the recording of transactions, and
• functions related to the controlling of assets/liabilities.
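The separation of authorisation, custody, recording and control described above can be checked in a computer-based system in both a preventative and a detective way. The following Python sketch is an added example, not taken from the book; the permission names, users and transaction ids are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical system permissions mapped to the four functions listed above.
PERMISSION_FUNCTION = {
    "po.approve": "authorisation",
    "payment.release": "custody",
    "stock.issue": "custody",
    "ledger.post": "recording",
    "bank.reconcile": "control",
}

# Constructed sample data: user entitlements and an activity log.
GRANTS = {
    "asha": ["po.approve"],
    "ben": ["ledger.post"],
    "carl": ["po.approve", "payment.release"],  # spans two functions
    "dee": ["bank.reconcile"],
}
LOG = [
    ("PO-1001", "asha", "po.approve"),
    ("PO-1001", "ben", "ledger.post"),
    ("PO-1002", "carl", "po.approve"),
    ("PO-1002", "carl", "payment.release"),
]


def entitlement_conflicts(grants):
    """Static review: users whose permissions span more than one function."""
    conflicts = {}
    for user, perms in grants.items():
        held = {PERMISSION_FUNCTION[p] for p in perms if p in PERMISSION_FUNCTION}
        if len(held) > 1:
            conflicts[user] = sorted(held)
    return conflicts


class SegregationError(PermissionError):
    """Raised when one person attempts a second, incompatible function."""


class TransactionGuard:
    """Preventative control: refuse a step if the same person has already
    performed a different function on the same transaction."""

    def __init__(self):
        self.history = defaultdict(list)  # txn_id -> [(function, user)]

    def perform(self, txn_id, user, permission):
        function = PERMISSION_FUNCTION[permission]
        for done_function, done_by in self.history[txn_id]:
            if done_by == user and done_function != function:
                raise SegregationError(
                    f"{user} already performed {done_function} on {txn_id}; "
                    f"cannot also perform {function}")
        self.history[txn_id].append((function, user))
        return function


def review_log(events):
    """Detective control: after-the-event scan of (txn, user, permission)
    records for one person acting in two or more functions."""
    seen = defaultdict(lambda: defaultdict(set))
    for txn_id, user, permission in events:
        seen[txn_id][user].add(PERMISSION_FUNCTION[permission])
    return sorted(
        (txn_id, user, sorted(functions))
        for txn_id, users in seen.items()
        for user, functions in users.items()
        if len(functions) > 1)


if __name__ == "__main__":
    print("entitlement conflicts:", entitlement_conflicts(GRANTS))
    print("log findings:", review_log(LOG))
```

The guard is the preventative form; the log review is what a resource-constrained company falls back on when duties cannot be fully separated.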
Whilst there can be little doubt that the principal activities of the company and its associated
(externally imposed) regulatory requirements, and the internal management/organisational
structure of the company/organisation and its associated internal politics, will clearly influence:
• ‘how’ such a separation of management/administrative processes and procedures is realised, and
• ‘how’ such a segregation of duties and/or activities is implemented,
it is the composition and availability of resources within the company that will, perhaps more
importantly, determine the balance between a preventative control focus and a detective control
focus.
Consider first, the issue of a small/medium-sized company. For such a company – a company
with limited financial assets and often limited personnel resources – the existence of organisational
controls established upon the separation of management/administrative processes and
procedures, and the segregation of transaction processing duties/functions, may not only be
impractical and unrealistic, but more importantly unfeasible and perhaps inappropriate. Where
resource constraints exist that not only impose limitations on the scope of such organisational
controls but also restrict the effectiveness of such controls, the emphasis of control activities
– as a component of internal control – often migrates from organisational controls with a preventative
control focus (separation of processes and procedures and the segregation of duties/
activities) to organisational controls with a detective control focus (independent management
monitoring/internal audit – usually ‘after the event monitoring’ of processes and procedures).
A short-term resource led solution that is – certainly in the longer term – a particularly risky
internal control strategy.
Consider next the issue of information technology and computer-based transaction processing.
For many large companies – and to an increasing extent also small/medium-sized companies –
computer-based transaction processing has become the norm, with many companies now (as a
matter of general business practice) employing a wide range of information systems technologies.
For example, in 2005 89% of UK businesses used transaction websites that allow customers to
initiate transactions (for larger UK businesses this figure was 93%).8 Within such companies a
number of important transaction processing functions/controls are often integrated/automated,
for example:
More importantly, information systems technologies have become a key controlling feature in an
array of transaction processing system activities – an array of transaction processing activities
in which the apparent complete separation of control activities appears no longer possible! To
maintain/ensure some degree of control – some degree of accountability within such companies
– a separation of administrative responsibilities or segregation of functions and activities must
exist, for example, between:
In other words, within such companies’ transaction processing systems the preventative control focus
remains – integrated within the information systems management, design and implementation.
Documentation controls
Documentation9 controls are all those controls associated with managing the format and
content of all corporate documentation utilised in processes and procedures connected to:
Such data/information can be permanent in nature – for example data/information relating to:
Access controls
Access controls exhibit a preventative control focus and are all those controls associated with
ensuring:
• the security of company/organisation assets and resources,
• the integrity of corporate/organisational operations and activities, and
• the confidentiality of corporate data and/or information,
Indeed, as history has repeatedly revealed, for example with financial scandals concerning
BCCI, Barings Bank, Enron and Parmalat, bad management activities and practices, or perhaps
more appropriately the activities and practices of bad management, often lie at the heart of many
of the most spectacular corporate collapses – certainly many of the major corporate failures
during the latter part of the 20th century and the early part of the 21st century.
Management practice controls comprise not only the general controls discussed so far but
also include all controls associated with the management, administration and development
of application systems, and include all those controls associated with systems management and
development, in particular:
• amendment/modification controls, and
• development management controls.
Although we will explore the above controls in more detail in Chapter 16 when we discuss issues
relating to systems development and design, such controls would include all those controls
associated with the planning, analysis, design and implementation of new and/or amended
application systems.
Information technology management controls seek to ensure the protected custody of computer
hardware and related peripheral equipment, and the security and integrity of software
programs. Such management controls are clearly related to access issues (and related security
issues) and will be discussed later in this chapter.
Information systems administration controls seek to ensure the correct and appropriate processing
of data and information, through:
• the scheduling of data collection activities,
• the continuous monitoring of data processing activities, and
• the management of data/information output activities.
Application controls
Application controls – sometimes called transaction controls – are controls that relate to specific
aspects of a company’s/organisation’s processes, procedures, resources, assets and/or facilities
(including accounting information systems resources).
They are designed to:
• prevent and detect transaction processing errors,
• identify transaction processing discrepancies, and
• correct transaction processing irregularities.
Input controls
Input controls are designed to ensure the validity, appropriateness and correctness of system/
application specific input data, for example:
• payroll input data (e.g. hours worked, hourly pay rates) are processed by the payroll system,
• purchasing input data (e.g. payment of invoices) are processed by the purchasing system, and
• sales input data (e.g. the issue of sales invoices) are processed by the sales system.
Processing controls
Processing controls are designed to ensure that:
• only authorised system/application specific input/transaction data are processed,
• all authorised transaction data are processed accurately, correctly and completely,
• all appropriate program files/system procedures are used in the processing of transaction
  data,
• all processing is validated and verified, and
• an appropriate audit trail of all transaction processing is maintained.
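The input controls and processing controls described above, applied to a payroll run, look like this in code. The Python sketch is an added example, not taken from the book: the master file, approver, hours limit, batch header totals and the hash-chained audit trail are constructed assumptions, and the batch totals and hash chain go beyond what the text specifies.

```python
import hashlib
import json
from decimal import Decimal, InvalidOperation

MASTER_FILE = {"E001": Decimal("12.50"), "E002": Decimal("15.00")}  # id -> hourly rate
APPROVERS = {"supervisor_a"}        # who may authorise timesheets (assumed)
MAX_WEEKLY_HOURS = Decimal("60")    # reasonableness limit (assumed)

# Constructed batch: the header totals are prepared by the originating department.
BATCH = {
    "id": "WK14", "record_count": 4, "hours_total": "217.5",
    "records": [
        {"timesheet_id": "T1", "employee_id": "E001", "hours": "37.5", "approved_by": "supervisor_a"},
        {"timesheet_id": "T2", "employee_id": "E002", "hours": "40", "approved_by": None},
        {"timesheet_id": "T3", "employee_id": "E999", "hours": "40", "approved_by": "supervisor_a"},
        {"timesheet_id": "T4", "employee_id": "E002", "hours": "100", "approved_by": "supervisor_a"},
    ],
}


def parse_hours(value):
    """Return hours as a finite Decimal, or None if the field is not numeric."""
    try:
        hours = Decimal(str(value))
    except InvalidOperation:
        return None
    return hours if hours.is_finite() else None


def validate_input(record):
    """Input controls: validity, appropriateness and correctness of one record."""
    errors = []
    if record.get("employee_id") not in MASTER_FILE:
        errors.append("unknown employee")
    hours = parse_hours(record.get("hours"))
    if hours is None:
        errors.append("hours not numeric")
    elif not (Decimal("0") < hours <= MAX_WEEKLY_HOURS):
        errors.append("hours out of range")
    if record.get("approved_by") not in APPROVERS:
        errors.append("not authorised")
    return errors


class AuditTrail:
    """Append-only trail; each entry is chained to the previous entry's hash
    so later alteration or deletion is detectable."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"event": event, "prev": prev,
                             "hash": self._digest(prev, event)})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def process_batch(batch, trail):
    """Processing controls: reconcile the batch to its header, pay only valid
    authorised records, and account for every record in the audit trail."""
    records = batch["records"]
    total = sum((parse_hours(r.get("hours")) or Decimal("0") for r in records), Decimal("0"))
    if len(records) != batch["record_count"] or total != Decimal(batch["hours_total"]):
        trail.append({"action": "reject_batch", "batch": batch["id"],
                      "reason": "control totals do not match header"})
        return {"batch_ok": False, "paid": {}, "rejected": {}}
    paid, rejected = {}, {}
    for rec in records:
        errors = validate_input(rec)
        if errors:
            rejected[rec["timesheet_id"]] = errors
            trail.append({"action": "reject", "record": rec, "errors": errors})
            continue
        gross = parse_hours(rec["hours"]) * MASTER_FILE[rec["employee_id"]]
        paid[rec["timesheet_id"]] = gross.quantize(Decimal("0.01"))
        trail.append({"action": "pay", "record": rec,
                      "gross": str(paid[rec["timesheet_id"]])})
    return {"batch_ok": True, "paid": paid, "rejected": rejected}


if __name__ == "__main__":
    trail = AuditTrail()
    print(process_batch(BATCH, trail), "trail intact:", trail.verify())
```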
Output controls
Output controls are designed to ensure that:
• all output is validated, verified and authorised,
• all output is accurate, reliable and complete, and
• all output is distributed to approved and authorised recipients.
Systems security is indelibly linked to internal control, the aim of such security measures/
protocols being to provide an appropriate level of protection from:
• unauthorised and/or undetected access to corporate systems,
• unauthorised use and/or acquisition of corporate assets, resources and facilities,
• improper deletion and/or alteration of systems data, information and/or procedures,
• systems breakdown and/or processing interruptions, and
• systems failure.
Such security measures/protocols can be classified into four categories, these being:
• internal control procedures and processes designed to maintain the security of tangible/
  non-tangible resources – (see also Chapter 16),
• internal control procedures and processes designed to maintain the security of data/
  information – (see also Chapter 6 in particular issues regarding the Data Protection Act
  1998),
• internal control procedures and processes designed to maintain the security and integrity
  of company/organisational networks (including computer-based networks) – (see also
  Chapters 5 and 6), and
• internal control procedures and processes designed to assist in the retrieval, recovery, and/or
  reconstruction (where necessary) of any:
  ◦ lost assets, resources and/or facilities, and/or
  ◦ corrupted data/information,
  as a result of an adverse incident/event and/or systems failure. (Such measures are often
  referred to as disaster contingency and recovery procedures.)
Such security measures/protocols would normally consist of (internal) controls designed to:
• validate and verify the existence (or otherwise) of all assets and resources,
• monitor and control access to assets and resources, and
• restrict/control the privileges of users who have a legitimate right of access to assets and
  resources.
The primary aim of any such security measures being to:
• ensure the accountability/traceability of all assets and resources,
• minimise and/or prevent opportunities for the misappropriation and/or theft of assets and
  resources, and
• facilitate the detection and recovery of any misappropriated assets and resources.
n the use and maintenance of appropriate control procedures for the acquisition and/or
disposal of assets,
n the maintenance of appropriate records of, and procedures for, the movement of assets, and
n the use of security tagging of valuable assets.
To minimise and/or prevent opportunities for the misappropriation and/or theft of assets, such
security measures could include:
n the use of access controls (e.g. ID badges, smart cards, security passwords, and/or personalised
biometric measurements) to define/restrict access to assets, and
n the use of surveillance controls (e.g. the use of intrusion detection systems and procedures)
to detect inappropriate use and/or unauthorised access.
Such security measures/protocols would normally consist of (internal) controls designed to:
n validate and verify the existence (or otherwise) of all data and/or information files,
n monitor and control use of, access to and transfer of data and/or information files, and
n restrict/control the privileges of users who have a legitimate right of access to data and/or
information files.
The primary aim of any such security measures being to:
n prevent the dishonest acquisition of data and/or information files,
n prevent the deceitful misuse of data and/or information files,
n restrict the fraudulent variation, alteration and/or adaptation to data and/or information files,
n prevent the deceitful infection and/or destruction of data and/or information files, and
n minimise the deliberate and fraudulent reproduction and transfer of data and/or information
files.
In addition, for companies whose activities require the collection, storage and use of personal
data/information, such security measures should also ensure compliance with the requirements/
provisions of the Data Protection Act 1998 (see also Chapter 6).
Such security measures/protocols would normally consist of (internal) controls (often technology-
based) designed to:
• validate and verify all access to company/organisational networks, and
• monitor and control the use of company/organisational networks.
to prevent:
• the unauthorised appropriation of company/organisational network programs,
• the malicious removal (accidental or otherwise) and/or destruction/sabotage of company/
organisational network programs,
• the deliberate and/or malevolent infection of company/organisational networks,
• the misappropriation and misuse of confidential and sensitive corporate information,
• the theft of protected information, and/or
• any other adverse events that could lead to the possible disruption of a corporate service
and/or facilities.
Such security measures will invariably (although not exclusively) comprise computer-based
technologies used to:
• manage access,
• control permission and, where appropriate,
• monitor use.
The term ‘systems failure’ is a generic term, one that can and often is used to describe the adverse
consequences of a wide range of incidents and events which may affect a company’s ongoing
operational capacity. Such incidents/events could range from:
All of which can be caused by or result from a wide variety of factors including:
• external environment-based factors – such as earthquakes, floods and fire,
• socio-economic-based factors – such as power supply problems, infra-structure failure and
industrial action,
• socio-political factors – such as social unrest, bombings and war, and/or
• internal environment-based factors – such as corporate sabotage and user error.
In today’s highly volatile and decidedly unpredictable environment in which the only certainty
is uncertainty, adverse incidents and events occur all the time. Whilst some of these incidents
and events will be minor in nature and their potential impact limited, some will inevitably be
major in nature and their potential impact both serious and wide-ranging – perhaps in extreme
situations, even fatal. Clearly then, it is important for a company to possess an appropriate and
up-to-date plan of action not only to manage but to limit the impact of such incidents/events.
An appropriate and up-to-date disaster contingency and recovery plan (DCRP) is needed to
provide a cohesive collection of approved procedures, guidelines and protocols. It provides a
formal incident/crisis management framework to assist in:
• minimising the overall impact of any adverse incident/event, and
• ensuring the continuity of business activities and other related operational capabilities.
A comprehensive DCRP would normally consist of two defined (albeit interrelated) protocols:
• a prevention protocol, and
• a recovery protocol.
Remember, there is no magic answer, off-the-shelf solution or generic step-by-step reference guide
to managing such adverse incidents/events. The key to a company’s recovery from any adverse
incident/event and/or corporate-wide crisis/disaster is prioritisation – that is the determination
of criticality and the identification of those aspects of the business (its assets, resources,
processes and services) which are critical to its continuing survival and those which are not.
Put simply, for even the most well-prepared of companies, the ability to recover all affected
assets and resources – to restore all affected business processes, services and facilities –
immediately after a traumatic adverse incident/event, even from a minor isolated event, can
be severely impeded by the ambiguity of past events, the uncertainty of future events and the
irrationality of management!
Criticality is the ascertainment of importance or, perhaps more appropriately, a question
of significance, founded on a determination of how long a company/organisation can survive
without a set of business assets and/or resources, a collection of processes and/or procedures or
a group of essential services and/or facilities. Clearly, whilst some assets and resources, etc. may
require/necessitate immediate recovery, others may not. It is actually quite surprising what a
company/organisation can survive without – at least in the short term!
Prevention
Whether an imposed regulatory requirement, or merely a commercial/financial consideration,
it is important (if not essential) for a company/organisation:
• to identify and prioritise the importance of each of its corporate systems/system elements, and
• to determine the possible consequences of such systems/system elements failing as a result of
an adverse incident/event.
A prevention protocol would seek to determine and review (on a regular basis):
• the existence, relevance and appropriateness of existing systems and procedures,
• the existence of any local/regional threats11 to operational capabilities,
• the existence of any potential single points of failure with the company’s system/procedures,12
and
• the existence of relevant and appropriate licences, warranty agreements and relevant support
contracts.
And as a consequence:
• identify possible adverse changes within the company’s environment,
• assess the possible consequences of such environmental changes,
• eliminate or at least reduce corporate dependency on any single service source, asset and/or
resource,13 and
• minimise the disruption that may be caused by any potential adverse incident/event.
Although prevention is better than cure, unfortunately no matter how well informed the
company/organisation may be – no matter how up-to-date, appropriate and effective its
prevention protocols – adverse incidents/events will still occur.
Recovery
A recovery protocol would normally consist of four key stages:
• qualification of the incident/event,
• containment of the incident/event,
• assessment of the impact of the incident/event, and
• application of countermeasures.
For minor incidents it is probable that recovery, containment and assessment procedures would
take place within the established management hierarchy of the company/organisation. The
approval of countermeasures may well require higher level management approval. For major
incidents however (including company-wide disasters/crises) most companies would assemble
a pre-designated/pre-arranged incident response team which would, for example, include:
• for operational issues – managers from the company areas affected by the incident/event,
• for staffing and employment issues – human resource representatives/managers,
• for asset/resource issues – appropriate facilities/utilities managers and/or representatives,
and
• for Public Relations (PR) issues – PR/corporate communications managers and/or
representatives.
Clearly the size of the incident response team would depend on the nature and impact of the
incident/event.
Application of countermeasures
Once the nature of any incident/event has been qualified, once containment procedures have
been introduced and once an appropriate assessment of the impact of the incident/event has
been performed, a determination of appropriate countermeasures needs to be made. This is a
formal active response to:
• alleviate the adverse consequences of an incident/event,
• mitigate any potential undesirable effects of such an incident/event, and
• minimise the possibility of future threats and/or vulnerabilities.
The determination and application of such countermeasures should of course be a collective
decision either by the incident response team (should such a team exist) or by management
in consultation with appropriate managers. More importantly such countermeasures should be
applied in risk priority order and their effectiveness monitored to ensure predicated outcomes
are achieved. Where appropriate – where the incident/event is of a major nature and one
which may adversely affect the company’s/organisation’s future business activities – media and
PR exercises may also be required as part of the countermeasures to alleviate any potential
unfavourable market reactions resulting from possible speculation regarding the future viability
of the company/organisation.
continue to have a major, some would say revolutionary impact, on many of the functional
aspects of corporate finance and accounting information systems.
Indeed, there can be little doubt that in a contemporary business context at least, the relationship
between such enabling innovations and developments and accounting information systems
– in particular internal control and systems security – continues to be an intimate if somewhat
volatile and complex relationship. A relationship in which the processing and management
opportunities presented by the evermore creative capabilities of information and communications
technology continue to be tempered by the often overly pessimistic, some would say
conservative, realism of the caretakers of contemporary capitalism – corporate management.
A conservative realism in which the increasingly powerful ‘push effect’ of information and communication
technology enabled innovations and developments has been, and indeed continues
to be, frequently countered by the ‘pull effect’ of greater accountability and transparency – of
greater internal control and systems security. See Figure 14.6.
So what are the push and pull effects? Rather than identifiable, cogent, rational and coherent
forces – consider both the push and pull effect as generic terms – as expressions representing
the opposing/balancing sides of a SWOT14 matrix, with:
• the push effect representing the possible strengths and opportunities offered by what sometimes
appears to be an almost never-ending progress and advancement in information and
communication technology, and
• the pull effect representing the possible weaknesses and threats posed by information and
communication technology innovations and developments.
Figure 14.6 Push/pull – internal control and information and communication technologies
For example:
• the transferring of control processes and procedures to the development stage forces measurement
points to be integrated within system processes and procedures and thus obscures the
visibility of such measurement points and the transparency of system processes/procedures, and
• the ever-increasing integration of once diverse technologies and related procedures and processes,
whilst increasing operational capabilities, also necessitates the use of a growing arsenal
of control and security measures to mitigate the risks associated with the ever-present threats
from use of information and communication technologies.
Threats that may:
• impair processing capabilities,
• compromise information confidentiality,
• damage information integrity,
• adversely affect control procedures,
• inhibit access to processing facilities,
• corrupt information authenticity, and
• prohibit access to and/or the availability of information.
that affect an exchange of value between two parties and includes the transfer of money initiated
through:
• an electronic terminal,
• an automated teller machine,
• a computer (via the internet), and
• a telephone.
EFT also applies to credit card and automated bill payments.
founded not only on a reciprocal trust but more importantly a mutual reliance and understanding
of security, a failure of which could result in:
• the unauthorised initiation and/or alteration of transactions,
• the potential corruption of transaction files and data, and
• the fraudulent alteration of application procedures, processes and protocols.
Syntactic controls
Syntactic controls are concerned with ensuring that appropriate outbound translation, communication
and inbound translation protocols are effective. Such controls should ensure that:
• there are effective reciprocal acknowledgements confirming the occurrence of an EDI/EFT
transaction, and
• appropriate translation headers and trailers are used during translation to ensure transaction
completeness.
In addition, appropriate integrated test facilities could be used to monitor EDI and EFT transactions
continuously.
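The two syntactic controls listed above (headers and trailers that establish completeness, and reciprocal acknowledgements) can be sketched in code as follows. This is an added example, not material from the book: it assumes UN/EDIFACT-style envelope segments (UNB/UNZ, UNH/UNT) with default separators and no release-character handling, and the sample interchange, control references and function names are all constructed for illustration.

```python
"""Added illustration: syntactic completeness checks on an EDIFACT-style interchange.

Assumptions (not from the book): UN/EDIFACT envelope segments UNB/UNZ and UNH/UNT,
default separators, no release-character ("?") handling, constructed sample data.
"""

# Constructed sample: one interchange carrying two order messages.
SAMPLE_OK = (
    "UNB+UNOA:1+BUYER01+SUPPLIER01+070601:1112+REF0001'"
    "UNH+1+ORDERS:D:96A:UN'"
    "BGM+220+PO1001+9'"
    "LIN+1++ITEM-A:SA'"
    "QTY+21:10'"
    "UNT+5+1'"
    "UNH+2+ORDERS:D:96A:UN'"
    "BGM+220+PO1002+9'"
    "LIN+1++ITEM-B:SA'"
    "UNT+4+2'"
    "UNZ+2+REF0001'"
)
# The same interchange with one segment lost in translation, and one cut off in transit.
SAMPLE_DROPPED = SAMPLE_OK.replace("QTY+21:10'", "")
SAMPLE_TRUNCATED = SAMPLE_OK[: SAMPLE_OK.index("UNZ")]


def parse_segments(raw):
    """Split an interchange into segments, each a list of data elements."""
    return [seg.strip().split("+") for seg in raw.split("'") if seg.strip()]


def _element(seg, index):
    """Return a data element, or '' when the segment is too short."""
    return seg[index] if index < len(seg) else ""


def _count(value):
    """Parse a control count; -1 marks a missing or non-numeric value."""
    return int(value) if value.isdigit() else -1


def check_envelope(raw):
    """Return a list of completeness errors; an empty list means consistent."""
    segs = parse_segments(raw)
    if not segs or segs[0][0] != "UNB":
        return ["missing interchange header (UNB)"]
    if segs[-1][0] != "UNZ":
        return ["missing interchange trailer (UNZ): interchange is incomplete"]
    header, trailer = segs[0], segs[-1]
    errors, messages, open_ref, seg_count = [], 0, None, 0
    for seg in segs[1:-1]:
        tag = seg[0]
        if tag == "UNH":
            if open_ref is not None:
                errors.append(f"message {open_ref}: no trailer (UNT) before next header")
            open_ref, seg_count = _element(seg, 1), 1
        elif open_ref is None:
            errors.append(f"segment {tag} lies outside any message")
        else:
            seg_count += 1  # the UNT count includes the UNH and UNT segments themselves
            if tag == "UNT":
                declared = _count(_element(seg, 1))
                if declared != seg_count:
                    errors.append(f"message {open_ref}: trailer declares {declared} "
                                  f"segments, {seg_count} received")
                if _element(seg, 2) != open_ref:
                    errors.append(f"message {open_ref}: trailer reference mismatch")
                messages, open_ref = messages + 1, None
    if open_ref is not None:
        errors.append(f"message {open_ref}: no trailer (UNT)")
    if _count(_element(trailer, 1)) != messages:
        errors.append(f"interchange trailer declares {_element(trailer, 1)} "
                      f"messages, {messages} received")
    if _element(trailer, 2) != _element(header, 5):
        errors.append("interchange trailer reference does not match header")
    return errors


def reconcile_acks(sent, acks, now, max_wait):
    """Match acknowledgements to sent interchanges.

    sent: {control_ref: minute sent}; acks: control refs acknowledged by the partner.
    Returns (overdue, unexpected, duplicated) as sorted lists of control refs.
    """
    seen, duplicated = set(), set()
    for ref in acks:
        (duplicated if ref in seen else seen).add(ref)
    overdue = [r for r, t in sent.items() if r not in seen and now - t > max_wait]
    unexpected = [r for r in seen if r not in sent]
    return sorted(overdue), sorted(unexpected), sorted(duplicated)


if __name__ == "__main__":
    for name, raw in [("ok", SAMPLE_OK), ("dropped", SAMPLE_DROPPED),
                      ("truncated", SAMPLE_TRUNCATED)]:
        print(name, check_envelope(raw))
    print(reconcile_acks({"REF0001": 0, "REF0002": 10, "REF0003": 55},
                         ["REF0001", "REF0001", "REF0009"], now=60, max_wait=30))
```

An unacknowledged interchange past the waiting window, an acknowledgement for a reference that was never sent, and a repeated acknowledgement are each reported separately so that they can be followed up as distinct exceptions.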
Security controls
Security controls are concerned with maintaining the physical integrity of the EDI system. Such
controls should ensure that:
• appropriate restrictions on physical access to EDI and EFT facilities are in place,
• appropriate constraints on authorisation exist,
• EDI and EFT backup files are maintained and securely stored,
• appropriate system/network intrusion detection protocols are in place, and
• approved EDI/EFT-related disaster contingency recovery protocols are in place.
Concluding comments
have been responsible for promoting the need for more effective corporate governance and
greater corporate accountability. Corporate management needs not only to understand the
relevance of corporate control activities but, more importantly, regulate, monitor and control
corporate procedures, processes and activities. The existence of appropriate control processes
and procedures within a company is needed to:
• provide reasonable assurances that business objectives – primarily the maximisation of shareholder
wealth – will be achieved, and
• ensure any undesired events, unwelcome occurrences and/or unfavourable incidences will
be prevented, and/or detected and corrected.
Clearly, whilst internal control and system security measures cannot directly influence the
creative processes of wealth development/maximisation, they nonetheless play an important
role in:
• maximising the utility of corporate processes and procedures,
• optimising the utility of corporate assets and resources, and
• sustaining the operational capability of the company.
References
Maslow, A.H. (1943) ‘A Theory of Human Motivation’, Psychological Review, 50, pp. 370–396.
Maslow, A.H. (1987) Motivation and Personality (3rd edn), HarperCollins, London.
McClure, S., Scambray, J. and Kurtz, G. (2005) Hacking exposed: Network Security, Secrets, and
Solutions, McGraw-Hill, San Francisco.
Self-review questions
1. Describe the five interrelated components that comprise the term ‘internal control’.
2. Distinguish between preventative controls and detective controls.
3. Define the term ‘corrective control’ and describe four examples of such a corrective control
relevant to a computer-based accounting information system.
4. Distinguish between general controls and application controls.
5. Define, describe and evaluate the following general controls:
• organisational controls,
• documentation controls,
• access controls, and
• asset management controls.
6. What are the main purposes of application controls?
7. What are systems security measures designed to ensure?
8. Define and describe the concept of business process re-engineering.
9. Describe the risks associated with:
• EDI, and
• EFT.
10. In relation to information and communication technology innovation and development,
distinguish between:
• the push effect, and
• the pull effect.
Question 1
In January 2006, Jessica Leigh (finance director) and Stephanie Dodsworth (sales director) both resigned
from the management board of Deeport plc, a large UK retail company, following a critical report by the
company’s auditors, Barber LLP. The company’s auditors found that insufficient internal controls and a lack
of systems management had resulted in the fraudulent misuse of funds and resources. For the first time in its
22-year history, the company declared a loss of £26m (for the year ending 31 March 2006).
Required
Distinguish between general controls and application controls, and identify in broad terms only, the general
control procedures and security measures that could be employed by a company such as Freeport plc to
protect against the activities indicated in the above situation.
Question 2
During a recent information systems review of HTM Ltd, the following internal control procedures were identified:
• Assigning different employees to maintain physical stock in the warehouse and the stock records.
• Storing high-value stock items within a secure area with authorised/restricted access.
• Requiring all payments for sales to be made by cheque/credit or debit card.
• Counting stock periodically and comparing the count of each item to the stock records.
• Requiring all returns of sold goods to be listed on a special credit form that is prepared and signed by a
manager.
• E-mailing a monthly statement to each customer, showing the details of all transactions and the balance owed.
Required
Identify a risk exposure that each of the following control procedures or practices is intended to prevent or
detect. For each of the above, provide an example of what might occur if the control were not in place and
list one or more factors that could cause the risk exposure to be relatively high:
Question 3
The business environment of the early 21st century continues to change with increasing vigour. The growth of
e-commerce and e-retailing, and the use of the internet for the movement of goods, services and information
has clearly promoted a greater interconnectivity. An interconnectivity that has not only opened up and created
enormous business opportunities, but has also increased the exposure of UK businesses, in particular UK
retail companies, to previously unknown levels of risks and security threats, the costs and consequences of
which have been and indeed continue to be significant.16
Required
Critically evaluate the type and nature of risk and security threats such a company faces and the internal
control procedures and security strategy/measures that it might employ to protect itself.
Question 4
VeTel Ltd is a well-established industrial cleaning company with a turnover of approximately £30m. The
company has 15 regional offices throughout the UK and its head office is in Beverley.
Five days ago, the company’s head office suffered a severe fire and the IT services and facilities department was
completely destroyed. The cause of the fire has yet to be determined, but deliberate sabotage is not suspected.
The company has activated its DCRP (last reviewed six months ago) and is currently at the qualification stage
of recovery.
Required
Define and explain the main stages and contents of a DCRP and, making whatever assumptions you believe
necessary, comment on VeTel Ltd’s progress so far in recovering from the severe fire.
Question 5
‘The impact of innovations and developments in information and communication technology on corporate
accounting information systems has removed the need for excessive internal control.’ Discuss.
Assignments
Question 1
SEC Ltd, a small electrical accessories company, wants to design a company-wide computer purchasing
system. To date the company has maintained a semi-manual record system for all its purchases.
For the previous three financial years the company has made average annual purchases of £34m (all purchases
from UK suppliers) and average annual profits of approximately £10.6m. The company has approximately
350 employees working at six locations throughout the UK: Manchester, which is the company’s head office,
Birmingham, Leeds, Swindon, Bristol and Newcastle.
Assignment
You have recently completed an audit of activities within the purchasing department within SEC Ltd. The
department employs 15 buyers, seven supervisors, a manager and clerical personnel. Your audit has disclosed
the following conditions:
• The company has no formal rules on conflicts of interest. Your analysis produced evidence that one of the
15 buyers in the department owns a substantial interest in a major supplier and that he procures supplies
averaging £150,000 a year from that supplier. The prices charged by the supplier are competitive.
• Buyers select proposed sources without submitting lists of bidders for review. Your tests disclosed no
evidence that higher costs were incurred as a result of that practice.
• Buyers who originate written requests for quotations from suppliers receive the suppliers’ bids directly from
the mail-room. In your test of 100 purchases based on competitive bids, you found that in 55 of 100 cases,
the lower bidders were awarded the purchase order.
• Requests to purchase (requisitions) received in the purchasing departments in the company must be signed
by persons authorised to do so. Your examination of 200 such requests disclosed that three requisitions,
all for small amounts, were not properly signed. The buyer who had issued all three orders honoured the
requests because she misunderstood the applicable procedures. The clerical personnel responsible for
reviewing such requests had given them to the buyer in error.
Required
(a) For each of the above explain the risk, if any, that is incurred if each of the conditions described previously
is permitted to continue and describe the internal control(s), if any, you would recommend to prevent
continuation of the condition described.
(b) Explain the main function of a purchasing system employed by a company such as SEC Ltd, the risks
associated with its failure and the controls that can be installed in order to minimise the impact of such
risks.
Question 2
You have recently been appointed by the management board of Bepelear Ltd, a small electrical accessories
company, to (re)design the company-wide computer purchasing system. To date the company has maintained
a semi-manual record system for all its purchases. For the previous five financial years the company
has made average annual purchases of £18m (all purchases from UK suppliers) and average annual
profits of approximately £9m. The company has approximately 50 employees working at six locations
throughout the UK: Manchester, which is the company’s head office, Birmingham, Leeds, Swindon, Bristol
and Newcastle. For the year ended 31 March 2006, approximately 95% of the company’s purchases were
on credit. The company is currently reviewing its purchasing system and is considering introducing a fully
computerised purchasing system with the possibility of a web-based purchasing protocol linked to selected
suppliers.
Required
Making whatever assumptions you consider necessary, prepare a draft report for the management board of
Bepelear Ltd detailing the following:
(a) the control objectives of a company purchasing system,
(b) the general controls and application controls you would expect to find in a computerised purchasing
system, and
(c) the control issues relevant to a web-based purchasing system.
Chapter 14 Internal control and systems security: minimising loss and preventing disaster
Chapter endnotes
1
Raison d’être is used here to signify motivation, rationale and/or basis of existence.
2
Bounded rationality is used here to signify behaviour that is rational within the parameters
of a simplified model and/or imposed understanding, or a form of behaviour associated with
uncertainty where individuals do not examine every possible option open to them, but simply
consider a number of alternatives which happen to occur to them.
3
Remember we live in a socially constructed world – a world in which all social, political and
economic systems, processes and procedures are invented and/or constructed.
4
To anthropomorphise means to ascribe human features to something and/or to infer humanist
characteristics to an artificial construct.
5
Unlike lower level needs, this need is rarely – if ever – fully satisfied. That is a person rarely
achieves their full potential since as a person matures and grows, psychologically new and
challenging opportunities continually arise. Maslow suggested that self-actualised people tend
to have virtues/values (he called these virtues B-values) such as order, truth, justice and wisdom
. . . and many others.
6
Maslow classified such needs as either internal or external. Internal esteem needs are those
related to self-esteem such as self-respect and achievement, whereas external esteem needs are
those such as social status, recognition and reputation.
7
According to Maslow’s theory, if these fundamental needs are not satisfied then a person will
be motivated to satisfy them. Higher needs such as social needs and esteem/ego needs will not
be recognised by a person until that person has satisfied the needs basic to existence.
8
See ‘Information Security Breaches Survey 2006 Technical Report’ (April 2006), PricewaterhouseCoopers
and Department of Trade and Industry – available @ http://www.enisa.eu.int/doc/pdf/
studies/dtiisbs2006.pdf.
9
The term ‘documentation’ does not relate solely to physical documentation but includes all
formatted media (including virtual media, for example computer screen, webpage, database page)
through which data/information can be collected, stored, analysed and communicated.
10
See Appendix B (page 657) of McClure, S., Scambray, J. and Kurtz, G. (2005) Hacking exposed:
Network Security, Secrets, and Solutions, McGraw-Hill, San Francisco.
11
Such external threats would include, for example, the existence of:
• adverse environmental conditions,
• neighbouring companies that may be a source of high-risk, or
• neighbouring companies that may be the source of civil unrest.
12
Such single points of failure would include, for example:
• communication links,
• source of accommodation,
• power supply,
• transport links/facilities, and
• computer system/network.
13
Such as using possible alternative service providers/supplementary resources suppliers or
seeking insurance against the failure of such providers/supplies.
14
SWOT – Strengths, Opportunities, Weaknesses and Threats.
15
The word ‘syntax’ originates from the Greek words syn, meaning ‘together’, and taxis, meaning
‘sequence/order’.
16
See note 8.
Introduction
Accounting information is power . . . it’s as simple as that! (Anon)
It thus forms the basis of all business/market-related choice – the basis of all corporate
decision making.
Indeed, the components of contemporary accounting information – not only as ‘created’
figures of thought, but also as politically motivated intellectual constructions – have become
the established story-telling machinery and the accepted image creating technology
through which:
Clearly then, the use of accounting information, whilst offering a landscape of enormous
explanatory power, nonetheless provides avenues for distortion and misrepresentation.
Indeed, in today’s highly competitive, fast moving, ever-changing, technology-based
contemporary global marketplace – a marketplace in which accounting information has
become an essential prerequisite for corporate survival, such a palate for ambiguity and
confusion not only results in the propagation of misleading optimism and disingenuous
certainty, but also promotes the proliferation of false idealism.
More importantly, in a market orientated society increasingly dependent on abstract
visualisation, evermore preoccupied with alternative modes of representation and increasingly
absorbed with the reification of often ‘false’ objectivity, the biased politicisation of
accounting information has become (some would say) an invasive and somewhat insidious
aspect of contemporary society – of contemporary capitalism with its ever-growing pathology
of corporate failure.
It is within this ever-changing and uncertain socio-economic context that:
• the contemporary framework of audit and auditing (in particular the audit of financial
statements and accounting information systems), and
• the ever-increasing role and function of the auditor – in particular the external auditor,
Learning outcomes
This chapter explores a wide range of issues related to the audit of corporate accounting
information systems.
By the end of this chapter, the reader should be able to:
• define the term ‘audit’ and describe the main alternative types of audit a company may
be or choose to be subjected to,
• distinguish between CAAT-based and non-CAAT-based auditing,
• critically comment on the importance of accounting information systems audits to
contemporary capitalism and the management and shareholders of wealth maximising
organisations, and
• describe and critically evaluate from a systems perspective the key features and
aspects of a corporate accounting information systems audit.
Like much of the contemporary English language, the word ‘audit’ has its roots in Latin – meaning
to hear or to perceive a sound. Consequentially, an auditor is, literally, one who hears or someone
who listens attentively. So, the role of an auditor is quite literally to audit!
The term ‘audit’ can be defined in many ways. In a broad context, an audit is an inspection,
examination and verification of a company’s financial and accounting systems, supporting
documents, records and financial statements. This rather broad definition can be further
divided (somewhat subjectively) into two separate, albeit highly interrelated, definitions. An
audit is either:
• a review and examination of records and activities to assess the adequacy of system controls to:
  - ensure compliance with established policies, procedures and pronouncements, and
  - recommend appropriate changes in controls, policies, procedures, or
• a professional assessment and verification of a company’s accounting documents and
supporting data for the purpose of rendering an opinion as to their fairness, consistency
and conformity of the financial statements with UK GAAP.4
The former would normally be associated with the role of an internal auditor, whereas the
latter would normally be associated with the role of an external auditor.
For our purposes – that is from an accounting information systems perspective – we will
define an audit as an independent examination5 that seeks to evaluate the reliability of corporate
accounting information and the efficiency and effectiveness of corporate accounting information
systems. An independent examination by a competent and authorised individual – an auditor,
a qualified accountant6 – whose role – in a contemporary corporate context – can accordingly
be defined as:
• the inspection of the accounting systems, records and practices of a company7 and, where
required, and/or appropriate
• the provision of an independent report to a company’s members as to whether its financial
statements have been properly prepared.8
Types of auditor
So what about the different types of auditors? There are, in essence, two types of auditors:
• an internal auditor, and
• an external auditor.
Internal auditor
An internal auditor is an employee of the company, responsible and accountable to the senior
management within the company and independent of any functional activity/procedure within
the company. The role of an internal auditor in:
• appraising the efficiency of operational activities of the company,
• assessing the effectiveness of internal administrative and accounting controls, and
• evaluating conformance with managerial procedures and policies,
The Institute of Internal Auditors suggests that the primary function of an internal auditor is to:⁹
• examine and evaluate how organisations are managing their reputational, operational or
strategic risks,
• provide the company (audit committee and/or the board of directors) with information
about whether risks have been identified, and how well such risks are being managed,
• offer an independent opinion on the effectiveness and efficiency of internal controls (extant
operation protocols, policies and procedures),¹⁰
• review accounting information system developments to ensure that appropriate internal
control policies and procedures are maintained and, where appropriate,
• provide consultancy services and/or undertake special reviews at the request of management.
External auditor
An external auditor is:
• independent of the company (or organisation),¹² and
• appointed/reappointed annually at the company (or organisation) AGM (Annual General
Meeting).¹³
In a corporate context, the role and duties of an external auditor are – in the UK – regulated by
provisions of UK corporate legislation. The external auditor’s primary functions/duties are
provided in the Companies Act 1985 (s235 and s237). Under these provisions, an external auditor
is – as part of a statutory annual audit – required to report to the company shareholders stating
whether in their opinion:
• the company’s financial statement provides a true and fair view¹⁴ of the company’s state
of affairs as at the end of the financial year, and its profit and loss accounting for the year,
and
• that such financial statements have been properly prepared in accordance with the
requirements of the Companies Act 1985 (as amended).
However as Article 15.1 suggests, even such a long-standing, well-established Anglo-Saxon
notion of ‘true and fair view’ may well be under threat.
An external auditor is required prima facie to ensure that:
• the company has maintained proper underlying accounting records, and
• the financial statements are in agreement with the underlying accounting records.
Specific requirements exist regarding the appointment, removal and/or replacement of an external
auditor.
Article 15.1
Section 385(2) of the Companies Act 1985 provides for company shareholders to appoint
an external auditor on an annual basis. Similarly, resolutions to remove and/or replace an
external auditor must also be made at a company’s annual general meeting. However, s319A
provides that:
• 28 days’ notice of the resolution to remove and/or replace an external auditor must be
provided to both shareholders and existing auditors, and
• the existing external auditor is provided with an opportunity to make representations to the
shareholders on the intended resolution to remove and/or replace them.
So, how effective are external auditors in discharging their statutory duties? Although the
evidence on their effectiveness is contradictory and less than conclusive, it is worth noting that in
2005, in the UK, of the FTSE 100 companies:
• 43 were audited by PwC,
• 22 were audited by KPMG,
• 17 were audited by Deloitte, and
• 17 were audited by Ernst and Young.
And of the FTSE 250 companies:
• 82 were audited by PwC,
• 64 were audited by KPMG,
• 54 were audited by Deloitte, and
• 142 were audited by Ernst and Young.
See Article 15.2.
Article 15.2
Big four bristle at claims that too much power rests in their hands
The creeping global dominance of the ‘big four’ auditing firms is in danger of compromising the independence of UK regulators and hampering disciplinary actions, according to one of Britain’s most powerful shareholder groups.
The Association of British Insurers, whose members control almost 20% of the shares on the London stock market, says the four multinational auditing groups – KPMG, PricewaterhouseCoopers, Ernst & Young and Deloitte – have a stranglehold on the market for auditing work and too much influence over regulators. It has called for regulators and competition authorities to show their teeth.
Peter Montagnon, head of investment affairs at the ABI, said: ‘The acid test is whether the regulators feel they have to have a different approach to disciplinary processes in the case of the big four firms than they do for smaller audit companies. If they do feel this, there is clearly something seriously wrong.’
In Britain, the big four audit all but one of the FTSE 100 companies and 97% of midcap firms and their dominance of big business auditing is similar in other leading markets. Mr Montagnon said: ‘If there are very few firms doing audits, they can influence too heavily the way auditing is organised and implemented.’
His comments echo widespread concern among policymakers that too much power rests in the hands of the four accountancy firms. Many fear they are too big to fail, which makes it difficult to regulate them strictly.
Backed by the Department of Trade and Industry, accountancy watchdog the Financial Reporting Council has been conducting a review of the auditor choices available to British businesses. It is this ongoing review that yesterday prompted the ABI to publish its damning assessment of the audit market. Its views have been submitted to the FRC review but its claims that regulators may be compromised by the power of multinational audit firms have begun to ruffle feathers. Paul Boyle, FRC chief executive, said: ‘It is a rather curious suggestion that the FRC, which has embarked on this project looking at the dominance of the big four firms, could be corrupted by the same big four firms.’
Peter Wyman, a partner at the largest of the big four, PwC, said: ‘I think the ABI is on a different planet. Our regulator is Sir John Bourn [chairman of an FRC committee]. He is the most independent person you will come across. The suggestion that we have somehow captured him is just nonsense. It is like suggesting BT had been able to capture Ofcom.’
The FRC’s committees, which oversee every element of accountancy, are well populated by senior figures from the big four. While Mr Boyle recognises the potential conflict, he argues against the US model, where a ban on audit groups holding regulatory posts occasionally leaves the watchdog looking out of touch.
In its submission to the regulators, the ABI said: ‘We are not comfortable with a position where large firms could determine the shape of regulation by threatening to withdraw from the audit market.’ Some industry experts said this was a reference to the heated debate in recent years over whether audit firms should have their liability limited in the event of a substantial audit failure.
The big four – which make only a fifth of their profits from statutory auditing work – effectively demanded their liabilities be capped, insisting they were no longer prepared to operate under unlimited liability, risking the same fate as Andersen, the auditing firm that imploded after the Enron scandal.
The government is pushing a company law reform bill through parliament to provide the four with much of the comfort demanded.
The four are sending last-minute submissions to the FRC before all position documents are published on the watchdog’s website this week. All are thought to play down suggestions of a crisis. Ernst & Young recognises ‘concentration of auditor choice is an important matter’, but claims ‘the current state of the market is not causing significant problems for most large public companies and there appears to be ample choice in the market for other companies’.
Mr Wyman puts it more strongly: ‘We don’t think that the market is anything other than fiercely competitive. There are many, many, many markets where four suppliers would be considered an absolute luxury. I’m sure BA would love to have four plane suppliers.’
Ernst & Young tells the FRC: ‘The salient question in this debate is how to avoid the collapse of a large firm.’ While all agree this would be calamitous, the ABI suggests steps must be taken to prevent auditors using this scenario as a threat. ‘Moral hazard considerations must be weighed up against the expectations of large audit firms that they will be protected by special regulatory treatment because they are too important to fail.’
An FRC meeting, scheduled for next month, is expected to be a lively affair. While some will suggest the spectre of Enron should be left to fade in the memory, many others point to a catalogue of recent cases that could threaten another blue chip auditor.
Among them is a tax avoidance scheme sold by KPMG to super-rich individuals in the US in the late 1990s that resulted in a £250m settlement and the imminent trial of 16 former employees. A dark shadow was cast over PwC’s future after its Japanese affiliate signed off the fraudulent accounts of cosmetics group Kanebo, leading to a £100m fine and string of client defections. Both firms survived, but another Andersen may not be far away.
Source: Simon Bowers, 8 August 2006, The Guardian, http://business.guardian.co.uk/story/0,,1839332,00.html.
Now we know what types of auditors there are – what types of audit exist? Porter et al. (2003)
have suggested that based on the primary audit objective, three main categories of audits may
be recognised, namely:
• ‘financial statement audit,
• compliance audit, and
• operational audit’ (2003: 4).
• a compliance audit is ‘(designed to) . . . determine whether an individual or entity has acted
(is acting) in accordance with procedures or regulations established by an authority such as
the entity’s management or a regulatory body,’ (2003: 6), and
• an operational audit is ‘the systematic examination and evaluation of an entity’s operations
which is conducted with the view to improving the efficiency and/or effectiveness of the
entity,’ (2003: 6).
Whilst the above does provide an insight into the alternative categories of audit and a basis
on which to distinguish between the role of an internal auditor and the role of an external
auditor (see Figure 15.1), we can – in a more functional context – further subdivide each
category and identify and distinguish between a number of alternative types of audit¹⁵ (see
Figure 15.2).
So what types of audits exist within each category? Types of audit within the financial
statement audit would, for example, be:
• a balance sheet audit,
• a profit and loss account audit, and
• a cash flow statement audit.
Types of audit within the compliance audit would, for example, be:
• an internal control audit,
• a management audit, and
• a corporate governance audit.
Types of audit within the operational audit would, for example, be:
• a risk audit,
• a social audit,
• an environmental audit, and
• a value for money audit.
Before we have a look at each of these types of audit in more detail, it would perhaps be useful
to note that in the UK, since 1991, it has been the responsibility of the Auditing Practices Board
(APB)¹⁶ to issue pronouncements (see Scope and Authority of APB pronouncements (Revised)
2004), that can be categorised as follows:
• Statements of Auditing Standards (SASs),
• practice notes – to assist auditors in applying Auditing Standards of general application, and
• bulletins – to provide auditors with guidance on new emerging issues.
Compliance with the basic principles and essential procedures identified within extant
auditing standards (SASs) is mandatory and failure to comply with such auditing standards may
result in disciplinary action by the Recognised Supervisory Body (RSB) with which the auditor
is registered.
In addition, the International Auditing Practices Committee (IAPC), a committee of the
council of the International Federation of Accountants (IFAC),¹⁷ issues:
• International Standards on Auditing (ISAs), and
• International Auditing Practice Statements (IAPSs).
The aim of these is to improve the degree of consistency, uniformity and homogeneity in
auditing practices throughout the global marketplace. Whilst the pronouncements of the IFAC are
usually welcome and accepted without too much debate, occasionally such tacit acceptance is not
the case (see Article 15.3).
It should however be noted that whilst member bodies of the IFAC¹⁸ – which include the UK
and Irish professional bodies – are required to endeavour to ensure compliance with extant ISAs,
where inconsistencies exist between ISAs issued by the International Auditing Practices
Committee (IAPC) and national/local SASs issued by the UK Auditing Practices Board (APB), such
ISAs do not override local/national SASs. Such inconsistencies are however rare! A list of extant
SASs and ISAs is available on the website accompanying this text www.pearsoned.co.uk/boczko.
Article 15.3
Types of audit
As such they are designed to substantiate, validate, verify and/or confirm the information
contained within a company’s financial statements and facilitate the formulation of an opinion on
whether the financial statements of a company provide a true and fair view of the company’s
state of affairs as at the end of the financial year, and its profit and loss accounting for the year.
And as a consequence not only improve, but also add value to, the company’s activities and
operations.
Undertaken as part of a company’s on-going internal audit function, such an internal control
audit would:
• be mainly system-based, and
• aim to support the work of the company’s external auditor.
Management audit
A management audit is an evaluation of performance and compliance in relation to regulatory,
process, economic and efficiency-based accountability measures at all management levels. Such
an audit focuses on outputs and results (rather than merely process) and evaluates the
effectiveness and suitability of controls by contesting the validity of extant processes and procedures,
systems and methodologies. A management audit is not designed merely to test and identify
conformity and/or non-conformity with existing system requirements, procedures and protocols.
The key objectives are to:
• validate the need for existing system requirements, procedures and protocols, and
• identify key problem areas – or cause and effect patterns.
Management audits are generally performed internally – by internal auditors – and are essentially
systems-based compliance audits.
Risk audit
A risk audit is an examination of the effectiveness of company processes, procedures and
protocols in:¹⁹
• identifying the nature and contexts of risk (risk identification),
• constructing an effective understanding of its origin and nature (risk assessment),
• developing an appreciation of its implications (risk evaluation), and
• designing effective strategies to manage its consequences (risk management).
Such a risk audit may relate to:²⁰
• a category/group/subset of companies possessing common characteristics and/or sharing
common attributes,
• a company and/or business type/sub-type within a category/group/subset,
• a cycle of operation within the company and/or business type/sub-type, and
• a system within a company’s cycle of operations.
Social audit
A social audit is an examination of the extent to which the operations of a company have
contributed to social goals of the wider community. Social audits are concerned more with
effectiveness rather than efficiency and can be seen as a means of assigning some influence over
corporate activities to relevant external stakeholder groups such as employees, consumers and
the local community. They provide a framework through which a company can:
• identify and qualitatively measure its social performance,
• account for its impact on the community, and
• report on that performance to its key stakeholder groups.
In a corporate context, social audits remain at a very early stage of development and remain
difficult to perform because there exists no generally accepted measure of social performance.
Environmental audit
An environmental audit is an independent assessment of the current status of a company’s
compliance with applicable environmental requirements and/or an evaluation of a company’s
environmental policies, procedures, practices and controls.
In essence, an environmental audit is an examination of a company’s environmental
‘friendliness’ and is concerned primarily with a company’s environmental management systems. Such
an audit would review the company’s:
• environmental policies,
• objectives and targets,
Where a company is registered with the European Eco-Management and Audit Scheme (EMAS)²¹
it is required to appoint an external verifier . . . (usually an external auditor) . . . and to publish,
annually, an externally verified (or audited) environmental statement (Porter et al., 2003: 541).
For a company, the benefits of EMAS registration²² and of course an environmental audit
may include:
• the possible development of marketing opportunities by demonstrating corporate awareness
of environmental issues and concerns,
• possible access to new markets by demonstrating greater internal efficiencies through the
active management of environmental risks, and
• the enhanced use (where the company (or organisation) is registered) of ISO 14001.²³
As we have for the previous chapters of this text, we will continue to adopt what some may well
consider an alternative view of a company’s accounting information systems.²⁴ That is a holistic
contextualisation of a company’s accounting information systems that prima facie considers them
to be an all-encompassing collection of politically constructed socio-economic networks.
As we have seen, there can be little doubt that in a contemporary context, accounting
information systems and, more importantly, computer-based accounting information systems
now play a central role in:
• portraying, evaluating and governing the extensive and expanding domains of economic and
social life, and
It is, however, worth noting that for some academics and practitioners – often constrained
by an over-reliance on hard system positivism – such a view of a company’s accounting
information systems as an all-encompassing contextualisation of a company’s processes, procedures
and protocols is not widely accepted. Indeed, for some – albeit mostly those of a positivistic²⁵
proclivity/functionalistic inclination clearly influenced by the evermore powerful priorities of
capital – an accounting information systems audit does not, at least in an empirical context, exist!
It is a delusional fallacy, an erroneous fabrication, a misleading constructed notion and a created
terminology that is no more than merely another abstract description of or for a compliance
audit. More specifically an internal control/systems type audit whose key aspects/objectives (as
we have seen earlier) are very often concerned primarily with:
• the mechanistic, the technical and the functional aspects of accountability and internal
control, and
• the quantification and measurement of hard systemic processes, procedures and protocols.
in which:
• compliance type audits are viewed as primarily concerned with data/information relating to
procedures and protocols associated with input/process activities and events,
• operational type audits are viewed as primarily concerned with data/information relating to
procedures and protocols associated with process activities and events, and
• financial statement type audits are viewed as primarily concerned with data/information
relating to procedures and protocols associated with process/output activities and events.
This continues to necessitate not only a very specific imposed structure to analysis and
understanding, but also a particular politicisation of knowledge – a professional technocracy of
protectionist fragmentation and guarded over-compartmentalisation.
See Figure 15.4.
So, what about the audit of computer-based accounting information systems? Before we
continue it would perhaps be useful to consider:
• the purpose of the audit, and
• the audit techniques we can use.
Or, put more simply, what are we trying to do, how are we going to do it and exactly why do
we audit?
Always remember the audit axiom: ‘In God we trust. Everyone else we audit!’
Purpose of an audit
In this context:
• sufficiency is the measure of the quantity of audit evidence,
• appropriateness is the measure of the quality or reliability and relevance of audit evidence,
and
• audit evidence is ‘any perceived object, action or condition relevant to the formation of a
knowledgeable opinion,’ (Anderson, 1977: 251) or ‘all the facts and impressions auditors acquire
which help them form an opinion,’ (Porter et al., 2003: 52).
Sufficiency of audit evidence – the quantity of audit information required – will be both
influenced and determined by, for example:
• the consequences, risk and materiality of any potential error and/or misstatement,
• the nature of existing internal control systems, and
• the source and reliability of evidence.
Appropriateness and dependability of audit evidence – the quality or reliability and relevance
of audit evidence – will be determined by the origin/basis/foundation of the audit evidence. For
example, whether such audit evidence has been obtained from:
• the inspecting of financial and accounting systems, supporting documents, records and
financial statements,
• the undertaking of appropriate computational analysis,
• the making of enquiries and the obtaining of confirmation of the existence, ownership and
valuation of assets/liabilities, and/or
• the observing of company procedures and processes, and the determining of the existence
and effectiveness of internal controls.
Clearly, whilst such audit evidence needs to be:
• relevant,
• reliable,
• appropriate,
• timely, and
• cost effective,
from an (all encompassing) accounting information systems audit context, such audit evidence
should seek to ensure the existence of adequate/efficient/effective internal controls inter alia:
• appropriate levels of segregation of duties in company procedures and processes,
• adequate physical controls in the acquisition, management and disposal of assets and liabilities,
• relevant and proper authorisation procedures in the acquisition, management and disposal
of assets and liabilities,
• adequate management and supervision procedures in the acquisition, management and
disposal of assets and liabilities,
• established and defined organisational/management/control structures,
• adequate arithmetic and accounting procedures in company procedures and processes, and
• approved personnel procedures for the recruitment, appointment, promotion, management
and dismissal of staff members.
Auditing techniques
There are of course a range of auditing techniques that auditors (both internal and external)
regularly employ, to:
• gather data/information,
• obtain audit evidence,
• communicate findings and, of course,
• formulate and develop an opinion,
on:
• a system (or sub-systems),
• a group of procedures,
• a cluster of processes,
• a collection of regulations/protocol/controls, and/or
• a set of financial statements,
to determine the existence, adequacy, efficiency and effectiveness of internal controls – internal
controls which are, in many cases, now IT-based.
Such auditing techniques would (within the context of an audit plan/programme)²⁸ include
inter alia, for example:
• the use of narrative reports/descriptions,
• the use of flowcharts (including systems, program and document flowcharts),
• the use of Internal Control Questionnaires (ICQs),
• the use of statistical sampling, and
• the use of Computer Aided Audit Techniques (CAATs) (including the use of test transaction
data and/or audit software/programs).
Narrative reports/descriptions
Primarily used as a descriptive tool, an auditor’s narrative description is essentially a detailed
description of how a system/sub-system operates. It would include a detailed explanation and/or
review of:
• all the documentation (physical and/or virtual) used in the system/sub-system under review,
• all the processes, procedures and protocols that exist as part of the system/sub-system under
review, and
• all the internal control procedures and processes that are present within the
system/sub-system under review, including details of relevant segregation of duties, physical controls
and authorisation, management and supervision/control procedures.
EoNio Ltd is a small manufacturing company located in York. The company’s purchasing
system operates with the following departments:
• a requisitioning department,
• a purchasing department,
• a receiving department,
• a stores department,
• a purchasing ledger (accounts) department, and
• a treasury department.
Prior to delivery the supplier is requested to send one copy of the purchase order back to
the purchasing department as acknowledgement of the purchase order receipt. When the
goods are delivered a Goods Received Note (GRN) (three copies) is received. One copy is
filed in the receiving department, one is kept by the stores department and one is sent to
purchase ledger (accounting department), where it is matched and filed with the appropriate
purchase order.
The supplier retains a delivery note, authorised (signed) by an appropriate member of staff
from the receiving department. When the invoice is received from the supplier the
purchasing department matches the purchase order, GRN and invoice, and authorises payment.
All payments are made by BACS and require authorisation from the company cashier.
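The controls described in the EoNio Ltd narrative (matching of purchase order, GRN and invoice before payment, and cashier authorisation of every BACS payment) can be re-performed over a complete data file with audit software. The following Python code is an added example, not taken from the book: the record layouts, exception codes, user IDs and sample records are all constructed, and the segregation-of-duties rule (the user who matched the documents must not also authorise the payment) is an assumption added for illustration.

```python
"""Three-way match and payment-authorisation test over purchasing records.

All record layouts, exception codes, user IDs and sample data are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal as D

@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    qty: int
    unit_price: D

@dataclass(frozen=True)
class GoodsReceivedNote:
    grn_no: str
    po_no: str
    qty_received: int

@dataclass(frozen=True)
class Invoice:
    inv_no: str
    po_no: str
    qty: int
    amount: D
    matched_by: str  # purchasing user who matched PO, GRN and invoice

@dataclass(frozen=True)
class BacsPayment:
    pay_ref: str
    inv_no: str
    amount: D
    authorised_by: str  # empty string when no authorisation was recorded

def audit_payments(pos, grns, invoices, payments, cashiers):
    """Return {pay_ref: [exception codes]} for every payment, in file order."""
    po_by_no = {po.po_no: po for po in pos}
    inv_by_no = {inv.inv_no: inv for inv in invoices}
    received = {}  # total quantity received per purchase order
    for grn in grns:
        received[grn.po_no] = received.get(grn.po_no, 0) + grn.qty_received

    paid_invoices = set()
    report = {}
    for pay in payments:
        exceptions = report.setdefault(pay.pay_ref, [])
        if pay.authorised_by not in cashiers:
            exceptions.append("NOT_AUTHORISED_BY_CASHIER")
        inv = inv_by_no.get(pay.inv_no)
        if inv is None:  # payment with no invoice on file: nothing to match
            exceptions.append("NO_INVOICE")
            continue
        if inv.inv_no in paid_invoices:
            exceptions.append("DUPLICATE_PAYMENT")
        paid_invoices.add(inv.inv_no)
        if pay.amount != inv.amount:
            exceptions.append("PAYMENT_NE_INVOICE")
        # Assumed segregation-of-duties rule: matcher must not authorise payment.
        if pay.authorised_by and pay.authorised_by == inv.matched_by:
            exceptions.append("SOD_CONFLICT")
        po = po_by_no.get(inv.po_no)
        if po is None:
            exceptions.append("NO_PURCHASE_ORDER")
        elif inv.amount != inv.qty * po.unit_price:
            exceptions.append("PRICE_MISMATCH")
        if inv.po_no not in received:
            exceptions.append("NO_GRN")
        elif inv.qty > received[inv.po_no]:  # invoiced more than was delivered
            exceptions.append("INVOICED_GT_RECEIVED")
    return report

# Constructed sample files (not real data).
CASHIERS = {"cashier1"}
SAMPLE_POS = [PurchaseOrder("PO-1001", 100, D("2.50")),
              PurchaseOrder("PO-1002", 40, D("10.00")),
              PurchaseOrder("PO-1003", 10, D("99.00"))]
SAMPLE_GRNS = [GoodsReceivedNote("GRN-1", "PO-1001", 100),
               GoodsReceivedNote("GRN-2", "PO-1002", 30)]  # short delivery
SAMPLE_INVOICES = [Invoice("INV-1", "PO-1001", 100, D("250.00"), "pclerk1"),
                   Invoice("INV-2", "PO-1002", 40, D("400.00"), "pclerk1"),
                   Invoice("INV-3", "PO-1003", 10, D("990.00"), "pclerk2")]
SAMPLE_PAYMENTS = [BacsPayment("BACS-1", "INV-1", D("250.00"), "cashier1"),
                   BacsPayment("BACS-2", "INV-2", D("400.00"), "cashier1"),
                   BacsPayment("BACS-3", "INV-3", D("990.00"), "pclerk2"),
                   BacsPayment("BACS-4", "INV-1", D("250.00"), "cashier1"),
                   BacsPayment("BACS-5", "INV-9", D("75.00"), "")]

if __name__ == "__main__":
    results = audit_payments(SAMPLE_POS, SAMPLE_GRNS, SAMPLE_INVOICES,
                             SAMPLE_PAYMENTS, CASHIERS)
    for ref, codes in results.items():
        print(ref, ", ".join(codes) or "clean")
```

Because the test covers every payment rather than a sample, each exception it reports is a specific transaction the auditor can trace back to the filed purchase order, GRN and invoice.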
Remember flowcharts? We discussed system, program and document flowcharts in some detail
in Chapter 7.
A flowchart is merely a diagrammatic representation, a picture, of a system, a (computer)
program and/or a document flow.
The main advantages of flowcharting for an auditor are:
Physical/environment control
• Are stock items adequately safeguarded against damage from the weather, other accidental
damage, unrecorded movement and/or unauthorised removal?
• Are stock items stored in a secure, controlled environment?
• Are stock items stored in an organised manner?
• Is adequate insurance cover relating to stock items available?
• How often is the stock insurance policy reviewed?
• Are all issues and receipts of stock recorded through the use of pre-numbered documents?
• Are the stock records up-to-date?
• Are detailed records kept for all stock items showing quantities/type, location, value, usage
and selling price?
Accounting
• Are general ledger control accounts reconciled with the stock records?
• Is the reconciliation independently reviewed?
• Are differences promptly investigated and corrective action taken?
• Are detailed accounting controls maintained?
• Are stocks reviewed periodically and a determination made of slow-moving items, obsolete
items and excess stock items?
• Does the organisation monitor stock turnover?
• Is the disposal of written-off stock items adequately controlled and accounted for?
Statistical sampling
In an audit context, sampling means:
the application of audit procedures to less than 100% of the items . . . to obtain and evaluate
audit evidence about some characteristic of the items selected in order to form or assist in
forming a conclusion concerning the population. Audit sampling can be used as part of a test
of control or as part of a substantive procedure (SAS 430²⁹ para 4).
This has occurred in an unprecedented, unpredictable and often chaotic way – sweeping away
and replacing years of established custom, convention and tradition with little more than
passing concern.
In terms of audit procedures/processes, the invasion of computer-based information
technology has been seen in areas such as:
• the creation/amendment/storage of audit working papers,
• the scheduling/monitoring of audit investigations/activities,
• data collection (e.g. computer-based ICQs/ICEs),
• information analysis/interpretation (e.g. computer-based flowcharting and narrative report
writers), and
• audit report generation.
In terms of audit techniques, the invasion of computer-based information technology has been
seen in areas such as:
Utility software
Utility software/programs are provided by computer hardware/software manufacturers and/or
retailers. They are usually add-on programs often utilised in the operational functioning of the
computer system/network.
Such utility programs can be used to:
• examine processing activity,
• test programme activities,
• test system activities and operational procedures,
• evaluate data file activity, and
• analyse file data.
Although these utility programs are not specifically designed for auditing purposes, they can be,
and indeed often are, used in pre-processing procedures – that is manipulating record data into
an auditable format by:
• extracting specific data items from a database, and/or
• sorting, merging or joining files, and/or specific data records within them.
Test data
Test data can be:
• live test data – that used during normal computer-based processing cycles, and/or
• dead test data – that used outside normal computer-based processing cycles.
As we have discussed earlier (see Chapter 4), there can be little doubt that the new world order
of the mid-20th century and early 21st century in which the search for:
• sustainable profitability,
• wealth creating opportunities,
• greater flexibility and adaptability, and
• long-term commercial competitive advantage,
has become central to the turbulent global priorities of market-based corporate capitalism and
its desire to forge institutional interdependencies consistent with its continued survival and
expansion. A search that itself has become:
• increasingly dependent on evermore complex symbolic forms of knowledge,
• evermore reliant on ephemeral technologies and knowledge-based systems, and
• evermore dependent on transferable forms of information.
Founded on:
• the complex flows of increasingly fictitious capital,
• the temporal and spatial displacement of resources, and
• the transferability of knowledge and information,
there can be little doubt that whilst the continued rise of contemporary corporate capitalism was
clearly facilitated by the expansion, development and increasing sophistication of information
technology products, services and capabilities, the information revolution has nonetheless
continued to remain a product of the increasingly controversial priorities of global market-based
capitalism.
Remember, information technology is just another increasingly competitive business within
just another increasingly turbulent industry, within just another ever-expanding and
evermore chaotic marketplace. Imagine what would have happened to Microsoft Inc. if the Microsoft
Windows-based software platform had not been commercially successful in the 1980s? Would
Microsoft have still survived to become the same commercially successful company that it is
today? Probably not!
It was the increasing pressures to:
• provide both internal and external users with more relevant/accurate information,
• support management decision-making/control processes, and
• facilitate external regulation and control,
It is therefore common for auditors to adopt what we will regard as a bi-lateral audit approach,
as follows:
• a content (or application) audit – assessing the functional/operational processes, procedures
and protocols of the computer-based accounting information systems, and
• a context (or environment) audit – assessing the general controls/environment aspects of a
company’s accounting information systems architecture (see also Chapter 5), for example:
  ◦ organisational controls,
  ◦ development and maintenance controls,
  ◦ access controls, and
  ◦ sundry controls.
However, this classification – whilst still enjoying some popularity (for whatever reason) in
a number of contemporary accounting information systems texts, and indeed some auditing
texts – is rather dated and in a contemporary context perhaps somewhat naïve, since it fails to
recognise how current advances in information technologies have not only changed the nature,
analytical ability and processing capability of many CAATs, but also increasingly distorted the
boundaries between what were historically well-defined, independent and discrete CAATs.
For our purposes, we will adopt a more contemporary classification, as follows:
• non-CAAT-based auditing (auditing around the computer), and
• CAAT-based auditing (auditing through and/or with the computer using a range of computer
assisted audit techniques).
Both of these are very relevant and extremely important to the effective and efficient auditing
of computer-based/information technology orientated accounting information systems.
• comparing the content of two or more files/records (that should not match) for content
equivalency and/or similarity,
• analysing, categorising and/or merging files/records for further audit testing, and
• summarising file/record content (including preparing control totals, etc.).
Whilst the use of generic audit software for data file/record interrogation is efficient and
effective in terms of time and reliability, and generally easy to use, there is a need to ensure the
compatibility of the generic audit software with the target system/sub-system and of course
the computer system/network.
In the former an embedded audit module/facility essentially monitors and examines all
transactions that enter a processing system/sub-system. When a transaction arises that satisfies
a pre-selected criterion/parameter, a record (an audit file) of the transaction details is created
before the transaction is permitted to continue for further processing.
In the latter, specified records are merely tagged – an extra field is added to each specified/
pre-selected data record – to facilitate/enable identification for future audit analysis. Again
a summary audit file would be created recording the details of all data records tagged and
processed.
Embedded audit modules/facilities are clearly a very powerful and potent audit technology.
However it is important to ensure that:
• the interception of transactions occurs at the most appropriate processing stage within a
system/sub-system,
• the operation of the embedded audit module/facility does not degrade system/sub-system
performance, and
• the audit selection criteria/parameters and created audit files are protected against unauthorised
alteration.
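The following is an added example, not taken from the book: a small embedded audit module in Python that records selected transactions before they continue to processing, offers the tagging variant, and protects the audit file and selection criteria against alteration with an HMAC chain. The class, field names, criteria, key and sample transactions are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the "previous MAC" of the first audit record

# Constructed selection criteria and transactions (illustrative values only).
APPROVED_CRITERIA = {"min_amount": 10000.0, "watch_accounts": ["SUSP-9999"]}
SAMPLE_TXNS = [
    {"id": "T1", "account": "SALES-1001", "amount": 250.0},
    {"id": "T2", "account": "SALES-1001", "amount": 12500.0},
    {"id": "T3", "account": "SUSP-9999", "amount": 40.0},
    {"id": "T4", "account": "PURCH-2001", "amount": 9999.99},
]


def _canonical(obj) -> bytes:
    """Stable byte encoding so the same record always produces the same MAC."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def criteria_fingerprint(criteria: dict) -> str:
    """SHA-256 of the selection criteria, bound into every audit record."""
    return hashlib.sha256(_canonical(criteria)).hexdigest()


class EmbeddedAuditModule:
    """Hypothetical module placed in front of a processing routine."""

    def __init__(self, key: bytes, criteria: dict):
        self._key = key                  # assumed to be held by the auditor only
        self._criteria = criteria
        self.criteria_id = criteria_fingerprint(criteria)
        self.audit_file = []
        self._prev = GENESIS

    def selected(self, txn: dict) -> bool:
        c = self._criteria
        return txn["amount"] >= c["min_amount"] or txn["account"] in c["watch_accounts"]

    def intercept(self, txn: dict) -> dict:
        """Copy a selected transaction to the audit file, then pass it on unchanged."""
        if self.selected(txn):
            body = {"seq": len(self.audit_file) + 1, "txn": dict(txn),
                    "criteria_id": self.criteria_id, "prev": self._prev}
            mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            self.audit_file.append({**body, "mac": mac})
            self._prev = mac             # each record is chained to the one before it
        return txn

    def tag(self, record: dict) -> dict:
        """Tagging variant: return a copy carrying an extra field for later audit."""
        return {**record, "audit_tag": self.selected(record)}


def verify_audit_file(entries: list, key: bytes, approved_criteria: dict) -> list:
    """Return a list of findings; an empty list means nothing was altered."""
    findings = []
    approved_id = criteria_fingerprint(approved_criteria)
    prev = GENESIS
    for position, entry in enumerate(entries, start=1):
        body = {k: entry[k] for k in ("seq", "txn", "criteria_id", "prev")}
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry["mac"]):
            findings.append(f"record {entry['seq']}: contents altered")
        if entry["prev"] != prev or entry["seq"] != position:
            findings.append(f"record {entry['seq']}: chain broken")
        if entry["criteria_id"] != approved_id:
            findings.append(f"record {entry['seq']}: criteria not as approved")
        prev = entry["mac"]
    return findings


def run_demo(key: bytes = b"constructed-demo-key"):
    """Pass every sample transaction through the module; return it and what was posted."""
    module = EmbeddedAuditModule(key, APPROVED_CRITERIA)
    posted = [module.intercept(txn) for txn in SAMPLE_TXNS]
    return module, posted


if __name__ == "__main__":
    module, posted = run_demo()
    print(len(posted), "posted;", [e["txn"]["id"] for e in module.audit_file], "captured")
    print(verify_audit_file(module.audit_file, b"constructed-demo-key", APPROVED_CRITERIA))
```

The chain does not reveal records removed from the end of the file, so the number of audit records should also be reconciled to an independently held control total.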
Test data
Test data can be used to test and assess:
• any single, group and/or cluster of programs/procedures,
• any system/network component, and/or
• any system/network in entirety.
They can be used to examine/assess the processing logic of programs and authenticate:
• input protocols,
• processing procedures,
• output routines, and
• error detection facilities.
Such test data can also be used to assess any associated non-computer-based processes, procedures
and protocols.
Whilst there are clearly limited operational costs involved (once a test facility has been designed,
developed and implemented), the main advantages of using an integrated test facility are:
• it provides comprehensive testing of a live system,
• it facilitates unscheduled, undisclosed and anonymous testing, and
• it provides prima facie and authenticable evidence of correct and proper program functions/
operations.
More importantly, once such an integrated test facility is operational it can not only be used for
program testing but also for user training, etc.
However, there are significant risks involved in using such test facilities. Where an integrated
test facility is created – whether for auditing purposes and/or training purposes – it is
important that any test data created during an audit is not allowed to corrupt the live accounting
information system.
Baseline evaluation
A baseline (systems and/or security) evaluation is the assessment, selection and implementation
of systems procedures and/or security measures within a computer-based system based upon
systems procedures and/or security measures and protocols used in similar computer-based
systems in companies that are generally accepted to be well-run.
Such evaluations can take many forms including the use of test data to validate selected systems
procedures/security protocols.
Parallel simulation
Parallel simulation is the generation of an independent program to simulate/imitate part of an
existing application program (see Figure 15.7). It is designed to test the validity and verify the
accuracy of an existing program/cluster of programs.
The main advantage of using parallel simulation is that since any simulation program will
normally be concerned with only a few discrete aspects of a live operational program within the
accounting information system, such a simulation program will generally:
• be simple to operate,
• be not very complex,
However, as with test data (see above), the main disadvantage/problem with using parallel
simulation is that its use as a test will only confirm/authenticate the program(s) tested at the
time they are tested.
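Parallel simulation as described above, shown as an added example that is not part of the book: an independent Python program re-performs one discrete calculation (invoice discount and VAT) on the same input as the live program and reports every figure that differs. The processing rules, rates, invoice data and the live program's output are all constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

PENNY = Decimal("0.01")
# Processing rules the auditor takes from the system documentation (assumed values).
VAT_RATE = Decimal("0.175")
DISCOUNT_RATE = Decimal("0.05")
DISCOUNT_THRESHOLD = Decimal("1000.00")  # discount applies at or above this net value

# Constructed copy of the transaction file fed to the live program:
# invoice number -> list of (quantity, unit price) lines.
SOURCE_TXNS = {
    "INV-001": [(10, "25.00"), (3, "9.99")],
    "INV-002": [(40, "30.00")],
    "INV-003": [(1, "999.99")],
    "INV-004": [(7, "14.30")],
}

# Constructed output of the live program for the same processing run.
LIVE_OUTPUT = {
    "INV-001": {"net": "279.97", "discount": "0.00", "vat": "48.99", "gross": "328.96"},
    "INV-002": {"net": "1200.00", "discount": "60.00", "vat": "199.50", "gross": "1339.50"},
    "INV-003": {"net": "999.99", "discount": "50.00", "vat": "166.25", "gross": "1116.24"},
    "INV-004": {"net": "100.10", "discount": "0.00", "vat": "17.51", "gross": "117.61"},
    "INV-005": {"net": "500.00", "discount": "0.00", "vat": "87.50", "gross": "587.50"},
}


def simulate_invoice(lines) -> dict:
    """Independent re-performance of the invoice calculation."""
    net = sum((Decimal(qty) * Decimal(price) for qty, price in lines), Decimal("0"))
    if net >= DISCOUNT_THRESHOLD:
        discount = (net * DISCOUNT_RATE).quantize(PENNY, ROUND_HALF_UP)
    else:
        discount = Decimal("0.00")
    vat = ((net - discount) * VAT_RATE).quantize(PENNY, ROUND_HALF_UP)
    return {"net": net, "discount": discount, "vat": vat, "gross": net - discount + vat}


def parallel_simulation(source_txns: dict, live_output: dict) -> list:
    """Return (invoice, field, simulated value, live value) for every difference."""
    exceptions = []
    for invoice, lines in sorted(source_txns.items()):
        live = live_output.get(invoice)
        if live is None:
            # Input was submitted but the live program produced nothing for it.
            exceptions.append((invoice, "record", "present", "absent"))
            continue
        for field, value in simulate_invoice(lines).items():
            if Decimal(live[field]) != value:
                exceptions.append((invoice, field, str(value), live[field]))
    # Output that cannot be traced back to any source transaction.
    for invoice in sorted(set(live_output) - set(source_txns)):
        exceptions.append((invoice, "record", "absent", "present"))
    return exceptions


if __name__ == "__main__":
    for row in parallel_simulation(SOURCE_TXNS, LIVE_OUTPUT):
        print(row)
```

In the constructed data the live program applies the discount just below the threshold (INV-003), truncates VAT instead of rounding it (INV-004), and reports an invoice with no source transaction (INV-005).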
For existing live programs, such utility programs are often used as part of an authorisation
audit – to assess all variations between a definitive version of a live program and the amended
currently-used version of a live program to determine an authorisation audit trail.
Alternatively, for newly installed developed and/or procured programs, such utility
programs can be used as part of a configuration audit – to assess the validity of implementation
control protocols and procedures by comparing the current version of a live program to its
predecessor development and/or procured program to identify any unauthorised configuration
changes that may have been made.
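The program comparison described above, as an added example that is not the book's own code: a Python utility that fingerprints each live program, accepts it if it matches the definitive version or an amendment recorded in a change-control register, and otherwise lists the exact variations. The program sources and the register are constructed assumptions; supplying the development or procured version as the baseline gives the configuration audit.

```python
import difflib
import hashlib

# Constructed program library: the definitive source of each program.
DEFINITIVE = {
    "vat_calc": "RATE = 0.175\ndef vat(net):\n    return round(net * RATE, 2)\n",
    "credit_check": "LIMIT = 2000\ndef ok(balance):\n    return balance <= LIMIT\n",
    "payment_run": "APPROVAL_LIMIT = 5000\ndef needs_approval(amount):\n"
                   "    return amount > APPROVAL_LIMIT\n",
}

# Constructed amendment that went through change control.
APPROVED_CREDIT_CHECK = "LIMIT = 2500\ndef ok(balance):\n    return balance <= LIMIT\n"

# Constructed live environment: what is actually running.
LIVE = {
    "vat_calc": DEFINITIVE["vat_calc"],
    "credit_check": APPROVED_CREDIT_CHECK,
    "payment_run": "APPROVAL_LIMIT = 50000\ndef needs_approval(amount):\n"
                   "    return amount > APPROVAL_LIMIT\n",
    "adhoc_fix": "print('patched')\n",
}


def fingerprint(source: str) -> str:
    """SHA-256 of a program's source text."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


# Assumed register format: program name -> fingerprints of authorised amendments.
CHANGE_REGISTER = {"credit_check": {fingerprint(APPROVED_CREDIT_CHECK)}}


def variations(definitive: str, live: str) -> list:
    """Removed ('-') and added ('+') lines between two versions of a program."""
    diff = list(difflib.unified_diff(definitive.splitlines(), live.splitlines(),
                                     lineterm="", n=0))
    # The first two lines are the file headers; '@@' lines are hunk markers.
    return [line for line in diff[2:] if not line.startswith("@@")]


def authorisation_audit(definitive: dict, live: dict, register: dict) -> dict:
    """Map each program with unexplained differences to its findings."""
    findings = {}
    for name in sorted(set(definitive) | set(live)):
        if name not in live:
            findings[name] = ["definitive program not present in live environment"]
        elif name not in definitive:
            findings[name] = ["live program has no definitive version"]
        else:
            live_fp = fingerprint(live[name])
            unchanged = live_fp == fingerprint(definitive[name])
            if unchanged or live_fp in register.get(name, set()):
                continue  # identical, or an amendment with an authorisation trail
            findings[name] = variations(definitive[name], live[name])
    return findings


if __name__ == "__main__":
    for program, detail in authorisation_audit(DEFINITIVE, LIVE, CHANGE_REGISTER).items():
        print(program, detail)
```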
There is little doubt that the use of CAATs in both auditing and non-auditing (accounting
information systems related) investigations/activities has grown enormously over the past 10 years.
Although this list is by no means exhaustive, some of the most popular areas are:
• financial statement audit – substantive testing,
• financial statement audit – compliance testing,
• financial statement audit – analytical review and predictive analysis,
• compliance audit – internal control audit,
• compliance audit – management audit/efficiency analysis,
• operational audit – value for money audit.
Although CAATs can be used for a wide variety of audit purposes (and indeed some non-audit
purposes), there is perhaps, not surprisingly, no clear definitive guide on how to use CAATs.
This is because their use and application will vary depending on:
• the nature of the client company being audited,
• the nature and structure of the target system/sub-system being tested,
• the structure and content of the files/data records being tested, and
• the CAAT application(s) being used.
However, in determining whether to use CAATs, the main decision factors that would influence
using or not using CAATs include:
• the computer knowledge, expertise and experience of the auditor/audit team,
• the availability of suitable CAATs and information technology facilities,
• the cost effectiveness of using CAATs,
• the resource implications of using CAATs,
• the possible time constraints imposed on the audit and/or the use of CAATs,
• the integrity of the client’s information system and information technology environment, and
• the level of audit risk associated with the audit.
In a general context, the following can be regarded as a broad guide:
• define the aim and objective of the test(s),
• agree file/data retention protocols with the client company,
• analyse the client company’s target system/sub-systems program operations,
• identify relevant file(s) and data records required,
• confirm the structure and location of relevant file(s) and data records,
• determine the criteria for selecting files and data records required,
• determine a sampling routine (if required),
• determine the level of file/data record interrogation required,
• identify the position within the processing cycle at which file/data record interrogation will
be performed,
• specify the format of the data file and method of storage,
• ensure/confirm the correct versions of live files are interrogated and, where appropriate,
arrange for copies of these to be taken for use in the interrogation,
• present interrogation findings/evidence and determine an opinion.
The following are seven rules of best practice when using CAATs.
Rule 1
Ensure background research is adequate and up-to-date and any deficiencies in knowledge
and/or understanding are addressed, and information on the client company’s target system/
sub-system, its relevant programs, files and data records, and the company’s coding system/
structure is appropriate and relevant.
Rule 2
Ensure all audit work is recorded and appropriately documented, including:
• audit objectives,
• the system (and programs) under audit,
• specifications of the files and/or data records being tested,
• information on relevant data records/types and recognition characteristics,
• the audit software (CAAT) being used, and
• the names of contacts and their designations within the company.
Rule 3
Ensure all data retrieval programs, embedded facilities, test data, integrated test facilities and/or
simulations are reviewed, assessed (independently if possible) and up-to-date – reflecting any
changes that may have occurred in the client company’s operation procedures, processes,
protocols and programs.
Rule 4
During the testing procedures ensure appropriate control records are created and reconciled to
the client company’s accounting information systems records. It is also important to validate and
confirm that all specified data records have been identified, processed and appropriately tested.
Rule 5
Accounting information systems are highly structured dynamic constructs whose evolution/
change for the better is inevitable – nothing stays the same. Changes imposed by external
environmental factors and/or internal management decisions (usually prompted by external
environment factors) often have significant impact not only on the structure and content of
transaction file and/or data records but, more importantly, on the content and organisation
of permanent files and associated data records.
A client company’s target system/sub-system and associated programs rarely remain unchanged
for very long. If a CAAT associated test is repeated, either as part of:
• an ongoing audit test, or
• a specific assessment test,
Where such confirmation is not forthcoming or unavailable, or where identified (and confirmed)
changes have occurred that have affected:
• the system’s/sub-systems’ programs, procedures, processes and/or protocols,
• the structure and content of transaction/permanent files, and/or
• the content and structure of data records,
of any data retrieval programs, embedded facilities, test data, integrated test facilities and/or
simulations that may be used.
Rule 6
Always ensure written authorisation is obtained from appropriate client company personnel before
using any CAAT that requires interfacing with the company’s operational computer system and/or live
accounting information systems. Where connection to an online system is necessary, ensure files
and/or data records are accessed in read-only mode to prevent possible data corruption.
Rule 7
Ensure that the use of any CAAT is:
• time efficient, and
• cost effective.
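Rules 4 and 6 above, combined in an added example that is not from the book: the client's sales file is opened in read-only mode, control totals are computed and reconciled to the client's own control record, and a write attempt is shown to be refused. SQLite stands in for the client system; the table layout, amounts and control record are constructed assumptions.

```python
import os
import sqlite3
import tempfile

# Constructed control record supplied by the client for the period under test.
CLIENT_CONTROL_RECORD = {"records": 3, "amount_pence": 284345, "hash_total": 3006}


def build_constructed_ledger(path: str) -> None:
    """Create a small stand-in for the client's sales file (constructed data)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sales (invoice_no INTEGER PRIMARY KEY, amount_pence INTEGER)")
    con.executemany("INSERT INTO sales VALUES (?, ?)",
                    [(1001, 32896), (1002, 133950), (1003, 117499)])
    con.commit()
    con.close()


def open_read_only(path: str) -> sqlite3.Connection:
    """Open the file so that the audit session cannot change it (Rule 6)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def control_totals(con: sqlite3.Connection) -> dict:
    """Record count, value total and hash total for the file under test (Rule 4).

    The hash total (sum of invoice numbers) has no meaning in itself; it exists
    only to reveal missing or substituted records.
    """
    count, amount, hash_total = con.execute(
        "SELECT COUNT(*), COALESCE(SUM(amount_pence), 0), COALESCE(SUM(invoice_no), 0) "
        "FROM sales"
    ).fetchone()
    return {"records": count, "amount_pence": amount, "hash_total": hash_total}


def reconcile(auditor: dict, client: dict) -> dict:
    """Return {field: (client value, auditor value)} for every total that disagrees."""
    return {k: (client.get(k), v) for k, v in auditor.items() if client.get(k) != v}


def write_is_blocked(con: sqlite3.Connection) -> bool:
    """Confirm the session really is read-only by attempting an update."""
    try:
        con.execute("UPDATE sales SET amount_pence = 0")
    except sqlite3.OperationalError:
        return True
    con.rollback()  # only reached if the connection was writable after all
    return False


def run_demo() -> tuple:
    """Build the constructed file, interrogate it read-only and reconcile the totals."""
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "ledger.db")
        build_constructed_ledger(path)
        con = open_read_only(path)
        try:
            totals = control_totals(con)
            return totals, reconcile(totals, CLIENT_CONTROL_RECORD), write_is_blocked(con)
        finally:
            con.close()


if __name__ == "__main__":
    print(run_demo())
```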
We will now look at the context (or environmental) audit and, in particular, review the general
environmental controls that should exist within a company’s accounting information systems
environment to ensure its secure and efficient operations.
Organisational controls
As we discussed in Chapter 14, the cornerstone of a company’s internal control procedures is the
existence of an adequate and well-defined hierarchical separation of duties. Within a company’s
computer environment, at a minimum, there should be a distinct separation/division between:
• operational processes and procedures, and
• systems/network management, analysis and design.
• managing events – that is procedures involved in the supervision and administration of data
processing activities, and
• safeguarding events – that is procedures involved with the protection and security of
physical assets and non-physical resources (e.g. data files, data records and structured output
information).
In essence, separation of duties should exist between:
• data capture procedures,
• data entry procedures,
• data processing procedures, and
• processing authorisation protocols.
More importantly, sufficient internal controls should exist to ensure that:
• computer operations staff are not involved in, or responsible for:
  ◦ data capture procedures, and/or
  ◦ systems analysis and programming procedures,
• systems analysis and programming staff are not involved in or responsible for:
  ◦ data capture procedures, and/or
  ◦ computer operational procedures (data entry and data processing).
Indeed, from a functional/operational aspect such internal controls should ensure that:
• within a computer operations department adequate separation of duties exists between:
  ◦ data administration processes,
  ◦ computer operations procedures,
  ◦ data control activities,
  ◦ file library maintenance procedures, and
  ◦ network control processes and protocols,
• within the systems analysis department adequate separation of duties exists between:
  ◦ systems analysis procedures,
  ◦ systems design processes,
  ◦ systems maintenance and management activities, and
  ◦ programming procedures.
Access controls
In Chapter 14, we explored three distinct hierarchical layers of control:
• physical security control layer,
• technical security control layer, and
• human security control layer.
It is these three layers of control that collectively comprise what are commonly referred to as
access controls – inasmuch as:
• physical security controls are designed to prevent/restrict resource access and asset movement,
• technical security controls are designed to restrict/control user privileges, and
• human security controls are designed to enforce an approved control culture.
Such internal controls should ensure the active use of appropriate authorisation procedures to:
• control access to computer hardware/resources to authorised and approved personnel only,
• restrict access to software/programs to appropriately authorised personnel/users and control
authorised personnel/user rights and privileges, and
• manage/control access to data files and data records.
Sundry controls
Sundry internal controls relate to:
• the safeguarding of assets and resources, and
• the secure protection of data and information.
They should ensure that appropriate systems and procedures exist for:
• the secure protection of data files, transaction data and programs (including protection from
theft, breaches of security, acts of violence and/or the impact of natural disasters),
• the regular backup (secure copying) of data files, transaction data and programs, and
• the secure off-site storage of backup data files, transaction data and programs.
A key aspect of such sundry controls would of course be a disaster contingency recovery protocol
to be used in the unlikely event of a significant and widespread disaster befalling the company
(see also Chapter 14).
There can be little doubt that for the auditing of computer-based accounting information systems,
20th and 21st century advances in technology – in particular information technology – have
metaphorically speaking been a double-edged sword. Whilst such advances have revolutionised
the modus operandi [34] of many aspects of corporate accounting information systems, most
noticeably by:
• fundamentally revolutionising data capture/data entry procedures,
• radically transforming data processing procedures,
• drastically expanding data/information storage capacities, and
• significantly enhancing information analysis and data/information transfer/communication,
they have also:
• transformed many of the traditional techniques used in auditing corporate accounting
information systems – for example, IT-related/computer-based:
  ◦ data collection (ICQs/ICEs),
  ◦ data analysis (flowcharting and narrative report writers), and
  ◦ narrative report writers, and
• introduced a vast portfolio of new computer assisted auditing techniques – for example,
IT-related/computer-based:
  ◦ generic software testing programs,
  ◦ computer-based statistical sampling techniques,
  ◦ IT-related analytical review procedures, and
  ◦ computer-based decision support systems.
Such advances have nonetheless created a number of significant issues for auditors in the
auditing of computer systems – in particular computer-based accounting information systems – of
which the most important relate to:
• databases,
• online networks, and
• real-time (online 3 stage) systems.
Databases
As an organised body of information or an information set with a regular structure or a
collection of related information organised to facilitate complex interpretation and analysis,
databases – in particular relational databases – are now a central feature of all computer-based
accounting information systems.
Problems associated with the use of databases relate to:
• the recognition of inappropriate use,
• the identification of unauthorised access,
• the detection and prevention of unapproved content changes, and
• the detection and correction of improper database processing.
Clearly a failure to detect/identify inappropriate use, unauthorised access, unapproved content
changes and improper processing would compromise:
• the security of the database,
• the integrity of the data contents,
• the validity of data records, and
• where personal data is recorded, processed and/or stored, the confidentiality of data elements.
This is especially relevant in cases where a company’s databases can be accessed remotely, either
via a private and/or public network (e.g. over the internet).
Remember, a company has a legal duty under the Data Protection Act 1998 to ensure that
any personal data is appropriately processed and securely maintained.
Appropriate internal controls should exist to ensure:
• the use of encryption facilities to protect highly sensitive database contents,
• the use of authorisation keys/passwords to restrict access to authorised personnel/users only,
• the use of appropriate separation of duties between database administration and database
security management, and
• the use of access/performance logs to monitor/record database access/changes, and, where
appropriate, prevent unauthorised access/changes to sensitive data elements.
(Online) networks
A network is essentially a data communications system – a system enabling an organisation
and/or company to share information and programs (see Wilkinson et al., 2001), whilst an
online [35] network is a computer system/network and/or facility/service that is accessed remotely
via a dial-up connection through a public and/or private network.
Such communication networks can vary in terms of:
• network architecture,
• network topology (see Chapter 5), and
• network interconnection.
Whilst historically such communication networks were – indeed some continue to be –
hard-wired networks (using copper and/or fibre optic cabling between network devices/facilities), the
move toward wireless networking (WLAN) and the reliance on radio waves and/or microwaves to:
• establish network connections,
• maintain communication channels, and
• transmit/transfer data and information,
has become the major feature of early 21st century information technology development.
Wireless networking offers:
• greater networking mobility, and
• increasingly flexible connectivity.
Clearly, for all communication networks (both hard-wired and indeed wireless networks), in
particular (for our purposes) network facilities which:
• capture (input) financial-related data and information,
• process/record/convert financial data and/or information, and/or
• transmit (output) financial-related data and information,
Using the speed of response, a system can be categorised as either a fast real-time system or
a slow real-time system. Although there is no clear boundary/distinction between either type,
generally:
• a system with a response time measured in seconds (or less) can be considered fast, and
• a system with a response time measured in minutes (or more) can be considered slow.
Clearly, this leaves an indeterminate area/period of response times in which a system could
theoretically be categorised as either fast or slow! Using criticality of response, a system can be
categorised as a hard real-time system and/or a soft real-time system.
A hard real-time system is a system where the response time is specified as an absolute
value with the response time normally dictated/imposed by the external environment. In such
systems, where a response is not generated, the system will be considered to be in error and will
invariably require the performance of some form of error recovery procedure, whilst operating
at either:
A soft real-time system is a system where the response time is normally specified as an average
value, with the response time normally dictated by the company and/or the business/industry
within which the company operates. For any single response an acceptable range/time period
for a response is defined. Where a response is not generated within such a defined range/period
the system may be considered in error.
In essence, real-time systems can be categorised into four system types as follows:
• ATM systems,
• EPOS systems,
• PIN and CHIP payment systems, and
• data streaming and/or online network communication systems.
Clearly, testing for the existence of appropriate segregation of duties, system administration and
management processes, and security and control protocols within a real-time system will not
only depend on:
but will also require the use of a range of content (application) audit techniques – probably
CAATs-based – and a range of context (environment) audit techniques.
Concluding comments
Whilst there can be little doubt that the nature of the company audit as an independent inspection
and examination of a company’s accounting information systems has remained more or less
unchanged certainly over the past 50 years, there can also be little doubt that:
• the ever-increasing and very often public demise of many highly respected, long-established
and once enormously profitable companies, and perhaps as a consequence,
• the increasingly risk averse attitude of many market participants,
A revolution that has catapulted auditors and auditing into a postmodern IT-dominated brave
new world!
References
Anderson, R.J. (1977) The External Audit, Croop Clark Pitman, Toronto.
Davies, T. and Boczko, T. (2005) Business Accounting and Finance, McGraw Hill, London.
Habermas, J. (1984) The Theory of Communicative Action, volume 1 and volume 2, (Trans.
McCarthy, T.), Beacon Press, Boston.
Habermas, J. (1987) ‘Excursus on Luhmann’s Appropriation of the Philosophy of the Subject
through Systems Theory,’ in The Philosophical Discourse of Modernity: Twelve Lectures, pp. 68–85,
MIT Press, Cambridge.
Morris, J. (1977) Domesday Book 20 Bedfordshire, Phillimore, Chichester.
Porter, B., Simon, J. and Hatherley, D. (2003) Principles of External Audit, Wiley, Chichester.
Wilkinson, J.W., Cerullo, M.L., Raval, V. and Wong-On-Wing, B. (2001) Accounting Information
Systems, Wiley, New York.
Self-review questions
1. Briefly explain the role of an auditor and distinguish between the role of an internal auditor
and the role of an external auditor.
2. Distinguish between a financial statement audit, a compliance audit and an operational
audit.
3. Define and explain the purpose of a content (application) audit.
4. Define and explain the possible use of a non-CAAT-based audit.
5. What factors should an auditor consider before using a CAAT?
6. Define and explain a context (environmental) audit.
7. Identify and describe five alternative auditing techniques.
8. Define and distinguish between each of the following terms:
• generic audit software,
• utility software, and
• expert audit software.
9. Distinguish between a hard real-time system and a soft real-time system.
10. Briefly explain the main types of controls often used by companies to minimise the risks
and problems associated with the use of EDI.
Question 1
Describe and evaluate the primary role and function of an internal auditor, and explain how and why the role
of an internal auditor has changed over recent years.
Question 2
‘The external auditor is a bloodhound whose sole purpose is the detection of fraud.’ Discuss.
Question 3
Real-time transaction processing systems are now far from unusual.
Required
(a) Explain what additional problems real-time transaction processing systems cause the auditor compared
with a batch environment.
(b) Explain what steps the auditor needs to take to solve the problems identified above.
(c) Explain with reasons which CAATs could be used in this real-time environment.
Question 4
(This question also requires knowledge and understanding of issues addressed in Chapters 4 and 14.)
The use of EDI is now common in a wide range of industries.
Required
Explain:
• the main uses of EDI,
• the risks and problems associated with its use, and
• the main controls an auditor would expect in a large service company using EDI as part of its operational
activities.
Question 5
The business environment of the early 21st century continues to change with increasing vigour. The growth of
e-commerce and e-retailing, and the use of the internet for the movement of goods, services and
information has clearly promoted a greater interconnectivity. An interconnectivity that has not only opened up and
created enormous business opportunities, but has also increased the exposure of UK businesses, in particular
UK companies, to previously unknown levels of risks and security threats, the costs and consequences of
which have been and indeed continue to be significant. [36]
Required
Explain how such change has affected the role of external auditors in undertaking their duties as required by
the Companies Act 1985.
Assignments
Question 1
You have recently been appointed internal (systems) auditor for NiTolm Ltd, an established FMCG company
located in the north-east of England. The company has retail outlets in Hull, York, Scarborough, Newcastle and
Durham. NiTolm Ltd has been operating successfully for many years and operates a networked computer-
based accounting information system with a growing percentage of its transactions occurring through its
web-based e-commerce facility.
Required
Describe the alternative types of audit a company such as NiTolm Ltd could be subject to and distinguish
between the following alternatives:
• non-CAAT-based auditing, and
• CAAT-based auditing.
Question 2
(This question also requires knowledge and understanding of issues addressed in Chapters 9 and 15.)
You have recently been appointed as auditor for Bepelear Ltd, a small electrical accessories company. The
company operates both an internet-based sales system and a retail outlet-based sales system.
For the previous five financial years the company has made average annual purchases of £18m (all purchases
from UK suppliers), and average annual profits of approximately £9m. The company has approximately
50 employees working at six locations throughout the UK: Manchester, which is the company’s head office,
Birmingham, Leeds, Swindon, Bristol and Newcastle.
For the year ended 31 March 2006, approximately 75% of the company’s sales were made through its internet-
based sales system.
Required
Making whatever assumptions you consider necessary:
(a) Describe the control objectives of a company sales system and the general controls and application
controls you would expect to find in an internet-based sales system.
(b) Describe the compliance tests you would undertake during the audit of Bepelear’s internet-based sales
system.
Note: You are not required to provide comment and/or discussion on Bepelear’s retail outlet-based sales
system.
Chapter endnotes
1
The term ‘life-world’ is used in the Habermasian context – meaning the shared common
understandings – including values – that develop through contact over time within social
groupings (see Habermas, 1984, 1987).
2
The balance sheet and profit and loss account as defined in Schedule 4 Companies Act 1985,
and cash flow statement as defined in FRS 1.
3
The history of auditing – the heritage of auditing – is indisputably international. The need
and desire for accountability for financial and business transactions undoubtedly has its roots in
antiquity, and can perhaps be traced back to the ancient civilisations of Babylonia, Mesopotamia,
Egypt and Central America, and indeed India.
In a UK context the contemporary role/function/context of audit whilst perhaps traceable
back to the Domesday Book 1085 (see Morris, 1977) was more an emergent creation of
changing socio-economic circumstances of the latter part of the 18th century and the early part of the
19th century (see Porter et al., 2003).
4
UK GAAP (United Kingdom Generally Accepted Accounting Principles) is the overall body
of regulation establishing how company accounts must be prepared in the UK. This includes
not only extant accounting standards, but also applicable UK company law.
5
Undertaken in accordance with extant UK Auditing Standards.
6
In the UK, for auditing purposes, the term ‘qualified accountant’ means an individual or
firm that has a current audit-practising certificate and is a member of one of the five Recognised
Supervisory Bodies (RSB) (as defined and recognised by the Secretary of State), these being:
• the Institute of Chartered Accountants in England and Wales,
• the Institute of Chartered Accountants of Scotland,
• the Institute of Chartered Accountants in Ireland,
• the Association of Chartered Certified Accountants, and
• the Association of Authorised Public Accountants.
Details of the requirements for recognition as an RSB are detailed in the Companies Act 1989,
Schedule 11, Part 11.
7
Not all companies are required to have an annual audit. If a company qualifies for exemption
and chooses to take advantage of such an exemption (e.g. dormant companies and certain small
companies) then they do not have to have their accounts audited.
To qualify for total audit exemption, a company (other than a dormant company) must:
To qualify for dormant company audit exemption, a limited company (together with a series of
other criteria) must not have traded during the financial year.
8
The term ‘prepared properly’ means in accordance with the Companies Act 1985.
9
Available @ www.iia.org.uk/about/internalaudit.
10
By ensuring:
• all assets of the company (or organisation) are being securely safeguarded,
• all corporate operations are conducted effectively, efficiently and economically in accordance
with internal protocols, policies and procedure,
• all laws and regulations are complied with, and
• all records and reports are reliable and accurate.
11
In May 2000 the original Cadbury Code (1992) and subsequent reports (including the 1998
Hampel Committee update of the Cadbury Code and the 1999 Turnbull Committee report
Internal Control: Guidance for Directors on the Combined Code (published by the Institute of
Chartered Accountants in England and Wales)) were all consolidated by the Committee on
Corporate Governance. (See Davies and Boczko, 2005.)
12
Following the EU Eighth Directive, the Companies Act 1989 introduced a framework for
regulating the appointment of external auditors, to ensure that only appropriately qualified and
properly supervised people are appointed as company auditors.
13
Companies Act 1985, s385. Also note that where no external auditor is appointed, the Secretary
of State may appoint an auditor (Companies Act 1985, s385, s387, s388).
14
‘The financial statements must present a true and fair view of the company’s state of affairs
as at the end of the financial year and its profit or loss for the financial year, and must also
comply with the form and content requirements of Schedule 4 of the Companies Act 1985
(CA 1985, s226)’ (Porter et al., 2003: 100).
15
This list is by no means exhaustive and many other alternative industry, sector and/or company
specific types of audit/definitions of audits may exist.
16
See www.apb.org.uk/apb.
17
See www.ifac.org.
18
A list of IFAC member bodies is available @ www.ifac.org/About/MemberBodies.tmpl.
19
See also the discussion on the precautionary principle in Chapter 14.
20
See also the discussion on contemporary transaction processing in Chapters 8, 9, 10, and 11.
21
EMAS (Eco-Management and Audit Scheme) is a voluntary initiative designed to improve
corporate environmental performance and was established by EU Regulation 1836/93 (subsequently
replaced by EU Council Regulation 761/01).
The aim of the scheme is to recognise and reward those companies (and organisations) that go
beyond minimum legal compliance and continuously improve their environmental performance.
In addition, it is a requirement of the scheme that participating companies (and organisations)
regularly produce a public (and externally verified/audited) environmental statement that reports
on their environmental performance. For further information see
www.emas.org.uk/aboutemas/mainframe.htm.
22
See www.emas.org.uk/why%20register/mainframe.htm.
23
ISO 14001 was first published in 1996 and specifies the actual requirements for an environmental
management system. It applies to those environmental aspects over which the organisation
has control and can be expected to have an influence.
The standard is applicable to any company (and organisation) that wishes to:
• implement, maintain and improve an environmental management system,
• demonstrate conformance with extant internal environmental policies, procedures and
protocols,
• ensure compliance with environmental laws and regulations, and
• seek certification of its environmental management system by an external third party.
See www.iso14000-iso14001-environmental-management.com/iso14001.htm.
24
Remember that an accounting information system is:
• a cohesive organisational structure – a set of directly and indirectly interrelated processes
and procedures, objects and elements, events and activities,
• an interconnected set/collection of information resources that share a common purpose and
functionality,
• an interconnected set of systems and/or sub-systems whose purpose is the acquisition,
capture, storage, manipulation, movement, interchange, transmission, management, control
and analysis of data (and information) through which the (financial) consequences and the
(financial) causes and effects – of not only social, but political and economic inputs/outputs
– can be identified, processed, managed and controlled.
25
That is someone who emphasises observable facts and excludes any notion of the
metaphysical.
26
Whilst not specifically required to search for fraud, external auditors undertaking a financial
statement audit must have a duty of care to plan and perform their audits to obtain reasonable
assurance that such financial statements are free from material misstatement, and to report to
the company any evidence that they suspect may result in fraud (SAS 82 Consideration of fraud
in a financial statement audit (1997)).
27
SAS 400 Audit evidence.
28
An audit programme is a procedural framework, a list and/or plan of audit procedures
required to be followed during an audit. It is a series of structured steps necessary to achieve the
audit objective. It is, in effect, the functional context of the audit itself.
29
SAS 430 Audit Sampling.
30
The most common approaches being:
• sampling for attributes (measuring the frequency with which a particular characteristic is or
is not present), and
• sampling for variables (measuring/estimating the total value/number within a population/
universe).
31
These CAATs can also be used to select, analyse/examine and summarise data held/stored
in non-accounting files/records – for example processing logs and/or access/security logs, which
may be created when computer-based files and records are accessed and accounting data is
processed.
32
Whilst the auditors should not – in any way – be considered part of any system/sub-system,
any process and/or any procedure, since that would seriously jeopardise the auditors’ independence,
they should nonetheless be consulted (as should end-users) when significant new
developments/alterations are being considered.
33
Simple integral internal controls should always be preferred – essentially because they
minimise bureaucracy and are therefore time efficient and cost effective. Such integrated internal
controls should be part of a general strategy to detect and prevent fraud.
34
Meaning mode and/or method of operation.
35
Historically the term online referred to a system that allowed the computer systems/IT facilities
to work interactively with its users. Clearly, not anymore!
36
Information Security Breaches Survey (2006), PricewaterhouseCoopers/DTI – see Chapters 13
and 14.
Introduction
For a company/organisation trading in today’s business environment – an environment
increasingly dominated by the politics of global competition and the volatile economics
of the marketplace – an environment in which companies/organisations are increasingly
preoccupied not only with the inevitability of change, but also the consequences such
change may produce, the importance of knowledge and information – the importance
of an adequate information system, in particular, an up-to-date and relevant accounting
information system – cannot be underestimated.
Indeed, in today’s evermore uncertain business environment – an environment in which
companies/organisations are constantly engaged in a never-ending battle for new markets,
new customers and new products, and a search for greater revenue – for increased
profitability and greater shareholder wealth – the:
has become a prerequisite not only for competitive stability and long-term commercial
success but, more importantly – for corporate survival.
This chapter examines the importance of accounting information systems development,
in particular:
• the processes and problems associated with the following key stages of the corporate
accounting information system development life cycle:
  ◦ systems planning,
  ◦ systems analysis,
  ◦ systems design,
  ◦ systems selection,
  ◦ systems implementation, and
  ◦ systems review.
Learning outcomes
As we have seen in previous chapters, whether they operate as simple paper-based manual systems
or as highly complex, highly integrated internet enabled computer-based systems, accounting
information systems are essentially socio-political constructs. They exist as imposed unifying
structures, employing both tangible and intangible resources to:
• collect, store, process, and transform selected transaction data into accounting information
(see Wilkinson et al., 2001), and
• provide constructed representations for decision-making purposes to both internal and
external stakeholders (see Vaassen, 2002).
And yet, as semi-open, output orientated2 systems, accounting information systems are neither
permanent nor stable. They are, like many (if not all) artificially constructed organisational
systems (including business and accounting information systems) – subject to almost constant
change. This process of change is conditioned by the ever-chaotic interaction of an increasingly
complex array of environmental factors.3
And yet, as suggested by Strebal (1996):
(whilst). . . change may be a constant, . . . it is not always the same (1996: 5).
Why? All organisational systems – both accounting and non-accounting – operate within a
multi-dimensional environment – an environment comprising many different interrelated layers.4
It is the interaction of the various macro and micro factors and characteristics that comprise each
layer which creates what is often referred to as ‘environmental turbulence’. And, it is this
environmental turbulence that is the source/cause or the trigger for change within a system – whether
that system is a company or organisation, or a sub-system within the company/organisation, for
example an accounting information system. More importantly, it is the unique combining of
these macro and micro factors and characteristics within the layers that comprise an environment
which determines the nature and scope of any reaction to such environmental turbulence.
Broadly speaking, in a systems context, we can classify external environments into three
categories5 – based on the level/scale of environmental turbulence within the environment:
• a stable environment (also known as a closed change environment)6 – that is a steady state
environment in which there is little or no change, or an environment in which change is
cyclical, repetitive and expected,
• a predictable environment (also known as a contained change environment)7 – that is
a dynamic environment in which change is intermittent, and whilst neither cyclical nor
repetitive is nonetheless predictable and manageable, and
• an unpredictable environment (also known as an open ended change environment)8 –
that is a volatile environment in which change is turbulent, fast-moving, frequent and
unpredictable.
In addition, Grundy (1993) suggested that within an organisational context (and remember
accounting information systems are constructed organisational systems), there exist three varieties
of change, these being:
• smooth incremental change – that is change which is slow, systemic, predictable and planned,
• rough incremental change – that is change which occurs periodically, or as described by
Senior (1997): ‘periods of tranquillity punctuated by acceleration in the pace of change,’ that are
concerned more with realignment and readjustment rather than substantial change, and
• discontinuous change – that is change which occurs rapidly, sometimes unpredictably, and
causes substantial change as a result of, for example, a new discovery and/or new development.
Within a stable environment change would generally be smoothly incremental with occasional
periods of rough incremental change and with very few periods of discontinuous change. Within
a predictable environment change would generally be smoothly incremental with increasing
periods of rough incremental change and fragmented periods of discontinuous change. Within an
unpredictable environment change would generally be roughly incremental (with limited periods
or no periods of smooth incremental change) and extensive periods of discontinuous change.
See Figure 16.1.
There can be little doubt that the latter part of the 20th century and the (very) early part of
the 21st century have – certainly in a business context – witnessed two key developments:
• a growing integration of social, political and economic systems – that is a movement towards
a single global society . . . or single global marketplace, and
• an increasing use of and dependency on information and communications technologies –
that is a movement towards a technology-based information society.
It is these two developments that have, above all else, acted, and indeed continue to act, as
the main catalysts for the ongoing commercial development of the internet (and the web), the
increasing use of which has, in a reciprocal context, further accelerated:
Perhaps therein lies the problem. Closer integration produces greater volatility. Greater volatility
produces greater uncertainty. And, greater uncertainty produces a demand for even-greater
integration, . . . which produces greater volatility and even greater uncertainty, . . . which
produces an even-greater demand for even-greater integration, etc.
In essence, as systems become more unpredictable, they become increasingly uncertain – an
unpredictability that is constantly fuelled by, for example:
• the changing needs and demands of users/stakeholders,
• the changing structure and content of finance-related regulations,
• the continuing impact of information and communication technology, and
• the increasing consequences of an evermore globally competitive business environment.
Indeed, as suggested by Stacey (1996):
• a stable environment (or closed change environment) has a tendency to be close to certainty,
with change often being linear and planned, whereas
• an unpredictable environment (or open ended change environment) has a tendency to be far
from certainty with change often being discontinuous and unplanned.
Types of change
In an accounting information systems context, change can be defined as any amendment,
alteration and/or modification to the structure and/or operation of a system or a component
sub-system, and includes amendments, alterations and/or modifications to:
• data input procedures,
• data capture and filtering processes,
• data management protocols,
• internal documentation and control procedures,
• data processing procedures,
• information output procedures, and
• feedback/feedforward control procedures.
Change can be classified by:
• type (or nature), and/or
• level (or scale).
In terms of type (or nature), change can be divided into two sub-categories, as follows:
• hard change – that is change emerging from the introduction/integration of new information
and communications technologies, and/or
• soft change – that is change resulting from organisations restructuring and/or procedural
adaptations.
In terms of level (or scale) change can be divided into two sub-categories, as follows:
• minor change – that is change which has only a limited impact on a small number of
components, procedures, processes and/or sub-systems within a system, and is commonly
referred to as ‘fine tuning’ and/or ‘incremental adjusting’, and
• major change – that is change which has a substantial impact on a significant part of a system
and/or number of systems and is also referred to as ‘systems adaptation,’ and/or ‘process
transformation’.
Have a look at the four quadrant matrix in Figure 16.2.
Using the four quadrant matrix (see Figure 16.2), we can classify change (within an accounting
information systems context) into four different categories:
• soft-minor change,
• hard-minor change,
• soft-major change, and
• hard-major change.
Soft-minor change
Soft-minor change can be defined as component, procedure and/or process change(s) resulting
from organisational restructuring/procedural adaptation, and would include for example:
• the consolidation of data input procedures,
• the introduction of new documentation, or
• the introduction of minor software amendments/updates.
Hard-minor change
Hard-minor change can be defined as substantial technological change(s) resulting from
organisational restructuring, and would include for example:
• the introduction/addition of new network facilities, or
• the extending of existing capabilities.
Soft-major change
Soft-major change can be defined as a substantial modification/reorganisation of systems
procedures, process and practices, and would include for example:
• the introduction of new, wide-ranging internal control procedures, or
• a change in company-wide data processing procedures – from batch to online/real-time
processing.
Hard-major change
Hard-major change can be defined as the widespread introduction of new information and
communications technologies, and would include for example:
• the development of web-based transaction processing facilities,
• the introduction of chip and PIN payment systems, or
• the introduction of new RFID9 technologies.
Change management
It is perhaps unsurprising therefore that, given the nature, scope and possible impact/consequences
of any information systems development (including accounting information systems development),
a range of company/organisational staff will often be involved, including staff from, for
example:
• the company’s/organisation’s information systems function,
• the company’s/organisation’s management and/or administration function,
• the company’s/organisation’s human resource management function,
Applications management
Applications management is concerned with the provision and management of information
systems applications, including the provision of appropriately licensed software and up-to-date
intrusion detection/security software.
Management/administration function
The management/administration function is relevant where a systems development has a wider
business context and/or a significant strategic implication on the company/organisation.
The management/administrative function can be divided into four key functions:
• administrative management,
• operations management,
• information management/data administration, and
• internal (systems) audit.
See Figure 16.4.
Administrative management
Administrative management is concerned with providing overall strategic encouragement and
support to:
• ensure alignment with existing strategies,
• establish systems goal/objectives,
• review performance,
• establish policies.
Operations management
Operations management is concerned with the processes and procedures that create goods
and/or provide services, including the implementation of organisational policies and protocols
to ensure the satisfaction of company objectives.
and requires the determination of end user requirements – that is an understanding of what
end users want from the system/technology. We will look at this prototyping approach later
in this chapter.
There can be little doubt that in a modern, commercially active company/organisation, a well-
designed, user orientated information system(s) can contribute to/assist in:
• increasing operational revenues,
• reducing operational costs,
• eliminating non-value added activities,
• improving the coordination of organisational activities,
• improving customer-related services, and
• improving management decision making.
It is therefore perhaps unsurprising that information processing systems – in particular accounting
information systems, are regarded as one of the most valuable assets a company/organisation
can possess.
In essence, the systems development life cycle is a practical framework – a sequential multi-stage
framework which provides a broad context for the pre-development stages, development stages
and post-development stages of an information system – or for our purposes, an accounting
information system.
The systems development life cycle involves six critical stages,10 these being:
• systems planning and the identification of systems and/or sub-systems within an (accounting)
information system that requires further development, amendment, improvement, renewal
or replacement,
• systems analysis and the assessment of existing system or sub-system problems,
• systems design and the development/formation of a blueprint/conceptual design or range of
alternative blueprints/conceptual designs for a completed system or sub-system,
• systems selection and the determination of how the system will be acquired/developed,
• systems implementation/conversion and the implementation of the selected design and/or
conversion of an existing system,
• systems review and the operational maintenance, monitoring and evaluation of the selected
system/sub-system performance.
See Figure 16.5.
The first four stages (systems planning, systems analysis, systems design and systems selection)
are often referred to as the front end development stages since they are mainly concerned with
‘what’ the system(s) will do, whereas the last two stages (systems implementation and systems
review) are often referred to as the back end development stages since they are mainly concerned
with ‘how’ the system(s) will accomplish its objectives.
Before we look at the systems development life cycle it would perhaps be useful to define
what the term ‘systems development’ means.
For our purposes we will define the term systems development as the development of an
information system or systems (including an accounting information system) by a process
of investigation, analysis, design, implementation and maintenance, the primary objectives of
such a systems development being to ensure that:
• all company/organisation systems/sub-systems function effectively,
• all company/organisation systems/sub-systems resources are used efficiently,
• all company/organisation systems/sub-systems objectives are consistent and comparable,
• all company/organisation systems/sub-systems are adaptable, and
• all possible systems/sub-systems duplication is minimised.
A systems development project can involve for example:
• the construction of a new system or sub-system,
• an amendment to an existing system, or sub-system (e.g. a reduction in, addition to, and/or
the redesign of a system’s internal procedures/processes),
Secondly, (as suggested earlier) the wide ranging impact of many systems developments often
necessitates the creation of a systems development team containing a wide selection of skills
and capabilities from both inside and, where appropriate, outside the company/organisation.
Although the responsibilities of such a systems development team would of course vary from
company to company or organisation to organisation, they would include, for example:
Invariably, given:
• the eclectic nature of the individuals that comprise the systems development team, and
• the wide-ranging portfolio of responsibilities of such a systems development team,
it is not surprising that in some instances the systems development process can become fragmented,
disjointed and highly politicised, especially where development team members feel personally
and professionally threatened by proposed development(s).
Thirdly, because of the increasing complexity of the marketplace and indeed the increasing
variety of pressures faced by many companies/organisations, it is probable that a company/
organisation may have a number of systems development projects in progress simultaneously –
all at different stages of the development life cycle.
Fourthly, the complex and interrelated nature of business information systems – in particular
accounting information systems – often means that changes to one system or sub-system
may necessitate changes/amendments to another related system or sub-system: the so-called
indirect development consequence. Clearly, it is important for a systems development team not
only to possess a clear understanding of both how systems and sub-systems are interrelated/
interconnected but how changes in a system/sub-system may affect other interrelated/
interconnected systems/sub-systems.
Remember, while looking at each of the systems development life cycle stages in more detail
we are primarily concerned with systems developments concerning accounting information
systems.
Systems planning
The purpose of the strategic planning stage is to provide a framework or context for any
planned systems developments – a reference framework which for our purposes we will
consider as comprising three interrelated strategies, these being:
Note: Although strictly speaking the strategic planning stage is not really part of the systems
development life cycle – because the systems development life cycle is concerned primarily
with the development of specific systems and applications, whereas the strategic planning stage
is concerned primarily with the corporate/organisational context of such developments – it
nonetheless provides an important ‘starting point’ for all systems developments, whether such
developments are:
• formal developments – that is developments which are timetabled and resourced as part of
a company’s/organisation’s cyclical strategic review programme, and/or
• informal developments – that is developments which emerge as a result of:
  ◦ an ad hoc request from a departmental manager, and/or
  ◦ the identification of error/problems by a system(s)/sub-system(s) user.
The purpose of the systems development planning sub-stage is to ensure that any planned
systems developments are appropriately identified, suitably defined, accurately evaluated, correctly
prioritised and consistent with the company’s/organisation’s strategic mission. This stage is often
referred to as the systems development planning stage, which for our purposes we will consider as
comprising four interrelated phases:
• an evaluation phase in which the rationale for and feasibility of a systems development project
is assessed,
• a development phase in which a systems development project proposal is prepared,
• a prioritisation phase in which systems development projects are prioritised, and
• a design phase in which a preliminary systems design for selected/accepted systems
development projects is produced.
So how is a corporate strategy developed? Although there are many variations, there are essentially
two alternative approaches:
• a reactive opportunistic approach (sometimes referred to as freewheeling opportunism), or
• a proactive structured approach.
Whereas the reactive opportunistic approach is often regarded as the ‘high-risk’ strategy
and, therefore, uncertain, hazardous and potentially very risky, the proactive structured approach
is often described as the ‘low-risk’ strategy. The latter is a formal and highly structured
approach which would normally consist of the following stages:
• a strategic analysis stage – concerned with the environment of company/organisation resources
and of stakeholder expectations,
• a strategic choice stage – concerned with the generation, evaluation and selection of alternative
strategies, and
• a strategic implementation stage – concerned with a consideration of both resource and
information requirements, and the practical implementation of the selected strategy and/or
strategies.
Whilst most companies/organisations would prefer to pursue the proactive, structured approach
and be seen as ‘in control’, strategically speaking, invariably in some instances the reactive
opportunistic approach will have to be used, especially where excessive environmental
turbulence exists.
Secondly, for management control purposes to ensure that appropriate levels of information are
made available to the appropriate management/operational levels to ensure that the company/
organisation:
Thirdly, for wealth maximisation purposes to ensure that the company/organisation derives the
greatest net benefit from acquisition, possession and use of information.
In a broad sense, an information policy can be divided into five levels:
• an operational level – concerned with the identification of information provision issues and
information flow problems,
• a planning level – concerned with the designing of improved information provision/
information flow within a company/organisation to minimise the impact of information
provision issues and information flow problems,
• a development level – concerned with the development and implementation of improved
information provision/information flow within a company/organisation to minimise the
impact of information provision/information flow problems,
• a structural support level – concerned with the overall architecture/framework of information
flow within a company/organisation and the management of information provision/
information flow within the different levels of a company/organisation, and
• a strategic level – concerned with the identification of strategic information needs and
requirements of the company/organisation.
Note: It is at the planning level and the development level that the information policy of a
company/organisation has a direct influence on systems development and the systems
development life cycle.
Clearly, the nature, structure and complexity of an information policy would differ from
company to company or organisation to organisation. Issues/factors such as:
would all influence a company’s/organisation’s information policy (see for example Vaassen,
2002). More importantly, such issues/factors would have a significant impact on the practical
application of a company’s/organisation’s information policy, in particular the processes and
procedures it uses to identify and determine information needs and requirements.
Evaluation
The evaluation phase is concerned with appraising the feasibility of a proposed
system(s)/sub-system(s) development project and would consider three key issues:
• economic feasibility – for example: What are the estimated potential costs12 of the systems
development and what estimated tangible13/intangible14 benefits will accrue for the system
once it is implemented?
• technical viability – for example: What information and communication technologies will be
required to realise the systems development, and are such information and communication
technologies currently available?
• operational/implementation capability – for example: What resources will be required to
realise the systems development, and are such resources currently available – in particular
human resources?
In addition to the above, it may also be necessary to assess the legal/regulatory
aspects/consequences of a systems development – especially if additional costs may need to be
incurred to satisfy legal/regulatory requirements (e.g. the Data Protection Act 1998).
Clearly, any evaluation/feasibility study would invariably be quantitative in nature and
may involve the use of a wide selection of financial management/financial planning and
analysis techniques, in particular investment appraisal/capital budgeting techniques including
for example:
• discounted cash flow – that is net present value and/or internal rate of return,
• accounting rate of return – for example return on investment, and
• payback – including discounted payback.
So, which investment appraisal/capital budgeting technique is the most used? Whilst most
companies/organisations will use a discounted cash flow variant/measure and consider the
longer-term net present value of a systems development, invariably liquidity and the conversion
of any net benefits into actual cash flows will be a major concern. It is therefore uncommon
for a company/organisation to use a return on investment variant and/or payback variant as
primary evaluation measurements.
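The appraisal techniques listed above, applied to two constructed systems development proposals, show how a discounted cash flow measure and a liquidity measure can rank the same projects differently. This is an added example, not taken from the book; the cash flows, the 10% discount rate, the project names and the function names are all assumptions, and the accounting rate of return uses one common definition (average annual profit after straight-line depreciation over the initial outlay).

```python
# Added illustration: all cash flows, the discount rate and names are constructed.

def npv(rate, flows):
    """Net present value; flows[0] is the year-0 outlay (negative)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))


def irr(flows, lo=-0.99, hi=10.0, tol=1e-7):
    """Internal rate of return by bisection on npv(); None if no sign change."""
    f_lo = npv(lo, flows)
    if f_lo * npv(hi, flows) > 0:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2
        f_mid = npv(mid, flows)
        if f_lo * f_mid <= 0:
            hi = mid                 # root lies in [lo, mid]
        else:
            lo, f_lo = mid, f_mid    # root lies in [mid, hi]
    return (lo + hi) / 2


def accounting_rate_of_return(flows):
    """Average annual profit after straight-line depreciation / initial outlay."""
    outlay, inflows = -flows[0], flows[1:]
    return (sum(inflows) - outlay) / len(inflows) / outlay


def payback(flows, rate=0.0):
    """Years until cumulative cash flow (discounted if rate > 0) reaches zero.

    Assumes each year's cash arrives evenly through the year, so the final
    part-year is interpolated. Returns None if the outlay is never recovered.
    """
    cumulative = 0.0
    for year, cf in enumerate(flows):
        discounted = cf / (1 + rate) ** year
        if cumulative + discounted >= 0:
            if year == 0:
                return 0.0
            return (year - 1) + (-cumulative / discounted)
        cumulative += discounted
    return None


def appraise(flows, rate):
    """All measures for one project, keyed by measure name."""
    return {
        "npv": npv(rate, flows),
        "irr": irr(flows),
        "arr": accounting_rate_of_return(flows),
        "payback": payback(flows),
        "discounted_payback": payback(flows, rate),
    }


def rank(projects, rate, measure, lowest_first=False):
    """Project names ordered best-first on one measure (None ranks last)."""
    scores = {name: appraise(f, rate)[measure] for name, f in projects.items()}
    worst = float("inf") if lowest_first else float("-inf")
    return sorted(scores,
                  key=lambda n: worst if scores[n] is None else scores[n],
                  reverse=not lowest_first)


# Constructed proposals, each with a 100,000 outlay in year 0.
QUICK_WIN = [-100_000, 60_000, 50_000, 10_000, 5_000, 5_000]   # early cash
STRATEGIC = [-100_000, 10_000, 20_000, 40_000, 60_000, 80_000]  # late cash
PROJECTS = {"quick_win": QUICK_WIN, "strategic": STRATEGIC}
RATE = 0.10  # assumed cost of capital

if __name__ == "__main__":
    for name, flows in PROJECTS.items():
        result = appraise(flows, RATE)
        print(name, {k: round(v, 4) for k, v in result.items()})
    print("best by NPV:    ", rank(PROJECTS, RATE, "npv"))
    print("best by payback:", rank(PROJECTS, RATE, "payback", lowest_first=True))
```

The late-cash proposal has the higher net present value and internal rate of return, while the early-cash proposal recovers its outlay in under two years, which is the liquidity concern the paragraph above describes.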
Development
The development phase is concerned with the preparing of a systems development project
proposal.
Following the completion of the systems development project evaluation, such a project
proposal would provide a basis on which the systems development team can decide as to whether
to proceed with the systems development project or abandon it, and would in general seek to:
• establish a rationale for the systems development project and explain its relevance in terms
of current operations and the company/organisation,
• illustrate the potential contribution the systems development project (if accepted and
implemented) would make to the overall strategic objectives of the company/organisation, and
• summarise the net benefit/net cost of the systems development project.
Prioritisation
The prioritisation phase is concerned with the prioritising of system(s)/sub-system(s) development
projects, the key assessment criteria being an assessment of the potential strategic contribution
of the proposed system to the company/organisation in terms of:
• increased wealth creation,
• improved resource utilisation,
• improved information provision, and
• enhanced decision making.
Whilst there are a number of alternative approaches that may be used to prioritise systems
development projects – many of which would be company/organisation unique – it is likely that
the majority of such approaches would seek to quantify any strategic contribution, possibly
using a predetermined weighted scoring system in which a selected range of factors and issues
would be considered.
Systems analysis
The systems analysis stage seeks to formally assess the functional attributes of current/existing
system(s)/sub-system(s), the aim being:
• to identify any operational problems within the current/existing system(s)/sub-system(s),
and
• to determine the precise nature of such operational problems.
Such an analysis is required because to solve a problem, it is important first to understand what
the problem is and second to understand where the problem is!
The systems analysis stage involves the following phases:
• a survey of the current/existing system,
• an analysis of system requirements,
• an identification of user information needs and requirements, and
• the development and documentation of a systems requirement report.
See Figure 16.7.
However this survey approach is not without its advantages and disadvantages.
For example:
• What are the main sources of data – for example are the data internally or externally generated?
• What is the nature and structure of the data – for example are the data narrative-based,
numeric-based or a combination?
• What types of data are processed – for example is the data subject to disclosure requirements
and/or processing restrictions (see for example the Data Protection Act 1998)?
• Who processes the data – for example is the data processing in-house or is it outsourced to
an external service provider?
• What data input controls exist – for example what type of application controls are used to
ensure the security and integrity of the data?
• How are the data stored – for example are data stored via manual documentation or
computer-based documentation?
• Where are the data stored – for example are data stored on-site or off-site?
• How are the data processed – for example is data processing manual or computer-based, and
if computer-based, are data processed in batches or online?
• What are the data flow trends – for example are data processing transaction levels seasonally
significant and are any trends linked to any other identifiable activity?
• What data processing controls exist – for example what type of application controls are used
to ensure data are processed accurately and securely?
• What are the data processing transaction levels – for example is the current/existing
system(s)/sub-system(s) operating at capacity or is spare processing capacity available?
• How efficient are the data processing systems – for example what are the current error levels
within current data processing procedures and are such levels acceptable?
• How effective are the data processing systems – for example are there excessive delays in data
processing procedures and are such delays acceptable?
• What are the current resource costs – for example are costs excessive when compared to
other similar systems and if so are such costs justifiable?
• Do any redundant operations/processes exist – for example are all systems processes and
procedures in use?
• Does any redundant documentation exist – for example is all system/processing documentation
appropriate?
• What data output controls exist – for example what type of application controls are used to
ensure data are output correctly, timely, accurately and securely?
• Who are the system(s)/sub-system(s) users – for example are users internal and/or external?
Such facts can be gathered in many ways, perhaps the most common being:
• by questionnaires,
• by personal interview,
• by observation,
• by participation, and
• by documentation review.
Questionnaires
Questionnaires are a valuable method for the collection of data and information during the
systems analysis stage. They can be used to obtain specific, detailed information about:
• the sources and nature of data collected and processed,
• the type and nature of specific procedures/processes,
• the volume of transactions processed,
• the process control procedures, and
• the output destination of processed data.
It is however important that the questionnaire is constructed correctly, since:
• the inclusion of inappropriate questions,
• the improper ordering of questions (see the sandwich theory below),
• the inaccurate scaling of answers, and/or
• the incorrect formatting of a questionnaire,
could make the survey results valueless.
There are many types of questions that can be used, some of the most common being:
• closed-ended questions – that is questions where there are a limited and fixed set of answers,
• open-ended questions – that is questions where there are no predefined suggested answers,
• dichotomous questions – that is questions where there is a ‘yes’ or a ‘no’ answer,
• multiple choice – that is questions where there are several answers from which to choose,
• contingency questions – that is questions that are answered only if a particular answer was
given to a previous question, and
• scaled questions – that is questions where answers are graded on a weighted scale for statistical
analysis purposes.
There are no generic predetermined criteria for the use of the above types of questions or indeed
any other types of questions. In general, their use is activity specific – that is it will depend on:
• the nature of the survey,
• the target audience of the questionnaire, and
• the type of data to be collected.
In general, however, there are three commonsense rules to the construction and use of
questionnaires, these being:
• keep the questionnaire simple,
• keep the questionnaire short, and
• keep the questionnaire clear.
Personal interviews
Personal interviews are a useful method for obtaining data/facts concerning:
• the operations of the current/existing systems, and
• user perceptions of the current/existing system.
The selection of interview type depends again (as with questionnaires) on:
• the nature of the survey,
• the target group of the questionnaire, and
• the type of data to be collected.
Observation
Observation can be defined as the passive and informal monitoring of a physical event, activity
and/or procedure, and invariably involves appropriate forms of surveillance, inspection and/or
examination.
Such passive observation allows the development team to determine directly:
• what processes and procedures take place,
• how the processes and procedures are managed/monitored,
• who is involved in each of the processes and procedures, and
• how long each processing cycle/procedure takes.
An example of such passive observation would be where a member of the systems development
team reviewing a company’s/organisation’s sales procedures observes the activities of members
of the sales support team.
Where appropriate, such observations should not be limited to a single observation but should,
where possible, occur over a number of days/weeks. More importantly, such observations should
if at all possible be undertaken unannounced, and/or at the very least without excessive notice,
to ensure that representative activities and not a pre-manufactured version are observed.
The advantages of using observation are:
• it can produce an in-depth understanding of the system(s)/sub-system(s), and
• it can verify not only what system(s)/sub-system(s) functions occur, but more importantly
how such system(s)/sub-system(s) functions occur.
Participation
Participation can be defined as the active involvement in a physical event, activity and/or
procedure, and occurs where a development team is keen to obtain a working knowledge of a set
of processes and/or procedures within a system(s)/sub-system(s).
Such active participation allows the development team to directly determine:
• whether current documentation is efficiently designed,
• what processing/procedural problems exist,
• what types of data processing errors occur,
• why such data processing errors occur, and
• whether any redundant processes/procedures still exist.
An example of such active participation would be (using the example above) where a member
of the systems development team reviewing a company’s/organisation’s sales procedures
participates in the activities of members of the sales support team.
The advantage of using participation is that it can produce an in-depth understanding of the
system(s)/sub-system(s) and the problems associated with its procedures and activities.
The disadvantages of using participation are:
• it can be time consuming, and
• it can be very expensive.
Documentation review
Company/organisation documentation is of course an important source of information for
a systems development team, and reviewing such documentation can provide an insight into
not only what documents exist but, more importantly, where such documents are used and by
whom.
Such documentation can be categorised as either:
• company/organisation generic documentation, or
• application specific (or system(s)/sub-system(s) specific) documentation.
to determine:
• the appropriateness of such user information needs and requirements, and
• their continued relevance.
description should not seek to provide details of how the new system(s)/sub-system(s) should
function – that is the systems analysis report should not specify a detailed design(s) for the new
proposed system(s)/sub-system(s) by recommending for example specific processing
methodologies, particular data storage media/facilities and/or data file structures.
Why? Because it is important that the systems analysis report remains impartial, unbiased,
objective and, where at all possible, avoids influencing the design stage of the systems
development life cycle.
Although the structure of such a systems analysis report would vary from company to
company or organisation to organisation, in a broad sense it would contain some, if not all,
of the following detail:
• a rationale for the study – explaining the background to the systems analysis,
• the scope of the analysis – detailing the parameters of the systems analysis,
• a description of overall problem/issues identified – detailing the results of the survey,
• a summary of system requirements and a specification of user requirements – detailing what
the new system(s)/sub-system(s) should do,
• a summary of resource implications – net cost/net benefit (and proposed timescale) of the
development, and
• recommendations – for example whether the development should continue and if so what
priority should be assigned to it.
Systems design
Both could be undertaken by a sub-group of the systems development team. The conceptual
design phase is concerned with developing a design (or a range of alternative designs) for
the completed system(s)/sub-system(s) – that is a schematic outline or blueprint for how the
system(s)/sub-system(s) will work. The physical design phase is concerned with establishing
the physical design of the completed system(s)/sub-system(s) – that is what the
system(s)/sub-system(s) will look like. See Figure 16.8.
proposed system/process – that is the primary or context level – which is then separated/divided
into its constituent sub-systems/sub-processes – that is the transitional level – which are then
separated/divided into their constituent sub-systems/sub-processes – that is the foundation level
– until the basic data components of each of the sub-systems/sub-processes within the proposed
system/process are identified.
The advantages of the function orientated approach are:
Despite such disadvantages, the function orientated design approach is still widely used for
information systems design – especially for accounting information systems.
• it can lead to problem inheritance – problems may be replicated for one system/process to
another system/process, and
• it can limit innovation – using existing components/modules may limit design possibilities,
suppress creativity and restrain originality.
So, what design considerations would the conceptual design phase address?
It would consider for example:
Once a broad palette of design alternatives has been determined and agreed by the sub-group, it
would be necessary to prepare a conceptual design specification for the systems development
team, detailing the range of possible input, process, storage and output alternatives considered
suitable/appropriate for the new system(s)/sub-system(s), the purpose being to provide the
systems development team with a design template/design guide for the physical design phase of
the systems development.
is often considered to be the most important design consideration of any physical design. This
is especially important where it is likely that a number of alternative data input formats/media
may be used in the new system(s)/sub-system(s).
Why? Primarily, to minimise the possibility of data input errors, but also to ensure:
• the cost effectiveness of each data input format/medium,
• the accuracy and uniformity of all data input(s),
• the appropriateness and relevance of all data input(s),
• the integrity and security17 of all data input(s), and
• the compatibility of all data input(s).
Clearly issues of data source, data type and input volumes and frequencies will have a major
influence on determining the medium used to collect/input data – that is for example, whether
data is collected and/or input using:
• a hard document-based input (usually a physical paper document),
• a virtual document-based input (usually a computer-based input screen), or
• a combination of both.
For example a high-frequency, low-value data input such as customer-based ATM transactions18
would of course be suited to a virtual document-based input procedure. However, low-frequency,
high-value, high-risk data input would be more suited to a hard document-based input procedure.
the selection of the precise design nature of the system(s)/sub-system(s) processing procedure
would normally be determined by the 5Ws criteria. These are:
• For whom is the data to be processed – for example, who are the users/stakeholders and what
are their needs and requirements?
• What data is to be processed – for example is it predominantly quantitative or qualitative?
• When is the data to be processed – for example is it at a single scheduled time or at a number
of scheduled times?
• Where is the data to be processed – for example is it at a single location or a number of
geographically separate locations?
• Why is the data to be processed – for example is the data processing for data collection/storage
purposes or is it for data analysis purposes, for example for making decisions?
Answers to the above should not only provide an indication of:
• the overall complexity of the data processing procedures,
• the repetitiveness of the data processing procedures,
• the uniformity of the data processing procedures, and
• the frequency of the data processing procedures,
but also an indication of the possible limitations/restrictions that may exist – for example
limitations of current processing abilities, communication capabilities and/or even
technological resources.
waste of money! We will look at both these alternatives in more detail later in this chapter but
for now assume that the program (software system) is developed in-house. How would that
process be undertaken?
There are, as you would probably expect, a number of alternative program (software system)
development processes, some of the more common being:
• the waterfall approach,
• the prototyping approach,
• the synchronise/stabilise approach, and
• the spiral approach.
The waterfall approach is a sequential development approach which establishes goals and
assessment targets for each development phase. The advantage of the waterfall model is that it
simplifies the development process because there is no iteration, but the main disadvantage
is that it does not allow for revision to take place.
The prototyping approach is one in which a prototype (or early approximation of a final
program) is constructed, tested and reworked as necessary until an acceptable workable program
is achieved.
The synchronise and stabilise approach is one in which a program is divided into individual
application modules on which separate specialist teams work in parallel. The key to
this approach is to ensure that the separate programming teams frequently synchronise their
programming activities/coding activities to ensure that a stable final product/program will be
produced.
The spiral approach is an approach in which the program development combines the
features of the prototyping model and the waterfall model. The advantage of the spiral approach
is that there is/can be continuous revision/reviewing of development progress to date. The main
disadvantages are that such an approach can be costly, resource intensive and time consuming.
Nevertheless the spiral approach is an approach that is often used in large, complex, company/
organisation-wide program (software system) developments.
In addition to the above, there are also the following:
• the Rapid Application Development (RAD) approach in which program developments are
undertaken using workshops or focus groups to gather system requirements – the aim being
to speed up the program development process, and
• the Joint Application Development (JAD) approach in which users/stakeholders are directly
involved in the program (software) development usually through the use of collaborative
workshops/development sessions.
Assuming that the spiral approach is adopted for the program (software system) development,
what stages would be included in the development process? The main stages would be:
• functionality,
• accuracy,
• integrity,
• security,
• compatibility,
• usability,
• appropriateness, and
• relevance.
So, what types of internal control could be used? Such internal controls could comprise:
• documentation checks (preventative internal controls),
• authorisation checks (preventative internal controls),
• validity assessments (preventative/detective internal controls),
• accuracy assessments (detective internal controls),
• security checks (detective internal controls),
• integrity checks (detective/corrective internal controls), and
• audit checks (detective/corrective controls).
Systems selection
Once the blueprint/conceptual design specification of the system(s)/sub-system(s) has been
completed, approved and adopted, and the underlying physical/operational design has been agreed,
the systems selection stage – that is the process of selecting how the system(s)/sub-system(s) will
be put together – can start.
There are essentially three possible alternative selection approaches, these being:
• an acquisition approach in which hardware/software components are purchased from an
external supplier/developer – also known as an out-house acquisition,
• a development approach in which hardware/software components are developed internally
– also known as an in-house development, and/or
• a combined approach in which some hardware/software components are purchased from an
external supplier/developer and some are developed internally.
Within each approach there are of course a number of subsidiary issues that would need to be
considered, for example:
• If the system(s)/sub-system(s) is to be purchased as a complete system:
  ◦ how will the purchase be financed/arranged? and perhaps more importantly,
  ◦ how will the supplier/developer be chosen?
• If the system(s)/sub-system(s) is to be developed in-house:
  ◦ what resources and competencies will be required? and
  ◦ how will the development be managed?
• If the system(s)/sub-system(s) is to be partly developed in-house and partly purchased from
an external supplier/developer:
  ◦ what hardware/software components will be developed internally? and
  ◦ what hardware/software components will be acquired externally?
Although it is difficult to say with any degree of certainty which of the above approaches is the
most common, it is often the case that in large developments and/or projects involving company/
organisation-wide systems/sub-system(s), the combined approach is used.
So what are the main phases within the systems selection stage? The selection stage would
involve the following phases:
• the determination of alternative selection options,
• the determination of supplier/developer options,
• the acquisition/development system components – hardware,
• the acquisition/development system components – software,
• the review/evaluation of alternative tenders/proposals, and
• the selection of successful tenders/proposals.
See Figure 16.9.
of the components and (as we have already seen) the extant capabilities of the
company/organisation, in general there are perhaps three alternative acquisition options
available, these being:
• purchase,
• lease, or
• outsource.
In addition, within each of the above, the company/organisation could use either:
• a single supplier/developer, or
• multiple suppliers/developers.
Purchase
In a broad sense, a purchase can be defined as an agreed transfer of property and/or property
rights from one person to another in exchange for a valuable consideration, and is a method
of acquisition that has historically dominated the commercial activities of many companies/
organisations. Whilst in a contemporary context such a method continues to form the commercial
foundation of many revenue-based transactions, purchasing has – certainly since the late 1970s/
early 1980s – become less popular for specific categories of capital assets, especially those capital
assets which are subject to high levels of value depreciation due to rapid technological obsolescence.
The advantages of purchasing are:
• there is an immediate transfer of legal title and ownership,
• the purchaser can claim immediate tax (capital) allowances – sometimes up to 100% of the
cost, and
• in the longer term, there is overall a smaller cash outlay.
Clearly, purchasing high-value capital assets which may need/require regular servicing and
maintenance, constant upgrading and frequent replacing – in particular, capital assets (including
both hardware and in some instances related software) relating to the provision of information
and communication technology facilities/capabilities – could place an excessively heavy strain not
only on a company’s/organisation’s longer-term borrowing (if the acquisition is to be financed
by debt), but perhaps more importantly, a company’s/organisation’s working capital.
An alternative to the purchasing of such capital assets is, of course, to lease.
Lease
A lease can be defined as a legal contract between the owner of the asset(s) (the lessor) and another
party (the lessee), and relates to the transfer of possession and use of an asset(s) for valuable
consideration for a specified period of time.
Whilst there are many named variations, in an accounting/finance context, there are
essentially two types of leases:
• a finance (or capital) lease which involves a series of payments over the majority of the
expected life of the asset(s) and for the majority of the cost of the asset(s), and in which the
lessee acquires all the economic benefits and risks of ownership, and
• an operating lease21 which involves a series of payments over a period (usually one to
five years) that is less than the expected life of the asset(s), and in which the lessor remains
responsible for all servicing and maintenance.
Mainly for fiscal reasons, the popularity of leasing grew enormously in the late 1970s/early
1980s for a wide range of assets. And, whilst during the latter part of the 1990s and the early part
of the 21st century leasing has become a much more asset focused industry, in a contemporary
context, it is not uncommon for companies/organisations to lease a range of assets, for example:
• premises and buildings,
• plant, machinery and equipment,
• vehicles, and
• information and communication technology hardware/software.
The advantages of leasing are:
• there is a small initial cash outlay – it avoids large capital outlay,
• it can reduce/eliminate risks of ownership and can lessen the impact of technological
obsolescence,
• it can help to conserve working capital and minimise cash outflows,
• it minimises the need for borrowing, and
• lease payments are a tax deductible expense.
Outsource
We will look at the issue of outsourcing in detail later in this chapter.
Selecting a supplier/developer
There are many factors/issues a company/organisation should consider when selecting/approving
a supplier/developer. Questions to consider would include, for example:
• Is the supplier/developer well established?
• Is the supplier/developer experienced in information and communications technology?
• Is the supplier/developer industry recognised/approved?
• Is the supplier/developer reliable?
• Are external third-party references available?
• Does the supplier/developer offer guarantees and/or warranties on the products/services it
supplies/provides?
• Are the supplier/developer’s products/services up to date?
• Does the supplier/developer provide finance for the purchase/development of hardware/
software systems? If not does it provide alternative acquisition means (e.g. leasing)?
• Does the supplier/developer provide implementation and installation support/maintenance?
• Does the supplier/developer provide post-implementation and installation training and support?
Single supplier/developer
The advantages of using a single supplier/developer are:
• it can simplify the acquisition/supply process,
• it may ensure compatibility, and
• it may be a more reliable service.
Multiple suppliers/developers
The advantages of using multiple suppliers/developers are:
• it may result in cheaper prices (due to competition),
• it may result in increased product range, and
• it can spread risk (supplier/developer stops trading, etc.).
• Expandability – can the hardware system be expanded to include external facilities (e.g.
external data storage)?
• Affordability – is financing available and/or are specific discounts available?
There are two alternative approaches to the acquisition of software (where it is not developed
in-house), these being:
n the acquisition of generic software, or
n the acquisition of commissioned software.
857
.. ..
CORA_C16.qxd 6/1/07 11:14 Page 858
858
.. ..
CORA_C16.qxd 6/1/07 11:14 Page 859
Systems selection
859
.. ..
CORA_C16.qxd 6/1/07 11:14 Page 860
  ◦ high-level design issues – for example what specific programs (software system) will be
required, what will the inputs and outputs be, and what will the relationship and/or
interaction between the program (software system) and existing programs (software systems)
be (including for example existing/current operating systems),
  ◦ low-level design issues – for example how will the program (software system) function
and what modular components will be used/required, and
  ◦ data design – for example what will be the structure of data inputs and outputs,
• coding/programming of the program (software system) – that is, once the design is complete
it is translated into a functional program, which means the program (software system) code
needs to be created,
• testing the program (software system) – that is, once the coding/programming is complete,
the complete program (software system) will require testing to ensure that it functions as
intended/required and on the intended platform(s), and
• maintenance of the program (software system) – that is, once the program (software system)
has been tested, authorised as complete and delivered to the users, it will inevitably require
regular maintenance and/or updating.
Open tendering is essentially a single-tier bidding process, in which all interested suppliers/
developers can submit a tender in response to a tender notice issued by the company/organisation.
Normally such a tender notice would stipulate:
• the conditions that apply to the tender process,
• how the tender process will work,
• where tender documents can be obtained, and
• the last date by which tenders will be accepted.
Restricted tendering is a multi-tier bidding process in which suppliers/developers are initially
requested to submit an ‘expression of interest’. These expressions of interest are evaluated and
a shortlist of appropriate suppliers/developers is then created. Those on the shortlist would then
be invited to submit a formal tender, which would then follow the open tendering procedure
discussed above. This restricted tendering procedure is most likely to be used where a large
number of suppliers/developers are expected to submit tenders.
Negotiated tendering occurs where a company/organisation negotiates a tender with one
or more approved suppliers following a pre-qualification process (see earlier). This negotiated
tendering procedure is most likely to be used where:
• specialist services and/or components are required,
• where compatibility with existing services/components is crucial, or
• as a means of reducing the numbers of tenders – for example as part of the restricted
tendering process.
Whatever tender process/procedure is used, once all tenders have been submitted and received,
they need to be objectively reviewed and evaluated – and of course a selection made.
During this review and evaluation process, it is of course important that the integrity of the
tender process as a competitive procedure is maintained, and essential that the evaluation of
submitted tenders is undertaken fairly, objectively and impartially.
The review process would primarily consider how well the submitted tenders comply with
all the requested criteria, and would usually be reviewed and evaluated using:
• a pre-determined set of criteria, and
• a pre-agreed scoring and weighting system,
to evaluate individual aspects/components of the tender. This would perhaps also incorporate
benchmark performance measures and/or test simulation scores and evaluations for specific
aspects/components of the tender.
Such pre-determined criteria could include for example:
• the price of the tender,
• the financial viability of the tender submission,
Systems implementation
In essence, the critical path of an implementation schedule is the longest sequence of dependent
activities and events that leads to the eventual completion of the implementation plan, inasmuch
as any delay of any event/activity on the critical path will delay the system(s)/sub-system(s)
implementation – unless the duration of future sequential events and/or activities can be reduced.
There are two main ways in which the critical path can be presented, using either:
• a scheduling chart – for example a Gantt chart, and/or
• a PERT (Project Evaluation and Review Technique) chart.
Both are equally useful and the selection of the most effective form of presentation is essentially
a matter of choice, circumstance and, of course, personal taste.
Scheduling chart
Scheduling charts are often used in the planning, development and implementation of a system.
The most popular, and indeed the most widely used, scheduling chart is the Gantt chart. The
Gantt chart is extremely useful in:
• assessing the maximum period of a development project,
• determining and prioritising resource requirements during a development project,
• establishing an order/timetable for development events/activities within a development
project,
• identifying and managing interdependencies between development events/activities, and
• monitoring the progress of a development project.
Whilst it is possible to develop/draw a Gantt chart manually, most (if not all) development
managers/systems development teams would use a charting software program (e.g. Microsoft
Project available @ www.microsoft.com) to build, develop, amend and manage Gantt charts.
PERT charts
PERT is a variation on critical path analysis that takes a slightly more sceptical view of time
estimates made for each event/activity of the development project. For each event/activity time
estimate, PERT uses a weighted average of:
It then calculates the weighted average time for each event/activity using the following:
(Shortest time + (4 × Likely time) + Longest time) / 6
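The critical path and the PERT weighting described above, worked through as an added example (not from the book). The activity names, dependencies and time estimates are constructed; each activity's three estimates are combined as (shortest + 4 × likely + longest) / 6, and the slack figures show which activities can slip without delaying implementation.

```python
from collections import defaultdict, deque

# Constructed sample: activities of a hypothetical implementation plan.
# name -> (shortest, likely, longest, [predecessors]); times in days.
ACTIVITIES = {
    "install_hardware": (4, 5, 12, []),
    "configure_software": (3, 6, 9, ["install_hardware"]),
    "convert_data": (5, 8, 17, ["install_hardware"]),
    "train_users": (2, 4, 6, ["configure_software"]),
    "acceptance_test": (2, 3, 10, ["configure_software", "convert_data"]),
    "go_live": (1, 1, 1, ["train_users", "acceptance_test"]),
}


def pert_time(shortest, likely, longest):
    """PERT weighted average: (shortest + 4 * likely + longest) / 6."""
    return (shortest + 4 * likely + longest) / 6


def topological_order(activities):
    """Order activities so every predecessor comes first (Kahn's algorithm)."""
    indegree = {name: len(spec[3]) for name, spec in activities.items()}
    successors = defaultdict(list)
    for name, spec in activities.items():
        for pred in spec[3]:
            if pred not in activities:
                raise ValueError(f"unknown predecessor {pred!r} for {name!r}")
            successors[pred].append(name)
    queue = deque(n for n, d in indegree.items() if d == 0)
    order = []
    while queue:
        node = queue.popleft()
        order.append(node)
        for nxt in successors[node]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(activities):
        raise ValueError("dependency cycle: no valid schedule exists")
    return order, successors


def critical_path(activities):
    """Return (project length, zero-slack activities in order, slack per activity)."""
    order, successors = topological_order(activities)
    duration = {n: pert_time(*activities[n][:3]) for n in activities}

    # Forward pass: earliest finish of each activity.
    earliest_finish = {}
    for n in order:
        start = max((earliest_finish[p] for p in activities[n][3]), default=0.0)
        earliest_finish[n] = start + duration[n]
    project_length = max(earliest_finish.values())

    # Backward pass: latest finish that does not delay the project.
    latest_finish = {}
    for n in reversed(order):
        latest_finish[n] = min(
            (latest_finish[s] - duration[s] for s in successors[n]),
            default=project_length,
        )

    slack = {n: latest_finish[n] - earliest_finish[n] for n in order}
    # Zero slack means any delay to the activity delays the whole plan.
    # If several critical paths exist, this list holds the activities of all of them.
    path = [n for n in order if abs(slack[n]) < 1e-9]
    return project_length, path, slack


if __name__ == "__main__":
    length, path, slack = critical_path(ACTIVITIES)
    print(f"expected implementation time: {length:.1f} days")
    print("critical path:", " -> ".join(path))
    for name, value in slack.items():
        print(f"  {name:20s} slack {value:.1f} days")
```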
will need to take place. This is because often when a new system(s)/sub-system(s) is developed
and introduced, duties and responsibilities, for example, for:
• data capture procedures,
• data security,
• data processing procedures,
• data storage facilities, and
• system(s)/sub-system(s) management
will invariably cut across a range of company/organisation departments. It is therefore important
that a suitable allocation occurs in order to ensure that sufficient separation of duties and
responsibilities will exist post-implementation and ensure the existence of:
• adequate internal control within the new system(s)/sub-system(s), and
• appropriate security within the new system(s)/sub-system(s).
and nature of the new system(s)/sub-system(s). It will therefore be a simple, if somewhat formal,
routine exercise – an objective and apolitical systems development allocation/assignment exercise.
In some cases, however, this process can become very political, divisive and disruptive, especially
where:
• the nature, scope and impact of the new system(s)/sub-system(s) on the company/organisation
(or a large segment of the company/organisation) will be significant,
• the manner in which the new system(s)/sub-system(s) is to be implemented is unclear and/or
uncertain, and/or
• the impact and/or effect of the new system(s)/sub-system(s) on employees and/or groups of
employees within the company/organisation will be substantial.
Clearly, it is in the best interests of the company/organisation to minimise any attempt at
politicising the development and/or implementation process. Why? Because such politicisation
(whatever its origin or cause) may provoke unwarranted resistance – resistance to the development
and implementation of the new system(s)/sub-system(s) and the adoption/use of related
information and communication technologies. A resistance which can, if left unresolved, become
extremely costly in both a financial and business context.
We will look at the politics of accounting information systems development and the management
of resistance later in this chapter.
A development narrative
This would normally include:
• a description of the development process,
• a description of the system(s)/sub-system(s) input, process and output procedures,
• a description of the system(s)/sub-system(s) data management procedures,
It would also include, where appropriate, relevant flowcharts and dataflow diagrams and,
where necessary, example copies of systems documents. The purpose of such a development
narrative is to provide a detailed technical specification of system(s)/sub-system(s).
An operational guide
This would include for example:
• details of system(s)/sub-system(s) operating schedules/timetables,
• details of system(s)/sub-system(s) hardware and software components,
• a description of the system(s)/sub-system(s) files and databases, and
• a description of system(s)/sub-system(s) users.
The purpose of such an operational guide is to provide detailed information on how to operate
the system(s)/sub-system(s).
Note: For system(s)/sub-system(s) security purposes, it is important that the operational guide
does not contain information such as systems flowcharts and program code because a system(s)/
sub-system(s) operator should not, under any circumstances, have access to data/information
that may reveal the system(s)/sub-system(s) internal logic.
A user/stakeholder manual
This would include:
• a system(s)/sub-system(s) reference guide,
• an overview of the system(s)/sub-system(s) and its major functions,
• examples of data input procedures and data analysis tools,
• a comprehensive guide to error messages, error codes and error descriptions,
• a tutorial guide,
• a training programme – usually task or topic orientated, and
• a help/problem referral guide.
The purpose of such a user/stakeholder manual is to describe how to use the system(s)/sub-
system(s) and it is likely that much of the above would be provided as an online facility.
A final testing of the system(s)/sub-system(s), often called an acceptance or transfer test, would
involve users providing data (preferably actual data) for the final test phase of the new system(s)/
sub-system(s). Such end-user-related testing is designed to confirm to the users the credibility
and integrity of the new system(s)/sub-system(s).
Systems conversion
Systems conversion can be defined as the process of changing/moving from an existing oper-
ational system to a new one.
There are essentially four approaches to systems conversion, these being:
The main advantage of the direct (or immediate) conversion is that the conversion process is
immediate and inexpensive. The disadvantage is that the process can be very risky, especially
where conversion problems occur. Such a failure could result in, for example, the incorrect
processing and/or incorrect management of data as a consequence of a loss of system(s)/sub-system(s)
integrity, and/or a failure of system(s)/sub-system(s) security.
If tests prove successful, then the new system is gradually introduced throughout the old
system(s)/sub-system(s). Such a conversion process (also known as the localised transition
approach) is suitable where both the old system(s)/sub-system(s) and the new replacement
system(s)/sub-system(s) are crucial to the ongoing survival of the company/organisation.
The main advantage of the pilot (or modular) conversion is that such a conversion process
allows for the testing of and training on a new system(s)/sub-system(s) in a live functioning
environment, resulting in the identification, and correction of operational procedure/process
errors (sometimes referred to as debugging).23
The main disadvantage of the pilot (or module) conversion is that such a staged/segmented
introduction can extend substantially the time period of the conversion process and as a
consequence increase the overall cost of conversion.
Phased conversion
Phased conversion occurs when a new system(s)/sub-system(s) is gradually introduced and
the old one(s) gradually removed. Such a conversion process (also known as the incrementalist
approach) is suitable where:
• the new system(s)/sub-system(s) is very different (operationally and/or technically) from the
existing one(s), and/or
• both the old system(s)/sub-system(s) and the new replacement one(s) are crucial to the ongoing
survival of the company/organisation.
The main advantage of a phased conversion is there is a greatly reduced risk of systems/sub-systems
failure because the transition is gradual, with resources and capabilities introduced/transferred
in a programmed, coordinated and managed approach. However, the disadvantages of phased
conversion are:
Parallel conversion
Parallel conversion occurs when both the new system(s)/sub-system(s) and the old one(s) are
operated simultaneously for a period of time (e.g. days, weeks or months). Obviously, the longer
the period, the greater the overall cost.
Such a conversion process (also known as the dual approach) is suitable where:
• the data processed and the information produced by system(s)/sub-system(s) being replaced
is of substantial value to the company/organisation, and/or
• both the old system(s)/sub-system(s) and the new replacement one(s) are critical to the
ongoing survival of the company/organisation.
The main advantage of a parallel conversion is there is a greatly reduced risk of conversion failure
because the transition to the new system(s)/sub-system(s) only takes place once the parallel
running has indicated no procedural/processing problems exist with the new system(s)/sub-
system(s). However, the disadvantages of parallel conversion are:
• the conversion process to the new system(s)/sub-system(s) may take considerable time,
• additional costs may be incurred as a result of parallel running of the two system(s), and
• operational problems may occur (e.g. employee resistance) as a result of the need to maintain
two different system(s)/sub-system(s) simultaneously.
Finally we also consider data conversion.
Data conversion
Where there is a system(s)/sub-system(s) conversion from the old to the new, there will invariably
be a need to convert data from one to the other. This happens for a number of reasons, for example:
• the data structure used within the new system(s)/sub-system(s) may differ substantially from
the old one(s),
• data file content used within the new system(s)/sub-system(s) may be significantly different
from the old one(s), and/or
• the data storage medium used within the new system(s)/sub-system(s) may differ from the
old one(s).
Such a conversion process can of course be time consuming, extremely repetitive, very tedious and
enormously expensive, especially where a substantial amount of data and a substantial number
of data files exist. So, it is not uncommon for a company/organisation facing a substantial data
conversion task/activity to consider outsourcing it to an external company/organisation.
There are essentially three stages to the data conversion process, these being:
• data file selection,
• data file conversion, and
• data file validation.
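One way to carry out the third stage, data file validation, shown as an added example (not from the book): the converted file is reconciled against the old one by record count, control total and a per-record digest, so that dropped or altered records surface before the old system is retired. The debtor records, column names and field mapping are constructed for illustration.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample: a debtor balance file exported from the old system ...
OLD_FILE = """account,name,balance
1001,Acme Ltd,1250.00
1002,Birch & Co,310.50
1003,Cole plc,0.00
1004,Dunn LLP,98.75
"""

# ... and the same file after conversion to the new system's layout
# (different column names and order; one balance altered, one record dropped).
NEW_FILE = """customer_id,balance_gbp,customer_name
1001,1250.00,Acme Ltd
1002,301.50,Birch & Co
1003,0.00,Cole plc
"""

# Hypothetical mapping from new-system column names back to old-system names.
FIELD_MAP = {"customer_id": "account", "customer_name": "name", "balance_gbp": "balance"}


def load(text, field_map=None):
    """Parse a CSV export into {account: record}, renaming columns if a map is given."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if field_map:
            row = {field_map[col]: value for col, value in row.items()}
        account = row["account"].strip()
        if account in rows:
            raise ValueError(f"duplicate account key {account!r}")
        rows[account] = {
            "name": row["name"].strip(),
            "balance": Decimal(row["balance"]),  # exact decimal, no float rounding
        }
    return rows


def record_digest(account, record):
    """SHA-256 over a canonical form, so layout changes do not affect the digest."""
    canonical = f"{account}|{record['name']}|{record['balance']:.2f}"
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def validate_conversion(old_rows, new_rows):
    """Reconcile converted data against the source: counts, control total, content."""
    common = old_rows.keys() & new_rows.keys()
    report = {
        "count_old": len(old_rows),
        "count_new": len(new_rows),
        "total_old": sum((r["balance"] for r in old_rows.values()), Decimal("0")),
        "total_new": sum((r["balance"] for r in new_rows.values()), Decimal("0")),
        "missing": sorted(old_rows.keys() - new_rows.keys()),
        "unexpected": sorted(new_rows.keys() - old_rows.keys()),
        "changed": sorted(
            k for k in common
            if record_digest(k, old_rows[k]) != record_digest(k, new_rows[k])
        ),
    }
    report["ok"] = (
        report["count_old"] == report["count_new"]
        and report["total_old"] == report["total_new"]
        and not (report["missing"] or report["unexpected"] or report["changed"])
    )
    return report


if __name__ == "__main__":
    result = validate_conversion(load(OLD_FILE), load(NEW_FILE, FIELD_MAP))
    for key, value in result.items():
        print(f"{key:12s} {value}")
```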
Systems review
Systems review involves the monitoring and evaluation of the selected system(s)/sub-system(s)
performance, the primary aim of such a review being to determine the success (or otherwise) of
the company/organisation systems development process.
Post-implementation assessments
The post-implementation assessments will normally occur sometime after system(s)
implementation – the period and the frequency of the assessments obviously depending on the
importance/criticality of the system(s) developed.
The aim of the post-implementation assessment is to measure/assess the success or otherwise
of the system(s) development process and determine whether the objectives of the system(s)
development have been achieved. Often undertaken by the systems development team, such a
post-implementation assessment would ask questions such as:
• Are users satisfied with the system(s) operations – if not why not?
• Are system(s) procedures functioning reliably and effectively?
• Are data input/capture procedures functioning correctly?
the prototype system may be discarded and the system development pursued using the
traditional systems development life cycle approach. This type of prototype is often referred to
as a non-operational prototype.
In general prototyping is used for developments that involve management-related and/or
decision support-related systems. That is systems developments where there is or may be:
• a high level of ambiguity about the systems development,
• substantial uncertainty regarding the nature and/or structure of the system(s) processes,
• considerable problems and/or difficulties in defining system(s) requirements,
• significant uncertainty about the outcome of the systems development,
• a considerable number of alternative system(s) designs.
Prototyping is also ideal for system(s) developments which involve:
• experimental system(s)/investigational system(s),
• high-risk system(s),
• infrequently used system(s), and/or
• continually changing system(s).
especially system(s) that have limited design alternatives, well-defined system(s) requirements,
and/or predictable processing procedures. For example, developments involving:
• a company’s/organisation’s debtor management system(s), and/or
• a company’s/organisation’s purchasing system(s).
There is nothing more difficult to carry out, nor more doubtful of success, nor more dangerous
to handle than to initiate a new order of things (Niccolo Machiavelli, The Prince, 1532).
practices and procedures. For others, such change may be seen as good: that is its consequences
may be seen as beneficial and constructive – the intention being to break down traditional
barriers, remove outdated and inappropriate practices and procedures, and engage with the
‘brave new world’.
But how can such a diverse range of alternative understandings arise? Put simply, they arise
because change (certainly within a corporate/organisational context) whilst motivated by an
increasingly vast array of interconnected factors and issues, is invariably political in nature, with
its consequences affecting different socio-economic groupings within a company/organisation in
different ways. For example the introduction of ‘Chip and PIN’ technologies in many high street
retail stores during 2003/04 affected lower-level operational employees differently to tactical-level
junior/middle managers, who in turn were affected differently to strategic-level senior managers.
For example:
• lower-level operational employees, for example retail assistants, required an understanding
of the operational aspects of the new technologies and the use of the new customer payment
procedures,
• junior/middle managers, for example store managers, required an understanding of the
control requirements and reconciliation aspects of the new technologies, and
• senior managers required an understanding of the longer-term cost–benefit impact of such
technologies.
It is the potential impact of change (especially information and communication technology
orientated change) on different socio-economic groupings within a company/organisation –
the social and economic consequences on an individual and/or groups of individuals within the
company/organisation – that will, if sufficiently negative and/or adverse, stimulate an agenda of
defiance, opposition and non-cooperation from an individual and/or groups of individuals.
Sources of resistance
Clearly, how an individual and/or a group of individuals perceive or understand a change/
proposed change – whether it involves:
• the adoption of information and communication technologies, and/or
• the introduction of new/revised processes, procedures and/or protocols,
will of course determine their reaction to such change – in particular the level of opposition/
resistance that may arise.
But why does such resistance emerge? Indeed, what are the sources of such opposition?
Resistance to change – whether in the form of defiant opposition or merely non-cooperation
from an individual and/or groups of individuals – will often emerge when:
• the nature, scope and context of the change/proposed change is ambiguous,
• the manner in which the change/proposed change is to be introduced and coordinated is
unclear,
• the possible impact/effect of the change/proposed change on individuals/groups of
individuals is uncertain, and/or
• the level of support (and reassurance) offered by those coordinating the change, to those
affected by the change/proposed change (e.g. regarding training) is limited and/or vague.
That is, resistance and opposition emerge where there exists:
• considerable bias/ambiguity, and
• significant fear and uncertainty,
regarding the change/proposed change. The intensity of any resistance and opposition offered
is influenced by:
• the individual/personal characteristics/profile of those affected by the change/proposed change,
and
• the level of personal loss that an individual and/or groups of individuals may incur as a result
of the change/proposed change.24
Types of resistance
Hostile aggression
Hostile aggression can be defined as an unprovoked violent act and/or hostile action designed
to damage and/or possibly inflict injury. Examples of hostile aggression would be:
• the deliberate impairment of information processing hardware, for example the wilful
destruction of input/output devices,
• the intentional sabotage and/or theft of data storage facilities,
• the theft of data and/or data storage facilities,
• the deliberate introduction of software viruses, and
• the intentional removal of control procedures and protocols.
Defiant opposition
Defiant opposition can be defined as a deliberate act of avoidance and the wilful resisting of
procedures and protocols. Examples of defiant opposition would be:
• the deliberate failure to follow appropriate internal control procedures,
• the intentional processing of transactions using incorrect/inappropriate documentation, and
• the purposeful (perhaps even fraudulent) omission of authorisation procedures.
Defiant opposition differs from hostile aggression inasmuch as there is no intention and/or
deliberate act to damage, destroy and/or inflict injury or harm.
Negative projection
Negative projection can be defined as the transference and/or allocation of blame or
responsibility. It occurs when:
• the introduction of a new system or sub-system,
• the development of new procedures and processes, and/or
• the integration of new information and communication technologies,
Clearly, no matter how resistance emerges – no matter what its source or indeed what form such
resistance takes – it needs to be effectively managed. Why? Because continued resistance to
change, in particular continued opposition to change from different socio-economic groupings
within a company/organisation may create unrest and escalate into internal conflict, which
could if significant be politically and economically damaging for the company/organisation.
Indeed, in managing change, it is important that those assigned with planning, developing and
implementing any change, succeed in:25
• establishing a sense of importance and urgency about the change/change process,
• developing an acceptable rationale for any proposed change,
• creating a sufficiently powerful coalition to support any change/proposed change, and
• resolving any obstacles/hindrances to any proposed change at an earlier stage in the change
process.
There are of course many strategies which can be adopted to assist in minimising resistance –
although perhaps not fully eliminating such opposition. It is for example important to ensure:
• open communication and discussion takes place during the planning, development and
implementation stage of any change/proposed change,
• adequate support (and reassurance) is offered to those affected by the change/proposed
change,
• open and honest feedback is available at all stages during the planning, development and
implementation stages of any change/proposed change, and
• user participation is encouraged during the planning, development and implementation
stage of any change/proposed change.
So resistance is futile?
Well not really! Indeed, not all resistance is bad. Whilst there can be little doubt that in some
instances resistance to change, especially unprovoked and unwarranted hostile and aggressive
resistance, can not only be socially harmful but more importantly economically damaging to a
company/organisation, some resistance – whilst perhaps initially unwelcome and inconvenient
– can be politically constructive and economically beneficial.
For example, such resistance may help to:
• focus attention on critical issues which may have been overlooked by the systems
development team,
• identify operational faults within a proposal which the systems development team may have
failed to recognise, and/or
• identify technical issues which may have a detrimental impact on operational control
procedures.
As a consequence resistance could result in a more cost effective and operationally efficient
system(s)/sub-system(s).
There are of course a number of ways in which information systems and information and
communication technologies can be used in developing and sustaining competitive advantage,
for example:
• creating linkages between a company/organisation and its customers and/or suppliers – for
example the use of electronic data interchange (EDI) facilities, and/or internet-based extranet
facilities,
• integrating the use of information and communication technologies into the company/
organisation value chain – for example the use of enterprise resource planning applications,
data mining27 and/or data warehousing28 facilities, and
• enabling the development of new distribution channels/new retail services – for example the
use of internet based e-commerce applications.
All of these would have an accounting information systems impact.
Some of which may well be spent wisely and some carelessly, if not negligently. Foolish
irresponsibility can be costly and disastrous.
In a financial context, the key to developing an intelligent information and communication
technology strategy is a simple cost–benefit analysis – a balancing of the costs associated with
an investment and the benefits that may accrue from any such investment. Put simply, it is not
how much is spent that matters but how well it is spent.
So what are the costs and benefits associated with information and communications
technology strategy?
systems (further details on an Information and Communication Technology Audit Grid are
available on the website accompanying this text www.pearsoned.co.uk/boczko) – especially
accounting information systems – can be developed, perhaps the most obvious and traditional starting
point being to use a simplified form of gap analysis30 or position analysis, to address two key
questions:
• What is the company’s/organisation’s current information and communication technologies
usage/requirement – that is what information and communication technologies do we need/
use now?31
• What is the company’s/organisation’s future information and communication technologies
requirement – that is what information and communication technologies will we need/use
in the future?32
In essence, the first question is essentially a spatial assessment of information and communications
technology within a company/organisation. That is a determination of what the current position
of information and communication technologies within a company/organisation actually is.
The second question is essentially a temporal assessment of information and communications
technology within a company/organisation. That is it is concerned with the future position of
information and communications technology within a company/organisation.
With the quality of the provision – that is the technical specification of the provision –
often limited. More importantly, future developments in information and communications
technologies are seen as having only a limited impact on the company’s/organisation’s overall
commercial competitiveness.
For a company/organisation within the former sub-category (maintenance role), information and
communications technologies whilst currently a major factor in the company/organisation would
not be expected to play a significant role in the future activities of the company/organisation.
Whilst there is a current heavy dependency on information and communications technologies,
technologies under development are unlikely to have a major/significant impact on the company’s/
organisation’s future strategies and/or its overall commercial competitiveness.
For a company/organisation within the latter sub-category (development role), information and
communication technologies, whilst not currently a major factor, are expected to play a significant
role in the future activities of the company/organisation, with applications and technologies under
development likely to produce a high potential contribution to the company’s/organisation’s
future strategies, and have a major impact on its overall commercial competitiveness.
play a major role in providing, developing and enhancing a wide range of core value creating
activities within the company/organisation. Such technologies are seen as:
• possessing a high and significant business value, and
• providing substantial added value to the overall commercial activities of the company/
organisation.
More importantly future developments in such technologies are seen as having a substantial
and significant impact on the commercial activities of the company/organisation, with their
expanded use being seen as a critical factor in the future development and success of its overall
commercial activities.
Position consolidation
In an information and communication technology context, a position consolidation strategy
is a maintenance strategy, and can be defined as a strategy designed to preserve current
capabilities. Such a strategy would consist of renewing and/or updating existing information and
communication technologies to sustain current capabilities, and is characterised by a reactive
movement since it results from the pull effect of changes in, and/or enhancements to,
information and communication technology applications and capabilities.
A position consolidation strategy would normally be associated with a minimal investment
approach.
Provision enhancement
In an information and communication technology context a provision enhancement strategy
is a development strategy and can be defined as a strategy designed to maximise capabilities
by enhancing the use and knowledge of information and communication technology-based
applications. Such a strategy would consist of elevating the importance of existing information
and communication technologies by, for example:
• providing additional training and education, and/or
• increasing or improving accessibility to information and communication technologies,
Technology improvement
In an information and communication technology context, a technology improvement strategy is
an acquisition strategy, and can be defined as a strategy designed to improve – through acquisition
– the technical quality/technical specification of existing information and communication
technologies.
Such a strategy would consist of replacing and/or updating information and communication
technologies (including hardware and software) by, for example:
• the acquisition and installation of new network communication facilities, and/or
• the development/introduction of new improved software operating systems,
to improve current capabilities and is characterised by proactive movement resulting from the
push effect of changes in and/or amendments to:
• the company’s/organisation’s objectives, and/or
• the company’s/organisation’s operational procedures, processes and activities.
a company/organisation will not on its own increase the business value of such technologies. A
company/organisation is unlikely to invest in information and communications technologies
where such technologies are unlikely to produce any identifiable net benefit and/or competitive
advantage, or, positively impact on the overall business value of the company/organisation.
Thus it is likely that:
Each of the above strategies would produce what is often called ‘intra-role migration’. That is
migration which can be defined as movement within the boundaries of a single functional role.
Such migration occurs when the organisational context of information and communication
technologies within a company/organisation is marginally modified, but nevertheless continues
to play the same role.
So what about changes in the role information and communications technologies play
within a company/organisation? Is it possible that their role will change from being peripheral
(or supplementary) to being companion (or intermediary), or from being companion (or
intermediary) to being substantive (or principal)?
Such a change is often called ‘inter-role migration’ and can be defined as cross migration
to a different functional role. Such migration would occur when the organisational context of
information and communication technology within a company/organisation is substantially
modified.
Outsourcing
Outsourcing (or contracting out) can be defined as the provision and management of internal
company functions by an external company/organisation and consists of the delegation of
non-core internal activities within a company/organisation (the client user) to an external agent
(the service provider). It involves – perhaps unsurprisingly – a considerable degree of two-way
information exchange, coordination and trust.
There are essentially two categories of outsourcing, these being:
• resource outsourcing in which a service provider agrees to provide and manage a set of
organisational resources including, where appropriate, staff resources, a set of resources
which comprise an organisational segment, and
• functional outsourcing in which a service provider agrees to provide a discrete service or
facility, for example customer/client support services and/or customer/client call centre
functions.
So what facilities, activities or indeed services are normally outsourced? Although outsourcing
(as a contracting-out business process) has a long history dating back to the early 19th century33
such outsourcing was normally related to production/manufacture-related facilities/activities
either directly (e.g. product manufacture) or indirectly (e.g. raw material supply). In a contemporary
context, outsourcing is now used in a vast range of company/organisational facilities/activities
including:
• manufacturing and engineering facilities,
• human resources management,
• facilities and real estate management activities,
• accounting and internal audit functions and, of course,
• information and communications technology facilities.
It is perhaps worth noting that whilst many service orientated companies/organisations (e.g.
banks and insurance companies) have relocated support services and/or call centre facilities,
and many manufacturing companies/organisations have relocated production activities and/or
distribution facilities, to other countries or geographical locations, such relocation is not necessarily
outsourcing – it is off-shoring. Indeed, outsourcing and off-shoring, whilst often used
interchangeably, are in fact very different.
Put simply, outsourcing involves the transfer of an organisational function/activity to an
external agent/third party, and means sharing company/organisational control with another
company and/or organisation, located either in the UK or in another country. Off-shoring involves
the transfer of an organisational function/activity to another country and represents a relocation
of an organisational function/activity to a foreign country, and does not necessarily involve the
transfer, sharing or control of an asset, function and/or activity.
So how does outsourcing work? There are essentially three outsourcing models normally used
in the outsourcing of information and communications technology related activities/facilities,
these being:
• an on-site outsourcing model,
• an off-site outsourcing model, and
• blended outsourcing.
On-site outsourcing
On-site outsourcing occurs when outsourced resources/facilities are provided by the service
provider on site – that is at the outsourcing company’s/organisation’s location.
This type of outsourcing is often used where:
• specific resources are required for the outsourced activity,
• the outsourced activity requires high levels of security/confidentiality and constant monitoring,
• the outsourced activity is not for a defined period, and/or
• the outsourced activity is highly iterative.
Off-site outsourcing
Off-site outsourcing occurs when outsourced resources/facilities are provided by the service
provider off site – that is from a location other than the client user’s location. This type of outsourcing
is often used where:
• the requirements and specifications of the outsourced activity can be defined and agreed in
advance,
• the client user’s on-site resources/facilities are limited, and
• the service provider can provide a more efficient and effective service from a remote location.
Blended outsourcing
Blended outsourcing occurs where a service provider provides resources/facilities using a combination
of on-site outsourcing and off-site outsourcing, for example:
• the provision of front office support services on-site, and
• the provision of back office technical facilities off-site (and/or off-shore).
This is an increasingly popular outsourcing model, especially in, for example, network support/management,
where a service provider can/will monitor network infrastructure from a remote
location, but will – at regular intervals – undertake a network health check35 on-site at the client
user’s location.
Although all service level agreements will contain some requirements/conditions specific to:
it is nonetheless important – for both the service provider and the client user – that any service
level agreement clarifies three key issues:
• the procedures for the monitoring, tracking and reviewing of the service provider’s performance,
and determining the service provider’s compliance with the conditions/requirements
of the service level agreement,
• the processes and procedures for resolving disputes, problems and issues arising out of the
service provider’s and/or client user’s failure to comply with the requirements of the service
level agreement, and
• the levels of compensation to be paid as a consequence of any breach of service level
agreement obligations resulting in a failure by the service provider and/or the client user to
comply with the requirements of the service level agreement.
Breach of agreement
Unless specifically agreed within the service level agreement, determining not only the existence
of a breach, but more importantly, the level of a breach or failure to comply with the requirements
of a service level agreement can be problematic. It is perhaps not surprising that many
information and communication technology-related service level agreements provide for the
use of some mutually agreed performance metric, for example:
• a positive assessment metric such as a performance scorecard system in which points are
awarded for targets achieved, and/or requirements complied with, or
• a negative assessment metric such as a failure points system in which points are awarded
when targets are not achieved, and/or requirements not complied with,
Article 16.1
Minor breach
Sometimes a failure/breach of service level agreement is not considered a fundamental breach
(as defined in the service level agreement and/or measured by the pre-agreed performance
metrics), that is the breach is considered to be of a minor nature and no more than a limited
infringement either by the service provider and/or the client user, for example:
• the service provider:
  ◦ fails to adhere to a predetermined data processing timetable,
  ◦ fails to provide prearranged support facilities, and/or
  ◦ refuses to comply with a specific security procedure, or
• the client user:
  ◦ fails to adhere to a predetermined payment/remuneration schedule, and/or
  ◦ fails to provide appropriate access to assets and facilities,
an appropriate claim for compensation for losses incurred, and/or losses to be incurred as a result
of a failure by the service provider and/or the client user to comply with the requirements of the
service level agreement, would normally be agreed as stipulated in the service level agreement.
Major breach
If a failure/breach of service level agreement is considered fundamental (as defined in the service
level agreement and/or measured by the pre-agreed performance metrics) – that is the breach
is considered to be of a major nature, representing a substantial failure, for example:
then termination of the service level agreement by the party not in breach of the service level
agreement results. Where appropriate, a legal claim for damages and compensation for losses
incurred and/or to be incurred as a result of the breach could follow.
Force majeure37
It is perhaps worth noting that most information and communication technology service level
agreements contain a force majeure clause – a clause which exempts both the service provider
and the client user from any liability arising from a compliance failure and/or performance
delay arising from events/occurrences beyond their reasonable control.
Such events/occurrences would include for example:
• acts of war,
• acts of God,
• acts of nature – including earthquakes, hurricanes and floods,
• civil riots, and
• government imposed trade embargos.
Put simply, such a force majeure clause provides explicit exemption from any liability for compensation
where such liability has arisen from a failure/breach of agreement caused by one or
more of the above events/occurrences.
Problem resolution
Most information and communication technology-related service level agreements will contain
a predefined and pre-agreed problem resolution protocol/clause containing details of the
processes and procedures to be employed by either the service provider and/or client user in
the event of a failure by the other party to comply with the conditions and requirements of a
service level agreement.
Depending on the nature and seriousness of the alleged failure/breach of agreement, the
problem resolution procedures could comprise up to five interrelated stages, these being:
• an identification stage,
• an assessment stage,
• an escalation stage,
• an arbitration stage and, where necessary,
• a litigation stage.
Identification stage
The identification stage is designed to ascertain the nature of the breach of agreement, that is
for example:
• the type of failure(s) that has/have occurred,
• the time, date and location of each failure and, where possible,
• the cause of each failure,
Assessment stage
The assessment stage is designed to clarify the level of breach of agreement – for example, whether
the breach constitutes a minor infringement or major failure. Indeed, it is at the assessment stage
that any mutually agreed performance metric (as defined in the service level agreement) will be
used to determine the level of the breach. As with the identification stage, the assessment stage
will also normally be part of the service level agreement monitoring and reviewing procedures
and processes.
Where a breach of agreement (by either the service provider and/or the client user) is
deemed to be of a minor nature and agreed by both parties to have taken place, then compensation
will be made by the party in breach of agreement to the other party – usually at an
agreed tariff.
See Example 16.1.
Escalation stage
Where agreement cannot be reached at the assessment stage – a stage which usually occurs at
an operational/tactical management level – then escalation to a higher management level may
be required. The escalation stage is designed to move an unresolved problem up to a higher tier
of management, both at the service provider and the client user, and is usually used where:
• a breach of service level agreement is deemed by either the service provider or the client
user to be a major breach, and/or
• a mutually agreed level of compensation for a minor breach of service level agreement
cannot be reached.
The aim of the escalation stage is to elevate discussion to a more strategic level and consider
the strategic context of the alleged breach of agreement and the potential consequences of a
failure to achieve a mutually acceptable resolution.
In many cases, where an alleged breach does reach this stage, it is usual that after minor political
manoeuvring, discussion and a lot of negotiation, a resolution will normally be found – whether
that resolution entails:
• making a financial payment at an agreed level as compensation for the breach of agreement,
• issuing a letter of apology or, even
• mutually agreeing to terminate the service level agreement.
Arbitration stage
It is of course possible that a resolution may not be found – especially where a significant
difference of opinion exists between the service provider and the client user regarding the nature
and level of the breach of agreement. In such cases arbitration may be the final option.
Backup Direct™ (On Direct Business Services Ltd) is the UK based online data backup service
provider for UK business. See www.backupdirect.net
The following is a copy of Backup Direct™ service level agreement (Business Users) available @
www.backupdirect.net/library-service-level-agreement.htm.
Compensation Payments
In case of non-performance under this Agreement, the client will be compensated as follows:
System Availability Guarantee – if an outage exceeds 43.2 minutes, we will refund 5% (five percent) of the
Client’s base monthly recurring fee per hour of downtime, up to 100% (one hundred percent) of the base
monthly recurring fee.
File Restore Guarantee – if a file or set of files is not recoverable within 4 hours of the initial request, we
will refund the client 5% (five percent) of the Client’s base monthly recurring fee for each MB (Megabyte)
of non-restorable data, up to 100% (one hundred percent) of the base monthly recurring fee.
Application/Database Recovery Guarantee – if system and/or database files or set of files are not
recoverable within 24 hours of the initial request, we will refund the client 5% (five percent) of the Client’s
base monthly recurring fee for each MB (Megabyte) of non-restorable data, up to 100% (one hundred
percent) of the base monthly recurring fee.
In all cases these Compensation Payments are non-cumulative and the highest amount for each category
will be paid. In all cases the maximum payment in any one month will not exceed 100% of the Client’s
base monthly recurring fee.
Scheduled Maintenance
Scheduled Maintenance means any maintenance at the Backup Direct™ Data Centres, where the
Customer is notified 48 hours in advance by telephone, email, fax and that is performed during a
standard maintenance window Mondays through to Thursdays from 03:00 hours to 07:00 hours GMT.
Force Majeure
Except in respect of payment liabilities, neither party to this agreement will be liable for failure or delay
in performance of its obligations under this SLA due to reasons beyond its reasonable control including:
acts of war, acts of God, earthquake, flood, riot, embargo, government act or failure of the Internet,
provided that the delayed party gives the other party prompt notice for such cause.
• an industry regulator,
• an independent company, or
• a government sponsored agency.
Litigation stage
Where arbitration fails to provide a resolution agreeable to both parties, litigation may be the
only remaining course of action. Clearly, where litigation is considered as a course of action,
expert legal advice must be obtained prior to the commencement of any action – no matter how
extensive the alleged failure/breach of contract. Litigation as a final course of action is not only
very expensive in financial terms, it can also be very time consuming in business management
terms and, potentially, very damaging to the name and market reputation of the company
and/or organisation.
Compensation
At any of the above stages, where an alleged failure/breach of agreement has been proven and
agreed to have occurred by both the service provider and the client user, compensation may be
awarded. In a broad sense, such compensation can be defined as financial reparation for loss
or injury suffered as a consequence of the alleged failure/breach of agreement, with the level of
compensation paid dependent on the nature of the alleged failure/breach of agreement and the
extent of the loss/injury suffered as a result.
Whilst compensation for minor infringements/breaches of agreement will normally be based
on a mutually agreed tariff, compensation for a major failure/breach of agreement can be much
more difficult to establish/quantify. However it is perhaps worth noting that claims for excessive
compensation – however justifiable they may appear – will generally be legally unenforceable,
since they will be regarded as a penalty and not payment of compensation.
Termination
Service level agreements do not last forever, especially those related to information and communication
technology-related activities/facilities. Although some service level agreements
may exist for many years, invariably a time will come when a service level agreement between
a service provider and a client user will need to be renegotiated – a renegotiation which may or
may not result in the appointment of a new service provider.
Whether such a decision is financially motivated – that is based on cost – or technology
motivated – that is based on service quality/service delivery – when such a decision is made, it
is important that:
• an orderly termination of service provision from the current service provider occurs and,
where necessary,
• an organised migration from the current service provider system(s) to the newly appointed
service provider system(s) occurs.
For information and communication technology-related activities/facilities, especially facilities-related
service level agreements (e.g. network support and/or data storage), organised migration
(often over an extended period) is critically important in order to minimise possible service
disruption and/or possible data loss.
Whilst it is not unknown for such migration to take place over periods of up to 12 or 18 months,
especially where the outsourced information and communication technology-related activity/facility
is a major core activity with the client user’s company/organisation, in general average
migration periods of up to six months tend to be the norm. Clearly, in any migration it is
important for the current service provider to provide all reasonable assistance to the client user
in the migration to the newly appointed service provider’s system, and whilst in the majority
of transfers that will be the case, in a minority of cases problems can occur. Problems often
result from a deterioration in the relationship between the current service provider and the
client user once the appointment of a new service provider has been announced. Such problems
can range from:
• the purposeful obstruction of transfer/migration activities,
• the deliberate distribution of confidential (and/or commercially sensitive) information,
• the premeditated corruption and/or infection of data/files, to
• the intentional destruction of network hardware.
Whilst most information and communication technology-related service level agreements
contain specific conditions on and detailed requirements for the termination of a service
provision and the migration to another service provider, such problems may, nevertheless,
still occur. Where they do, and negotiation fails to resolve the situation, then litigation may be
the only solution.
Concluding comments
References
Ansoff, I.H. and McDonnell, E.J. (1990) Implanting Strategic Management, Prentice Hall, New Jersey.
Aseervatham, A. and Anandarajah, D. (2003) Accounting Information and Reporting Systems, McGraw
Hill, Sydney.
Bagranoff, N.A., Simkin, M.G. and Strand, N.C. (2004) Core Concepts of Accounting Information
Systems, Wiley, New York.
Cadbury, A. (2000) Global Corporate Governance Forum, World Bank, New York.
Earl, M.J. (1989) Management Strategies for Information Technology, Prentice Hall, London.
Emery, J.C. (1987) Management Information Systems: The Critical Resource, Oxford University Press,
Oxford.
Grundy, T. (1993) Managing Strategic Change, Kogan Page, London.
Kotter, J.P. (1996) Leading Change, Harvard Business School Press, Cambridge, USA.
Kotter, J.P. and Cohen, D.S. (2002) The Heart of Change: Real Life Stories of How People Change Their
Organizations, Harvard Business School Press, Cambridge, USA.
Machiavelli, N. (1532) The Prince, Translated by Marriot, W.K. (1916) Macmillan, London.
McFarlan, F.W. and McKenney, J.L. (1983) Corporate Information Systems Management: the Issues
Facing Senior Executives, Dow Jones Irwin, Homewood, IL.
Romney, M. and Steinbart, P. (2006) Accounting Information Systems, Pearson Education Inc., New
Jersey.
Senior, B. (1997) Organisational Change, Pitman, London.
Stacy, R. (1996) Strategic Management and Organisational Dynamics, Pitman, London.
Strebal, P. (1996) ‘Choosing the right path’, Mastering Management, Part 14, Financial Times, London.
Vaassen, E. (2002) Accounting Information Systems – A Managerial Approach, Wiley, Chichester.
Wilkinson, J.W., Cerullo, M.L., Raval, V. and Wong-On-Wing, B. (2001) Accounting Information
Systems, Wiley, New York.
Bibliography
Self-review questions
1. Describe the six main stages of the systems development life cycle.
2. According to Grundy (1993) there are three varieties of change. Distinguish between the
following:
• smooth incremental change,
• rough incremental change, and
• discontinuous change.
3. Distinguish between the following:
• soft-minor change,
• hard-minor change,
• soft-major change, and
• hard-major change.
4. Explain the key stages you would expect to find in the systems analysis stage of the systems
development life cycle.
5. Describe the four main stages of the prototyping approach to systems development.
6. Distinguish between the following types of resistance:
• hostile aggression,
• defiant opposition, and
• negative projection.
Question 1
Borlan plc is a UK listed and UK-based retail company. Because of significant data processing problems
encountered during the 2004/05 and 2005/06 financial years, the managing director of the company launched
a company-wide development review of its accounting information systems in late 2006.
Required
Assuming the company-wide development review recommends the introduction of a new accounting information
system, describe and evaluate the key stages you would expect to find during the systems development
process.
Question 2
Learn-a-lot Ltd is a small but expanding Leeds-based retail company that provides computer-based educational
facilities and equipment for a range of public and private sector colleges and universities specialising in
post-graduate professional IT courses. As a result of a recent increase in demand for the courses offered by
universities and colleges, the company is considering expanding its current retail facilities.
The company is seeking to establish a presence in both Hull and York in order to benefit from the high
number of undergraduates studying IT and computer science-related degrees at the local universities.
The company is, however, aware that such an expansion would require not only a substantial capital investment,
but also a significant change in the company’s accounting information systems procedures, especially
those concerned with the recording of sales income.
Required
As their recently appointed systems accountant, prepare a report for the management of Learn-a-lot Ltd
on the importance for a company like Learn-a-lot Ltd of possessing a cohesive strategy for the development
and implementation of information and communication technologies within its accounting information
systems.
Question 3
Describe and evaluate the main costs/benefits associated with information and communication technologies,
and explain why it is important for a company to develop an effective information and communication technology
strategy.
Question 4
During the systems development life cycle, it is not uncommon for a systems development team seeking to
introduce new systems and procedures to face/encounter significant resistance.
Required
Explain why such resistance may emerge, what forms such resistance can take and how such resistance can
be managed and minimised.
Question 5
Where an alleged breach of a service level agreement occurs, it is important that any such alleged breach of
agreement is resolved as soon as possible. Depending on the nature and seriousness of the alleged breach,
the problem resolution procedures could comprise up to five interrelated stages, these being:
• an identification stage,
• an assessment stage,
• an escalation stage,
• an arbitration stage, and
• a litigation stage.
Required
Describe and critically evaluate each of the above stages.
Assignment
Question 1
In January 2006, Richard Houghton was appointed as group systems accountant for FIRST plc a UK-based
retail company. Currently, the company has 18 retail outlets located throughout the UK. The company’s head
office is in Manchester. The company currently operates three alternative sales facilities; web-based sales,
mail-order sales and over-the-counter sales.
All web-based and mail-order sales are processed at the company’s head office in Manchester and
despatched from its main distribution centre in Wigan. All over-the-counter sales are processed at each
individual retail outlet. For the year ending 31 March 2006 the company retail sales were £87m and its net
profits were £28m.
At a recent meeting with the company management board, Richard suggested that the company should
explore the possibility of reviewing its over-the-counter sales procedures by introducing a new range of ‘Pay
by Touch technologies’ to replace the existing chip and PIN technologies. Although many of the management
board were not clear on exactly what ‘Pay by Touch technologies’ were, they were sufficiently intrigued by
the idea of using biometrics as part of the company’s revenue cycle that they suggested a feasibility study be
undertaken on the possible advantages and disadvantages of introducing such technologies.
Required
Making whatever assumptions are necessary, prepare a feasibility report for the management board of FIRST
plc detailing the possible advantages and disadvantages of introducing ‘Pay by Touch technologies’.
Question 2
In August 2006, following extensive discussion, the management board of FIRST plc, a UK-based retail
company, approved the introduction of ‘Pay by Touch technologies’ in all its 18 retail outlets, and appointed
Richard Houghton (group systems accountant) as chair of the project development team.
Required
Describe and critically evaluate the main stages that would be involved in successfully introducing such technologies
into the company’s revenue cycle, and the problems that may be faced by the systems development
team in their introduction.
Chapter endnotes
1. Heraclitus of Ephesus (approximately 535–475 BC) was known as ‘The Obscure’ and was a
pre-Socratic Greek philosopher in Ephesus in Asia Minor.
2. A demand/output orientated system is a system in which the functioning of the system
and its sub-systems are primarily conditioned by external environmental pressures, whereas
a supply/input orientated system is a system in which the functioning of the system and its
sub-systems are primarily conditioned by internal management pressures.
3. The term ‘environmental factors’ is used to describe all those factors which exist outside the
system’s boundary.
4. If you recall, in Chapter 14 we considered this multi-dimensional layering when we explored
the issue of context filtering – the process through which the priorities of capital (or the marketplace
and its component institutions) impose their requirements through a complex hierarchy
of macro and micro factors and characteristics.
5. This is an adaptation of Ansoff and McDonnell’s (1990) five level typology of environmental
turbulence.
6. See Stacy (1996).
7. Ibid.
8. Ibid.
9. Radio Frequency IDentification (RFID) refers to the technologies that can be attached to
an object (e.g. a retail commodity) that can be used to transmit data to an RFID receiver. In a
commercial context RFID is often viewed as an alternative to bar coding.
10. Some academics suggest that the systems development life cycle contains only four stages:
systems planning, systems analysis, systems design and systems implementation (e.g. see Bagranoff
et al. (2004)), whilst others suggest that the systems development life cycle contains only five
stages: systems planning, systems analysis, systems design, systems implementation and systems
review (e.g. see Aseervatham and Anandarajah (2003) and Romney and Steinbart (2006)), and
yet others suggest that the systems development life cycle contains six stages: systems planning,
systems analysis, systems design, systems selection, systems implementation and systems review
(e.g. Wilkinson et al. (2001)).
11. See Cadbury (2000).
12. Such costs would include for example hardware/software acquisition costs, design costs, programming
and testing costs, data conversion costs, training and education costs and hardware/software
maintenance costs.
13
Such tangible benefits would potentially include, for example, increased sales incomes, reduce
payroll costs and better working capital management.
14
Such intangible benefits would potentially include, for example, improved decision making,
more efficient operations, improved communications and greater stakeholder satisfaction.
15
It may be that the root problem of a system(s)/sub-system(s) is not a design issue but a man-
agement and/or employee issue which can perhaps be resolved without the need for expensive
redesign.
16
Where an current/existing system(s)/sub-system(s) is to be replaced, it is important to assess
how such a replacement will occur – for example:
n what system(s)/sub-system(s) processes will be phased in,
n what system(s)/sub-system(s) processes will be phased out,
n what data/information will be transferred,
n how will the data/information be transferred, and
n what training and education requirements will be needed to ensure the new systems function
correctly.
17
Such security would also include restricting/confirming user access.
18
Individual ATM withdrawals are normally limited by the account holding institution/bank.
Although the precise nature of the restriction will differ from bank to bank or institution to
institution, it is not uncommon for a restriction/limit of £200–£250 per day to apply to ATM
withdrawals from an individual personal current account.
19
Such security would also include restricting/confirming user access.
20
See Chapter 14.
21
Sometimes (somewhat incorrectly) referred to as a service lease or contract hire.
22
A variable is data which change over time, whereas a process is an activity which in an
information and communications technology context transforms data.
23
Debugging can be defined as a process of detecting, locating and removing mistakes, defects
and/or imperfections, in a system(s)/sub-system(s). Debugging tends to be harder when various
sub-systems are tightly coupled, as changes in one may cause bugs to emerge in another.
24
For example:
• a loss of financial rewards,
• a loss of power base, and/or
• a loss of utility.
25
For an organisational context see Kotter (1996) and Kotter and Cohen (2002).
26
See Earl (1989).
27
Data mining can be defined as the process of analysing data to identify patterns or
relationships, and refers to the use of information and communication technologies in either:
• generating new hypotheses (bottom-up data mining), or
• confirming existing hypotheses (top-down data mining).
28
The term data warehouse refers to a collection of data gathered and organised so that it can
easily be analysed and used for the purposes of further understanding the data.
29
Although given the speed of change within information and communication technologies,
such savings are likely to be very small.
30
There are many definitions of the term ‘gap analysis’ but for our purpose we will use the term
to mean a deficiency assessment. That is a process of determining and evaluating the difference
between what is needed and what is available. Put simply, the difference between where ‘we’ are
and where ‘we’ want to be.
31
For example using Earl’s (1989) quality/value map – see the website accompanying this text
www.pearsoned.co.uk/boczko for further details.
32
For example using McFarlan and McKenney’s (1983) strategic grid of information systems
– see Appendix 16.1 for further details.
33
For example, in the USA during the early 1800s the production of wagon covers and clipper
ships’ sails was outsourced to factories in Scotland, with raw material imported from India. See
http://www.globalenvision.org/library/3/702.
34
For example see www.intrasource.co.uk.
35
A network health check can be defined as an assessment of the efficiency of the physical
network in its active form as well as an assessment of the logical network connections.
36
Software management agreements, facilities management agreements, network management
agreements and server support agreements are all examples of service level agreements.
37
Force majeure is French for greater force and can be defined as a force which cannot be
controlled by the parties to a contract/agreement and which may prevent either party complying
with the provisions and requirements of the contract/agreement.
38
Sometimes referred to as the arbitrator(s) or the arbiter(s).
Index
ABI Research 585 and payroll 463–4, 471 alpha testing 493
absenteeism records 474 politics of development of 877–80 alphabetic codes 309
absorption costing 512–14 problems with 23–4 alpha-numeric codes 309
access code devices 705–6 procedural context for 16–17 ‘American’ options 545
access controls 409, 458–9, 526, 750, and risk 674 – 6, 681–2, 685 analytical review by auditors 803
808 socio-political nature of 25 ANSI-SPARC architecture 314
access to information, un-authorised thematic content of 25 Apple Inc. 491
698–700 and transaction processing 251–5 application auditing 797–805
access protocols 218 underlying theory of 25 application controls 459, 751–2
accessibility of data 279 users of 21–3 application layer
account codes 310–11 viewed as hard systems 48 in OSI reference model 211
accounting entries 253–5 accounting software 149–55 in TCP/IP reference model 213
accounting information systems Accounting Standards Board Statement application level gateways 702
alternative approaches to of Principles 25 applications management 828
development of 830 accruals adjustments 595 appropriateness checks 410
architecture of 806–9 ACID rules 319–20 approved supplier/providers 441–4
audit of 784–7, 792–6, 809–12 Actinic (software developer) 614 registers of 429–30
and capitalism 40 activity-based costing (ABC) 155–6, arbitration 893–5
complexity of 15 515 –17 archive files 274
constructed nature of 25 activity information and activity ARPAnet 118–19, 122, 146
and the conversion cycle 489 analysis information 413–14, Arthur Andersen (firm) 736, 777
and cost management 511–21 461–2, 529 –30 Asda plc 404, 406
and data processing 288 activity-related processes 162 asset management controls 409–10,
definition of 13 adaptive manufacturing 499 527, 750; see also current assets
and the expenditure cycle 423 adhocracy 183 management; fixed assets
external influences of 21 Administration of Justice Act (1970) management
fallacies about 24 390 asset revaluation adjustments 596–7
functional context for 19–20 administrative management 828–9 Association of British Insurers
functions of 15–17 advance fee frauds 687–8 776 –7
and general ledger functions 594–5 advertising 619–20 Association of Chartered Accountants
historical nature of 24 adware 714 775
integrated nature of 14–15 affinity computing 197 Association for Payment and Clearing
internal influences of 21 Aiken, Howard 116 Services 406–7
and the management cycle 536 Akdeniz, Yaman 126 associative entities 303
nature, context and purpose of Allen, Paul 117 asymmetric key algorithms 703–4
11–15 Alliance & Leicester 705–6 attendance data on employees 469
need for change in 822–9 Allied Irish Bank (IAB) 741 attributes associated with entities 303
organisational context for 17–21 Allison, David 586 auction facilities for customers 617
cheques, use of 387, 404–7, 450 computer-integrated manufacture control account entries 597
child entities 304 (CIM) 160 control activities 738–9
China 622–3 Computer Misuse Act (1990) 706–9 control cycle 91–2
circuit level gateways 702 computer software control environments 738
CitiFinancial 688 acquisition or development of control systems 92–9
Citigroup 742 857– 60 problems with 98–9
Clarke, Arthur C. 34 commissioned 860 control theory 80–1, 87
Clearing House Automatic Payments generic 860 and corporate control 99
System see CHAPS see also accounting software; ‘controlled’ stationery 435
client accounts see customer accounts audit software; management- conversion control tests 411
client-server networks 195 related software conversion cycle 247–50, 488–530
Close Brothers 591 computer workstations 187, 194, data input 500–5
Cluley, Graham 710 196 data management 510–11
coaxial cabling 190 computers, development of 116–17 data processing 505–10
Codd, Edgar F. 312, 324 Computing (magazine) 144, 692, 706 definition of 488
codes and coding systems 309–11 conceptual level schemas 315–16 disruption to 524
Cohen, Jack 34 concurrency control 320 information requirements
collaborative computing 197 confidential data, loss of 525 529 –30
Collier, Paul 43 configuration audits 802 internal controls and systems
collision-avoidance protocols 201 conflict resolution 880 security 525–9
commitment accounting 436 connecting components in networks objectives 488
Companies Act (1985) 774–6 186 –92 risks 521–5
company status, definition of 54–5 connectivity of entity relationships conversion of systems 869–71;
comparison checks on data 280 303 see also data conversion
compensation for breaches of consistency of data 278 convertible securities 542–3, 546–7
agreements 896 constraint checks on data 280 copyright 124–6, 494
Competition Act (1998) 426 Consumer Protection (Distance corporate funding cycle 233–5
Competition Commission 426 Selling) Regulations (DSRs) corporate governance 9, 88, 105
competitive advantage 7–8, 881 (2000) 646–50 audit of 782
competitive rivalry 360–1 consumer-to-business (C2B) corporate personality or character
completion payments 444 e-commerce 619 734 – 6
complexity consumer-to-business-to-consumer corrective controls 746
levels of 51 (C2B2C) e-commerce 619 cost advantages 237
theory of 34–5 consumer-to-consumer (C2C) cost assessment 512
compliance testing and compliance e-commerce 619 cost-benefit analysis 882
audits 781–2, 802–3 containment of adverse events or cost centre managers 438
compound keys 303 incidents 760 cost collection 512
computer-aided audit techniques content audits 797–805 cost management 489, 500
(CAATs) 793–805 context audits 805–6 link to accounting information
appropriate use of 802 context filtering 731–7 systems 511–21
used in data analysis 797–8 continuous manufacturing 496 costing procedures 511–19
used in verification of control contracting out see outsourcing countermeasures to adverse events
systems 799–802 contracts or incidents 760
computer-aided design (CAD) 159 for distance selling transactions Coviello, Art 626
computer-aided engineering (CAE) 649 crackers 699
159 with suppliers 431 Cramer, Aron 42–3
computer-aided manufacturing (CAM) control credit see expenditure cycle:
159 corporate context for 90–1 creditor-based
computer crime 691–714, 740 definition of 89 credit cards 450, 456
perpetrators of 694 physical 791 and fraud 627, 688
types of 694 purpose of 89–90 credit purchases and sales 253–4,
computer hardware, selection of systemic 92–3 426
856–7 see also internal controls credit status 368–9
direct debits and direct credits 143 Economist Intelligence Unit 585 EPOS see electronic point of service
‘directing mind’ concept 735 efficiency analysis by auditors 803 equifinality, principle of 52, 58
DirecTV 741 Eisenhofer, Jay 742 equipment requisitions 503–4
Disability Discrimination Act (1995) Electronic Commerce (EC Directive) equity financing 538–41, 546
and Code of Practice (2002) Regulations (2002) 652–5 issued 538–9
656–9 Electronic Commerce (EC Directive) non-issued 539–41
disaster contingency and recovery (Extension) (No. 2) Regulations equity swaps 544–5
planning (DCRP) 756–60 (2003) 655 Ernst & Young 591, 776–7
disbursement vouchers 470 Electronic Communications Act (2000) errors
discount facilities 617 650 –1 correction of 597
disembedding mechanisms 84 electronic data interchange (EDI) in provision, pricing or payment
disorganised capital thesis 43 136 –9, 636 451–2
distance contracts 398 risks and controls 764–5 risk of 682
distance selling 646–50 electronic funds transfer (EFT) eurobonds 542
and contract performance 649 139 – 45, 450, 628, 634, 636 European Convention on Human
distributed computing 197, 286–8, card-based and non-card based Rights 256
312 386 –7 ‘European’ options 545
distribution systems 370–1, 374–6 risks and controls 764–5 European Union (EU) 121, 129,
failure of 394 electronic mail see e-mail 133 – 4, 311, 379, 426, 641, 775
document flow analysis 292 electronic point of service (EPOS) Banking Co-ordination Directive
document flowcharts 299 systems 395–407 (2000) 638
documentation advantages and disadvantages of Transparency Directive (2004)
electronic 366–8, 377, 384 402 599
of production data 507 card-based 395–9 evaluation phase of systems planning
reviews of 843–4 non-card-based 399–400 836 –7
of systems and sub-systems terminals for 404–5 Excel spreadsheets 163–4
867–8 electronic signatures 650–1 exception, verification by 453
documentation controls 409, 458, e-mail 123, 146 – 8 exit points in accounting systems
526, 748–50 disadvantages of 148 253 – 4
dot.com companies 134–5, 610, and fraud 689 expected future return 673
617–18, 639 embedded audit modules 798–9 expenditure cycle 246–9, 426–79
double-entry bookkeeping 253 e-money 637–41 capital-related 422
doubtful debts 389–90 employees, ‘sale’ of 462–3 creditor-based 426–55
Dresdner Kleinwort Wasserstein 587 encoding 309–10 definition of 422
duties and responsibilities, encryption 309, 703 information requirements 461–2
allocation of 865–6 Engardio, Pete 43 internal control and systems security
DVD technology 128 English language 625 457– 60
Dylan, Bob 218 Enron 736, 750 –1, 775 link to conversion cycle 488
enterprise resource planning software non-creditor-based 426–7, 456–7
e-business see e-commerce 160 –2 revenue-related 422–7
Eckert, J. Presper 116 entities 302–4 expenditure transactions, cash-based
e-commerce 38, 133–7, 219, 402, entity-related processes 162 549
610–61 entity relationship diagrams 305–6 external level schemas 315–16
barriers to 621–7 entity relationship modelling 334–8 extranets 216 –19, 636
benefits of 642 entity relationships 303–6
categories of 616–19 entry barriers 881 factoring of debts 392
customer protection schemes 627 entry points in accounting systems false billing 686–7
myths of 660 254 –5 Farrell, Nick 741
problems with 642–3 environment-related events 523 feedback, types of 96–7
regulation of 643–59 environmental audits 783–4, 805–6 feedback loops 92–4, 97
economic order quantity (EOQ) environmental turbulence 823 feedforward loops 95–7
model 571–3 environments, predictable and fibre-optic cabling 191
The Economist 613–14 unpredictable 823 – 4 Fickling, David 126
file servers 187, 195 France 310 hacking 398, 688 –9, 692–3,
file-sharing 123–7 Frankson, Bob 163 699 –700, 740
peer-to-peer 197–8 fraud 399, 403, 406 –7, 626 –7, 634, hard change 825–6
problems with 198 685 –91, 705 –7, 715, 741–2 hard systems positivism 786
files, primary and secondary 273–4 computer-assisted 686 Harris, F.W. 572
film downloads 128 by modification of data or programs Harry, M. 12
filtering see context filtering; packet 707 HBOS plc 241
filtering online 687 Heath, Thomas 63–4
financial accounting departments, using e-mail 689 Help the Aged 406
responsibilities of 466 see also computer crime Hendon, David 121
financial environment 54–5 fraud management 690–1 Henry, Joseph 116
financial management 537–58, 829 Fulani people 35 Herbert, Liz 891
Financial Reporting Council (FRC) full costing 512 hierarchical data model for databases
776–7 functionalism 47 313
Financial Services Authority (FSA) fund management 548–58 hierarchy of needs 736–7
599, 637–8, 641 audit trail documentation on 556 history files 274
Financial Services and Markets Act disbursements 555–6 Hobson, Andrew 125
(2000) 638 operational 551 Hollerith, Herman 116
financial statements 780–1 receipts 554–5 Holloway, Neil 38–9
audit of 802–3 risks of 557–8 Hood, Nick 591
and the EU Transparency Directive strategic 554 Hopper, Grace 116
599 tactical 551–2 hostile aggression 879
interim 598 futures 543 hotfixes 706
year-end 598 hours worked by employees 469
fingerprint recognition 399 gamma testing 493 HSBC plc 85, 705–6
firewalls 700–2, 712, 740 Gartner (company) 614, 687 hubs 188
Fischer, Tom 401 Gates, Bill 117 Hughes, Austin 741
Fisher, Anthony 100–3 Gavrilenkov, Yevgeny 41 human resources management
fixed assets management 461, 560–9 gearing management 589–92 (HRM) 462–3, 829, 867
software for 153 Gelinas, U.J. 13 software for 154–5
fixed costs 514 General Electric 735 Hutchinson, Mike 144
flat data model for databases 313 general ledger management 594–9 Hutchinson, Raymond 559
flat files 270 as a control mechanism 597 Hutton, Will 39
flexibility of data 279 generation of financial information hybrid topology 204–5
flexible accumulation theory 43–4 597–9 HyperText Markup Language
flexible budgeting 519–21 risks of 599 (HTML) 131–2
flexible manufacturing 498–9 software for 153 HyperText Transfer Protocol
flexible specialisation 43–4 general systems theory 62, 73 (HTTP) 131–2
flow of funds 232–3 Gilbreth, Frank Bunker 497
flowcharts 294–302, 306 Gillette plc 585 IBM Inc. 313, 324
advantages and disadvantages of Global Crossing 742 identification technologies,
302 Global Security Survey 689 automatic 583
assessment of flows in 302 globalisation 4–7, 40–3, 232 identifying relationships between
for audit purposes 790 ‘engines’ of 6 entities 304
drawing of 299–302 Golden Wonder crisps 559 identity theft 688, 690
footballers, sale of 462–3 Google 132, 622–3 IG Farben 736
force majeure 892 Grant, Paul 780 implementation timetables
Ford, Henry 497 Gregory, Stephen 716 863 – 4
foreign keys 303, 322–3, 338 Grokster 126 imprest systems 557
Forrester Research 891 Gross, David 121 income, classification of 359
forwards 543 Grundy, T. 823 income tax deductions 471
‘419 schemes’ 687 The Guardian 34 –5, 38 –9, 463, 623 independent entities 302
Fourtou, Jean-Rene 128 Gutenberg, Johann 116 Industrial Society 38–9
industry-level characteristics affecting integration internet, the 118 –24, 129 –33, 181,
firms 734 between service providers 896–7 192, 214 –16, 610 –25, 739 – 40
inertia selling 650 of data 278 problems with 132–3
information of test facilities 800–1 restrictions on access to 621–2
definition of 10 integrity of data 279–80 usage of 623 –5, 692
provision to users 13–14 intellectual property 494 Internet Corporation for Assigned
quantity versus quality 24 interconnection of systems 59–60, Names and Numbers (ICANN)
uses of 8–11 87 120 –1, 621
see also management information interconnectivity, socio-political Internet Engineering Task Force 122
information administration 829 179 Internet Governance Forum 121
information and communication interest rate swaps 543–4 internet merchant accounts 628,
technology interim financial statements 598 635 – 6
and the conversion cycle 510, 530 interim payments 444 Internet Protocol (IP) 216
corporate strategy for 836, 881–6 internal control questionnaires internet relay chat 129–30, 197
costs and benefits of 882 (ICQs) 791 internet service providers (ISPs)
and e-commerce 611 internal controls 214 –15, 244, 635, 693
facilitating role of 884 audit of 781–2, 803 (inter)network layer in TCP/IP
future impact of 37–9 classification of 745–53 reference model 212
history of 115–17 on conversion cycle 525–9 interpretivism 47
inappropriate use of 695–6 on creditor management 593–4 inter-role integration 886
innovations enabled by 114, on debtor management 587–9 interviews, use of 842
148–65, 760–5 on expenditure cycle 457–60 intranets 216–19
and manufacturing operations invoicing-related 588, 593 intrusion detection systems (IDSs)
499 order-related 588 702–3
outsourcing of activities and facilities payment-related 588, 593 inventory management 154, 158, 439;
887–8 pricing-related 587 see also stock management
supporting role played by 883 and priorities of capital 730–2 investment in production resources
Information Commissioner 257 on revenue cycle 407–12 or assets 523
information management, internal and security of data and invoice-less payment processing 453
controls on 589, 593–4 information 755 invoices
information policy, corporate and security of resources (tangible electronic 384, 453
835–6 or non-tangible) 754–5 manual verification by exception
information requirements on stock management 581–3 453
for conversion cycle 529–30 and systems design 851–2 payment of 450–1
for expenditure cycle 461–2 and systems security 727–30, 754, processing of 449–50
for revenue cycle 412–14 760 –5 receipting of 445
for systems analysis 844 on transaction processing 234, verification/validation of 445–7
Information Security Breaches Survey 255 – 6 invoicing process 380–4
(2004) 699, 708–9 internal level schemas 316 before or after delivery 381
information society services 652–5 internal management reports 598 internal controls related to 588,
information systems controls 410, International Audit Assurance 593
459, 527, 751–2 Standards Board 775 on-demand 381
information systems management International Auditing Practices phased cycles in 381–2
827 Committee (IAPC) 779 purpose of 382–4
innovation, technological 113–14, international factors affecting firms iPod development 491–2
148–65, 760 733 irrecoverable debts 391–2
input controls International Federation of ISO/IEC code 683
on conversion cycle 527–8 Accountants 779–80 IT Week (magazine) 891
on expenditure cycle 459–60 international financial reporting
on revenue cycle 410 standards (IFRSs) 311 Jacquard, Joseph Marie 116
inspection reports 505 International Labor Organisation 43 James, David 558
instant messaging 197 International Monetary Fund (IMF) Jaques, Robert 219, 690
Institute of Internal Auditors 774 41–2 Jehar, Salim 42
joint application development (JAD) Lloyds TSB 705–6 market testing 493
approach to systems design loans, short-term 542 marketing systems 364–5
850 local area networks (LANs) 192, 194 failure of 394
Jones, Keith 775 location resources, preparation of Marks and Spencer plc 359, 404,
Jones, Teresa 891 866 –7 629 –33
journal vouchers 595 Lofthouse, Gareth 586 Marx, Karl 183
journalised entries in accounts 255 logic bombs 712 Maslow, A. 736–7
just-in-time models 573–6 Lomas, Tony 558 Massboxx 126
software for 157 London Stock Exchange 599 MasterCard 688
‘long wave’ theories 44 Matalan plc 587
Kanebo group 777 loop systems 92–7 material requirements planning
Kaplan, R. 515–16 closed 96 model 575–6
Kapor, Mitchell David 163 Lorenz, Edward 34 software 158
Kay, John 735–6 losses materials requisitions 502–4
Kazaa program 125 of confidential data 525 Mattel plc 42
Kerr, James 559 of raw materials, work-in-progress Mauchly, John 116
keywords (in SQL) 324–9 and/or finished products 524 m-commerce 639–43
Khan, Massod 121 Lotus 1-2-3 164 advantages and disadvantages of
Kilburn, Tom 116 Lu, M. 132 641
knowledge-based companies 244 Lynch, R. 8–9 future prospects for 641–2
KPMG 776 regulation of 641
McCarthy, Kieren 121 media streaming 126–7
labour disputes 523 McCarthy, W.E. 339 Meek, James 34
labour work records 504 McClure, S. 699–700 Melek, Adel 689
LaHara, Brianna 125 macro-based marketing 364–5 mesh topology 199, 203–4
Laird, Bill 401 macro level factors affecting firms MessageLabs 693
Large, Louise 716 732–3 metropolitan area networks (MANs)
Lash, S. 44 McCue, Andy 638 193
lattice structure for databases 313 management accounting departments, MG Rover Group Ltd 558–9
launching of products 494 responsibilities of 466 micro-based marketing 366
Laura Ashley (company) 716 management audits 782, 803 micro level factors affecting companies
layers in OSI reference model management cycle 248–50, 536–99 or individuals 734
207–12 definition of 536 Microsoft Inc. 38, 117, 130, 231,
lean manufacturing 497–8 management information, benefits of 622, 710 –11, 740, 795
leasing 854–5 9 –10 Midcounties Co-operative Society
ledger management software 152–3 management practice controls 410, 400 –1, 493
legal action to recover outstanding 459, 527, 750 –1 Millar, Stuart 38–9
debts 390; see also litigation management-related events 523 Miller-Orr cash management model
Legal and General plc 241 management-related software 151, 553 – 4
Leibniz, Gottfried Wilhelm von 116 155 – 65 Mills, Henry 116
leverage 589–92 manufacturing 496–500 Milmo, Dan 125
Levi Strauss (company) 42 push-based and pull-based 496 – 8 mobile commerce see m-commerce
liabilities management 589–94 world-class 530 mobile phones 639–40
controls on 459 manufacturing companies 242–3 modernity 32–3, 53
liberalism, economic 5, 41, 87, 179, manufacturing resource planning modes of regulation 44
240, 674, 727 software 158–9 Modigliani-Miller theorem
Lightman-White, John 100–3 many-to-many relationships 591–2
Lilley, Peter 627 303 – 4 modular conversion of systems
link layer in TCP/IP reference model mapping between schemas 316 869 –70
212 Marconi, Guglielmo 116 monitoring of control activities
Litan, Avivah 687 marginal costing 514 743 – 4
litigation 895, 897; see also legal market-led capitalism 36, 39–40, monopoly 425
action 44 – 6, 82, 84, 87, 105, 673, 795 Monsoon plc 404
payroll 462–78 pilot conversion of systems 869–70 production order requests 370,
consequences of failure of controls piracy, online 128 373 – 4
475 –6 point-of-service-based electronic production planning and scheduling
departments involved in 464–6 funds transfer 139–40 495, 502
efficiency and effectiveness of cycle portals 617, 629 –30 profession-based services 376–7
474–5 Porteous, Andrew 35 professional employee organisations
procedures 466–71 Porter, B. 777–8 (PEOs) 477–8
provision of information for Porter, M.E. 236–7 profit and loss accounts 311, 781
decision-making purposes position consolidation strategy 885 prospect generation activities 620
473–5 positive feedback 96–7 protocol management controls 765
safeguarding of assets and positivism 786 protocol stacks 207
information 471–3 post-implementation assessments protocol suites 207
payroll budgets 468–9 872–3 protocols
payroll bureau services 476–8 post-invoicing 381 nature and definition of 206–7
payroll deductions 470–1 precautionary principle 674, 677–80 proprietary and generic 207
payroll departments, responsibilities of predictable and unpredictable see also access protocols; network
465 environments 823–4 protocols; prevention protocols;
payroll master files 468–70 preference shares 538 recovery protocols
payroll registers 470 pre-invoicing 381 prototyping 850, 875–7
payroll software 154–5 presentation layer in OSI reference advantages and disadvantages of
peer-to-peer file-sharing, index-based model 211 877
and non-index-based 197–8 prevention protocols 758–9 provision adjustments 596
peer-to-peer networks 194–9 preventive controls 745–6 provision enhancement strategy 885
pension contributions 471 PricewaterhouseCoopers 558, 776–7 proxies 702
percentage rule in variance analysis pricing-related internal controls 587 purchases acquisition 433–4
521 primary files 273–4 purchase ledger management software
performance assessment of employees primary keys 303, 322–3, 337– 8 152–3
474 Printoff (company) 37 purchase orders 436–40, 443
performance criteria, corporate 866 prior information for customers 647 computer-based systems 438, 443
performance data, inaccuracies in prioritisation phase of systems paper-based systems 439, 443
524–5 planning 837–8 single-use or multi-use 439
performance information, Pritchard, Stephen 740 system software for 153
period-based 413, 462, 529 Privacy and Electronic purchase requisition 434–6
performance measurement 519–21 Communications and commitment accounting 436
period-based activity and performance (EC Directive) Regulations computer-based systems 435
information 413, 461–2, 529 (2003) 655–6 paper-based systems 435–6
personal area networks (PANs) 194 problem resolution procedures purchasing as a method of acquisition,
personal characteristics of individuals 892–3 advantages and disadvantages of
736 process costing software 155–6 854
personal data, protection of 256–7 processing controls 411, 460, 528, Putin, Vladimir 41–2
personnel cycle 462 752–3
personnel departments, responsibilities product costing 511 quality control 429
of 465 software for 155–6 The Queen 34
personnel records for employees 468 product development 490–4 questionnaires, use of 841–2; see also
PERT charts 864–5 definition of 490 internal control questionnaires
PEST analysis 33 quality of 522 Quinn, Sandra 407
Peters, G. 12–13 product testing 493
petty cash 456, 556–7 production budgets 501 radical humanism 47
phased conversion of systems 870 production completion documents radical structuralism 47
phishing 689–93, 739 505 radio frequency identification (RFID)
Phoenix Venture Holdings 559 production management 500 technologies 583–6
physical layer in OSI reference model production order cost assessment Railtrack 736
209 reports 505 range checks 280
service provision requests and orders stable environments 823–4 Supply Management (magazine) 431
70–1, 374, 376 Stacey, R. 824 supra-nationality 5
services, acquisition of 433–4, standard costs 519 surveillance, corporate 89
443 –4 star topology 199, 202–3 swaps 543–5
session layer in OSI reference model Starreveld, R.W. 240 switching hubs 188
210–11 star-ring topology 205–6 Symantec 739–40
set constructs 313 star-to-bus topology 205 symmetric key algorithms 703–4
Shanghai Automobile Industry Corp. statements of auditing standards synchronise and stabilise approach to
(SAIC) 558–9 (SASs) 779 systems design 850
shareholder value 237–8 statistical sampling for audit purposes syntactic controls 765
shares 538–9 792 system development and maintenance
issue of 546 statistical significance rule for variance controls 808
Sharman Networks 126 analysis 521 system flowcharts 298
Shell plc 42, 231, 406 statutory audits 780 system requirements 840
Shevchenko, Andriy 463 Sterling, Greg 219 systems
Shingo, Shigeo 498 Stewart, Ian 34 adaptability of 58–9
shopping cart/basket functionality Stiglitz, Joseph E. 42 constraints on 62
631 stock control 791–2 decoupling of 60–1
shopping malls, online 635 stock-counts 578–81 dependence on and trust in 45
sickness records 474 stock management 433, 569–86, multiple and conflicting objectives of
skill-based companies 244 791–2 61
skill-based services 377 costs and risks of 586 nature and definition of 11–12,
skimming of card details 398 internal controls on 581–3 48 –52
Skin Culture (company) 37 models of 571–6 open and closed 50, 58 –9
Skype 126 see also inventory management semi-open and semi-closed 52–5,
small and medium-sized companies stock registers 577–8 58 –9, 86
748 stockholding 570–1 shared and overlapping 59 – 60
smart cards 638 organisational context of static and dynamic 50
Smith, Lewis 716 576 –7 trust in 83–6
social audits 783 physical verification of 578–81 systems analysis 838–45
social change, causes of 36 secure maintenance of 578 reports on 844–5
social construction of systems 11, valuation of 581 systems design 845–52
681, 785 stores issue requests 370–3 data inputs 848
social markets 44 stores records 577–8 data outputs 851
social networks 181–2 strategic planning 473, 833–5 files 849
social systems 52 streaming of media 126–7 function-oriented 845–6
socio-political networks 180 Strebal, P. 822 internal controls on 851–2
soft change 825–6 structured query language see SQL object-oriented 846–7
software development, in-house 857 stub networks 214 physical design phase of 848
source files 273 sub-optimality of systems 62 processing procedures 848–9
space-based companies 243–4 sub-processes 292–3 programs 849–50
Spain 310 substitute products and services systems development (life) cycle
spamming 199 361, 413 830 –2, 874 –5
spiral approach to systems design supplier-managed inventory (SMI) systems development management
850 system 439 827
spreadsheets 163–4 supplier selection systems 428–31, systems failure 756
spyware 198, 713–14 855 – 6 systems implementation conversion
SQL (structured query language) risks in 455 862–71
319, 323–9 suppliers systems planning 833–8
data control in 325–6 contracts with 431 systems reports 844, 871–4
data definition in 326 levels of relationship with 430–1 systems security 754, 760–5
data interrogation in 329 power of 361 systems selection 852–62
data manipulation in 327–9 supply chain failure 524 systems surveys 838–9
systems thinking 45–8, 52–62, 239 Toyota production system 498 Unsolicited Goods Act (1971) 650
application of 53–5 trade marks 494 URLs (uniform resource locators)
benefits and limitations of 73 trade unions 523 131
and the environment 52–3 ‘traditional three-document’ Urry, J. 44
and general systems theory 62, 73 verification process 447 Usenet 130–1
hard and soft 47–8 training programmes 473 user manuals for systems 868
transaction controls 751 user needs and requirements,
Taj-a-jac Ltd 62–73 transaction event documents 595 specification of 876
target costing 517–19 transaction files 273
Taylor, Paul 716 transaction processing cycles 245–8 validation of data files 871
Taylor, Frederick Winslow 497 transaction processing systems validity checks 411
Tayto crisps 559 230–58 value chain 236–7
TCP/IP reference model 212–13 and accounting information systems value cycle 233, 237–9
Teather, David 126 251–5 value-driven approach to business 24
technical services management 828 characteristics of 233–4 value-for-money audits 784, 803
technological innovation 113–14, classification of 239–45 variable costing 514–15
148–65, 760 and control 255–6 variance analysis 519–21
technology, ‘social paradox’ of 113 and the Data Protection Act 256–7 variances in stock-takes 580
technology improvement strategy 885 and the funding cycle 235 Vassen, E. 13, 238, 240
telemetry 640 and the value chain 236–9 Veitch, Martin 891
tendering procedures 429, 861–2 transactional finance, operational VeriSign (company) 120
Tesco plc 241, 244–5, 359, 404, 406, context of 549–50 views of database records, logical and
585, 715 transferable warrants 545–8 physical 315
test data for audit 794, 799–800 Transmission Control Protocol (TCP) violence as a source of risk 682
testing 216 viruses 198, 693, 709–10, 713, 740
of products 493 transmission tests 411 scanning for 706
of systems and sub-systems 868–9 Transparency Directive (EU, 2004) Visa 627
theft 599 Voice-over IP (VoIP) 127–9
of assets 682 Transport for London (TfL) 638 voucher systems 449–50, 470;
of computer hardware and software transport layer see also journal vouchers
696–8 in OSI reference model 210
of information 698–700 in TCP/IP reference model 213 wages and salaries, payment of
of raw materials, work-in-progress transportation scheduling 375–6 469–70
and/or finished products 524 treasury departments, responsibilities Walder, Jay 638
Theremin, Leon 583 of 466, 470 Wal-Mart 585
Theriault, Carole 712 tree topology 199, 205 Ward, Graham 780
Thomas, Daniel 692, 706 trend analysis by auditors 803 warehousing facilities 443
Thomas, Neill 591 tri-channel companies 618 warrants 545–8
Thomson, Iain 626, 687, 693 trojan horses 711–13 ‘Washington consensus’ 41
time-based companies 243–4 ‘true and fair’ assessment 775 waterfall approach to systems design
Time Warner Inc. 85, 231 trust in systems 83–6 850
Timms, Matthew 705–6 twisted-pair cabling 189–90 Watson, James 144
Timms, Stephen 37 Twomey, Paul 121 Watts, Jonathan 623
token-passing networks 206 Wayle, Alun 101–3
Tootill, Geoff 116 UK Online for Business 37–8 wealth maximization 7–8, 99, 106,
topologies 199–206 under-production 522 236, 677, 728, 835–6
bus type 200–1 United Nations Web Accessibility Initiative (WAI)
hybrid 204–5 Children’s Fund (UNICEF) 43 658–9
physical and logical 199 Global Compact 43 Web Content Accessibility Guidelines
ring type 201–2 United States (WCAG) 659
star, tree and mesh types 199, Congress 41, 43 Weber, Max 183
202–5 Supreme Court 126, 735 webpages 131–2
see also network topologies Treasury 41 Websense (company) 739
websites 135–6, 612–16, 619–21, 692 Wood, Charles 63–4 Wright, Bob 128
quality of 615–16 Wood, Paul 693, 710 write-off
weighted average cost of capital Woodley, Tony 558 of bad debts 391–2
(WACC) 591–2 workstations 187, 194, 196 of stock 580–1
Welch, Jack 735 World Bank 40–2 Wyman, Peter 777
Westelle Ltd 100–5 World Summit on the Information
Wheatstone, Charles 116 Society 120–1 XML databases 312
Whitney, Elias 497 World Trade Organisation 41–2
wide area networks 192–3 world wide web (WWW) 131–2, 610 Yahoo! 622
Wilkes, Maurice 116 World Wide Web Consortium (W3C) year-end audits 780
Wilkinson, J.W. 13, 240 658 year-end financial statements 598
Wilson, R.H. 572 world-class manufacturing 530 Yeltsin, Boris 42
Windows XP operating system 740 world-views 24, 55
Winnick, Gary 742 worms 710–11 Zadornov, Mikhail 42
wired connections in networks 189 Worrall, John 626 zaibatsu 736
wireless connections 191–2 worst case scenarios 677 Zennström, Niklas 126
Withers, Steve 712 Wren, D.A. 50 Zworykin, Vladimir Kosma 116