Notebook in Acctg8


CHAPTER 1

Data vs. Information


Data are input. Information is output.

Expenditure Cycle involves interactions between an organization and its suppliers.

Revenue Cycle involves interactions between an organization and its customers,
such as shipping them goods. This business process includes goods storage,
receiving vendor invoices and updating payable accounts.

Production or Conversion Cycle involves the transformation of raw materials
into finished goods.

Financial Cycle deals with interactions between an organization and its lenders
and owners.

Service is a primary activity in the value chain.

Expenditure includes transactions between an organization and its suppliers.

Means by which information improves decision making:

• Reduces uncertainty: more reliable information leads to less uncertainty
and thus better decisions.
• Provides feedback about effectiveness of prior decisions: Knowledge of
effective and ineffective decisions can lead to better decisions in the
future.
• Identifies situations requiring management action: Identifying the need for
management action can lead to improved decision making.

Upgrading IT is a support activity. Technology activities, including investing in IT,
are considered a support activity.
Note: The value chain includes only primary and support activities. A structured activity is
neither a primary nor a secondary activity.

Goal Conflict is when a subsystem’s goals are inconsistent with the goals of
another subsystem or the system as a whole.

Goal Congruence is when a subsystem achieves its goals while contributing to the
organization’s overall goal.
Function of an AIS:
Provide information to executives for the purpose of making strategic decisions
Transforming data into useful information

Component of AIS:
The procedures and instructions used to collect, process and store data,
transforming data into information so that management can plan, execute,
control and evaluate activities, resources and personnel.

CHAPTER 2

Data Processing Cycle:

• Data Input – where data is captured, collected and entered into the system.
• Data Storage – where data is stored for future use.
• Data Processing – where stored data is updated with new input data.

File is designed to include information of many.

Record should include all information maintained by the system about a particular
entity.

Attribute is a descriptor or a characteristic of an entity.

Field represents a data value for a particular attribute storage space.

Sequence Codes number items consecutively to account for all of them;
missing ones cause a gap in the sequence.

Block Codes are blocks of numbers reserved for specific categories of data.

Group Codes are two or more subgroups of digits used to code items, often used in
conjunction with block codes.

Mnemonic Codes are letters and numbers interspersed to identify an item.

Accounts receivable is typically made up of many individual customer accounts in
a subsidiary ledger. The total of all individual customer accounts is maintained in the
accounts receivable control account in the general ledger.

The document most likely to be used in the expenditure cycle is the receiving report; it is
used to record the receipt of goods from suppliers. Companies pay their suppliers
based on the goods received and recorded on the receiving report.

The Sales Order is a revenue cycle document that captures the information about
the customer’s order.
The Credit Memo is a revenue cycle document that is used to give a credit to a
customer for damaged or returned goods.

A Job Time Ticket is a production cycle document that is used to record the time
spent on specific jobs.
Note: The Chart of Accounts lists general ledger accounts by the order in which they appear
in financial statements.

Advantages of an ERP System:

• Better access control
• Standardization of procedures and reports
• Improved monitoring capabilities
Note: ERP Systems are quite complex and costly.

Turnaround Documents are records of company data sent to an external party
and then returned to the system as input.

Source Data Automation Documents is the capturing of input data in
machine-readable form.

Source Documents collect data about business activities.

External Input Documents originate from external sources.

Online Batch Processing involves entering transaction data and editing them as
they occur.

Batch Processing involves updating periodically.

Online Real-Time Processing involves updating transactions as they occur. It
ensures that stored information is always current, thereby increasing
decision-making usefulness.

CHAPTER 3

A DFD is a representation of a flow of data in an organization. It is a graphical
representation of how data move through an organization. Decision rules are
objective statements specific to computer programs.

Computer Hardware Configuration shows how various parts of a computer fit
together.
Note: Documentation methods such as DFDs, BPDs and flowcharts save both time and
money, adding value to an organization.

Document Flowchart illustrates the flow of documents and data among areas of
responsibility within an organization.

System Flowcharts depict the relationships among input, processing, storage and
output.

Program Flowchart illustrates the sequence of logical operations performed by a
computer in executing a program.
Note: All data elements should be named, with the exception of data flows into data stores,
when the inflows and outflows make naming the data store redundant.

Documentation skills that accountants require:

Read documentation to determine how the system works. All accountants
should at least be able to read and understand system documentation.

Although senior accountants may critique and correct documentation
prepared by junior accountants, at a minimum all accountants need to be able to
read and understand documentation.

Some accountants may need to develop internal control documentation,
but system developers and analysts normally prepare systems documentation.

Most accountants will not be asked to teach documentation skills.
Note: A system flowchart is a narrative representation of an information system. A flowchart
is a graphical rather than a narrative representation of an information system.

Document flowcharts emphasize the flow of documents or records containing data.

Flowchart symbols are divided into four categories: input/output symbols,
processing symbols, storage symbols, and flow and miscellaneous symbols.

Recommended guidelines for making flowcharts more readable, clear, concise,
consistent and understandable:
• Divide a document flowchart into columns with labels
• Design the flowchart so that flow proceeds from top to bottom and from
left to right
• Show the final disposition of all documents to prevent loose ends that
leave the reader dangling

Data sources and destinations are represented as a square in a data flow diagram.
A curved arrow represents a data flow. A circle represents a process. Two parallel
lines represent a data store.

CHAPTER 4

The relational data model portrays data as being stored in tables or relation
format.
A hierarchical database portrays data as being stored in hierarchies.

An object-oriented database portrays data as being stored as objects.

The file-based data model portrays data as being stored in files.

Data Integration: master files are combined into large “pools” of data that
many application programs access. This may be an employee database that
consolidates payroll, personnel, and job skills master files.

Data Sharing: data are more easily shared with authorized users. Databases are easily
browsed to research a problem or obtain detailed information underlying a report.

Data Independence: as data and the programs that use them are independent of
each other, each can be changed without changing the other.

Relation is a table in a relational database.

Attribute is each column in a relational database that describes some
characteristics of the entity about which data are stored.

Anomaly is a problem in a database, such as an insert anomaly or a delete
anomaly.

Tuple is each row in a relational database table.

Note: The internal-level schema of a database system consists of an individual user’s view
of portions of a database, also called a subschema. The internal-level schema, a low-level
view of the database, describes how the data are stored and accessed, including record
layouts, definitions, addresses and indexes.

DML (Data Manipulation Language): is used for data maintenance.

DDL (Data Definition Language): is used to build the data dictionary, create a
database, describe logical views, and specify any limitations or constraints on
security.

DQL (Data Query Language): is used to retrieve information from a database.

A primary key must be unique which is why a supplier number would be the most
likely attribute.

DBMS (Database Management System): is a software program that acts as an
interface between the database and various application programs.

Entity Integrity Rule. Every primary key in a relational table must have a non-null
value.

Referential Integrity Rule. Stipulates that foreign keys must have values that
correspond to the value of a primary key in another table or be empty.

• A primary key cannot uniquely identify a row in a table if it is null (blank).
• In a relational database, there can only be one value per cell.
• Foreign keys, if not null, must have values that correspond to the value of a
primary key in another table. They link rows in one table to rows in another
table.
• All nonkey attributes in a table must describe a characteristic of the objects
identified by the primary key.

CHAPTER 5

Input Fraud is the simplest and most common way to commit a computer fraud. It
involves altering or falsifying input.

Processor Fraud includes unauthorized system use, including the theft of
computer time and services.

Computer Instructions Fraud includes tampering with company software, using
software in an unauthorized manner and developing software to carry out an
unauthorized activity.

Output Fraud: unless properly safeguarded, displayed or printed output can be
stolen, copied or misused.

Kiting is a scheme involving bank transfers.

Fraudulent Financial Reporting: attesting to such is the basis of a large
percentage of lawsuits against auditors.

Ponzi Schemes, in which money from new investors is used to pay off earlier
investors, are investment frauds that often do not involve auditors.

Lapping is a scheme in which later payments on account are used to pay off earlier payments
that were stolen.

• The psychological profiles of white-collar criminals differ from those of violent
criminals.
• The psychological profiles of white-collar criminals are significantly different
from those of the general public.
• There is little difference between computer fraud perpetrators and other types
of white-collar criminals.
• Some computer fraud perpetrators do not view themselves as criminals.

Fraud Triangle (conditions usually necessary for a fraud to occur):
• Pressure
• Opportunity
• Rationalization

Computer Fraud
• Theft of money by altering computer records
• Obtaining information illegally using a computer
• Unauthorized modification of software
Note: The majority of computer security problems are caused by human errors.

Responsibilities of auditors in detecting fraud according to SAS No. 99:

• Evaluating the results of their audit tests
• Incorporating a technology focus
• Discussing the risks of material fraudulent misstatements

Encryption is used to code data in transit so it cannot be read unless it is decoded.
It does not stop employees from lapping accounts receivable payments.

Continual Update of the Access Control Matrix: the matrix specifies what computer functions
employees can perform and what data they can access with a computer. It does not
stop employees from lapping accounts receivable payments.

Background Check on Employees can help screen out dishonest job applicants,
but it does not stop employees from lapping accounts receivable payments.

Periodic Rotation of Duties. Lapping requires a constant and ongoing cover-up to
hide the stolen funds. Rotating duties such that the perpetrator does not have access
to the necessary accounting records will most likely result in the fraud’s discovery.
Note: The most important, basic and effective control to deter fraud is segregation of duties.
Segregating duties among different employees is the most effective control for the largest
number of fraud schemes, because it makes it difficult for any single employee to both
commit and conceal fraud.

Insurance will pay for all or a portion of fraud losses.

Regular backup of data and programs helps the injured party recover lost or
damaged data and programs.

Contingency plan helps the injured party restart operations on a timely basis.

Segregation of duties is an effective method of deterring fraud but does not help a
company recover from fraud once it occurs.

CHAPTER 6

Virus damages a system using a segment of executable code that attaches itself to
software, replicates itself and spreads to other systems or files.

Worm is a program that hides in a host program and copies and actively transmits
itself directly to other systems.

Trap Door is entering a system using a back door that bypasses normal system
controls.

Trojan Horse is placing unauthorized computer instructions, such as fraudulently
increasing an employee’s pay, in an authorized and properly
functioning program.

Logic Bomb sabotages a system using a program that lies idle until some specified
circumstances or a particular time triggers it.

Typosquatting is the practice of setting up websites with names similar to real
websites so that users who make typographical errors when typing website names
are sent to a site filled with malware.

URL Hijacking

Chipping is planting a chip that records transaction data in a legitimate credit card
reader.

Round-down fraud: interest calculations are truncated at two decimal places, and
the excess decimals are put into an account the perpetrator controls.

Phishing is the practice of sending e-mails requesting recipients to visit a webpage
and verify data or fill in missing data. The e-mails and websites look like
those of legitimate companies, primarily financial institutions.

Phreaking is attacking phone systems to obtain free phone line
access or using telephone lines to transmit viruses and to access, steal and destroy
data.

Pharming is redirecting traffic to a spoofed website to gain access to personal and
confidential information.

Vishing is voice phishing, in which e-mail recipients are asked to call a phone
number where they are asked to divulge confidential data.

Cyber-terrorism or Internet Terrorism is using the internet to disrupt
communications and e-commerce.

Blackmailing is the extortion of money or something else of value from a person
by the threat of exposing a criminal act or discreditable information.

Cyber-extortion is when fraud perpetrators threaten to harm a company if it does not
pay a specified amount of money.

Scareware is software of limited or no benefit, often malicious in nature, that is
sold using scare tactics. The most common scare tactic is a dire warning that the
person’s computer is infected with viruses, spyware or some other catastrophic problem.

Pretexting is one specific type of social engineering. It involves acting under false
pretenses to gain confidential information.

Posing is one specific type of social engineering in which someone creates a
seemingly legitimate business, collects personal information while making a sale
and never delivers the item sold.

Social Engineering refers to techniques used to obtain confidential information, often by
tricking people.

Identity Theft is a type of social engineering in which one person assumes
another’s identity, usually for economic gain, by illegally obtaining confidential
information, such as a Social Security Number.

Rootkit is software that conceals processes, files, network connections and
system data from the operating system and other programs.

Torpedo Software is software that destroys competing malware, resulting in
“malware warfare” between competing developers.

Spyware is a type of software that secretly collects personal information about users
and sends it to someone else without the user’s permission.

Malware is a general term that applies to any software used to do harm.

Packet Sniffers are programs that capture data from information packets as they
travel over the Internet or company networks.

Bluebugging is taking control of someone else’s phone to make or listen to calls,
send or read text messages, connect to the internet, forward the victim’s calls, and
call numbers that charge fees.

Bluesnarfing is a type of computer attack that steals contact lists, images and other
data using Bluetooth.

Buffer overflow is inputting so much data that the input buffer overflows. The
overflow contains code that takes control of the computer.

Carding is verifying card validity; buying and selling stolen credit cards.

CHAPTER 7

Detective Controls are controls designed to discover control problems that were
not prevented.

Preventive Controls are controls that deter problems before they arise…

Application Controls are controls that prevent, detect and correct transaction
errors and fraud in application programs.

General Controls are controls designed to make sure an organization’s
information system and control environment are stable and well managed.

Strategic Objectives are high-level goals aligned with the company’s mission and
are one of the objectives in COSO’s ERM model.

Compliance Objectives help the company comply with all applicable laws and
regulations and are one of the objectives in COSO’s ERM model.

Reporting Objectives help ensure the accuracy, completeness and reliability of
internal and external reports and are one of the objectives in COSO’s ERM model.

Operations Objectives deal with the effectiveness and efficiency of operations
and are one of the objectives in COSO’s ERM model.
Note: COSO’s internal control integrated framework has been widely accepted as the
authority on internal controls. The internal control integrated framework is the accepted
authority on internal controls and is incorporated into policies, rules and regulations that are
used to control business activities.

Preventive controls are superior to detective controls. With respect to
controls, it is always of utmost importance to prevent errors from occurring.

• An overly complex or unclear organizational structure may be indicative of
problems that are more serious.
• A written policy and procedures manual is an important tool for assigning
authority and responsibility.
• Supervision is especially important in organizations that cannot afford elaborate
responsibility reporting or are too small to have an adequate separation of duties.
Note: To achieve effective segregation of duties, certain functions must be separated:
authorization, recording and custody.

Independent Check:
• Bank reconciliation
• Periodic comparison of subsidiary ledger totals to control accounts
• Trial balance

Sequentially prenumbering sales invoices: designing documents so that
they are sequentially prenumbered and then using them in order is a control
procedure relating to both the design and the use of documents.

The risk assessment steps: Identify threats, estimate risk and exposure, identify
controls and estimate costs and benefits.
