AIS 4103 Notes - Ishtiaq Mainuddin

Uploaded by

A.N. M Muhsin

ACCOUNTING INFORMATION SYSTEMS - 4103

Snippets
Chapter 01: Accounting Information Systems
Chapter 02: Overview of Business Process
Chapter 04: Data Management
Chapter 06: Database Modeling and Applications
Chapter 09: Security for Transaction/Information Processing Support Systems
Chapter 10: Auditing of Information Systems
Chapter 12: The Revenue Cycle
Chapter 13: The Expenditure Cycle
Chapter 14: Systems Development

Chapter 01 – Accounting Information Systems
What is an AIS?
A system is a set of two or more interrelated components that interact to achieve a goal. Systems are
almost always composed of smaller subsystems, each performing a specific function supportive of the
larger system.

An Accounting Information System (AIS) consists of 5 components:


• People
• Procedures
• Data
• Software
• Information technology infrastructure

Why Study AIS?


• In Statement of Financial Accounting Concepts No. 2, the FASB defined accounting as an
information system. It also stated that the primary objective of accounting is to provide
information useful to decision makers.

• The Accounting Education Change Commission recommended that the accounting curriculum
should provide students with a solid understanding of three essential concepts:
1. The use of information in decision making
2. The nature, design, use and implementation of an AIS
3. Financial information reporting

• To understand how the accounting system works, how to collect data about an organization’s
activities and transactions, how to transform that data into information that management can
use to run the organization, how to ensure the availability, reliability, and accuracy of that
information.

• Auditors need to understand the systems that are used to produce a company’s financial
statements.

• Tax professionals need to understand enough about the client’s AIS to be confident that the
information used for tax planning and compliance work is complete and accurate.

• One of the fastest growing types of consulting services entails the design, selection, and
implementation of new Accounting Information Systems.

• A survey conducted by the Institute of Management Accountants (IMA) indicates that work
relating to accounting systems was the single most important activity performed by corporate
accountants.

Information Technology and Corporate Strategy: The same survey conducted by the Institute of
Management Accountants (IMA) also indicates that the second most important job activity of
corporate accountants is long-term strategic planning.
The CITP Designation: Certified Information Technology Professional. It identifies CPAs who
possess a broad range of technological knowledge and the manner in which information technology
(IT) can be used to achieve business objectives. It reflects the AICPA’s recognition of the importance
and interrelationship of IT with accounting.

Ten Most Important Activities Performed by Accountants:


1. Accounting systems and financial reporting
2. Long-term strategic planning
3. Managing the accounting and finance function
4. Internal Consulting
5. Short-term budgeting
6. Financial and economic analyses
7. Process improvement
8. Computer systems and operations
9. Performance evaluation
10. Customer and product profitability analyses

Factors Influencing Design of the AIS: Organizational Culture, Strategy, and IT

The Value Chain


The ultimate goal of any business is to provide value to its customers. A business will be profitable if
the value it creates is greater than the cost of producing its products or services. An organization’s
value chain consists of nine interrelated activities that collectively describe everything it does.
The five primary activities consist of the activities performed in order to create, market, and deliver
products and services to customers and also to provide post-sales services and support:
• Inbound Logistics
• Operations
• Outbound Logistics
• Marketing & Sales
• Service
The four support activities in the value chain make it possible for the primary activities to be
performed efficiently and effectively:
• Infrastructure
• Technology
• Human Resource
• Purchasing

The Value System: The value chain concept can be extended by recognizing that organizations
must interact with suppliers, distributors, and customers. An organization’s value chain and the value
chains of its suppliers, distributors, and customers collectively form a value system.

How an AIS can add Value to an Organization


An AIS adds value,
– by providing accurate and timely information so that five primary value chain activities can
be performed more effectively and efficiently.
– by improving the quality and reducing the costs of products or services.
– by improving efficiency.
– by improving decision making capabilities.
– by increasing the sharing of knowledge.
A well-designed AIS can also help an organization profit by improving the efficiency and effectiveness
of its supply chain.

Information and Decision Making


Information: The term data refers to any and all of the facts that are collected, stored, and processed
by an information system. Information is data that has been organized and processed so that it is
meaningful.

Characteristics of Useful Information:


- Relevant
- Timely
- Reliable
- Complete
- Understandable
- Verifiable

Decision Making involves the following steps:
1. Identify the problem.
2. Select a method for solving the problem.
3. Collect data needed to execute the decision model.
4. Interpret the outputs of the model.
5. Evaluate the merits of each alternative.
6. Choose and execute the preferred solution.

- Structured decisions are repetitive, routine, and understood well enough that they can be
delegated to lower-level employees in the organization. An example is: Extending credit to
customers.
- Semi-structured decisions are characterized by incomplete rules for making the decision and
the need for subjective assessments and judgments to supplement formal data analysis. An
example is: Setting a marketing budget for a new product.
- Unstructured decisions are nonrecurring and nonroutine. An example is: Choosing the cover
for a magazine.

Decision Scope: Decisions vary in terms of the scope of their effect.


• Operational control is concerned with the effective and efficient performance of specific tasks.
• Management control is concerned with the effective and efficient use of resources for
accomplishing organizational objectives.
• Strategic planning is concerned with establishing organizational objectives and policies for
accomplishing those objectives.

What basic requirements are needed to evaluate the costs and benefits of new IT
developments?
– Corporate strategies.
– How IT developments can be used to implement existing organizational strategies.
– How IT developments can be used to create an opportunity to modify existing strategies.

Two Basic Strategies –


• To be a lower-cost producer than competitors
• To differentiate products and services from competitors
Three Basic Strategic Positions –
• Variety-based strategic position
• Need-based strategic position
• Access-based strategic position

What role does the AIS play in helping organizations adopt and maintain a strategic position?
– Data collection about each activity
– Transforming data into information that can be used by management to coordinate those
activities

Chapter 02 – Overview of Business Process
The grand opening of S&S is two weeks away. Scott and Susan recognize that they need qualified accounting
help and have hired a full-time accountant, Ashton Fleming. Ashton is responsible for creating an accounting
information system (AIS).

What questions does Ashton ask himself?


• How am I going to organize things?
• Where do I start?
• What information does S&S need in order to operate effectively?
• How can that information be provided?
• How am I going to collect and process data about all the types of transactions that S&S will engage
in?
• How do I organize all the data that will be collected?
• How should I design the AIS so that the information provided is reliable and accurate?

The Three Basic Functions Performed by an AIS


1. To collect and store data about the organization’s business activities and transactions efficiently and
effectively:
• Capture transaction data on source documents.
• Record transaction data in journals, which present a chronological record of what occurred.
• Post data from journals to ledgers, which sort data by account type.
2. To provide management with information useful for decision making:
• In manual systems, this information is provided in the form of reports that fall into two main
categories:
– Financial Statements
– Managerial Reports
3. To provide adequate internal controls:
• Ensure that the information produced by the system is reliable.
• Ensure that business activities are performed efficiently and in accordance with
management’s objectives.
• Safeguard organizational assets.

Basic Subsystems in the AIS


1. The revenue cycle: involves activities of selling goods or services and collecting payment for those
sales.
2. The expenditure cycle: involves activities of buying and paying for goods or services used by the
organization.
3. The human resources/payroll cycle: involves activities of hiring and paying employees.
4. The production cycle: involves activities converting raw materials and labor into finished goods.
5. The financing cycle: involves activities of obtaining necessary funds to run the organization, repay
creditors, and distribute profits to investors.

The Data Processing Cycle
The data processing cycle consists of four steps:
1. Data input
2. Data storage
3. Data processing
4. Information Output

The trigger for data input is usually business activity. Data must be collected about:
1. Each event of interest
2. The resources affected by each event
3. The agents who participate in each event
Historically, most businesses used paper source documents to collect data and then transferred that data into a
computer. Today, most data are recorded directly through data entry screens.

Control over data collection is improved by:


• Prenumbering each source document and using turnaround documents.
• Having the system automatically assign a sequential number to each new transaction.
• Employing source data automation.
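
The prenumbering and sequential-numbering controls above only help if someone checks the sequence. The following added example (not part of the original notes) scans a constructed list of document numbers for gaps and duplicates; the document types, numbers, and the function name check_sequences are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: (document type, prenumbered document number).
SAMPLE_DOCUMENTS = [
    ("sales_order", 201), ("sales_order", 202), ("sales_order", 204),
    ("sales_order", 204), ("sales_order", 206),
    ("purchase_order", 5001), ("purchase_order", 5002), ("purchase_order", 5003),
]


def check_sequences(documents):
    """Report missing and duplicated numbers for each document type.

    Each type is checked independently between its lowest and highest
    observed number, so a document missing from the very start or end of a
    range is not detected here; that requires knowing the issued range.
    """
    by_type = defaultdict(list)
    for doc_type, number in documents:
        by_type[doc_type].append(number)

    report = {}
    for doc_type, numbers in by_type.items():
        counts = Counter(numbers)
        expected = range(min(numbers), max(numbers) + 1)
        report[doc_type] = {
            # A gap suggests a lost, withheld, or unrecorded document.
            "missing": [n for n in expected if n not in counts],
            # A duplicate suggests a double entry or a reused form.
            "duplicates": sorted(n for n, c in counts.items() if c > 1),
        }
    return report


if __name__ == "__main__":
    for doc_type, findings in check_sequences(SAMPLE_DOCUMENTS).items():
        print(doc_type, findings)
```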

Common Source Documents and Functions


REVENUE CYCLE
Source Document         Function
Sales order             Take customer order.
Delivery ticket         Deliver or ship order.
Remittance advice       Receive cash.
Deposit slip            Deposit cash receipts.
Credit memo             Adjust customer accounts.

EXPENDITURE CYCLE
Source Document         Function
Purchase requisition    Request items.
Purchase order          Order items.
Receiving report        Receive items.
Check                   Pay for items.

HUMAN RESOURCES CYCLE
Source Document         Function
W4 forms                Collect employee withholding data.
Time cards              Record time worked by employees.
Job time tickets        Record time spent on specific jobs.

GENERAL LEDGER AND REPORTING SYSTEM
Source Document         Function
Journal voucher         Record entry posted to general ledger.

Data Processing Cycle


1. Data Processing
• Batch processing is the periodic updating of the data stored about resources and agents.
• On-line, real-time processing is the immediate updating as each transaction occurs.
2. Data Storage
• An entity is something about which information is stored.
• Each entity has attributes or characteristics of interest, which need to be stored.

Record Transaction Data in Journals


• After transaction data have been captured on source documents, the next step is to record the data in a
journal.
• A journal entry is made for each transaction showing the accounts and amounts to be debited and
credited.
• The general journal records infrequent or nonroutine transactions.
• Specialized journals simplify the process of recording large numbers of repetitive transactions.

The four most common types of transactions:


1. Credit sales
2. Cash receipts
3. Purchases on account
4. Cash disbursements

Record Transaction Data in Journals
Sales Journal
Date     Invoice Number   Account Debited   Account Number   Post Ref.   Amount
Dec. 1   201              Lee Co.           120-122          3           800.00
Dec. 1   202              May Co.           120-033          3           700.00
Dec. 1   203              DLK Co.           120-111          3           900.00
TOTAL:                                                                   2,400.00
                                                                         120/502

Post Transactions to Ledgers


• Ledgers are used to summarize the financial status, including the current balance, of individual
accounts.
• The general ledger contains summary-level data for every asset, liability, equity, revenue, and expense
account of an organization.
• A subsidiary ledger records all the detailed data for any general ledger account that has many
individual subaccounts.
• What are some commonly used subsidiary ledgers?
– accounts receivable
– inventory
– accounts payable
• What is the general ledger account corresponding to a subsidiary ledger called?
– control account

A control account contains the total amount for all individual accounts in the subsidiary ledger.

Chart of Accounts: The chart of accounts is a list of all general ledger accounts used by an organization. It
is important that the chart of accounts contains sufficient detail to meet the information needs of the
organization.

Providing Information for Decision Making


The second function of the AIS is to provide management with information useful for decision making. The
information an AIS provides falls into two main categories:

1. Financial Statements
• Prepare a trial balance.

• Make adjusting entries.

• Prepare the adjusted trial balance.

• Produce the income statement.

• Make closing entries.

• Produce the balance sheet.

• Prepare the statement of cash flows.

2. Managerial Reports: The AIS must also be able to provide managers with detailed operational
information about the organization’s performance. Two important types of managerial reports are
budget and performance reports.
• Budget: A budget is the formal expression of goals in financial terms. One of the most
common types of budget is a cash budget.
• Performance Report: A performance report lists the budgeted and actual amounts of
revenues and expenses and also shows the variances, or differences, between these two
amounts.

Internal Control Considerations: The third function of an AIS is to provide adequate internal
controls to accomplish three basic objectives:

• Ensure that the information is reliable.


• Ensure that business activities are performed efficiently.
• Safeguard organizational assets.

What are two important methods for accomplishing these objectives?
1. Provide for adequate documentation of all business activities.
2. Design the AIS for effective segregation of duties.

Adequate Documentation
Documentation allows management to verify that assigned responsibilities were completed correctly. What
did Ashton encounter while working as an auditor that gave him a firsthand glimpse of the types of
problems that can arise from inadequate documentation?
– Failure to bill for repair work

Segregation of duties refers to dividing responsibility for different portions of a transaction among several
people.

What functions should be performed by different people?


– Authorizing transactions
– Recording transactions
– Maintaining custody of assets
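
Segregation of duties can be tested against the system's own activity records. The following added example (not part of the original notes) flags any transaction where one person performed more than one of the three functions listed above, and any transaction missing a function; the event layout, user names, transaction IDs, and the function name find_sod_violations are assumptions made for illustration.

```python
from collections import defaultdict

# The three functions the notes say should be performed by different people.
INCOMPATIBLE_FUNCTIONS = {"authorize", "record", "custody"}

# Constructed sample log: (transaction id, function performed, user).
SAMPLE_EVENTS = [
    ("PO-1001", "authorize", "alice"),
    ("PO-1001", "record", "bob"),
    ("PO-1001", "custody", "carol"),
    ("PO-1002", "authorize", "dave"),
    ("PO-1002", "record", "dave"),      # same person authorizes and records
    ("PO-1002", "custody", "carol"),
    ("PO-1003", "authorize", "alice"),
    ("PO-1003", "custody", "erin"),     # no recording step was logged
]


def find_sod_violations(events):
    """Return (conflicts, incomplete) for a list of activity events.

    conflicts:  sorted list of (transaction, user, functions) where one user
                performed two or more incompatible functions on a transaction.
    incomplete: {transaction: [functions never logged]} for transactions that
                lack one of the three functions, which is itself a
                documentation gap worth investigating.
    """
    functions_by_actor = defaultdict(set)
    functions_by_txn = defaultdict(set)
    for txn, function, user in events:
        if function not in INCOMPATIBLE_FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on {txn}")
        functions_by_actor[(txn, user)].add(function)
        functions_by_txn[txn].add(function)

    conflicts = sorted(
        (txn, user, tuple(sorted(funcs)))
        for (txn, user), funcs in functions_by_actor.items()
        if len(funcs) > 1
    )
    incomplete = {
        txn: sorted(INCOMPATIBLE_FUNCTIONS - funcs)
        for txn, funcs in functions_by_txn.items()
        if funcs != INCOMPATIBLE_FUNCTIONS
    }
    return conflicts, incomplete


if __name__ == "__main__":
    conflicts, incomplete = find_sod_violations(SAMPLE_EVENTS)
    print("conflicts:", conflicts)
    print("incomplete:", incomplete)
```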

Chapter 04 – Data Management
Data: Data may be defined broadly to include two interrelated components:
1. Data Models that provide structure to data
• File Orientation
• Data-base Orientation
2. Data values

A firm’s data resource involves four major functions:


• Record & Repository Creation
• Repository Maintenance through additions and updates
• Data Retrieval
• Data Archival and Removal

Entities
An Entity is an object, person, or event about which a firm wants to collect and maintain data. The
characteristics of entities are called Attributes. Each attribute stored in the system is a Data Element.

There is usually a one-to-one correspondence between attributes and data elements. A broadly defined attribute
may have several specific attributes and therefore several data elements, e.g., Shipping Address: Street
Address, City, State, Zip Code, Country, etc.

Data Models

Data Elements
• Every recorded attribute of an entity is a data element
• Field Length: This is the number of contiguous positions required to store a data element
• Data Type: Character, Numeric, Date, Raw, Data Value

Some Specifics

File Records

File Classifications (Master Files)


Master files: These contain (semi) permanent data (records) pertaining to entities (people, places, and things).
Accounting related examples include:

General and Subsidiary ledgers


• General ledger master file
• Customer/Accounts Receivable master file
• Vendor/Accounts Payable master file
• Inventory master file
• Employee/Payroll master file
• Open WIP master file
• Standard cost master file

Transaction files: These contain records pertaining to events currently being processed, such as sales, receipts
of goods, etc. Transaction files capture detailed transaction data. They are counterparts to general and special
journals in manual systems. Transaction data are periodically posted to related master file(s) and are then either
purged or archived.
Accounting related transaction files include:

• General/Special journal file (General ledger)


• Sales/Cash receipts file (Accounts receivable)
• Receiving/Purchases file, Cash disbursements file (Inventory, Accounts payable)
• Inventory issuance file/shipment file/sales file/adjustments file (Inventory)
• Payroll/Cash disbursements (Payroll)

Reference files: These contain tables or lists of data needed for making calculations or for checking the
accuracy of input data. e.g., product price tables, customer lists, etc.

History files: These are also called archive files since they contain records pertaining to completed
transactions such as past sales

Open files: These record incomplete transactions. Whereas transaction files are purged or archived at the end
of a given period, open files remain indefinitely open. Only individual records from Open files get purged as
the transaction actually occurs or does not. e.g., Open sales order file – Sales transaction file

Report files: These are derived from records within master or transaction files. e.g., data may be periodically
extracted from the Accounts Receivable master file to construct an aging schedule

Backup file: This is a copy of a current file generated so that the original file can be recreated from it.
Suspense file: This is a collection of those records of a transaction file that appear to contain erroneous or
questionable data.

Record-Key
Record keys: These are data elements within records that serve as sort keys. e.g., customer-account number.
Two types of keys often used in master and transaction file records are a primary key and one or more secondary
keys.

• A Primary key (also called a record key) is the attribute that uniquely identifies a specific record. They
are usually of numeric or alphanumeric modes, e.g., customer number.
• A Secondary key is an attribute other than the primary key and represents an alternative way to sort or
access records in a file, e.g., customer last name.

Flags
Flags are symbols or characters used for control purposes, e.g., an end-of-batch flag. Flags are not visible to
the end-user. A flag is a system-managed field that is transparent to the user.

Logical View Versus Physical Storage of Records


• File structure pertains either to “logical” file structures or to “physical” file structures.
• The logical file structure defines the user’s perspective of a file. For example, each logical record in a
computerized customer master file pertains to a particular customer.
• Data contained in logical records must necessarily be physically mapped onto storage media.
• File organization refers to the methods by which data in logical records are stored on physical storage
media.
• Files stored on physical media are seen as a collection of physical records.
• Sometimes there may be a one-to-one correspondence between logical and physical records (unusual).
• Sometimes a logical record may occupy more than one physical record - typically on magnetic disks.
• Sometimes two or more logical records may occupy one physical record - typically on magnetic tape.

Design Considerations for Records & Files


Managing files and records requires answering questions such as: How should the records be structured?
What type of file organization and access method (e.g., sequential, indexed sequential, random) should be used?
How long should records be retained?
The answers to the above questions also depend in part on the requirements of the application being designed.
These requirements, in turn, are affected by issues such as:

• Storage requirements
• Efficiency in file maintenance
• Accessibility of stored data

Establishing Record Structures
The structure of a record is defined by its content, arrangement, modes of data fields, lengths of data fields and
keys. Generally, the primary keys are placed to occupy the first fields of the records. Also, generally balance
amounts or amounts of transactions are placed in the last fields. Transaction records are usually arranged
somewhat in accordance with the placement of the elements on the source documents (e.g., sales invoices). The
modes and lengths of the fields depend on the nature of data placed therein, while the keys are expressed as
codes. An important design issue is the extent to which records should be consolidated. This issue is especially
important in relational database normalizations and table designs.

File-Oriented Approach to Data Storage


• In the file-oriented approach to data storage computer applications maintain their own set of files.
• This traditional approach focuses on individual applications, each of which has a limited number
of users, who view the data as being “owned” by them.

Deficiencies of the File-Oriented Approach


• Files and data elements used in more than one application must be duplicated, which results in data
redundancy.
• As a result of redundancy, the characteristics of data elements and their values are likely to be
inconsistent.
• Outputs usually consist of preprogrammed reports instead of ad-hoc queries provided upon request.
This results in inaccessibility of data.
• Changes to current file-oriented applications cannot be made easily, nor can new developments be
quickly realized, which results in inflexibility.
• It is difficult to represent complex objects using file processing systems.

The Database Approach to Data Storage


A database is a set of computer files that minimizes data redundancy and is accessed by one or more application
programs for data processing. The database approach to data storage applies whenever a database is established
to serve two or more applications, organizational units, or types of users. A database management system
(DBMS) is a computer program that enables users to create, modify, and utilize database information efficiently.

Documenting Data in Data-Base Systems


The Conceptual Data Model is the logical grouping of data on entities. Two common Conceptual Data
Modeling techniques are:
1. The Data Dictionary
2. Entity-Relationship Diagrams

Data Dictionary: A data dictionary is a computer file that maintains descriptive information about the items
in a database. Each computer record of the data dictionary contains information about a single data item used
in an AIS. Examples of information that might be stored in a data dictionary are source document(s) used to
create the data item, programs that update the data item and classification information about the item’s length
and data type.

Entity-Relationship Diagram
• The Entity-Relationship Model is a high-level conceptual data model that specifies the data base
structure independent of any specific DBMS (hierarchical, network, relational, object-oriented).
• It is only after completing the E-R model that a particular DBMS is selected. Then the high-level model
is mapped into schemas using the DDL provided by a given DBMS.
• In order to arrive at a specific E-R model, one must select the entities first, and then define the
relationship between them (cardinalities: one-to-one, one-to-many, many-to-many)
• Rectangle=Entity
• Diamond=Relationship
• Line=Links: attribute to entity, entity to relationship, attribute to relationship
• Sometimes we use ellipses to represent specific attributes of entities, e.g., customer_#,
student_last_name, etc.
• To go from the ER model to a specific conceptual data model (hierarchical, network, relational, object-
oriented), we typically assign attributes to the entities and relationships so as to obtain fully specified
pointers (hierarchical & network), and normalized tables (relational).

Advantages of the Database Approach


1. Efficient use of computerized storage space
2. Each subsystem has access to the other’s information
3. All application programs utilize the same computer files, thereby simplifying operations
4. Fewer backup files for security purposes
5. Relieves some users from data-gathering responsibilities in situations where these users previously
gathered their own data

Disadvantages of the Database Approach


1. Databases can be expensive to implement because of hardware and software costs.
2. Additional software, storage, and network resources must be used
3. A DBMS can only run in certain operating environments, which makes some unsuitable
for certain alternate hardware/operating system configurations
4. Because it is radically different from the file-oriented approach, the database approach may cause
initial inertia, or complications and resistance

Data-Flow Diagrams
A data-flow diagram shows the physical and logical flows of data through a transaction processing system
without regard to the time period when each occur. Physical devices that transform data are not used in the
logical diagrams. Because of the simplified focus, only four symbols are needed:
1. A square represents an external data source or data destination. The latter is also called a sink
2. A circle (or bubble) indicates an entity or a process that changes or transforms data
• A bubble can either be an internal entity in a physical DFD or a process in a logical DFD
3. An open-ended rectangle or a set of parallel lines represents a store or repository of data
• The file may represent a view or a portion of a larger entity-wide data base
4. A line with an arrow indicates the direction of the flow of data

Physical DFDs
- A Physical DFD documents the physical structure of an existing system. It answers questions such as
where an entity works, how an entity works, and by whom the work is done.
- Given the very “physical” focus of a physical DFD, it changes whenever the entities, the technology used
to implement the system, etc., change.
- Physical DFDs have no lower levels
• This limitation makes physical DFDs cumbersome to work with, and usually of limited value

Logical DFDs
Logical Data flow diagrams are usually drawn in levels that include increasing amounts of detail. A top level
(or high-level) DFD that provides an overall picture of an application or system is called a context diagram.
A context diagram is then decomposed, or broken down, into successively lower levels of detail

Logical Data flow diagrams document the processes in an existing or proposed system (What tasks). Because
the logic of a system changes infrequently, relative to its physical nature, a logical DFD will remain relatively
constant over time. Logical Data flow diagrams typically have levels below the level-0 diagram.

The Hierarchy of Data Flow Diagrams

[Figure: The Context Diagram branches into a Physical DFD (no lower levels) and a Level-0 logical DFD (lower levels possible). The Level-0 logical DFD is followed by Level 1 diagram(s), then Level 2 diagram(s), etc.]

Chapter 06 – Database Modeling and Applications
We use the term Data Base to mean the collected data sets that are organized and stored as an integral part of
a firm’s computer-based information systems. Data Sets are flexible data structures that include groupings of
data that are logically related.

The Database Approach to Data Storage


A Database is a set of computer files that minimizes data redundancy and is accessed by one or more application
programs for data processing. The database approach to data storage applies whenever a database is established
to serve two or more applications, organizational units, or types of users. A Database Management System
(DBMS) is a computer program that enables users to create, modify, and utilize database information efficiently.

Characteristics of the Database Approach


1. Data Independence: The separation of the data from the various application programs and other
accesses by users.
2. Data Standardization: Data elements within a database have standard definitions, thus stored data are
compatible with every application program that accesses the data.
3. One-Time Data Entry and Storage: Individual data values are entered into the database only once;
consequently, redundancy is reduced and inconsistencies between data elements are eliminated.
4. Data Integration: Data sets integrate the data, which enables all affected data sets to be updated
simultaneously.
5. Shared Data Ownership: All data within a database are owned in common by the users. The portion
of the database that is of interest to each user is known as the sub-schema.
6. Centralized Data Management: The database management system stands guard over the database and
presents the logical view to users and application programs.

Program-Data Independence

[Figure: Application Program A and Application Program B access the Database through the Database Management System.]

Iterative Phases in Database Development
Planning
• Cost-benefit Analysis
• Effective usage Analysis

Analysis
• Enterprise Diagram
• User Requirements
• Data requirements
– Firm’s operations and relationships
• Development of logical design
– Expected output requirements
– Inputs
– Processes
– Appropriate Conceptual Model
– Data Modeling through Entity-Relationship Diagrams
• Specification of logical view(s)
• Designation of Primary and Secondary keys
• Development of Data Dictionary

Detailed Design
Technical Specifications
- Report Layouts
- Data Flows
- Screen Layouts
- DBMS Selection
• Data Definition Language (DDL)
• Data Manipulation language (DML)
• Query language [Structured Query Language (SQL) and/or Query by Example (QBE)]
• Data-base Control System (DBCS)
Database Management Systems
• Many DBMS packages allow users to:
• Analyze Data
• Prepare ad hoc or customized Reports
• Create and Display Graphs
• Create Customized Applications via Programming Languages
• Import and Export Data
• Perform On-line Editing
• Purge or Archive Obsolete Data
• Backup data
• Maintain Security Measures
• Interface with Communication Networks

Post-Design Phases
Implementation
Testing: Unit Testing, System Testing, User Acceptance Test
Maintenance

Entity-Relationship Model
- Relative to the detailed nature of Record layouts and data dictionaries, Entity-Relationship (E-R)
Models provide a broader and more conceptual view of the firm’s data.
- A Data Model documents the key entities in a firm and the relationships or associations among those
entities.
- An Entity is an object that exists and is identifiable, e.g., an agent, an event, or a resource.

Entity-Relationship Model Conventions


- Rectangles represent entities and diamonds represent relationships.
- Each rectangle is usually denoted by the attributes of the entity.
- E-R Diagrams can easily model the information needs of the entire enterprise, of segments of the
enterprise such as divisions or departments, and even detailed data issues such as data
repositories (records and/or tables).

Database Relationships
In a database, relationships occur among data elements for two reasons:
- Because of the nature of the elements themselves. e.g., the relationship between a customer no. and a
customer name.
- Because of the need to retrieve information from a database in some prescribed manner. e.g.,
customers and invoices.

Kinds of Relationships
• No relationship. e.g., student numbers and physical plant codes
• One-to-one relationship. This occurs least frequently, e.g., reference no. to course description;
product no. to product description; customer no. to customer name
• Directed relationships - 2 views:
- One-to-many relationship. e.g., advisor to students, customer to invoices
- Many-to-one relationship. e.g., invoice lines to invoice
• Many-to-many relationship. e.g., students to courses, customers to products

Relational Databases
In a relational database, data are perceived by users to be structured in the form of simple flat files or tables.
Each table consists of records that comprise a key and associated data elements. To qualify as
a relational database, a system must do the following:
• Present data to users as tables only
• Support the relational algebra functions of Restrict (Select), Project, and Join without requiring any
definitions of access paths to support these operations

Relational Algebra Functions in a Relational Database – Select
Select (Restrict): This function produces a new table with only rows from a single source table whose
columns meet prescribed conditions, e.g., Customer_Name=Adam Smith; DOB=2/29/64; Legal
Residence=California, etc.

Relational Algebra Functions in a Relational Database – Project


Project: This function produces a new table with only some columns from a single source table, e.g., Project
the Student table on Student_Name and Student_Major.

Relational Algebra Functions in a Relational Database - Select & Project


• The combination of Select and Project produces a new table with both fewer columns and rows
than the original table. e.g., Project on Student_Name and Student_Major where Student_Major
= Latin

Relational Algebra Functions in a Relational Database – Join
• The Join function produces a new table from two or more source tables that have at least one common
column.
• The new table is wider than either of the two source tables because it contains all the columns from
both source tables.

Query Languages for a Relational Database


• Structured Query Language (SQL)
- SELECT CLIENT_NO, CLIENT_NAME, PROJECT_NAME
- FROM PROJ.TABL
- WHERE CLIENT_NO = 531
• Query-by-Example (QBE): Use of Dynasets
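
The Select, Project and Join functions described above, run as SQL against an in-memory SQLite database (an added example, not part of the original notes). Student_Name and Student_Major come from the notes; the Advisor table, the other column names and all rows are constructed for illustration.

```python
import sqlite3

# Constructed sample rows (assumptions, not from the notes).
STUDENTS = [
    (1, "Ana Ruiz", "Latin", 10),
    (2, "Ben Cole", "History", 11),
    (3, "Cy Dunn", "Latin", 11),
]
ADVISORS = [(10, "Dr. Hale"), (11, "Dr. Ito")]


def build_db():
    """Create the two source tables in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Student (Student_No INTEGER PRIMARY KEY, "
               "Student_Name TEXT, Student_Major TEXT, Advisor_No INTEGER)")
    db.execute("CREATE TABLE Advisor (Advisor_No INTEGER PRIMARY KEY, "
               "Advisor_Name TEXT)")
    db.executemany("INSERT INTO Student VALUES (?, ?, ?, ?)", STUDENTS)
    db.executemany("INSERT INTO Advisor VALUES (?, ?)", ADVISORS)
    return db


def select_rows(db, major):
    """Select (Restrict): every column, only the rows meeting the condition.
    The value is bound as a parameter rather than pasted into the SQL text."""
    return db.execute(
        "SELECT * FROM Student WHERE Student_Major = ? ORDER BY Student_No",
        (major,)).fetchall()


def project_columns(db):
    """Project: every row, only some of the columns."""
    return db.execute(
        "SELECT Student_Name, Student_Major FROM Student "
        "ORDER BY Student_No").fetchall()


def select_and_project(db, major):
    """Select & Project: fewer rows and fewer columns than the source table."""
    return db.execute(
        "SELECT Student_Name, Student_Major FROM Student "
        "WHERE Student_Major = ? ORDER BY Student_No", (major,)).fetchall()


def join_tables(db):
    """Join: rows of both tables matched on the common column Advisor_No.
    The result carries all columns of both source tables."""
    cur = db.execute(
        "SELECT * FROM Student JOIN Advisor "
        "ON Student.Advisor_No = Advisor.Advisor_No ORDER BY Student_No")
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()


if __name__ == "__main__":
    db = build_db()
    print(select_rows(db, "Latin"))
    print(project_columns(db))
    print(select_and_project(db, "Latin"))
    print(join_tables(db))
```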

Relational Databases: Advantages & Disadvantages

Hierarchical Database Structure


• The hierarchical data structure (or tree structure) expresses hierarchical relationships among
stored data.
• The root node is at the top and for any two adjacent records, the elder or higher-level record is
called the parent record.
• The younger or lower-level record is called the child record and any two records on the same
level are called sibling records

The Network Structure
• Like the Tree structure, the Network structure establishes explicit access paths or links among
data nodes
• Unlike the Tree Structure, however, the Network structure:
- Allows any data node to be linked to any other node
- Permits entry at more points than a single root node
- Requires at least one subordinate data node to have two or more owner nodes
• The network data structure handles complex relationships among records by linking related
records together with “pointer fields”
• Pointer fields are embedded in each record and contain disk addresses of related records
• The pointers maintain the data relationships, thereby enabling an AIS to prepare familiar
reports

Network Conceptual Model


• In this model there is no distinct data hierarchy. This enables network models to handle all
types of relationships
• Along with this ability, though, comes high inherent complexity
• Simple networks contain one-to-many relationships
• Complex networks contain many-to-many relationships. Usually these are reduced to
numerous one-to-many relationships through intersection records
• Pointers are also used to link data elements in network models.
• Micro-computer-based network models are uncommon. These are more common in large
mainframe environments.

Object-Oriented Database Structure
• The object-oriented database (OODB) is a new type of database that stores objects with (non-
textual) information in them.
• These unstructured objects may be graphic images, still photographs, animated visuals, music
and speeches.
• Objects are grouped into object classes, with each member of the class having the same set of
attributes, which can be manipulated.
• Object Classes feature class hierarchies.
• Super-classes are at the top of the hierarchies, with classes and sub-classes linked below.
• Movement within class hierarchies is downward from super-class to class to subclass.
• Classes may also form sidewise associations, e.g., association of university person with
university; faculty with academic dept.

Characteristics of Objects

Object-Oriented Database Structure
OODBs feature:
• Encapsulation: Storing procedures or operations, called methods, with the data to which the
methods relate.
• This brings together the data attributes and operations pertaining to objects and object classes.
• Because of encapsulation, the application programs that access the database can be greatly
simplified, thereby reducing programming errors.
• Inheritance: This allows subclasses to inherit methods and/or data from higher classes within
a class hierarchy.
• The major advantage of inheritance is that programmed instructions (objects) are reusable.
• Libraries of commonly used objects (programs) can be maintained.
• These standardized programs (fully pre-tested and applied) can greatly reduce
reprogramming efforts.

Chapter 09 – Security for Transaction/Information Processing Support Systems

Security for Transaction Processing Systems


• Every firm must define, identify, and isolate frequently occurring hazards that threaten its hardware,
software, data, and human resources.
• Security measures provide day-to-day protection of computer facilities and other physical facilities,
maintain the integrity and privacy of data files, and avoid serious damage or losses.
• Security measures include those that protect physical non-computer resources, computer hardware
facilities, and data/information

Key Issues for Security


• Protection from unauthorized access
• Protection from disasters
• Protection from breakdowns and interruptions
• Protection from undetected access
• Protection from loss or improper alteration
• Recovery and reconstruction of lost data
• Establish a system to monitor the above

Resources in Need of Security Measures

Security for Physical Non-Computer Resources


Access controls, which restrict entry by unauthorized persons, generally to prevent theft or vandalism,
include security guards, fenced-in areas, reception areas, grounds lighting, burglar and fire exit alarms, motion
detector alarms, locked doors, closed-circuit TV monitors, safes, locked cash registers, locked file cabinets, lock
boxes, non-removable property labels, close supervision of employees, etc.

• Sprinkler systems and fireproof vaults can protect against natural disasters.

• Preventive maintenance can protect against breakdowns and business interruptions.

• Maintaining a corporate-wide security program and developing a written security policy, appointing a
security administrator, and making security a part of the internal audit function can accomplish
control objectives in an efficient and effective manner.

Security for Computer Hardware Facilities


• Physical access should be restricted by the use of security guards, receptionists, electronic ID cards,
surveillance cameras, motion detectors, locked doors, alarms, log-in, log-out, and escorts of all visitors.

• To protect against natural disasters, the computer facilities should be environmentally controlled, fire-
proofed (non-Halon-based fire extinguishers), and should include an uninterruptible power supply.

• Other precautions include constructing water-proof floors, walls, and ceilings, water drainage facilities,
under-floor water detectors, water pumps, and terrain considerations.

• To protect against human violence such as vandalism, rioting, sabotage, etc., computers should be
placed in inconspicuous locations, equipped with antimagnetic tape storage, and guarded with strict
employee conduct policies

• A Disaster Contingency and Recovery Plan:


– identifies all potential threats to the computer system
– specifies the needed preventive security measures
– outlines the steps to be taken if each type of disaster actually strikes

Security over Data and Information


The data/information resource includes (1) data stored in on-line or off-line files and databases, (2) application
programs, and (3) information, both in hard-copy reports and in computer format.
Security measures provide protection against unauthorized access to data and information, undetected
access to data and information, and loss or improper alteration of data and information.
The measures providing these protections are generally preventive and detective in nature.

Protection from Unauthorized Access to Data and Information
• Unauthorized access issues encompass questions of all access, and perhaps more importantly, questions
regarding the degree of access for persons with some level of existing or allowable access.
• Data and information that are confidential or critical to a firm’s operations should be physically isolated
to discourage unauthorized access. Isolation includes:
– secured off-line and online program documentation
– secured storage of hard copies
– separate user partitions of direct-access storage media
– database data dictionary always under the control of the DBA
– live program isolation in memory through multiprogramming

• All attempts to access the computer system and all authorized access should be monitored so that
unwarranted activity can be investigated and halted.
• The principle of Least Privilege Access, applied through Access Control Logs, Console Logs and Access
Control Software (Passwords), facilitates the monitoring process.
• Passwords are often tiered and coupled with other identifiers for access to critical applications. These
other identifiers include the hand-shaking method, and the math method.

Three-Level Password Security

[Figure: User Codes, File Access, Data Item Access, Data Base]

Protection from Unauthorized Access to Data and Information
• Automatic log-outs and lockups
• Callback procedures
• Keyboard & Floppy-disk drive locks
• Employing automatic boot and start-up procedures
• Usage limitations through device authorization tables
• Use of encryption: Private key (including PGP) & Public key (RSA Public key encryption
scheme)
*PGP=Pretty Good Privacy
*RSA: Ron Rivest, Adi Shamir, Leonard Adleman

Protection from Undetected Access to Data and Information


Access logs, Console logs, Access control software, Access Control Facility 2, Resource Access Control
Facility, System and Program change logs monitor changes to programs, files, and controls.

Protection from Loss or Improper Alteration of Data and Information


• A Library Log will track the movement of files, programs and documentation, while a
Transaction Log records individual transactions as they are entered into on-line systems.
• Tape File Protection Rings for magnetic tape, Write-Protect Rings for diskettes, and File Labels
(both internal and external) for tape (including internal header labels and internal trailer labels)
or disk can prevent the loss or alteration of data and information.
• ROM-based program instructions.
• Enforced serialized processing.

Recovery and Reconstruction of Lost Data


• All companies should back up their vital documents, files and programs and establish a
recovery procedure to recreate lost data or programs.
• These include: the GPC (the process formerly known as GFS) method for large tape-based
systems; a periodic dump procedure for disk-based systems (disk-based systems engage in
destructive updates, and hence do not lend themselves to the GPC process); and activity logs
showing data element values before and after changes.
*GPC: Grandparent, Parent, Child
*GFS: Grandfather, Father, Son

• Reconstruction involves the Roll-Forward procedure (inclusive of the last dump and images from the
activity log and transaction log), the Roll-Back procedure, the use of Checkpoints, and building in Fault
Tolerance through methods such as Disk Mirroring and Disk Duplexing.
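
The Roll-Forward and Roll-Back procedures above, worked through on an activity log that carries before and after images (an added example, not part of the original notes). The log layout, the COMMIT marker, the account keys and all values are assumptions constructed for illustration.

```python
# Constructed sample data: balances at the last periodic dump, and the
# activity log written since then (before and after image per change).
LAST_DUMP = {"AR-1001": 500, "AR-1002": 250}
ACTIVITY_LOG = [
    {"txn": "T1", "op": "UPDATE", "key": "AR-1001", "before": 500, "after": 350},
    {"txn": "T1", "op": "COMMIT"},
    {"txn": "T2", "op": "UPDATE", "key": "AR-1002", "before": 250, "after": 400},
    {"txn": "T2", "op": "COMMIT"},
    {"txn": "T3", "op": "UPDATE", "key": "AR-1001", "before": 350, "after": 0},
    # The system fails here: T3 was never committed.
]


def committed(log):
    """Transactions that reached their COMMIT marker."""
    return {e["txn"] for e in log if e["op"] == "COMMIT"}


def roll_forward(dump, log):
    """Recreate lost data: start from the last dump and reapply the after
    images of every committed transaction, in log order."""
    done = committed(log)
    state = dict(dump)  # work on a copy, never on the backup itself
    for e in log:
        if e["op"] != "UPDATE" or e["txn"] not in done:
            continue
        # The before image must match what we hold; a mismatch means the
        # dump and the log do not belong together or one was altered.
        if state.get(e["key"]) != e["before"]:
            raise ValueError(f"before image mismatch on {e['key']} in {e['txn']}")
        state[e["key"]] = e["after"]
    return state


def roll_back(current, log):
    """Undo incomplete work: restore the before images of uncommitted
    transactions, newest change first."""
    done = committed(log)
    state = dict(current)
    for e in reversed(log):
        if e["op"] != "UPDATE" or e["txn"] in done:
            continue
        if state.get(e["key"]) != e["after"]:
            raise ValueError(f"after image mismatch on {e['key']} in {e['txn']}")
        state[e["key"]] = e["before"]
    return state


if __name__ == "__main__":
    # Disk lost: rebuild from the dump plus the log.
    print(roll_forward(LAST_DUMP, ACTIVITY_LOG))
    # Disk intact but T3 half-applied: back the partial update out.
    print(roll_back({"AR-1001": 0, "AR-1002": 400}, ACTIVITY_LOG))
```

Both procedures arrive at the same consistent state; which one is used depends on whether the live files survived the failure.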

Disaster Contingency and Recovery Planning
– The Emergency Plan
✓ Prepare organization chart.
✓ Determine disasters that trigger the entire DCRP or just parts of it. Conduct a risk analysis.
✓ Determine responsibilities for contacting police, fire, and other agencies.
✓ Determine personnel to remain at headquarters to perform vital duties.
✓ Prepare maps of primary and secondary evacuation routes and post these throughout the
organization.
✓ Develop a method for communicating the “all clear” signal.

– The Backup Plan


✓ Store duplicates of vital software, data, and records in off-premise (and if possible, geographically
distant) locations.
✓ Identify key critical and non-critical full-time and part-time employees and temporary hires.
✓ Cross-train employees.
✓ Select the most appropriate type of backup system: manual backup system, reciprocal arrangements
with other firms, third-party agreements with data-processing service bureaus, cold sites, hot sites,
co-operative hot sites, flying hot sites etc.

– The Recovery Plan


✓ Appoint a recovery manager and second-in-command
✓ Select an off-site facility to store backups and periodically inspect the facility
✓ Maintain liaison with insurance firms to facilitate early assessment of damage
✓ Maintain communication with customers and vendors
✓ Establish a time-table for recovery
✓ Establish a strategy to ensure the strict control of applications processed at the backup site

– The Test Plan


– The Maintenance Plan

Strengthening the DCRP process requires attention to the following issues:


• Broaden recovery plan beyond just computer operations to ensure business continuity.
• Involve the internal audit function in all phases of contingency planning.
• Factor-in the human element.
• Contingency plan should address customer and vendor relations.
• Managers and employees should be made aware of their responsibilities in the event that a disaster
strikes.
• Contingency plan should incorporate telecommunications backup.

Chapter 10 – Auditing of Information Systems
Audits are examinations performed to assess and evaluate an activity or object, such as whether the internal
controls implemented into the AIS are working as prescribed by management

Types of Audits
• Operational Audits
• Compliance Audits
• Project Management and Change Control Audits
• Internal Control Audits
• Financial Audits
• Fraud Audits
• Internal Auditors
• External Auditors
• Government Auditors
• Fraud Auditors

Basic Auditing Considerations


Ethics and Auditing Standards
• Need for Ethics
• Content of Standards
• Effect of Automation on Standards
Impact of Computerization on Audit Procedures
Transaction Cycle Approach to Auditing

The Auditing Process


The 5 phases of a financial audit are:
• Planning the Audit
✓ Analytical Procedures
• Preliminary Review & Assessment of the Internal Control Structure
• Completion of the Review
✓ Detailed Evaluation and Testing of Controls
• Analytical and Substantive Review
• Audit Reporting

Preliminary Assessment of the Internal Control Structure


• Review, Document, and Assess the ICS
• Assess and Set the level of Control Risk
✓ Control Risk is the risk that material misstatements in assertions, leading to significant errors in
the financial statements, will fail to be prevented or detected by the internal control structure.
✓ The level of Control Risk may be expressed numerically or subjectively.
✓ An Assertion is an expressed account balance, transaction classification, or disclosure in the
financial statements being examined.
• Cost Effectiveness of Testing Controls

Testing of Controls
• Perform Tests of Controls.
• Evaluate the Findings of the Tests of Controls.
• Final Assessment of Control Risk for each transaction cycle.
✓ Determine level of Planned Detection Risk.
✓ The Planned Detection Risk is the risk that a material misstatement in the financial statements
or in individual account balances will fail to be uncovered by substantive testing procedures.
✓ Determine the nature, timing, and extent of substantive testing procedures.
• Develop Final Audit Program.

Substantive Testing
• Choose and Perform Substantive Tests
✓ Perform Final Analytical Procedures
✓ Test Account Balances
✓ Test Details of Transaction Classes
• Evaluate Substantive Tests

Document the Conclusions


1. Writing the Audit Report
• Unqualified Opinion: Financial Statements present fairly, in all material respects, the financial
status, results of operations, and cash flow of the firm being audited
• Qualified Opinion: Issued when a significant condition, such as a departure from GAAP,
prevents the issuance of an unqualified opinion
• Adverse Opinion: Given when the auditor concludes that the overall financial statements are
so materially misleading that they cannot be relied upon
• A Disclaimer of Opinion: The Auditor refuses to express an opinion on the overall financial
statements due to major restrictions placed on the scope of the audit or the failure to collect
sufficient evidence.

2. Letter of Reportable Conditions

Auditing Around the Computer


• Computer is a “black-box.”
• Assumption: If the auditor can show that the actual outputs are the correct results to be expected from
a set of inputs to the processing system, then the computer processing must be functioning in a
reliable manner.
• Involves tracing selected transactions from source documents to summary accounts and records, and
vice-versa.
• A “Non-Processing of Data” Method.
• Suitable only under the following 3 conditions:
– The audit trail is complete and visible
– The processing operations are relatively straightforward, uncomplicated, and low volume
– Complete documentation, such as DFDs and Systems Flowcharts, are available to the auditor
• Best suited for independent periodic processing applications:
– Cash disbursements
– Payroll processing

• A limitation is that it does not allow the auditor to determine exactly how the computer processing
programs handle edit checks and programmed checks

Auditing Around the Computer: An Illustration

Auditing Through the Computer


• Should be applied to all complex automated processing systems
– Periodic direct and real-time processing applications where the audit trail is impaired
• Methods include:
– Test Data
– Integrated Test Facility
– Embedded Audit Module Techniques
– Program Code Checking
– Parallel Processing
– Parallel Simulation
– Controlled Processing
• All auditing-through-the-computer techniques provide evidence concerning the level of control risk.

Auditing Through the Computer: An Illustration

Auditing with the Computer


• Microcomputer Audit Assist Software
✓ The Generalized Audit Software (GAS) Package
✓ The Template
– Prepare trial balances
– Maintain recurring journal entries
– Evaluate sample results
– Schedule and manage auditor time in field audits
– Perform reasonableness tests of expenses
– Estimate expenses
• Audit Software: A collection of program routines, each serving a mechanistic audit function
• GAS (e.g., ACL)
– Attribute Sampling
– Histogram Generation
– Record Aging
– File Comparison
– Duplicate Checking
– File Printing
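
Two of the GAS functions listed above, Duplicate Checking and Record Aging, written out over a small open-invoice file (an added example, not part of the original notes and not ACL code). The invoice records, field names, as-of date and the 30/60/90-day aging buckets are constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed open-invoice file (assumption, not from the notes).
INVOICES = [
    {"invoice_no": "INV-501", "customer_no": 1001,
     "date": date(2024, 1, 10), "amount": Decimal("250.00")},
    {"invoice_no": "INV-502", "customer_no": 1002,
     "date": date(2024, 2, 20), "amount": Decimal("75.50")},
    {"invoice_no": "INV-502", "customer_no": 1002,
     "date": date(2024, 2, 20), "amount": Decimal("75.50")},
    {"invoice_no": "INV-503", "customer_no": 1003,
     "date": date(2024, 3, 25), "amount": Decimal("1200.00")},
    {"invoice_no": "INV-504", "customer_no": 1001,
     "date": date(2024, 1, 10), "amount": Decimal("250.00")},
]

# Upper bound in days for each aging bucket; anything older is "over 90".
BUCKETS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]


def find_duplicates(records, key_fields):
    """Duplicate Checking: group records on the chosen fields and return
    the groups that hold more than one record."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[f] for f in key_fields)].append(r["invoice_no"])
    return {key: nos for key, nos in groups.items() if len(nos) > 1}


def age_records(records, as_of):
    """Record Aging: total the amounts outstanding per age bucket."""
    totals = {label: Decimal("0") for _, label in BUCKETS}
    totals["over 90"] = Decimal("0")
    for r in records:
        days = (as_of - r["date"]).days
        if days < 0:
            raise ValueError(f"{r['invoice_no']} is dated after {as_of}")
        label = next((lab for limit, lab in BUCKETS if days <= limit), "over 90")
        totals[label] += r["amount"]
    return totals


if __name__ == "__main__":
    # Same document number recorded twice.
    print(find_duplicates(INVOICES, ("invoice_no",)))
    # Same customer, date and amount under different numbers.
    print(find_duplicates(INVOICES, ("customer_no", "date", "amount")))
    print(age_records(INVOICES, date(2024, 3, 31)))
```

Checking on the document number alone misses INV-501 and INV-504, which only surface when the check is keyed on customer, date and amount.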

Typical Audit Functions Available in a GAS package
– Extracting Data from Files
– Calculating with Data
– Summarizing Data
– Analyzing Data
– Reorganizing Data
– Selecting Sample Data for Testing
– Gathering Statistical Data
– Printing Confirmation Requests, Analyses, and other outputs

Applications of a GAS Package

Advantages of GAS Packages


• Allow auditors to access computer-readable records for a wide variety of applications and organizations.
• Enable auditors to examine much more data than could be examined through manual means.
• Rapidly and accurately perform a variety of routine audit functions, including the statistical selection
of samples.
• Reduce dependence on non-auditing personnel for performing routine functions like summarizing data,
thereby enabling auditors to maintain better control over the audit…
• Require only minimal computer knowledge on the part of the auditor.

Disadvantages of GAS Packages
• They do not directly examine the applications program and programmed checks.

• They cannot replace audit-through-the-computer techniques

Situations Triggering DP Operational Audits


• An apparently excessive cost for computer services

• A major shift in corporate plans

• A proposal for a major hardware or software upgrade or acquisition

• An inability to attract and retain computer DP executives

• A new DP executive’s need for an intensive assessment

• An inordinate amount of personnel turnover within the DP department

• A proposal to consolidate or distribute DP resources

• A major system that appears unresponsive to needs or is difficult to enhance or maintain

• An excessive or increasing number of user complaints

Chapter 12: The Revenue Cycle
• Revenue Cycles tend to be similar for all types of firms.
• Two subsystems perform the processing steps within the revenue cycle:
– The Sales Processing System
– The Cash Receipts Processing System

Objectives of the Revenue Cycle


• To record sales orders promptly and accurately
• To verify that the customers are worthy of credit
• To ship the products or perform the services by agreed dates
• To bill for products or services in a timely and an accurate manner
• To record and classify cash receipts promptly and accurately
• To post sales and cash receipts to proper customers’ accounts in the accounts receivable ledger
• To safeguard products until shipped
• To safeguard cash until deposited

Marketing/Distribution
Marketing Management has the objectives of determining and satisfying the needs of customers, generating
sufficient revenue to cover costs and expenses, replacing assets and providing an adequate return on investment.

Finance/Accounting
With respect to the Revenue Cycle, the objectives are limited to Cash Planning and Control, Data pertaining to
sales and customer accounts, Inventory control and Information pertaining to cash, sales, and customers.

Input Documents Pertaining to the Revenue Cycle

Credit Sales Processing System
• Order Entry: Customer Order, Picking List
• Shipping: Bill of Lading
• Billing
• Preparing Analyses & Reports: Invoice Register, Accounts Receivable Summary
• Handling Sales Returns & Allowances: Credit Memos
• Processing Back Orders

Cash Receipts Processing System


• Remittance Entry: Remittance List, Lockbox
• Depositing Receipts: Deposit Slips, Cash Receipts Transaction Listing
• Posting Receipts: Balance Forward Method, Open Invoice Method
• Preparing Analyses & Reports
• Collecting Delinquent Accounts: Write-off Notice

Web-Based Systems
• Electronic commerce
• Larger customer base
• Quicker processing of transactions
• Less paperwork
• Greater efficiency & productivity
• Self-service
• AICPA’s Web-Trust and competing services

Information Output
• Operational Listings & Reports
• Inquiry Display Screens
• Scheduled Managerial Reports
• Demand Managerial Reports

Operational Listings and Reports


• Monthly statement
• Open orders report
• Sales Invoice register
• Shipping register
• Cash receipts journal
• Credit memo register

Scheduled Managerial Reports
• Accounts receivable aging schedule
• Reports on critical factors
– Average dollar value per order
– Percentage of orders shipped on time
– Average number of days between the order
date and shipping date
• Sales analyses
– Salesperson
– Sales region
– Product lines
– Customers
– Markets
• Cash flow statements

Demand Managerial Reports: Demand reports are ad hoc non-scheduled reports, and “What-if”
scenarios.

Types of Managerial Decisions Pertaining to the Revenue Cycle


• Marketing decisions
– Which types of markets and customers are to be served?
– Which specific products are to be provided to customers, including new products to be introduced?
– What prices are to be charged, and what discounts are to be allowed?
– What after-sales services are to be offered?
– What channels of distribution are to be employed?
– What advertising media are to be employed, and in what mix?
– What organizational units are to be incorporated within
the marketing function?
– What marketing plans and budgets are to be established for the coming year?

• Financial Decisions
– What criteria are to be employed in granting credit to potential customers?
– What collection methods are to be employed in minimizing bad debts?
– What accounts receivable records are to be maintained concerning amounts owed by customers?
– What sources, other than receipts from sales, are to be employed in obtaining needed funds for
operations?
– What financial plans and cash budgets are to be established for the coming year?

Typical Files Associated with the Revenue Cycle
• Master Files
– Customer master file
– Accounts receivable master file
– Merchandise inventory master file

• Transaction & Open Document Files


– Sales order file
– Open sales order file
– Sales invoice transaction file
– Cash receipts transaction file

• Other Files
– Shipping & Price data reference file
– Credit reference file
– Salesperson file
– Sales history file
– Cash receipts history file
– Accounts receivable report file

Risk Exposures in the Revenue Cycle
| Risks | Exposures |
|---|---|
| 1) Credit sales made to customers who represent poor credit risks | 1) Losses from bad debts |
| 2) Unrecorded or unbilled shipments | 2) Losses of revenue; overstatement of inventory and understatement of accounts receivable in the balance sheet |
| 3) Errors in preparing sales invoices | 3) Alienation of customers and possible loss of future sales; losses of revenue |
| 4) Misplacement of orders from customers or unfilled backorders | 4) Losses of revenue and alienation of customers |
| 5) Incorrect posting of sales to accounts receivable records | 5) Incorrect balances in accounts receivable and general ledger account records |
| 6) Posting of revenues to wrong accounting periods, such as premature booking of revenues | 6) Overstatement of revenue in one year (year of premature booking) and understatement of revenue in the next |
| 7) Fictitious credit sales to nonexistent customers | 7) Overstatement of revenues and accounts receivable |
| 8) Excessive sales returns and allowances with certain of the credit memos being for fictitious returns | 8) Losses in net revenue, with the proceeds from subsequent payments by affected customers being fraudulently pocketed |
| 9) Theft or misplacement of finished goods in the warehouse or on the shipping dock | 9) Losses in revenue; overstatement of inventory on the balance sheet |
| 10) Fraudulent write-offs of customers’ accounts by unauthorized persons | 10) Understatement of accounts receivable; losses of cash receipts when subsequent collections on written-off accounts are misappropriated by perpetrators of the fraud |
| 11) Theft (skimming) of cash receipts, especially currency, by persons involved in the processing; often accompanied by omitted postings to affected customers’ accounts | 11) Losses of cash receipts; overstatement of accounts receivable in the subsidiary ledger and the balance sheet |
| 12) Lapping of payments from customers when amounts are posted to accounts receivable records | 12) Losses of cash receipts; incorrect account balances for those customers whose records are involved in the lapping |
| 13) Accessing of accounts receivable, merchandise inventory, and other records by unauthorized persons | 13) Loss of security over such records, with possibly detrimental use made of the data accessed |
| 14) Involvement of cash, merchandise inventory, and accounts receivable records in natural or human-made disasters | 14) Losses of or damages to assets |
| 15) Planting of virus by disgruntled employee to destroy data on magnetic media | 15) Loss of customer accounts receivable data needed to monitor collection of amounts from previous sales |
| 16) Interception of data transmittal between customers and the web site | 16) Loss of data which may be used to the detriment of customers |
| 17) Unauthorized viewing and alteration of other customer account data via the Web | 17) Loss of security over customer records resulting in misstatement of accounts receivable balances |
| 18) Denial by a customer that an online order was placed after the transaction is processed | 18) Loss of sales revenues |
| 19) Use of stolen credit cards to place orders via the Web | 19) Loss of shipped goods for which payments will not be received |
| 20) Breakdown of the web server due to unexpectedly high volume of transactions | 20) Loss of sales revenues and alienation of customers |

Typical Control Objectives for the Revenue Cycle
1. All customers accepted for credit sales are credit-worthy.
2. All ordered goods are shipped, and all services are performed by dates that are agreeable to all parties.
3. All shipped goods are authorized and accurately billed within the proper accounting period.
4. All sales returns and allowances are authorized and accurately recorded and based on actual return of
goods.
5. All cash receipts are recorded completely and accurately.
6. All credit sales and cash receipts transactions are posted to proper customers’ accounts in the accounts
receivable ledger.
7. All accounting records, merchandise inventory, and cash are safeguarded.

General Controls of the Revenue Cycle


Organizational Controls

• Units with custodial functions should be kept separate from each other
• Custodial functions should furthermore be segregated from record-keeping functions
• For computerized systems, systems development should be kept separate from systems operations
Documentation Controls
Asset Accountability Controls
Management Practice Controls
Data Center Operations Controls
Authorization Controls
Access Controls

• Assigned passwords that authorized clerks must enter to access accounts receivable and other
customer-related files, in order to perform their strictly defined tasks.
• Terminals that are restricted in the functions they allow to be performed with respect to sales and cash
receipts transactions.
• Logging of all sales and cash receipt transactions upon their entry into the system
• Frequent dumping of accounts receivable and merchandise inventory master files onto magnetic tape
backups.
• Physically protected warehouses and safes.
• A lockbox collection system in situations where feasible.

Application Controls of the Revenue Cycle


1) Prepare pre-numbered and well-designed documents relating to sales, shipping, and cash receipts, with each
prepared document being approved by an authorized person.
2) Validate data on sales orders and remittance advices as the data are prepared and entered for processing. In
computer-based systems, validation should be performed by means of programmed edit checks. When data are
keyed onto a computer-readable medium, key verification is also appropriate.
3) Correct errors that are detected during data entry and before the data are posted to the customer and inventory
records.

4) Precompute batch control totals relating to key data on sales invoices (or shipping notices) and remittance
advices. These precomputed batch control totals should be compared with totals computed during postings to
the accounts receivable ledger and during each processing run. In the case of cash receipts, the total on
remittance advices should also be compared with the total on deposit slips.
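
The batch-total comparison in item 4, as an added example that is not part of the original notes: a batch of remittance advices gets a precomputed record count, amount total and hash total, which are recomputed after posting and compared together with the deposit-slip total. The record layout and all sample figures are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Remittance:
    advice_no: int          # pre-numbered remittance advice
    customer_no: int        # account to credit in the A/R ledger
    amount: Decimal         # cash received


@dataclass(frozen=True)
class BatchTotals:
    record_count: int       # number of documents in the batch
    amount_total: Decimal   # financial control total
    hash_total: int         # sum of customer numbers; has no meaning except as a check


def batch_totals(items):
    """Compute the three control totals over an iterable of remittances."""
    items = list(items)
    return BatchTotals(
        record_count=len(items),
        amount_total=sum((r.amount for r in items), Decimal("0")),
        hash_total=sum(r.customer_no for r in items),
    )


def reconcile(precomputed, posted, deposit_slip_total):
    """Return a list of discrepancies; an empty list means the batch balances."""
    after = batch_totals(posted)
    problems = []
    if after.record_count != precomputed.record_count:
        problems.append(f"record count {after.record_count} != {precomputed.record_count}")
    if after.amount_total != precomputed.amount_total:
        problems.append(f"amount total {after.amount_total} != {precomputed.amount_total}")
    if after.hash_total != precomputed.hash_total:
        problems.append(f"hash total {after.hash_total} != {precomputed.hash_total}")
    if deposit_slip_total != precomputed.amount_total:
        problems.append(f"deposit slip {deposit_slip_total} != {precomputed.amount_total}")
    return problems


# Constructed sample batch, totalled before data entry.
BATCH = [
    Remittance(5001, 10234, Decimal("1250.00")),
    Remittance(5002, 10877, Decimal("310.45")),
    Remittance(5003, 11902, Decimal("89.99")),
]
PRECOMPUTED = batch_totals(BATCH)

# Case 1: posting matches the batch and the deposit slip.
clean = reconcile(PRECOMPUTED, BATCH, Decimal("1650.44"))

# Case 2: the right amount posted to the wrong customer. Count and amount
# totals still agree; only the hash total exposes the misposting.
MISPOSTED = [BATCH[0], Remittance(5002, 10878, Decimal("310.45")), BATCH[2]]
wrong_account = reconcile(PRECOMPUTED, MISPOSTED, Decimal("1650.44"))

# Case 3: one receipt missing from both the posting run and the deposit.
short = reconcile(PRECOMPUTED, BATCH[:2], Decimal("1560.45"))

if __name__ == "__main__":
    for label, result in (("clean", clean), ("wrong account", wrong_account), ("short", short)):
        print(label, "->", result or "balanced")
```
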

Application Controls of the Revenue Cycle: Processing


1. Move ordered goods from the finished goods warehouse and ship the goods only on the basis of written
authorizations such as stock request copies
2. Invoice customers only on notification by the shipping department of the quantities that have been
shipped
3. Issue credit memos for sales returns only when evidence (i.e. receiving report) has been received that
the goods were actually returned
4. Verify all computations on sales invoices before mailing and postings to proper customers’ accounts.
Also, compare the sales invoices against shipping notices and open orders, in order to ensure that the
quantities ordered reconcile with the orders shipped and back-ordered
5. Verify that total amounts posted to the accounts receivable accounts from batches of transactions agree
with precomputed batch totals, and post the total amounts to the appropriate general ledger accounts
6. Deposit all cash received intact and with a minimum of delay, thus eliminating the possibility of cash
receipts being used to pay employees or to reimburse petty cash funds
7. Correct errors that are made during processing steps, usually by reversing erroneous postings to
accounts and entry of correct data. The audit trail concerning accounts being corrected should show
the original errors, the reversals, and the corrections

Application Controls of the Revenue Cycle: Output


1. Prepare monthly statements, which should be mailed to all credit customers, especially if the balance
forward approach is employed.
2. File copies of all documents pertaining to sales and cash receipts transactions by number, with the
sequence of numbers in each file being periodically checked to see if gaps exist. If transactions are
not supported by preprinted documents, as often is the case in online computer-based systems, assign
transaction numbers to the transactions.
3. Prepare printed transaction listings and account summaries on a periodic basis in order to provide
an audit trail and a basis for review

Web Security Procedures


1. Authentication
2. Authorization: Use of an Access Control List
3. Accountability
4. Data Transmission
5. Disaster Contingency & Recovery Plan

Chapter 13: The Expenditure Cycle
Because this cycle involves the outflow of cash, it is the counterpoint to the revenue cycle. Expenditure cycles
tend to be similar for all types of firms - merchandising to manufacturing to services.

Two subsystems include:


• The purchases processing system
• The cash disbursements processing system

Objectives of the Expenditure Cycle


1. To ensure that all goods and services are ordered as needed
2. To receive all ordered goods and verify that they are in good condition
3. To safeguard goods until needed
4. To ensure that invoices pertaining to goods and services are valid and correct
5. To record and classify the expenditures promptly and accurately
6. To post obligations and cash disbursements to proper suppliers’ accounts in the accounts payable
ledger
7. To ensure that all cash disbursements are related to authorized expenditures
8. To record and classify cash disbursements promptly and accurately

Relationships of Organizational Units to Expenditure Cycle Functions

Documents Pertaining to the Expenditure Cycle


• Purchase Requisition
• Purchase Order
• Receiving Report
• Supplier’s (Vendor’s) Invoice
• Disbursement Voucher
• Disbursement Check
• Debit Memorandum
• New Supplier Form
• Request for Proposal

Purchasing & Payables Processing System
• Purchases: Request for Proposals, Inventory Status Reports
• Receiving: Receiving Report
• Payables: Disbursements Voucher File
• Preparing Analyses & Reports
• Handling Purchase Returns & Allowances: Debit Memorandum

Cash Disbursements Processing System


• Processing Petty Cash disbursements: Imprest System
• Disbursing cash for miscellaneous purposes

Managerial Decisions Pertaining to the Expenditure Cycle


Inventory Decisions
1. What levels of merchandise inventory should be stocked?
2. When should particular inventory be reordered?
3. What quantities of particular inventory items should be reordered?
4. When should long term purchase contracts be obtained for particular inventory items?
5. Which suppliers should be established as long-term sources of merchandise and supplies?
6. From which suppliers should particular inventory items be ordered?
7. What procedures should be followed in receiving and storing merchandise inventory?
8. What organizational units are to be included in the inventory management and logistics function?
9. What logistics plans and budgets are to be established for the coming year?
Financial Decisions
1. What policies concerning purchase terms and discounts should be established?
2. What level of service should departments be allowed to inquire?
3. What accounts payable records are to be maintained concerning amounts owed to suppliers?
4. What financial plans and budgets are to be established for the coming year?
5. What sources of funds are to be employed?

Operational Listings & Reports


• Voucher Register
• Check Register
• Open Purchase Order Report
• Open Invoices Report
• Inventory Status Report
• Overdue Deliveries Report

Scheduled Managerial Reports


• A Payables Aging Report
• Purchase Analyses
• Vendor Performance Report
• Cash-flow Statement
• Critical Factors Report

Data Management: File Oriented Approach
1. Master Files
• Supplier/Vendor Master File
• Accounts Payable Master File
• Merchandise Inventory Master File
2. Transaction & Open Document Files
• Purchase Order File
• Open Purchase Order File
• Supplier’s Invoice File
• Open Vouchers File
• Cash Disbursements File
3. Other Files
• A Supplier Reference & History File
• A Buyer File
• An Accounts Payable Detail File

A Layout of a Supplier (Accounts Payable) Record

Supplier Account Number | Supplier Name | Mailing Number | Phone number | Credit Terms | Year-to-date Payments in total | Year-to-date Payments in total | Current Account Number

Control Objectives
1. All purchases are authorized on a timely basis when needed and are based on EOQ calculations.
2. All received goods are verified to determine that the quantities agree with those ordered and that they
are in good condition.
3. All services are authorized before being performed and are monitored to determine that they are
properly performed.
4. All suppliers’ invoices are verified on a timely basis and conform with goods received or services
performed.
5. All available purchase discounts are identified, so that they may be taken if economical to do so.
6. All purchase returns and allowances are authorized and accurately recorded and based on actual return
of goods.
7. All cash disbursements are recorded completely and accurately.
8. All credit purchases and cash disbursements transactions are posted to proper suppliers’ accounts in the
accounts payable ledger.
9. All accounting records and merchandise inventory are safeguarded.

Risk Exposures Within the Expenditure Cycle

Risk / Exposure(s)
1) Risk: Orders placed for unneeded goods or more goods than needed
   Exposure: Excessive inventory and storage costs
2) Risk: Receipt of uncoded goods
   Exposure: Excessive inventory and storage costs
3) Risk: No receipt of ordered goods
   Exposure: Losses due to stockouts
4) Risk: Fraudulent placement of orders by buyers with suppliers to whom they have personal or financial attachments
   Exposure: Possibility of inferior or overpriced goods or services
5) Risk: Creation of fictitious invoices and other purchasing documents
   Exposure: Overstatement of inventory; losses of cash disbursed
6) Risk: Lack of vigilance in writing down inventory that is aged or damaged
   Exposure: Overstatement of inventory
7) Risk: Omission of liabilities, such as material contingencies
   Exposure: Understatement of liabilities
9) Risk: Damage to goods en route to the acquiring firm
   Exposure: Possibility of inferior goods for use or sale
10) Risk: Errors by suppliers in computing amounts on invoices
    Exposure: Possibility of overpayment for goods received
11) Risk: Erroneous or omitted postings of purchases or purchase returns to supplier’s accounts payable records
    Exposure: Incorrect balances in accounts payable and general ledger account records
12) Risk: Errors in charging transaction amounts to purchases and expense accounts
    Exposure: Incorrect levels (either high or low) for purchases and expense accounts
13) Risk: Lost purchase discounts due to late payments
    Exposure: Excessive purchasing costs
14) Risk: Duplicate payments of invoices from suppliers
    Exposure: Excessive purchasing costs
15) Risk: Incorrect disbursements of cash, either to improper or fictitious parties or for greater amounts than approved
    Exposure: Loss of cash and excessive costs for goods and services
16) Risk: Improper disbursement of cash for goods or services not received
    Exposure: Excessive costs for goods or services
17) Risk: Theft of scrap proceeds
    Exposure: Loss of cash
18) Risk: Disbursement of checks payable to employees for unauthorized expenses or fraudulent claims
    Exposure: Loss of cash
19) Risk: Fraudulent alteration and cashing of checks by employees
    Exposure: Loss of cash
20) Risk: Kiting of checks by employees
    Exposure: Overstatement of bank balances; possible losses of deposited cash
21) Risk: Accessing of supplier records by unauthorized persons
    Exposure: Loss of security over such records, with possible detrimental use made of data accessed
22) Risk: Involvement of cash, merchandise inventory, and accounts payable records in natural or human-made disasters
    Exposure: Loss of or damage to assets, including possible loss of data needed to monitor payments of amounts due to suppliers within discount periods
23) Risk: Interception of data transmitted via the Web
    Exposure: Loss of data or unreliable data resulting in inaccurate purchase orders
24) Risk: Unauthorized purchase requisitions and purchase orders initiated via the Web
    Exposure: Excessive inventory and storage costs
25) Risk: Unauthorized viewing and alteration of a company’s purchase records via the Web
    Exposure: Loss of security over data which can be used to the detriment of the company
26) Risk: Breakdown of the Web server due to unexpected events
    Exposure: Loss of data and delay in processing purchase orders

General Controls
• Organizational Controls
• Documentation Controls
• Asset Accountability Controls
• Management Practices Controls
- Training & Bonding of employees
- Systems development & changes subject to prior approvals, testing, and sign-off
- Audits on purchases and cash disbursements
- Periodic review and analyses of account activity and computer-approved transactions
• Data Center Operations Controls
• Authorization Controls
• Access Controls
- Assigned passwords required in order to access accounts payable and other supplier-related
files
- Terminals restricted in their functions with respect to purchases and cash disbursement
transactions
- Logging of all purchases and cash disbursement transactions upon their entry into the system
- Frequent dumping of accounts payable and merchandise inventory master files onto magnetic
tape backup
- Physically protected warehouses
- Logs that monitor all accesses of data stored in files

Application Controls Pertaining to the Expenditure Cycle: Input Controls
1. Prepare pre-numbered and well-designed documents relating to purchases, receiving, payables, and
cash disbursements.
2. Validate data on purchase orders and receiving reports and invoices as the data are prepared and
entered for processing.
3. Correct errors that are detected during data entry and before the data are posted to the supplier and
inventory records.
4. Pre-compute batch control totals relating to key data on suppliers’ invoices and vouchers due for
payment.

Application Controls Pertaining to the Expenditure Cycle: Processing Controls


1. Issue purchase requisitions, purchase orders, disbursement vouchers, checks, and debit memoranda on
the basis of valid authorizations.
2. Verify all data elements and computations on purchase requisitions and on purchase orders.
3. Vouch all data elements and computations on suppliers’ invoices.
4. Monitor all open transactions, such as partial deliveries and rejected goods.
5. Issue debit memoranda only on the basis of prior approval of the purchasing or other appropriate
manager.
6. Reconcile amounts in the accounts payable subsidiary ledger and expense ledgers with control accounts
in the general ledger.
7. Verify that total postings to the accounts payable file accounts agree with the total postings to the
general ledger accounts.
8. Monitor discount terms relating to payment.
9. Review evidence supporting the validity of expenditures and the correctness of amounts prior to the
signing of checks.
10. Use check protectors to protect the amounts on checks against alteration before the checks are presented
to be signed.
11. Require that checks over a specified amount be countersigned by a second manager.
12. Verify all inventories on hand by physical counts once yearly, and reconcile the counted quantities with
the quantities shown in the inventory records.
13. Use imprest systems for disbursing currency from petty-cash funds, with the funds being subject to
surprise counts by internal auditors or a designated manager.
14. Establish purchasing policies that require competitive bidding for large and/or non-routine purchases
and that prohibit conflicts of interest.
15. Correct errors that are made during processing steps, usually by reversing erroneous postings to
accounts and entering correct data.
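
Processing controls 3 and 4 above, as an added example that is not part of the original notes: each supplier invoice is vouched against its purchase order and receiving report before a disbursement voucher is approved, so that duplicate billings, billings for goods not received and arithmetic errors are held. The record layouts, exception wording and sample documents are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed open documents, keyed by purchase order number.
PURCHASE_ORDERS = {
    "PO-1187": {"supplier_no": "40010", "qty": 100, "unit_price": Decimal("4.20")},
    "PO-1188": {"supplier_no": "40029", "qty": 40, "unit_price": Decimal("15.00")},
}
RECEIVING_REPORTS = {
    "PO-1187": {"qty_received": 100, "qty_rejected": 0},
    "PO-1188": {"qty_received": 30, "qty_rejected": 5},  # partial delivery, 5 rejected
}


@dataclass
class PayablesState:
    vouchered: set = field(default_factory=set)      # (supplier_no, invoice_no) pairs
    billed_qty: dict = field(default_factory=dict)   # po_no -> quantity already vouchered


def vouch(invoice, state):
    """Vouch one supplier invoice; return (approved, list_of_exceptions)."""
    key = (invoice["supplier_no"], invoice["invoice_no"])
    if key in state.vouchered:
        return False, ["duplicate invoice number for this supplier"]
    po = PURCHASE_ORDERS.get(invoice["po_no"])
    rr = RECEIVING_REPORTS.get(invoice["po_no"])
    if po is None:
        return False, ["no purchase order on file"]
    if rr is None:
        return False, ["no receiving report on file"]

    exceptions = []
    if invoice["supplier_no"] != po["supplier_no"]:
        exceptions.append("supplier differs from purchase order")
    # Only goods received, accepted and not yet vouchered may be paid for.
    already = state.billed_qty.get(invoice["po_no"], 0)
    payable = rr["qty_received"] - rr["qty_rejected"] - already
    if invoice["qty"] > payable:
        exceptions.append(f"billed {invoice['qty']}, payable quantity is {payable}")
    if invoice["unit_price"] > po["unit_price"]:
        exceptions.append("unit price above purchase order price")
    # Recompute the extension rather than trusting the supplier's arithmetic.
    if invoice["qty"] * invoice["unit_price"] != invoice["amount"]:
        exceptions.append("amount does not equal qty x unit price")

    if not exceptions:
        state.vouchered.add(key)
        state.billed_qty[invoice["po_no"]] = already + invoice["qty"]
    return not exceptions, exceptions


def make_invoice(supplier_no, invoice_no, po_no, qty, unit_price, amount):
    return {"supplier_no": supplier_no, "invoice_no": invoice_no, "po_no": po_no,
            "qty": qty, "unit_price": Decimal(unit_price), "amount": Decimal(amount)}


def run_demo():
    """Process five constructed invoices in order and return each outcome."""
    state = PayablesState()
    batch = [
        make_invoice("40010", "S-7741", "PO-1187", 100, "4.20", "420.00"),   # clean
        make_invoice("40010", "S-7741", "PO-1187", 100, "4.20", "420.00"),   # resubmitted
        make_invoice("40010", "S-7741A", "PO-1187", 100, "4.20", "420.00"),  # renumbered copy
        make_invoice("40029", "T-0193", "PO-1188", 40, "15.00", "600.00"),   # bills full order
        make_invoice("40029", "T-0194", "PO-1188", 25, "15.00", "357.00"),   # extension error
    ]
    return [vouch(inv, state) for inv in batch]


if __name__ == "__main__":
    for approved, exceptions in run_demo():
        print("APPROVED" if approved else "HELD", exceptions)
```

Tracking the quantity already vouchered per purchase order is what catches the renumbered copy, which a check on invoice numbers alone would pass.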

Application Controls Pertaining to the Expenditure Cycle: Output Controls


1. Establish clear-cut receiving and payables cut-off policies, so that inventories and accounts payable are
fairly valued at the end of each accounting period.
2. Establish budgetary control over purchases, with periodic reviews of actual purchase costs and such
key factors as inventory turnover rates.
3. Compare monthly statements from suppliers with the balances appearing in the suppliers’ accounts in
accounts payable.
4. File copies of all documents pertaining to purchases and cash disbursements by number, including
voided documents such as checks.
5. Print transaction listings in order to provide an adequate audit trail.

Programmed Edit Checks Useful in Validating Transaction Data in the Expenditure Cycle
Validity check, Self-checking digit, Field check, Limit check, Range check, Relationship check, Sign check,
Completeness check*, Echo checks*
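
The checks named above, applied to one keyed supplier invoice, as an added example that is not part of the original notes. The record layout, supplier list, limits and the modulus-11 check-digit scheme are assumptions chosen for illustration; the echo check concerns data transmission and is not shown.

```python
from datetime import date
from decimal import Decimal

# Assumed record layout for a keyed supplier invoice: field name -> expected type.
FIELD_TYPES = {"supplier_no": str, "po_no": str, "quantity": int,
               "unit_price": Decimal, "amount": Decimal,
               "invoice_date": date, "due_date": date}
VALID_SUPPLIERS = {"40010", "40029"}   # constructed supplier master file keys
MAX_AMOUNT = Decimal("50000.00")       # assumed ceiling for a single invoice
QTY_RANGE = (1, 10_000)                # assumed plausible order quantities


def mod11_ok(number: str) -> bool:
    """Self-checking digit: the last digit must equal the modulus-11 check
    digit of the preceding digits (weights 2, 3, 4, ... from the right)."""
    if not number.isdigit() or len(number) < 2:
        return False
    body, check = number[:-1], int(number[-1])
    total = sum(int(d) * w for w, d in enumerate(reversed(body), start=2))
    expected = (11 - total % 11) % 11
    return expected != 10 and expected == check   # a remainder of 10 is never issued


def validate(txn: dict) -> list:
    """Run the edit checks in order; return the names of those that failed."""
    # Completeness check: every field is present and non-blank.
    missing = [f for f in FIELD_TYPES if txn.get(f) in (None, "")]
    if missing:
        return ["completeness: " + ", ".join(missing)]
    # Field check: every field holds the kind of data it should.
    bad = [f for f, t in FIELD_TYPES.items() if not isinstance(txn[f], t)]
    if bad:
        return ["field: " + ", ".join(bad)]

    failed = []
    # Self-checking digit first, then validity check against the master file.
    if not mod11_ok(txn["supplier_no"]):
        failed.append("self-checking digit")
    elif txn["supplier_no"] not in VALID_SUPPLIERS:
        failed.append("validity")
    # Sign check: an invoice amount must be positive.
    if txn["amount"] <= 0:
        failed.append("sign")
    # Limit check: the amount may not exceed the ceiling.
    if txn["amount"] > MAX_AMOUNT:
        failed.append("limit")
    # Range check: quantity must lie between a lower and an upper bound.
    if not QTY_RANGE[0] <= txn["quantity"] <= QTY_RANGE[1]:
        failed.append("range")
    # Relationship checks: fields must agree with one another.
    if txn["quantity"] * txn["unit_price"] != txn["amount"]:
        failed.append("relationship: amount != quantity x unit_price")
    if txn["due_date"] < txn["invoice_date"]:
        failed.append("relationship: due_date before invoice_date")
    return failed


# Constructed transactions: one clean record and five keying errors.
GOOD = {"supplier_no": "40010", "po_no": "PO-1187", "quantity": 12,
        "unit_price": Decimal("41.50"), "amount": Decimal("498.00"),
        "invoice_date": date(2024, 3, 4), "due_date": date(2024, 4, 3)}
TRANSPOSED = dict(GOOD, supplier_no="04010")        # digits swapped while keying
UNKNOWN = dict(GOOD, supplier_no="40037")           # well-formed but not on file
BLANK_PO = dict(GOOD, po_no="")
KEYED_WRONG = dict(GOOD, quantity=0, amount=Decimal("-498.00"))
OVER_LIMIT = dict(GOOD, quantity=2000, amount=Decimal("83000.00"))

if __name__ == "__main__":
    for name in ("GOOD", "TRANSPOSED", "UNKNOWN", "BLANK_PO", "KEYED_WRONG", "OVER_LIMIT"):
        print(name, validate(globals()[name]) or "accepted")
```
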

Web Security Procedures


– Authentication
– Authorization
– Accountability
– Data Transmission
– Disaster Contingency & Recovery Plan

Chapter 14: Systems Development
Interaction of Systems Development with Accounting
– Assigning both the controller and the information systems manager to the steering committee
– Assigning accountants to systems project teams
– Assigning persons who are knowledgeable in both accounting and information technology to serve as
coordinators between the accounting and information systems functions
– Establishing an internal audit group, staffed by accountants and systems-oriented auditors
– Establishing data control groups within accounting departments

Approaches to Systems Development


– Top-Down versus Bottom-up
– In-House versus Outsourcing
– Re-engineering
– Prototyping

Objectives of Strategic Systems Planning


– Integrate the information system development with the firm’s overall planning processes
– Ensure orderly development of systems projects, making efficient use of available resources
– Recognize changing priorities and newly arising conditions as well as increasing informational
demands
– Incorporate improvements in information technology as they become relevant to the firm’s needs and
promise greater benefits than the cost outlays

Survey of the Present System


• Scope
• Data Types and Sources
• Behavioral Issues
– Communicate openly with the persons
to be affected by the system project
– Encourage participation by the affected persons throughout the survey
– Emphasize the positive aspects of the project and explain that the resulting system can better meet
the users’ needs
– Reduce the fears of employees and managers by establishing and publicizing fair personnel
policies

A Checklist for Analyzing Information Systems
– Are tasks and responsibilities clearly defined and assigned?
– Are tasks and responsibilities distributed effectively among employees and organizational units?
– Are the policies and procedures understood and followed?
– Does the productivity of the clerical employees appear to be satisfactorily high?
– Do the various organizational units cooperate and coordinate well in maintaining smooth flows of
data?
– Does each product achieve its intended objective?
– Are redundant processing operations being performed?
– How necessary is the result accomplished by each operation?
– Do unnecessary delays occur in obtaining and/or processing data?
– Do any operations cause bottlenecks in the flow of data?
– Is the number of errors that occur in each operation minimized?
– Are physical operations adequately planned and controlled?
– Is the capacity of the information system sufficient to handle the average volumes of data without
large backlogs?
– Are the peak volumes of data handled adequately?
– How easily does the system adapt to exceptional occurrences and growth in use?
– How necessary is each document?
– Is each document suitably designed for efficient use?
– Are all copies of documents necessary?
– Can reports be prepared easily from the files and documents?
– Does unnecessary duplication occur in files, records, and reports?
– Are files easily accessible and kept up-to-date?
– Are sound performance standards developed and kept up-to-date?
– Is data processing equipment being used effectively?
– Is the system of internal control adequate?
– Do the informal flows of data and information harmonize with the formal flows?

A List of Information Systems Capabilities
– Efficient and hence economical operations
– Adequate capacity for expected growth
– Timeliness in responding to inquiries and providing reports
– Reliability of system hardware and software
– Accurate, up-to-date, and relevant information
– Security of the data and system facilities
– Flexibility and adaptability to changes and new demands
– Simplicity, and hence user-friendliness
– System Design Costs
• Detailed design
• Programming

– System Installation and Conversion Costs


• System and program testing
• File conversion
• Retraining of displaced employees
• Training of newly hired analysts, programmers, and operators
• Inefficiencies caused by learning new equipment and procedures

– System Site Preparation Costs


• Construction of wiring and piping systems
• Construction of electrical power supply
• Construction of air-conditioning system
• Construction of sprinkler system
• Construction of other miscellaneous facilities, such as false flooring, file storage vault, and special
lighting

– System Hardware Costs


• Central processing unit
• Additional processors
• Secondary storage devices
• Input-output devices
• Data communications equipment
• Terminals
• Peripheral equipment, such as key-to-disk devices
• Transportation of equipment

– System Software Costs


• Operating system, utility routines, compilers
• Data communications software
• Application program packages
• Data management software packages
• Decision model software packages
• Outside computer time-sharing rentals

Recurring Costs Related to a Computer-Based Information System
1. Computer Operations Costs
– Salaries for computer supervisors, operators, technicians, data-entry clerks, librarians, security
guards, and others
– Supplies, including forms, paper, ribbons, and tape
– Utilities, including power, water, and telephone
– Rentals of computer hardware
– Software purchases and upgrades
– Communications equipment and services
– Backup equipment and services

2. Information System Maintenance Costs


– Salaries for systems analysts, programmers, repair technicians, and others
– Replacement parts and upgrades
– Printing costs for documentation

3. Information System Administration Costs


– Salaries of systems management, data-base administrator, internal auditors, secretaries, and others
– Insurance
– Taxes
– Space and building occupancy costs

Typical Conceptual Design Specifications


System Components
1. Output: Name, Purpose, Distribution to users, Contents, General format, Frequency or trigger,
Timeliness, Output medium
2. Database: File or table name, File or table type, File size, Contents of record or table, Record or table
layout, File organization method, Storage medium, Data characteristics, Updating frequency, Data
structure
3. Data processing: Sequence of steps or runs, Processing modes, cycles, volumes, Modes of data
communication, Processing capabilities at each physical location
4. Data input: Name, Purpose, Source, Method of collecting data, Volume (peak and average), Contents
(data elements), General format, Data entry method
5. Control and security: Type, Purpose, Specific system components affected, Method of correcting error
or establishing security

Systems Acquisition Options


1. Purchasing versus leasing
2. Single vendors versus multiple vendors
3. In-house system versus outsourcing computing services
4. In-house software development versus commercial software packages
5. Types of commercial software
– General accounting systems
– Turnkey software systems

Advantages of Commercial Software
1. Products available without lengthy developmental periods.
2. Soundly designed and well-tested and thus efficient and reliable.
3. Reasonable pricing.

Limitations of Commercial Software


1. Generalized in nature.
2. Acquiring firm is dependent on the software vendor for support and maintenance and upgrades.

The Sequence in Designing System Components

A List of Design Principles


– Foster system objectives
– Incorporate reasonable tradeoffs
– Focus on functional requirements
– Serve multiple purposes
– Relate to users’ concerns
– Provide a tailored product
– Integrate system modules and components
– Avoid design excesses
– Apply sound methodology

A List of Resource Specifications
1. Systems Design Specifications
– Output
– Data-base
– Processing
– Input
– Control & security
2. Hardware Specifications
– Processor speeds and capabilities
– Secondary storage capacities and access capabilities
– Input-output speeds and capabilities
– Compatibility features
– Modularity features
– Error detection and correction techniques
– Data communication capabilities
– Special features, such as multiprogramming and virtual storage
– Maximum allowable downtime as a percentage of total time
3. Software Specifications
– Programming languages and compilers
– Utility packages
– Application packages
– Operating system capabilities
– Data management packages
4. System Support Specifications
– Programming assistance
– Training programs
– Test facilities and time available
– Backup facilities
– Maintenance assistance

Techniques for Proposal Evaluation


1. The benchmark problem technique
2. Simulation model technique
3. Weighted-Rating analysis technique

Systems Implementation: Preliminary Actions


1. Establish implementation plans and controls
– Gantt chart
– Network diagrams
2. Recognize behavioral concerns
3. Review the organization of the project team
4. Complete arrangement for selected system resources

Implementation Activities
1. Personnel selection and training
2. Physical site preparation
3. Detailed system design
– Output design
– Database design
– Input design
– Processing design
– Controls design
4. Application software development: Coding, Structured programming
5. Software testing: Desk checking, String testing
6. System testing: Acceptance testing
7. Standards development:
– System components
– Performance
– Documentation
8. Documentation
9. File conversion
10. System conversion: cutover
– Direct conversion approach
– Parallel operation approach
– Modular conversion approach
– Phased conversion approach

11. User signoff

Systems Operations
1. Fine tuning
2. Post-implementation evaluation
– To assess the degree to which the objectives of the system project have been met
– To spot any additional modifications that might be needed in the newly designed system
– To evaluate the project team’s performance, both in terms of a quality product and adherence to
the project schedule and work plan
– To serve as the basis for improving future systems developments and accuracy of cost and benefit
estimates

A Framework Pertaining to the Control of System-Related Resources

Ishtiaq Mainuddin, Undergraduate Student, University of Dhaka – 1000, Bangladesh
