Ringkasan SIA

Disusun oleh : Muhammad Firman (Akuntansi FE UI 2012)
SISTEM INFORMASI AKUNTANSI

Tax professionals need to understand enough about the
client’s AIS to be confident that the information used for
CHAPTER 1 tax planning and compliance work is complete and
accurate.
ACCOUNTING INFORMATIONS SYSTEMS : AN
One of the fastest growing types of consulting services
OVERVIEW entails the design, selection, and implementation of new
Accounting Information Systems.
What Is An AIS? A survey conducted by the Institute of Management

A system is a set of two or more interrelated components Accountants (IMA) indicates that work relating to
that interact to achieve a goal. Systems are almost always accounting systems was the single most important activity
composed of smaller subsystems, each performing a performed by corporate accountants.
specific function supportive of the larger system.
Information Technology and Corporate Strategy
An accounting information system (AIS) consists of: The same survey conducted by the Institute of
People Management
Procedures Accountants (IMA) also indicates that the second most
Data important job activity of corporate accountants is longterm
Software strategic planning.
Information technology infrastructure
The CITP Designation
What important functions does the AIS perform in an CITP: certified information technology professional
organization?
1. It collects and stores data about activities and Identifies CPAs who possess a broad range of technological
transactions. knowledge and the manner in which information
2. It processes data into information that is useful for technology (IT) can be used to achieve business objectives
making decisions. Reflects the AICPA’s recognition of the importance and
3. It provides adequate controls to safeguard the interrelationship of IT with accounting
organization’s assets.
Ten Most Important Activities Performed By Accountants
In Statement of Financial Accounting Concepts No. 2, The 1.Accounting systems and financial reporting
FASB. 2.Long-term strategic planning
–defined accounting as an information system. 3.Managing the accounting and finance function
–stated that the primary objective of accounting is to 4.Internal Consulting
provide information useful to decision makers. 5.Short-term budgeting
6.Financial and economic analyses
The Accounting Education Change Commission 7.Process improvement
recommended that the accounting curriculum should 8.Computer systems and operations
provide students with a solid understanding of three 9.Performance evaluation
essential concepts: 10.Customer and product profitability analyses
1.The use of information in decision making Factors Influencing Design of the AIS
2.The nature, design, use and implementation of an AIS
3.Financial information reporting
Why Study AIS?
To understand how the accounting system works.
How to collect data about an organization’s activities and
transactions
How to transform that data into information that
management can use to run the organization
How to ensure the availability, reliability, and accuracy of
that information
Auditors need to understand the systems that are used to The Value Chain
produce a company’s financial statements.
M a t a k u l i a h l a i n y a n g b e l u m a d a d i P D F i n i a k a n s a y a u p d a t e d i www. a k u n t a n s i d a n b i s n i s . wo rd p re s s . c o m
Contac t me : muhammad.f irman177@gmail.com /@f irmanmhmd (Line) 1552
PE1
The ultimate goal of any business is to provide value to its

customers. A business will be profitable if the value it Data Needs For Activities
creates is greater than the cost of producing its products or
services. An organization’s value chain consists of nine
interrelated activities that collectively describe everything
it does.
The five primary activities consist of the activities
performed in order to create, market, and deliver products
and services to customers and also to provide post-sales
services and support.
The Value Chain Primary Activities
Characteristics of Useful Information

 Understandable
 Verifiable
 Timely
The four support activities in the value chain make it  Relevant
possible for the primary activities to be performed  Reliable
efficiently and effectively.  Complete
What is decision making?
Decision making involves the following steps:
1.Identify the problem.
2.Select a method for solving the problem.
3.Collect data needed to execute the decision model.
4.Interpret the outputs of the model.
5.Evaluate the merits of each alternative.
6.Choose and execute the preferred solution.
Decisions can be categorized as follows:
The value chain concept can be extended by recognizing –in terms of the degree of structure that exists
that organizations must interact with suppliers, –by the scope of the decision
distributors, and customers. An organization’s value chain
and the value chains of its suppliers, distributors, and Decision Structure
customers collectively form a value system. Structured decisions
repetitive, routine, and understood well enough that they
How An AIS Can Add Value To An Organization can be delegated to lower-level employees in the
An AIS adds value : organization.
– by providing accurate and timely information so that five An example is:
primary value chain activities can be performed more Extending credit to customers.
effectively and efficiently.
–improving the quality and reducing the costs of products Semistructured decisions
or services. characterized by incomplete rules for making the decision
–improving efficiency. and the need for subjective assessments and judgments to
–Improving decision making capabilities. supplement formal data analysis.
–increasing the sharing of knowledge. An example is:
Setting a marketing budget for a new product.
A well-designed AIS can also help an organization profit by
improving the efficiency and effectiveness of its supply Unstructured decision
chain. nonrecurring and nonroutine.
An example is:
Information and Decision Making Choosing thecover for a magazine.
What is information?
The term data refers to any and all of the facts that are Decision Scope
collected, stored, and processed by an information system. Decisions vary in terms of the scope of their effect.
Information is data that has been. organized and Operational controlis concerned with the effective and
processed so that it is meaningful. efficient performance of specific tasks. Management
controlis concerned with the effective and efficient use of
resources for accomplishing organizational objectives.
PE1
Strategic planningis concerned with establishing In manual systems, this information is provided in the
organizational objectives and policies for accomplishing form of reports that fall into two main categories:
thoseobjectives. –financial statements
–managerial reports
Information Technology and Corporate Strategy
New developments in IT affect the design of an AIS. 3 To provide adequate internal controls:
Develop a basic understanding of :
–corporate strategies. Ensure that the information produced by the system is
–how IT developments can be used to implement existing reliable.
organizational strategies. Ensure that business activities are performed efficiently
–how IT developments can be used to create an and in accordance with management’s objectives.
opportunity to modify existing strategies. Safeguard organizational assets.
Because an AIS functions within an organization, it should Basic Subsystems in the AIS
be designed to reflect the values of that organizational
culture.
Strategy and Strategic Positions
Two Basic Strategies
 To be a lower-cost producer than competitors
 To differentiate products and services from
competitors
Three Basic Strategic Positions
 Variety-based strategic position
 Need-based strategic position
 Access-based strategic position
What role does the AIS play in helping organizations 1.The revenue cycle: involves activities of selling goods or
adopt and maintain a strategic position? services and collecting payment for those sales.
–Data collection about each activity 2.The expenditure cycle: involves activities of buying and
–Transforming data into information that can be used by paying for goods or services used by the organization.
management to coordinate those activities 3.The human resources/payroll cycle:involves activities of
hiring and paying employees.
What is the Value of Information? 4.The production cycle:involves activities converting raw
The value of information is the benefit produced by the materials and labor into finished goods.
information minus the cost of producing it. 5.The financing cycle:involves activities of obtaining
necessary funds to run the organization, repay creditors,
The Role of the AIS and distribute profits to investors.
The Internet makes strategy more important than ever.
Enterprise resource planning (ERP) systems integrate all The Data Processing Cycle
aspects of a company’s operations with its traditional AIS. The data processing cycle consists of four steps:
The key feature of ERP systems is the integration of 1.Data input
financial data and other nonfinancial operating data. 2.Data storage
3.Data processing
4.Information Output
CHAPTER 2
The trigger for data input is usually business activity. Data
OVERVIEW OF BUSINESS PROCESSES must be collected about:
1.Each event of interest
2.The resources affected by each event
3.The agents who participate in each event
The Three Basic Functions Performed by an AIS Data Processing Cycle: Data Input
1. To collect and store data about the organization’s Historically, most businesses used paper source
business activities and transactions efficiently and documentsto collect data and then transferred that data
effectively: into a computer. Today, most data are recorded directly
through data entry screens.Control over data collection is
Capture transaction data on source documents. improved by:
Record transaction data in journals, which present a
chronological record of what occurred. prenumbering each source document and using
Post data from journals to ledgers, which sort data by turnaround documents
account type. having the system automatically assign a sequential
number to each new transaction
2. To provide management with information useful for employing source data automation
decision making:
PE1
Common Source Documents and Functions Record Transaction Datain Journals

After transaction data have been captured on source
documents, the next step is to record the data in a journal.
A journal entry is made for each transaction showing the
accounts and amounts to be debited and credited.
Record Transaction Datain Journals
The general journal records infrequent or nonroutine
transactions. Specialized journals simplify the process of
recording large numbers of repetitive transactions.
What are the four most common types of transactions?
Record Transaction Datain Journals
1. Credit sales
2. Cash receipts
3. Purchases on account
4. Cash disbursements
Post Transactions to Ledgers
Ledgers are used to summarize the financial status,
including the current balance, of individual accounts. The
general ledger contains summary-level data for every
asset, liability, equity, revenue, and expense account of an
organization.
A subsidiary ledger records all the detailed data for any
general ledger account that has many individual
subaccounts.
What are some commonly used subsidiary ledgers?
–accounts receivable
–inventory
–accounts payable
What is the general ledger account corresponding to a
subsidiary ledger called?
–control account
A control account contains the total amount for all
individual accounts in the subsidiary ledger.
Post Transactions to Ledgers
Data Processing Cycle: Data Processing

Batch processingis the periodic updating of the data stored
about resources and agents
On-line, real-time processingis the immediate updating as
each transaction occurs
Data Processing Cycle: Data Storage
An entityis something about which information is stored.
Each entity has attributesor characteristics of interest, What is the Chart of Accounts?
which need to be stored. The chart of accounts is a list of all general ledger accounts
used by an organization. It is important that the chart of
accounts contains sufficient detail to meet the information
needs of the organization.
PE1
Providing Information for Decision Making firsthand glimpse of the types of problems that can arise
The second function of the AIS is to provide management from inadequate documentation?
with information useful for decision making. The –failure to bill for repair work
information an AIS provides falls into two main categories:
What is Segregation of Duties?
Financial Statements Segregation of duties refers to dividing responsibility for
Managerial Reports different portions of a transaction among several people.
What functions should be performed by different people?
Financial Statements –authorizing transactions
 Prepare a trial balance. –recording transactions
 Make adjusting entries. –maintaining custody of assets
 Prepare the adjusted trial balance.
 Produce the income statement. CHAPTER 3
 Make closing entries.
 Produce the balance sheet.
 Prepare the statement of cash flows. INTRODUCTION TO E-BUSINESS
Managerial Reports
The AIS must also be able to provide managers with
detailed operational information about the organization’s Introduction: E-Business
performance. Two important types of managerial E-business refers to all uses of advances in information
reports are : technology (IT), particularly networking and
– budget communications technology, to improve the ways in which
– performance reports an organization performs all of its business processes.
What is a budget? E-business encompasses an organization’s external

A budget is the formal expression of goals in financial interactions with its:
terms. Suppliers
One of the most common types of budget is a cash budget. Customers
Managerial Reports Investors
Creditors
What is a performance report? The government
A performance report lists the budgeted and actual Media
amounts of revenues and expenses and also shows the
variances, or differences, between these two amounts. E-business includes the use of IT to redesign its internal
processes. For organizations in many industries, engaging
in e-business is a necessity. Engaging in e-business in and
of itself does not provide a competitive advantage.
However, e-business can be used to more effectively
implement its basic strategy and enhance the effectiveness
and efficiency of its value-chain activities.
E-Business Models
 Business to Consumers (B2C): Interactions
between individuals and organizations.
 Business to Business (B2B): Interorganizational e-
business.
Internal Control Considerations
The third functionof an AIS is to provide adequate internal Categories of E-Business
controls to accomplish three basic objectives:
1. Ensure that the information is reliable.
2. Ensure that business activities are performed efficiently.
3. Safeguard organizational assets.
Internal Control Considerations
What are two important methods for accomplishing these
objectives?
1. Provide for adequate documentation of all business
activities.
2. Design the AIS for effective segregation of duties.
Adequate Documentation
Documentation allows management to verify that assigned
responsibilities were completed correctly.What did Ashton
encounter while working as an auditor that gave him a
E-Business Effects on Business Processes
PE1
Electronic Data Interchange (EDI): Standard protocol,

available since the 1970s, for electronically transferring
information between organizations and across business
processes. Purchasing and Inbound Logistics
The Internet improves the purchasing activity by making it
EDI: easier for a business to identify potential suppliers and to
Improves accuracy compare prices.
Cuts costs
Purchase data from different organizational subunits can
Recent EDI Facilitators be centralized.
Traditional EDI was expensive. New developments that •This information can be used to negotiate better prices.
have removed this cost barrier are: •Number of suppliers can be reduced.
•Reverse auctions can be held
 The Internet: Eliminates the need for special
proprietary third-party networks. For products that can be entirely digitized, the entire
 XML: Extensible Markup Language –Set of inbound logistics function can be performed electronically.
standards for defining the content of data on Web Internal Operations, Human Resources, and Infrastructure
pages.
Advanced communications technology can significantly
Recent EDI Facilitators improve:
ebXML:
The efficiency of internal operations.
Defines standards for coding common business Planning.
documents. The efficiency and effectiveness of the human resource
Eliminates need for complex software to translate support activity.
documents created by different companies. The efficiencyand effectiveness of customer payments.
Integrated Electronic Data Interchange (EDI) Information Flows in Electronic Commerce

Reaping the full benefits of EDI requires that it be fully
integrated with the company’s AIS.
E-Business Effects on Value Chain Activities
Financial Electronic Data Interchange (FEDI)

The use of EDI to exchange information is only part of the
buyer-seller relationship in business-to-business electronic
commerce. Electronic funds transfer (EFT) refers to making
cash payments electronically, rather than by check. EFT is
usually accomplished through the banking system’s
Automated Clearing House (ACH) network.
An ACH creditis an instruction to your bank to transfer
E-Business Effects on Value Chain Activities funds from your account to another account. An ACH
debitis an instruction to your bank to transfer funds from
another account into yours.
ASPs
An Application Service Provider (ASP) is a company that
provides access to and use of application programs via the
Internet. The ASP owns and hosts the software; the
PE1
contracting organization accesses the software via the guarantee that e-business processes satisfy the three key
Internet. characteristics of any business transaction
Financial Electronic Data Interchange (FEDI) Validity
Integrity
Privacy
Encryption
There are two principal types of encryption systems:
 Single-key systems: Same key is used to encrypt and
decrypt the message
•Simple, fast, and efficient
•Example: the Data Encryption Standard (DES)
algorithm
Public KeyInfrastructure (PKI): Uses two keys:
Factors to Consider When Evaluating ASPs •Public key is publicly available and usually used to
encode message
•Private key is kept secret and known only by the
owner of that pair of keys. Usually used to decode
message
Advantages & Disadvantages of PKI
Advantages
No sharing of key necessary
More secure than single-key systems
Disadvantages
Much slower than single-key systems
Digital Signatures and Digests
Digital signature: An electronic message that uniquely
Factors to Include in Service Level Agreements identifies the sender of that message.
Detailed specification of expected ASP performance
Uptime Digest: The message that is used to create a digital
Frequency of backups signature or digital summary.
Use of encryption
Data access controls If any individual character in the original document
Remedies for failure of ASP to meet contracted service changes, the value of the digest also changes. This ensures
levels that the contents of a business document have not been
Ownership of data stored at ASP altered or garbled during transmission
Outbound Logistics Digital Certificates & Certificate Authorities
E-Business can improve the efficiency and effectiveness of Digital Certificate: Used to verify the identity of the public
sellers’ outbound logistical activities. key’s owner.
Timely and accurate access to detailed shipment A digital certificate identifies the owner of a particular
information. private key and the corresponding public key, and the time
Inventory optimization. period during which the certificate is valid.
For goods and services that can be digitized, the
outbound logistics function can be performed entirely Digital certificates are issued by a reliable third party,
electronically. called a Certificate Authority, such as:
Sales and Marketing Verisign
 Companies can create electronic catalogs to Entrust
automate sales order entry. Digital Signature Trust
 Significantly reduce staffing needs.
 Customization of advertisements The certificate authority’s digital signature is also included
on the digital certificate so that the validity of the
Post-Sale Support and Service certificate can also be verified.
Consistent information to customers.
Provide answers to frequently asked questions (FAQs). Types of Networks
The global networks used by many companies to conduct
E-Business Success Factors electronic commerce and to manage internal operations
The degree to which e-business activities fit and support consist of two components:
the organization’s overall business strategy. The ability to
1. Private portion owned or leased by the company
PE1
2. The Internet Interface Devices

There are six basic communication interface devices that
Types of Networks are used in most networks:
The private portion can be further divided into two 1. Network interface cards
subsets: 2. Modems
1. Local area network(LAN) —a system of computers and 3. Remote access devices
other devices, such as printers, that are located in close 4 Hubs
proximity to each other. 5. Switches
2. Wide area network(WAN) —covers a wide geographic 6. Routers
area.
Interface Devices Company
Types of Networks
Companies typically own all the equipment that makes up
their local area network (LAN). They usually do not own
the long-distance data communications connections of
their wide area network (WAN). They either contract to
use a value-added network (VAN) or use the Internet.
The Internet is an international network of computers (and
smaller networks) all linked together.
What is the Internet’s backbone?
–the connections that link those computers together
Portions of the backbone are owned by the major Internet
service providers (ISPs).
What is an Intranet? Interface Devices
The term Intranet refers to internal networks that connect
to the main Internet. They can be navigated with the same
browser software, but are closed off from the general
public.
What are Extranets?
Extranets link the intranets of two or more companies.
Either the Internet or a VAN can be used to connect the
companies forming the extranet. Value-added networks
(VAN) are more reliable and secure than the Internet, but
they are also expensive.
Communications Software
Communications software manages the flow of data across
a network. It performs the following functions:
–access control
–network management
–data and file transmission
Companies build a virtual private network (VPN) to –error detection and control
improve reliability and security, while still taking advantage –data security
of the Internet.
Communications Channels
Data Communications System Components A communications channel is the medium that connects
There are five basic components in any data the sender and the receiver.
communication network (whether it is the Internet, a LAN, –standard telephone lines
a WAN, or a VAN): –coaxial cables
–fiber optics
1.The sending device –microwave systems
2.The communications interface device –communications satellites
3.The communications channel –cellular radios and telephones
4.The receiving device
5.Communication software Communications Channels
Data Communications System Components
The following are components of the data communications
model:
–interface devices
–communications software
–communications channel
PE1
In a centralized WAN, all terminals and other devices are

connected to a central corporate computer.
In a decentralized WAN, each departmental unit has its

own computer and LAN. Decentralized systems usually are
better able to meet individual department and user needs
Network Configuration Options than are centralized systems.
Local area networks (LANs) can be configured in one of
three basic ways:
1. Star configuration
2. Ring configuration
3. Bus configuration A distributed data processing system WAN is essentially a
hybrid of the centralized and decentralized approaches.
A star configuration is a LAN configured as a star; each Many WANs, and most LANs, are set up as client/server
device is directly connected to the central server. All systems.
communications between devices are controlled by and
routed through the central server. Typically, the server
polls each device to see if it wants to send a message. The
star configuration is the most expensive way to set up a
LAN, because it requires the greatest amount of wiring.
Each desktop computer is referred to as a client. The client

sends requests for data to the servers. The servers perform
preprocessing on the database and send only the relevant
subset of data to the client for local processing.
CHAPTER 4
In a LAN configured as a ring, each node is directly linked
to two other nodes
RELATIONAL DATABASES
Types of Files
Two basic types of files are used to store data.
1. The master file, which is conceptually similar to a ledger
in a manual system.
2. The transaction file, which is conceptually similar to a
In a LAN configured as a bus, each device is connected to journal in a manual system.
the main channel, or bus. Communication control is
decentralized on bus networks File Approach
For many years, companies created new files and programs
each time an information need arose. This proliferation of
master files created problems:
1. Often the same data was stored in two or more separate
files.
2. The specific data values stored in the different files were
not always consistent.
File-Oriented Approach
Wide area networks (WANs) can be configured in one of
three basic ways:
1. Centralized system
2. Decentralized system
3. Distributed data processing
PE1
The DBMS controls the database so that users can access,

query, or update it without reference to how or where the
data are physically stored. Program-data independenceis
the separation of the logical and physical views of data.
Schemas
A schema describes the logical structure of a database.
There are three levels of schemas:
1. Conceptual-level schema
2. External-level schema
3. Internal-level schema
The conceptual-level schema is an organization-wide view
Databases of the entire database. The external-level schema consists
The database approach views data as an organizational of a set of individual user views of portions of the
resource that should be used by, and managed for, the database, also referred to as a subschema. The internal-
entire organization, not just the originating department or level schema provides a low-level view of the database.
function. Its focus is data integration and data sharing.
Integration is achieved by combining master files into
larger pools of data that can be accessed by many
application programs.
Database management system(DBMS) is the program that
manages and controls access to the database. Database
systemis the combination of the database, the DBMS, and
the application program that uses the database. Database
administrator(DBA) is the person responsible for the
database.
Database Approach
Mapping conceptual level facts to internal level

descriptions
Inventory
The Data Dictionary
The data dictionarycontains information about the
structure of the database. For each data element stored in
Relational Databases the database, such as the customer number, there is a
A data modelis an abstract representation of the contents corresponding record in the data dictionary describing it.
of a database. The relational data modelrepresents The data dictionary is often one of the first applications of
everything in the database as being stored in the form of a newly implemented database system.
tables. Technically, these tables are called relations.Each
row in a relation, called a tuple, contains data about a What are some inputs to the data dictionary?
specific occurrence of the type of entity represented by –records of any new or deleted data elements
that table. –changes in names, descriptions, or uses of existing data
elements
Logical and Physical Views of Data
A major advantage of database systems over file-oriented What are some outputs of the data dictionary?
systems is that the database systems separate the logical –reports useful to programmers, database designers, and
and physical view of data. users of the information system
What is the logical view? What are some sample reports?
It is how the user or programmer conceptually organizes –lists of programs in which a data item is used
and understands the data. –lists of all synonyms for the data elements in a particular
It refers to how and where the data are physically file
arranged and stored on disk, tape, CD-ROM, or other
media.
PE1
DBMS Languages In the text, if a particular Inventory item were

Every DBMS must provide a means of performing the three discontinued and hence removed from the database table,
basic functions: we would lose information on the customer associated
1. Creating the database with that inventory item as well.
2. Changing the database
3. Querying the database Approaches to Database Design
Normalization
The sets of commands used to perform these functions are Starts with the assumption that all data is initially stored
referred to as the data definition, data manipulation, and in a large non-normalized table.
data query languages. This table is then decomposed using a set of
normalization rules to create a set of tables in the Third
DDL Language Normal Form.
The data definition language (DDL) is used to...
–build the data dictionary. Semantic Data Modeling
–initialize or create the database. The database designer uses his/her knowledge about the
–describe the logical views for each individual user or business structure to create a set of relational tables.
programmer.
–specify any limitations or constraints on security imposed Database Systems and theFuture of Accounting
on database record or fields. Database systems have the potential to significantly alter
the nature of external reporting. Perhaps the most
DML Language significant effect of database systems will be in the way
The data manipulation language (DML) is used for data that accounting information is used in decision making.
maintenance.
What does it include?
–updating portions of the database CHAPTER 5
–inserting portions of the database
–deleting portions of the database DATA MODELLING AND DATABASE DESIGN
DQL Language
The data query language (DQL) is used to interrogate the
database. The DQL retrieves, sorts, orders, and presents Six basic steps in designing and implementing a database
subsets of the database in response to user queries. system:
1.Initial planning to determine the need for and feasibility
Basic Requirements of the Relational Data Model of developing a new system (planning stage).
1.Each column in a row must be single valued. 2.Identifying user needs (requirements analysis stage).
2.Primary keys cannot be null. 3.Developing the contextual-, external-and internal-level
3.Foreign keys, if not null, must have values that schemas (design stage).
correspond to the value of a primary key in an other Designing and Implementing a Database System
relation. 4.Translating the internal-level schema into the actual
4.All non-key attributes in a table should describe a database structures that will be implemented in the new
characteristic about the object identified by the primary system (coding stage).
key. 5.Transferring all data from the existing system to the new
database (implementation stage).
Anomalies That May Occur in Non-Normalized Relational 6.Using and maintaining the new system (operation and
Tables maintenance stage).
Update Anomaly: When changes (updates) to data values
are not correctly recorded. The REA Data Model
Data modeling is the process of defining a database so
Instead of having to update once, each record ni the that it faithfully represents all aspects of the organization,
single table has to be updated individually in order to avoid including its interactions with the external environment.
inconsistencies in the database. The REA (Resources, Data, Events) data model is a
conceptual modeling tool that focuses on the business
Insert Anomaly: There is no way to store information about semantics underlying an organization’s value chain
one entity in the database without it being associated with activities.
another entity
The REA Data Model
In the text, we would not be able to store information on
new customers without their being associated with
transactions first!
Delete Anomaly: Unintended results arising from deleting a
row of data pertaining to one entity and resulting in the
deletion of data regarding another entity as well.
PE1
The REA data model provides structure in two ways:

1. By identifying what entities should be included in the AIS
database
2. By prescribing how to structure relationships among the
entities in the AIS database
Types of Entities
An entity is any class of objects about which data is
collected. The REAdata model classifies entities into three
distinct categories:
1. Resources acquired and used by an organization
2. Events engaged in by the organization
3. Agents participating in these events
Resources are defined as those things that have economic
value to the organization. What are some examples?
–cash
–inventory
–equipment
Events are the various business activities about which
management wants to collect information for planning or
control purposes. REA Diagram, Step 1: Identify Economic Exchange Events
What are some examples? In drawing an REA diagram for an individual cycle, it is
useful to divide the paper into three columns, one for each
–sales events type of entity.
–taking customer orders Left column should be used for resources.
Middle column shouldbe used for events.
Agents are the third type of entity in the REA model. Right column should be used for agents.
Agents are the people and organizations that participate in
events and about whom information is desired. The basic economic exchange in the revenue cycle involves
the sale of goods or services and the subsequent receipt of
What are some examples? cash in payment for those sales. The REA diagram for S&S’s
–employees revenue cycle shows the drawing of sales and cash receipts
–customers events entities as rectangles and the relationship between
Developing an REA Diagram them as a diamond.
Developing an REA diagram for a specific transaction cycle REA Diagram, Step 2: Identify Resources and Agents
consists of four steps: Once the events of interest have been specified, the
1. Identify the pair of events that represent the basic give- resources that are affected by those events need to be
to-get economic duality relationship in that cycle. identified. The sales event involves the disposal of
2. Identify the resources affected by each event and the inventory. The cash receipts event involves the acquisition
agents who participate in those events. of cash. After specifying the resources affected by each
3.Analyze each economic exchange event to determine event, the next step is to identify the agents who
whether it should be decomposed into a combination of participate in those events. There will always be at least
one or more commitment events and an economic one internal agent (employee) and, in most cases, an
exchange event. If necessary, replace the original external agent (customer).
economic exchange event with the resulting set of
commitment and economic exchange events. REA Diagram, Step 3: Include Commitment Events
4.Determine the cardinalities of each relationship. The third step in drawing an REA diagram is analyzing each
economic exchange event to determine whether it can be
Basic REA template decomposed into a combination of one or more
commitment exchange events.
PE1
Example: The sales event may be decomposed into the

take order‖ commitment event and the ―deliver order‖
economic exchange event
The maximum cardinalityof a relationship indicates
whether each row in that entity CAN be linked to more
than one row in the entity on the other side of the
relationship. Maximum cardinalities can be either 1 or N. A
minimum cardinality of 1 means that each row in that
table can be linked to at most only 1 row in the other
table. A maximum cardinality of N means that each row in
that table MAY be linked to more than one row in the
other table.
The maximum cardinality of N in the (0, N) cardinality pair
to the left of the customer entity in the customer-sales
relationship indicates that a given customer MAY be linked
to many sales events.
The maximum cardinality of 1 in the (1, 1) cardinality pair

to the right of the sales entity in the customer-sales
relationship indicates that a given sales transaction can
only be linked to one customer.(1,1)
Cardinalities are not arbitrarily chosen by the database

designer. They reflect facts about the organization being
modeled and its business practices obtained during the
requirements analysis stage of the database design
process.
REA Diagram, Step 4: Determine Cardinalities Relationships between Entities Three basic types of
Cardinalities indicate how many instances of one entity can relationships between entities are possible, depending on
be linked to one specific instance of another entity. the maximumcardinality associated with each entity. They
Cardinalities are often expressed as a pair of numbers. The are:
first number is the minimum, and the second number is 1.A one-to-one relationship (1:1)
the maximum.
The minimum cardinalityof a relationship indicates
whether each row in that entity MUST be linked to a row in
the entity on the other side of the relationship. Minimum
cardinalities can be either 0 or 1. A minimum cardinality of
zero means that a new row can be added to that table 2.A one-to-many relationship (1:N)
without being linked to any rows in the other table. A
minimum cardinality of 1 means that each row in that
table MUST be linked to at least one row in the other table
The minimum cardinality of zero in the (0, N) cardinality
pair to the left of the customer entity in the customer-sales
relationship indicates that a new customer may be added
to the database without being linked to any sales events.
3.A many-to-many relationship (M:N)

The minimum cardinality of 1 in the (1, 1) cardinality pair
to the right of the sales entity in the customer-sales
relationship indicates that a new sales transaction CAN
ONLY be added if it is linked to a customer.(1,1)
PE1
Entity-Relationship Diagram
An Entity-Relationship (E-R) diagram is one method for
portraying a database schema. It is called an E-R diagram
because it shows the various entitiesbeing modeled and
the important relationshipsamong them. In an E-R
diagram, entities appear as rectangles, and relationships
between entities are represented as diamonds.
Implementing an REA Diagram in a Relational Database
An REA diagram can be used to design a well-structured
relational database. A well-structured relational database
is one that is not subject to update, insert, and delete
anomaly problems.
Implementing an REA diagram in a relational database is a
three-step process:
1.Create a table for each distinct entityand for each many-
to many relationship
2.Assign attributes to appropriate tables
3.Use foreign keys to implement one-to-one and one-to-
many relationships
Create Tables
From the previously discussed REA diagram, nine tables
would be created: one for each of the seven entities and
one for each of the many-to-many relationships.
1.Inventory
2.Purchases
3.Employees
4.Vendors
5.Cashier
6.Cash disbursements
7.Cash
8.Purchases-inventory
9.Purchases-cash disbursements
Implement One-to-One and One-to-Many Relationships
Assign Attributesfor Each Table One-to-One Relationships: In a relational database, one-to-
Primary keys: Usually, the primary key of a table one relationships between entities can be implemented by
representing an entity is a single attribute. including the primary key of one entity as a foreign key in
the table representing the other entity.
Other Attributes: Additional attributes are included in each
table to satisfy transaction processing requirements. No examples of 1:1 relationships in the sample diagram
Sample E-R Diagram based on REA One-to-Many Relationships: In a relational database, one-
to-many relationships can be also implemented in relation
to databases by means of foreign keys. The primary key of
the entity with the maximum cardinality of N becomes a
foreign key in the entity with a maximum cardinality of 1
Examples: Employee number and vendor number are
foreign keys in the purchases event and in the cash
disbursement event
Documentation of Business Practices
REA diagrams are especially useful for documenting an
advanced AIS built using databases. REA diagrams provide
information about the organization’s business practices.
The zero minimum for the sales event indicates that credit
sales are made . The N maximum for the sales event means
that customers may make installment payments
PE1
CHAPTER 6
SYSTEMS DEVELOPMENT AND

DOCUMENTATION TECHNIQUES
Documentation of Business Practices
The one minimum for the cash receipts event indicates
that cash is not received prior to delivering the DATA FLOW DIAGRAMS
merchandise. The N maximum for the cash receipts event A data flow diagram (DFD) graphically describes the flow of
means that customers may pay for several sales with one data within an organization. It is used to:
check Document existing systems
Plan and design new systems
There is no black-and-white approach to developing a DFD.
Due to the fact that S&S sells mass-produced goods, its

REA diagram models the relationship between sales and
inventory as being many-to-many. An REA diagram for a
rare art dealer would depict the relationship between sales
and inventory as being one-to-many.
Extracting Information From the AIS
A complete REA diagram serves as a useful guide for
querying an AIS database. Queries can be used to generate
journals and ledgers from a relational database built on the
REA model.
Each sales transaction is paid in full by a cash collection

event. Each customer payment may be for more than one A data flow diagram consists of four basic elements:
sale. What is the query logic? Total accounts receivable is Data sources and destinations
the sum of all sales for which there is no remittance Data flows
number. Transformation processes
Data stores
Data sources and destinations
Appear as squares
 Represent organizations or individuals that send or
Each sales transaction can be paid in installments. Each receive data used or produced by the system
customer payment is for just one sale. An item can be both a source and a destination
What is the query logic?
(1) sum all sales;
(2) sum cash collections; then A/R = (1)-(2)
Data flows
Appear as arrows
 Represent the flow of data between sources and
Each sales transaction is paid in full by a cash collection destinations, processes, and data stores
event. Each customer payment is for one sale. What is the
query logic? Total accounts receivable is the sum of all
sales for which there is no remittance number.
As you probably surmised from the previously, if a data
flow is two-way, use a bi-directional arrow.
PE1
If two data elements flow together, then the use of one

data flow line is appropriate.Customer
If the data elements do not always flow together, then

multiple lines will be needed.
Transformation processes
Appear as circles
Represent the transformation of data
Data stores
Appear as two horizontal lines
Represent a temporary or permanent repository of data
Data dictionary:
Data flows and data stores are typically collections of data
elements. EXAMPLE: A data flow labeled student
informationmight contain elements such as student name,
date of birth, ID number, address, phone number, and
major.
The data dictionary contains a description of all data
elements, data stores, and data flows in a system.
Subdividing the DFD:
Few systems can be fully diagrammed on one sheet of
paper, and users have needs for differing levels of detail.
Consequently, DFDs are subdivided into successively
lower levels to provide increasing amounts of detail.
The highest level of DFD is called a context diagram.
It provides a summary-level view of the system.
It depicts a data processing system and the external
entities that are:
•Sources of its input
•Destinations of its output
PE1
DATA FLOW DIAGRAMS

We’re going to go through a partial example of how the
first level of detail was created. But before we do, let’s
step through some guidelines on how to create a DFD.
RULE 1: Understand the system. Observe the flow of
information and interview people involved to gain that
understanding.
RULE 2: Ignore control processes and control actions (e.g.,
error corrections). Only very critical error paths should be
included.
You may wish to create a table with the following headings
RULE 3: Determine the system boundaries—where it starts to organize your information:
and stops. If you’re not sure about a process, include it for Data Inputs
the time being. Processes
Data Outputs
RULE 4: Draw the context diagram first, and then draw
successively greater levels of detail. The first paragraph of the narrative for the payroll
process reads as follows:
RULE 5: Identify and label all data flows. The only ones that When employees are hired, they complete a new
do not have to be labeled are those that go into or come employee form. When a change to an employee’s payroll
out of data stores. status occurs, such as a raise or a change in the number of
exemptions, human resources completes an employee
RULE 6: Data flows that always flow together should be change form. A copy of these forms is sent to payroll.
grouped together. Those that do not flow together should
be shown on separate lines. These forms are used to create or update the records in the
employee/payroll file and are then stored in the file.
RULE 7: Show a process (circle) wherever a data flow is Employee records are stored alphabetically.
converted from one form to another. Likewise, every
process should have at least one incoming data flow and at The portion first paragraph relates to activities that go on
least one outgoing data flow. outside the boundaries of the payroll system.
Consequently, these activities will not be included on the
RULE 8: Transformation processes that are logically related DFD.
or occur simultaneously can be grouped in one bubble.
The portion marked underline suggests two data flows
RULE 9: Number each process sequentially. A process coming into the payroll process (new employee forms and
labeled 5.0 would be exploded at the next level into employee change forms). The source of the inflows is the
processes numbered 5.1, 5.2, etc. A process labeled 5.2 human resources department.
would be exploded into 5.21, 5.22, etc.
RULE 10: Process names should include action verbs, such
as update, prepare, etc.
RULE 11: Identify and label all data stores, whether
temporary or permanent.
RULE 12: Identify and label all sources and destinations. An
entity can be both a source and destination. You may wish
to include such items twice on the diagram, if needed, to
avoid excessive or crossing lines.
RULE 13: As much as possible, organize the flow from top The sentence marked in italic suggests a process (update
to bottom and left to right. employee records) with the data outflow going to a data
store (the employee/payroll file). The final sentence
RULE 14: You’re not likely to get it beautiful the first time, (Employee records are stored alphabetically ) provides
so plan to go through several iterations of refinements. information about the physical storage of the data.
Physical information is utilized in flowcharts but not in data
RULE 15: On the final copy, lines should not cross. On each flow diagrams.We will not do the entire DFD, however, you
page, include: could finish this table by reading the remainder of the
The name of the DFD narrative in Table 3-1 in your textbook.
The date prepared
The preparer’s name Keep the following in mind as you develop your DFD:
Now that we’ve been through the guidelines for  Remember to ignore control activities, such as error
developing DFDs, let’s go back to the chapter example and correction processes.
see if we can re-create a part of it.
PE1
Some data inputs and outputs will not appear on the first Unnecessarily complex document flows
level of the DFD but appear as the processes are exploded Procedures that cause wasteful delays
into greater levels of detail.
The data flow diagram focuses on the logical flow of data.
FLOWCHARTS
A flowchart is an analytical technique that describes some
aspect of an information system in a clear, concise, and
logical manner. Flowcharts use a set of standard symbols
to depict processing procedures and the flow of data.
Flowcharting History:
–Introduced in 1950s by industrial engineers to document
business processes and document flows for process
improvement.
–Sarbanes-Oxley 2002 increased importance by requiring
companies to document business processes and internal
controls procedures.
Every shape on a flowchart depicts a unique operation,
input, processing activity, or storage medium. In the days
of yore, flowcharts were manually created using plastic
templates. Most flowcharts are now drawn using a
software program such as Visio.
Microsoft and Power Point are also used.
The software uses pre-drawn shapes, and the developer
drags the shapes into the drawing.
There are four types of flowcharting symbols:
Input/output symbols
Input/output symbols indicate the type of device or media
that provides input to or records output from a process.
Processing symbols
Processing symbols indicate the type of device used to
process the data or whether the data is processed
manually.
Storage symbols
Storage symbols indicate the type of device used to store
data while the system is not using it.
Flow and miscellaneous symbols
Flow and miscellaneous symbols may indicate:
–The flow of data and goods
–The beginning or end of the flowchart
–The location of a decision
–An explanatory note
DOCUMENT FLOWCHARTS
A document flowchart shows the flow of documents and
information among areas of responsibility in an
organization. These flowcharts trace a document from
cradle to grave and show:
Where a document comes from
Where it’s distributed
How it’s used
It’s ultimate disposition
Everything that happens as it flows through the system
Internal control flowcharts are document flowcharts used
to evaluate the adequacy of internal controls, such as
segregation of duties or internal checks.They can reveal
weaknesses or inefficiencies such as:
Inadequate communication flows
PE1
One approach you can use is to read through the

narrative and for each step define:
•What was (were) the input(s)
•What process was carried out
•What was (were) the output(s)
Every manual process should have at least one input and

at least one output.
Show all data entered into or retrieved from a computer
file as passing through a process first.
Do not show process symbols for:
•Forwarding a document to another entity
•Filing a document
Do not connect two documents except when forwarding
to another column.
•When a document is forwarded, show it in both
locations.
Show forwarded document in both locations
 When using multiple copies of a document, place
document numbers in the upper, right-hand corner.
Show on-page connectors and label them clearly to avoid
excess flow lines.
Use off-page connectors if the flow goes to another page.
Are there other off-page connectors on this flowchart?
If a flowchart takes more than one page, label the pages
GUIDELINES FOR PREPARING FLOWCHARTS as 1 of 5, 2 of 5, 3 of 5, etc.
Let’s step through some guidelines for preparing Show documents or reports first in the column where
flowcharts: they are created.
As with DFDs, you can’t effectively prepare a flowchart if Start with a rough draft; then redesign to avoid clutter
you don’t understand the system, so: and crossed lines.
•Interview users, developers, auditors, and management Verify the accuracy of your flowchart by reviewing it with
•Administer questionnaires users, etc.
•Read through narratives Place the flowchart name, the date, and the preparer’s
•Walk through systems transactions name on each page of the final copy.
Identify: Now that we’ve looked at document flowcharts and
•Entities to be flowcharted, e.g., departments, functions, guidelines for creating flowcharts, let’s take a brief look at
external parties (the parties who ―do‖ things in the story) system flowcharts. A system flowchart depicts the
•Documents or information flows relationship among the inputs, processes, and outputs of
•Processes an AIS. The system flowchart begins by identifying the
inputs to the system.
As you read through a narrative, you may want to mark
the preceding items with different shapes (e.g., drawing a
rectangle around entities, circling documents, etc.). SYSTEM FLOWCHARTS
A system flowchart depicts the relationship among the
Use separate columns for the activity of each entity. inputs, processes, and outputs of an AIS. The system
•Example: If there are three different departments or flowchart begins by identifying the inputs to the system.
functions that ―do‖ things in the narrative, there would be Each input is followed by a process, i.e., the steps
three columns on the flowchart. performed on the data.
•If the process is performed by a computer, the logicof the
Flowchart the normal course of operations, and identify computer program would be depicted in a program
exceptions with annotations. flowchart.
As much as possible, the flow should go from top to
bottom and left to right. inputs can be:
Use standard flowcharting symbols, and draw with a –New data
template or computer. –Data stored for future use
 Clearly label all symbols. Use annotations if necessary to –Both
provide adequate explanation.
Give the flowchart a clear beginning and ending. output may be:
•Show where each document originated and its –Stored for later use
final disposition.
PE1
–Displayed on a screen Now let’s change the story so that students enter
–Printed on paper enrollment data online. The registrar’s office sends a tape
–An input to the next process file of the enrollment data to the bursar’s office and
continues to send paper class lists to faculty.
PROGRAM FLOWCHARTS
Program flowcharts illustrate the sequence of logical
operations performed by a computer in executing a
program. hey also follow an input—process—output
pattern.
Moral of the story: Changes in the physical characteristics

of the process do affect the flowchart but have little or no
impact on the DFD.
FLOWCHARTS VS. DFDs The DFD focuses more on the logic.
Now that we’ve examined both flowcharts and DFDs, it When deciding which tool to employ, consider the
may be useful to discuss the differences again. DFDs place information needs of those who will view it.
a heavy emphasis on the logical aspects of a system.
Flowcharts place more emphasis on the physical
characteristics of the system. CHAPTER 7
EXAMPLE: The registrar’s office of a small college receives COMPUTER-BASED INFORMATION

paper enrollment forms from students. They sort these
records alphabetically and then update the student record SYSTEMS CONTROLS
file to show the new classes.They also prepare class lists
from the same data. The sorted enrollment forms are Threats to Accounting Information Systems
forwarded to the bursar’s office for billing purposes. Class What are examples of natural and politicaldisasters?
lists are mailed to faculty members. –fire or excessive heat
–floods
–earthquakes
–high winds
–war
What are examples of software errors andequipment
malfunctions?
–hardware failures
–power outages and fluctuations
–undetected data transmission errors
What are examples of unintentional acts?
–accidents caused by human carelessness
–innocent errors of omissions
–lost or misplaced data
–logic errors
–systems that do not meet company needs
What are examples of intentional acts?
–sabotage
–computer fraud
–embezzlement
PE1
1. Control environment
Why are AIS Threats Increasing? 2. Control activities
Increasing numbers of client/server systems mean that 3. Risk assessment
information is available to an unprecedented number of 4. Information and communication
workers. Because LANs and client/server systems 5. Monitoring
distribute data to many users, they are harder to control
than centralized mainframe systems. WANs are giving Information Systems Auditand Control Foundation
customers and suppliers access to each other’s systems The Information Systems Audit and Control Foundation
and data, making confidentiality a concern. (ISACF) recently developed the Control Objectives for
Information and related Technology (COBIT). COBIT
Overview of Control Concepts consolidates standards from 36 different sources into a
What is the traditional definition of internal control? single framework. The framework addresses the issue of
Internal control is the plan of organization and the control from three vantage points, or dimensions:
methods a business uses to safeguard assets, provide
accurate and reliable information, promote and improve 1. Information: needs to conform to certain criteria that
operational efficiency, and encourage adherence to COBIT refers to as business requirements for information
prescribed managerial policies. 2. IT resources: people, application systems, technology,
facilities, and data
Overview of Control Concepts 3. IT processes: planning and organization, acquisition and
What is management control? implementation, delivery and support, and monitoring
Management control encompasses the following three
features: The Control Environment
1. It is an integral part of management responsibilities. The first component of COSO’s internal control model is
2. It is designed to reduce errors, irregularities, and achieve the control environment. The control environment consists
organizational goals. of many factors, including the following:
3. It is personnel-oriented and seeks to help employees 1. Commitment to integrity and ethical values
attain company goals. 2. Management’s philosophy and operating style
3. Organizational structure
4. The audit committee of the board of directors
5. Methods of assigning authority and responsibility
Internal Control Classifications 6. Human resources policies and practices
The specific control procedures used in the internal control 7. External influences
and management control systems may be classified using
the following four internal control classifications: Control Activities
The second component of COSO’s internal control model is
1. Preventive, detective, and corrective controls control activities. Generally, control procedures fall into
2. General and application controls one of five categories:
3. Administrative and accounting controls 1. Proper authorization of transactions and activities
4. Input, processing, and output controls 2. Segregation of duties
The Foreign Corrupt Practices Act 3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
Committee of Sponsoring Organizations (COSO) 5. Independent checks on performance
The Committee of Sponsoring Organizations (COSO) is a
private sector group consisting of five organizations: Proper Authorization of Transactions and Activities
1. American Accounting Association Authorizationis the empowerment management gives
2. American Institute of Certified Public Accountants employees to perform activities and make decisions.
3. Institute of Internal Auditors
4. Institute of Management Accountants Digital signatureor fingerprint is a means of signing a
5. Financial Executives Institute document with a piece of data that cannot be forged.
In 1992, COSO issued the results of a study to develop a Specific authorizationis the granting of authorization by
definition of internal controls and to provide guidance for management for certain activities or transactions.
evaluating internal control systems. The report has been
widely accepted as the authority on internal controls. Segregation of Duties
Good internal control demands that no single employee
The COSO study defines internal control as the process be given too much responsibility. An employee should not
implemented by the board of directors, management, and be in a position to perpetrate and conceal fraud or
those under their direction to provide reasonable unintentional errors.
assurance that control objectives are achieved with regard
to:
–effectiveness and efficiency of operations
–reliability of financial reporting
–compliance with applicable laws and regulations
COSO’s internal control model has five crucial
components:
PE1
4. A line count is the number of lines of data entered.

5. A cross-footing balance test compares the grand total of
all the rows with the grand total of all the columns to
check that they are equal.
Risk Assessment
The third component of COSO’s internal control model is
risk assessment. Companies must identify the threats they
face:
–strategic —doing the wrong thing
–financial —having financial resources lost, wasted, or
stolen
–information —faulty or irrelevant information, or
If two of these three functions are the responsibility of a unreliable systems
single person, problems can arise. Segregation of duties
prevents employees from falsifying records in order to Companies that implement electronic data interchange
conceal theft of assets entrusted to them. Prevent (EDI) must identify the threats the system will face, such
authorization of a fictitious or inaccurate transaction as a as:
means of concealing asset thefts. 1. Choosing an inappropriate technology
2. Unauthorized system access
Segregation of duties prevents an employee from falsifying 3. Tapping into data transmissions
records to cover up an inaccurate or false transaction that 4. Loss of data integrity
was inappropriately authorized. 5. Incomplete transactions
6. System failures
Design and Use of Adequate Documents and Records 7. Incompatible systems
The proper design and use of documents and records helps
ensure the accurate and complete recording of all relevant Some threats pose a greater risk because the probability of
transaction data. Documents that initiate a transaction their occurrence is more likely. For example: A company is
should contain a space for authorization. The following more likely to be the victim of a computer fraud rather
procedures safeguard assets from theft, unauthorized use, than a terrorist attack. Risk and exposure must be
and vandalism: considered together.
–effectively supervising and segregating duties Learning
–maintaining accurate records of assets, including
information Estimate Cost and Benefits
–restricting physical access to cash and paper assets No internal control system can provide foolproof
–having restricted storage areas protection against all internal control threats. The cost of a
foolproof system would be prohibitively high. One way to
calculate benefits involves calculating expected loss.
Adequate Safeguards ofAssets and Records
What can be used to safeguard assets? Expected loss = risk × exposure
–cash registers Information and Communication
–safes, lockboxes The fourth component of COSO’s internal control model is
–safety deposit boxes information and communication. Accountants must
–restricted and fireproof storage areas understand the following:
–controlling the environment
–restricted access to computer rooms, computer files, and 1.How transactions are initiated
information 2.How data are captured in machine-readable form or
converted from source documents
Independent Checkson Performance 3.How computer files are accessed and updated
Independent checks ensure that transactions are 4.How data are processed to prepare information
processed accurately are another important control 5.How information is reported
element. 6.How transactions are initiated
What are various types of independent checks? All of these items make it possible for the system to have
–reconciliation of two independently maintained sets of an audit trail. An audit trail exists when individual company
records transactions can be traced through the system.
–comparison of actual quantities with recorded amounts
–double-entry accounting Monitoring Performance
–batch totals The fifth component of COSO’s internal control model is
monitoring.
Five batch totals are used in computer systems:
1. A financial total is the sum of a dollar field. What are the key methods of monitoring performance?
2. A hash total is the sum of a field that would usually not –effective supervision
be added. –responsibility accounting
Independent Checkson Performance –internal auditing
3. A record count is the number of documents processed.
PE1
•Periodic testing and revision

CHAPTER 8 •Complete documentation
COMPUTER CONTROLS AND SECURITY Developing a Security Plan

Developing and continuously updating a comprehensive
security plan is one of the most important controls a
company can identify.
The Four Principles of a Reliable System
1.Availabilityof the system when needed. What questions need to be asked?
2.Securityof the system against unauthorized physical and Whoneeds access to whatinformation?
logical access. Whendo they need it?
3.Maintainabilityof the system as required without On whichsystems does the information reside?
affecting its availability, security, and integrity.
4.Integrityof the system to ensure that processing is Segregation of Duties Withinthe Systems Function
complete, accurate, timely, and authorized. In a highly integrated AIS, procedures that used to be
The Criteria Used To Evaluate Reliability Principles performed by separate individuals are combined. Any
person who has unrestricted access to the computer, its
For each of the four principles of reliability, three criteria programs, and live data could have the opportunity to both
are used to evaluate whether or not the principle has been perpetrate and conceal fraud. To combat this threat,
achieved. organizations must implement compensating control
1.The entity has defined, documented, and communicated procedures.
performance objectives, policies, and standards that
achieve each of the four principles. Authority and responsibility must be clearly divided among
2.The entity uses procedures, people, software, data, and the following functions:
infrastructure to achieve each principle in accordance with 1.Systems administration
established policies and standards. 2.Network management
3.The entity monitors the system and takes action to 3.Security management
achieve compliance with the objectives, policies, and 4.Change management
standards for each principle. 5.Users
6.Systems analysis
Controls Related to More Than One Reliability Principle 7.Programming
- Strategic Planning & Budgeting 8.Computer operations
- Developing a Systems Reliability Plan 9.Information system library
- Documentation 10.Data control
Documentation may be classified into three basic It is important that different people perform these
categories: functions. Allowing a person to perform two or more of
Administrative documentation: Describes the standards them exposes the company to the possibility of fraud.
and procedures for data processing.
 Systems documentation: Describes each application
system and its key processing functions. Physical Access Controls
Operating documentation: Describes what is needed to How can physical access security be achieved?
run a program. –Place computer equipment in locked rooms and restrict
access to authorized personnel
Availability –Have only one or two entrances to the computer room
Minimizing Systems Downtime –Require proper employee ID
Preventive maintenance –Require that visitors sign a log
•UPS –Use a security alarm system
•Fault tolerance –Restrict access to private secured telephone lines and
terminals or PCs.
Disaster Recovery Plan –Install locks on PCs.
•Minimize the extent of disruption, damage, and loss –Restrict access of off-line programs, data and equipment
•Temporarily establish an alternative means of processing –Locate hardware and other critical system components
information away from hazardous materials.
•Resume normal operations as soon as possible –Install fire and smoke detectors and fire extinguishers
Availability that don not damage computer equipment
•Train and familiarize personnel with emergency
operations Logical Access Controls
•Priorities for the recovery process Users should be allowed access only to the data they are
•Insurance authorized to use and then only to perform specific
•Backup data and program files authorized functions.
•Electronic vaulting
•Grandfather-father-son concept What are some logical access controls?
•Rollback procedures –passwords
•Specific assignments –physical possession identification
•Backup computer and telecommunication facilities –biometric identification
PE1
–compatibility tests  Require all requests to be submitted in

standardized format
Protection of PCs and Client/Server Networks  Log and review requests form authorized users for
Many of the policies and procedures for mainframe control changes and additions to systems
are applicable to PCs and networks.  Assess the impact of requested changes on system
The following controls are also important: reliability objectives, policies and standards
Train users in PC-related control concepts.  Change Management Controls,continued
Restrict access by using locks and keys on PCs.  Categorize and rank all changes using established
Establish policies and procedures. priorities
Protection of PCs and Client/Server Networks  Implement procedures to handle urgent matters
Portable PCs should not bestored in cars.  Communicate all changes to management
Keep sensitive data in the most secure environment  Require IT management to review, monitor, and
possible. approve all changes to software, hardware and
Install software that automatically shuts down a terminal personnel responsibilities
after its been idle for a certain amount of time.  Assign specific responsibilities to those involved in
Back up hard disks regularly. the change and monitor their work.
Encrypt or password protect files.
Build protective walls around operating systems.  Change Management Controls,continued
Ensure that PCs are booted up within a secure system.  Control system access rights to avoid unauthorized
Use multilevel password controls to limit employee systems and data access
access to incompatible data.  Make sure all changes go through the appropriate
Use specialists to detect holes in the network. steps
 Test all changes
Internet and e-Commerce Controls  Make sure there is a plan for backing our of any
Why caution should be exercised when conducting changes in the event they don’t work properly
business on the Internet.  Implement a quality assurance function
–the large and global base of people that depend on the  Update all documentation and procedures when
Internet change is implemented
–the variability in quality, compatibility, completeness, and
stability of network products and services Integrity
Internet and e-Commerce Controls A company designs general controlsto ensure that its
–access of messages by others overall computer system is stable and well managed.
–security flaws in Web sites Application controls prevent, detect and correct errors in
–attraction of hackers to the Internet transactions as they flow through the various stages of a
What controls can be used to secure Internet activity? specific data processing program.
–passwords
–encryption technology Integrity: Source Data Controls
–routing verification procedures Companies must establish control procedures to ensure
Internet and e-Commerce Controls that all source documents are authorized, accurate ,
Another control is installing a firewall, hardware and complete and properly accounted for, and entered into the
software that control communications between a system or sent ot their intended destination in a timely
company’s internal network (trusted network) and an manner.
external network.
Source data controls include:
The firewall is a barrier between the networks that does Integrity: Source Data Controls
not allow information to flow into and out of the trusted Forms design
network. Electronic envelopes can protect e-mail messages Prenumbered forms sequence test
Turnaround documents
Maintainability Cancellation and storage of documents
Two categories of controls help ensure the maintainability Authorization and segregation of duties
of a system: Visual scanning
Project development and acquisition controls Check digit ve rification
Change management controls Key verification
Project Development and Acquisition Controls Integrity:Input Validation Routines

Project development and acquisition controls include: Input validation routines are programs the check the
Strategic Master Plan integrity of input data. They include:
Project Controls Limit check
Data Processing Schedule Range check
System Performance Measurements Reasonableness test
Postimplementation Review Redundant data check
Sequence check
Change Management Controls Field check
Change management controls include: Sign check
 Periodically review all systems for needed changes Validity check
Capacity check
PE1
2. Electronic identification should be required for all

Integrity: On-line Data Entry Controls authorized network terminals.
The goal of on-line data entry control is to ensure the 3. Strict logical access control procedures are essential,
integrity of transaction data entered from on-line with passwords and dial-in phone numbers changed on a
terminals and PCs by minimizing errors and omissions. regular basis.
4. Encryption should be used to secure stored data as well
They include: as data being transmitted.
 Field, limit, range, reasonableness, sign, validity, 5. Details of all transactions should be recorded in a log
redundant data checks that is periodically reviewed.
 User ID numbers
 Compatibility tests CHAPTER 9
 Automatic entry of transaction data, where
possible
 Prompting COMPUTER FRAUD
 Preformatting
 Completeness check
 Closed-lop verification
 Transaction log The Fraud Process
 Error messages Most frauds involve three steps.
 The theft ofsomething
 Retain data for legal purposes
 The conversionto cash
Controls to help preserve the integrity of data processing  Theconcealment
and stored data:
Policies and procedures What is a common way to hide a theft?
Data control function –to charge the stolen item to an expense account
Reconciliation procedure What is a payroll example?
External data reconciliation –to add a fictitious name to the company’s payroll
Exception reporting
Data currency checks What is lapping?
Default values In a lapping scheme, the perpetrator steals cash received
Data matching from customer A to pay its accounts receivable. Funds
File labels received at a later date from customer B are used to pay
Write protection mechanisms off customer A’s balance, etc.
Database protection mechanisms
Data conversion controls What is kiting?
Data security In a kiting scheme, the perpetrator covers up a theft by
creating cash through the transfer of money between
Output Controls banks. The perpetrator deposits a check from bank A to
The data control functions should review all output for bank B and then withdraws the money.Since there are
reasonableness and proper format and should reconcile insufficient funds in bank A to cover the check, the
corresponding output and input control totals. perpetrator deposits a check from bank C to bank A before
Data control is also responsible for distributing computer his check to bank B clears.
output to the appropriate user departments.Users are Since bank C also has insufficient funds, money must be
responsible for carefully reviewing the completeness and deposited to bank C before the check to bank A clears.
accuracy of all computer output that they receive. A The scheme continues to keep checks from bouncing.
shredder can be used to destroy highly confidential data.
Why Fraud Occurs
Data Transmission Controls Researchers have compared the psychological and
To reduce the risk of data transmission failures, companies demographic characteristics of three groups of people:
should monitor the network.
How can data transmission errors be minimized?
–using data encryption (cryptography)
–implementing routing verification procedures
–adding parity
–using message acknowledgment techniques
Data Transmission Controls take on added importance in
organizations that utilize electronic data interchange (EDI)
or electronic funds transfer (EFT).In these types of
environments, sound internal control is achieved using the
following control procedures: What are some common characteristics of fraud
perpetrators?
1. Physical access to network facilities should be strictly  Most spend their illegal income rather than invest
controlled. or save it.
PE1
 Once they begin the fraud, it is very hard for them –theft of money by altering computer records or the theft
to stop. of computer time
 They usually begin to rely on the extra income. –theft or destruction of computer hardware
–use or the conspiracy to use computer resources to
Perpetrators of computer fraud tend to be younger and commit a felony
possess more computer knowledge, experience, and skills. –intent to illegally obtain information or tangible property
Some computer fraud perpetrators are more motivated by through the use of computers
curiosity and the challenge of ―beating the system. Others
commit fraud to gain stature among others in the The Rise in Computer Fraud
computer community. Organizations that track computer fraud estimate that 80%
of U.S. businesses have been victimized by at least one
Three conditions are necessary for fraud to occur: incident of computer fraud.No one knows for sure exactly
1.A pressure or motive how much companies lose to computer fraud. Why?
2.An opportunity
3.A rationalization There is disagreement on what computer fraud is.
Many computer frauds go undetected, or unreported.
Pressures Most networkshave a low level of security.
What are some financial pressures? Many Internet pages give instructions on how to
–living beyond means perpetrate computer crimes.
–high personal debt Law enforcement is unable to keep up with fraud.
–inadequate‖ income
–poor credit ratings Computer Fraud Classifications
–heavy financial losses
–large gambling debts
What are some work-relatedpressures?
–low salary
–nonrecognition of performance
–job dissatisfaction
–fear of losing job
–overaggressive bonus plans
What are otherpressures?
–challenge
–family/peer pressure
–emotional instability Computer Fraud and Abuse Techniques
–need for power or control What are some of the more common techniques to
–excessive pride or ambition commit computer fraud?
– Cracking
Opportunities – Data diddling
An opportunity is the condition or situation that allows a – Data leakage
person to commit and conceal a dishonest act. – Denial of service attack
Opportunities often stem from a lack of internal controls. – Eavesdropping
However, the most prevalent opportunity for fraud results – E-mail forgery and threats
from a company’s failure to enforceits system of internal –Hacking
controls. –Internet misinformation and terrorism
Rationalizations –Logic time bomb
Most perpetrators have an excuse or a rationalization that –Masquerading or impersonation
allows them to justify their illegal behavior. –Password cracking
–Piggybacking
What are some rationalizations? –Round-down
The perpetratoris just ―borrowing‖ the stolen assets. –Salami technique
The perpetrator is not hurting a real person, just a –Software piracy
computer system. –Scavenging
No one will ever know. –Social engineering
–Superzapping
Computer Fraud –Trap door
The U.S. Department of Justice defines computer fraud as –Trojan horse
any illegal act for which knowledge of computer –Virus
technology is essential for its perpetration, investigation, –Worm
or prosecution.
Preventing and Detecting Computer Fraud
What are examples of computer fraud? What are some measures that can decrease the potential
–unauthorized use, access, modification, copying, and of fraud?
destruction of software or data 1. Make fraud less likely to occur.
Computer Fraud 2. Increase the difficulty of committing fraud.
PE1
3. Improve detection methods. review, and documentation of audit evidence. Internal

4. Reduce fraud losses. Auditing Standards According to the Institute of Internal
5. Prosecute and incarcerate fraud perpetrators. Auditors (IIA), the purpose of an internal audit is to
evaluate the adequacy and effectiveness of a company’s
Preventing and Detecting Computer Fraud internal control system.Also, it is to determine the extent
1. Make fraud less likely to occur. to which assigned responsibilities are actually carried out.
Use proper hiring and firing practices.
Manage disgruntled employees. Internal Auditing Standards
Train employees in security and fraud prevention. The IIA’s five audit scope standards are:
Manage and tracksoftware licenses. 1. Review the reliability and integrity of operating and
Require signed confidentiality agreements. financial information and how it is identified, measured,
classified, and reported.
2. Determine whether the systems designed to comply
2. Increase the difficulty of committing fraud. with operating and reporting policies, plans, procedures,
Develop a strong system of internal controls. laws, and regulations are actually being followed.
Segregate duties. Internal Auditing Standards
Require vacations and rotate duties. 3. Review how assets are safeguarded, and verify the
Restrict access to computer equipmentand data files. existence of assets as appropriate.
Encrypt data and programs. 4. Examine company resources to determine how
effectively and efficiently they are utilized.
3. Improve detection methods. 5. Review company operations and programs to determine
Protect telephone lines and the system from viruses. whether they are being carried out as planned and
Control sensitive data. whether they are meeting their objectives.
Control laptop computers.
Monitor hacker information. Types of Internal Auditing Work
What are the three different types of audits commonly
4. Reduce fraud losses. performed?
Maintain adequate insurance. 1. Financial audit
Store backup copies of programs and data files in a 2. Information system (IS) audit
secure, off-site location. 3. Operational or management audit
Develop a contingency plan for fraud occurrences.
Use software to monitor system activity and recover from The financial audit examines the reliability and integrity of
fraud. accounting records (both financial and operating
information). The information systems (IS) auditreviews
5. Prosecute and incarcerate fraud perpetrators. the general and application controls in an AIS to assess its
Most fraud cases go unreported and unprosecuted. Why? compliance with internal control policies and procedures
•Many cases of computer fraud are as yet undetected. and its effectiveness in safeguarding assets.
•Companies are reluctant to report computer crimes.
The operational, or management, auditis concerned with
Law enforcement officials and the courts are so busy with the economical and efficient use of resources and the
violent crimes that they have little time for fraud cases. It is accomplishment of established goals and objectives. An
difficult, costly, and time consuming to investigate. Many
law enforcement officials, lawyers, and judges lack the All audits follow a similar sequence of activities and may be
computer skills needed to investigate, prosecute, and divided into four stages.
evaluate computer crimes. 1. Audit planning
2. Collection of audit evidence
3. Evaluation of audit evidence
CHAPTER 10 4. Communication of audit results
AUDITING OF COMPUTER BASED
INFORMATION SYSTEMS
The Nature of Auditing

The American Accounting Association defines auditing as
follows :
Auditing is a systematic process of objectively obtaining
and evaluating evidence regarding assertions about
economic actions and events to ascertain the degree of
correspondence between those assertions and established
criteria and communicating the results to interested users.
Auditing requires a step-by-step approach characterized by
careful planning and judicious selection and execution of
appropriate techniques. Auditing involves the collection,
PE1
Some types of control procedures:

–developing an information security/protection plan, and
restricting physical and logical access
–encrypting data and protecting against viruses
–implementing firewalls
–instituting data transmission controls, and preventing and
recovering from system failures or disasters
Some systems review audit procedures:
–inspecting computer sites
–interviewing personnel
–reviewing policies and procedures
–examining access logs, insurance policies, and the disaster
recovery plan
Some tests of control audit procedures:
–observing procedures
–verifying that controls are in place and work as intended
Information Systems Audits –investigating errors or problems to ensure they were
The purpose of an AIS audit is to review and evaluate the handled correctly
internal controls that protect the system. When –examining any test previously performed
performing an IS audit, auditors should ascertain that the Some compensating controls:
following objectives are met: –Sound personnel policies
1. Securityprovisions protect computer equipment, –Effective user controls
programs, communications, and data from unauthorized –Segregation of incompatible duties
access, modification, or destruction.
Information Systems Audits Some types of errors and fraud:
2. Program developmentand acquisition is performed in –Inadvertent programming errors
accordance with management’s general and specific –Unauthorized program code
authorization.
3. Program modificationshave the authorization and Some types of control procedures:
approval of management. –Management authorization for program development
4. Processingof transactions, files, reports, and other and approval of programming specifications
computer records is accurate and complete. –User approval of programming specifications
Information Systems Audits –Thorough testing of new programs and user acceptance
5. Source datathat are inaccurate or improperly authorized testing
are identified and handled according to prescribed –Complete systems documentation
managerial policies.
6. Computer data filesare accurate, complete, and Some systems review audit procedures:
confidential. –Independent and concurrent review of systems
The Risk-Based Audit Approach development process
The risk-based approach to auditing provides auditors with –Systems review of development policies, authorization,
a clear understanding of the errors and irregularities that and approval procedure
can occur and the related risks and exposures. This –Programming evaluation and documentation standards,
understanding provides a sound basis for developing and program testing and test approval procedures
recommendations to management on how the AIS control
system should be improved. Framework for Audit of Program Development (Objective
What is the four-step approach to internal control 2)
evaluation? Some tests of control audit procedures:
1. Determine the threats facing the AIS. –User interviews about involvement in systems design and
2. Identify the control procedures that should be in place implementation
to minimize each threat. –Reviewing minutes of development team meetings for
3. Evaluate the control procedures. evidence of involvement
4. Evaluate weakness (errors and irregularities not covered –Verifying management and user sign-off at milestone
by control procedures). points in the development process
Framework for Audit of Computer Security (Objective 1) –Reviewing test specifications, data, and results
Some types of security errors and fraud: Framework for Audit of Program Development (Objective
–theft of accidental or intentional damage to hardware 2)
and files Some compensating controls:
–loss, theft, or unauthorized access to programs, data files; –Strong processing controls
or disclosure of confidential data –Independent processing of test data by auditor
–unauthorized modification or use of programs and data Some types of errors and fraud:
files
PE1
oInadvertent programming errors –Verify adherence to processing control procedure by

oUnauthorized program code observing computer operations and the data control
oThese are the same as in audit program development. function
–Trace disposition of a sample of errors flagged by data
Framework for Audit of Program Modification Procedures edit routines to ensure proper handling
(Objective 3) –Monitor on-line processing systems using concurrent
Some types of control procedures: audit techniques
–Listing of program components that are to be modified,
and management authorization and approval of Some compensating controls:
programming modifications –Strong user controls
–User approval of program changes specifications –Effective source data controls
–Thorough testing of program changes, including user
acceptance test Framework for Audit of Source Data Controls(Objective 5)
Some types of errors and fraud:
Some systems review audit procedures: –Inadequate source data
–Reviewing program modification policies, standards, and –Unauthorized source data
procedures –Some types of control procedures:
–Reviewing documentation standards for program –User authorization of source data input
modification, program modification testing, and test –Effective handling of source data input by data control
approval procedures personnel
–Discussing systems development procedures with –Logging of the receipt, movement, and disposition of
management source data input
–Use of turnaround documents
Some tests of control audit procedures:
–Interviewing users about involvement in systems design Some systems review audit procedures:
and implementation –Reviewing documentation for source data control
–Reviewing minutes of development team meetings for standards
evidence of involvement –Document accounting source data controls using an input
–Verifying management and user sign-off at milestone control matrix
points in the development process –Reviewing accounting systems documentation to identify
–Reviewing test specifications, data, and results source data content and processing steps and specific
source data controls used.
Some compensating controls:
–Strong processing controls Some tests of control audit procedures:
–Independent processing of test data by auditor oObservation and evaluation of data control department
These are the same as in audit program development. oReconciliation of a sample of batch totals and follow up
on discrepancies
Framework for Audit of Computer Processing oExamination of samples of accounting source data for
Controls(Objective 4) proper authorization
Some types of errors and fraud: oSome compensating controls:
–Failure to detect incorrect, incomplete or unauthorized oStrong processing controls
input data oStrong user controls
–Failure to properly correct errors flagged by data editing
procedures Framework for Audit of DataFile Controls(Objective 6)
–Introduction of errors into files or databases during Some types of errors and fraud:
updating –Unauthorized modification or disclosure of stored data
–Destruction of stored data due to inadvertent errors,
Some types of control procedures: hardware or software malfunctions and intentional acts of
–Computer data editing routines sabotage or vandalism
–Proper use of internal and external file labels
–Effective error correction procedures Some types of control procedures:
–File change listings and summaries prepared for user –Concurrent update controls
department review –Proper use of file labels and write-control mechanisms
–Use of virus protection software
Some systems review audit procedures:
–Review administrative documentation for processing Some systems review audit procedures:
control standards –Examination of disaster recovery plan
–Observe computer operations and data control functions –Discussion of data file control procedures with systems
–Review copies of error listings, batch total reports and file managers and operators
change list –Review of logical access policies and procedures
–Review of documentation for functions of file library
Some tests of control audit procedures: operation
–Evaluation of adequacy and completeness of data editing
controls Some tests of control audit procedures:
–Observing and evaluating file library operations
–Review records of password assignment and modification
PE1
–Observation of the preparation of off-site storage back-up Four basic business activities are performed in the revenue
facilities cycle:
–Reconciliation of master file totals with separately Sales order entry
maintained control totals Shipping
Billing
Some compensating controls: Cash collection
–Effective computer security controls
–Strong user controls SALES ORDER ENTRY
–Strong processing controls Sales order entry is performed by the sales order
department. The sales order department typically reports
Computer Software to the VP of Marketing.
A number of computer programs, called computer audit
software (CAS) or generalized audit software (GAS), have Steps in the sales order entry process include:
been written especially for auditors. CAS is a computer Take the customer’s order.
program that, based on the auditor’s specifications, Check the customer’s credit.
generates programs that perform the audit functions. Check inventory availability.
 Respond to customer inquiries (may be done by
Usage of Computer Software customer service or sales order entry).
The auditor’s first step is to decide on audit objectives,
learn about the files to be audited, design the audit
reports, and determine how to produce them. This
information is recorded on specification sheets and
entered into the system via a data entry program. This
program creates specification records that the CAS uses to
produce one or more auditing programs. The auditing
programs process the sources files and perform the
auditing operations needed to produce the specified audit
reports.
General Functions of Computer Audit Software
–Reformatting
–File manipulation
–Calculation
–Data selection
–Data analysis
–File processing
–Statistics
–Report generation
Operational Audits of an AIS
The techniques and procedures used in operational audits
are similar to those of IS and financial audits. The basic
difference is that the IS audit scope is confined to internal
controls, whereas the financial audit scope is limited to IIS
output. The operational audit scope encompasses all Take customer orders
aspects of IS management. Operational audit objectives Order data are received on a sales order document which
include evaluating effectiveness, efficiency, and goal may be completed and received:
achievement. •In the store
•By mail
What are some evidence collection activities? •By phone
–Reviewing operating policies and documentation •On a Website
–Confirming procedures with management and operating •By a salesperson in the field
personnel
–Observing operating functions and activities The sales order (paper or electronic) indicates:
–Examining financial and operating plans and reports Item numbers ordered
–Testing the accuracy of operating information Quantities
–Testing controls Prices
Salesperson
CHAPTER 11 To reduce human error, customers should enter data

themselves as much as possible:
THE REVENUE CYCLE : SALES TO CASH On Websites
On OCR forms
COLLECTIONS Via phone menus
REVENUE CYCLE BUSINESS ACTIVITIES How IT can improve efficiency and effectiveness:
PE1
Orders entered online can be routed directly to the

warehouse for picking and shipping. Accurate inventory records are needed so customers can
Sales history can be used to customize solicitations. be accurately advised of their order status.
Choiceboards can be used to customize orders. Requires careful data entry in the sales and shipping
•Initially popular with Dell and Gateway. processes.
•Now used for purchases of shoes and jeans! Can be problematic in retail establishments:
Electronic data interchange (EDI) can be used to link a Clerks running a similar item over the scanner several
company directly with its customers to receive orders or times instead of running each item. Mishandling of sales
even manage the customer’s inventory. Email and instant returns such that returned merchandise isn’t re-entered in
messaging are used to notify sales staff of price changes inventory records.
and promotions. Laptops and handheld devices can equip
sales staff with presentations, prices, marketing and Respond to customer inquiries (may be done by customer
technical data, etc. service or sales order entry).
Another step in the sales order entry process is responding
Check the customer’s credit. to customer inquiries:
Credit sales should be approved before the order is May occur before or after the order is placed.
processed any further. The quality of this customer service can be critical to
company success.
There are two types of credit authorization:
General authorization Many companies use Customer Relationship Management
Specific authorization (CRM) systems to support this process:
 Organizes customer data to facilitate efficient and
For existing customers below their credit limit who don’t personalized service.
have past-due balances. Credit limits vary by customer  Provides data about customer needs and business
based on past history and ability to pay. General practices so they can be contacted proactively about the
authorization involves checking the customer master need to reorder.
file to verify the account and status.
The goal of CRM is to retain customers:
For customers who are: Rule of thumb: It takes 5 times as much effort to attract a
–New new customer as it does to retain an existing one.
–Have past-due balances CRMs should be seen as tools to improve the level of
–Are placing orders that would exceed their credit limit customer service and encourage loyalty—not as a way to
keep them off your back.
Specific authorization is done by the credit manager, who
reports to the treasurer. Transaction processing technology can be used to improve
customer relationships:
How can IT improve the process? POS systems can link to the customer master file to:
Automatic checking of credit limits and balances •Automatically update accounts receivable.
Emails or IMs to the credit manager for accounts needing •Print customized coupons (e.g., if the customer just
specific authorization bought yogurt, print a yogurt coupon to encourage repeat
sales).
Check inventory availability.
When the order has been received and the customer’s IT should be used to automate responses to routine
credit approved, the next step is to ensure there is customer requests.
sufficient inventory to fill the order and advise the Examples:
customer of the delivery date. The sales order clerk can  Providing telephone menus or Websites that lead
usually reference a screen displaying: customers to answers about:
Quantity on hand •Account balances
Quantity already committed to others •Order status
Quantity on order •Frequently asked questions (FAQs)
Online chat or instant messaging.
If there are enough units to fill the order:
Complete the sales order. These methods free up customer service reps to deal with
Update the quantity availablefield in the inventory file. less routine issues.
Notify the following departments of the sale: EXAMPLE: Timex includes their watch manuals online, so a
•Shipping customer who’s missing his manual can find out how to
•Inventory reset his watch when Daylight Savings Time rolls around.
•Billing No human intervention required.
Send an acknowledgment to the customer.
The effectiveness of a website depends on its design:
If there’s not enough to fill the order, initiate a back order.  Review records of customer interactions to identify
For manufacturing companies, notify the production potential problems.
department that more should be manufactured.  A poorly-designed, difficult-to-use website can create
For retail companies, notify purchasing that more should customer ill will.
be purchased.
PE1
A well-designed site can provide insights that lead to What quantity

increased sales, e.g., by analyzing website traffic to
determine products of greatest interest. Warehouse workers record the quantities picked on the
picking ticket, which may be a paper or electronic
Sales order entry involved the steps of: document. The picked inventory is then transferred to the
Taking the customer’s order shipping department. Technology can speed the
Checking the ucstomer’s credit movement of inventory and improve the accuracy of
Checking inventory availability perpetual inventory records:
Responding to customer inquiries Bar code scanners and RFID systems
Conveyer belts
REVENUE CYCLE BUSINESS ACTIVITIES Wireless technology so workers can receive instructions
Four basic business activities are performed in the revenue without returning to dispatch.
cycle: Radio frequency identification (RFID) tags:
Sales order entry
Shipping •Eliminate the need to align goods with scanner.
Billing •Allow inventory to be tracked as it moves through
Cash collection warehouse.
•Can store up to 128 bytes of data.
SHIPPING •For companies that handle large volumes of merchandise,
The second basic activity in the revenue cycle is filling like Federal Express and UPS, RFID's ability to reduce by
customer orders and shipping the desired merchandise. even a few seconds the time it takes to process each
The process consists of two steps : package can yield enormous cost savings.
Picking and packing the order
Shipping the order Shipping the order.
The warehouse department typically picks the order. The
The warehouse department typically picks the order. The shipping departments packs and ships the order. Both
shipping departments packs and ships the order . Both functions include custody of inventory and ultimately
functions include custody of inventory and ultimately report to the VP of Manufacturing.The shipping
report to the VP of Manufacturing. department compares the following quantities:
Physical count of inventory.
Quantities indicated on picking ticket.
Quantities on salesorder.
Discrepancies can arise if:
Items weren’t stored in the location indicated
Perpetual inventory records were inaccurate.
If there are discrepancies, a back order is initiated.
The clerk then records online:
The sales order number.
The itemnumbers ordered.
The quantities shipped.
This process:
Updates the quantity-on-hand field in the inventory
master file.
Produces a packing lsip.
•The packing slip lists the quantity and description
of each item in the shipment.
The clerk then records online:
The sales order number.
The item numbers ordered.
The quantities shipped.
Picking and packing the order. This produces:

The warehouse department typically picks the order. The Updates the quantity-on-hand field in the inventory
shipping departments packs and ships the order. Both master file.
functions include custody of inventory and ultimately A packing slip.
report to the VP of Manufacturing. A picking ticket is Multiple copies of the bill of lading.
printed by sales order entry and triggers the pick-and-pack •The bill of lading is a legal contract that defines
process responsibility for goods in transit
The picking ticket identifies: It identifies:

Which products to pick –The carrier
PE1
–The source
–The destination
–Special shipping instructions
–Who pays for the shipping
The shipment is accompanied by:
The packing slip.
A copy of the bill of lading.
The freight bill.
•(Sometimes bill of lading doubles as freight bill).
What happens to other copies of the bill of lading?
One is kept in shipping to track and confirm delivery.
One is sent to billing to trigger an invoice.
One is retained by the freight carrier.
A major shipping decision is the choice of delivery
methods:
Some companies maintain a fleet of trucks.
Companies increasingly outsource to commercial carriers.
•Reduces costs.
•Allows company to focus on core business.
Selecting best carrier means collecting and monitoring
carrier performance data for:
•On-time delivery. Invoicing
•Condition of merchandise delivered. Accurate and timely billing is crucial. Billing is an
information processing activity that repackages and
Another decision relates to the location of distribution summarizes information from the sales order entry and
centers. Many customers want suppliers to deliver shipping activities. Requires information from:
products only when needed. Logistical software tools can Shipping Departmenton items and quantities shipped.
help identify optimal locations to: Saleson prices and other sales terms.
•Minimize amount of inventory carried.
•Meet customers’ needs. The basic document created is the sales invoice. The
•Also helps optimize the use of delivery vehicles on a day- invoice notifies the customer of:
to-day basis. The amount to be paid.
Where to send payment.
Globalization makes outbound logistics more complex:
Distribution methods differ around the worldin terms of Invoices may be sent/received:
efficiency and effectiveness. In paper form.
Country-specific taxes and regulations affect distribution By EDI.
choices. •Common for larger companies.
Logistical software can also help with these issues. •Faster and cheaper than snail mail.
Advanced communications systems can provide real-time
info on shipping status and thus add value: When buyer and seller have accurate online systems:
If you know a shipment will be late and notify the Invoicing process may be skipped.
customer, it helps the customer adapt. •Seller sends an email when goods are shipped.
•Buyer sends acknowledgment when goods are received.
BILLING •Buyer automatically remits payments within a specified
The third revenue cycle activity is billing customers. number of days after receiving the goods.
This activity involves two tasks: Can produce substantial cost savings.
Invoicing
Updating accounts receivable An integrated AIS may also merge the billing process with
sales and marketing by using data about a customer’s past
purchases to send information about related products and
services with his monthly statement.
Updating accounts receivable
The accounts receivable function reports to the controller.
This function performs two basic tasks:
Debits customer accounts for the amount the customer
is invoiced.
Credits customer accounts for the amount of customer
payments.
Two basic ways to maintain accounts receivable:
Open-invoice method
Balanceforward method
PE1
Open-invoice method: •Returns

Customers pay according to each invoice. •Allowances for damaged goods
Two copies of the invoice are typically sent to the •Write-offs as uncollectible
customer.
•Customer is asked to return one copy with payment. These adjustments arehandled by the credit manager.
•This copy is a turnaround document called a remittance
advice. If there’s a return, the credit manager:
Advantages of open-invoice method: Receives confirmation from the receiving dock that the
•Conducive to offering early-payment discounts goods were actually returned to inventory.
•Results in more uniform flow of cash collections Then issues a credit memo which authorizes the crediting
Disadvantages of open-invoice method: of the customer’s account.
•More complex to maintain If goods are slightly damaged, the customer may agree to
keep them for a price reduction.
Balance forward method: Credit manager issues a credit memo to reflect that
Customers pay according to amount on their monthly reduction.
statement, rather than by invoice.
 Monthly statement lists transactions since the last Distribution of credit memos:
statement and lists the current balance. One copy to accounts receivable to adjust the customer
•The tear-off portion includes pre-printed information with account.
customer name, account number, and balance Onecopy to the customer.
•Customers are asked to return the stub, which serves as If repeated attempts to collect payment fail, the credit
the remittance advice. manager may issue a credit memo to write off an account.
•Remittances are applied against the total balance rather A copy will not be sent to the customer.
than against a specific invoice.
NOTE: Because accounts receivable handles the customer
Advanta ges of balance-forward method: accounts, why does someone else have to issue the credit
•It’s more efficient and reduces costs because you don’t memos?
bill for each individual sale.
•It’s more convenient for the customer to make one EXAMPLE: Anaccounts receivable employee could allow a
monthly remittance. relative or friend (or even himself) to run up an account
with the company and then simply write the account off or
Cycle billing credit it for returns and allowances.
Cycle billing is commonly used with the balance-forward
method. Having the credit memos issued by the credit manager is
good segregation of duties between:
Monthly statements are prepared for subsets of Authorizing a transaction (write-off).
customers at different times. Recording the transaction.
•EXAMPLE: Bill customers according to the following
schedule: CASH COLLECTIONS
•1stweek of month—Last names beginning with A-F The final activity in the revenue cycle is collecting cash
•2ndweek of month—Last names beginning with G-M from customers. The cashier, who reports to the treasurer,
•3rdweek of month—Last names beginning with N-S handles customer remittances and deposits them in the
•4thweek of month—Last names beginning with T-Z bank. Because cash and checks are highly vulnerable,
controls should be in place to discourage theft. Accounts
Advantages of cycle billing: receivable personnel should not have access to cash
Produces more even cash flow. (including checks).
Produces more even workload.
Doesn’t tie up computer for several days to print Possible approaches to collecting cash:
statements. Turnaround documents forwarded to accounts receivable.
•The mailroom opens customer envelopes and forwards
Image processing to accounts receivable either:
Image processing can improve the efficiency and –Remittance advices.
effectiveness of managing customer accounts. –Photocopies of remittance advices.
Digital images of customer remittances and accounts are –A remittance list prepared in the mailroom.
stored electronically
Lockbox arrangements.
Advantages: •Customers remit payments to a bank P.O. box.
Fast, easy retrieval. •The bank sends the company:
Copy of document can be instantly transmitted to –Remittance advices.
customer or others. –An electronic list of the remittances.
Multiple people can view document at once. –Copies of the checks.
Drastically reduces document storage space.
Advantages:
Exception procedures: Account adjustments and write-offs: –Prevents theft by company employees.
Adjustments to customer accounts may need to be made –Improves cash flow management.
for:
PE1
•Lockboxes may be regional, which reduces time in the In the revenue cycle (or any cycle), a well-designed AIS
mail. should provide adequate controls to ensure that the
•Checks are deposited immediately on receipt. following objectives are met:
•Foreign banks can be utilized for international customers.
All transactions are properly authorized.
Electronic boxes All recorded transactions are valid.
Upon receiving and scanning the checks, the bank All valid and authorized transactions are recorded.
immediately sends electronic notification to the company, All transactionsare recorded accurately.
including: Assets are safeguarded from loss or theft.
–Customer account number Business activities are performed efficiently and
–Amount remitted effectively.
The company is in compliance with all applicable laws and
Electronic funds transfer and bill payment regulations.
Customers remit payment electronically to the company’s All disclosure
s are full and fair.
bank.
•Eliminates mailing delays. All transactions are properly authorized.
•Typically done through banking system’s Automated A related threat would be that a transaction would go
Clearing House (ACH) network. through without proper authorization. •Such a transaction
might result from either a mistake or a fraud.
PROBLEM: Some banks do not have both EDI and EFT EXAMPLE: An employee might process an unauthorized
capabilities, which complicates the task of crediting the write-off of his own account, so that he wouldn’t have to
customer’s account on a timely basis. pay.
Financial Electronic Data Interchange (FEDI) All recorded transactions are valid
•Integrates EFT with EDI. The related threat is that a transaction would be recorded
•Remittance data and funds transfer instructions are sent that isn’t valid, i.e., it didn’t actually occur.
simultaneously by the customer. EXAMPLE 1: An employee records a return of merchandise
•Requires that both buyer and seller use EDI-capable on his own account when the goods were never really
banks. returned.
EXAMPLE 2: Many financial statement frauds involve
Accept credit cards or procurement cards from customers. companies recording totally fictitious revenues in order to
•Speeds collection because credit card issuer usually make the company’s financial position appear more
transfers funds within two days. favorable than it actually is.
•Typically costs 2–4% of gross sales price.
All valid and authorized transactions are recorded.
The related threat would be that a transaction that actually
did occur didn’t get recorded.
•EXAMPLE 1: An employee fails to record a sale that the
company made to him so he won’t have to pay the
receivable.
•EXAMPLE 2: In financial statement fraud cases, the
company often fails to record transactions that reduce
income or net assets, e.g., doesn’t record returns from
customers or discounts granted to them. This omission
causes net sales to appear higher than they really are.
All transactions are recorded accurately.
The threat would be that a transaction is recorded
inaccurately. Inaccurate recording typically means that a
transaction is recorded either:
–In the wrong amount
–In the wrong account
–In the wrong time period
•It could also mean that the transaction was credited to
the wrong agents or participants.
EXAMPLES: A fraud might involve a company:
–Over-recording the amount of a sale (wrong amount)
–Recording an unearned revenue as an earned revenue
(wrong account)
–Recording a sale earlier than it occurs (wrong time period)
–Crediting the wrong salesperson for the sale (wrong
agent)
The reverse side of these activities might include:
CONTROL OBJECTIVES, THREATS, AND PROCEDURES –Under-recording a sales return (wrong amount)
PE1
–Debiting an asset account instead of sales returns (wrong 4.THREAT 4: Stockouts, carrying costs, and markdowns
account) 5. THREAT 5: Shipping Errors
–Recording the return later than it actually occurred 6. THREAT 6: Theft of Inventory
(wrong time period) 7. THREAT 7: Failure to bill customers
8. THREAT 8: Billing errors
Assets are safeguarded from loss or theft. 9. THREAT 9: Errors in maintaining customer accounts
Threats in this area usually involve theft, destruction, or 10. THREAT 10: Theft of cash
misuse of assets, including data. 11. HREAT 11: Loss, alteration, or unauthorized disclosure
of 12. THREAT 12: Poor performance
Business activities are performed efficiently and
effectively. REVENUE CYCLE INFORMATION NEEDS
The threat is that the activities would be performed Information is needed for the following operational tasks
inefficiently or ineffectively. in the revenue cycle:
Responding to customer inquiries
The company is in compliance with all applicable laws and Deciding onextending credit to a customer
regulations. Determining inventory availability
The obvious threat is non-compliance with laws and Selecting merchandise delivery methods
regulations. An example in the revenue cycle could be a car
dealer who: Information is needed for the following strategic decisions:
–Sells a vehicle to which he doesn’t have clear title; or Setting prices for products/services
–Refuses to allow a customer to return a car in violation of Establishing policies on returns and warranties
state lemon laws. Deciding on credit terms
Determining short-term borrowing needs
Another example might be requesting a credit check on a Planning new marketing campaigns
customer in violation of the Fair Credit Reporting Act
(FCRA). The AIS needs to provide information to evaluate critical
revenue cycle processes:
All disclosures are full and fair. Response time to satisfactorily resolve customer inquiries
•The threat is incomplete and/or misleading disclosures. Time to fill and deliver orders
•This threat is more important in other areas, particularly Percentage of sales orders back ordered
those areas that involve liabilities and contingencies. Customer satisfaction rates and trends
•However, one threat in the revenue cycle could be Analyses of market share and sales trends
misleading disclosures about customers’ rights to return Profitability by product, customer, and region
product. Sales volume in dollars and market share
Effectiveness of advertising and promotions
There are several actions a company can take with respect Sales staff performance
to any cycle to reduce threats of errors or irregularities. Bad debtexpense
These include: Days receivables outstanding
Using simple, easy-to-complete documents with clear Remittances processed daily
instructions (enhances accuracy and reliability).
Using appropriate application controls, such as validity Both financial and non-financial information are needed to
checks and field checks (enhances accuracy and reliability). manage and evaluate revenue cycle activities.
Providing space on forms to record who completed and Likewise, both external and internal information is needed.
who reviewed the form (encourages proper authorizations
and accountability). When the AIS integrates information from the various
cycles, sources, and types, the reports that can be
Pre -numbering documents (encourages recording of valid generated are unlimited. They include reports on:
and only valid transactions). Sales order entry efficiency
Restricting accessto blank documents (reduces risk of Sales breakdowns by salesperson, region, product, etc.
unauthorized transaction). Profitability by territory, customer
, etc.
In the following sections, we’ll discuss the threats that may Frequency and size of backorders
arise in the four major steps of the revenue cycle, as well Slow-moving products
as the controls that can prevent those threats. Projected cash inflows and outflows (called a cash
budget)
THREATS IN SALES ORDER ENTRY Accounts receivable aging
The primary objectives of this process: Revenue margin (gross margin minus selling costs)
Accurately and efficiently process customer orders.
Ensure that all sales are legitimate and that the company Accountants should continually refine and improve an
gets paid for all sales. organization’s performance reports.
Minimize revenue loss arising from poor inventory
management. Revenue Cycle Data Model
The four major business events in the revenue cycle
Threats in the sales order entry process include: (orders, filling the orders, shipping [sales], and cash
1.THREAT 1: Incomplete or inaccurate customer orders collections)
2.THREAT 2: Sales to customers with poor credit The primary external agent (customer) as well as the
3.THREAT 3: Orders that are not legitimate various internal agents involved in revenue cycle activities
PE1
 Is sufficient cash available to take advantage of any

Partial REA Diagram of the Revenue Cycle discounts suppliers offer?
 How can payments to vendors be managed to
maximize cash flow?
Expenditure Cycle:Business Activities
What are the three basic business activities in the
expenditure cycle?
1.Ordering goods, supplies and services
2.Receiving and storing goods, supplies and services
3.Paying for goods, supplies and services
Ordering Goods, Supplies And Services
The first major business activity in the expenditure cycle is
ordering inventory or supplies.
The traditional inventory control method(often called
economic order quantity [EOQ]):
•This approach is based on calculating an optimal order
size so as to minimize the sum of ordering, carrying, and
stockout costs.
Alternative inventory control methods:
–MRP (material requirement planning)
•This approach seeks to reduce required inventory levels
by scheduling production, rather than estimating needs.
–JIT (just in time)
•JIT systems attempt to minimize both carrying and
stockout costs.
What is a major difference between MRP and JIT?
MRP systems schedule production to meet estimated
sales need, thereby creating a stock of finished goods
inventory.
JIT systems schedule production to meet customer
CHAPTER 12 demands, thereby virtually eliminating finished goods
inventory.
THE EXPENDITURE CYCLE : PURCHASING Documents and procedures:
AND CASH DISBURSEMENTS The purchase requisition is a document that identifies the
following:
–requisitioner and item number
Expenditure Cycle: Main Objective –specifies the delivery location and date needed
The expenditure cycleis a recurring set of business –specifies descriptions, quantity, and price of each item
activities and related data processing operations requested
associated with the purchase of and payment for goods –may suggest a vendor
and services.
What is a key decision?
The primary objective of the expenditure cycle is to –determine vendor
minimize the total cost of acquiring and maintaining
inventories, supplies, and the various services necessary What factors should be considered?
for the organization to function. –price
–quality of materials
Expenditure Cycle: Key Decisions –dependability in making deliveries
 What is the optimal level of inventory and supplies Ordering Goods, Supplies And Services
to carry?
 Which suppliers provide the best quality and The purchase order is a document that formally requests a
service at the best prices? vendor to sell and deliver specified products at designated
 Where should inventories and supplies be held? prices. It is also a promise to pay and becomes a contract
 How can the organization consolidate purchases once it is accepted by the vendor. Frequently, several
across units to obtain optimal prices? purchase orders are generated to fill one purchase
 Expenditure Cycle: Key Decisions requisition.
 How can information technology be used to
improve both the efficiency and accuracy of the Receiving and Storing Goods, Supplies and Services
inbound logistics function? The second major business activity involves the receipt and
storage of ordered items.
PE1
Key decisions and information needs:

The receiving department has two major responsibilities:
1.Deciding whether to accept a delivery
2.Verifying quantity and quality
Expenditure Cycle
Documents and procedures:
The receiving reportdocuments details about each
delivery, including the date received, shipper, vendor, and
purchase order number. For each item received, it shows
the item number, description, unit of measure, and count
of the quantity received.
Pay for Goods and Services:Approve Vendor Invoices
The third activity entails approving vendor invoices for
payments.
 The accounts payable department approves
vendor invoices for payment
 The cashier is responsible for making the payment
The objective of accounts payable is to authorize payment
only for goods and services that were ordered and actually
received. There are two ways to process vendor invoices:
1.Nonvoucher system
2.Voucher system
Processing efficiency can be improved by:
 Requiring suppliers to submit invoices
electronically, either by EDI or via the Internet
 Eliminating vendor invoices. This ―invoiceless‖
approach is called evaluated receipt settlement
(ERS).
Pay for Goods: Pay Approved Invoices
The cashier approves invoices. The combination of vendor
invoice and supporting documentation is called a voucher
package. A key decision in the cash disbursement process
is determining whether to take advantage of discounts for
prompt payment.
Information Needs
The third functionof the AIS is to provide information
useful for decision making. Usefulness in the expenditure
cycle means that the AIS must provide the operational
information needed to perform the following functions:
Determine when and how much additionalinventory to
order
Select the appropriate vendors from whom to order.
Verify the accuracy of vendor invoices.
Decide whether purchase discounts should be taken.
Monitor cash flow needs to pay outstanding obligations.
What are examples of additional information The AIS
should provide?
–Efficiency and effectiveness of the purchasing department
–Analyses of vendor performance such as on-time delivery,
quality, etc.
–Time taken to move goods from the receiving dock into
production
–Percentage of purchase discounts taken
PE1
–approved purchase requisitions

–restricted access to blank purchase requisitions
–price list consultation
–budgetary controls
–use of approved vendor lists
–approval of purchase orders
–prenumbered purchase orders
–prohibition of gifts from vendors
–incentives to count all deliveries
–physical access control
–recheck of invoice accuracy
–cancellation of voucher package
Expenditure Cycle Data Model
The REA data model integrates both traditional accounting
transactions data with other operational data.
What are some examples?
–the date and amount of each purchase
–information about where items are stored
–vendor performance measures, such as delivery date
Expenditure Cycle Data Model
Partial REA Diagram of the Expenditure Cycle
Control: Objectives,Threats, and Procedures

Another functionof a well-designed AIS is to provide The REA diagram models the relationship between the
adequate controls to ensure that the following objectives request goods and order goods events as being many-to-
are met: one.
 Transactions are properly authorized.
 Recorded transactions are valid. Why?
The company sometimes issues purchase orders for
 Valid, authorized transactions are recorded. individual purchase requests.
 Transactions are recorded accurately. At other times it takes advantage of volume discounts by
 Business activities are performed efficientlyand issuing one purchase order for a set of requests.
effectively.
Partial REA Diagram of the Expenditure Cycle
What are some threats?
–stockouts
–purchasing too many or unnecessary goods
–purchasing goods at inflated prices
–purchasing goods of inferior quality
–purchasing from unauthorized vendors
–kickbacks
–receiving unordered goods
–errors in counting goods
–theft of inventory
–failure to take available purchasing discounts
–errors in recording and posting purchases and payments
–loss of data
What are some control procedures?
–inventory control system
–vendor performance analysis
PE1
Why is there a many-to-many relationship between the MRP-II is an extension of materials resource planning that
order goods and receive goods events? seeks to match existing production capacity and raw
Vendors sometimesmake several separate deliveries to materials needs with forecasted sales demands.
fill one purchase order. The goal of JIT is to minimize inventories of raw materials,
Other times, vendors fill several purchase orders with one work in process, and finished goods.
delivery.
Sometimes, vendors make a delivery to fill a single Documents, forms and procedures:
purchase order in full. The master production schedule (MPS)specifies how
much of each product is to be produced during the
planning period and when that production should occur.
CHAPTER 13 A materials requisitionauthorizes removal of materials
from the storeroom to the factory.
THE PRODUCTION CYCLE Subsequent transfers of these materials are documented
on move tickets.
How can accountants be involved in planning and
Production Cycle Activities scheduling?
The production cycleis a recurring set of business activities –by ensuring that the AIS collects and reports costs in a
and related data processing operations associated with the manner consistent with the production planning
manufacturing of products. Accurate and timely cost techniques used by the company
accounting information is essential input to decisions –by helping to choose whether MRP-II or JIT is more
about: appropriate
•Product mix
•Product pricing Production Operations (Activity 3)
•Resource allocation and planning The third step in the production cycle is the actual
•Cost management manufacture of products. The manner in which this activity
is accomplished varies greatly across companies.
There are four basic activities in the production cycle:
1.Product design What is computer-integrated manufacturing (CIM)?
2.Planning and scheduling It is the use of information technology in the production
3.Production operations process.
4.Cost accounting
Computer-Integrated Manufacturing (CIM) is the use of
Product Design (Activity 1) various forms of IT in the production process, such as
The first step in the production cycle is product design. The robots and computer-controlled machinery, to reduce
objective of this activity is to design a product that meets production costs. Every firm needs to collect data about
customer requirements for quality, durability, and the following four facets of its production operations:
functionality while simultaneously minimizing production 1.Raw materials used
costs. 2.Labor-hours expended
3.Machine operations performed
Documents and procedures: 4.Other manufacturing overhead costs incurred
The product design activity creates two main documents:
1.Bill of materials Cost Accounting (Activity 4)
2.Operations list The final step in the production cycle is cost accounting.
What are the three principal objectives of the cost
How can accountants be involved in product design? accounting system?
–by showing how various design trade-offs affect 1.To provide information for planning, controlling, and
production costs and thereby profitability evaluating the performance of production operations
–by ensuring that the AIS is designed to collect and provide 2.To provide accurate cost data about products for use in
information about the machine setup and materials pricing and product mix decisions
handling costs associated with alternative product designs 3.To collect and process the information used to calculate
–by providing data about repair and warranty costs the inventory and cost of goods sold values
associated with existing products
What are two types of cost accounting systems?
Planning and Scheduling (Activity 2) 1. Job-order costing
The second step in the production cycle is planning and 2. Process costing
scheduling. The objective of this step is a production plan Job-order costing assigns costs to specific production
efficient enough to meet existing orders and anticipate batches or to individual jobs.
short-term demand without creating excess finished goods Process costing assigns costs to each process, and then
inventories. calculates the average cost for all units produced.
What are two common methods of production planning?
1.Manufacturing resource planning (MRP-II) The choice of job-order or process costing affects only the
2.Just-in-time (JIT) manufacturing systems method used to assign costs to products, not the method
used for data collection. Raw Materials:
When production is initiated, the issuance of a materials
requisition triggers the journal entry.
PE1
3.All valid, authorized production cycle transactions are

Assume that $15,000 of raw materials were issued. recorded.
What is the journal entry? 4.All production cycle transactions are recorded accurately.
Work in Process 15,000 5.Accurate records are maintained and protected from
Raw Materials Inventory 15,000 loss.
6.Production cycle activities are performed efficiently and
To record issuance of raw materials effectively.
Assume that $1,000 of raw materials were returned to What are some threats?
inventory. –unauthorized transaction
What is the journal entry? –theft or destruction of inventories and fixed assets
Raw Materials Inventory 1,000 –recording and posting errors
Work in Process 1,000 –loss of data
–inefficiencies and quality control problems
To record return of raw materials to inventory
What are some control procedures?
Most raw materials are bar-coded. Inventory clerks use –accurate sales forecasts and inventory records
online terminals to enter usage data for those items that –authorization of production
are not bar-coded. –restricted access to production planning program and to
blank production order documents
Direct Labor: –review and approval of capital asset expenditures
A job-time ticket is a paper document used to collect data –documentation of all internal movements of inventory
about labor activity. This document records the amount of –proper segregation of duties
time a worker spent on each specific job task. Workers can –source data automation
enter this data using online terminals at each factory –online data entry edit controls
workstation. –backup and disaster recovery procedures
–regular performance reports
Machinery and Equipment: –cost of quality control measurement
As companies implement CIM to automate the production
process, an even larger proportion of product cost relate to Information Needs and Procedures
the machinery and equipment used to make the product. The third functionof the AIS is to provide information
useful for decision making. In the production cycle, cost
Manufacturing Overhead: information is needed by internal and external users.
What is manufacturing overhead? Traditionally, most cost accounting systems have been
–all manufacturing costs that are not economically feasible designed primarily to meet financial reporting
to trace directly to specific jobs or processes requirements.
Accounting for Fixed Assets: What are two major criticisms of traditional cost
The AIS also needs to collect and process information accounting systems?
about investment in the property, plant, and equipment 1.Inappropriate allocation of overhead costs
used in the production cycle. Fixed assets should be bar- 2.Inaccurate performance measures
coded.
What is a potential solution to the first criticism?
What minimum information should organizations keep
about their fixed assets? Activity-Based Costing (ABC):
–identification number ABC attempts to trace costs to the activities that create
–serial number them and only subsequently allocates those costs to
–location products or departments. ABC systems distinguish three
–cost separate categories of overhead.
–date of acquisition
–vendor name and address 1.Batch-related overhead
–expected life 2.Product-related overhead
–expected salvage value 3.Company-wide overhead
–depreciation method
–depreciation charges to date The bases used to allocate manufacturing overhead are the
–improvements cost drivers.
–maintenance services performed
What is a cost driver?
Control: Objectives,Threats, and Procedures –anything that has a cause-and-effect relationship on costs
The second functionof a well-designed AIS is to provide Information Needs and Procedures
adequate controls to ensure that the following objectives What are some benefits of ABC?
are met: –better decisions
1.All production and fixed asset acquisitions are properly –improved cost management
authorized.
2.Work-in-process inventories and fixed assets are
safeguarded.
PE1
More accurate cost data results in better product mix and

pricing decisions. More detailed cost data improves
management’s ability to control and manage total costs.
What is the potential solution to the second criticism?
–Integrated production cycle data model
Read and understand a data model (REA diagram) of the
production cycle
.
Production Cycle Data Model
To maximize its usefulness for cost management and
decision making, production cycle data must be collected
at the lowest possible level of aggregation. The following
diagram presents relationships between the work in
process (resource entity) and raw materials, labor, and
machine operations (event entities) used to produce a
batch of goods. Partial REA Diagram of the Production Cycle
Partial R EA Diagram of the Production Cycle
What is the relationship between the two agent entities?

–many-to-one
What does it reflect?
Each employee is assigned to a specific supervisor.
Production cycle Each supervisor is responsible for many employees.
CHAPTER 14
THE HUMAN RESOURCES MANAGEMENT

AND PAYROLL CYCLE
Payroll Cycle Activities

What are the basic activities performed in the payroll
cycle?
1.Update master payroll file
2.Update tax rates and deductions
3.Validate time and attendance data
4.Prepare payroll
5.Disburse payroll
6.Calculate employer-paid benefits and taxes
7.Disburse payroll taxes and other deductions
Update Master Payroll File (Activity 1)
The first activity in the HRM/payroll cycle involves updating
the payroll master file to reflect payroll changes such as
new hires, terminations, changes in pay rates, or changes
in discretionary withholdings. It is important that all payroll
changes are entered in a timely manner and are properly
reflected in the next pay period.
Update Tax Rates and Deductions (Activity 2)
The second activity in the HRM/payroll cycle involves
updating information about tax rates and other
withholdings. These changes happen whenever updates
about changes in tax rates and other payroll deductions
PE1
are received from various government units and insurance –online terminals
companies. –corporate intranets
Validate Time andAttendance Data (Activity 3) Disburse Payroll (Activity 5)
The third activity in the payroll cycle is to validate each The fifth activity is actual disbursement of paychecks to
employee’s time and attendance data. This information employees. Most employees are paid either by check or by
comes in various forms, depending on an employee’s direct deposit of the net pay amount into the employee’s
status. bank account.
What are some pay schemes? Procedures:
–time cards for those paid on an hourly basis  Once paychecks have been prepared, the payroll
–self report for professionals register is sent to the accounts payable
–straight commission or salary plus commission department for review and approval.
–incentives and bonuses  A disbursement voucher is then prepared.
 The disbursement voucher and payroll register are
Procedures: then sent to the cashier.
 The payroll department is responsible for
validating employee time records.
 For factory workers, validation involves comparing Opportunities for Using Information Technology
the total time worked with the time spent on each What are some opportunities of using information
job. technology to disburse payroll (Activity 5)?
 The payroll clerk calculates batch totals and enters –direct deposit
them along with the time data. –outsourcing to a payroll service bureau
 The batch totals are recalculated by the computer
after subsequent processing steps. Calculate Employer-Paid Benefits and Taxes (Activity 6)
 Payroll transaction data are entered through Some payroll taxes and employee benefits are paid directly
online terminals. by the employer. Federal and state laws require employers
 Edit checks are performed on each time and to contribute a specified percentage of each employee’s
attendance record. gross pay to federal and state unemployment
compensation insurance funds. Employers often contribute
What are some opportunities of using information to health, disability, and insurance premiums. Many
technology tovalidate time and attendance data (Activity companies also offer their employees flexible benefit
3)? plans. Many employees are offered and contribute toward
–collecting employee time and attendance data a choice of retirement savings plans.
electronically, instead of on paper documents
–using badge readers Disburse Payroll Taxes and Other Deductions (Activity 7)
–using electronic time clocks The final activity in the payroll process involves paying the
payroll tax liability and the other voluntary deductions of
Prepare Payroll (Activity 4) each employee. An organization must periodically prepare
The fourth activity in the payroll cycle involves preparing checks or use electronic transfer to pay the various tax
payroll. Data about the hours worked are provided by the liabilities incurred. The timing of these payments is
department in which the employee works. Pay rate specified by the respective government agencies. The
information is obtained from the payroll master file. The funds voluntarily withheld from each employee’s paycheck
person responsible for preparing paychecks cannot add for various benefits must be disbursed to the appropriate
new records to this file. organizations.
Procedures: Control: Objectives,Threats, and Procedures

 Payroll processing is performed in the computer The second functionof the AIS in the HRM/payroll cycle is
operations department. to provide adequate internal controls to ensure meeting
 The payroll transaction file is sorted by employee the following objectives:
number. 1.Payroll transactions are properly authorized
 The sorted time data file is used to prepare 2.Recorded payroll transactions are valid
employee paychecks. 3.Authorized payroll transactions are recorded
 All payroll deductions are summed and the total is 4.Payroll transactions are accurately recorded
subtracted from gross pay to obtain net pay. Control: Objectives,Threats, and Procedures
 What are types of payroll deductions? 5.Applicable government regulations regarding remittance
o withholdings of taxes and filing of payroll and HRM reports are met
o voluntary deductions 6.Assets (both cash and data) are safeguarded from loss or
 Finally, the payroll register and employee theft
paychecks are printed. 7.HRM/payroll cycle activities are performed efficiently
and effectively
Opportunities for Using Information Technology What are some threats?
What are some opportunities of using information 1.Hiring of unqualified or larcenous employees
technologyto prepare payroll (Activity 4)? 2.Violation of employment law
–produce and distribute payroll reports electronically 3.Unauthorized changes to the master payroll file
rather than on paper
PE1
4.Inaccurate time data Why?

5.Inaccurate processing of payroll Many people typically apply for each job opening.
6.Theft or fraudulent distribution of paychecks A given individual may also respond to more than one
7.Loss or unauthorized disclosure of payroll data recruiting event.
8.Poor performance
What are some control procedures? CHAPTER 15
–sound hiring practices (verification of job applicant’s skills,
references, and employment history) GENERAL LEDGER AND REPORTING SYSTEM
–thorough documentation of hiring procedures
–segregation of duties
–batch totals and other application controls
–direct deposit General Ledger and Reporting Activities
–paycheck distribution by someone independent of payroll What are the four basic activities performed in the general
process ledger and reporting system?
–investigation of all unclaimed paychecks 1.Update the general ledger
–separate payroll checking account 2.Post adjusting entries
–access control 3.Prepare financial statements
–backup procedures 4.Produce managerial reports
–encryption
Update The General Ledger(Activity 1)
Information Needs and Procedures The first activity in the general ledger system is to update
The third functionof the AIS is to provide information the general ledger.Updating consists of posting journal
useful for decision making. The payroll system must be entries that originated from two sources:
designed to collect and integrate cost data with other 1.Accounting subsystems
types of information in order to enable management to 2.The treasurer
make the following kinds of decisions:
Information Needs and Procedures
1.Future work force staffing needs
2.Employee performance
3.Employee morale
4.Payroll processing efficiency and effectiveness
Some of the information has traditionally been provided by
the payroll system. Other information, such as data about
employee skills, had normally been provided and
maintained by the HRM system. Other information, such as
data about employee morale, has traditionally not been
collected. Post Adjusting Entries (Activity 2)
The second activity in the general ledger system involves
Payroll Cycle Data Model posting various adjusting entries.
Adjusting entries originate from he t controller’s office,
after the initial trial balance has been prepared.
What are the five basic categories of adjusting entries?
1.Accruals (wages payable)
2.Deferrals (rent, interest, insurance)
3.Estimates (depreciation)
4.Revaluation (change in inventory method)
5.Corrections
What is the relationship between skills and recruiting?

–one-to-many
It reflects the fact that each advertisement seeks a specific
skill and that, over time, there may be several
advertisements for a given skill.
What is the relationship between the recruiting event and
job applicants?
–many-to-many
PE1
Prepare Financial Statements (Activity 3) Errors made in updating the general ledger can lead to
The third activity in the general ledger and reporting poor decision making based on erroneous information in
system involves the preparation of financial statements. financial performance reports. Control procedures fall into
three categories:
The income statement is prepared first. 1.Input edit and processing controls
The balance sheet isprepared next. 2.Reconciliations and control reports
The cash flows statement is prepared last. 3.Maintenance of an adequate audit trail
Produce Managerial Reports (Activity 4) Input Edit and Processing Controls
The final activity in the general ledger and reporting There are two sources of journal entries for updating the
system involves the production of various managerial general ledger:
reports. 1.Summary journal entries from other AIS cycles
What are the two main categories of managerial reports? 2.Direct entries made by the treasurer or controller
1.General ledger control reports
2.Budgets Journal entries made by the treasurer and controller are
original data entry. Several types of input edit and
What are examples of control reports? processing controls are needed to ensure that they are
–lists of journal vouchers by numerical sequence, account accurate and complete. These are:
number, or date Validity Check
–listing of general ledger account balances Field Checks
Zero-balance checks
What are examples of budgets? Completeness test
–operating budget Closed-loop verification
–capital expenditures budget Calculation run-to-run totals to verify accuracy of journal
voucher batch processing
Budgets and performance reports should be developed on Standard adjusting entry file for recurring adjusting
the basis of responsibility accounting. entries made each period
Sign check
What is responsibility accounting?
It involves reporting financial results on the basis of Reconciliation and Control Report
managerial responsibilities within an organization. Reconciliations and control reports can detect if any errors
were made during the process of updating the general
Control: Objectives,Threats, and Procedures ledger. Examples include:
What are the control objectives in the general ledger and Preparation of the trial balance
reporting system? Comparing the general ledger control account balances to
1.Updates to the general ledger are properly authorized. the total balance in the corresponding ledger
2.Recorded general ledger transactions are valid.
3.Valid, authorized general ledger transactions are The audit trail is the path of a transaction through the
recorded. accounting system. The audit trail facilitates these three
Control: Objectives,Threats, and Procedures tasks:
4.General ledger transactions are accurately recorded. 1.Trace any transaction from its original source document
5.General ledger data are safeguarded from loss or theft. to the general ledger and to any report or other document
6.General ledger system activities are performed efficiently using that data.
and effectively. Reconciliation and Control Report
The audit trail, continued
Threats and Controls in the General Ledger and Reporting 2.Trace any item appearing in a report back through the
System general ledger to its original source document
3.Trace all changes in general ledger accounts from their
beginning balance to their ending balance
Threat 2: Unauthorized Access to the General Ledger
Unauthorized access to the general ledger can result in
confidential data leaks to competitors or corruption of the
general ledger. It can also provide a means for concealing
the theft of assets.
Some controls against this threat are:
User IDs and passwords
Read-only access to the general ledger
System checks of authorization codes for each journal
voucher record before posting
Threat 3: Loss or Destruction of the General Ledger
Adequate backup and disaster recover y procedures must
Threat 1: Errors in Updating the General Ledger be in place to protect the general ledger. Backup controls
include:
PE1
1.Use of internal and external file labels Data warehouses, which contain both current and
2.Performance of regular backup of the general ledger historical data, can provide additional support for strategic
decision making. Whereas transaction-processing
Integrated Data Model databases are designed to minimize redundancy, data
An integrated enterprise-wide data model represents a warehouses purposely build in redundancies in order to
merging of separate data models. This merging primarily maximize query efficiency.The process of accessing data
involves linking each resource with the events that contained in the data warehouse and using it for strategic
increase and decrease that resource. decision making is referred to as Business Intelligence.
Integrated Data Model
The two main techniques of business intelligence are:
Online Analytical Processing (OLAP)
Data mining
Opportunities for Using Information Technology
The Extensible Business Reporting Language (XBRL) has
addressed two problems:
Different requirements for the manner in which
information is delivered.
The need for manual reentry of information into
standalone decision analysis tools.
XBRL provides two benefits:
It enables organizations to publish information only once
using standard XBRL tags.
XBRL tags are interpretable.
Benefits of an Integrated Data Model

What are some benefits of an Integrated data model?
–Improved support for decision making
–Integration of financial and nonfinancial information
–Improved internal reporting
Development of a virtual value chain occurs in three
stages.
What are these stages?
1.Visibility
2.Mirroring
3.Building new customer relationships
Balanced Scorecard
What is a balanced scorecard?
•A report that provides a multidimensional perspective of
organizational performance
•It contains measures reflecting four perspectives of the
organization:
•Financial
•Customer
•Internal operations
•Innovation and learning
Data Warehouses
PE1

Ringkasan SIA

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ringkasan SIA

Uploaded by

Copyright:

Available Formats

Disusun oleh : Muhammad Firman (Akuntansi FE UI 2012)

SISTEM INFORMASI AKUNTANSI

What Is An AIS? A survey conducted by the Institute of Management

The ultimate goal of any business is to provide value to its

Characteristics of Useful Information

Common Source Documents and Functions Record Transaction Datain Journals

Data Processing Cycle: Data Processing

What is a budget? E-business encompasses an organization’s external

Electronic Data Interchange (EDI): Standard protocol,

Integrated Electronic Data Interchange (EDI) Information Flows in Electronic Commerce

E-Business Effects on Value Chain Activities

Financial Electronic Data Interchange (FEDI)

2. The Internet Interface Devices

In a centralized WAN, all terminals and other devices are

In a decentralized WAN, each departmental unit has its

Each desktop computer is referred to as a client. The client

The DBMS controls the database so that users can access,

Mapping conceptual level facts to internal level

DBMS Languages In the text, if a particular Inventory item were

The REA data model provides structure in two ways:

Example: The sales event may be decomposed into the

The maximum cardinality of 1 in the (1, 1) cardinality pair

Cardinalities are not arbitrarily chosen by the database

3.A many-to-many relationship (M:N)

SYSTEMS DEVELOPMENT AND

Due to the fact that S&S sells mass-produced goods, its

Each sales transaction is paid in full by a cash collection

If two data elements flow together, then the use of one

If the data elements do not always flow together, then

DATA FLOW DIAGRAMS

One approach you can use is to read through the

Every manual process should have at least one input and

Moral of the story: Changes in the physical characteristics

EXAMPLE: The registrar’s office of a small college receives COMPUTER-BASED INFORMATION

4. A line count is the number of lines of data entered.

•Periodic testing and revision

COMPUTER CONTROLS AND SECURITY Developing a Security Plan

–compatibility tests  Require all requests to be submitted in

Project Development and Acquisition Controls Integrity:Input Validation Routines

2. Electronic identification should be required for all

3. Improve detection methods. review, and documentation of audit evidence. Internal

The Nature of Auditing

Some types of control procedures:

oInadvertent programming errors –Verify adherence to processing control procedure by

CHAPTER 11 To reduce human error, customers should enter data

Orders entered online can be routed directly to the

A well-designed site can provide insights that lead to What quantity

Picking and packing the order. This produces:

The picking ticket identifies: It identifies:

Open-invoice method: •Returns

 Is sufficient cash available to take advantage of any

Key decisions and information needs:

–approved purchase requisitions

Control: Objectives,Threats, and Procedures

3.All valid, authorized production cycle transactions are

More accurate cost data results in better product mix and

What is the relationship between the two agent entities?

THE HUMAN RESOURCES MANAGEMENT

Payroll Cycle Activities

Procedures: Control: Objectives,Threats, and Procedures

4.Inaccurate time data Why?

What is the relationship between skills and recruiting?

Benefits of an Integrated Data Model