ACCOUNTING INFORMATION 15TH EDITION, GLOBAL EDITION BY MARSHALL B. ROMNEY, PAUL JOHN STEINBART, SCOT by QuentinAxel

Solutions Manual For

Accounting Information Systems 15th Edition, Global Edition

Marshall B. Romney Paul John Steinbart Scott L. Summers David A. Wood

CHAPTER 1 ACCOUNTING INFORMATION SYSTEMS: AN OVERVIEW SUGGESTED ANSWERS TO DISCUSSION QUESTIONS 1.1

Discuss the concept of a system and the issues of goal conflict and goal congruence. A system is a set of two or more components that are somehow interrelated and interact together to achieve a specific goal. A system usually consists of smaller components called subsystems. These subsystems have specific and defined functions, which interact with and support the larger system. The concept of systems is key to information technology and AIS. All systems, including the AIS, must work to achieve one or more organizational goals. Goal conflict results when a decision or action of a subsystem is inconsistent with another subsystem or the system (organization) as a whole. Goal congruence results when a subsystem achieves its goals while contributing to the organization's overall goal. Subsystems should maximize organizational goals.

1.2

Give an example of how an AIS can improve decision making and describe the multistep activities involved in the process. Decision making is a complex, multistep activity: identify the problem, collect and interpret information, evaluate ways to solve the problem, select a solution methodology, and implement the solution. An AIS can provide assistance in all phases of decision making. Reports can help to identify potential problems. Decision models and analytical tools can be provided to users. Query languages can gather relevant data to help make the decision. Various tools, such as graphical interfaces, can help the decision maker interpret decision model results, evaluate them, and choose among alternative courses of action. In addition, the AIS can provide feedback on the results of actions.

An AIS can help improve decision making in several ways:   

 

It can identify situations requiring management action. For example, a cost report with a large variance might stimulate management to investigate and, if necessary, take corrective action. It can reduce uncertainty and thereby provide a basis for choosing among alternative actions. It can store information about the results of previous decisions, which provides valuable feedback that can be used to improve future decisions. For example, if a company tries a particular marketing strategy and the information gathered indicates that it did not succeed, the company can use that information to select a different marketing strategy. It can provide accurate information in a timely manner. For example, Walmart has an enormous database that contains detailed information about sales transactions at each of its stores. It uses this information to optimize the amount of each product carried at each store. It can analyze sales data to discover items that are purchased together and can use such information to improve the layout of merchandise or to encourage additional sales of related items. For example, Amazon uses its sales database to suggest additional books for customers to purchase.

1-1 .

Ch. 1: Accounting Information Systems: An Overview

1.3

A software company in Munich is organizing a competition, inviting business ideas that promote the use of smartphone technology to conduct business. You enter your business plan, an initiative to involve unemployed teenagers and young adults from local communities to generate business and employment, and it was so well received that you were awarded a special prize of €5,000. You plan on using your prize money to implement your idea. a. Identify key decisions you need to make, the information you require to make these key decisions, and the five major business processes you need to engage in. b. Identify the external parties with whom you would need to exchange information and specify the information you will receive from these parties and the information that you will send to these parties. The author uses this as a class discussion: the typical process the author follows is that students work through the content of a chapter before it is covered in class. Students are required to answer questions (such as this one) and submit it before the lecture. The author then assesses the answers, and, based on problems identified within the answers, the lecture content would be determined. Students are thus required to complete the questions before coming to the class. In class, the students are divided into small groups (about 4 – 5 students per group). Each small group has to come to some consensus about the answers that they will present to the class. The groups could be randomly allocated, or the groups could be based on similarity in initial ideas. A group is then selected (or a group can volunteer) to present their answers to the class. Since all students have had the opportunity to engage with the content prior to the presentation in class, there should be meaningful contributions and discussions about how the presented solutions could be improved. Answers will vary, but the main aim is to get students to understand (for part a) how the business processes, key decisions, and information needs are all intertwined (as shown in Table 1-2). This then links to the external parties (part b) in Figure 1-1. Since the scenario indicated the use of mobile phones to conduct business, students should ideally relate their answers to some form of retail (buying / selling of goods / services).

1-2 .

Accounting Information Systems 15e, GE

1.4

How do an organization’s business processes and lines of business affect the design of its AIS? Give several examples of how differences among organizations are reflected in their AIS. An organization’s AIS must reflect its business processes and its line of business. For example:    

 

1.5

Manufacturing companies will need a set of procedures and documents for the production cycle; non-manufacturing companies do not. Government agencies need procedures to track separately all inflows and outflows from various funds, to ensure that legal requirements about the use of specific funds are followed. Financial institutions do not need extensive inventory control systems. Passenger service companies (e.g., airlines, bus, and trains) generally receive payments in advance of providing services. Therefore, extensive billing and accounts receivable procedures are not needed; instead, they must develop procedures to account for prepaid revenue. Construction firms typically receive payments at regular intervals, based on the percentage of work completed. Thus, their revenue cycles must be designed to track carefully all work performed and the amount of work remaining to be done. Service companies (e.g., public accounting and law firms) do not sell physical goods and, therefore, do not need inventory control systems. They must develop and maintain detailed records of the work performed for each customer to provide backup for the amounts billed. Tracking individual employee time is especially important for these firms because labor is the major cost component.

Figure 1-5 shows that organizational culture and the design of an AIS influence one another. What does this imply about the degree to which an innovative system developed by one company can be transferred to another company? Since people are one of the basic components of any system, it will always be difficult to transfer successfully a specific information systems design intact to another organization. Considering in advance how aspects of the new organizational culture are likely to affect acceptance of the system can increase the chances for successful transfer. Doing so may enable the organization to take steps to mitigate likely causes of resistance. The design of an AIS, however, itself can influence and change an organization’s culture and philosophy. Therefore, with adequate top management support, implementation of a new AIS can be used as a vehicle to change an organization. The reciprocal effects of technology and organizational culture on one another, however, mean that it is unrealistic to expect that the introduction of a new AIS will produce the same results observed in another organization.

1-3 .

Ch. 1: Accounting Information Systems: An Overview

1.6

Why are accounting software packages designed with separate transaction modules? Since every organization does not necessarily use all of the transaction cycles in its operations, it is to the advantage of the organization to be able to “pick and choose” from among various software modules that track and record different transaction cycles. For example, a law firm would have no need to implement a production cycle module. Also, the nature of a transaction cycle varies across the broad spectrum of business organizations. Again, a law firm would have a revenue cycle, but it would not involve the purchase, receipt, and payment for products or merchandise; likewise, a retail store chain may not sell any consulting services to its customers.

1.7

Apply the value chain concept to S&S. Explain how it would perform the various primary and support activities. The value chain classifies business activities into two categories: primary and support. The five primary activities at S&S: a. Inbound logistics includes all processes involved in ordering, receiving, and temporarily storing merchandise that is going to be sold to S&S customers. b. S&S does not manufacture any goods, thus its operations activities consists of displaying merchandise for sale and protecting it from theft. c. Outbound logistics includes delivering the products to the customer. d. Sales & marketing includes ringing up and processing all sales transactions and advertising products to increase sales. e. Service includes repairs, periodic maintenance, and all other post-sales services offered to customers. The four support activities at S&S: a. Firm infrastructure includes the accounting, finance, legal, and general administration functions required to start and maintain a business. b. Human resource management includes recruiting, hiring, training, evaluating, compensating, and dismissing employees. c. Technology includes all investments in computer technology and various input/output devices, such as point-of-sale scanners. It also includes all support activities for the technology. d. Purchasing includes all processes involved in identifying and selecting vendors to supply goods and negotiating the best prices, terms, and support from those suppliers.

1-4 .

Accounting Information Systems 15e, GE

1.8

Information technology enables organizations to easily collect large amounts of information about employees. Discuss the following issues: These questions involve traditional economic cost/benefit issues and less well-defined ethical issues. a. To what extent should management monitor employees’ e-mail? Generally, the courts have held that organizations have the right to monitor employees’ email. Such monitoring can have disastrous effects on employee morale, however. On the other hand, it might provide legitimate information about group members’ individual contributions and productivity. b. To what extent should management monitor which Web sites employees visit? Students are likely to argue whether or not this should be done. One potential benefit that could be argued is the likelihood that if employees are aware that they will be monitored they will be less prone to surf the Web for non-work-related uses. c. To what extent should management monitor employee performance by, for example, using software to track keystrokes per hour or some other unit of time? If such information is collected, how should it be used? Arguments pro and con can be generated about the effects of such monitoring on performance and on morale. Clearly, the specifics of any incentive schemes tied to such metrics are important. d. Should companies use software to electronically “shred” all traces of e-mail? Arguments can be raised on both sides of this issue. Try to get students to go beyond the legal ramifications of recent news stories and to explore the ethical implications of destroying different kinds of email. e. Under what circumstances and to whom is it appropriate for a company to distribute information it collects about the people who visit its Web site? Direct students to the guidelines followed by organizations that certify how various web sites use the information they collect. Students are likely to make the argument that personal information is inherently private and sacrosanct. To challenge that view, ask them about the legitimacy of developing and maintaining a reputation. Doesn’t that involve the divulgence and sharing of personal information among strangers? Ask the class if it is feasible (or undesirable) to totally prevent or prohibit such sharing of information. The instructor should also refer the students to GAPP, as one of its criteria concerns sharing information with 3rd parties. The instructor and the students could read the GAPP criterion about sharing data together, and then discuss what they think. Remind the students that GAPP is not regulatory law – just recommended best practice.

1-5 .

Ch. 1: Accounting Information Systems: An Overview

SUGGESTED ANSWERS TO THE PROBLEMS 24.1

Match the terms with their definitions:

1. _Q__ direct conversion 2. _A__ conceptual design specifications 3. _C__ scheduled report 4. _O__ acceptance test 5. _U_ postimplementation review 6. _N__ processing test data 7. _T__ pilot conversion 8. __I__ program maintenance 9. __G_ structured programming 10. _V__ postimplementation review report 11. _F__ demand report 12. _R__ parallel conversion 13. _M__ walk-throughs 14. _J__ physical systems design report 15. _S__ phase- in conversion 16. _ E __ triggered exception report 17. _K __ systems implementation 18. _D___ specialpurpose analysis report 19. _L__ implementation plan 20. _H__ debugging

a. Requirement specifications for systems output, data storage, input, processing procedures, and operations b. Summarizes conceptual design, guides physical design, and communicates how information needs will be met c. Report prepared on a regular basis, with a pre-specified content and format d. Report with no pre-specified content, format, or pre-specified schedule; usually prepared at management request e. Report with pre-specified content and format, prepared in response to abnormal conditions f. Report with a pre-specified content and format, prepared only on request g. Modular programming approach; each module performs specific function and is coordinated by a control module h. Process of discovering and eliminating program errors i. Updating a computer program due to changed user needs, fixing bugs, or legal or regulatory changes j. Summarizes what was accomplished in physical design; used to determine whether to proceed to implementation k. Process of installing hardware and software and getting the IS up and running l. Written plan showing how new system will be implemented and when the project is complete and the IS operational m. Step-by-step reviews of program logic to find incorrect logic, errors, omissions, or other problems n. Processing valid and erroneous transactions to see if a program operates as designed and errors are detected and corrected o. Using real transactions to determine if user-developed acceptance criteria are met p. Process of changing from an old computer system to a new one q. Changing from an old to a new system by terminating the old when the new is introduced r. Changing from an old to a new system by operating both simultaneously until confident the new system functions correctly s. Gradually replacing elements in an old system with new elements until the old system is replaced t. Implementing a new system in one location, resolving its problems, and then implementing it in the rest of the organization u. Review of new system after operating for a brief period to 24-5 .

Ch 24: Systems Design, Implementation, and Operation

ensure it meets planned objectives and review system controls v. Report that analyzes a newly system to determine if it achieved its intended purpose 21 not used: B conceptual systems design report P conversion

24-6 .

Accounting Information Systems 15e, GE 24.2 Wang Lab’s tremendous growth left the company with a serious problem. Customers would often wait months for Wang to fill orders and process invoices. Repeated attempts by Wang’s understaffed IS department to solve these problems met with failure. Finally, Wang hired a consulting firm to solve its revenue tracking problems and expedite prompt receipt of payments. The 18-month project turned into a doubly long nightmare. After three years and $10 million, the consultants were dismissed from the unfinished project. The project failed for many reasons. The systems development process was so dynamic that the failure to complete the project quickly became self-defeating as modifications took over the original design. Second, management did not have a clear vision of the new AIS and lacked a strong support staff. As a result, a number of incompatible tracking systems sprang from the company’s distributed computer system. Third, the project was too large and complex for the consulting firm, who had little experience with the complex database at the heart of the new system. Finally, the project had too many applications. Interdependencies among subprograms left consultants with few completed programs. Every program was linked to several subprograms, which in turn were linked to several other programs. Programmers eventually found themselves lost in a morass of subroutines with no completed program. The IS department finally developed a system to solve the problem, but their revenue tracking system suffered quality problems for years. Wang Labs asked you, a member of the IS staff, to write a memo explaining the failure of the systems development project. a. Why did the development project fail? What role did the consultants play in the failure? 

Dynamic requirements. The development process was so dynamic that the failure to complete the project quickly was self-defeating as modifications took over the original design. System requirements were never “frozen” so the project could be completed.



Management did not have a clear vision of the new system. As a result, incompatible tracking systems sprung up throughout the company's distributed processing system.



Management lacked a strong IS staff. A qualified IS staff could have planned and managed the development project better, improving the chances for success.



The project was too large and too complex and the consulting firm had little experience. The firm had little understanding of the desired technology: a complex database that represented the heart of the new system.



The project had too many applications. Interdependencies among subprograms and subroutines left consultants with few completed programs.

b. Identify the organizational issues that management must address in the future. 

Management should develop a unified strategic information plan. Organizations should reinforce their business strategy with a complementary information strategy.



Wang should establish an IS steering committee to govern the development process and support the strategic plan. A steering committee monitors systems development activities and could have provided management oversight to the consulting team.



Wang should support the strategy with an expanded, qualified IS staff. A company's reputation is tarnished when it develops an inadequate and unreliable system. Management should hire a larger IS staff, adding more qualified employees – ones that have the necessary skills to support the information strategy. 24-7 .

Ch 24: Systems Design, Implementation, and Operation 

Wang should set policies governing systems developme nt. Well-established procedures governing the planning, scheduling, design, implementation, and documentation of a new information system can minimize the risk of runaway projects. Management must also set standards governing the selection of consultants, if necessary.

c. Recommend steps the company could take to guarantee consulting service quality. 

Wang should improve existing development policies. Wang must first establish its internal development policies that govern the systems development process. For example, a more effective internal MIS staff can provide the consultants with necessary support.



Wang should establish consulting services evaluation criteria. Management must view consultants as vendors and evaluate which consulting firm provides the best service at a fair price. This may include closed bidding, background checks, credential checks, and probing meetings to determine if the firm has the skills to complete the project.



Wang should use an IS steering committee and project development teams to monitor consultants. An oversight body can reinforce the information strategy and hold the consulting team accountable for the development process.

24-8 .

Accounting Information Systems 15e, GE 24.3

Tiny Toddlers, a manufacturer of children’s toys and furniture, is designing and implementing a distributed system to assist its sales force. Each of the 10 sales offices in Canada and 20 in the United States maintains its own customers and is responsible for granting credit and collecting receivables. Electronic data input forms used by each sales office to maintain the customer master file and to enter the daily sales orders are shown in Figures 24-4 and 24-5. Evaluate the electronic data input forms shown in Figures 24-4 and 24-5 using the following format: Weakness

Explanation

Recommendation(s)

Customer Maintenance Form

Weakness

Explanation

Recommendation(s)

No fields for recording a new customer’s phone number, email address, or website.

Tiny Toddlers cannot call or email the customer or visit their website without this data.

The form should have fields for this information after the address information.

The form is not prenumbered.

There is no way to ensure that all maintenance forms are processed and accounted for.

The form should have a preprinted number in the upper right or left corner.

No indication that information has been entered into the computer system.

The person entering the data does not initial the form after the data is entered into the system. A form may be missed or entered twice.

The report should have a space to record the initials of the person entering the data and the date it is entered.

There is no space provided for recording date the form is created (or the effective date of the change).

The company would not know the effective date of the change nor when the form was created.

An effective change date should be added to this report. If the effective change date can be different from the date the form is created, a field for that date should also be included.

The form does not have a place where the person who fills out the form can sign or initial.

If the data entry clerk could not read or understand the information on the form, she would not know who filled out the form.

A place should be provided for the person who fills out the form to sign or initial it.

24-9 .

Ch 24: Systems Design, Implementation, and Operation 24.3 (continued) Sales Order Form Weakness

Explanation

Recommendation(s)

There is no indication that the customer approves of the order.

Where possible, all orders should be signed by the customer to ensure that the customer is responsible for requesting the order.

Provision should be provided on the form for the customer's order approval.

The form is not prenumbered.

There is no way to ensure that all sales orders are processed and accounted for.

There is no space to enter a ship to address or shipping instructions

The goods cannot be shipped to a different address than the customer’s office address, as there is no ship to address. Nor is there any want to know a customer’s special shipping instructions. There is no way for the company to reference back to purchase order from the customer There is no way to know if the customer was given a special price, a sale price, or a standard price.

The form should have a preprinted number in the upper right corner. Add a ship to address to the sales order form as well as a space to record special shipping instructions.

There is no space for the customer’s purchase order number There is no room for the unit price or extended amounts on the sales order form

Add as space on the form for the customer purchase order number Include columns for Unit Price and Extended Amount.

Some students may refer to the sales order form shown in the Revenue Cycle chapter.

24-10 .

Accounting Information Systems 15e, GE 24.4 Mickie Louderman is the new assistant controller of Pickens Publishers. She was the controller of a company in a similar industry, where she was in charge of accounting and had considerable influence over computer center operations. Pickens wants to revamp its information system, placing increased emphasis on decentralized data access and online systems. John Richards, the controller, is near retirement. He has put Mickie in charge of developing a new system that integrates the company’s accounting-related functions. Her promotion to controller will depend on the success of the new AIS. Mickie uses the same design characte ristics and reporting format she used at her former company. She sends details of the new AIS to the departments that interface with accounting, including inventory control, purchasing, human resources, production control, and marketing. If they do not respond with suggestions by a prescribed date, she will continue the development process. Mickie and John have established a new schedule for many of the reports, changing the frequency from weekly to monthly. After a meeting with the director of IS, Mickie selects a programmer to help her with the details of the new reporting formats. Most control features of the old system are maintained to decrease the installation time, with a few new ones added for unusual situations. The procedures for maintaining the controls are substantially changed. Mickie makes all the AIS control change and program-testing decisions, including screening the control features related to payroll, inventory control, accounts receivable, cash deposits, and accounts payable. As each module is completed, Mickie has the corresponding department implement the change immediately to take advantage of the labor savings. Incomplete instructions accompany these changes, and specific implementation responsibility is not assigned to departmental personnel. Mickie believes operations people should learn as they go, reporting errors as they occur. Accounts payable and inventory control are implemented first, and several problems arise. The semimonthly payroll runs, which had been weekly under the old system, have abundant errors, requiring numerous manual paychecks. Payroll run control totals take hours to reconcile with the computer printout. To expedite matters, Mickie authorizes the payroll clerk to prepare payroll journal entries. The new inventory control system fails to improve the carrying level of many stock items. This causes critical stock outs of raw mate rial that result in expensive rush orders. The new system’s primary control procedure is the availability of ordering and user information. The information is available to both inventory control and purchasing personnel so that both departments can issue timely purchase orders. Because the inventory levels are updated daily, Mickie discontinues the previous weekly report. Because of these problems, system documentation is behind schedule, and proper backup procedures have not been implemented. Mickie has requested budget approval to hire two systems analysts, an accountant, and an administrative assistant to help her implement the new system. John is disturbed by her request because her predecessor had only one part-time assistant. Adapted from the CMA Exam. a.

List the steps Mickie should have taken during while designing the AIS to ensure that end-user needs were satisfied.  Interviews should have been conducted with users affected by the changes to understand existing system and business processes, what organizational units are affected by the changes, procedures used to provide information, decision users make and the information needed to make them, current problems users face, needed improvements, and future information needs  The capabilities of the new system should have been explained so users can determine how the capabilities can be used to improve the system – ways the developers may not 24-11 .

Ch 24: Systems Design, Implementation, and Operation

have thought of. In other words, employees in the individual departments should have been encouraged to make suggestions for changes and improvements.  Mickie should not have automatically assumed that the things that worked for her previous employer would work at Pickens. While they can be used as a starting point, Mickie needs to make sure that the human aspect of systems development is not ignored. That is, Pickens employees have to buy into the new system.  As the different parts of the system are developed, the changes should be reviewed with the affected users to ensure that their needs are met. Mickie should have been more proactive in this process. It is not acceptable to give them a date to respond and then proceed with development if she does not hear from them. The users should have been actively involved in the development process all during development. This would endure that all affected users approve of the changes and buy into the change.  Mickie and John should not take upon themselves the responsibility of determining what information users need or when they need it. They should not have established a new schedule for many of the reports, changing the frequency from weekly to monthly.  Mickie should not have assumed that the control features of the old system were sufficient in the new system. While this may save time, it does not ensure adequate controls. Mickie should not change the procedures for maintaining the controls without user input and approval. In fact, all controls issues should be approved by the users.  Mickie cannot possibly understand the system and user needs well enough to make all the control change and program testing decisions. The departments affected by the changes should have been consulted.  While having departments implement changes immediately might produce labor savings, there are more important things to consider when deciding when to implement the system. These include whether it has been completely tested and how it interfaces with the rest of the changes. This is evidenced by the problems that surfaced when the changes were introduced too soon.  Incomplete instructions accompanied the changes, and specific implementation responsibility was not assigned to departmental personnel. That, and Mickie’s belief that operations people should learn as they go and report errors as they occur, is very bad development policy.  Documentation should be complete and back up procedures should be in place before a systems conversion takes place. Identify and describe three ways Mickie violated internal control principles during the AIS implementation. 

Most of the control features of the "old" system were retained in the "new" system; however, the procedures for maintaining controls were substantially changed. The procedures and controls were not coordinated. More importantly, controls appropriate for the "new" systems were not properly developed and evaluated.



Proper backup procedures were not implemented in many areas. This put the system and overall operations in a vulnerable position.



Systems, programming, and operating documentation were behind schedule. Documentation should be complete before a systems conversion takes place.



Separation of duties was violated by allowing o

both inventory control and purchasing personnel to issue purchase orders

payroll clerks to prepare journal entries for payroll processing 24-12 .

Accounting Information Systems 15e, GE c.

Identify and describe the weaknesses in Mickie’s approach to implementing the new AIS. How could you improve the development process for the remaining parts of the AIS?

Weaknesses No systems analysis or feasibility study. Poor planning

Systems testing and reviews were not conducted prior to implementation. Little or no user involvement

System modules implemented without adequate training, documentation, or instructions.

Recommendations Perform a thorough systems analysis that includes a feasibility study. Prepare a development plan, a budget, and a schedule for project completion. An accepted implementation plan for each module must be formalized and followed All modules should be properly tested for processing, informational, and control effectiveness. . Users must participate in the development of the systems plan, the tests of information content and controls, and final implementation acceptance. New modules should not be implemented until adequate documentation is prepared and all affected organizations and personnel have been appropriately trained.

24-13 .

Ch 24: Systems Design, Implementation, and Operation 24.5

Ryon Pulsipher, manager of Columbia’s property accounting division, has had difficulty responding to the following departmental requests for information about fixed assets. 1. The controller has requested individual fixed assets schedules to support the general ledger balance. Although Ryon has furnished the information, it is late. The way the records are organized makes it difficult to obtain information easily. 2. The maintenance manager wants to verify the existence of a punch press that he thinks was repaired twice. He has asked Ryon to confirm the asset number and the location of the press. 3. The insurance department wants data on the cost and book values of assets to include in its review of current insurance coverage. 4. The tax department has requested data to determine whether Columbia should switch depreciation methods for tax purposes. 5. The internal auditors have spent significant time in the property accounting division to confirm the annual depreciation expense. Ryon’s property account records, kept in an Excel spreadsheet, show the asset acquisition date, its account number, the dollar amount capitalized, and its estimated useful life for depreciation purposes. After many frustrations, Ryon realizes his records are inadequate and that he cannot supply data easily when requested. He discusses his problems with the controller, Gig Griffith. RYON: Gig, something has to give. My people are working overtime and can’t keep up. You worked in property accounting before you became controller. You know I can’t tell the tax, insurance, and maintenance people everything they need to know from my records. Internal auditing is living in my area, and that slows down the work. The requests of these people are reasonable, and we should be able to answer their questions and provide the needed data. I think we need an automated property accounting system. I want to talk with the AIS people to see if they can help me. GIG: I think that’s a great idea. Just be sure you are personally involved in the design of any system so you get all the info you need. Keep me posted on the project’s progress. Adapted from the CMA Exam. a. Identify and justify four major objectives Columbia’s automated property accounting system should possess to respond to departmental requests for information. Chapter 1 lists the following seven characteristics of useful information  Relevant. Information is relevant if it reduces uncertainty, improves decision-making, or confirms or corrects prior expectations. 

Reliable. Information is reliable if it is free from error or bias and accurately represents organization events or activities.



Complete. Information is complete if it does not omit important aspects of the events or activities it measures.



Timely. Information is timely if it is provided in time for decision makers to make decisions.



Understandable. Information is understandable if it is presented in a useful and intelligible format.



Verifiable. Information is verifiable if two independent, knowledgeable people produce the same information. 24-14 .

Accounting Information Systems 15e, GE 

Accessible. Information is accessible if it is available to users when they need it and in a format, they can use.

The CMA exam answer included a characteristic not on the above list: 

Flexibility. Flexibility ensures that the computer will adapt to changing business needs without a complete redesign.

b. Identify the data that should be included in the database for each asset.  Asset name  Manufacturer  Model  Serial number  Asset class code  Company assigned asset number  General ledger account number  Location data (plant, department, building)  Acquisition date  Original cost  Data for book depreciation and tax depreciation  Maintenance record: cycle, date, amount  Estimated salvage value

24-15 .

Ch 24: Systems Design, Implementation, and Operation 24.6

A credit union is developing a new AIS. The internal auditors suggest planning the systems development process in accordance with the SDLC concept. The following nine items are identified as major systems development activities that will have to be completed. 1. System test 2. User specifications 3. Conversion 4. Systems survey 5. Technical specifications 6. Post-implementation planning 7. Implementation planning 8. User procedures and training 9. Programming Adapted from the CIA Exam. a. Arrange the nine items in the sequence in which they should logically occur. The logical sequence of occurrence is as follows: 1. Systems Survey 2. User Specifications 3. Technical Specifications 4. Implementation Planning 5. Programming 6. User Procedures and Training 7. System Test 8. Conversion 9. Postimplementation Planning b. One major activity is converting data files from the old system to the new one. List three types of file conversion documentation that would be of particular interest to an auditor. 1. Conversion completion documentation indicating that all previously existing files have been converted at a satisfactory level of quality. 2. Operating test documentation indicating that the converted files are able to support the volume of work in the application. 3. Application approval documentation indicating that the implemented system had proper user and EDP management approval.

24-16 .

Accounting Information Systems 15e, GE 24.7 MetLife, an insurance company, spent $11 billion to acquire Travelers Life and Annuity from Citicorp in one of the largest insurance company acquisitions of all time. The Metlife CIO estimated it would take three years to integrate the two systems. Because the integration project was especially critical, he figured he could accomplish the integration in 18 months if he pulled out all the stops. The MetLife CEO gave him nine months to complete the task. To pull off the integration in nine months, he had to: 

Integrate over 600 IS applications, all with their own infrastructure and business processes. The new systems had to comply with “One MetLife,” a company policy that all information systems had to have a common look and feel companywide and be able to function seamlessly with other MetLife systems.



Work with over 4,000 employees located in 88 offices scattered all over the globe.



Supervise an oversight team and 50 integration teams in seven project management offices.



Work with hostile, uncooperative Travelers employees for the six months it took to get regulatory approval and close the deal. The systems had to be integrated three months after the deal closed.



Identify integration deliverables (144 in total) and manage the process to deliver them.



Negotiate with Citicorp for hundreds of transition services that would not be immediately converted to MetLife’s systems.

24-17 .

Ch 24: Systems Design, Implementation, and Operation a. What tasks do you think MetLife would have to perform to successfully integrate the Traveler systems into MetLife’s?  Separate Travelers’ IS operations and assets from Citicorp’s so MetLife could begin the systems integration process.  Determine what systems had to be integrated before the deadline and which could be outsourced to Citicorp until they could be integrated into MetLife’s system.  Develop a critical path for the integration process so delays in critical path activities did not delay the whole process.  Train large numbers of employees in project planning activities and tools.  Identify and freeze systems requirements as soon as possible. The project management team should establish early deadlines for systems requirements and hold users to them.  Increase system capacity to handle all of the new data from the Travelers’ systems.  Develop/modify transaction-processing systems to handle all of Travelers’ transaction data.  Perform a security and privacy analysis of all of Travelers’ systems and determine needed upgrades to comply with MetLife’s security policies.  Change Travelers’ laptop and desktop infrastructure so that it matched that of MetLife.  Enlarge MetLife’s distribution system by integrating over 150 annuity and life insurance wholesalers and giving them appropriate access to MetLife’s systems.  Add all 4000 plus Travelers’ employees to MetLife’s Human Resources and Payroll systems and to their email system.  Move Travelers’ 6 life insurance and 2 annuity product lines to MetLife’s systems. Travelers’ investment portfolio had to be made accessible to MetLife managers before the deal closed. Both projects required MetLife and Travelers employees to analyze the differences between the ways data were stored in the two companies. They then had to map all data elements in each system so they could convert Travelers data to the MetLife data storage format. This was one of the most difficult acquisition tasks.  Integrate the two company’s data centers. This required some data centers to be combined and others to be expanded.  Determine system test capacities, build test environments, and lock down testing procedures and capabilities. Stress and user acceptance testing had to be performed at least 3 months prior to the integration date.  Travel to every country and every major Travelers office to train former Travelers employees on the MetLife systems. b.

Search the Internet for articles that describe the integration process. Write a two-page summary of the problems and successes that MetLife experienced while integrating the two systems. A number of articles describe MetLife’s experience. A particularly good article is “Nine Months to Merge” found in the February 20, 2006 issue of Information Week.

24-18 .

Accounting Information Systems 15e, GE 24.8 During final testing, just before launching a new payroll system, the project manager at Reutzel Legal Services found that the purchased payroll system was doing the following: 

Writing checks for negative amounts

 

Printing checks with names and employee numbers that did not match Making errors; for example, $8 per hour became $800 per hour if a decimal point was not entered

 Writing checks for amounts greater than a full year’s salary Fortunately, payroll was still installed on time, and only 1.5% of the checks had to be manually reissued every payday until the problem was solved. Other problems were that no one had made sure the new system was compatible with the existing payroll database, and there appeared to be no formal transition between the development of the project and the implementation of the project. The system was never run in parallel. Although the programming manager lost his job, the payroll problems helped raise awareness of the company’s growing dependence on IT. Lacking a major problem, there was a perception that the information system did not affect operations. a. What does “the system was never run in parallel” mean? Running in parallel refers to operating the old and new systems simultaneously for a period. A company processes all transactions with both systems, compares the output, reconciles the differences, and corrects problems. The old and new systems are run in parallel until the new system proves itself and the organization is certain that the new system is functioning properly. b.

If the company had run the system in parallel, what should have occurred? Parallel processing protects companies from errors, but it is costly and stressful because the same set of transactions and activities must be processed twice. This places a significant burden on the company, a burden many companies are not willing to undertake. However, because companies often experience problems during conversion, parallel processing has gained widespread popularity. If the company had operated the new and old systems in parallel, they should have been able to use the paychecks produced by the old system until all errors were detected and corrected.

What other testing methodologies could have been used by the firm? The company could have implemented a pilot conversion where one office or branch of the company could have implemented, tested, and corrected any errors before releasing the system to the rest of the organization. Alternatively, the company could have performed a phased conversion where a new system is implemented, tested, and modified one phase or module at a time.

What other types of problems are evident from reading the case? There does not appear to be proper management or leadership of the system development, implementation, or testing processes involved in this system. For example 

Final testing should have been attempted prior to just before launching the payroll system.



Management should have made sure the new system was compatible with the existing payroll database and the new system should have been tested using the existing database.



There should have been a formal transition between the development of the project and the implementation of the project.

24-19 .

Ch 24: Systems Design, Implementation, and Operation 24.9 A new program at Jones and Carter Corporation (JCC) was supposed to track customer calls. Unfortunately, the program took 20 minutes to load on a PC, and it crashed frequently. The project did not have a traditional reporting structure, and it appeared that no one was actually in charge. The lead project manager quit halfway through the project, the in-house programmers we re reassigned to other projects or let go, and two layers of management loosely supervised the systems analyst. Management hired consultants to fix the application, but after three months and $200,000, the project was discontinued. JCC did not check the references of the consulting firm it hired to create the new system. The consultants, who were located two states away, made many programming errors. Although the systems analyst caught some of the consultant’s mistakes, they grew increasingly distant and difficult to work with. They would not even furnish the source code to the project managers, most likely because they were afraid of revealing their incompetence. a.

Identify potential causes for the system implementation failure.

•

• 

Leadership and managerial oversight is clearly lacking at Jones and Carter Corp (JCC). When the project was managed internally, the following problems existed: o

There was no evident reporting structure to support and manage the project. It appeared that no one was actually in charge

The lead project manager quit halfway through the project

The in-house programmers who were familiar with the project were reassigned to other projects or let go.

Two layers of management loosely supervised the systems analyst.

Management falsely assumed that the problems could be solved by hiring a consultant. In truth, the problem with the project was internal and caused by poor management, supervision, and project management. When a consulting firm was hired, it does not appear that anyone checked out their competence, obtained referrals, or did any other due diligence with regard to the consulting firm.

What steps should JCC have taken to successfully design and implement the call tracking system? 

Start and end the process with a clearly designated manager over the project and with clearly defined lines of authority.



Institute a formal review process for hiring consultants.



Require change control documentation so managers can see what changes were made during development.



Assign a central manager for the project team who is the conduit for communication and decisions.

In summary, JCC should have followed the systems development processes explained in chapters 22-24.

24-20 .

Accounting Information Systems 15e, GE 24.10 This chapter describes several different systems conversion approaches. Select one of the approaches and conduct a search (using written materials, the Internet, electronic databases, etc.) for one or more companies that have successfully used the approach to convert from an older system to a newer system. Per your professor’s instructions, prepare an oral or written summary of the successful conversion. Include in your summary the nature of the system, the approach used to convert the system, and a description of how successful the conversion was, including what worked well and what did not.

Student answers will vary depending upon what they find.

24-21 .

Ch 24: Systems Design, Implementation, and Operation

SUGGESTED ANSWERS TO THE CASES 24.1 Citizen’s Gas Company (CGC) provides natural gas service to 200,000 customers . The customer base is divided into the following three revenue classes: Class Residential Commercial Industrial Totals

Customers Sales in Cubic Feet 160,000 80 billion 38,000 15 billion 2,000 50 billion 145 billion

Revenues $160 million $ 25 million $ 65 million $250 million

Residential customer gas usage is highly correlated with the weather. Commercial customer usage is partially weather dependent. Industrial customer usage is governed almost entirely by business factors. The company buys natural gas from 10 pipeline companies in the amounts specified in contracts that run for 5 to 15 years. For some contracts, the supply is in equal monthly increments; for other contracts, the supply varies according to the heating season. Supply over the contract amounts is not available, and some contracts contain take-or-pay clauses. That is, the company must pay for the gas volume specified in the contract, regardless of the amount used. To match customer demand with supply, gas is pumped into a storage field when supply exceeds customer demand. Gas is withdrawn when demand exceeds supply. There are no restrictions on the gas storage field except that the field must be full at the beginning of each gas year (September 1). Consequently, when the contractual supply for the remainder of the gas year is less than that required to satisfy projected demand and fill the storage field, CGC curtails service to industrial customers (except for heating quantities). The curtailments must be care fully controlled to prevent either an oversupply at year-end or a curtailing of commercial or residential customers so the storage field can be filled at year-end. In recent years, CGC’s planning efforts have not been able to control the supply during the gas year or provide the information needed to establish long-term contracts. Customer demand has been projected only as a function of the total number of customers. Commercial and industrial customers’ demand for gas has been curtailed. This has resulted in lost sales and caused an excess of supply at the end of the gas year. To correct the problems, CGC has hired a director of corporate planning. She is presented with a conceptual design for an information system that will help analyze gas supply and demand. The system will provide a monthly gas plan for the next five years, with particular emphasis on the first year. The plan will provide detailed reports that assist in the decisionmaking process. The system will use actual data during the ye ar to project demand for the year. The president has indicated that she will base her decisions on the effect alternative plans have on operating income. Adapted from the CMA Exam. 1. Discuss the criteria to consider in specifying the structure and features of CGC’s new system. 

Need for market information. The factors that affect the demand and supply for gas must be isolated, their re lative importance determined, and their effect quantified.



Need for accuracy. The level of accuracy required of the system determines the required level of detail, quality of the input data, and sophistication of the system logic. While the system must be designed to provide the accuracy that matches the need, care must be taken to ensure that excessive effort is not spent in being overly accurate in specific areas when the overall accuracy is inherently less due to the planning environment. 24-22 .

Accounting Information Systems 15e, GE 

Frequency of use. The frequency of system use provides direction as to the level of automation and sophistication needed. If the system will be used only once each month to project the effect of the most recent actual data, it may be sufficient to develop a less sophisticated system. If it is likely that a variety of alternatives will be evaluated each month, a sophisticated, on-line system will be more desirable.



Turnaround required. The need for timely reporting at month end provides guidance as to the degree of automation and the level of complexity that will be appropriate. Because the system is to be used for both multi-year planning and monthly tactical planning, the system should be designed to provide for quick turnaround of results at month end. Accordingly, consideration must be given to minimizing data input requirements.



Cost/benefit analysis. The new system must be justified on a cost/benefit basis.



Data processing environment. Typically, planning systems require a significant amount of computer resources, both in terms of processing time and data storage.



Supportability. Company personnel must be able to support the system on an ongoing basis. This includes collecting and entering data as well as updating the system. If the support burden is excessive, the system will suffer from lack of timely reporting or will be run using simplifying assumptions that affect the degree of accuracy and credibility of the system. If the system cannot be readily modified and maintained, it will quickly fall into a state of disrepair and will no longer be used.

2. Identify the data that should be incorporated into CGC’s new system to provide adequate planning capability. Explain why each data item it is important and the level of detail needed for the data to be useful. 

Number of customers. The customer count should be projected by month, unless customer growth is regular, in which case a base customer count can be used in conjunction with a growth factor. The customer count should be broken into categories based upon use which will facilitate estimating demand, [i.e., residential, commercial heating, commercial non-heating, industrial heating, industrial non-heating].



Weather data. The weather data needed to project heating requirements should be entered as needed. For the first year, meteorological trends may indicate an unusually warm or cold year. For the following years, average monthly weather data may be used. As the year progresses, more accurate short-term forecasts should be entered to improve the predictive ability of the panning system



Heating factors. Heating factors are data that convert weather data to customers' demand. They should be provided for each type of customer which uses heating, i.e., residential, commercial heating, and industrial heating. The heating factors need not vary by month unless it is determined that a seasonal relationship exists or that trends such as conservation are likely.



Customer unit demand. The average monthly consumption for each commercial and industrial non-heating customer must be provided, either as a constant or as varying over time, to reflect both seasonal fluctuations and longer term trends. This data would also be used to project the non-heating portion of commercial and industrial customer demand.



Sales forecasts. The sales to the top industrial accounts should be forecast individually by month for the first year of the five-year plan; future years may make use of annual growth rates. Heating and non-heating sales for all other customers will be projected by 24-23 .

Ch 24: Systems Design, Implementation, and Operation revenue class. 

Customer rate structure. The customer rate structure should provide monthly rate information at the revenue class level, i.e., residential, commercial, and industrial. Data must be monthly to provide for periodic rate changes by revenue class.



Supplier contract terms. For each supply contract, the contract term (beginning and end dates), monthly volumes, unit costs, and take-or-pay conditions must be maintained.



Storage field capacity. The capacity of the gas storage field is required in order to determine if gas remains in storage that can be withdrawn to supplement pipeline supply.



Priority system. A priority system needs to be established in case the company needs to curtail service to its customers due to an inadequate supply of gas.

The first six factors are necessary in order to determine the demand for gas. The next two items are necessary to determine supply. The last item is necessary to give direction whenever the supply is not adequate to meet demand. Data must be considered on a monthly basis because of the implied monthly variations of demand and supply.

24-24 .

Instructor’s Resource Manual

Accounting Information Systems 15th Edition, Global Edition

Marshall B. Romney Paul John Steinbart Scott L. Summers David A. Wood

CHAPTER 1 ACCOUNTING INFORMATION SYSTEMS: AN OVERVIEW Instructor’s Manual Learning Objectives: 1. Distinguish between data and information, discuss the characteristics of useful information, and explain how to determine the value of information. 2. Explain the decisions an organization makes and the information needed to make them, and the major business processes present in most companies. 3. Explain how an AIS adds value to an organization, how it affects and is affected by corporate strategy, and its role in a value chain.

Learning Objective One Distinguish data from information, discuss the characteristics of useful information, and explain how to determine the value of information.

Systems, Data, and Information Systems A system is a set of detailed methods, procedures, and routines that carry out specific activities, perform a duty, achieve goals or objectives, or solve problems. Systems are almost always composed of smaller subsystems Each subsystem is designed to achieve one or more organizational goals. For example, the college of business is a system composed of various subsystems known as departments (e.g., Marketing, Management, Accounting, etc.). Each subsystem is designed to achieve one or more organizational goals, changes in subsystems cannot be made without considering the effect on other subsystems and the system as a whole. Goal conflict occurs when a subsystem’s goals are inconsistent with the goals of another subsystem or the system as a whole.

1-1 .

Goal congruence is achieved when a subsystem achieves its goals while contributing to the organization’s overall goal.

Data Data are facts that are collected, recorded, stored, and processed by an information system. Several kinds of data need to be collected in businesses, such as: 1. Facts about the activities that take place (e.g., date, total amount). 2. The resources affected by the activities (e.g., number of units). 3. The people who participate in the activity (e.g., S&S).

Information Information is data that have been organized and processed to provide meaning and context that can improve the decision-making process. If using the example of data provided above—date, number of units, and S&S—would you be able to determine if this is a sales transaction, purchase transaction, or any other type of transaction? No, because it is not organized and contextual, meaning it is not determinable. You would need to know that the context of the transaction is a sales transaction and S&S is a customer (as opposed to a vendor). Number of units are number of units sold. Data is most useful when it is machine-readable and standardized such that it can be processed by a computer with little human intervention. For example, digital transaction information such as “IR144, $12.95, Infrared reader, 3, $38.85” might be presented digitally, but the meaning of that data is not clear. This might be a purchase transaction or a sales transaction. IR144 might represent a transaction ID, employee ID, vendor ID, or customer ID. Taxonomies have been created to embed meaning in digital data. XBRL is a taxonomy that structures business information for communication between business systems. Using the XBRL taxonomy is quite complex and embeds a lot of information about the characteristics and constraints of each data field. An XBRL presentation of Cash of 11,000 from a balance sheet for 2022 may be represented in XBRL as <iascf-pfs:CashCashEquivalents numericContext="Group2022AsOf">11000</iascfpfs:CashCashEquivalents>

Note the tag name of CashCashEquivalents. Tag names have to be created in XBRL for all financial statement elements. Also, note the attribute numericContext that has a value of Group2020AsOf. This provides additional context to the value of 11,000. The XBRL taxonomy does not have elements for tagging individual transactions. 1-2 .

Thus XBRL cannot effectively ‘tag’ the transaction noted above. The UBL taxonomy, an open source taxonomy for tagging business transactions has a schema for invoices. http://docs.oasisopen.org/ubl/os-UBL-2.2/UBL-2.2.html Below is an example of how the data above might be tagged in that taxonomy. <cac:InvoiceLine> <cbc:ID>1</cbc:ID> <cbc:InvoicedQuantity>3</cbc:InvoicedQuantity> <cbc:LineExtensionAmount currencyID="USD">38.85</cbc:LineExtensionAm ount> <cac:Item> <cbc:Name>Infrared reader</cbc:Name> <cac:SellersItemIdentification> <cbc:ID>IR144</cbc:ID> </cac:SellersItemIdentification> </cac:Item> <cac:Price> <cbc:PriceAmount currencyID="USD">12.95</cbc:PriceAmount> </cac:Price> </cac:InvoiceLine> Tagging data with agreed upon taxonomies allows data elements and their context to be transmitted between systems. It also improves reliability, relevance, accessibility, understandability, and timeliness. There are limits to the amount of information the human mind can effectively absorb and process. Information overload occurs when those limits are passed. When you get more information than you can effectively assimilate, you suffer from information overload. •

Example: Final exams week!

When you have reached the overload point, the quality of decisions declines while the costs of producing the information increases. Information Technology (IT) are computers and other electronic devices used to store, retrieve, transmit, and manipulate data to help decision makers more effectively filter and condense information. The value of information is the benefit produced by the information minus the cost of producing it. Benefits include reduced uncertainty, improved decisions, and improved ability to plan and schedule activities. Costs include the time and resources spent to produce and distribute information. A good example of the value of information is provided on page 31 for the 7-Eleven stores in Japan. Each store uses information for: 1. Keeping track of the 3,000 items sold in each store and 1-3 .

determining what products are moving, at what time of the day, and under what weather conditions. 2. Keeping track of customers (what and when they buy). If their best customers are single men, for example, the store makes sure it has the fresh rice dishes they purchase on their lunch hour and at the end of the workday. 3. Ordering sandwiches and rice dishes from suppliers automatically. Orders are placed and filled three times a day so stores can always have fresh food. 7-Eleven allows its suppliers to access sales data in their computers so they can forecast demand. 4. Coordinating deliveries with suppliers. This allows the stores to reduce the number of deliveries from 34 to 12 a day, resulting in less clerical receiving time. 5. Preparing a color graphic display that indicates which store areas contribute the most to sales and profits. Table 1-1 on page 30 provides the fourteen characteristics that make information useful and meaningful for decision making. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14.

Access Restricted Accurate Available Reputable Complete Concise Consistent Current Objective Relevant Timely Useable Understandable Verifiable

Multiple Choice 1 Data differ from information in which way? a. Data are facts about a sale b. Information is data organized to provide meaning c. Data are meaningful bits of information d. There is no difference Multiple Choice 2 Which of the following is not a characteristic that makes information useful? a. It is reputable b. It is timely c. It is inexpensive 1-4 .

d. It is relevant

Learning Objective Two Explain the decisions an organization makes and the information needed to make them , and the major business processes present in most companies. .

Key Decisions and Information Needs Using the S&S case, we can determine what information will be needed to make better decisions. An information system is comprised of the people and technology that produce information. Information in an organization is organized through a set of related, coordinated, and structured activities and tasks, performed by a person, a computer, or a machine that help accomplish a specific organizational goal known as a business process. The case will help students to understand that before collecting data and processing it into information, the decisions that management and other external users will be making need to be known first. Only after this is known can we begin designing and using the AIS to capture, collect, and process the correct data as needed by decision makers. These information needs and key decisions are provided in Table 1-2 on page 32. Multiple Choice 3 What information needs are generally associated with the acquire inventory business process? a. Market Analysis b. Vendor Performance c. Inventory status reports d. All of the above

Learning Objective Three Explain how an AIS adds value to an organization, how it affects and is affected by corporate strategy, and its role in a value chain.

Business Processes

1-5 .

Taking the list of specific business processes from S&S it is easier to group them into related transactions. A transaction is an agreement between two entities to exchange goods or services or any other event that can be measured in economic terms by an organization. Transaction processing is the process of capturing transaction data, processing it, storing it for later use, and producing information output such as a financial statement. The activities between two entities are pairs of events involved in give-get exchange (e.g., give inventory to a customer, get cash from the customer). These frequent give-get exchanges that occur in companies are grouped around business processes or transaction cycles and are: 1. The Revenue Cycle (AKA customer to cash (C2C)—Activities associated with selling goods and services in exchange for cash or future promise to receive cash (Accounts Receivable). 2. The Expenditure Cycle—(AKA purchase to pay (P2P))Purchase of inventory for resale or raw materials for use in production in exchange for cash or a promise to pay cash in the future (Accounts Payable). 3. The Production or Conversion Cycle—Raw materials are converted into finished goods. 4. The Human Resource/Payroll Cycle—Employees are hired, trained, compensated, evaluated, promoted, and terminated. 5. The Financing Cycle—Companies acquire capital by selling shares or borrowing money and where investors are paid dividends or interest. For each of these processes there is a basic give-get relationship. Figure 1-2 on page 33 provides a description of the basic give-get exchanges. 1. Revenue Cycle—Give goods, get cash or A/R. 2. Expenditure Cycle—Give cash or A/P, get goods or raw materials. 3. Production Cycle—Give labor and raw materials, get finished goods. 4. Human Resource—Give cash, get labor. 5. Financing Cycle—Give cash, get cash. Figure 1-3 on page 34 shows the relationship between these cycles and the general ledger and reporting system function which is used to generate information for both management and external parties. Multiple Choice 4 Which transaction cycle includes interactions between an organization and its suppliers? a. Revenue cycle b. Expenditure cycle c. Human resources/payroll cycle 1-6 .

d. General ledger and reporting system Multiple Choice 5 In which cycle does a company ship goods to customers? a. Production cycle b. Financing cycle c. Revenue cycle d. Expenditure cycle

Accounting Information Systems An accounting information system (AIS) is a system that collects, records, stores, and processes data to produce information for decision makers. This is illustrated in Figure 1-4 on page 37. An AIS can be a pencil and paper manual system or one that involves the latest technology. Six components of an AIS 1. The people who operate the system and perform various functions. 2. The procedures and instructions, both manual and automated, involved in collecting, processing, and storing data about the organization’s activities. 3. The data about the organization and its business processes. 4. The software used to process the organization’s data. 5. The information technology infrastructure, including computers, peripheral devices, and network communications devices used to collect, store, process, and transmit data and information. 6. The internal controls and security measures that safeguard the data in the AIS. These six components enable an AIS to fulfill three important business functions: 1. Collect and store data about organizational activities, resources, and personnel. 2. Transform data into information that is useful for making decisions so management can plan, execute, control, and evaluate activities, resources, and personnel. 3. Provide adequate controls to safeguard the organization’s assets, including its data, to ensure that the assets and data 1-7 .

are available when needed and the data are accurate and reliable. Multiple Choice 6 Which of the following is a function of an AIS? a. Reducing the need to identify a strategy and strategic position. b. Transforming data into useful information. c. Allocating organizational resources. d. Automating all decision making.

How an AIS Can Add Value to an Organization 1. Improve the quality and reduce the costs of products or services. 2. Improve efficiency. A well-designed AIS can make operations more efficient by providing more timely information. 3. Share knowledge. A well-designed AIS can make it easier to share knowledge and expertise, perhaps thereby improving operations and even providing a competitive advantage. 4. Improve the efficiency and effectiveness of its supply chain. 5. Improve the internal control structure. 6. Improve decision making.

Multiple Choice 7 An AIS provides value by: a. improving products or services through information that increases quality and reduces costs b. providing timely and reliable information to decision makers c. creating new products d. both A and B

An AIS Can Use Artificial Intelligence and Data Analytics to Improve Decision Making Artificial Intelligence uses computer systems to simulate human intelligence processes such as learning, reasoning, and self-improvement. Within accounting AI may be used to automate parts of the financial reporting process, the audit, and many operational decisions. Data Analytics is the use of software and algorithms to discover, describe, interpret, communicate, and apply meaningful patterns to improve business performance. Data analytics have long been used to analyze past

1-8 .

performance. Increasingly data analytics are designed to focus on the future. A data dashboard is an essential part of most analytic tools. It displays important data points, key metrics, and key performance indicators in the form of graphs, tables, and gauges.

The AIS and Blockchain Blockchain is appropriately named as it chains blocks of data together through the use of cryptography algorithms that create hashes. The hash of a prior block is included in the latest block, creating the chain. At a high level a blockchain repeatedly executes the following 5 steps: 1. Initiate transaction 2. Validate transaction 3. Create a block 4. Calculate and insert a hash 5. Complete transaction A detailed discussion of the processes of using and maintaining a blockchain are covered in Chapter 11. Blockchain advantages include: 1. Accuracy 2. Transparency 3. Data consistency 4. Trust 5. No need for third parties 6. Single set of books 7. Cost 8. Decentralization 9. Efficiency 10. Privacy 11. Security 12. Provenance Blockchain disadvantages include: 1. Cost 2. Loss of privacy and confidentiality 3. Susceptibility

Cloud Computing, Virtualization, and the Internet of Things Cloud computing takes advantage of the modern global network to allow individuals to access software (software as a service), hardware (infrastructure as a service), and application environments (platform as a service) remotely. Variations include: public, private, or hybrid clouds, depending on whether the remote resources are owned by the user. Virtualization is the installation of multiple computing environments in a single physical computer. A corporation might virtualize their database server, email server, and file server (three separate computing environments – each with their own operating system) on a single physical computer. This cuts hardware costs and reduces maintenance costs.

1-9 .

The Internet of Things (IOT) refers to the embedding of sensors in a multitude of devices that are capable of communicating (sharing data) with the internet. IOT allows for monitoring and control of many common devices such as heating, appliances, and lights from any internet connection in the world. There are significant security implications to the IOT.

The AIS and Corporate Strategy Figure 1-5 on page 45 shows three factors that influence the design of an AIS: IT developments, business strategy, and organizational culture. For example, the growth of the internet has affected the way many value chain activities are performed. The internet makes a company’s products available almost anywhere. An organization’s AIS play an important role in helping it adopt and maintain a strategic position. The information system can collect financial and nonfinancial data about the organization’s activities.

The Role of the AIS in the Value Chain The role of an AIS in the value chain is detailed in Figure 1-6 on page 45 showing the linking together of all the primary and support activities in a business. The objective of most organizations is to provide value to their customers. Five primary activities that directly provide value to its customers: 1. Inbound logistics consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells. 2. Operations activities transform inputs into final products or services. 3. Outbound logistics activities distribute finished products or services to customers. 4. Marketing and sales activities help customers buy the organization’s products or services. 5. Service activities provide post-sale support to customers. Four Categories of Support Activities

1-10 .

1. Firm infrastructure is the accounting, finance, legal, and general administration activities that allow an organization to function. 2. Human resources activities include recruiting, hiring, training, and providing employee benefits and compensation. 3. Technology activities improve a product or service. 4. Purchasing activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities. Supply Chain [Figure 1-7 on Page 46] shows an extended system that includes an organization’s value chain (manufacturer) as well as suppliers, distributers, retailers, and customers. 1. Raw Materials Supplier 2. Manufacturer 3. Distributor 4. Retailer 5. Consumer Multiple Choice 8 The value chain concept is composed of the following two types of activities: a. Primary and secondary b. Primary and support c. Support and value d. Technology and support Multiple Choice 9 Which of the following is a primary activity in the value chain? a. Purchasing b. Accounting c. Post-sales service d. Human resource management

Multiple Choice 10 Which of the following is a support activity in the value chain? a. Purchasing b. Manufacturing c. Post-sales service d. Receiving materials

1-11 .

Answers to Multiple Choice Questions: Multiple Choice Number 1 2 3 4 5

Multiple Choice Answer B C D B C

Multiple Choice Number 6 7 8 9 10

Multiple Choice Answer B D B C A

References Used: 1. Michael E. Porter and Victor E. Millar, How Information Gives You Competitive Advantage. Harvard Business Review, (July–August 1985), pp. 175–186. 2. Michael E. Porter, What Is Strategy? Harvard Business Review, November-December 1996), pp. 87-104.

1-12 .

CHAPTER 2 OVERVIEW OF TRANSACTION PROCESSING AND ENTERPRISE RESOURCE PLANNING SYSTEMS Instructor’s Manual Learning Objectives: 1. Describe the data processing cycle used to process transactions, including how data is input, stored, and processed and how information is output. 2. Discuss how organizations use enterprise resource planning (ERP) systems to process transactions and provide information. Questions to be addressed in this chapter include: 1. How should I organize the accounting records so that financial statements can be easily produced? 2. How am I going to collect and process data about all of S&S’s transactions? 3. How do I organize all the data that will be collected? 4. How should I design the AIS so that the information provided is reliable and accurate? 5. How can I design procedures to ensure that they meet all government obligations, such as remitting sales, income, and payroll taxes?

Learning Objective One Describe the data processing cycle used to process transactions, including how data is input, stored, and processed and how information is output.

Transaction Processing: The Data Processing Cycle Four Major Steps in the Data Processing Cycle

2-1 .

1) Data Input 2) Data Storage 3) Data Processing 4) Information Output The first step in processing transactions is to capture the data for each transaction that takes place and enter them into the system. Data Input Data must be collected about three facets of each business activity: 1. Each activity of interest 2. The resource(s) affected by each activity 3. The people who participate in each activity For example, collect the following data about a sales transaction: 1. Date and time of day the sale occurred 2. Employee who made the sale and the checkout clerk who processed the sale 3. Checkout register where the sale was processed 4. Item(s) sold 5. Quantity of each item sold 6. List price and actual price of each item sold 7. Total amount of the sale 8. For credit sales: delivery instructions, customer bill-to and ship-to addresses, customer name For the above example, the activity of interest is the sales activity. A sales activity involves resources of inventory and cash (the company gives inventory and in exchange receives cash). The people who participated in this activity are the salesperson and the customer. Source documents are used to capture data at the beginning of the transaction. Table 2-1 (p. 59) provides details as to various business activities and related source documents. Many times this data is automatically captured such as point-ofsale (POS) scanners or even automated invoice scanning that uses scanners that will automatically capture common items from a vendor invoice and processes it to accounts payable. These types of examples are known as source data automation.

2-2 .

Source documents are documents used to collect data about their business activities. Source documents are also used to support the validity of the business activities. XBRL is a good example of a format that supports source data automation between financial reporting systems. UBL is an example of a format that supports source data automation between transaction processing systems. If paper documents are exchanged with customers or suppliers, data input accuracy and efficiency is improved by using turnaround documents, which are records of company data sent to an external party and then returned to the system as input (e.g., remittance slip). Data Storage A company’s data are one of its most important resources. Accountants need to know how to manage data for maximum corporate use. Ledgers General ledger contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization. Subsidiary ledger records all the detailed data for any general ledger account that has many individual subaccounts. These subsidiary ledgers would be used for accounts receivable and accounts payable. Accounts receivable subsidiary ledger would record detailed data for customers whom buy products or services on credit. The accounts receivable subsidiary ledger would support the accounts receivable general ledger controlling account. Accounts payable subsidiary ledger would record detailed data for the individual vendor credit purchases of merchandise or supplies made by the company. The accounts payable subsidiary ledger would support the accounts payable general ledger controlling account. Coding Techniques Coding is the systematic assignment of numbers or letters to items to classify and organize them.

2-3 .

1. With sequence codes, items are numbered consecutively to ensure that there will be no gaps in the sequence. 2. With a block code, blocks of numbers within a numerical sequence are reserved for categories having meaning to the user. S&S had the specific range of code numbers for their following major product categories: Product Code 1000000-1999999 2000000-2999999 3000000-3999999 4000000-4999999

Product Type Electric range Refrigerator Washer Dryer

3. Group codes are often used in conjunction with the block code. S&S uses a seven-digit product code number, for example, the group coding technique might be applied as follows: Digit Position 1-2 3 4-5 6-7

Meaning Product line, size, style Color Year of manufacture Operational features

4. Mnemonic codes are letters and numbers used in a combination to identify an item. The code is derived from the description of the item and is usually easy to memorize. For example, Dry300W05 could represent a low end (300), white (W) dryer (Dry) made by Sears (05). In designing a coding system, the following guidelines will result in a better coding system: 1. The code should be consistent with its intended use, which requires the code designer to determine the types of system outputs desired by users prior to selecting the code. 2. Make sure the code allows for growth in the number of items to be coded. 3. Make the coding system as simple as possible in order to minimize costs, facilitate memorization and interpretation of coding categories, and ensure employee acceptance. Make sure the coding system is consistent (1) with the company’s organizational structure and (2) across the different divisions of an organization. Chart of Accounts

2-4 .

A chart of accounts is a list of all general ledger accounts an organization uses with each general ledger account being assigned a specific number. Audit Trail: The accounting data and records should provide a trail starting with the source document that supports the transaction (e.g., let’s use credit sales) all the way through to the final posting in the general ledger accounts to the financial statements. An audit trail provides a means to check the accuracy and validity of ledger postings. In auditing, this technique would be called tracing. In the opposite direction; from the general ledger to the journals and subsidiary ledgers to the source document; this is called vouching for auditors. This is covered in more detail in Auditing Theory and Practice courses. Computer-Based Storage Concepts An entity is something about which information is stored (e.g., employees, inventory items, and customers). Each entity has attributes, or characteristics of interest, which need to be stored. For example, an employee’s hourly rate of pay, unit cost of an inventory item, and a customer’s address. Figure 2-3 on page 64 provides examples of data storage elements: 1. Data values are stored in a physical space called a field. In the figure the fields are Customer number, Customer name, Address, Credit limit, and Balance. 2. A row of fields that contain data about various attributes (values) of the same entity forms a record. In the figure the records are represented by each of the three rows; so there are three records. 3. The contents of each field within a record are called a data value. Sometimes, not mentioned in this book, the contents of each field are called a specific data element which contains the value of the data. 4. In turn, data elements/data value is composed of characters such as letters, numbers, and symbols. 5. Related records are grouped to form a file. 6. Two basic types of files exist: 

A master file is conceptually similar to a ledger in a manual AIS.



The second basic type of file is called a transaction file, which is conceptually similar to a journal in manual AIS.

Data Processing 2-5 .

Once data about a business activity have been collected and entered into the system they must be processed. Data processing implies the execution of certain procedures, usually involving a series of tasks. There are four different types of file processing, referred to as CRUD: 1. Creating new data records, such as adding a new employee to the payroll master file or database after they have been hired. 2. Reading, retrieving, or viewing existing data. 3. Updating data previously stored about the activity, the resources affected by the activity, or the people who performed the activity (see Figure 2-4, page 65). 4. Deleting data, such as purging the vendor master file of all vendors that the company no longer does business with. Periodic updating of data is referred to as batch processing. This approach may be combined with either the offline or online entry of data. Under the real-time processing method of processing, individual transactions are entered directly into the computer via a terminal as they occur; thus, ensuring that stored information is always current. Information Output This is the final step in the data processing cycle. Forms of Information Output Documents are records of transaction or other company data, such as checks and invoices. Documents generated at the end of transaction processing activities are called operational documents to distinguish them from source documents, which are used at the beginning of the process. Reports are prepared for both internal and external users. We are all familiar with the external reports called financial statements. Information needs cannot always be satisfied strictly by documents or periodic reports. Instead, problems and questions constantly arise that need rapid action or answers. To respond to this problem, personal computers or terminals are used to query the system. For example, it is much easier for a customer service 2-6 .

employee to help solve a customer billing problem by looking up the information instead of looking through several different reports.

Purpose of Output There are four main types of financial reports that were covered in Principles of Accounting I & II courses, the balance sheet, income statement, statement of owner’s equity, or statement of stockholder’s equity, and the statement of cash flows. Sometimes a statement of retained earnings is used instead of the statement of stockholder’s equity. These financial statements are used by both external and internal users. Budgets are used by the management of the firm. Budgets require estimating future revenue/sales, cost, and expenses. This is the operational budget. There are also cash budgets and capital expenditure budgets. Blockchain is more than a distributed ledger that you learned about in Chapter 1. Transactions can be processed through blockchain in the form of smart contracts. Smart contracts are regular contracts with terms and agreements. They are stored in the blockchain in such a way that when the terms are met, they can autoexecute to fulfill the contract. The terms can be met by actions happening within the blockchain. The terms (and autoexecution) can also be tied to external events such as receiving inventory or fulfilling service terms. Multiple Choice 1 Which of the following is not a step in the data processing cycle? a. Data collection b. Data input c. Data storage d. Data processing Multiple Choice 2 Recording and processing information about a transaction at the time it occurs is referred to as which of the following? a. Batch processing b. Real-time processing c. Captured transaction processing d. Chart of accounts processing Multiple Choice 3 How does the chart of accounts list general ledger accounts? a. Alphabetical order b. Chronological order c. Size order d. The order in which they appear in financial statements

2-7 .

Multiple Choice 4 Which one below is not a type of data processing activity? a. Creating b. Updating c. Recording d. Reading Multiple Choice 5 Which of the items below are not an attribute of a smart contract? a. Has terms b. Can auto-execute c. Built into blockchain d. Must use cryptocurrency For class discussion: Why is it important for an accountant to understand their business and industry as well as management’s informational needs in addition to knowing how to generate financial statements? (You may use S&S as the context while asking this question.) This discussion question is useful to get students to understand that accounting information is not just about knowing debits and credits. The role of an accountant is an important role in understanding the business information, how to incorporate controls for that information, and how to help management measure performance by providing insight, foresight, and oversight to the business. Hence, an accountant can be an active member of the business management team.

Learning Objective Two Discuss how organizations use enterprise resource planning (ERP) systems to process transactions and provide information.

ERP systems are designed to overcome problems as they integrate all aspects of a company’s operations with its traditional AIS. A key feature of ERP systems is the integration of financial with other nonfinancial operating data. More sophisticated ERP systems are using tools to integrate external information with their internal information to be more proactive in managing the business.

Multiple Choice 6 Which of the following is not an advantage of an ERP system? a. Better access control 2-8 .

b. Standardization of procedures and reports c. Improved monitoring capabilities d. Simplicity and reduced costs

Class Discussion Question: Think about the various forms of social media (e.g., Twitter, Facebook). Would this nonfinancial information external to the company be of use? What other nonfinancial information would be useful? Could you think of financial information that is external to the organization that might be useful to management as well? This discussion question is to get the students thinking in a “data analytic mindset” because organizations need to compete in a global market which requires synthesizing information that is both internal and external to the organization. For example, Walmart uses sales information as well as weather forecasts to predict which items stores should be stocked up on during a hurricane (NYtimes.com, 2004). This allows the company to use past information from within the organization and synthesize it with external information to be more proactive. In addition, IBM purchased weather.com specifically so weather data analytics can be used by organizations to better predict their inventory needs (Thurai, November 9, 2015). Sources: https://www.nytimes.com/2004/11/14/business/yourmoney/whatwalmart-knows-about-customers-habits.html https://www.ibmbigdatahub.com/blog/author/andy-thurai

Answers to Multiple Choice Questions: Multiple Choice Number 1 2 3 4 5 6

Multiple Choice Answer A B D C D D

2-9 .

CHAPTER 3 SYSTEMS DOCUMENTATION TECHNIQUES Instructor’s Manual Learning Objectives: 1. Prepare and use business process diagrams (BPDs) to understand, evaluate, and document information systems. 2. Prepare and use flowcharts to understand, evaluate, and document information systems. 3. Prepare and use data flow diagrams to understand, evaluate, and document information systems.

Questions to be addressed in this chapter include: 1. What is the purpose of documentation? 2. Why do accountants need to understand documentation? 3. What documentation techniques are used in accounting systems? 4. What are BPDs, flowcharts, and data flow diagrams? •

How are they alike and different?

•

How are they prepared?

Introduction Techniques Used to Document a System Narratives, flowcharts, diagrams, and other written materials that explain how a system works. Documentation tools are important on one or more of the following levels: 1. At a minimum, you must be able to read documentation to determine how the system works. 2. You may be required to evaluate internal control systems documentation to identify control strengths and weaknesses and recommend improvements. Alternatively, you may have to evaluate the documentation for a proposed system to determine if the system meets the company’s needs. 3. The greatest amount of skill is needed to prepare documentation. If you are a member of a team that is developing a new system, then you must prepare documentation to show how both the existing and the 3-1 .

proposed systems operate. This chapter discusses the following three documentation tools: 1. BPD is a graphical description of the business processes used by a company. 2. Flowcharts a. Document flowchart is a graphical description of the flow of documents and information between departments or areas of responsibility within an organization. i. Internal Control flowchart is used to describe, analyze, and evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies. b. System flowchart is a graphical description of the relationship among the input, processing, and output in an information system. c. Program flowchart is a graphical description of the sequence of logical operations that a computer performs as it executes a program.

3. Data flow diagram is a graphical description of data sources, data flows, transformation processes, data storage, and data destinations.

Accountants need to understand systems documentation for many reasons. For example, auditing standards require independent auditors to understand the automated and manual internal control procedures an entity uses. In addition, Sarbanes-Oxley Act (SOX) of 2002 requires an internal control report in public company annual reports. To be able to document and attest to internal controls requires the use and knowledge of systems documentation tools.

Learning Objective One Prepare and use business process diagrams to understand, evaluate, and document information systems.

Business Process Diagrams A BPD is a visual representation of the different steps or activities in a business process. Figure 3-1 on page 87 shows the basic symbols used for drawing BPDs as well as the Payroll at S&S. The Business 3-2 .

Process Modeling Initiative Notation Working Group established standards for drawing BPD’s. Guidelines are in Focus 3-1 on page 87: 1. Identify and understand the business processes. 2. Ignore certain items (e.g., documents as they flow through the system of where they are stored). 3. Decide how much detail to include. 4. Organize diagram. 5. Enter each business process on the diagram. 6. Draw a rough sketch of the BPD. 7. Draw a final copy of the BPD. Multiple Choice 1 A BPD is a visual way of: a. Describing the systems program b. Describing the activities in a process c. Describing the internal controls of a process d. Describing the documents in a process

Learning Objective Two Prepare and use flowcharts to understand, evaluate, and document information systems.

Flowcharts A flowchart is a pictorial, analytical technique used to describe some aspect of an information system in a clear, concise, and logical manner. Flowcharts use a standard set of symbols to describe pictorially the transaction processing procedures a company uses and the flow of data through a system. The Sarbanes-Oxley Act requires companies to document their business processes and internal controls. 1. Input/output symbols. Input/output symbols represent devices or media that provide input to or record output from processing operations. 2. Processing symbols. Processing symbols either show what type of device is used to process data or indicate when processing is performed manually. 3. Storage symbols. Storage symbols represent the device used to store data that the system is not currently using. 4. Flow and miscellaneous symbols. Flow and miscellaneous symbols indicate the flow of data and goods. They also represent such operations as where flowcharts begin or end, where decisions are made, and when to add explanatory notes to flowcharts. 3-3 .

Figure 3-3 on pages 90-91 contains common flowcharting symbols. Focus 3-2 on page 91 provides the following guidelines for preparing flowcharts: 1 2 3

Understand a system before flowcharting it. Identify the entities to be flowcharted. Organize flowchart. Design so that data flows from top to bottom and from left to right. Show where documents or processes originate, where data is processed, and where data is stored and sent. Show the final disposition of all documents to prevent loose ends that leave the reader dangling. Show data entered into or retrieved from a database as passing through a processing operation (i.e., computer program) first. In document flowcharts, divide the flowchart into columns with labels. Clearly label all symbols. Write a description of the input, process, or output inside the symbol. Use arrowheads on all flow lines.

Page Connectors. If flowchart cannot fit on one page use offpage connectors.

Draw a rough sketch of the flowchart. Be more concerned with capturing content than with making a perfect drawing. Review it with people familiar with the system. Make sure all uses of flowcharting conventions are consistent.

Draw the final flowchart. Place the flowchart name, date, and preparer’s name on each page.

Document Flowcharts A document flowchart illustrates the flow of documents and information among areas of responsibility within an organization. Document flowcharts that describe and evaluate internal controls are often referred to as internal control flowcharts. The document flowchart for the S&S payroll process, as described in Table 3-1 on page 88 and 89, is now shown in Figure 3-4 on pages 92 and 93. Note that there are four areas of responsibility: payroll, accounts payable, management, and general ledger. Note that the solid lines represent the document or processing flow whereas the dashed lines represent the data or information flow.

System Flowcharts System flowcharts depict the relationship among the input, processing, and output of an accounting information system. 3-4 .

Program Flowcharts A program flowchart illustrates the sequence of logical operations performed by a computer in executing a program. Some of the computer programs are COBOL (Common Business Language), FORTRAN, and RPG from the old days. COBOL is still being used in many large organizations. Now, there is C++ and Java. Multiple Choice 2 Which of the following statements is FALSE? a. A flowchart is an analytical technique used to describe some aspect of an information system in a clear, concise, and logical manner. b. Flowcharts use a standard set of symbols to describe pictorially the flow of documents and data through a system. c. Flowcharts are easy to prepare and revise when the designer utilizes a flowcharting software package. d. A system flowchart is a narrative representation to identify system weaknesses. e. A program flowchart shows the logic used in computer programs.

Learning Objective Three Prepare and use data flow diagrams to understand, evaluate, and document information systems.

Data Flow Diagrams A data flow diagram (DFD) graphically describes the flow of data within an organization. Elements in a Data Flow Diagram (Figure 3-1, p. 87 of the book) Four Basic Elements: 1.

Data sources and destinations

Data flows

Transformation processes

3-5 .

Data stores

Internal Control

Data flow diagram symbols shown in Figure 3-7 on page 95: Data sources and destinations

Data flows Transformation processes Data stores Internal Control Figure 3-8 on page 96 shows the basic data flow diagram elements between data source, process, and data destination. Data Sources and Destinations Data sources and data destinations are represented by squares, as illustrated by items A (customer), J (bank), and K (credit manager) in Figure 3-9 on page 97. A data flow represents the flow of data among processes, data stores, and data sources and destinations. Processes represent the transformation of data. Figure 3-9 shows that process payment (c) takes the customer payment and splits it in to the remittance data and the deposit (which includes the checks and deposit slip created within process payment). A data store is a temporary or permanent repository of data. Subdividing the Data Flow Diagram The highest-level data flow diagram is referred to as a context diagram. A context diagram provides the reader with a summarylevel view of the system. Figure 3-11 (p. 98) provides an example of the data flows at this summary level. Focus 3-3 on Page 99 Guidelines for Drawing a Data Flow Diagram 1.

Understand the system.

Ignore certain aspects of the system.

Determine system boundaries.

Develop a context diagram.

Identify data flows. 3-6 .

Group data flows.

Identify transformation processes.

Group transformation processes.

Identify all files or data stores.

10.

Identify all data sources and destinations.

11.

Name all data flow diagram elements.

12.

Subdivide the data flow diagram.

13.

Give each process a sequential number.

14.

Repeat the process.

15.

Prepare a final copy.

Multiple Choice 1 A DFD is a representation of which of the following? a. Relationship among modules, data, and programs of an AIS b. Flow of data in an organization c. Decision rules in a computer program d. Computer hardware configuration

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer 1 B 2 D 3 B

3-7 .

CHAPTER 4 RELATIONAL DATABASES Instructor’s Manual Learning Objectives: 1. Explain the importance and advantages of databases, as well as the difference between database and file-based legacy systems. 2. Explain database systems, including logical and physical views, schemas, the data dictionary, and DBMS languages. 3. Describe what a relational database is and how it organizes data, and how to create a set of well-structured relational database tables. 4. Query a relational database using visual methods as well as using structured query language. Questions to be addressed in this chapter: 1. What is a database system, and how is this different from fileoriented systems? 2. What is a relational database? 3. How do you design a well-structured set of tables in a relational database? 4. How do you query a relational database system?

Introduction The emphasis in this chapter will be on understanding the structure of a relational database system. Databases and Files Figure 4-1 on page 120 provides a comparison of file-oriented versus database systems. A key concept to remember is that fileoriented data stays in the originating department whereas the database approach is an organizational resource used by the entire organization. Most firms developing new systems and applications for use in today’s business environment choose the database approach to data management. Data independence, a critical feature of the database approach, is the separation of data from the program applications that access and process the data. Data independence is achieved by interposing the database management system (DBMS) software between the database and the users of the data (e.g., the application programs). 4-1 .

A DBMS acts as an interface between the database and the various application programs. As technology improves many companies are developing very large databases called data warehouses which are used as analysis (and not transaction processing) to provide support for strategic decision making. A file, as described in the back of our book in the glossary, is a set of logically related records, such as the payroll records of all employees. A database is a set of interrelated, centrally coordinated data tables stored electronically with as little data redundancy as possible. Figure 4-2 on page 120 shows the basic elements of data hierarchy. Fields contain data about one customer such as the customers address, customer name, and so on. All the fields for one customer form a record (e.g., customer record). A set of related records, such as all customer records, forms a table (e.g., customer table). A set of interrelated tables forms a database (e.g., a customer sales database may include customer table, inventory table, and sales table). We use the term database to mean the collected data sets that are organized and stored as an integral part of an organization’s computer-based information system. Data analytics is discussed more fully in Chapter 7. Three techniques are introduced here: 1. Business Intelligence is the analysis of large amounts of data for strategic decision making. 2. Online analytical processing (OLAP) is the process of using queries to investigate hypothesized relationships among data. 3. Data mining is the process of analyzing data repositories for unhypothesized relationships in the company’s data and business processes using sophisticated statistical analysis.

Learning Objective One Explain the importance and advantages of databases, as well as the difference between database and file-based legacy systems.

4-2 .

The Importance and Advantages of Database Systems Note to Students: Many job announcements for accounting positions require the knowledge and skills from experience in using databases and data analytics. Understanding the data structure of an AIS is critical when you need to create custom reports.

Most accounting students will audit or work for a company that uses database technology to store, process, and report accounting transactions. Database technology is widespread because it provides organizations with the following benefits: 1. Data integration: Integration is achieved by combining files into larger “pools” of data that many application programs can access. An example is an employee database that consolidates data formerly contained in payroll, personnel, and job skills master files. This makes it easier for information to be combined in unlimited ways. 2. Data sharing: Integrating data makes it easier to share data with all authorized users. 3. Minimal data redundancy and data inconsistencies: Because data items are usually stored only once, data redundancy and data inconsistencies are minimized. 4. Data independence: Because data and the programs that use them are independent of one another, each can be changed without having to change the other. This makes programming easier and simplifies data management. 5. Cross-functional analysis: In a database system, relationships, such as the association between selling costs and promotional campaigns, can be explicitly defined and used in the preparation of management reports. Note to the Instructor: This additional benefit could be added that is not mentioned in the book: One-time Data Entry and Storage: In the database approach to data management, data are input into the database once, stored in a particular location, and available for use by multiple applications and users. Multiple Choice 1 4-3 .

A customer’s name would be a: a. database b. table c. field d. record Multiple Choice 2 Which of the following would be identified as a table? a. A customer’s name b. Data about one customer c. All inventory records d. Data about one inventory item Multiple Choice 3 Which of the following is not an advantage of database systems? a. Data sharing b. Data independence c. Data privacy d. Data integration For class discussion: How would sales data information be used in the following management positions? Sales Manager Marketing Manager Purchasing Manager Manufacturing Manager Accounting Manager The reason for this discussion is to get the class to think broader about how the same information is useful within different contexts. For example, the sales manager may use sales information to examine two different commission plans before making a final decision. The purchasing manager may use sales information to help predict demand for certain products. The manufacturing manager may use sales information to help plan for product production. It is also good to tie this into a discussion of why it’s important to have good quality data. This may be a good time to discuss rights to data by posing the question of who should have access to the particular elements within sales data.

Learning Objective Two Explain database systems, including logical and physical views, schemas, the data dictionary, and DBMS languages.

4-4 .

Database Systems Logical and Physical Views of Data Figure 4-3 on page 122 provides an example of a record layout of an accounts receivable table. The logical view is how the user or programmer conceptually organizes and understands the data. The physical view refers to how and where the data are physically arranged and stored in the computer system. Figure 4-4 on page 123 provides two logical views of data. As shown in Figure 4-4, DBMS software handles the link between the way data are physically stored and each user’s logical view of the data.

Schemas A schema describes the logical structure of a database. Three levels of schemas: the conceptual, the external, and the internal. Figure 4-5 on page 124 provides the three levels of schemas. The conceptual-level schema is the organization-wide view of the entire database. The external-level schema consists of a set of individual user views of portions of the database, each of which is also referred to as a subschema. The internal-level schema provides a low-level view of the database. It describes how the data are actually stored and accessed, including information about record layouts, definitions, addresses, and indexes.

The Data Dictionary The data dictionary contains information about the structure of the database. The data elements composing the database are fully described in a data dictionary, which serves as a repository containing facts about the structure of the data elements employed in applications. Table 4-1 on page 125 provides an example of a data dictionary. The data dictionary is a useful document to refer to when you are creating queries or customized reports. 4-5 .

For class discussion: As students are learning about structure and relationships of data tables in a database, it is important to remind them that not extracting the right information can lead to poor decisions. For example, if the accountant was reviewing sales returns and pulled the following information: Return date Item returned Price This information may appear to be normal sales return information, from a comparison of period to period; however, adding the field store #, and/or salesperson #, the accountant may discover that one store, or one particular salesperson has a higher amount of sales returns compared to others. A further examination of the detail may indicate fraudulent activity.

DBMS Languages The data definition language (DDL) is used to (1) build the data dictionary, (2) initialize or create the database, (3) describe the logical views for each individual user or programmer, and (4) specify any limitations or constraints on security imposed on database records or fields. The data manipulation language (DML) is used for data maintenance, which includes such operations as updating, inserting, and deleting portions of the database. The data query language (DQL) is used to interrogate the database. The DQL retrieves, sorts, orders, and presents subsets of the database in response to user queries. A report writer is a language that simplifies report creation.

4-6 .

Note to the Instructor: The additional definition and additional uses that were not included in the book could be provided to the students: A database control system (DBCS) controls the various components of the DBMS. For example, the DBCS creates and manages the structure used for storing the data. It also creates the necessary support components that allow simultaneous multiple-user access to the data. In addition to the functions provided by these components, many DBMS packages allow users to: 1. 2. 3.

Analyze data and create ad hoc or customized reports Create and display graphs Create customized applications via host programming languages 4. Import and export data and images from other packages 5. Perform online data editing 6. Purge or archive obsolete data 7. Consolidate redundant master file records 8. Back up data 9. Maintain other security measures 10. Interface with communications networks

Multiple Choice 4 The data view that shows how the user or programmer conceptually organizes and understands the data is the: a. record layout view b. logical view c. physical view d. none of the above Multiple Choice 5 Which of the following statements is FALSE? a. The data dictionary contains information about the structure of the database. b. The internal-level schema provides a high-level view of the database. c. The DDL is used to build the data dictionary. d. The conceptual-level schema is the organization-wide view of the entire database. Multiple Choice 6 The way data are physically arranged and stored in the computer system is the: a. physical view b. logical view 4-7 .

c. schema view d. system view

Learning Objective Three Describe what a relational database is, how it organizes data, and how to create a set of well-structured relational database tables.

Relational Databases A data model is an abstract visual representation of the contents of a database. The relational data model represents everything in the database as being stored in the form of tables such as the one shown in Table 4-2 on page 126. Technically, these tables are called relations (hence the name relational data model), but we will use the two words interchangeably. Each row in a relation, called a tuple, contains data about a specific occurrence of the type of entity represented by that table. For example, each row in the inventory table in Table 4-2 contains data about a particular inventory item that S&S carries. Types of Attributes A primary key is the attribute, or combination of attributes, that uniquely identifies a specific row in a table. The primary key for the inventory table in Table 4-2 is the Item Number. A foreign key is an attribute in a table that is a primary key in another table. Foreign keys are used to link tables. For example, the Inventory table in Table 4-2 has a foreign key of Vendor number (VendorID is a primary key in the Vendor table.) By having this foreign key, we can create a relationship between the Inventory table and the Vendor table. Multiple Choice 7 In a Sales Table, the most likely primary key would be: a. sales invoice ID b. inventory item ID c. customer ID d. customer name Multiple Choice 8 4-8 .

In an inventory table, the most likely nonkey column(s) would be: a. item number b. color c. price d. b and c e. a and c

Designing a Relational Database for S&S, Inc. Option 1: Store All Data in One Uniform Table. This data is provided in Table 4-3 on page 128 This approach has several disadvantages: 1. It creates a great deal of redundancy in terms of stored data. For example, because there are three separate inventory items sold, the sales invoice number 102 is listed three times with the invoice and customer data is repeated each time an item is sold. 2. The second problem that can occur is referred to as an insert anomaly, because there is no way to store information about prospective customers until they actually make a purchase. 3. A third problem that can occur is referred to as an update anomaly, changing the customer data would require reviewing the entire table and selecting each occurrence for that one change. This may be difficult and result in errors in the database. 4. A final problem that can occur is referred to as a delete anomaly, in which unintended consequences can occur. For example, deleting one transaction may remove information about a customer. Note to the Instructor: A good way to reinforce the concepts of insert, update, and delete anomalies is a simple spreadsheet and physically identify the issues above showing the problems.

Option 2: Vary the Number of Columns This data is provided in Table 4-4 on pages 129. In this option, the data storage is to record the sales invoice and customer information just once. This required additional items which required four additional columns:

4-9 .

1. Item 2. Quantity 3. Unit Price 4. Extended Amount We still have disadvantages. This approach does not reduce some of the redundancy and some of the anomalies associated with the data storage scheme illustrated in Table 4-4. This table is set up for the sale of three items. What happens if eight items are sold? This would require 40 columns! Now we are going to have even more columns to add three more items. The problems associated with Options 1 and 2 in Tables 4-3 and 44 can be solved with a relational database (a set of tables). Basic Requirements of a Relational Database 1. Every column in a row must be single valued. 2. Primary keys cannot be null. 3. Foreign keys, if not null, must have values that correspond to the value of a primary key in another table. 4. All nonkey attributes in a table should describe a characteristic about the object identified by the primary key. A set of relational databases are provided in Table 4-5 on page 130. As shown in Table 4-5, we now have more than one table that have relationships: 1. Sales Table 2. Sales_Inventory Table 3. Inventory Table 4. Customer Table Primary key is the attribute, or combination of attributes, that uniquely identifies a specific row in a table. As a result, the value for a primary key cannot be blank (null). If it was blank, then there would be no way to identify a specific row and retrieve any data. The entity integrity rule ensures that every row in every relation must represent data about some specific object in the real world.

4-10 .

Foreign keys are used to link rows in one table to rows in another table. Refer to the lines and arrows in Table 4-5. CustomerID can link each sales transaction with the customer who participated in that event only if the Sales table CustomerID value corresponds to an actual customer number in the Customer table. This is referred to as the referential integrity rule that ensures the consistency of the database. For example, the customer number is a foreign key in the sales table that relates to the customer number that is a primary key in the customer table. Note to the Instructor: Students sometimes have difficulty understanding the referential integrity rule, and it may be easier to explain in terms of master files and transaction files and demonstrate it in class using MS Access. For the example above, the master file is customer table and the transaction file is the sales table. To keep track of all customer sales transactions, it will require that a customer has been set up in the customer file first (master file) before you can enter the sales transaction. Demonstrating this in MS Access requires that your relationships between the tables “Enforce Referential Integrity.” Thus, by entering a sales transaction that does not have a customer number existing from the Customer Table will give an error message. Foreign keys can have a null value. Some customers that pay cash may not want to give up their identity which would allow a company to track them. Therefore, there will be some customer number fields that will be left blank. Nonkey attributes are items in a table that are neither a primary key nor a foreign key. As previously described as the fourth basic requirement for a relational database, all nonkey attributes in a table should describe a characteristic about the object identified by the primary key. Two Approaches to Database Design One approach is called normalization, which starts with the assumption that everything is initially stored in one large table. A normalized database means that it is free of update, insert, and delete anomalies. Another alternative way to design well-structured relational databases involves semantic data modeling. Under this approach, the database designer uses knowledge about how business processes typically work and about the information needs associated with transaction processing to draw a graphical picture of what should be included in the database. The resulting figure can then be directly used to create a set of relational tables that are in third normal form (3NF). Refer to the website for the third normal form. 4-11 .

Multiple Choice 9 Which of the following is not a basic requirement of a relational database? a. Every column in a row must be single valued. b. Primary keys cannot be null. c. Foreign keys, if not null, must have values that correspond to the value of another foreign key in another table. d. All nonkey attributes in a table should describe a characteristic about the object identified by the primary key. e. All of the above are basic requirements of a relational database.

Creating Relational Database Queries In the text we demonstrate creating queries using the QBE and SQL interfaces. While some may think that the QBE interface is sufficient for all queries, we note that even moderately complex queries overwhelm the QBE interface. Additionally, becoming proficient in the SQL language allows your query skills to be transportable across all relational database products.

Note to the Instructor: If students want to follow along with the five queries and create these queries; they need to first bring up this website: http://www.pearsonglobaleditions.com Next, the students need to follow the following steps: 1. Left click on “Student Download Page” under “Accounting Information Systems 15/e.” 2. Click on “Case and Problem Spreadsheets” 3. Click on “Chapter 4” 4. This will give the student the Chapter 4 Relational Database with “Customer,” “Inventory,” “Sales” and “Sales_Inventory” to be used to follow along and practice.

Query 1. List the invoice numbers, dates, and salesperson for sales made to Lola Doyle. We are using the Sales and Customer Tables for this Query. We determine that these are the appropriate tables by examining the fields that are needed for output as well as examining the criteria fields. Studying the logical model we see that the needed fields are in the two tables and that the tables are connected by a primary key/foreign key pair. Next, we select the columns from each Table to be included in the Query. Note the Sales Table Primary Key is SalesInvoiceID and the Foreign Key is the CustomerID which is the Primary Key for the Customer Table.

4-12 .

Both QBE and SQL solutions are shown in Table 4-7 on page 134. The Sales and Customer Tables, and the Results of the Query are shown in Table 4-8 on page 135. Query 2. List the SaleDate, Description, and Quantity for each transaction in which refrigerators were sold in October. This query involves the Sales, Sales_Inventory, and Inventory tables. We determined that these were the appropriate tables by identifying the fields desired for presentation as well as the criteria fields. Examining the logical model is always a good starting place for determining which tables to include in the query. Students should be able now to determine the Primary Keys and the Foreign Keys involved. The Completed Query 2 and Query 2 Answer are provided in Table 410 on page 136. Query 3. How many refrigerators were sold in October? This query builds off of query 2 and introduces aggregating data across rows. As with query 2 we are using three tables; Sales, Sales_Inventory, and Inventory tables. The inclusion of an aggregation now displays a “total” line in the QBE view. In the SQL view the aggregate action occurs primarily in the SELECT clause. With an aggregate action, you may now use GROUP BY and HAVING as needed to complete your query. In this case GROUP BY isn’t needed as the query requests a single number… the number of refrigerators. The Completed Inquiry 3 and Query 3 Answer are provided in Table 4-12 on page 138. Table 4-13 highlights the difference between a non-aggregate and aggregate query in the SQL view. Query 4. This query asks for the description and quantity sold for inventory items that sold 2 or more units. We will be using the Sales, Sales_Inventory, and Inventory tables again. Consider that this query builds upon query 3. Query 3 had an aggregate expression without any grouping, so it produced a single row of output. By adding a grouping (Group By in the “total’ line of QBE or GROUP BY statement in SQL), a row of output will be produced for each grouping. For this query, we want a group (sum) for each inventory item. In the example the field Inventory.Description is used for the grouping field. While this works for this example, it would have been better to group by the Inventory.ItemID field as it uniquely identifies an inventory item. The Description field may produce incorrect results if two or more inventory items have the same description. With the grouping complete, if you ran the query you will get a list with a sum of quantity sold for each inventory item. We are not yet finished, as we want to limit the output to those items that have sold two or more. This query is designed to show the HAVING clause. You cannot use the WHERE clause to limit the output as the computed total is not yet available when the WHERE clause operates. See note below.

4-13 .

Note to instructor: For instruction simplicity and clarity of thought, we recommend telling students to think of SQL being executed in the following order: 1. FROM collects the tables and joins them together 2. WHERE filters the rows based on criteria 3. SELECT selects the columns to display 4. GROUP BY performs aggregate actions 5. HAVING filter aggregated rows based on criteria This ordering helps students see the bigger picture by 1. identifying the tables, creating linkages, 2. applying criteria, 3. selecting columns, and then 4. and 5. doing aggregate actions. Keep in mind that this is just a good way to think of how SQL operates and is not intended as a ‘fact’. Each vendor’s SQL engine has its own optimization techniques. The computed total is available after the execution of the GROUP BY. The HAVING can then filter based on computed aggregate values. The Completed SQL for query 3 and 4 are presented in Table 4-13 in order to contrast the single aggregate of query 3 with the grouped aggregate of query 4. The completed Query 4 and Query 4 Answer are provided in Table 4-14 on page 139. Query 5. Lists the SaleDate and InvoiceTotal for each invoice. It is designed to build off of Query 4. The added element in Query 5 is the demonstration of mathematical operations between fields within a row. In this case the students will need to compute the extended price of an item, which is Quantity * SoldPrice. This row total is computed in the SELECT clause and could be presented as an Extended Amount. However, as this query asks for an invoice total, the calculated field needs to be summed for each invoice. Thus, there may be some confusion of whether a calculated amount must be inside of a SUM as it is in this example. Clearly calculated amounts do not need to be inside of aggregate functions. They may stand on their own and be aliased with the AS clause. The Completed Query 5 and Query 5 Answer are provided in Table 415 on page 141. Multiple Choice 10 Which tables were needed in the query that answered the question: “How many ranges were sold in October?” a. Sales table b. Inventory table c. Sales_Inventory table d. All of the above e. a and c

Database Systems and the Future of Accounting The most significant effect of database systems will be in the way accounting information is used in decision making. 4-14 .

Relational databases, however, provide query languages that are powerful and easy to use. Managers can concentrate solely on specifying what information they want and query the database or use the query to build a custom report. Why is this important? Because the database creates flexibility and while most businesses may be similar on the surface (they do sales and purchase goods and services); underneath they may be very unique in how they get things done which gives them competitive advantage. Finally, relational DBMSs provide the capability of integrating financial and operational data.

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 C 6 A 2 C 7 A 3 C 8 D 4 B 9 E 5 B 10 D

4-15 .

CHAPTER 5 Introduction to Data Analytics in Accounting Instructor’s Manual Learning Objectives: 1. Explain what makes a good question and evaluate questions relative to the SMART framework. 2. Describe the extract, transform, and load (ETL) process and key components of each step of the process. 3. Explain the differences between descriptive, diagnostic, predictive, and prescriptive analytics. Understand the situations for which each type of analytic is appropriate. 4. List the principles that lead to high-quality data visualizations. 5. Describe how automation interacts with the analytics mindset and when data analytics is not the right tool for making a decision.

Introduction Data is more prevalent, easier to analyze, and increasingly important in business. These changes have led people to talk about big data which are data sets characterized by huge amounts of data (data volume), in various formats (data variety), and for which the quality may be suspect (data veracity). These “V’s” combined with data velocity (the pace at which data is created and stored) represent the 4 V’s of big data. The 4 V’s of big data are changing business and accounting. Focus 5-1 on page 164 discusses how accountants must change in this emerging world. A key to this change, is that accountants must focus on developing new mindsets, which is a mental attitude, a way of thinking, or a frame of mind. In particular, the analytics mindset is key to navigating big data and being a successful accountant of the future. The analytics mindset (as defined by Ernst and Young or EY) is the ability to  Ask the right questions.  Extract, transform, and load relevant data.  Apply appropriate data analytic techniques.  Interpret and share the results with stakeholders. Although this is a “new” mindset, it is worth pointing out to students that this mindset parallels the scientific method and is a time-honored method for knowledge acquisition. The entire chapter (and chapters 6 and 7) build off the idea of the analytics mindset. Multiple Choice 1 A key competency that accountants and business professionals must develop in the age of big data is which of the following? 5-1 .

a. Analytics mindset b. Big data mindset c. The ETL mindset d. The SMART mindset

Learning Objective One Explain what makes a good question and evaluate questions relative to the SMART framework.

Ask the Right questions Asking the right questions is the first step of the analytics mindset. Good questions follow the SMART framework. The SMART acronym is defined as • Specific: needs to be direct and focused to produce a meaningful answer. • Measurable: must be amenable to data analysis and thus the inputs to answering the question must be measurable with data. • Achievable: should be able to be answered and the answer should cause a decision maker to take an action. • Relevant: should relate to the objectives of the organization or the situation under consideration. • Timely: must have a defined time horizon for answering. Note to Instructor: you can have students practice developing good questions by giving them a context and having them design questions that fit the SMART framework. For example, the context could be an external auditor visiting with several employees to understand the “tone at the top” of the organization. Students can ask questions and then discuss how to improve them using this framework. Here is an example:  Initial question: “How is the tone at the top?” o Improvements: (specific) “How does the CEO communicate the following internal controls are important or unimportant?” o Improvements: (measurable) “How often do employees complete training related to making ethical decisions?” o Improvements: (timely) “During the last year, how many times did the CEO not follow a rule or encourage another employee to not follow a rule?”

Multiple Choice 2 Which of the following is not one of the SMART question criteria: 5-2 .

a. Achievable b. Specific c. Timely d. Reliable

Learning Objective Two Describe the extract, transform, and load (ETL) process and key components of each step of the process.

Extract, Transform, and Load Relevant Data The ETL process is a set of procedures for preparing data. The acronym stands for extract, transform, and load data. Given how important the ETL process is, the AICPA has developed a set of Audit Data Standards to help with this process. You can review these standards at https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/audit datastandards.html. The voluntary standards provide guidance so that computer systems can be designed to output client data in a standard format and then the auditor can more easily import the data into tools for analysis.

Extracting Data Extracting data follows a three step process: 1. Understand data needs and the data available. 2. Perform the data extraction. 3. Verify the data extraction quality and document what you have done. In understanding data, it is important to understand the following principles about data. Data comes in several different forms, including structured data, unstructured data, and semi-structured data. Structured data is data that is highly organized and fits into fixed fields. Semi-structured data is data that has some organization but is not fully organized to be inserted into a relational database. Unstructured data is data that has no uniform structure. Some examples of each are as follows:  Structured data: financial data such as debit and credit amounts, sales records, customer information (e.g., name, address, phone number, etc.) 

Semi-structured data: email, XML data, CSV files



Unstructured data: pdf files, images, video recordings 5-3 .

Data is usually stored in organizations in several different structures, including data warehouses, data marts, and data lakes. Figure 5-1 on page 167 shows various ways that these data structures can be built. Data warehouses are very large databases containing detailed and summarized data for a number of years used for analysis rather than transaction processing (defined in Chapter 4). Data marts hold structured data for a subset of the organization (e.g., for a region). Data lakes are a collection of structured, semi-structured, and unstructured data stored in a single location. Data lakes typically hold all data in an organization and relevant data from outside an organization (e.g., social media data). When information the organization has collected and stored that would be useful for analysis but is not analyzed and is thus ignored is called dark data. Most estimates suggest that most data in an organization is dark data. For example, IBM estimates that 90% of data generated by sensors and analog-to-digital conversions is dark data. Data swamps are repositories that are not accurately documented so that the stored data cannot be properly identified and analyzed. To help reduce the likelihood of dark data and data swamps, companies should document metadata in data dictionaries. Metadata is data that describes data and examples include what type of data is allowed in a field, the format of data, etc. Extracting data can be a very time consuming process. Chapter 6 focuses much more specifically on this topic. Some basic principles students should understand from this chapter relate to flat files, delimiters, and text qualifiers. A flat file is a text file that contains data from multiple tables or sources and merges that data into a single row. For example, a relational database would show data for customers and their purchases separated into three tables (as shown in the figures below): Figure: Snippets of Relational Database Tables for Customers and Orders

5-4 .

In contrast, a flat file might combine the information about customers in multiple different tables into a single table of information (often displayed in Microsoft Excel or a query output) as follows:

Note, that often flat files reduce the information in a relational database through aggregation (e.g., sum, median, max, etc.). Or, flat files will violate the design principles of a relational database discussed in Chapter 4 (e.g., a flat file may contain redundant customer information). When flat files are saved, the computer system needs to somehow determine which information is stored in each column. To do this, computers use delimiters and text qualifiers. Table 5-1 on page 169 contains examples of delimiters and text qualifiers. Delimiters are a character, or series of characters, that marks the end of one field and the beginning of the next field. The most common delimiters (delimiter is listed between “”) are a space “ “ and a comma “,”. However, neither of these are very useful because they are commonly used in normal writing. Thus, the audit data standards recommend using a pipe “|”. A text qualifier are two characters that indicate the beginning and ending of a field and tell a computer program 5-5 .

to ignore any delimiters contained between the characters. The most common text qualifier are beginning and ending quotes “”. Note to Instructor: a class exercise can be to put examples of data on the screen (or in a handout) and have students identify the text qualifiers and delimiters. Identifying delimiters and text qualifiers will help students look for patterns in data that can be useful for the ETL process. Here are a few examples: Example 1 Flat file, Header Row: InventoryNo InventoryName MaxUnitsSold CostPerUnit Flat file, Data Row: 1001 ‘Unique Bargains Barb Eyeless 10# Hooks’ 25 $5.23 1002 ‘10Pcs Rod Tip Clamp Fish Bite Lure’ 15 $9.52 Solution: The delimiter is a space “ “, and the text qualifier are single quotes ‘’ Example 2 Flat file, Header Row: CustNo@ @FirsName@ @LastName@ @Email@ @StreetAddress Flat file, Data Row: 100@ @Larry@ @Blackhurts@ @lbst@rigg.com@ @44 Crab Avenue, West Chicago IL 60185 101@ @Odette@ @Schlochindorf@ @swasing@timi.com@ @765 Olive Tree Circle, Kennewick, WA 99337 Solution: The delimiter is “@ @” and there is no text qualifier. This can be a tricky one to show students. In this case the email address is not a problem because the delimiter is three characters “@ @” and email addresses only have a single @ sign and no space. So, a text qualifier is not needed. This is not a likely case used in practice, but it helps students to understand what is and is not a delimiter and text qualifier.

Transforming Data There are four steps to transforming data: 1. Understand the data and the desired outcome 2. Standardize, structure, and clean the data 3. Validate data quality and verify data meets data

requirements 4. Document the transformation process These steps are not always sequential and may need to be performed multiple times iteratively. It may be the case that as data is cleaned and transformed objectives change and the data will have to be further refined. Chapter 6 goes into these steps in much more detail. 5-6 .

Loading Data Typically when data has been extracted and transformed well, the data loading process is a relatively simple process. However, data loading often reveals errors in the transformation steps as the data is not accepted correctly into the new system. Also, a key step that is often skipped in loading data is providing high quality documentation of what the loaded data means, so users of the data do not make mistakes in using the data. A simple loading exercise that can be done in class is to save data as a CSV file (or other delimited file) and then have the students load the data into Excel (or use Excel and have the students load the data into a program like Access). The students can set the delimiters and understand how the program “reads” the CSV data and interprets it. The original CSV file can contain a few errors, such as extra data on a line, an extra delimiter, and the students can visually see how the program reacts when trying to load it. Multiple Choice 3 Which of the characters would be best to use as a delimiter for financial data? a. $ (dollar sign) b. ~ (tilde) c. % (percentage sign) d. - (minus sign) Multiple Choice 4 Which of the following types of data is most likely to properly use delimiters and text qualifiers? a. Dark data b. Unstructured data c. Semi-structured data d. Structured data

Learning Objective Three Explain the differences between descriptive, diagnostic, predictive, and prescriptive analytics. Understand the situations for which each type of analytic is appropriate.

Apply Appropriate Data Analytic Techniques Data analytics can be categorized into four categories: 1. Descriptive analytics: information that results from the examination of data to understand the past, answers the question “what happened?” 5-7 .

2. Diagnostic analytics: information that results from the examination of data to determine causal relationships, answers the question “why did this happen?” 3. Predictive analytics: information that results from analyses that focus on predicting the future, answers the question, “what might happen in the future?” 4. Prescriptive analytics: information that results from analyses to provide a recommendation of what should happen, answers the question “what should be done?” Each of these analytics is covered in more depth in Chapter 7. Some things to help students understand that all of these are used in practice, but they are typically used most in the following order: descriptive, diagnostic and predictive, prescriptive. Also, diagnostic and predictive analytics are related in that if you understand what causes something, you then are better able to predict the future. The difference is whether you are trying to understand “why” something happens (diagnostic) or explicitly trying to predict the future (predictive). Often, companies will perform diagnostic analytics first and then build predictive analytic models. Also, predictive analytics and prescriptive analytics are closely related. To perform a prescriptive analytic, you must have a predictive analytic. That is, a model or algorithm will predict something and then the prescriptive analytic decides what to do or makes a recommendation based on that prediction. A few examples of each type of analytic follows: 1. Descriptive analytics: common financial ratios such as earnings per share, inventory turnover ratios, profitability ratios, etc. 2. Diagnostic analytics: often statistical analyses such as using regression to see if one thing causes (or more often is associated with) another. Seeing if more frequent maintenance reduces manufacturing defects, testing if weather events cause employee happiness which then causes performance differences. 3. Predictive analytics: all forecasting analytics are examples of predictive analytics (sales forecasts, EPS forecasts, stock price forecasts, etc.) 4. Prescriptive analytics: these are often models that provide a recommendation. Machines are increasingly monitored with sensors and metrics that will predict when the machine might fail and make the recommendation to perform maintenance or replace the machine. When making credit approval decisions, a company will gather various data to predict how likely a customer will be a “good” customer that pays and then make a recommendation to accept or not. The chapter also provides discussion of future skills that students will need, see Figure 5-2 on page 172. These skills are likely to change over time. The key point to make to students is that the accounting profession requires continual learning and development. Also, the predicted most valuable skills of the future accountant relate to improving with technology and data. Multiple Choice 5 A company develops a computer program to replace stock analysts that makes stock purchasing recommendations based on financial statement 5-8 .

data and social media information. This is an example of which type of analytic? a. Descriptive b. Diagnostic c. Predictive d. Prescriptive analytics Multiple Choice 6 In order to create a computer program that predicts customer demand in a restaurant, a data analyst tests to see if different sport seasons cause more customers to go out to eat. The data analyst computed which type of analytic? a. Descriptive b. Diagnostic c. Predictive d. Prescriptive analytics

Learning Objective Four List the principles that lead to high-quality data visualizations.

Interpret and Share the Results with Stakeholders Interpreting Results Interpretation of results is a very important step of the analytic mindset. While on the surface level, it seems obvious, this step can result in significant differences in interpreting the data. One way to help teach students about this topic, is to provide a mini case study and assign half the class to take one role and the other class to take a different role. This is often done in academic studies. 1 At the end of this section, a case study used in the Burton, Emett, Simon, and Wood (2012) article (citation contained in the footnote) is provided that can be used for this type of activity. Sharing Results This chapter introduces this topic. It is covered in much more depth in chapter 7. Results are often shared using data visualizations in data dashboards by using data storytelling. Data visualization is the use of a graphical representation of data to convey meaning. A data dashboard is the display of important data points, metrics, and key performance indicators in easily understood data visualizations. Data storytelling 1

For example, see the following: Ahlawat, S. S., & Lowe, D. J. (2004). An examination of internal auditor objectivity: In-house versus outsourcing. Auditing: A Journal of Practice & Theory, 23(2), 147-158. Burton, F. G., Emett, S. A., Simon, C. A., & Wood, D. A. (2012). Corporate managers' reliance on internal auditor recommendations. Auditing: A Journal of Practice & Theory, 31(2), 151-166.

5-9 .

is the process of translating often complex data analyses into more easily understood terms to enable better decision making. The key to sharing results depend on following good data visualization principles. The following principles are basic, key principles for sharing results successfully:  Choosing the right type of visualization.  Simplifying the presentation of data.  Emphasizing what is important.  Representing the data ethically. For teaching purposes, you can display various data visualizations found on the internet and discuss how they used these principles. Some examples of high quality visualizations can be found at the following links:  https://public.tableau.com/en-us/gallery/?tab=viz-of-theday&type=viz-of-the-day The visualization company Tableau provides daily good visualizations.  https://piktochart.com/data-visualization-examples/  Perform a web search for “Best Data visualizations of YEAR” and you will find many additional examples. Some examples of poor data visualizations can be found at the following links:  https://flowingdata.com/category/visualization/uglyvisualization/  https://www.businessinsider.com/the-27-worst-charts-of-all-time2013-6#burger-king-has-3-times-as-much-in-sales-than-starbucksit-makes-sense-that-its-three-times-taller-but-the-fact-that-itsarea-is-nine-times-that-of-starbucks-shows-why-this-chartexemplifies-everything-that-is-wrong-with-charts-that-try-toincorporate-cutesy-graphics-2  http://livingqlikview.com/the-9-worst-data-visualizations-evercreated/  Perform a web search for “Worst Data visualizations of YEAR” and you will find many additional examples. Multiple Choice 7 Which of the following is not a problem have with interpreting data correctly: a. Mistaking correlation for causation b. Confirmation bias c. Data overload d. All the above are problems Multiple Choice 8 Which of the following statements is FALSE: a. Data storytelling allows a person to make the data say anything s/he wants to achieve his/her objective. b. Data dashboards show multiple visuals to tell a complete story. c. Data interpretation can differ between individuals for nonnefarious reasons. 5-10 .

d. Data visualization often communicates information more quickly and in a more memorable fashion than using text.

Learning Objective Five Describe how automation interacts with the analytics mindset and when data analytics is not the right tool for making a decision.

Additional Data Analytics Considerations Automation is the application of machines to automatically perform tasks once performed by humans. Automation has increased as computing resources have become less expensive and more powerful, and as computer scientists have developed better algorithms for performing tasks. Within accounting, robotic process automation (RPA) is making significant inroads. You can find more about the state of RPA in accounting by reviewing the article at https://doi.org/10.2308/acch52466 (Cooper, L. A., Holderness Jr, D. K., Sorensen, T. L., & Wood, D. A. (2019). Robotic process automation in public accounting. Accounting Horizons, 33(4), 15-35.). Focus 5-2 on page 175 provides a discussion of how automation can change and not change an industry. This discussion can lead to a nice classroom discussion on the strengths and weaknesses of automation in accounting. In this discussion, it is worth noting that the tasks that are the easiest to automate are those that are rules-based and stable. They are also more likely to be automated if they are frequently performed and time consuming. This can help students realize the importance of education, especially learning how to do challenging, judgment-oriented tasks. Note to Instructor: If your students are unfamiliar with RPA, you may choose to do a quick in class demo showing students how RPA works. Alternatively, You could have the students watch a video such as https://www.uipath.com/solutions/process/finance-and-accountingautomation to understand what RPA can do in business.

The chapter concludes with the caution that data analytics is not always the right tool for decision making. Although the chapter focuses on data analytics, it is important to emphasize to students the situations where data analytics might not be the best tool for decision making. A few examples where data analytics are not appropriate include ethical decisions (even if the data says to do something wrong, you should not do it), times where there is no data, and for hard to measure decisions (however, defining this is difficult because often better measures can be captured). Multiple Choice 9 Choose the best answer, the creation of a “bot” is related to which of the following words? 5-11 .

a. Dark data b. Data visualization c. Robotic process automation (RPA) d. The extract, transform, and load (ETL) process Multiple Choice 10 Which of the following is a situation where data analytics is better than using human judgment to inform or to make a decision? a. There is not enough data for estimating an analytic. b. Making an ethical judgment. c. Data cannot measure a phenomenon well. d. All of the above are situations where human judgment is better than using data analytics.

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 A 6 B 2 D 7 C 3 B 8 A 4 D 9 C 5 D 10 D

5-12 .

Possible Case study for classroom use. Case comes from Burton, F. G., Emett, S. A., Simon, C. A., & Wood, D. A. (2012). Corporate managers' reliance on internal auditor recommendations. Auditing: A Journal of Practice & Theory, 31(2), 151-166. For use in the classroom, assign students to take different roles such as internal auditor, manager, audit committee member, etc. Then have the students come to a recommendation. Very frequently, the students will have different recommendations based on their role. This can facilitate a rich discussion on how various factors (such as position, incentives, etc.) influence interpretation of the same data. Introduction You are a manager in a major chemical company’s headquarters. You have recently taken over responsibility for analysis related to polypropylene, one of the plastics produced by the North American Plastics Division. Polypropylene is sold primarily in granular form and is used in a number of products, ranging from food packaging to diapers to automotive parts. The versatility of polypropylene has led to increased demand over the last several years. Polypropylene is produced in a “continuous process,” meaning that large quantities of a homogeneous product are made in a nonstop operation. The process stops only for repairs to or maintenance of the machinery used. Further, the steps of the production process are highly interrelated, so that shutting down one portion of the plant requires shutting down the entire plant. One of the current issues at the Milwaukee plant pertains to a “turnaround” currently planned to take place in several months. A “turnaround” is simply a planned whole-plant shutdown for the purpose of performing all inspection, maintenance, and modification activities in a coordinated effort at one time. The machinery must be shut down to perform many of these activities, so plant downtime is minimized if they are all performed at the same time. Since it began operating, the Milwaukee plant has completed a turnaround every two years. When you arrived at work this morning, you learned that several employees, who are paid based on annual production, suggest that the planned turnaround be postponed for one year. They say that turnarounds are tremendously expensive operations, requiring a three-week shutdown. They argue that the company can improve profitability by changing the Milwaukee plant turnaround interval from every two years to every three years. Although they have made these recommendations, you will make the final decision about the turnaround interval. Your job performance ratings and compensation are based on the decisions you make that maximize the long-term profitability of the company. Additional Information Following is a report prepared by Jessie Lunt on the issue of postponing the turnaround. You told Jessie of your initial impression about postponing the turnaround and Jessie went to work to do more research on the issue at your request. Jessie is one of the company’s in-house internal auditors.

5-13 .

Jessie was hired directly out of college to work for the company in its internal audit department and has been with the company for 5 years. Jessie has been promoted to manager within the internal audit function and works directly with the head of internal audit on various internal auditing projects. The head of internal audit assigned Jessie to perform a detailed cost/benefit analysis of the plant turnaround and present the findings to you. On the following page you will find Jessie’s recommendations. As you read Jessie’s recommendations, there are two important things to keep in mind. 1. Most aspects of turnaround analyses are inherently subjective. In fact, much of the analysis done for this type of decision is based on soft data, such as estimates, opinions, and assumptions. Accordingly, there is a lot of room for judgment in this type of analysis. 2. Making a good decision here is critical as your compensation and job success depend on maximizing the company’s long-term profitability. Jessie’s Recommendations The Milwaukee plant has traditionally performed a turnaround every two years. A few other plants in the company’s plastics division have adopted three-year turnaround intervals. I propose that we continue with the two-year turnaround schedule and proceed with the scheduled turnaround this year. When deciding whether to change the turnaround interval, it is necessary to compare the benefits associated with changing the planned turnaround to the costs associated with the increase in unplanned shutdown days that will likely occur if the planned turnaround interval is changed. Benefits Associated with Changing the Turnaround Interval – If the turnaround interval is changed, benefits would arise from two sources: 1.

No out-of-pocket costs will be incurred this year for the turnaround activities listed below Inspect the internal condition of all vessels Tear down, inspect, and replace parts of compressors Clean and pressure-test heat-exchanger tube bundles Recalibrate all instruments Remove and replace spent catalysts Total out-of-pocket costs of a turnaround

$1,800,000 $2,900,000 $1,300,000 $600,000 $900,000 $7,500,000

Additional production and sales that would result from not shutting-down the plant for the turnaround. Daily polypropylene production (based on future productive capacity) Sales price Polypropylene daily revenue

1,500,000 lbs/day * $0.35 per lb $525,000

Other daily revenue (scrap and by-product sales)

+ $75,000

5-14 .

Equals: Total daily revenue

= $600,000

Less: Daily variable cost (1,500,000 lbs per day * $0.18 per lb)

- $270,000

Equals: Extra daily revenue if turnaround is postponed

= $330,000

Duration of a normal turnaround

* 21 days

Total extra daily revenue if turnaround is postponed

= $6,930,000

Summary: If the turnaround is performed this year, it will require $7,500,000 in out-of-pocket costs and result in lost sales of $6,930,000. In other words, a turnaround costs $14,430,000. If you spread out this total turnaround cost over three years, it comes to an average cost of $4,810,000 per year. If you spread it over two years, it comes to $7,215,000 per year. Thus, the average annual savings are $2,405,000 ($7,215,000 $4,810,000) if you change from doing one planned shutdown every two years to one every three years. Costs Associated with Changing the Turnaround Interval – The plastics division loses money whenever there is an unplanned shutdown of the plant. It is likely that some unplanned shutdown days will occur, even if the turnaround is performed this year. Moreover, plants operating on a 3-year turnaround interval typically have more unplanned shutdown days than those operating on a 2-year interval. Thus, if the planned turnaround is delayed, then it is reasonable to expect an increase in the number of unplanned shutdown days. Costs of unplanned shutdowns include sales lost due to unplanned production interruption and other costs such as decreased equipment life, repair costs, ruined inventory, and cancellation fees, etc.

Daily cash flow foregone during shutdown (see previous analysis) Estimated average number of additional days lost due to unplanned shutdowns during next year Total cash flow foregone during unplanned shutdown Other costs (decreased equipment life, repair costs, ruined inventory, cancellation fees, etc.) Total costs of unplanned shutdown (per year)

$330,000 * 7.5 days = $2,475,000 + $300,000 = $2,775,000

Overall Recommendation In my opinion, the benefits of increasing the turnaround interval to threeyears ($2,405,000 per year) will not exceed the costs resulting from unplanned additional shutdown days ($2,775,000 per year. Thus, I recommend that you do not approve the proposal to increase the turnaround interval to three years and thus carry out the turnaround this year as scheduled. Questions 1. Do you recommend the turnaround to be postponed? 2. How confident are you in your choice? 3. Explain your reasoning behind your recommendation concerning the turnaround. 5-15 .

CHAPTER 6 Transforming Data Instructor’s Manual Learning Objectives: 1. Describe the principles of data structuring related to aggregating data, data joining, and data pivoting. 2. Describe data parsing, data concatenation, cryptic data values, misfielded data values, data formatting, and data consistency and how they relate to data standardization. 3. Describe how to diagnose and fix the data cleaning errors related to data duplication, data filtering, data contradiction errors, data threshold violations, violated attribute dependencies, and data entry errors. 4. List and describe four different techniques to perform data validation.

Introduction This chapter covers how to transform data. The chapter uses examples throughout based on a shared scenario. The data that is used throughout the chapter is listed in Figure 6-1 on page 189. Figure 6-2 on page 190 provides an abbreviated data dictionary for the data contained in Figure 6-1. Figure 6-10 on page 202 provides a solution with all of the data properly cleaned. A few observations are important to keep in mind:  Data transformation can range from simple to very complex. It is important to help students understand the range of complexity that might be encountered in data transformation. In transforming data, a key objective is to assure the data is of high quality. The attributes of high quality data are presented in Table 6-1 on page 191 (these were also referenced in Chapter 1 of the text). 

Transformation techniques are presented individually to aid in understanding; however, in practice these techniques can be combined in many different ways and used together.



Data transformation is at its core an exercise in understanding objectives, pattern recognition, and using logic. Often there are multiple ways to achieve the same objectives. Learning multiple techniques will allow the student to choose the most efficient transformation techniques.



Transformation is typically the most time consuming part of using data. Even though it is often not “seen” by stakeholders since it is done behind the scene, but is critical to the success of any data analysis.

6-1 .

Learning Objective One Describe the principles of data structuring related to aggregating data, data joining, and data pivoting.

Data Structuring Data structuring is the process of changing the organization and relationships among data fields to prepare the data for analysis. You can think of data structuring as organizing the data and getting it into the right layout. There are three key principles to consider when structuring data: 1. Aggregate data: the presentation of data in a summarized form. Companies record data at a fully disaggregated level, usually recording details of each individual transaction. This data is then aggregated to different levels. Some examples include summing all sales by customers to see how much each customer purchases or creating financial statements (which aggregate all data according to accounting rules). A key concept about aggregating data is that information is lost when data is aggregated. For example, when summing customer purchases, the data about when they made purchases or the size of their purchases is lost in the aggregate data. Figure 6-4 on page 192 contains examples of data aggregated at different levels. 2. Data joining (discussed in Chapter 4): the joining of data contained in different tables into a single table. 3. Data pivoting: A technique that rotates data from rows to columns. This is often performed because different programs are designed to handle data in different formats. Students most likely have experience using data pivoting in Microsoft Excel pivot tables. Pivoting changes the orientation of the data. This may allow us to quickly see patterns in data or create different presentations of data. Data pivoting often requires aggregating data to different levels. Figure 6-5 and 6-6 on pages 192-193 provide examples of data that has been pivoted. Multiple Choice 1 Susy receives a data extract of the purchasing transactions for various purchasing agents at the company. She would like to understand if purchasing agents with more experience are better at their jobs. To do this, she needs the years of experience of each purchasing agent, which is contained in a different table in the relational database. What technique will Susy need to use to add the new data to the data extract she received? a. Aggregating data b. Data joining c. Data pivoting d. None of the above 6-2 .

Multiple Choice 2 Paul has a list that contains four columns, inventory numbers, region numbers, date of sale, and total sales for the date. Paul wants to create a table that shows all inventory numbers in the first column of the table and then the name of each region across the top of the table, with total sales per region and inventory item in the body of the table (with no regard to dates of sales). To do this, what technique does Paul need to use? a. Aggregating data b. Data joining c. Data pivoting d. A and B e. A and C f. B and C g. A, B, and C

Learning Objective Two Describe data parsing, data concatenation, cryptic data values, misfielded data values, data formatting, and data consistency and how they relate to data standardization.

Data Standardization Data standardization is the process of standardizing the structure and meaning of each data element so it can be analyzed and used in decision making. If dealing with a flat file, you can think of data standardization as making sure the data in each column correctly represents that column, whereas data cleaning (discussed subsequently) is making sure the data in the rows are correct. Data standardization involves the following principles: 1. Data parsing and data concatenation: Data parsing is the separation of data from a single field into multiple fields whereas data concatenation is the combining of data from two or more fields into a single field. Figure 6-7 on page 194 presents an example of data parsing. Figure 6-8 on page 195 presents an example of data concatenation. You can show students examples of data parsing and data concatenation using Excel. These can be shown as follows: o Data parsing in Excel can be done using formulas such as “left”, “right”, and “mid”. These formulas extract the specified characters from another field. PCWorld provides a detailed example of this at https://www.pcworld.com/article/3163966/excel-tutorial-howto-import-and-parse-complicated-data.html. Data can also be parsed in Excel using the “Text-to-Columns” features. Microsoft provides discussion of this functionality at https://support.office.com/en-us/article/split-text-intodifferent-columns-with-the-convert-text-to-columns-wizard30b14928-5550-41f5-97ca-7a3e9c363ed7. o Data concatenation in Excel can be done using the formula 6-3 .

“concatenate” or using the operator “&”. Microsoft provides discussion of both of these ways of concatenating at https://support.office.com/en-us/article/concatenatefunction-8f8ae884-2ca8-4f7a-b093-75d702bea31d. 2. Cryptic data values: are data items that have no meaning without understanding a coding scheme. The text gives an example of a consulting firm keeping track of the positions of employees in the organization by using a coding scheme of 1 for partner, 2 for senior consultant, and 3 for research analyst. Without understanding the coding, the numbers 1, 2, and 3 in the employee table are meaningless. For dummy variables or dichotomous variables there is a general understanding of their meaning and they are usually not considered cryptic data values. Dummy variables and dichotomous variables are two names for the same thing: a data field that contains only two responses, typically 0 or 1. Generally speaking, the value of 1 is interpreted as signifying the presence of the attribute and 0 the absence of the attribute. If well named, these variables are easily understood. For example, a dummy variable for Male of 1 and 0 means the customer is male (1) or female (0); however, the dummy variable of gender with 1 and 0 is a cryptic data value. 3. Misfielded data values: are data values that are correctly formatted but not listed in the correct field. The example used in the text is for the data field “City” that contains the country name “Germany.” Germany is a correct value, it is just in the wrong field. It should be in the “Country” field. It is important to realize that misfielded data values can apply to an entire column or to just a specific value. 4. Data formatting and data consistency: data formatting relates to ensuring that the same type of data is presented in the same way e.g., all currency amounts in a column have a $ sign and two decimal places. Data consistency is making sure every value in a field is stored in the same way. In practice, it is not always obvious whether a problem is caused by data formatting or data consistency as they both have the same appearance in the extracted data. To understand what the actual problem is, it is usually necessary to examine the underlying coding of a database. That being the case, the solution to a transformation for either problem is usually the same, fix the data so it is the same. To fix the underlying problem so it doesn’t happen again requires more investigation and effort. Figure 6-9 on page 197 contains an example of phone numbers in different data formats. There is also a lengthy discussion of different data consistency and data formats in Figure 6-1 (on the chapter problem). The bullet points on page 197 list all of these problems.

6-4 .

Multiple Choice 3 The combining of data into a single column is called ________ whereas the separation of data into different columns is called ________? a. Data consistency, Data formatting b. Data formatting, Data consistency c. Data concatenation, Data parsing d. Data parsing, Data concatenation Multiple Choice 4 Consider the data extract listed below. The information in the Age field, suffers from which of the following problems?

a. Cryptic data values b. Misfielded data values c. Data formatting d. Data consistency Multiple Choice 5 A field labeled “ReceivesDiscount” in a customer table contains values of 0 and 1. Which of the following is the best description of this field and data? a. The field lacks consistency b. The field has cryptic data values c. The field is a dummy variable d. The field should be concatenated

Learning Objective Three Describe how to diagnose and fix the data cleaning errors related to data duplication, data filtering, data contradiction errors, data threshold violations, violated attribute dependencies, and data entry errors.

Data Cleaning Data cleaning is the process of updating data to be consistent, accurate, and complete. When data is inconsistent, inaccurate, or incomplete it is called dirty data. The chapter discusses 6 common errors to look for when cleaning data. 1. Data de-duplication: The process of analyzing data and removing two or more records that contain identical information. Most common solution is to delete the duplicate entry of data. Encourage the students to really understand their data. For example, if an extract of sales transactions has duplicate rows 6-5 .

of a customerid, productid, quantity, and price, this may or may not be duplicate data. A customer may come to a store every morning and buy the same amount of the same product. Thus, without a date field, it is difficult to know if the data is duplicated. 2. Data filtering: The process of removing records or fields of information from a data source. When filtering data, you must decide what to do with null values: ignore them, delete them, or replace them. The process of replacing a null or missing value with a substituted value is called data imputation. All of these choices come with pros and cons; whatever choice is made, it is critical to document choice for others who use the data. 3. Data contradiction errors: an error that exists when the same entity is described in two conflicting ways. Most common solution is to investigate which data is “truth” and update the incorrect entry. For example, if the same sales order is listed with two different dates in a system, the sales order with the incorrect date should be removed or corrected. 4. Data threshold violations: data errors that occur when a data value falls outside an allowable level. The most common solution is to find the violation and correct it (or to replace it with a null value if the truth cannot be determined). As an example, a sale should not have a negative value for the quantity sold (unless the company uses negatives to show sales returns). 5. Violated attribute dependencies: errors that occur when a secondary attribute in a row of data does not match the primary attribute. The most common solution is to correct the data that contains the error. For example, a supplier may be listed as being from the United States but then in the state field it says “Spain.” The state field should be adjusted to a state within the United States. 6. Data entry errors: all types of errors that come from entering data incorrectly. These errors should be investigated and corrected. Two common examples are spelling mistakes and transposition errors. Note to Instructors: The European Spreadsheet Risks Interest Group keeps a list of “horror stories” related to using spreadsheets. Many of these horror stories relate to dirty data. You can pull examples from this website or have students review and give reports on common dirty data problems in spreadsheets. The stories are listed at http://www.eusprig.org/horror-stories.htm The following data is used for multiple choice questions 6-8.

6-6 .

Multiple Choice 6 What type of error is present on line 4 and 5? a. Data de-duplication error b. Data imputation error c. Data contradiction error d. Violated attribute dependency error e. Data entry error Multiple Choice 7 Assume that in the data above, that Joe’s Hamburgers on line 2, 7, and 8 represents the same business operating in a single location. If the field CustomerAddress was added as column E, what type of error would be present if one of the entries on line 2, 7, or 8 was for a different, real restaurant? a. Data de-duplication error b. Data imputation error c. Data contradiction error d. Data entry error Multiple Choice 8 Assume the real name of the company on row 6 in Column C is Tim’s Salads. What most likely caused this error? a. Data de-duplication error b. Data imputation error c. Data contradiction error d. Violated attribute dependency error e. Data entry error

Learning Objective Four List and describe four different techniques to perform data validation.

Data Validation

6-7 .

Data validation is the process of analyzing data to make certain the data has the properties of high-quality data: accuracy, completeness, consistency, timeliness, and validity. There are four techniques that can be used to validate data. 1. Visual Inspection: This is the process of examining data using human vision to see if there are problems. 2. Basic Statistical Tests: Using basic statistical tests (often using descriptive statistics like mean, average, counts, etc.) to find if there are errors in the data. 3. Audit a Sample: Taking a sample of data and carefully analyzing the sample for errors. 4. Advanced Testing Techniques: Using a deep understanding of relationships and the data to analyze the data for errors. It is important to note that these validation techniques are often used in combinations and in sequence. Each has strengths and weaknesses. It can be a worthwhile exercise to have students individually, or as groups, brainstorm positives and negatives about each technique. Below are listed several possible positives and negatives for each technique. 1. Visual Inspection a. Positives: i. Quick and easy to perform. ii. Can identify data structure problems as well as standardization problems. b. Negatives: i. Hard to perform on large datasets. Relies on the training and expertise of the observer (which may be high or low). ii. Hard to document systematic changes for external parties (i.e., change management controls, or improvements for external auditors). 2. Basic Statistical Tests a. Positives i. Easy to perform on large datasets ii. More useful for quantitative amounts. iii. Very useful for identifying outliers and other statistical anomalies. iv. Good first step to understanding data before additional analysis. b. Negatives i. Limited in the types of errors that can be discovered. ii. Of limited value for qualitative amounts. iii. Not good for finding data standardization problems. 3. Audit a Sample a. Positives i. Can determine error rates that can be extrapolated to the population. For example, if you randomly select 1% of the population of transactions for audit and find 3 spelling errors and 15 duplicate values, you can estimate that the full data set has 300 selling errors (3/0.01) and 1,500 duplicate values (15/0.01). 6-8 .

ii. Can detect all types of errors. iii. Allows for identifying extraction and loading errors if data is checked against original data. b. Negatives i. Selecting and analyzing a large sample is time consuming. ii. Sampling is never perfect and may miss errors. 4. Advanced Testing Techniques a. Positives i. Can discover complex errors (such as errors of logic). ii. Can be targeted to errors that are more serious for the objective of the analysis. b. Negatives i. Requires expertise in the domain. ii. Not always available for all data sets. Multiple Choice 9 A production manager wants her data analyzed to help improve efficiency on the product line. However, the manager knows the data she has is not always accurate. To be useful, she needs to make sure that at least 95% of the data is correct. What validation technique should the manager use to have confidence in her data? a. Visual inspection b. Basic statistical tests c. Audit a sample d. Advanced testing techniques Multiple Choice 10 Which type of data validation technique is best able to detect outliers in numeric fields? a. Visual inspection b. Basic statistical tests c. Audit a sample d. Advanced testing techniques

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 B 6 A 2 E 7 C 3 C 8 E 4 B 9 C 5 C 10 B

6-9 .

CHAPTER 7 Data Analysis and Presentation Instructor’s Manual Learning Objectives: 1. Define and give examples of descriptive, diagnostic, predictive, and prescriptive analytics. 2. Describe when each type of analytic is most appropriately used in a business context. 3. Select the correct type of visualization format for visualizing data. 4. Understand design principles of simplification, emphasis, and ethical data presentation to design high-quality data visualizations.

Introduction After preparing the data (the topic of chapter 6), the data must be analyzed and the results communicated to the relevant stakeholders. This chapter focuses on these two key parts of the analytics mindset.

Learning Objective One Define and give examples of descriptive, diagnostic, predictive, and prescriptive analytics.

Learning Objective Two Describe when each type of analytic is most appropriately used in a business context.

These two learning objectives are closely related, and thus we discuss them together.

Data Analysis The third step of the analytics mindset presented in Chapter 5 is to “Apply appropriate data analytic techniques.” There are many analytic techniques that can be applied, this chapter breaks these techniques into four areas: descriptive analytics, diagnostic analytics, predictive analytics, and prescriptive analytics. Figure 7-1 on page 216 provides a graph to show how 7-1 .

these analytics are related to complexity and value added to the organization.

Descriptive Analytics Descriptive analytics, as defined in Chapter 5, examine the question of “what happened?” Examples of descriptive analytics include external auditors computing profit margins and leverage ratios to determine if business risk changed significantly during a period and to identify possible fraud. Corporate accountants computing metrics such as cost-per-unit, inventory turnover ratios, customer acquisition costs, and variance of budgets-toactual expenses and revenues to understand how the business is performing. Descriptive analytics often use exploratory data analysis techniques, which is an approach to examining data that seeks to explore the data without testing formal models or hypotheses. These types of techniques are often used to:  To find mistakes in the data.  To understand the structure of data.  To check assumptions required by more formal statistical modeling techniques.  To determine the size, direction, and strength of relationships between variables. Descriptive analytics often explore central tendency, spread, distributions, and correlations. These attributes of data are commonly shown in a visualization (also called a viz). A viz is any visual representation of data, such as a graph, diagram, or animation. Common measures of each of these concepts, including appropriate visualization techniques, are as follows:  Central tendency: mean and median. These are often shown in charts using bar charts or box-and-whisker charts. Medians are less influenced by outliers, which is a data point or a few data points, that lie an abnormal distance from other values in the data. 

Spread (or dispersion of the data around a central value): standard deviations and examining quartiles. These are often shown in charts using box-and-whisker charts.



Distribution: while there are formal statistical measures of distribution, this is often examined using histograms.



Correlations: correlation coefficients. These are often shown in charts using scatterplots or in correlation tables. Correlations range from -1 to 1. Scores of -1 show a perfect negative correlation, meaning as one variable goes up, the other goes down. A score of 1 shows a perfect positive correlation. Zero means there is no relation between the two variables.

Diagnostic Analytics 7-2 .

Diagnostic analytics, as defined in Chapter 5, examine the question of “why did this happen?” Diagnostic analytics include both informal and formal analyses. Informal analyses build off of descriptive analytics and often use logic and basic tests to reveal relationships in the data that explain why something happened. The following example was used in the text: If a company observes that the overall gross margin fell in the last quarter (a descriptive analytic), they might examine the mix of products sold. The analysis can be as simple as creating a table that shows all products sold in the last quarter versus the previous quarter, then computing the difference to see if more or fewer products with high/low gross margins sold. Analysts often must ask follow-up questions and perform analyses related to these questions to uncover the true underlying cause. For example, if a large quantity of low gross margin products were sold, the data analyst could again investigate why this was the case and may find that the marketing department advertised these products heavily in the last quarter. In turn, that might lead the analyst to ask why the marketing department focused on those products. The process continues until the analyst has discovered the root cause. A general rule of thumb for informal analysis is the “5 Why’s” principle, which states that it often requires asking “Why?” five times in order to uncover the true reason why something happened. Formal analyses typically build off confirmatory data analysis tests. Confirmatory data analysis use hypothesis testing and provide statistical evidence of the likelihood that the evidence refutes or supports a hypothesis. This type of testing involves using the following 4 steps: 1. State a null and alternative hypothesis. 2. Select a level of significance for refuting the null hypothesis. 3. Collect a sample of data and compute the probability value. 4. Compare the computed probability against the level of significance and determine if the evidence refutes the null hypothesis. Failing to refute the hypothesis is seen as support of the alternative hypothesis. A null hypothesis is a proposed explanation worded in the form of an equality, meaning that one of the two concepts, ideas, or groups will be no different than the other concept, idea, or group. In contrast, an alternative hypothesis is a proposed explanation worded in the form of an inequality, meaning that one of the two concepts, ideas, or group will be greater or less than the other concept idea or group. An example of a null and alternative hypothesis can be developed around the idea of whether giving stock options makes employees more likely to commit fraud. The following two hypotheses could be tested: 7-3 .



Null hypothesis: Paying employees with stock options will have no effect on their likelihood of committing fraud.



Alternative hypothesis: Paying employees with stock options will increase (or you could say decrease) the likelihood of committing fraud.

Notice that both the null and alternative hypotheses can’t both be right, the data will either support one or the other. With a null and alternative hypothesis generated, there are two types of errors that are possible when analyzing data. The following tables shows these errors.

The data finds

Null hypothesis is true Null hypothesis is false

Null hypothesis is actually: True False Correct Type II Error Type I Error Correct

In statistics, to avoid finding a type I error, the person analyzing the data would select the probability that they are willing to accept for having a type I error. This level of significance is usually 0.05, but the values of 0.01 and 0.10 are also commonly selected. Once this level is chosen, the statistical test can be performed (e.g., an ANOVA, regression, etc.). The statistical test will result in a p-value computation that can be compared to the selected significance level. The analyst can then decide whether to reject the null hypothesis or if the evidence supports the alternative hypothesis. Statistical significance does not tell how important the relation is (or how strong it is). To do this, you need to examine a computation of effect size. An effect size is a quantitative measure of the magnitude of the effect. Determining the importance of the computed effect size depends on the situation.

Predictive Analytics Predictive analytics, as defined in Chapter 5, examines the question of “what is likely to happen in the future?” Examples of predictive analytics include predicting customer behavior (e.g., purchasing behavior, repayment behavior, etc.) and predicting local or world events (e.g., will interest rates increase). Predictive analytics use historical data to find patterns that may continue in the future. Creating predictive analytics usually follows the following steps: 1. Select the target outcome. It is important to know the difference between continuous variables and categorical data. Categorical data are data items that take on a limited number of assigned values to represent different groups. It is important to understand categorical data, because when you use categorical data you must use classification analysis (in step 3). Classification analyses are techniques that identify various groups and 7-4 .

then try to classify new observations into one of those groups. 2. Find and prepare the appropriate data. This involves the ETL process discussed in Chapter 6. 3. Create and validate a model. Models are usually built with a training dataset, which is a subset of data used to train a model for future prediction. The model is then tested on a test dataset, which is a subset of data not used for the development of a model but used to test how well the model predicts the target outcomes. Separating your data into training and test datasets is important to avoid data overfitting, which is when a model is designed to fit training data very well but does not predict well when applied to other datasets. Techniques are being developed that continue to learn (or said differently, to improve) over time with the accumulation of additional data. One popular way to do this is use machine learning, which is an application of artificial intelligence that allows computer systems to improve and update prediction models without explicit programming.

Prescriptive Analytics Prescriptive analytics, as defined in Chapter 5, examine the question of “what should be done?” Prescriptive analytics can either provide a recommended course of action or a programmed action for a system based on predictive analytics results. These types of analytics are in development and appear to be tuned to specific business scenarios. They are least used in practice. One example of prescriptive analytics is UPS using prescriptive analytics to design routes for drivers to deliver their packages. Prescriptive analytics use techniques such as artificial intelligence (AI), machine learning, and other statistics to generate predictions.

Common Problems with Data Analytics Data analytics are not infallible. They are powerful tools, but they can be easily misused or misunderstood. Focus 7-1 on page 221 discusses the Space Shuttle Challenger explosion and the Japan Fukushima Daiichi nuclear reactor disaster that were both related to misusing data analytics. Common problems with data analytics include the following:  GIGO (Garbage in, garbage out), which means that data analysis has no value if the underlying data is not of high quality. 

Overfitting (discussed previously).



Extrapolation beyond the range which is a process of estimating a value beyond the range for the data used to 7-5 .

create the model (and is related to the Space Shuttle Challenge explosion previously mentioned). This challenge relates to not fully appreciating the variance inherent in statistics and that statistical estimates are better thought of as possible ranges of solutions rather than specific answers. Multiple Choice 1 A CEO wants to know the trends in her company’s market share relative to her competitors. She asks an analyst to prepare analytics to show how the market share of each company in the industry has changed over the last 5 years. What type of analytic is the analyst going to prepare? a. Diagnostic analytic b. Prescriptive analytic c. Predictive analytic d. Descriptive analytic Multiple Choice 2 Which of the following is the best example of a prescriptive analytic? a. Evaluating whether billboards increase sales for a pharmaceutical company. b. Creating a model predicting employee absenteeism based on weather for a trucking company. c. Developing a model to predict audit risk that includes a recommendation for accepting audit clients based on the model outcomes. d. Evaluating the performance of airline on-time-arrivals to large and to small cities. Multiple Choice 3 An accounting firm predicts the likelihood of employees passing the CPA exam within one year of accepting an offer. In creating the dataset, the HR analyst sorts the data incorrectly so that the hire date and the exam pass date on each line do not correspond. This analysis most likely suffers from which of the following problems? a. GIGO b. Overfitting c. Extrapolating beyond the range d. Too much variance Multiple Choice 4 A company developed a dessert in their lab that involves a special freezing process. The company tested the production process using temperatures in the range of -50 to -30 Celsius. The company’s freezing equipment on the production line is not functioning as well as expected, so it can only cool things to -10 Celsius. The data analysts believe this will still work to successfully produce the dessert based on their analysis of previous data. What problem are the data analysts ignoring in this example? a. GIGO b. Overfitting c. Extrapolating beyond the range 7-6 .

d. Too much variance

Learning Objective Three Select the correct type of visualization format for visualizing data.

Choosing the Right Visualization Figure 7-2 on page 223 provides a summary of how to select the correct visualization to share data. The key to choosing the correct visualization is understanding the purpose of the visualization. Five purposes for showing business data and the charts common for each purpose are: 

Comparison: Comparing data across categories. Most often shown with a bar chart or bullet chart.



Correlation: Comparing how two numeric variables fluctuate with each other. Most often shown with a scatterplot or heatmap.



Distribution: Show the spread of numeric data values. Most often shown with a histogram or boxplot.



Trend Evaluation: Show changes over an ordered variable (most often time). Most often shown with a line chart or area chart.



Part to Whole: Show which items make up the parts of a total. Most often shown with a pie chart or treemap.

There are other visualization types and purposes such as using maps to show special data, showing flows of data, and using combo charts.

Multiple Choice 5 The first visualization you see in the report is a boxplot. If the people designing the viz use good practice, what is the likely purpose of this visualization? a. Comparison b. Correlation c. Distribution d. Trend Evaluation e. Part to Whole f. Other Multiple Choice 6 Which of the following graph types would be best to show correlation? a. Bullet chart b. Treemap 7-7 .

c. Area chart d. Histogram e. None of the above

Learning Objective Four Understand design principles of simplification, emphasis, and ethical data presentation to design high-quality data visualizations.

Designing High-Quality Visualizations To communicate effectively, visualizations should be well designed. An egregiously poorly designed visualization is show in Figure 7-3 on page 225. This visualization is used to discuss the principles of high quality design. Note that the chapter discusses 3 of the most important visualization principles based on research, but these are not the only principles for high quality viz design. The idea is that these 3 principles will help students with the most important concepts, to which they can add more concepts in the future. The three principles are: 1. Simplification: principle of making a visualization easy to interpret and understand. 2. Emphasis: principle of assuring the most important message is easily identifiable. 3. Ethical data presentation: principle of avoiding the intentional or unintentional use of deceptive practices that can alter the user’s understanding of the data being presented. These design principles apply to each part of the viz including: the title, axes including labels, tick marks, and lines), legend, and data area. The data area in a visualization is the area where the lines/bar/slices/etc. are displayed. Principle: Simplification Visualizations are more effective when they simplify the presentation to clearly and concisely communicate. Four important techniques that can help simplify data visualization are: 1. Quantity: Visualizations should follow the goldilocks principle of containing not too much and not too little, but just the right amount of data. Examples of how Figure 7-3 can be improved in terms of quantity include, shortening the title, simplifying the axes (removing so many numbers, not reporting so many decimal places, etc.), removing information overload, and not using so many different formats.

7-8 .

2. Distance: The farther items are placed from each other, the harder it is to interpret. Putting similar things close together simplifies a viz. Figure 7-4 on page 227 provides an example of how you can move labels from a legend to the body of the viz to reduce distance. Also, it shows how you can move labels to the top of each bar (so you don’t have to refer to an axis) to remove distance and simplify the viz. Grouping data is also helpful for removing distance. In Figure 7-4 data are grouped by department (colors are for departments), and if the primary purpose of the viz was to look at education levels, then the data could be grouped by education levels to remove distance from the different education levels for making comparisons. 3. Orientation: Data is easier to understand if it is oriented in the correct fashion. For example, bar charts can be turned sideways so that there is sufficient space to see all the data and so the labels are presented in horizontal fashion. Figure 76 on page 229 provides an example of how changing the orientation can simplify a viz. 4. Color (this principle applies to both simplification and emphasis, it is covered in Focus 7-2 on page 230). For the principle of simplification, color should have meaning. You should only use colors for communication (e.g., don’t just color all bars a different color to make the viz have lots of colors). Principle: Emphasis Visualizations are created for a purpose. A high quality viz will emphasize that purpose and make it easy to understand. There are several techniques for emphasizing data (we note that color is again important, but it is embedded in both highlighting and weighting so we do not call it out as a separate technique): 1. Highlighting: This technique uses colors, contrast, call-outs, labels, fonts, arrows, or other means to bring attention to an item. Usually highlighting is applied in the data area of a viz. Colors are often used for highlighting. Figure 7-7 on page 230 shows how color can be used to highlight effectively. 2. Weighting: Visual weight refers to the amount of attention an element attracts. Objects that have more visual weight are “heavy” and draw more attention than “light” objects. Figure 7—8 on page 231 shows how color, contrast, complexity, density, and size all relate to visual weight and gives examples of heavier and lighter weights for each technique. 3. Ordering: Data ordering is the intentional arranging of viz items in a way to produce emphasis. The two 7-9 .

most common ways to use ordering to produce emphasis are (1) use categories on the axes and (2) order by the values of the data. These methods are almost always superior to random data ordering. Figure 7-9 on pages 232-233 illustrate the power of ordering to emphasize what is important. Ordering typically makes the highest and lowest values most salient. Ordering is very effective when combined with other emphasis techniques. Principle: Ethical Data Presentation A data analyst may choose to use presentation tools to “make the data say anything they want.” This is unethical. It is critical to help students understand that emphasis and simplification are used to help bring understanding and meaning to what the data actually say and not what someone wants the data to say. The tools are not intended to inappropriately or unethically influence others. Helping students understand ethical principles of data presentation will also help them detect when a viz is designed to manipulate them. Data deception is a graphical depiction of information, designed with or without an intent to deceive, that creates a belief about the message and/or its components, which varies from the actual message. To avoid deception, consider the following three principles: 1. Show representations of numbers proportional to the reported number (starting the y-axis at zero helps ensure this). Figure 7-10 on page 233 shows examples of how this principle is violated. Using this principle avoids making minor differences look like they are more important than they really are (i.e. the 0.1 different in the left graph looks like a much bigger deal than in the middle graph). Also if you use visual weight to make something larger than another it looks like it is more important than it is (the viz on the far right of the figure). 2. In vizs designed to depict trends, time should progress from left to right on the x-axis. Figure 711 on page 234 shows a violation of this rule. It also shows how poor labeling can compound the problem since most people assume that time increases as you move to the right on the viz. 3. Present complete data given the context. Figure 7-12 on page 235 shows how you can take the full timeline of data and cut it into different pieces that will tell an incomplete picture (i.e., the market is improving, staying the same, or dropping when it is in fact doing all three).

7-10 .

Teaching Note: A useful in-class exercise can be to present poorly designed visualizations and have the students critique the vizs using the principles discussed. You can find bad viz examples by doing a Google image search for “bad viz examples.” In addition to critiquing the viz, you can ask the students to come up with solutions to improve the viz. Multiple Choice 7 Which of the following is not a technique for increasing visual weight? a. Color b. Size c. Complexity d. Highlighting e. Density Multiple Choice 8 All of the following techniques are useful for simplifying a visualization except for which one? a. Ordering b. Color c. Distance d. Quantity Multiple Choice 9 A manager wants to report division products in a way that makes her division look better than they actually are. To do this, she uses a line chart that only shows data for the last 20 days and not the last 90 days as the last 20 days show an upward trend in production. The manager did not follow which ethical rule? a. Show representations of numbers proportional to the reported number (starting the y-axis at zero helps ensure this). b. In vizs designed to depict trends, show time progressing from left to right on the x-axis. c. Present complete data given the context. d. None of the above.

Multiple Choice 10 When using a pie chart, what is the mostly likely ethical violations that can be perpetrated? a. Show representations of numbers proportional to the reported number (starting the y-axis at zero helps ensure this). b. In vizs designed to depict trends, show time progressing from left to right on the x-axis. c. Present complete data given the context. d. All the above can be perpetrated in a pie chart.

7-11 .

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 D 6 E 2 C 7 D 3 A 8 A 4 C 9 C 5 C 10 C

7-12 .

CHAPTER 8 FRAUD AND ERRORS Instructor’s Manual Learning Objectives: 1. Explain the threats faced by modern information systems. 2. Define fraud and describe both the different types of fraud and the auditor’s responsibility to detect fraud. 3. Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities, and rationalizations that are present in most frauds. 4. Define computer fraud and discuss the different computer fraud classifications. 5. Explain how to prevent and detect computer fraud and abuse. Jason anticipated the following questions that management was going to ask: 1. What constitutes a fraud, and is the withholding problem a fraud? 2. How was the fraud perpetrated? What motivated Don to commit it? 3. Why did the company not catch these mistakes? Was there a breakdown in controls? 4. How can the company detect and prevent fraud? 5. How vulnerable is the company’s computer system to fraud?

Introduction Our society has become increasingly dependent on accounting information systems. As system complexity and our dependence on systems increase, companies face the growing risk of their systems being compromised. A recent survey disclosed that 1. 67% of companies had a security breach. 2. More than 45% were targeted by organized crime. 3. 60% reported financial losses. 4. Data breaches are up over 400% from 2017 to 2018.

8-1 .

Note to instructors: there are many resources online that provide an extensive update on data breaches, to show students the extent of the problem, for example: http://www.idtheftcenter.org/ this website provides good information on identity theft. http://breachlevelindex.com/ this website has good visualizations that can be shared with students (look in resources tab for infographic).

The four types of threats to an AIS a company faces are explained in Table 8-1 on page 250.

Learning Objective One Explain the threats faced by modern information systems.

AIS Threats Four Types of System Threats: 1. Natural and political disasters 2. Software errors and equipment malfunctions 3. Unintentional acts 4. Intentional acts 1. Natural and political disasters Fires, excessive heat, floods, earthquakes, high winds, war, and attacks by terrorists. 

World Trade Center in New York City (9/11)



Flood in Chicago



Heavy rains in Mississippi and Missouri Rivers



Earthquakes in Los Angeles and San Francisco



Attacks on government information systems by foreign countries, espionage agents, and terrorists

2. Software Errors and Equipment Malfunctions 8-2 .

Losses due to software bugs are at almost $60 billion a year. More than 60% of the companies studied had significant software errors in the previous year. For example: 

Bugs in a new tax accounting system were to blame for California’s failure to collect $635 million in business taxes.



There have been a number of massive power failures that have left hundreds of thousands of people and many businesses without power when an industrial control system in part of the grid failed leaving 50 million people in the Northeast without power.



A software bug in Burger King’s software resulted in a $4,334.33 debit card charge for four hamburgers. The cashier accidentally keyed in the $4.33 charge twice.

3. Unintentional Acts Caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel. The Computing Technology Industry Association estimates that human errors cause 80% of security problems. Forrester Research estimates that employees unintentionally create legal, regulatory, or financial risks in 25% of their outbound e-mails. Programmers make logic errors. Examples include the following: 

In Japan, a data entry clerk at Mizuho Securities mistakenly keyed in a sale for 610,000 shares of JCom for 1 yen instead of the sale of 1 share for 610,000 yen. The error cost the company $250 million.



A bank programmer mistakenly calculated interest for each month using 31 days. Resulted in more than $100,000 in excess interest paid.



A U of Washington employee moved data from one server to another (which has a different configuration). This exposed nearly 1 million patient records. The error was discovered when a patient found his data by googling himself.



UPS lost a cardboard box with computer tapes containing information, such as names, Social Security numbers, account numbers, and payment histories on 3.9 million Citigroup customers. 8-3 .



A programmer made a one-line-of-code error that priced all goods at Zappos, an online retailer, at $49.95—even though some of the items it sells are worth thousands of dollars. The change went into effect at midnight, and by the time it was detected at 6:00 A.M., the company had lost $1.6 million on goods sold far below cost.

4. Intentional Acts The most frequent type of computer crime is fraud. This is where the intent is to steal something of value. The threat can also be in the form of sabotage, in which the intent is to destroy or harm a system or some of its components. Focus 8-1 on p. 250-251 “Electronic Warfare” describes recent cyber-attacks. Information systems are increasingly vulnerable to attack. In a recent three-year period, the number of networks that were compromised rose 700%. Example of security breaches: consider the case of OpenTable, a restaurant reservation service that did not design its cookie properly. A cookie is data that websites store on your computer. The cookie identifies the websites to your computer and identifies you to the website so you do not have to log on each time you visit the site. At OpenTable, the customer number stored in the cookie was very easy to change. An experienced programmer opened an account at OpenTable and, in less than an hour, wrote a program that cycled through all the customer numbers and downloaded most of the company’s database. Note to the Instructor: there are probably several recent local examples that you can identify to help make this concept relevant to students at your school. In fact, you may be surprised by how robust this discussion gets and students will sometimes share their own personal experiences. Multiple Choice 1 Operating system crashes are an example of: a. natural and political disasters b. intentional acts c. unintentional acts d. software errors and equipment malfunctions

8-4 .

Learning Objective Two Define fraud and describe both the different types of fraud and the auditor’s responsibility to detect fraud.

INTRODUCTION TO FRAUD Fraud is any and all means a person uses to gain an unfair advantage over another person. Legally, for an act to be considered fraudulent there must be: 1. A false statement, representation, or disclosure 2. A material fact, which is something that induces a person to act 3. An intent to deceive 4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action 5. An injury or loss suffered by the victim Attempts to Estimate the Staggering Losses from Fraud: The Association of Certified Fraud Examiners (https://www.acfe.com/) estimates total yearly global fraud losses to be over $3.7 trillion a year. Most fraud perpetrators are knowledgeable insiders. This is because they understand the company’s system and its weaknesses to perpetrate fraud. Fraud perpetrators are also referred to as white-collar criminals. Two types of Fraud: 1. Misappropriation of assets and 2. Fraudulent financial reporting

Misappropriation of Assets Misappropriation of assets is often referred to as employee fraud. Typical employee fraud has a number of important elements or characteristics: 8-5 .

1. The fraud perpetrator must gain the trust or confidence of the person or company being defrauded. 2. Instead of a weapon or physical force to commit a crime, fraud perpetrators use trickery, cunning, or false or misleading information to obtain money or assets. 3. They hide their tracks by falsifying records or other information. 4. Few frauds are terminated voluntarily. Instead, the fraud perpetrator continues due to “need or greed.” Often, perpetrators begin to depend on the “extra” income and get to a point where they cannot afford to stop. Other times they move to a higher lifestyle that requires a greater amount of money. It is at this point where they get braver, or should we say more relaxed, where the perpetrator gets greedy and starts stealing larger amounts of money; this is where they normally get caught. 5. Sees how easy it is to get extra money. The need or the greed impels them to continue with the fraud. 6. Fraud perpetrators spend their ill-gotten gains, usually on an extravagant lifestyle. Rarely do they save or invest the money they take. Some of these high cost luxurious items include big homes, fancy cars, gambling, or just a big spender type person. 7. Many perpetrators that become greedy not only start taking greater amounts of money, but also take the money more often. 8. As previously mentioned, perpetrators at some point start getting braver and grow careless or overconfident. The fraud perpetrator cannot get away with stealing cash or property forever. At some point, although it may take some time, they are going to get caught.

Fraudulent Financial Reporting The Treadway Commission (National Commission on Fraudulent Financial Reporting) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

8-6 .

The Treadway Commission studied 450 lawsuits against auditors and found undetected fraud to be a factor in half of them. Some prime examples are Enron, WorldCom, Tyco, Adelphia, HealthSouth, Global Crossing, and Xerox. Executives cook the books, as they say, by fictitiously inflating revenues, recognizing revenues before they are earned, closing the books early (delaying current period expenses to a later period), overstating inventories or fixed assets, and concealing losses and liabilities. The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting: 1. Establish an organizational environment that contributes to the integrity of the financial reporting process. 2. Identify and understand the factors that lead to fraudulent financial reporting. 3. Assess the risk of fraudulent financial reporting within the company. 4. Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented. A study by the Association of Certified Fraud Examiners found that misappropriation of assets by employees is more than 17 times more likely than fraudulent financial reporting. SAS No. 99 (AU-C Section 240): The Auditor’s Responsibility to Detect Fraud SAS No. 99 requires auditors to: 1. Understand fraud. 2. Discuss the risks of material fraudulent misstatements. 3. Obtain information. 4. Identify, assess, and respond to risks. 5. Evaluate the results of their audit tests. 6. Document and communicate findings. 7. Incorporate a technology focus.

Multiple Choice 2 8-7 .

The Association of Certified Fraud Examiners (ACFE) estimates total global fraud losses to be more than: a. $9.2 trillion a year. b. $3.7 trillion a year. c. $290 billion a year. d. $920 billion a year. Multiple Choice 3 Which of the following statements is FALSE? a. Fraudulent financial reporting are large errors in the financial statements. b. Misappropriation of assets is employee theft. c. SAS No. 99 requires auditors to understand fraud. d. SAS No. 99 was adopted in 2002.

Learning Objective Three Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.

Who Perpetrates Fraud and Why Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills. Some hackers and computer fraud perpetrators are more motivated by curiosity, a quest for knowledge, the desire to learn how things work, and the challenge of “beating the system.” Most have no previous criminal record. Research shows that three conditions are necessary for fraud to occur: a pressure, an opportunity, and a rationalization. This is referred to as the fraud triangle and is shown as the middle triangle in Figure 8-1 on page 257.

Pressures A pressure is a person’s incentive or motivation for committing the fraud. The three common types of pressures are financial, emotional, and lifestyle, which are summarized in Table 8-2 on page 257. Table 8-3 on page 258 provides the pressures that can lead to financial statement fraud.

Opportunities

8-8 .

As shown in the opportunity triangle in Figure 8-1 on page 257, opportunity is the condition or situation that allows a person or organization to do three things: 1. Commit the fraud Most fraudulent financial reporting consists of the overstatement of assets or revenues or the understatement of liabilities, or the failure to disclose information. 2. Conceal the fraud A common and effective way to hide a theft is to charge the stolen item to an expense account. For example, charge supplies to an expense account when they are initially purchased, before they are used. This allows the perpetrator the opportunity to use some of the supplies for personal benefit at the expense of the company. These unused supplies should have been recorded as an asset called Supplies until they are used. Another way to hide a decrease in assets is by lapping. In a lapping scheme, the perpetrator steals the cash or check that customer A mails in to pay its accounts receivable. Funds received at a later date from customer B are used to pay off customer A’s balance. Funds from customer C is used to pay off customer B, and so forth. In a kiting scheme, the perpetrator covers up a theft by creating cash through the transfer of money between banks. For example, suppose a fraud perpetrator opens checking accounts in three banks, called bank A, B, and C, and deposits $100 in each account. Then the perpetrator “creates” cash by depositing a $1,000 check from bank A into bank B and then withdraws the $1,000 from bank B. It takes two days for his check to clear bank A. Because there are insufficient funds in bank A to cover the $1,000 check, the perpetrator deposits a $1,000 check from bank C to bank A before his check to bank B clears bank A. Because bank C also has insufficient funds, $1,000 must be deposited to bank C before the check to bank A clears. The check to bank C is written from bank B, which also has insufficient funds. And the scheme continues. I have also seen situations where kiting also includes credit cards with the use of checking accounts. Note to Instructor: Because most banks would require you to deposit some money to start a checking account, an initial deposit of $100 in each bank was included above. In addition, the following charts provide a picture explanation of the above kiting scheme. The chart uses dates, balances, and NSF due dates. 8-9 .

Rationalizations Rationalization allows perpetrators to justify their illegal behavior. A list of some of the rationalizations people use: 1. I am only “borrowing” the money (or asset) and will repay my “loan.” 2. You would understand if you knew how badly I needed it. 3. What I did was not that serious. 4. It was for a good cause (the Robin Hood syndrome, robbing from the rich to give to the poor). 5. I occupy a very important position of trust. I am above the rules. 6. Everyone else is doing it, so it is not that wrong. 7. No one will ever know. 8. The company owes it to me, and I am taking no more than is rightfully mine. Multiple Choice 4 The three conditions that are present when fraud occurs include: a. attitude b. opportunity c. lack of control d. financial Multiple Choice 5 The pressures that can lead to employee fraud include: a. fear of losing job b. lack of control c. poor performance ratings d. family or peer pressure e. a and d Multiple Choice 6 Internal control factors that provide an opportunity for employee and financial statement fraud includes a. incompetent personnel b. operating on a crisis basis c. inadequate supervision d. low employee morale and loyalty Note to the Instructor: Generally it is fairly easy to find several recent fraud schemes in the local news. Going through the news article and trying to identify the pressure, opportunity, and rationalization 8-11 .

as an in-class exercise or discussion is a good way for students to understand these concepts through telling of the story vs. memorization.

Learning Objective Four Define computer fraud and discuss the different computer fraud classifications.

Computer Fraud Computer fraud is any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution. More specifically, computer fraud includes the following: 1. Unauthorized theft, use, access, modification, copying, and destruction of software or data. 2. Theft of assets by altering computer records.

3. Intent to illegally obtain information or tangible property through the use of computers. The Rise in Computer Fraud Estimated costs of computer fraud in the United States is from $70 to $125 billion a year and rising. Computer systems are particularly vulnerable to computer crimes for the following reasons: 1. Billions of characters of data are stored in company databases. People who manage to break into these databases can steal, destroy, or alter massive amounts of data in very little time. 2. Computer fraud is difficult to detect. 3. Organizations want employees, customers, and suppliers to have access to their system. The number and variety of these access points significantly increase the risks. (A good example of this was Target’s computer fraud; http://krebsonsecurity.com/2014/02/target-hackers-broke-invia-hvac-company/). 4. Computer programs need to be changed or modified illegally only once without permission for the system to operate improperly for as long as the system is in use. 5. Modern systems utilize personal computers (PCs), which are inherently more vulnerable to security risks. It is difficult to control physical access to each networked PC. 8-12 .

In addition, PCs and their data can be lost, stolen, or misplaced. 6. Computer systems face a number of unique challenges: reliability (e.g., accuracy, completeness), equipment failure, environmental dependency (e.g., power, damage from water or fire), vulnerability to electromagnetic interference and interruption, eavesdropping, and misrouting. The increase in computer fraud schemes is due to some of the following reasons: 1. Not everyone agrees on what constitutes computer fraud. 2. Many computer frauds go undetected. For example, the Pentagon, which has the U.S. government’s most advanced hacker-awareness program, detected and reported only 1 in 500 break-ins. 3. A high percentage of uncovered frauds are not reported. 4. Many networks have a low level of security. 5. Many Internet pages give step-by-step instructions on how to perpetrate computer crimes and abuses. 6. Law enforcement is unable to keep up with the growing number of computer frauds. 7. The total dollar value of losses is difficult to calculate. Computer Fraud Classifications As shown in Figure 8-2 on page 263, one way to categorize computer fraud is to use the data processing model: input, processor, computer instructions, stored data, and output. Input Fraud The simplest and most common way to commit fraud is to alter computer input. It requires little, if any, computer skills. Instead, perpetrators need only understand how the system operates so they can cover their tracks. To commit payroll fraud, perpetrators can enter data to increase their salary, create a fictitious employee, or retain a terminated employee on the records. Example of input fraud: a New York bank employee changes the company deposit slips to forged deposit slips. For three days he deposited bank deposits in his personal account. Then he disappeared and was not caught as he used an alias name. There are more examples on page 263. 8-13 .

Processor Fraud Computer fraud can be committed through unauthorized system use, including the theft of computer time and services. Example of processor fraud: employees of an insurance company were running an illegal gambling website. These employees hid the computers under the floor. There are more examples on page 263. Computer Instructions Fraud Computer fraud can be accomplished by tampering with the software that processes company data. Data Fraud Illegally using, copying, browsing, searching, or harming company data constitutes data fraud. The greatest exposure in data fraud comes from employees with access to the data. The most frequent type of data fraud is the illegal use of company data, typically by copying it, using it, or searching it without permission. For example, an employee using a small flash drive or an iPod can steal large amounts of data and remove it without being detected. The following are some recent examples of stolen data: 1. The office manager of a Wall Street law firm found information about prospective mergers and acquisitions in the firm’s Word files. He sold the information to friends and relatives, who made several million dollars trading the securities illegally. 2. A 22-year-old Kazakhstan man broke into Bloomberg’s network and stole account information, including that of Michael Bloomberg, the mayor of New York and the founder of the financial news company. He demanded $200,000 in exchange for not using or selling the information. He was arrested in London when accepting the ransom. 3. A software engineer tried to steal Intel’s plans for a new microprocessor. Because he could view but not copy or print the manufacturing plans, he photographed them screen by screen late at night in his office. One of Intel’s controls was to notify security when the plans were viewed after hours. He was caught photographing the plans. 4. Cyber-criminals used sophisticated hacking and identity theft techniques to hack into seven major online brokerage firm accounts. They sold the securities in those accounts and used the cash to pump up the price of 15 low-priced, 8-14 .

thinly traded public companies they already owned. They then dumped the 15 stocks in their personal accounts for huge gains. E-trade lost $18 million and Ameritrade $4 million in similar pump-and-dump schemes. 5. The U.S. Department of Veterans Affairs was sued because an employee laptop that contained the records of 26.5 million veterans was stolen, exposing them all to identity theft. Later, another laptop with the records of 38,000 people disappeared from a subcontractor’s office. Data can also be changed, damaged, destroyed, or defaced. Data also can be lost due to negligence or carelessness. Deleting files does not erase them. Even reformatting a hard drive often does not erase files or wipe the drive clean. Output Fraud Computer output, displayed on monitors or printed on paper, can be stolen or misused. Fraud perpetrators can use computers and output devices to forge authentic-looking outputs. For example, a company laserprinter could be used to prepare paychecks. Multiple Choice 7 Computer fraud is increasing rapidly due to the fact that: a. not everyone agrees on what constitutes computer fraud b. many computer frauds go undetected c. the total dollar value of losses is difficult to calculate d. all of the above Multiple Choice 8 Which of the following is not a classification of computer fraud: a. Data fraud b. Input fraud c. Processor fraud d. Program fraud

Multiple Choice 9 An employee downloaded new product development plans after hours. This is an example of: a. Input fraud b. Output fraud c. Processing fraud d. Data fraud e. Computer instructions fraud

8-15 .

Learning Objective Five Explain how to prevent and detect computer fraud and abuse.

Preventing and Detecting Computer Fraud and Abuse Table 8-5 on pages 265 and 266 provides a summary of ways to prevent and detect computer fraud. 1. Make fraud less likely to occur. 2. Increase the difficulty of committing fraud. 3. Improve detection methods. 4. Reduce fraud losses and errors. Multiple Choice 10 Ways to prevent and detect computer fraud include: a. Develop a strong system of internal controls. b. Install fraud detection software. c. Segregate the accounting functions of authorization, recording, and custody. d. All of the above.

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 D 6 C 2 B 7 D 3 A 8 D 4 B 9 D 5 E 10 D Note to the Instructor: The following is taken from the Certified Fraud Examiners Manual that includes additional information regarding fraud schemes that may be included for the students.

EMPLOYEE FRAUD SCHEMES Cash Cash is the focal point of most accounting entries. Cash, both on deposit in banks and petty cash, can be misappropriated through many different schemes. These schemes can be either on-book or off-book, 8-16 .

depending on where they occur. Generally, cash schemes are smaller than other internal fraud schemes because companies have a tendency to have comprehensive internal controls over cash and those internal controls are adhered to. Cash fraud schemes follow general basic patterns, including skimming, voids/under-rings, swapping checks for cash, alteration of cash receipt tapes, fictitious refunds and discounts, journal entries, and kiting. Skimming Skimming involves removing cash from the entity before the cash is recorded in the accounting system. This is an off-book scheme; receipt of the cash is never reported to the entity. A related type of scheme is to ring up a sale for less than the actual sale amount. (The difference between the actual sale and the amount on the cash register tape can then be diverted.) This is of particular concern in retail operations (e.g., fast food restaurants) where much of the daily sales are in cash, and not by check or credit card. EXAMPLE According to an investigation, fare revenues on the Chicago Transit Authority’s (CTA) rail system allegedly were misappropriated by agency employees. The statistics indicate that the thefts are not confined to the one station that originally was suspected and that the fare-skimming by transit workers might have been reduced by news of the investigation. In the four days after reports of skimming surfaced, about $792,000 was turned in by station agents system wide. In a similar Monday through Friday period only $723,000 was turned in by station agents. CTA officials estimated that a planned installation of a $38 million automated fare-collection system would eliminate $6.5 million annually in revenue “shrinkage,” mostly from employee theft. At least 10 workers have been investigated, including nine ticket agents and one supervisor or clerk. Early reports indicated that agents pocketed money after recording “transfer” or “monthly passes” as cash-paying customers passed through turnstiles. Voids/Under-Rings There are three basic voids/under-ring schemes. The first is to record a sale/cash receipt and then void the same sale, thereby removing the cash from the register. The second, and more common variation, is to purchase merchandise at unauthorized discounts. The third scheme, which is a variation of the unauthorized discount, is to sell merchandise to a friend or co-conspirator using the employee’s discount. The coconspirator then returns the merchandise for a full refund, disregarding the original discount. EXAMPLE Roberta Fellerman, a former Ball State University employee, was indicted on federal charges of stealing about $105,000 from the school’s bookstore operations. Fellerman was charged with stealing the money over a 33-month period. 8-17 .

The thefts allegedly were from proceeds of the sales of books to students who took Ball State courses through an “off-campus” program at many cities around Indiana. Fellerman was in charge of the sale of the books from the book store. Fellerman was accused of altering records and taking currency from a cash drawer. She was also charged with income tax violations for failing to report the stolen money on her federal tax returns. Swapping Checks for Cash One common method where an employee can misappropriate cash is to exchange his own check for cash in the cash register or cash drawer. Periodically, a new check is written to replace the old check. This process can be continued so that on any given day, there is a current check for the cash removed. This is a form of unauthorized “borrowing” from the company. Obviously, if it is the company policy that cash drawers or registers are reconciled at the conclusion of each day and turned over to a custodian, then this fraud scheme is less likely to be committed. However, if personnel are allowed to keep their own cash drawers and only remit the day’s receipts, then this method of unauthorized borrowing will be more common. EXAMPLE Lisa Smith, a Garfield High School fiscal clerk at a central treasurer function allegedly “borrowed” $2,400 by placing 23 personal checks in deposits which were made from various student activities at decentralized locations. Ms. Smith placed a personal check in each deposit as a method of keeping track of the amount of money which had been “borrowed.” The transactions were inappropriately delayed for up to five months. Auditors detected the delayed transactions during an unannounced cash count. On the day of the count, the fund custodian had only a few hundred dollars in his bank account (confirmed by telephone upon receipts of custodian’s authorization). When all 23 personal checks were deposited in the district’s account, several were returned as NSF. After payday, all NSF checks subsequently cleared the bank. The custodian’s employment with the district was terminated. Alteration of Cash Receipts Documentation A lack of segregation of duties can create an opportunity for an employee to misappropriate company funds. For example, if the same person is responsible for both collecting and depositing the cash receipts, then this person has the opportunity to remove funds from the business for his own personal use and conceal such theft through the deposits. This is often the case in smaller organizations where there are few personnel to divide the daily operations. A variation of this scheme is to mutilate or destroy the cash receipts documentation so that any attempt to reconcile the cash deposited with the cash receipts is thwarted. 8-18 .

EXAMPLE An elected county treasurer allegedly stole $62,400 over a threeyear period from property tax receipts. Every other day, after cash receipt transactions were batched and posted to the subsidiary accounting records, the treasurer altered the total cash receipts and the actual deposit. Therefore, the control account and the deposit were equal but that total did not match the total postings to the individual tax payers’ accounts. In each of the three years, the difference between the control account receivable and the summation of the individuals in the subsidiary accounts was written off. These were unsupported accounting adjustments. Evidence was obtained by reconstructing the three years’ cash receipts and matching the differences between the total cash receipts, control account, and the individual (subsidiary) accounts with the unsupported accounting adjustments. Fictitious Refunds and Discounts Fictitious refunds occur when an employee enters a transaction as if a refund were given; however, no merchandise is returned, or no discount is approved which substantiates the refund or discount. The employee misappropriates funds equal to the fictitious refund or discount. This scheme is most prevalent in the retail/merchandise industry; however, it can occur in any operation in which a refund or discount is given. EXAMPLE Dora Malfrici, a former New York University student financial aid official, was charged along with her husband Salvatore with stealing $4.1 million. This was allegedly done by falsifying more than a thousand tuition refund checks. The loss was described as one of the largest embezzlements ever uncovered at a U.S. university. The money was allegedly taken from the Tuition Assistance Program, operated by the New York State Higher Education Services Corporation to provide expenses money to needy students. However, NYU officials assert that the funds came from a University account, not from State money. Malfrici’s job was to assure that students entitled to funds from the Corporation received their checks. According to the U.S. Attorney, she arranged for checks to be made out to hundreds of legitimate NYU students who were not entitled to receive any funds. These students were kept unaware of this because the checks were deposited into bank accounts in Manhattan and New Jersey that allegedly were controlled by the Malfricis. These checks were made over to Elizabeth Pappa before being deposited into accounts in that name. Some other checks were made payable directly to Pappa. The FBI was unable to locate Elizabeth Pappa and believes that such a person never existed. Reportedly, the Malfricis spent $785,000 of the funds in question on expensive jewelry and $85,000 of the money on Florida real estate. Kiting 8-19 .

Kiting is the process whereby cash is recorded in more than one bank account, but in reality, the cash is either nonexistent or is in transit. Kiting schemes can be perpetrated using one bank and more than one account or between several banks and several different accounts. Although banks generally have a daily report that indicates potential kiting schemes, experience has shown that they are somewhat hesitant to report the scheme until the balance in their customers’ accounts is zero. There is one important element to check kiting schemes: all kiting schemes require banks to pay on unfunded deposits. This is not to say that all payments on unfunded deposits are kiting schemes, but rather, that all kiting schemes require payments be made on unfunded deposits. In other words, if a bank allows its customers to withdraw funds on deposits that the bank has not yet collected the cash, then kiting schemes are possible. In today’s environment where customers use wire transfers, kiting schemes can be perpetrated very quickly and in very large numbers. EXAMPLE Ronald W.P. Sylvia, 59, and his son-in-law, Philip L. Grandone, 33, both of Dartmouth, admitted to participating in a checkkiting scheme that bilked the Bank of Boston out of $907,000. Grandone, owner of two pharmacies in the New Bedford area, had cash-flow problems when Sylvia, operator of two auto sales and leasing businesses, offered to write a check to cover some of his son-in-law’s operating expenses. Grandone repaid that $50,000 loan within a few days, but borrowed again and again “in everincreasing amounts” to bring fresh infusions of cash into his faltering pharmacy businesses. An exchange of checks between Grandone and Sylvia eventually occurred literally daily until Sylvia’s bank caught on to the float scheme and froze Sylvia’s account. Cut off from Sylvia’s supply of cash, Grandone’s account with the Bank of Boston was left overdrawn by $907,000. Grandone was ordered to make restitution to the Bank of Boston.

8-20 .

CHAPTER 9 COMPUTER FRAUD AND ABUSE TECHNIQUES Instructor’s Manual Learning Objectives: 1. Compare and contrast computer attack and abuse tactics. 2. Explain how social engineering techniques are used to gain physical or logical access to computer resources. 3. Describe the different types of malware used to harm computers.

Learning Objective One Compare and contrast computer attack and abuse tactics.

Computer Attacks and Abuse Techniques Computer Attacks Six steps that many criminals use to attack information systems. 1. Conduct Reconnaissance. Study the target to learn as much as possible about the target and potential vulnerabilities. 2. Attempt Social Engineering. Often the easiest method to break into a system is to get someone to open the ‘door’. Imaging a phone call that goes as follows: “Hi this is Bill from IT Support. You may have noticed your computer is running slowly. We think you have a malware. Let me help. Logoff and restart your computer. As the computer boots, tell me everything you see on the computer screen. Now tell me each thing that you type in as you boot the computer. It’s OK to tell me your userid and password. After all, I’m from support.” 3. Scan and map the target. This is done to identify potential points of remote entry or other vulnerabilities. There is a lot of software tools that are available to help even a novice attacker perform sophisticated attacks.

9-1 .

Note to Instructor: You could illustrate the ease by which an attacker can conduct reconnaissance on a system. They can use open source software such as SAINT https://en.wikipedia.org/wiki/SAINT (software) which launches a set of probes to a system to detect anything that might allow them to gain unauthorized access.

4. Research the software, hardware, and other devices associated with the network. 5. Execute the attack. 6. Cover tracks. Find and delete logs. Install software to create a backdoor for future visits to the compromised system.

Hacking is the unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network. Most hackers are able to break into systems using known flaws in operating systems or application programs, or as a result of poor access controls. Some hackers are motivated by the challenge of breaking into computer systems and just browse or look for things to copy and keep. Other hackers have malicious intentions. The following examples illustrate hacking attacks and the damage they cause: 1. Several years ago, Russian hackers broke into Citibank’s system and stole $10 million from customer accounts. 2. 101 million Sony PlayStation accounts were hacked, crashing the network for over a month. More than 12 million credit card numbers, e-mail addresses, passwords, home addresses, and other data were stolen. Hijacking is gaining control of someone else’s computer to carry out illicit activities without the user’s knowledge. A botnet, short for robot network, is a network of hijacked computers. Hackers who control the hijacked computers, called bot herders, use the combined power of the infected machines, called zombies. A denial-of-service (DoS) attack occurs when an attacker sends so many e-mail bombs (thousands per second), often from randomly generated false addresses, that the Internet service provider’s e-mail server is overloaded and shuts down. Another DoS attack is sending so many requests for web pages that the web server crashes. 9-2 .

A good example was when lots of people were receiving so many e-mails so fast that they could not even delete them all; it was just a constant flow of e-mails in which these people could not do anything else. As a result, some people now have more than one e-mail provider, one which they only use to catch the junk e-mails. Most DoS attacks are quite easy to accomplish and involve the following: 1. The attacker infects a botnet with a DoS program. 2. The attacker activates the program and the zombie computers begin sending pings (e-mails or requests for data) to the computer being attacked. The victim computer responds to each ping, not realizing the zombie computer sent it a fictitious return address and waits for a response that never comes. 3. Because the victim computer is waiting for so many responses that never come, system performance begins to degrade until the computer finally freezes (it does nothing but respond to the pings) or it crashes. 4. The attacker terminates the attack after an hour or two to limit the victim’s ability to trace the source of the attacks. Brute Force Attack. All possible combinations of characters are used when performing the attack. Newer computers can do every possible combination of 8 characters in about 2 hours. Longer passwords are becoming more and more important. Dictionary Attack. Rather than use every possible combination, software uses the words and combinations of words in a dictionary iteratively to find a match. You may note patterns in how email addresses are assigned in businesses. That pattern can be placed in software such that email addresses are generated that follow the pattern. Let the fishing begin… Lewis University found that 74% of emails received on one day were for nonexistent email addresses. Clearly an attack. See spamming below. Credential recycling is also prevalent. An attacker buys breached personal data from the dark web. They then use that data to attempt to access other websites. You can find out if your email address was breached in known breaches by visiting Have I Been PWNED https://haveibeenpwned.com/ The best defenses against attack are monitoring, long/complex passwords, limiting attempts, and multifactor authentication. Spamming is e-mailing the same unsolicited message to many people at the same time, often in an attempt to sell them something. Spammers use very creative means to find valid e-mail addresses. They scan the Internet for addresses 9-3 .

posted online and also hack into company databases and steal mailing lists. Hackers also spam blogs (Splogs), which are websites containing online journals, by placing random or nonsensical comments to blogs that allow visitor comments. Splogs, or spam blogs, promote affiliated websites to increase their Google Page Rank, a measure of how often a web page is referenced by other web pages. Spoofing is making an electronic communication look as if someone else sent it to gain the trust of the recipient. Spoofing includes the following types: E-mail spoofing is making an e-mail appear as though it originated from a different source. Caller ID spoofing is displaying an incorrect number (any number the attacker chooses) on a caller ID display to hide the caller’s identity. (This is an increasing activity with cellphones.) IP address spoofing is creating Internet Protocol (IP) packets with a forged source IP address to conceal the identity of the sender or to impersonate another computer system (often used in DoS attacks). SMS spoofing is using the short message service (SMS) to change the name or number a text message appears to come from. Web-page spoofing or phishing. A zero-day attack (or zero-hour attack) is an attack between the time a new software vulnerability is discovered, and the software developers and the security vendors release software, called a patch, that fixes the problem. Cross-site scripting (XSS) is a vulnerability in dynamic web pages that allows an attacker to bypass a browser’s security mechanisms and instruct the victim’s browser to execute code, thinking it came from the desired website. Buffer overflow attack happens when the amount of data entered into a program is greater than the amount of the memory (the input buffer) set aside to receive it usually causing the system to crash.

SQL Injection (insertion) attack, malicious code in the form of an SQL query is inserted into input so it can be passed to and executed by an application program. 9-4 .

In masquerading, or impersonation, the perpetrator gains access to the system by pretending to be an authorized user. This approach requires a perpetrator to know the legitimate user’s ID number and password. Man-in-the-middle (MITM) attack is when a hacker intercepts network traffic between a client and a host. Figure 9-1 on p. 188 describes a MITM attack. Piggybacking is tapping into a telecommunications line and latching on to a legitimate user before the user logs into a system. The legitimate user unknowingly carries the perpetrator into the system. Piggybacking has several meanings: 1.

The clandestine use of a neighbor’s Wi-Fi network; this can be prevented by enabling the security feature in the wireless network.

Tapping into a telecommunications line and electronically latching on to a legitimate user before the user enters a secure system; the legitimate user unknowingly carries the perpetrator into the system.

An unauthorized person passing through a secure door when an authorized person opens it, thereby bypassing physical security controls, such as keypads, ID cards, or biometric identification scanners.

Hackers who search for dial-up modem lines by programming computers to dial thousands of phone lines are referred to as war dialing. War driving is driving around looking for unprotected wireless networks. Some war drivers draw chalk symbols on sidewalks to mark unprotected wireless networks, referred to as war chalking. One enterprising group of researches went war rocketing. They sent rockets into the air that let loose wireless access points, each attached to a parachute. Podslurping is using a small device with a storage capacity (e.g., ipod or usb drive) to download unauthorized data. A fraud perpetrator can use the salami technique, to embezzle large sums of money a “salami slice” at a time from many different accounts (tiny slices of money are stolen over a period of time). The round-down fraud technique is used most frequently in financial institutions that pay interest. In the typical 9-5 .

scenario, the programmer instructs the computer to round down all interest calculations to two decimal places. The fraction of a cent that is rounded down on each calculation is put into the programmer’s account or one that he or she controls. Phreaking is attacking phone systems to obtain free phone line access. Phreakers also use the telephone lines to transmit viruses and to access, steal, and destroy data. Economic espionage is the theft of information, trade secrets, and intellectual property. This has increased by 323% during one five-year period. The U.S. Department of Justice estimates that intellectual property theft losses total $250 billion a year. Almost 75% of these losses are to an employer, former employer, contractor, or supplier. A growing problem is cyber-extortion, in which fraud perpetrators threaten to harm a company if it does not pay a specified amount of money. Cyber-bullying is using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person. Sexting is exchanging sexually explicit text messages and revealing pictures, usually via phone. Internet misinformation is using the Internet to spread false or misleading information about people or companies. This can be done in a number of ways, including inflammatory messages in online chats, setting up websites, and spreading urban legends. Fraud perpetrators are beginning to use unsolicited e-mail threats to defraud people. For example, Global Communications sent a message to many people threatening legal action if an unspecified overdue amount was not paid within 24 hours. Internet auction fraud is using an Internet auction site to defraud another person. Internet pump-and-dump fraud is using the Internet to pump up the price of a stock and then selling it. Cryptocurrency Fraud - Defrauding investors in a variety of cryptocurrency-related fraud schemes, such as fake initial coin offerings and fake exchanges and wallets. Many companies advertise online and pay based on how many users click on ads that take them to the company’s website. Advertisers pay from a few cents to more than $10 for each click. Click fraud is intentionally clicking on these ads numerous times to inflate advertising bills. Software piracy is copying software without the publisher’s permission. It is estimated that for every legal copy of software 9-6 .

there are seven to eight illegal ones. I have seen some places where this is almost like an acceptable practice. Multiple Choice 1 Stealing tiny slices of money over time is which technique: a. Posing b. Salami technique c. Vishing d. Data diddling Multiple Choice 2 A hacker that places himself between a client and a host to intercept communications between them is: a. Man in the middle b. Evil twin c. Middleman d. None of the above

Learning Objective Two Explain how social engineering techniques are used to gain physical or logical access to computer resources.

Social Engineering Social engineering refers to techniques or psychological tricks used to get people to comply with perpetrators wishes to gain physical or logical access to a building, computer, server, or network. According to Cisco, perpetrators take advantage of several human traits to gain unauthorized access to networks, systems, or physical locations. 1. Compassion—people’s desire to help others. 2. Greed—getting a good deal or something for free. 3. Sex Appeal—more likely to cooperate if flirtatious. 4. Sloth—take advantage of laziness as few people want to do things the hard way. 5. Trust—more likely to cooperate if gain someone’s trust. 6. Urgency—sense of urgency or immediate need leads people to be more cooperative. 7. Vanity—more likely to be cooperative if appeal to someone’s vanity. To minimize the threat of social engineering: 9-7 .

1. Never let people follow you into a restricted area. 2. Never login for someone else on a computer. 3. Never give sensitive information over the phone or through email. 4. Never share passwords or user IDs. 5. Be cautious of anyone you do not know who is trying to gain access through you. Focus 9-2 on p. 293 discusses how social engineering is used on the social networking site, Facebook, to perpetrate fraud. Identity theft is assuming someone’s identity, usually for economic gain, by illegally obtaining and using confidential information, such as the person’s Social Security number or their bank account or credit card number. Identity thieves benefit financially by taking funds out of the victim’s bank accounts, taking out mortgages, or other loan obligations, and taking out credit cards and running up large debts. In one case, a convicted felon incurred $100,000 of credit card debt, took out a home loan, purchased homes and consumer goods, and then filed for bankruptcy in the victim’s name. In pretexting, people act under false pretenses to gain confidential information. For example, they might conduct a security investigation and lull the person into disclosing confidential information by asking 10 innocent questions before asking the confidential ones. Posing is creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering a product. Phishing is sending out an e-mail, instant message, or text message pretending to be a legitimate company, usually a financial institution, and requesting information. The recipient is asked to either respond to the e-mail request or visit a web page and submit the data or respond to a text message. The IRS has set up a website and an e-mail address (phishing@irs.gov) where people can forward for investigation suspicious e-mails that purport to be from the IRS. In voice phishing, or vishing, e-mail recipients are asked to call a specified phone number, where a recording tells them to enter confidential data. Phished (and otherwise stolen) credit card numbers can be bought and sold, which is called carding. Pharming is redirecting a website’s traffic to a bogus (spoofed) website, usually to gain access to personal and confidential information. So how does pharming work? If you do not know someone’s phone number, you look it up in a phone book. If you could change XYZ Company’s number in the phone book to your phone number, people calling XYZ Company would reach you instead. You 9-8 .

could then ask them to divulge information only they would know to verify their identity. An evil twin is when a hacker sets up a wireless network with the same name (called Service Set Identifier, or SSID) as the wireless access point at a local hot spot or a corporation’s wireless network. Typosquatting, also called URL hijacking, is setting up websites with names very similar to real websites so when users make mistakes, such as typographical errors, in entering a website name the user is sent to an invalid site. The typosquatter’s site may do the following: 1. Trick the user into thinking she is at the real site by using a copied or a similar logo, website layout, or content. These sites often contain advertising that would appeal to the person looking for the real domain name. The typosquatter might also be a competitor. 2. Send the user to a site very different from what was wanted. In one famous case, a typosquatter sent people looking for sites that appealed to children to a pornographic website. 3. Use the false address to distribute viruses, adware, spyware, or other malware. Scavenging, or dumpster diving, is gaining access to confidential information by searching corporate or personal records. Some identity thieves search garbage cans, communal trash bins, and city dumps to find documents or printouts with confidential company information. They also look for personal information, such as checks, credit card statements, bank statements, tax returns, discarded applications for reapproved credit cards, or other records, that contain Social Security numbers, names, addresses, telephone numbers, and other data that allow them to assume an identity. Be sure to tear up (or preferably shred) your personal correspondence from banks and credit card companies to the point that the number cannot be read, before you throw it in to the trash; especially in a public trash container. Shoulder surfing is watching people as they enter telephone calling card or credit card numbers or listening to conversations as people give their credit card number over the telephone or to salesclerks. Lebanese looping, the perpetrator inserts a sleeve into an ATM that prevents the ATM from ejecting the card. The perpetrator pretends to help, tricking the person into entering her PIN again. Once the victim gives up, the thief removes the card and uses it and the PIN to withdraw money. Skimming is double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use. 9-9 .

Chipping is posing as a service engineer and planting a small chip in a legitimate credit card reader. Eavesdropping enables perpetrators to observe private communications or transmissions of data. One way to intercept signals is by setting up a wiretap. Discussion Question: Do your activities using social media (e.g., Facebook, Twitter, Linkedin) expose any risks of computer attacks or fraud? What about your use of smartphones? The intent here is to get a discussion with the students to have them understand how their activities on social media websites may put them at risk. For example, many banking sites ask about your high school mascot, or the first car you drove, and so on. This information may be skimmed off of social media sites if the user is unaware of their privacy settings. Use of smartphones can also be a good discussion as to apps that are downloaded and how do you know that if they are free, they do not include malware? Multiple Choice 3 Techniques used to obtain confidential information, often by tricking people, are referred to as what? a. Pretexting b. Posing c. Social engineering d. Identity theft

Learning Objective Three Describe the different types of malware used to harm computers.

Malware This section describes malware, which is any software that can be used to do harm. Malware is not restricted to computers and is spread using several simultaneous approaches including fake versions of legitimate apps, file sharing, shared access to files, e-mail attachments, and remote access vulnerabilities. Pages 297-305 list various malware types. Spyware software secretly collects personal information about users and sends it to someone else without the user’s permission. The information is gathered by logging keystrokes, monitoring 9-10 .

computing habits, such as websites visited, and scanning documents on the computer’s hard disk. Spyware infections, of which users are usually unaware, come from the following: 1. Downloads, such as file sharing programs, system utilities, games, wallpaper, screensavers, music, and videos. 2. Websites that secretly download spyware when they are visited. This is call drive-by downloading. 3. A hacker using security holes in web browsers and other software. 4. Programs masquerading as anti-spyware security software. 5. A worm or virus. 6. Public wireless network. For example, users receive a message they believe is from the coffee shop or hotel where they are using wireless technology. Clicking on the message inadvertently downloads a Trojan horse or spyware application. One type of spyware, called adware (short for advertising supported software), does two things: First, it causes banner ads to pop up on your monitor as you surf the Internet. Second, it collects information about the user’s web-surfing and spending habits and forwards it to the company gathering the data, often an advertising or large media organization. Scareware is malicious software of no benefit that is sold using scare tactics. Ransomware locks you out of all your programs and data by encrypting them. Often times, victims are told to pay the ransom in bitcoins. Another form of spyware, called a keylogger, records computer activity, such as a user’s keystrokes, e-mails sent and received, websites visited, and chat session participation. A Trojan horse is a set of malicious, unauthorized computer instructions in an authorized and otherwise properly functioning program. Some Trojan horses give the creator the power to remotely control the victim’s computer. Unlike viruses and worms, the code does not try to replicate itself. Time bombs and logic bombs are Trojan horses that lie idle until triggered by a specified time or circumstance. Once triggered, the bomb goes off, destroying programs, data, or both. Company insiders, typically disgruntled programmers or other systems personnel who want to get even with their company, write many bombs. 9-11 .

A trap door, or back door, is a way into a system that bypasses normal system controls. Programmers use trap doors to modify programs during systems development and normally remove them before the system is put into operation. Packet sniffers are programs that capture data from information packets as they travel over the Internet or company networks. Captured data are sifted to find confidential information, such as user IDs and passwords, and confidential or proprietary information that can be sold or otherwise used. Steganography programs hide data from one file inside a host file, such as a large image or sound file. There are more than 200 different steganographic software programs available on the Internet. A rootkit is software that conceals processes, files, network connections, memory addresses, systems utility programs, and system data from the operating system and other programs. Rootkits often modify parts of the operating system or install themselves as drivers. A computer virus is a segment of self-replicating, executable code that attaches itself to software. Many viruses have two phases. In the first phase, the virus replicates itself and spreads to other systems or files when some predefined event occurs. In the attack phase, also triggered by some predefined event, the virus carries out its mission. In one survey, almost 90% of the respondents said their company was infected with a virus within the prior 12 months. During the attack phase, triggered by some predefined event, viruses destroy or alter data or programs, take control of the computer, destroy the hard disk’s file allocation table, delete or rename files or directories, reformat the hard disk, or change the content of files. Symptoms of a computer virus include computers that will not start or execute; unexpected read or write operations; an inability to save files; long program load times; abnormally large file sizes; slow systems operation; and unusual screen activity, error messages, or file names. The Sobig virus, written by Russian hackers, infected an estimated 1 of every 17 e-mails several years ago. The MyDoom virus infected 1 in 12 e-mails and did $4.75 billion in damages. It is estimated that viruses and worms cost businesses more than $20 billion a year. Most viruses attack computers, but all devices connected to the Internet or that are part of a communications network run the risk of being infected. Recent viruses have attacked cell phones 9-12 .

and personal digital assistants. These devices are infected through text messages, Internet page downloads, and Bluetooth wireless technology. Flows in Bluetooth applications have opened up the system to attack. Bluesnarfing is stealing (snarfing) contact lists, images, and other data from other devices using Bluetooth. Bluebugging is taking control of someone else’s phone to make calls or send text messages, or to listen to phone calls and monitor text messages received. A computer worm is a self-replicating computer program similar to a virus except for the following three differences: 1.

A virus is a segment of code hidden in or attached to a host program or executable file, whereas a worm is a standalone program.

A virus requires a human to do something (run a program, open a file, etc.) to replicate itself, whereas a worm does not and actively seeks to send copies of itself to other devices on a network.

Worms harm networks (if only by consuming bandwidth), whereas viruses infect or corrupt files or data on a targeted computer.

Worms often reside in e-mail attachments, which, when opened or activated, can damage the user’s system. A worm usually does not “live” very long, but it is quite destructive while “alive.”

Multiple Choice 4 What type of software secretly collects personal information about users and sends it to someone else without the user’s permission? a. Rootkit b. Torpedo software c. Spyware d. Malware Multiple Choice 5 Software that records computer activity is known as: a. Trojan horse b. Malware c. Spyware d. Keylogger

Answer to Multiple Choice Questions:

9-13 .

Multiple Choice Question Answers Number Answer 1 B 2 A 3 C 4 C 5 D Note to Instructors: This chapter contains a long list of terms and definitions. It can sometimes be difficult for a student to remember them in an efficient way. There are two resources that you may find helpful in assigning students to watch videos. The first resource is from Bryant University with 10 short videos 5–10 min each) called “A hacker’s guide to cybersecurity”. The first five videos are about hacking that relate to this chapter, the last five videos are on prevention and what to do if you have been breached. A Second resource is a documentary movie on the web, “Can you hack ithackers wanted” produced by Kevin Spacey (1.5 h long) that provides a good story with many of these terms. In addition, the FBI has a cybersecurity section to their web page that provides recent news on computer attacks. Resources: http://www.hackersguidetocybersecurity.com/ Documentary can be seen on YouTube: http://www.youtube.com/watch?v=CdfeXqKDWHg http://www.fbi.gov/about-us/investigate/cyber

9-14 .

CHAPTER 10 CONTROL AND ACCOUNTING INFORMATION SYSTEMS Instructor’s Manual Learning Objectives: 1. Explain basic control concepts and why computer control and security are important. 2. Compare and contrast the COBIT, COSO, and ERM control frameworks. 3. Describe the major elements in the environment of a company. 4. Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model. 5. Describe control activities commonly used in companies. 6. Describe how to communicate information and monitor control processes in organizations.

Introduction Why Accounting Information Systems Threats Are Increasing More than 60% of organizations have recently experienced a major control failure for some of the following reasons: 1. Increase in number of information systems means that information is available to an increasing number of workers. 2. Distributed (decentralized) computer networks are harder to control than centralized mainframe systems. 3. Wide area networks are giving customers and suppliers access to one another’s systems and data, making confidentiality a major concern. Some of the reasons why organizations do not adequately protect their data are: 1. Computer control problems have been underestimated and downplayed. 2. The control implications of moving from centralized, hostbased computer systems to a networked or Internet-based system have not been fully understood. 3. Many companies have not realized that data is a resource and must be protected. 4. Productivity and cost pressures have motivated management to forgo time-consuming control measures. 10-1 .

Any potential adverse occurrence that could be injurious to either the accounting information system or the organization is referred to as a threat. The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat. The probability that the threat will happen is the likelihood associated with the threat.

Why Control and Security Are Important As an accountant you must have a good understanding of information technology (IT) and its capabilities and risks. Although, internal control objectives remain the same regardless of the data processing method, a computer-based AIS requires different internal control policies and procedures. One of the primary objectives of an accounting information system is to provide control in a business organization. One of management’s basic functions is to ensure that enterprise objectives are achieved. Thus, management’s decisions pertaining to controls are crucial to the firm’s success in meeting its objectives. Management expects accountants to: 1.

Take a proactive approach to eliminating system threats.

Detect, correct, and recover from threats when they occur.

Learning Objective One Explain basic control concepts and why computer control and security are important.

Overview of Control Concepts Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: 1. Safeguarding assets, including preventing or detecting, on a timely basis, the unauthorized acquisition, use, or disposition of material company assets.

10-2 .

2. Maintaining records in sufficient detail to accurately and fairly reflect company assets. 3. Providing accurate and reliable information. 4. Prepare financial reports in accordance with established criteria. 5. Promoting and improving operational efficiency, including making sure company receipts and expenditures are made in accordance with management and directors’ authorizations. 6. Encouraging adherence to prescribed managerial policies. 7. Complying with applicable laws and regulations. Preventive controls deter problems before they arise: anticipate the problem. Detective controls discover problems as soon as they arise: what we normally call in auditing “following the problem.” Corrective controls identify and correct problems that have been discovered and recover from resulting errors. They include procedures taken to identify the cause of a problem, correct resulting errors or difficulties, and modify the system so that future problems are minimized or eliminated. General controls are designed to make sure an organization’s control environment is stable and well managed. Some of the more important general controls are: 1.

Information systems management controls.

Security management controls.

Information technology infrastructure controls.

Software acquisition, development, and maintenance controls.

Application controls prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.

Levers of Control Many people feel there is a basic conflict between creativity and controls. In other words, you cannot have both. Four levels of control to help companies to reconcile this conflict: 1. The first is a concise belief system that 10-3 .

communicates company core values to employees and inspires them to live by them. 2. A boundary system helps employees act ethically by setting limits on employee behavior. This means encouraging employees to solve problems and meet customer needs within the limits of freedom. 3. To ensure the efficient and effective achievement of important goals, a diagnostic control system measures company progress by comparing actual performance to planned performance (budget). 4. An interactive control system helps top-level managers with high-level activities that demand frequent and regular attention, such as developing company strategy, setting company objectives, understanding and assessing threats and risks, monitoring changes in competitive conditions and emerging technologies, and developing responses and action plans to proactively deal with these highlevel issues. The Foreign Corrupt Practices and Sarbanes-Oxley Acts The Foreign Corrupt Practices Act (1977) The primary purpose of this Act was to prevent the bribery of foreign officials in order to obtain business. The chapter notes example of FCPA violations that resulted in fines in the billions. The Sarbanes-Oxley Act of 2002 (SOX) Applies to publicly held companies and their auditors and was intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud. Some of the important aspects of The Sarbanes-Oxley Act are: 1. Public Company Accounting Oversight Board (PCAOB) The PCAOB is a five-member board appointed by the Securities and Exchange Commission (SEC). The PCAOB sets and enforces auditing, quality control, ethics, independence, and other auditing standards. 2. New rules for auditors Auditors must report specific information to the company’s audit committee, such as critical accounting policies and practices, alternative GAAP treatments, and auditor-management disagreements. 10-4 .

CPA Auditors are prohibited from performing certain nonaudit services, such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services. Audit firms cannot provide services to companies if top management was employed by the auditing firm and worked on the company’s audit in the preceding 12 months. 3. New roles for audit committees Audit committee members must be on the company’s board of directors and be independent of the company. 4. New rules for management Requires the CEO and CFO to certify that financial statements and disclosures are fairly presented, are reviewed by the management, and are not misleading. 5. New internal control requirements Requires publicly held companies to issue a report accompanying the financial statements that states management is responsible for establishing and maintaining an adequate internal control structure and appropriate control procedures. For more detailed information on The Sarbanes-Oxley Act, click on the following website: http://www.sec.gov/about/laws/soa2002.pdf After the Sarbanes-Oxley Act was passed, the SEC mandated that management must: 1. Base its evaluation on a recognized control framework. The most likely frameworks are formulated by The Committee of Sponsoring Organizations (COSO). 2. Disclose any and all material internal control weaknesses. 3. Conclude that a company does not have effective internal controls over financial reporting if there are any material weaknesses. Multiple Choice 1 What type of internal controls finds the problem before it occurs? a. Detective controls b. Preventive controls c. General controls d. Corrective controls 10-5 .

Multiple Choice 2 The Public Company Accounting Oversight Board consists of: a. Seven members b. Three members c. Five members d. Six members

Learning Objective Two Compare and contrast the COBIT, COSO, and ERM control frameworks.

Control Frameworks COBIT Framework The Information Systems Audit and Control Foundation (ISACF) developed the Control Objectives for Information and related Technology (COBIT) framework. COBIT is a framework of generally applicable information systems security and controls practices of Information Technology control. The framework allows: 1. Management to benchmark the security and control practices of Information Technology environments. 2. Users of Information Technology services to be assured that adequate security and control exist. 3. Auditors to substantiate their opinions on internal control and to advise on Information Technology security and control matters. The COBIT framework addresses the issue of control from five key principles: 1. Meeting stakeholder needs. Helps users to customize business processes and procedures to create an information system that adds value to its stakeholders. 2. Covering the enterprise end-to-end. Focus is not just on the IT operation; it integrates all IT functions and processes into companywide functions and processes. 3. Applying a single, integrated framework. COBIT can be aligned at a high level with other standards and frameworks. 4. Enabling a holistic approach. Applies a holistic approach that results in effective governance and management of all IT functions in the company. 5. Separating governance from management. Distinguishes between governance (direct, evaluate, and monitor) and management (plan, build, run, and monitor). 10-6 .

The objective of governance is to create value by optimizing the use of organizational resources to produce desired benefits in a manner that effectively addresses risk. Responsibility of the Board: 1. Evaluate stakeholder needs to identify objectives. 2. Provide management with direction by prioritizing objectives. 3. Monitor management’s performance. Responsibility of Management: 1. Planning, building, running, and monitoring the activities and processes used by the organization to pursue the objectives established by the board of directors. Governance and management of IT is an ongoing process requiring monitoring, communication, and feedback. Figure 10-2 on page 328 provides a COBIT process reference model using five governance processes to Evaluate, Direct, and Monitor (EDM01–EDM 05) and 32 management processes. The management processes are broken down into the following four domains: 1. Align, plan, and organize (APO). 2. Build, acquire, and implement (BAI). 3. Deliver, service, and support (DSS). 4. Monitor, evaluate, and assess (MEA).

The Committee of Sponsoring Organizations Internal Control Framework The Committee of Sponsoring Organizations (COSO) is a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. In 1992, COSO issued the Internal Control—Integrated Framework, which defines internal controls and provides guidance for evaluating and enhancing internal control systems. COSO was updated in 2013 to align with technological advancements. COSO’s internal control model has five crucial components, provided in Table 10-1 on page 330: 1. Control environment. 2. Risk assessment. 3. Control activities. 4. Information and communication. 10-7 .

5. Monitoring. Enterprise Risk Management—Integrated with Strategy and Performance Expands on the elements of the internal control integrated framework and provides an all-encompassing focus on the broader subject of enterprise risk management. The 2017 update is noted in Focus 10-1 on page 329. The basic principles behind enterprise risk management are: 1. Companies are formed to create value for their owners. 2. Company management must decide how much uncertainty it will accept as it creates value. 3. Uncertainty results in risk, which is the possibility that something will occur to affect adversely the company’s ability to create value or to erode existing value. 4. Uncertainty can also result in an opportunity, which is the possibility that something will occur to affect positively the company’s ability to create or preserve value. 5. The Enterprise Risk Management—Integrated Framework helps management to manage uncertainty, and its associated risk and opportunity, so they can build and preserve value.

Multiple Choice 3 Which of the following concepts were addressed in COSO-ERM beyond the original IC? a. Company value proposition b. How to address uncertainty c. The risk profile of opportunities d. All of the above Multiple Choice 4 Which of the following is not a component of COSO-IC? a. Control Activities b. External environment c. Monitoring d. b and c e. All of the above are components of COSO IC

10-8 .

Learning Objective Three Describe the major elements in the control environment of a company.

The Control Environment The control environment is the most important component of the ERM and internal control frameworks. An internal environment consists of items such as the following: 1. Management’s philosophy, operating style, and risk appetite. 2. The board of directors. 3. Commitment to integrity, ethical values, and competence. 4. Organizational structure. 5. Methods of assigning authority and responsibility. 6. Human resource standards. 7. External influences.

Management’s Philosophy, Operating Style, and Risk Appetite Companies have a risk appetite, which is the amount of risk a company is willing to accept in order to achieve its goals and objectives. The more responsible management’s philosophy and operating style and the more clearly they are communicated, the more likely employees will behave responsibly. Management’s philosophy, operating style, and risk appetite can be assessed by answering questions such as these: 1. Does management take undue business risks to achieve its objectives, or does it assess potential risks and rewards prior to acting? 2. Does management attempt to manipulate such performance measures as net income so that its performance can be seen in a more favorable light? 3. Does management pressure employees to achieve results regardless of the methods, or does it demand ethical behavior? In other words, does management believe the ends justify the means?

The Board of Directors 10-9 .

The Sarbanes-Oxley Act requires all public companies to have an audit committee composed entirely of outside (nonemployee), independent directors. The audit committee is responsible for overseeing the corporation’s internal control structure, its financial reporting process, and its compliance with related laws, regulations, and standards.

Commitment to Integrity, Ethical Values, and Competence It is important to create an organizational culture that stresses integrity and commitment to both ethical values and competence. Companies endorse integrity as a basic operating principle by actively teaching and requiring it. Management should consistently reward and encourage honesty and give verbal labels to honest and dishonest behavior. Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors. Companies should require employees to report any dishonest, illegal, or unethical acts and discipline employees who knowingly fail to report violations.

Organizational Structure Important aspects of organizational structure include: 1. Centralization or decentralization of authority. 2. Assignment of responsibility for specific tasks. 3. Whether there is a direct reporting relationship (e.g., functional organizational structure or divisional organizational structure) or more of a matrix structure. A matrix organizational structure is a design that utilizes functional and divisional chains of command simultaneously in the same part of the organization. 4. Organization by industry, product line, geographical location, or by a particular distribution or marketing network. 5. The way responsibility allocation affects management’s information requirements. 6. The organization of the accounting and information system functions. 7. The size and nature of company activities.

10-10 .

Methods of Assigning Authority and Responsibility Authority and responsibility are assigned through formal job descriptions; employee training; operating plans, schedules, and budgets; a formal company code of conduct; and a written policy and procedures manual.

Human Resource Standards The following policies and procedures are important: 1.

Hiring. To obtain the most qualified and ethical employees, hiring should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well potential employees meet written job requirements.

A thorough background check includes verifying educational and work experience, talking to references, checking for a criminal record, and checking credit records.

Compensating. It is important to pay employees a fair and competitive wage. Poorly paid employees are likely to feel resentment and make up the difference in their wages by stealing money, property, or both.

Training. Training programs should familiarize new employees with their responsibilities; expected levels of performance and behavior; and the company’s policies and procedures, history, culture, and operating style. Training on Fraud and Ethics: 

Fraud awareness.



Ethical considerations.



Punishment for fraud and unethical behavior.

Evaluating and promoting. Employees should be given periodic performance appraisals that help them to understand their strengths and weaknesses. Promotion should be based on performance and how well qualified employees are for the next position.

Discharging. A company should take care when firing employees. To prevent sabotage or copying confidential data before they leave, dismissed employees should be removed from sensitive jobs immediately and denied access to the information system.

Managing disgruntled employees. Some employees who commit fraud are seeking revenge for a perceived

10-11 .

wrong done to them. Hence, companies should have procedures for identifying disgruntled employees and either helping them resolve their feelings or removing them from jobs where they might be able to harm the organization or perpetrate a fraud. 8.

Vacations and rotation of duties. Many fraud schemes, such as lapping and kiting, require the ongoing attention of the perpetrator. Many of these employee frauds are discovered when the perpetrator is suddenly forced, by illness or accident, to take time off.

Confidentiality agreements and fidelity bond insurance. All employees, suppliers, and contractors should be required to sign and abide by a nondisclosure or confidentiality agreement. Fidelity bond insurance coverage of key employees protects companies against losses arising from deliberate acts of fraud by bonded employees. Prosecute and incarcerate hackers and fraud perpetrators. Most fraud cases and hacker attacks go unreported and are not prosecuted for several reasons: 

Companies are reluctant to report computer crimes and intrusions—a recent study showed only 36% reporting intrusions—because a highly visible fraud is a public relations disaster.



Law enforcement officials and the courts are so busy with violent crimes that they have little time for computer crimes in which no physical harm occurs.



Fraud is difficult, costly, and time-consuming to investigate and prosecute.



Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.



When fraud cases are prosecuted and a conviction is obtained, the sentences received are often light.

External Influences Financial Accounting Standards Board (FASB). Public Company Accounting Oversight Board (PCAOB). Security and Exchange Commission (SEC).

10-12 .

Multiple Choice 5 Which of the following is not considered the Control Environment in COSO-IC? a. External influences b. Management’s risk appetite c. Ethical Values d. Compliance with the SEC Multiple Choice 6 Which of the following statements is TRUE? a. An internal environment consists of an organizational structure. b. Control activities are a component of COSO-IC. c. The Sarbanes-Oxley Act requires all public companies to have an audit committee. d. All of the above are true.

Learning Objective Four Explain how to access and respond to risk using the Enterprise Risk Management model.

Risk Assessment and Risk Response The third component of COSO’s IC mode are risk assessment and risk response. The risks that exist before management takes any steps to control the likelihood or impact of a risk are called inherent risks. The risk that remains after management implements internal controls, or some other response to risk, is residual risk. The ERM model indicates that there are four ways to respond to risk: 1. Reduce. The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls. 2. Accept. Accepts the likelihood and impact of the risk by not acting to prevent or mitigate it.

10-13 .

3. Share. Share some of the risk or transfer it to someone else. For example, buy insurance, outsource an activity, or enter into hedging transactions. Auditing definition of hedges: hedges protect an entity against the risk of adverse price or interest-rate movements on its assets, liabilities, or anticipated transactions. A hedge avoids or reduces risk by counterbalancing losses with gains on separate positions. Hedge, in securities, is a transaction that reduces the risk of an investment. Hedge fund is a special type of investment fund with fewer restrictions on the types of investments it can make. Of note is a hedge fund’s ability to sell short. In exchange for the ability to use more aggressive strategies, hedge funds are more exclusive (e.g., fewer people). Usually only the wealthy are allowed to invest in hedge funds. There are three main types of hedges: fair value hedges, cash flow hedges, and foreign currency hedges—which are beyond the scope of this class. 4. Avoid. Risk is avoided by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated. Accountants can assess and reduce inherent risk using the risk assessment and response strategy shown in Figure 10-3 on page 336.

Estimate Likelihood and Impact Some events pose a greater risk because the probability of their occurrence is more likely. For example, a company is more likely to be the victim of a fraud than of an earthquake, and employees are more likely to make unintentional errors than they are to commit fraud.

Identify Controls Management must identify one or more controls that will protect the company from each event.

Estimate Costs and Benefits No internal control system can provide foolproof protection against all events, as the cost would be prohibitive.

10-14 .

In addition, because many controls negatively affect operational efficiency, too many controls slow the system and make it inefficient. The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include: 1. Increased sales and productivity. 2. Reduced losses. 3. Better integration with customers and suppliers. 4. Increased customer loyalty. 5. Competitive advantages. 6. Lower insurance premiums. Costs are usually easier to measure than benefits. Primary cost is personnel, including: 1. Time to perform control procedures. 2. Costs of hiring additional employees to effectively segregate duties. 3. Costs of programming controls into a system. Other costs of a poor control system include: 1. Lost sales. 2. Lower productivity. 3. Drop in stock price if security problems arise. 4. Shareholder or regulator lawsuits. 5. Fines and penalties imposed by governmental agencies. One way to estimate the value of internal controls involves expected loss, the mathematical product of impact and likelihood: Expected loss = Impact × Likelihood Determine Cost/Benefit Effectiveness Total pay period payroll cost $10,000. Extra cost of $600 per pay period will reduce the likelihood of the event from 15% to 1%. The expected risk cost without the extra $600 validation procedure is $1,500 [$10,000 × 15%]. The expected risk cost with the extra $600 validation procedure is $100 [$10,000 × 1%].

10-15 .

The expected benefit of validation procedure is $800 as shown in Table 10-2 on page 337. Implement Control or Avoid, Share, or Accept the Risk When controls are cost-effective, they should be implemented so that risk can be reduced. Risks that are not reduced must be accepted, shared, or avoided. Multiple Choice 7 Which is inappropriate for a company’s response to risk? a. Ignore b. Share c. Reduce d. Avoid Multiple Choice 8 The cost of conducting and compiling the end of the month inventory is $20,000 and the risk of an inventory error is 12% without a validation procedure and 2% with the validation procedures. The expected total to retake and compile the inventory without a validation procedure is $1,200 and with the validation procedure is only $300. The cost of the validation procedure is $650. What is the net expected benefit of the validation procedure? a. $250 b. $350 c. $450 d. $600

Learning Objective Five Describe control activities commonly used in companies.

Control Activities The fourth component of COSO’s IC model is control activities, which are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and the risk responses are carried out. Generally, control procedures fall into one of the following categories: 1. Proper authorization of transactions and activities

10-16 .

Management establishes policies for employees to follow and then empowers employees to perform accordingly. This empowerment, called authorization, is an important part of an organization’s control procedures. Authorizations are often documented by signing, initializing, or entering an authorization code on a transaction document or record. Computer systems are now capable of recording a digital signature, a means of signing a document with a piece of data that cannot be forged. Employees who process transactions should verify the presence of the appropriate authorization(s). Certain activities or transactions may be of such consequence that management grants specific authorization for them to occur. For example, management review and approval are often required for sales in excess of $20,000, capital expenditures in excess of $10,000, or uncollectible write-off in excess of $5,000. In contrast, management can authorize employees to handle routine transactions without special approval, a procedure known as general authorization. 2. Segregation(separation) of duties [Figure 10-4 on page 339] 

Authorization—approving transactions and decisions.



Recording—preparing source documents; entering data into online systems; maintaining journals, ledgers, files, or databases; preparing reconciliations; and preparing performance reports.



Custody—handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization’s bank account.

If two of these three functions are the responsibility of a single person, then problems can arise. For example: The former city treasurer of Fairfax, Virginia, was convicted of embezzling $600,000 from the city treasury. When residents used cash to pay their taxes, she would keep the currency. She recorded tax collections on the property tax

10-17 .

records but did not report them to the city controller. The utilities director of Newport Beach, California, who was responsible for authorizing transactions and had custody of cash, was charged with embezzling $1.2 million. He forged invoices or easement documents (the right to pass through a person’s land), authorizing payments to a real or fictitious property owner. The payroll director of the Los Angeles Dodgers, who was responsible for both authorization and recording functions, pleaded guilty to embezzling $330,000 from the team. He credited employees for hours not worked and then received a kickback of 50% of their extra compensation. Collusion is when two or more people are working together to override the preventive aspect of the internal control system. 3. Segregation of systems duties: [Figure 10-5 on page 340] 

Authorization. This is authorization at a systems level. Giving rights for individuals to perform their job functions within the system. It is also the approval of changes to programming or even new programming or systems. Data Entry. Responsible for entering or capturing data for all business transactions, accounts, and relations. Programming. They determine information needs and design systems to meet those needs. Operations. Responsible for running the system. Assure that data is properly processed, stored, and that needed output is produced. Data Storage. Responsible for physical storage and custody of databases, files, and programs. Also responsible for maintaining backup copies. Users. Individually responsible for logical access and proper use. Must safeguard the dataset and output for which they are responsible. Management. These are the administrators of the AIS. These teams might include:  Systems administration. Systems administrators are responsible for ensuring that the different parts of an information system operate smoothly and efficiently.  Network management. Network managers ensure that all applicable devices are linked to the organization’s internal and external

    



10-18 .

networks and that the networks operate continuously and properly. 

Security management. Security management ensures that all aspects of the system are secure and protected from all internal and external threats.



Change management. These individuals manage all changes to an organization’s information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.



Data Control. The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.



Database Administrators. Described in Chapter 4. Coordinate, control, and manage the database.

Project Development and Acquisition Controls 1.

Strategic master plan. To align an organization’s information system with its business strategies, a multiyear strategic master plan is developed and updated yearly.

Project controls. A project development plan shows how a project will be completed, including the modules or tasks to be performed and who will perform them, the dates they should be completed, and project costs. Project milestones—significant points when progress is reviewed and actual and estimated completion times are compared. A performance evaluation of project team members should be prepared as each project is completed.

Data processing schedule. To maximize the use of scarce computer resources, all data processing tasks should be organized according to a data processing schedule.

Steering committee. A steering committee should be formed to guide and oversee systems development and acquisition.

System performance measurements. For a system to be evaluated properly, it must be assessed using system

10-19 .

performance measurements. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is being productively used), and response time (how long it takes the system to respond). 6.

Post-implementation review. After a development project is completed, a post-implementation review should be performed to determine if the anticipated benefits were achieved. To simplify and improve systems development, some companies hire a systems integrator, a vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors. Companies that use systems integrators should: 

Develop clear specifications.



Monitor the systems integration project.

Change Management Controls Change management is the process of making sure changes do not negatively affect systems reliability, security, confidentiality, integrity, and availability. Design and Use of Documents and Records The proper design and use of electronic and paper documents and records help ensure the accurate and complete recording of all relevant transaction data.

Safeguarding Assets, Records, and Data In addition to safeguarding cash and physical assets, such as inventory and equipment, a company needs to protect its information. Many people mistakenly believe that the greatest risks companies face are from outsiders. Companies also face significant risks from customers and vendors that have access to company data. New technologies such as blockchain can assist in safeguarding data from change. But it may also introduce risks to privacy. Some of the computer-based controls that can be put into place to safeguard assets include: 1.

Create and enforce appropriate policies and procedures.

10-20 .

Maintain accurate records of all assets.

Restrict access to assets.

Protect records and documents.

Independent Checks on Performance 1.

Top level reviews. Management at all levels should monitor company results and periodically compare actual company performance to (a) planned performance, as shown in budgets, targets, and forecasts; (b) prior period performance; and (c) the performance of competitors.

Analytical reviews. An analytical review is an examination of the relationship between different sets of data.

Reconciliation of two independently maintained sets of records.

Comparison of actual quantities with recorded amounts.

Double-entry accounting: debits must equal credits.

Independent review. After one person processes a transaction, a second person sometimes reviews the work of the first.

Multiple Choice 9 Which of the following would need specific authorization? a. Writing checks over a predetermined threshold. b. Sales manager approving a sale. c. Receiving clerk accepting goods. d. Cashier receiving payments. Multiple Choice 10 Which of the following does not violate separation of duties? a. Approving purchase orders and receiving items ordered. b. Approving payment to vendors and completing the monthly bank reconciliation. c. Receiving checks in the mail and maintaining the cash receipts journal. d. Writing checks and receiving checks in the mail.

Learning Objective Six Describe how to communicate information and monitor control processes in organizations.

10-21 .

Information and Communication Accounting Information Systems have five primary objectives: 1. Identify and record all valid transactions. 2. Properly classify transactions. 3. Record transactions at their proper monetary value. 4. Record transactions in the proper accounting period. 5. Properly present transactions and related disclosures in the financial statements.

Monitoring Perform ERM Evaluations. Implement Effective Supervision. Use Responsibility Accounting. Monitor System Activities. There are software packages available to review computer and network security measures, detect illegal entry into systems, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements. Software is also available to monitor and combat viruses, spyware, spam, pop-up ads, and to prevent browsers from being hijacked. All system transactions and activities should be recorded in a log that indicates who accessed what data, when, and from which online device. In monitoring employees’ computers at work or at home, companies must be careful to ensure that they do not violate the employee’s privacy. To help, one way would be to have written policies that employees agree to in writing which indicate: 1.

The technology employees’ use on the job belongs to the company.

E-mails received on company computers are not private and can be read by supervisory personnel.

Employees should not use technology in any way to contribute to a hostile work environment.

10-22 .

Perhaps some of you have also seen this happen; many government activities and offices have taken the computer games off their computers.

Track Purchased Software The Business Software Alliance (BSA) is very aggressive in tracking down and finding companies who violate software license agreements. Companies should periodically conduct software audits.

Conduct Periodic Audits One way to monitor risk and detect fraud and errors is to conduct periodic external and internal audits, as well as special network security audits. Internal audits involve reviewing the reliability and integrity of financial and operating information and providing an appraisal of internal control effectiveness. Internal audits can detect excess overtime, underused assets, obsolete inventory, padded travel expense reimbursements, excessively loose budgets and quotas, poorly justified capital expenditures, and production bottlenecks.

Employ a Computer Security Officer and Computer Consultants A computer security officer (CSO) is in charge of AIS security and should be independent of the information system function and report to the COO or CEO. The overwhelming number of new tasks related to SOX and other forms of compliance has led many larger companies to delegate all compliance issues to a chief compliance officer (CCO).

Engage Forensic Specialists Forensic accountants specialize in fraud detection and investigation. Forensic accounting is now one of the fastest-growing areas of accounting due to the SarbanesOxley Act, new accounting rules such as SAS No. 99, and boards of directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process. Most forensic accountants are CPAs, and many have received specialized training with the FBI, the IRS, or other law enforcement agencies. Computer forensics is discovering, extracting, safeguarding, and documenting computer evidence such that

10-23 .

its authenticity, accuracy, and integrity will not succumb to legal challenges.

Install Fraud Detection Software People who commit fraud tend to follow certain patterns and leave behind clues, such as things that do not make sense. Software has been developed to uncover these fraud symptoms. ReliaStar Financial used a fraud detection package from IBM to detect the following: 1. Hundreds of thousands of dollars in fraudulent claims from a Los Angeles chiropractor. The software noticed that all of the chiropractor’s patients lived more than 50 miles from the doctor’s office and flagged the bills for investigation. 2. A Long Island doctor who submitted bills weekly for a rare and expensive procedure that is normally done once or twice in a lifetime. 3. A podiatrist who saw four patients and then billed ReliaStar for almost 500 separate procedures. Other companies have neural networks (programs that mimic the brain and have learning capabilities), which are quite accurate in identifying suspected fraud.

Implement a Fraud Hotline The Sarbanes-Oxley Act mandates that companies set up mechanisms for employees to report abuses such as fraud. Fraud hotlines provide a means for employees to anonymously report fraud.

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 B 6 D 2 C 7 A 3 D 8 B 4 B 9 A 5 D 10 D

10-24 .

CHAPTER 11 CONTROLS FOR INFORMATION SECURITY Instructor’s Manual Learning Objectives: 1. Explain how security and the other four principles in the Trust Services Framework affect systems reliability. 2. Explain three fundamental concepts: why information security is a management issue, how people’s behavior impacts security, and the time-based model of information security. 3. Describe the controls that can be used to protect an organization’s information. 4. Describe the controls that can be used to timely detect that an organization’s information system is under attack. 5. Discuss how organizations can timely respond to attacks against their information system. 6. Explain how virtualization, cloud computing, and the Internet of Things affect information security.

Learning Objective One Explain how security and the other four principles in the Trust Services Framework affect systems reliability.

One basic function of an accounting information system is to provide information useful for decision making. Figure 11-1 on page 362 shows the five fundamental principles that contribute to the overall objective of systems reliability: 1. Security—Security procedures restrict access (both physical and logical) to authorized users only. 2. Confidentiality—By restricting access, the confidentiality of sensitive organizational information is protected. 3. Privacy—Also, by restricting access, the privacy of personal identifying information collected from customers, employees, suppliers, or business partners is protected from unauthorized disclosure. 4. Processing integrity—data are processed accurately, completely, in a timely manner, and only with proper authorization. 11-1 .

5. Availability—the system and its information are available to meet operational and contractual obligations.

Multiple Choice 1 The five principles of the Trust Services Framework that contribute to the overall objective of systems reliability include: a. Effectiveness b. Processing integrity c. Plan and organize d. Reliability

Learning Objective Two Explain three fundamental concepts: why information security is a management issue, how people’s behavior impacts security, and the timebased model of information security.

There are three fundamental information security concepts: 1. Security is a management issue, not just a technology issue 2. People: The critical factor 3. The time-based model of information security Security is a management issue, not just a technology issue Effective information security requires the support of management and involvement throughout all phases of the security life cycle (see Figure 11-2 on page 353). There are four steps in the security life cycle: 1. Assess the information security-related threats that the organization faces and select an appropriate response. 2. Develop information security policies and communicate them to all employees. 3. Acquire and implement specific technological tools. 4. Monitor performance to evaluate the effectiveness of the organization’s information security program. People: The critical factor Training is a critical preventive control as employees must understand and follow the organization’s security policies. All employees should be taught why security measures are important to the organization’s long-run survival. Some good security measures include: 1.

Never open unsolicited e-mail attachments. 11-2 .

Only use approved software.

Never share or reveal your passwords.

Take steps to physically protect laptops. Training is especially needed to educate employees about social engineering attacks, which use deception to obtain unauthorized access to information resources. Employees also need to be trained not to allow other people to follow them through restricted access entrances. This social engineering attack, called piggybacking, can take place not only at the main entrance to the building but also at any internal locked doors, especially to rooms that contain computer equipment.

The time-based model of information security Time-based model of information security: Using the formula to evaluate if security procedures are effective (if true)… P>D+R, where P=the time it takes an attacker to break through the various controls that protect the organization’s information assets, D=the time it takes for the organization to detect that an attack is in progress, and R=the time it takes to respond to and stop the attack. Multiple Choice 2 The time-based model of information security is defined as: a. Time it takes an attacker to break through the various controls that protect the organization’s information assets. b. Time it takes for the organization to detect an attack. c. Time it takes to respond to an attack.

Learning Objective Three Describe the controls that can be used to protect an organization’s information.

Table 11-1 on page 366 provides examples of preventive, detective, and corrective controls used to satisfy the time-based model of security. 11-3 .

Preventive Controls Major types of preventive controls are listed in Table 11-1 on page 366. Preventive controls have four pieces of the security puzzle: Physical Security: access controls Process: user access controls Change management IT solutions Physical Security: Access Controls Controlling physical access to the system is absolutely essential. Within minutes a skilled attacker can gain physical access to the system and obtain sensitive data. Focus 11-2 on page 368 describes an especially elaborate set of physical access controls referred to as a “mantrap.” This technique involves the use of specially designed rooms that serve as an entryway to the data center. They typically contain two doors, each of which uses multiple authentication methods to control access. Laptops, cell phones, and Personal Digital Assistant (PDA) devices require special attention. A PDA is a handheld computer that has had a significant impact on personal productivity. Laptop theft is a huge problem. The major cost is not the price of replacing the laptop, but the loss of the confidential information it contains and the costs of notifying those affected.

Process: User Access Controls Authentication focuses on verifying the identity of the person or device attempting to access the system. Users can be authenticated by verifying: 1. Something they know, such as passwords or personal identification (PINs). 2. Something they have, such as smart cards or ID badges. 3. Some physical characteristic (referred to as a biometric identifier), such as their fingerprints or voice.

11-4 .

Focus 11-3 on page 370 discusses some of the requirements for creating strong passwords. 1. Length Most security experts recommend that strong passwords include at least eight characters. 2. Multiple character types Mixture of alphabetic, numeric, special characters, uppercase, and lowercase. 3. Randomness Should not be found in dictionary. Words should not be preceded or followed by a number. Should not be employee’s personal interest, hobbies, or other information. 4. Kept secret Passwords must be kept secret to be effective.

Authorization Controls Authorization restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform. Access control matrix is a table specifying which portions of the system users are permitted to access and what actions they can perform (see Figure 11-4 on page 371). When an employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action. Authentication and authorization should also apply to devices. Every workstation, printer, or other computing device needs a Network Interface Card (NIC)to connect to the organization’s internal network. Each NIC has a unique identifier, referred to as its Media Access Control (MAC) address.

IT Solutions: Antimalware Controls

11-5 .

Malware is a major threat and can damage or destroy information or provide a means for unauthorized access. COBIT 5 DSS05.01 recommends the following: 1. Malicious software awareness education. 2. Installation of antimalware protection tools on all devices. 3. Centralized management of patches and updates to antimalware software. 4. Regular review of new malware threats. 5. Filtering of incoming traffic to block potential sources of malware. 6. Training employees not to install shared or unapproved software.

IT Solutions: Network Access Controls Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems Figure 11-6 on page 373 shows the relationship between an organization’s information system and the Internet. A border router connects an organization’s information system to the Internet. Behind the border router is the main firewall, which is either a special-purpose hardware device or software running on a general-purpose computer. Firewall is a combination of security algorithms and router communications protocols that prevents outsiders from tapping into corporate databases and e-mail systems. The organization’s web servers and e-mail servers are placed in a separate network, called the demilitarized zone (DMZ) because it sits outside the corporate network yet is accessible from the Internet. Overview of TCP/IP and Routers Information travels throughout the Internet and internal local area networks in the form of packets. It is not documents or files that are sent to the printer. Instead they are broken down into packets and then sent to the printer. Well-defined rules and procedures called protocols dictate how to perform these activities. Figure 11-7 on page 374 shows how two important protocols, referred to as TCP/IP, govern the process for transmitting information over the Internet. The Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into 11-6 .

packets to be sent over the Internet and the methods for reassembly of the original document or file at the destination. The Internet Protocol (IP) specifies the structure of those packets and how to route them to the proper destination. Every IP packet consists of two parts: a header and a body. The header contains the packet’s origin and destination addresses, as well as information about the type of data contained in the body of the packet. Special-purpose devices called routers are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next. Controlling Access by Filtering Packets A set of rules, called an Access Control List (ACL), determines which packets are allowed entry and which are dropped. Border routers typically perform what is called static packet filtering, which screens individual IP packets based solely on the contents of the source or destination fields in the IP packet header. Deep Packet Inspection Stateful packet filtering is still limited to examining only information in the IP packet header. Undesirable mail can get through if the return address is not on the list of unacceptable sources. Clearly, control over incoming mail would be more effective if each envelope or package were opened and inspected. Such a process, called deep packet inspection, provides this added control. Intrusion prevention systems (IPS) are designed to identify and drop packets that are part of an attack. Defense-In-Depth to Restrict Network Access The use of multiple perimeter filtering devices is actually more efficient than trying to use only one device.

Securing Wireless Access The following procedures need to be followed to adequately secure wireless access: 1.

Turn on available security features.

Authenticate all devices attempting to establish 11-7 .

wireless access to the network before assigning them an IP address. 3.

Configure all authorized wireless Network Interface Cards (NICs) to operate only in infrastructure mode, which forces the device to connect only to wireless access points.

Use noninformative names for the access point’s address, which is called a Service Set Identifier (SSID).

Reduce the broadcast strength of wireless access points to make unauthorized reception off-premises more difficult.

Encrypt all wireless traffic. This is essential to protect the confidentiality and privacy of wireless communications because they are transmitted “over the air” and are inherently susceptible to unauthorized interception.

IT Solutions: Device and Software Hardening Controls Routers, firewalls, and intrusion prevention systems are designed to protect the network perimeter. However, information system security is enhanced by supplementing preventive controls. Three areas deserve special attention: 1. EndpointConfiguration. 2. User accounts. 3. Software design. 1. EndpointConfiguration Hosts can be made more secure by modifying their configurations. Every program running on a host represents a potential point of attack because it probably contains flaws, called vulnerabilities, which can be exploited to either crash the system or take control of it. Microsoft Baseline Security Analyzer and vulnerability scanners can be used to identify unused and, therefore, unnecessary programs that represent potential security threats. This process of turning off unnecessary features is called hardening. 2. User Account Management

11-8 .

Users who need administrative powers on a particular computer should be assigned two accounts: one with administrative rights and another that has only limited privileges. It is especially important that they be logged into their limited regular user account when browsing the web or reading their e-mail. 3. Software Design As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. The most common input-related vulnerability is referred to as a buffer overflow attack, in which an attacker sends a program more data than it can handle. Most programs set aside a fixed amount of memory, referred to as a buffer, to hold user input. However, if the program does not carefully check the size of data being input, an attacker may enter many times the amount of data that was anticipated and overflow the buffer.

IT Solutions: Encryption Encryption is the final layer of defense to prevent unauthorized access to sensitive information. Multiple Choice 3 An example of preventive controls would include: a. Log analysis b. Authorization controls c. Encryption d. a and b e. b and c Multiple Choice 4 A biometric identifier includes: a. Passwords b. Fingerprints c. Smart cards d. PINs

Learning Objective Four Describe the controls that can be used to timely detect that an organization’s information system is under attack. 11-9 .

Answer to Multiple Choice Questions:

Four types of detective controls listed in Table 11-1 on page 366. 1. Log analysis is the process of examining logs to identify evidence of possible attacks. 2. Intrusion detection systems (IDSs) is a system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions. 3. Honeypots which is a decoy system used to provide early warning that an insider or outsider is attempting to search for confidential information. 4. Continuous monitoring of both employee compliance with the organization’s information security policies and overall performance of business processes.

Learning Objective Five Discuss how organizations can timely respond to attacks against their information system.

Responding to Attacks Two controls relate to responding to attacks: 1. Computer Incident Response Team (CIRT)is a team that is responsible for dealing with attacks and should do the following four steps: a. Recognition that a problem exists. b. Containment of the problem. c. Recovery. d. Follow-up. 2. Chief Information Security Officer (CISO) a. Sr. Manager position. b. Independent of other information systems functions and reports to Chief Operating Officer (COO) or the Chief Executive Officer (CEO). Monitor and Revise Security Solutions Penetration testing is an authorized attempt by either the internal audit team or an external security consulting firm to break into the organization’s information system. 11-10 .

Change Controls and Change Management is the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability. Characteristics of a well-designed change control and change management process include:        

Documentation of all change requests, identifying the nature of the change, its rationale, date of request, and outcome of request. Documented approval of all change requests by management. Testing of all changes in a separate system, not the one used for daily business processes. Conversion controls to ensure that data are accurately and completely transferred from the old to the new system. Updating of all documentation (program instructions, system descriptions, procedures manuals, etc.) to reflect the newly implemented changes. A special process for timely review, approval, and documentation of emergency changes as soon after the crisis as is practical. Development and documentation of “backout” plans to facilitate reverting to previous configurations if the new change creates unexpected problems. Careful monitoring and review of user rights and privileges during the change process to ensure that proper segregation of duties is maintained.

Learning Objective Six Explain how virtualization, cloud computing, and the Internet of Things affect information security.

Virtualization and Cloud computing can increase risks possibly by:  Unsupervised physical access in virtualization environment exposes the entire virtual network to risk of theft or destruction.  Public clouds may have reliability issues because the organization is outsourcing control of its data and computing resources to a third party. However, there are opportunities to improve overall security by:  Implementing strong access controls in the cloud and using multifactor authentication.

11-11 .

Internet of Things (IoT) refers to embedding sensors in a multitude of devices so they can connect to the Internet. Again, there is a net effect of positive and negative effects. The major issue is that since these devices are connected to the Internet, there are more ways to gain access to the corporate network and must be secured. Answers to Multiple Choice Questions: Multiple Choice Question Answers Number Answer 1 B 2 A 3 E 4 B

11-12 .

CHAPTER 12 CONFIDENTIALITY AND PRIVACY CONTROLS Instructor’s Manual Learning Objectives: 1. Describe the controls that can be used to protect the confidentiality of an organization’s information and the privacy of personal information collected from customers, suppliers, and employees. 2. Discuss how the Generally Accepted Privacy Principles (GAPP) framework provides guidance in developing a comprehensive approach to protecting privacy that satisfies the requirements of privacy regulations such as the EU’s General Data Privacy Regulation. 3. Discuss how different types of encryption systems work, and explain the difference between encryption and hashing. 4. Explain how to create a digital signature and how it provides a means to create legally enforceable contracts. 5. Discuss how blockchain works.

Learning Objective One Describe the controls that can be used to protect the confidentiality of an organization’s information and the privacy of personal information collected from customers, suppliers, and employees.

Confidentiality and Privacy Reliable systems protect confidential information from unauthorized disclosure. Types of information that need to be protected would include: business plans, pricing strategies, client and customer lists, and legal documents. Figure 12-1 on page 395 identifies the four components of protecting confidentiality and privacy. 1. Identify and classify the information to be protected. 2. Encrypt the information. 3. Control access to the information. 4. Train employees to properly handle the information. Encryption is a fundamental control procedure for protecting the confidentiality of sensitive information.

12-1 .

It is easy to intercept information sent over the Internet. Encryption solves this problem. However, encryption only protects data when stored or during transmission and not during processing because data need to be decrypted in order to be processed. Therefore, supplementing encryption with the access controls and training is important. Information rights management (IRM) is software that provides an additional layer of protection to sensitive information that is stored in digital format offering the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, download, etc.) to individuals granted access to that resource can perform.

Organizations may use data loss prevention (DLP) software to control the outbound communications. DLP is software that blocks outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect. DLP software is a preventative control, a detection control is using a digital watermark embedded in documents that enables an organization to identify confidential information that has been disclosed. Useful control procedures for doing so include the following: 1. Restrict access to rooms housing printers and fax machines. 2. Run password protected screensavers on laptops and computers. 3. Use screen protection devices that limit the distance and angle from which information can be seen. 4. It is especially important to control the disposal of information resources. Printed reports and microfilm containing sensitive information should be shredded before being thrown out. Proper disposal of computer media requires use of special software designed to “wipe” the media clean by repeatedly overwriting the disk with random patterns of data. Voice over IP (VoIP) telephone conversations should be encrypted. All communication between users and the cloud should be encrypted. Highly sensitive and confidential data should not be stored in a public cloud. Training is the most important control for protecting confidentiality. Employees need to know what information can be shared with outsiders. Employees need to be taught how to protect confidential data such as:

12-2 .

    

how to use encryption software, always log out of applications, use a password-protected screen saver, do not leave reports containing sensitive information in plain view on their desks, proper use of e-mail, blogs, instant messaging.

Multiple Choice 1 It is especially important to encrypt sensitive information stored in: a. Hard drives b. Public clouds c. Databases d. Turnaround documents Multiple Choice 2 It is important to control access to system output. Some of the control procedures include: a. The organization establishes a set of procedures and policies for protecting the privacy of personal information. b. Source documents and other forms should be designed to help ensure that errors and omissions are minimized. c. Train employees to not leave reports containing sensitive information in plain view on their desktops when they are not physically present. d. None of the above.

Learning Objective Two Discuss how the Generally Accepted Privacy Principles (GAPP) framework provides guidance in developing a comprehensive approach to protecting privacy that satisfies the requirements of privacy regulations such as the EU’s General Data Privacy Regulation.

Privacy Regulations and Generally Accepted Privacy Principles To improve privacy, one should understand relevant laws and privacy principles. The European Union (EU) passed one of the most far reaching and strict privacy regulations in the world, called the General Data Privacy Regulation or GDPR. These regulations require “privacy by design” meaning an organization needs to take a proactive approach to protecting privacy and can face penalties of up to 4% of global revenues if found to violate GDPR. The regulation applies to any company that stores any data about European residents. The regulations grant people a number of new rights including:

12-3 .

   

Access to the data that organizations have about them. Correction of errors in that stored data. Deletion of personal information stored about them (“the right to be forgotten”) Revocation of consent to sell or share their information with other organizations.

Generally Accepted Privacy Principles (GAPP) identifies the following 10 internationally recognized best practices for protecting the privacy of customers’ personal information: 1.

Management. The organization establishes a set of procedures and policies for protecting the privacy of personal information it collects and assigns responsibility and accountability for those policies to a specific person or group of employees.

Notice. The organization provides notice about its privacy policies and practices at or before the time it collects personal information from customers, or as soon as practicable thereafter.

Choice and consent. The organization describes the choices available to individuals and obtains their consent to the collection and use of their personal information.

Collection. The organization collects only that information needed to fulfill the purposes stated in its privacy policies.

Use, retention, and disposal. The organization uses its customers’ personal information only in the manner described in its stated privacy policies and retains that information only as long as it is needed. When information is no longer useful, it should be disposed of in a secure manner.

Access. The organization provides individuals with the ability to access, review, correct, and delete the personal information stored about them.

Disclosure to third parties. The organization discloses customers’ personal privacy policies and only to third parties who provide equivalent protection of that information.

Security. The organization takes reasonable steps to protect customers’ personal information from loss or unauthorized disclosure.

Quality. The organization maintains the integrity of its customers’ personal information.

10. Monitoring and enforcement. The organization assigns one or more employees to be responsible for assuring compliance with its stated privacy policies and 12-4 .

periodically verifies compliance with those policies. Identity theft: assuming someone’s identity usually for economic gain. Focus 12-1 on page 401 discusses the steps one can take to minimize the risk of identity theft: 1.

Shred all documents that contain personal information, especially unsolicited credit card offers.

Securely store documents that contain sensitive personal and financial information.

Never send personally identifying information in unencrypted e-mail.

Beware of e-mail, telephone, and print requests to verify personal information that the requesting party should already possess.

Do not carry your Social Security card with you.

Resist requests to provide your social security number to businesses that ask for it, as it is seldom needed for most transactions.

Print only your initials and last name, rather than your full name, on checks. This prevents a thief from knowing how you sign your name.

Limit the amount of other information (address and phone number) preprinted on checks, and consider totally eliminating such information.

Do not place outgoing mail containing checks or personal information in your mailbox for pickup.

10. Do not carry more than a few blank checks with you. 11. Use special software to thoroughly clean any digital media prior to disposal, or physically destroy the media. 12. Monitor your credit reports regularly. 13. File a police report as soon as you discover that your purse or wallet was stolen. 14. Make photocopies of driver’s licenses, passports, and credit cards. 15. Immediately cancel any stolen or lost credit cards.

Multiple Choice 3 Which of the following requires organizations to protect the privacy of their customers’ personal information? 12-5 .

a. COBIT DS 11 b. Trust Services Privacy Framework c. General Data Privacy Regulation (GDPR) d. AICPA Multiple Choice 4 Which of the following statements is FALSE? a. Employee use of e-mail and instant messaging probably represents two of the greatest threats to the confidentiality of sensitive information. b. To protect yourself from identity theft you should print only your initials and last name, rather than your full name on checks. c. The phrase “garbage in, garbage out” highlights the importance of data quality. d. Organizations should not provide individuals with the ability to access, review, correct, or delete the personal information stored about them.

Learning Objective Three Discuss how different types of encryption systems work, and explain the difference between encryption and hashing.

Encryption Encryption is the final layer of preventive controls. Encrypting information before sending it over the Internet creates what is called a Virtual Private Network (VPN). Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. The term cipher is sometimes used as a synonym for ciphertext. In turn, a secret code is the same as a cipher. Decryption reverses this process, transforming ciphertext back into plaintext. Figure 12-2 on page 402 shows that both a key and an algorithm are used to encrypt plaintext into ciphertext and to decrypt the ciphertext back into plaintext. The key is also a string of binary digits of a fixed length. The binary code either has a value of 1 or 0. This code is written into successive powers of 2, rather than powers of

12-6 .

10 as in decimal. Thus, a binary number 1101 means (from right to left): 20 1 x 1 = 1 21 0 x 2 = 0 22 1 x 4 = 4 23 1 x 8 = 8 Thus, 11012 = 1310 The following is a Binary Number, Decimal, and Hexadecimal table. Hexadecimal is often used because it is simpler and takes less space. Binary number

Decimal equivalent

Hexadecimal equivalent

0001

0010

0011

0100

0101

0110

0111

1000

1001

1010

1011

1100

1101

1110

1111

12-7 .

The following website provides conversion between binary, decimal, and hexadecimal: www.easycalculation.com\\binary-converter.php

Note: Bits are combined in groups of eight bits called bytes. Encryption Strength Three important factors determine the strength of any encryption system: 1. Key length Longer keys provide stronger encryption by reducing the number of repeating blocks of ciphertext. This makes it harder to spot patterns in the ciphertext that reflect patterns in the original plaintext. The English binary 8-bit code is below:

2. Nature of encryption algorithm A third factor affecting encryption strength concerns the nature of the algorithm. 3. Key management policies The procedures used to store and manage the encryption keys are also important. COBIT control objective DS 5.8 identifies important control objectives related to the management of cryptographic keys, which are pieces of information (a parameter) that control the operation of a cryptographic algorithm. This is often the most vulnerable aspect of encryption systems.

12-8 .

Cryptography strictly applies to translating messages into cipher or code. The science of breaking codes and ciphers without a key is called cryptanalysis. Cryptology is the science that embraces both cryptography and cryptanalysis. Access to encryption keys must be tightly controlled. A second best alternative is a process called key escrow, which involves making copies of all encryption keys used by employees and storing those copies securely.

Types of Encryption Systems There are two basic types of encryption systems: 1. Symmetric encryption systems that use the same key both to encrypt and decrypt. Symmetric encryption has the following three problems: 

Both parties (sender and receiver) need to know the shared secret key.



Separate secret keys need to be created for use with each different party with whom encryption is going to be used.



Both parties using symmetric encryption must know the same secret key; there is no way to prove who created a specific document.

2. Asymmetric encryption systems that use two keys. One key, called the public key, is widely distributed and available to everyone. The other key, called the private key, is kept secret and known only to the owner of that pair of keys. Table 12-1 on page 404 provides a comparison of encryption systems.

Hashing Hashing is a process that takes plaintext of any length and transforms it into a short code called a hash. Table 12-2 on page 406 provides a comparison of hashing and encryption. For example, the SHA-256 algorithm creates a 256-bit hash.

12-9 .

Multiple Choice 5 Which of the following statements is TRUE? a. Symmetric encryption is faster than asymmetric encryption and can be used to provide nonrepudiation of contracts. b. Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts. c. Asymmetric encryption is faster than symmetric encryption and can be used to provide nonrepudiation of contracts. d. Asymmetric encryption is faster than symmetric encryption but cannot be used to provide nonrepudiation of contracts.

Learning Objective Four Explain how to create a digital signature and how it provides a means to create legally enforceable contracts.

Digital Signatures Asymmetric encryption and hashing are used to create digital signatures. A digital signature is information encrypted with the creator’s private key. This encrypted information can only be decrypted using the corresponding public key. Using a hash of the original plaintext to create a digital signature not only is efficient but also provides a means for establishing that the message decrypted by the recipient is exactly the same as the message created by the sender.

Digital Certificates and Public Key Infrastructure A digital certificate is an electronic document, created and digitally signed by a trusted third party that certifies the identity of the owner of a particular public key. The term Public Key Infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates. The organization that issues public and private keys and records the public key in a digital certificate is called a certificate authority.

12-10 .

Illustrative Example: The Role of Encryption and Hashing in E-Business (using a digital signature) Figure 12-5 on page 408 provides this example Step 1: A person “X” creates a contract. Step 2: “X” uses SHA-256 hashing algorithm to hash the contract. Step 3: “X” uses “X’s” private key to encrypt hash of contract (this creates the digital signature). “X” sends the contract and the digital signature to “Y”. Step 4: “Y” receives contract and digital signature from “X”. Step 5: “Y” performs the following steps: a. “Y” uses same hashing algorithm (in this case SHA256) to hash the contract. b. “Y” uses “X’s” public key to decrypt the digital signature. After performing A and B, “Y” now has the hash of a contract, and the hash received from X of the contract. Step 6: “Y” compares to see if the two hashes match. If they do, “Y” knows that “X” created the contract that “Y” now has. If they do not match, “Y” knows that “X” either did not create the contract, or the contract was corrupted during transmission.

Effects of Encryption on Other Layers of Defense Digital signatures use asymmetric encryption to create legally binding electronic documents. Web-based e-signatures are an alternative mechanism for accomplishing the same objective. An e-signature is a cursive-style imprint of a person’s name that is applied to an electronic document.

Multiple Choice 6 What word describes a legally binding agreement that cannot be unilaterally repudiated by either party? a. Digital Signature b. Nonrepudiation c. Encryption d. Hashing

12-11 .

Learning Objective Five Discuss how blockchain works.

Blockchain Blockchain is a distributed ledger of hashed documents with copies stored on multiple computers. Blockchain cannot be unilaterally altered by any one entity. Figure 12-6 on page 410411 provides a detailed instruction of how blocks are added to a blockchain. The process follows these steps (more details contained in the figure). 1. Create a root hash for a block of documents. 2. Validate the new block and store the validation number in block header. 3. Append the new block to existing chain 4. Copy the updated blockchain to computers of all other participants in the blockchain network. Multiple Choice 7 Which of the following statements is TRUE about blockchains? a. It is easier to detect changes to items that are included on a blockchain than in traditional ERP systems. b. Blockchains are faster for recording transactions than traditional ERP systems. c. Once created there is no way to change a blockchain transaction. d. All the above are false.

Answers to Multiple Choice Questions: Multiple Choice Question Answers Number Answer 1 B 2 C 3 C 4 D 5 B 6 B 7 C

12-12 .

CHAPTER 13 PROCESSING INTEGRITY AND AVAILABILITY CONTROLS Instructor’s Manual Learning Objectives: 1. Identify and explain controls designed to ensure processing integrity. 2. Identify and explain controls designed to ensure systems availability by minimizing the risk of system downtime and enabling efficient recovery and resumption of operations.

Learning Objective One Identify and explain controls designed to ensure processing integrity.

Processing Integrity Table 13-1 on page 424 lists the basic controls that are essential for processing integrity for the process stages input, processing, and output.

Input Controls As the old saying goes: “garbage in, garbage out.” The quality of data that is collected about business activities and entered into the information system is vital. The following source data controls regulate the integrity of input: 1. Forms design. Source documents and other forms should be designed to help ensure that errors and omissions are minimized. 

Prenumbered forms. Prenumbering forms improves control by making it possible to verify that none are missing.



Turnaround documents. A turnaround document is a record of company data sent to an external party and then returned by the external party to the system as input.

2. Cancellation and storage of documents. Documents that have been entered into the system should be cancelled so they cannot be inadvertently or fraudulently reentered into the system. Paper documents should be 13-1 .

defaced, e.g., by stamping them “paid.” Electronic documents can be similarly “cancelled” by setting a flag field to indicate that the document has already been processed. 3. Authorization and segregation of duties. Source documents should be prepared only by authorized personnel acting within their authority. 4. Visual scanning. Source documents should be scanned for reasonableness and propriety before being entered into the system.

Data Entry Controls The following tests are used to validate input data: 1.

A field check determines if the characters in a field are of the proper type.

A sign check(+/-) determines if the data in a field have the appropriate arithmetic sign.

A limit check tests a numerical amount to ensure that it does not exceed a predetermined value.

A range check is similar to a limit check except that it has both upper and lower limits.

A size check ensures that the input data will fit into the assigned field.

A completeness check on each input record determines if all required data items have been entered.

A validity check compares the ID code or account number in the transaction data with similar data in the master file to verify that the account exists.

A reasonableness test determines the correctness of the logical relationship between two data items.

Check digit verification. Authorized ID numbers (such as an employee number) can contain a check digit that is computed from the other digits. For example, the system could assign each new employee a nine-digit number, then calculate a tenth digit from the original nine and append that calculated digit to the original nine to form a 10-digit ID number. Data entry devices can be programmed to perform check digit verification by using the first nine digits to calculate the tenth digit each time an ID number is entered. If an error is made in entering any of the 10 digits, the

13-2 .

calculation made on the first nine digits will not match the tenth, or check digit. The above tests are used for both batch processing and online real-time processing.

Additional Batch Processing Data Entry Controls: 1.

Batch processing works correctly only if the transactions are presorted to be in the same sequence as records in the master file. A sequence check tests if a batch of input data is in the proper numerical or alphabetical sequence.

Information about data input or data processing errors (date they occurred, cause of the error, date corrected, and resubmitted) should be entered in an error log.

Batch totals. Three commonly used batch totals are: 

A financial total sums a field that contains dollar values, such as the total dollar amount of all sales for a batch of sales transactions.



A hash total sums a nonfinancial numeric field, such as the total of the quantity ordered field in a batch of sales transactions.



A record count sums the number of records in a batch.

Additional Online Data Entry Controls Whenever possible, the system should automatically enter transaction data, which saves keying time and reduces errors. Other Online Processing Data Entry Controls 1. Prompting, in which the system requests each input data item and waits for an acceptable response. This ensures that all necessary data are entered (e.g., an online completeness check). 2. Preformatting, in which the system displays a document with highlighted blank spaces and waits for the data to be entered. 3. Closed-loop verification checks the accuracy of input data by using it to retrieve and display other related information. 4. Creation of a transaction log that includes a detailed record of all transaction data; a unique transaction identifier; the date and time of entry; terminal, transmission line, and operator identification; and the sequence in which the

13-3 .

transaction was entered. 5. Error messages should indicate when an error has occurred, which items are in error, and what the operator should do to correct it.

Processing Controls Controls are also needed to ensure that data are processed correctly. 1. Data matching. In certain cases, two or more items of data must be matched before an action can take place. For example, the system should verify that information on the vendor invoice matches that on both the purchase order and the receiving report before paying a vendor. 2. File labels. File labels need to be checked to ensure that the correct and most current files are being updated. Two important types of internal labels are header and trailer records. The header record is located at the beginning of each file and contains the file name, expiration date, and other identification data. The trailer record is located at the end of the file and contains the batch totals calculated during input. 3. Recalculation of batch totals. Batch totals can be recomputed as each transaction record is processed and compared to the values in the trailer record. If financial or total discrepancy is evenly divisible by nine, the likely cause is a transposition error, in which two adjacent digits were inadvertently reversed (e.g., 46 instead of 64). 4. Cross-footing and zero-balance test. Often totals can be calculated in multiple ways. For example, in spreadsheets a grand total can often be computed either by summing a column of row totals or by summing a row of column totals. These two methods should produce the same result. 

A cross-footing balance test compares the results produced by each method to verify accuracy. For example, the totals for all debit columns are equal to the totals for all credit columns.

13-4 .



A zero-balance test applies the same logic to control accounts. For example, adding the balance for all customers in an accounts receivable subsidiary ledger and comparing to the balance in the accounts receivable general control account should be the same; the difference should be zero.

5. Write-protection mechanisms. These protect against the accidental writing over or erasing of data files stored on magnetic media. 6. Concurrent update controls protect records from errors that occur when two or more users attempt to update the same record simultaneously. This is accomplished by locking out one user until the system has finished processing the update entered by the other.

Output Controls Careful checking of system output provides additional control over processing integrity. Important output controls include: 1. User review of output. Users should carefully examine system output for reasonableness, completeness, and that they are the intended recipient. 2. Reconciliation procedures. Periodically, all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms. In addition, general ledger accounts should be reconciled to subsidiary account totals on a regular basis. 3. External data reconciliation. Database totals should periodically be reconciled with data maintained outside the system. For example, the number of employee records in the payroll file can be compared with the total from human resources to detect attempts to add fictitious employees to the payroll database. 4. Data transmission controls. Parity checking and message acknowledgement techniques are two basic types of data transmission controls (Checksums and parity bits). Checksums use a hash of a file to verify accuracy. Parity Checking Computers represent characters as a set of binary digits (bits). When data are transmitted, some bits may be lost or received incorrectly due to media disruptions or failures. To detect these types of errors, an extra digit, called a parity bit, is added to every character. For example, the digits 5 and 7 can be 13-5 .

represented by the seven-bit patterns 0000101 and 0000111, respectively. An eighth bit could be added to each character to serve as the parity bit. Two basic schemes are referred to as even parity and odd parity. In even parity, the parity bit is set so that each character has an even number of bits with the value 1; in odd parity, the parity bit is set so that an odd number of bits in the character have the value 1. Message Acknowledgment Techniques Techniques can be used to let the sender of an electronic message know that a message was received: 1.

Echo check. When data are transmitted, the system calculates a summary statistic, such as the number of bits in the message. The receiving unit performs the same calculation—a procedure known as an echo check—and sends the result to the sending unit. If the counts agree, the transmission is presumed to be accurate.

Trailer record. The sending unit stores control totals in a trailer record. The receiving unit uses that information to verify that the entire message was received.

Numbered batches. If a large message is transmitted in segments, each can be numbered sequentially so that the receiving unit can properly assemble the segments.

Example: Credit Sales Processing The following is an example of processing integrity controls using a credit sale as an example. The following transaction data are used: sales order number, customer account number, inventory item number, quantity sold, sale price, and delivery date. Processing these transactions includes the following steps: 1. Entering and editing the transaction data. 2. Updating the customer and inventory records (the amount of the credit purchase is added to the customer’s balance; for each inventory item, the quantity sold is subtracted from the quantity on hand). 3. Preparing and distributing shipping or billing documents.

Processing Integrity Controls using the example above: 1. When a user accesses the online system, logical access controls confirm the identity of the data entry device (personal computer, terminal) and the validity of the user’s ID number and password.

13-6 .

2. A compatibility test is performed on all user interactions to ensure that only authorized tasks are performed. 3. The system automatically assigns the transaction the next sequential sales order number and the current date as the date of the invoice. 4. To assist authorized personnel in entering sales data, the system prompts for all required input (completeness test). After each prompt, the system waits for a response. 5. Each response is tested using one or more of the following controls: validity checks (valid customer and inventory numbers), field and sign checks (only positive, numeric characters in the quantity, date, and price fields), and limit or range checks (delivery date versus current date). 6. When the customer number is entered, the system retrieves the corresponding customer name from the database and displays it on the screen (closed-loop verification). 7. When the inventory item number is entered, the system and the operator go through the same procedures as they do with the customer number. Processing Controls Updating files includes the customer and inventory database records. Additional validation tests are performed by comparing data in each transaction record with data in the corresponding database record. These tests often include the following: 1. Validity checks on the customer and inventory item numbers. 2. Sign checks on inventory-on-hand balance (after subtracting quantities sold). 3. Limit checks that compare each customer’s total amount due with the credit limit. 4. Range checks on the sale price of each item sold relative to the permissible range of prices for that item. 5. Reasonableness tests on the quantity sold of each item relative to normal sales quantities for that customer and that item. 13-7 .

Output Controls Output controls that can be utilized are as follows: 1. Billing and shipping documents are forwarded electronically to only preauthorized users. 2. Users in the shipping and billing departments perform a limited review of the documents by visually inspecting them for incomplete data or other obvious errors. 3. The control report is sent automatically to its intended recipients, or they can query the system for the report. Focus 13-1 on page 428 discusses some of the concerns involving the use of electronic voting machines. Voting software could use completeness checks to ensure that voters made choices in all races. This would eliminate the “hanging” problem created by failing to completely punch out the hole on a paper ballot. Limit checks could identify and prevent voters from attempting to select more candidates than permitted in a particular race. Some security experts suggest that election officials adopt the methods used by the state of Nevada to ensure that electronic gambling machines operate honestly and accurately, which include the following: 1. The Gaming Control Board keeps copies of all software. It is illegal for casinos to use any unregistered software. For electronic voting, the government should keep copies of the source code. 2. Frequent on-site spot checks of the computer chips in gambling machines are made to verify compliance with the Gaming Control Board’s records. Similar tests should be done to voting machines. 3. Extensive tests are conducted of the machine’s physical security, such as how it reacts to stun guns and large electric shocks. Voting machines should be similarly tested. 4. All gambling machine manufacturers are carefully scrutinized and are registered. Similar checks should be performed on voting machine manufacturers and software developers.

Multiple Choice 1 13-8 .

The COBIT control objective that addresses the threat of invalid input is: a. DSS 06 b. BAI 06 c. APO 06 d. APO 03 Multiple Choice 2 If an online file is damaged, the _____ can be used for reconstruction purposes. a. transaction log b. field check c. hash total d. record count Multiple Choice 3 _____ protects records from errors that occur when two or more users attempt to update the same record simultaneously. a. Cross-footing balance test b. Online processing controls c. Concurrent update controls d. Zero-balance test

Learning Objective Two Identify and explain controls designed to ensure systems availability by minimizing the risk of system downtime and enabling efficient recovery and resumption of operations.

Availability Reliable systems and information are available for use whenever needed. Threats to system availability originate from many sources, including: 1.

Hardware and software failures.

Natural and man-made disasters.

Human error.

Worms and viruses.

Denial-of-service attacks and other acts of sabotage.

Table 13-2 on page 429 summarizes the key controls related to ensure system availability which minimize system downtime and provide timely recovery.

13-9 .

Minimizing Risk of System Downtime The loss of system availability can cause significant financial losses. Organizations can take a variety of steps to minimize the risk of system downtime. The physical and logical access controls can reduce the risk of successful denial-of-service attacks. Good computer security reduces the risk of system downtime due to the theft or sabotage of information system resources. The use of redundant components, such as dual processors and redundant arrays of independent hard drives (RAID), provides fault tolerance, enabling a system to continue functioning in the event that a particular component fails. Surge protection devices provide protection against temporary power fluctuation that might otherwise cause computers and other network equipment to crash. An uninterruptible power supply (UPS) system provides protection in the event of a prolonged power outage.

Recovery and Resumption of Normal Operations Sr. Management must ask themselves two questions relating to the risk of downtime: 1. How much data are we willing to recreate from source documents (if they exist) or potentially lose (if no source documents exist)? 2. How long can the organization function without its information system? Figure 13-1 on page 431 shows the relationship of these two questions. Management’s answer to the first question determines the organization’s recovery point objective (RPO). RPO is inversely related to the frequency of backups. The answer to the second question determines the organization’s recovery time objective (RTO). Disaster recovery and business continuity plans are essential if an organization hopes to survive a major catastrophe.

13-10 .

Data Backup Procedures A backup is an exact copy of the most current version of a database, file, or software program. The process of installing the backup copy for use is called restoration. Several different backup procedures exist: A full backup is an exact copy of the data recorded on another physical media (tape, magnetic disk, CD, DVD, and so on). Full backups are time-consuming, so most organizations only do full backups weekly and supplement them with daily backups. Two types of partial backups are: 1. An incremental backup involves copying only the data items that have changed since the last backup. 2. Differential backup copies all changes made since the last full backup. 3. Deduplication is a process that uses hashing to identify and backup only those portions of a file or database that have been updated since the last backup. Management must establish an RPO, which represents the maximum length of time for which it is willing to risk the possible loss of transaction data. Real-time mirroring involves maintaining two copies of the database at two separate data centers at all times and updating both copies in real-time as each transaction occurs. Periodically, the system makes a copy of the database at that point in time, called a checkpoint, and stores it on backup media. An archive is a copy of a database, master file, or software that will be retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements. Infrastructure Replacement A second key component of disaster recovery includes provisions for replacing the necessary computer infrastructure: computers, network equipment and access, telephone lines, other office equipment (e.g., fax machines), and supplies.

13-11 .

The RTO represents the time following a disaster by which the organization’s information system must be available again.

Organizations have three basic options for replacing computer and networking equipment: 1. The least expensive approach is to create reciprocal agreements with another organization that uses similar equipment to have temporary access to and use of their information system resources. 2. Another solution involves purchasing or leasing a cold site, which is an empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary computers, and other office equipment within a specified period of time. 3. A more expensive solution for organizations, such as financial institutions and airlines, which cannot survive any appreciable time period without access to their information system, is to create what is referred to as a hot site. A hot site is a facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities. Documentation Documentation is an important, but often overlooked, component of disaster recovery and business continuity plans. The plan itself, including instructions for notifying appropriate staff and the steps to be taken to resume operations, needs to be well documented. Testing Periodic testing and revision are probably the most important component of effective disaster recovery and business continuity plans. Most plans fail their initial test because it is impossible to anticipate everything that could go wrong. Disaster recovery and business continuity plans need to be tested on at least an annual basis.

13-12 .

Focus 13-2 on page 434 describes how NASDAQ recovered from September 11. Because of their recovery plan, NASDAQ was up and running only six days after the 9/11/01 terrorist attack. Although the Manhattan office phone lines were out, NASDAQ still had offices in Maryland and Connecticut, which allowed it to monitor the regulatory processes. NASDAQ also had their executives carry more than one mobile phone in case one service provider went down.

Multiple Choice 4 Which of the following COBIT control objective addresses the importance of locating and designing the rooms housing mission-critical servers and databases? a. DSS 01 b. DSS03 c. DSS05 d. DSS 06 Multiple Choice 5 Full backups are time-consuming, so most organizations only do full backups _____ and supplement them with _____ partial backups. a. monthly; weekly b. quarterly; monthly c. annually; quarterly d. weekly; daily

Answers to Multiple Choice Questions: Multiple Choice Question Answers Number Answer 1 A 2 C 3 C 4 A 5 D

13-13 .

CHAPTER 14 THE REVENUE CYCLE: SALES TO CASH COLLECTIONS Instructor’s Manual Learning Objectives: 1. Describe the basic business activities in the revenue cycle and discuss the general threats to that process and the controls that can be used to mitigate those threats. 2. Explain the sales order entry process, the key decisions that need to be made, and threats to that process, and describe the controls that can be used to mitigate those threats. 3. Explain the shipping process, key decisions that need to be made, and threats to that process, and describe the controls that can be used to mitigate those threats. 4. Explain the billing process, key decisions that need to be made, and threats to that process, and describe the controls that can be used to mitigate those threats. 5. Explain the cash collections process, key decisions that need to be made and threats to that process, and describe the controls that can be used to mitigate those threats. Questions to be addressed in this chapter include: 1. How could AOE improve customer service? What information does marketing need to perform its tasks better? 2. How could AOE identify its most profitable customers and markets? 3. How can AOE improve its monitoring of credit accounts? How would any changes in credit policy affect both sales and uncollectible accounts? 4. How could AOE improve its cash collection procedures?

Introduction The revenue cycle is a recurring set of business activities and related information processing operations associated with providing goods and services to customers and collecting cash in payment for those sales. Refer to Figure 14-2 on page 454 for the context diagram of the revenue cycle.

Learning Objective One Describe the basic activities in the revenue cycle and discuss the general threats to that process and the controls that can be used to mitigate those threats.

14-1 .

Revenue Cycle Business Activities Figure 14-3 on page 455 shows the four basic business activities performed in the revenue cycle. 1. Sales order entry 2. Shipping 3. Billing 4. Cash collections The revenue cycle’s primary objective is to provide the right product in the right place at the right time for the right price. To accomplish that objective, management must make the following key decisions: 1. To what extent can and should products be customized to individual customers’ needs and desires? 2. How much inventory should be carried, and where should that inventory be located? 3. How should merchandise be delivered to customers? Should the company perform the shipping function itself or outsource it to a third party that specializes in logistics? 4. What are the optimal prices for each product or service? 5. Should credit be extended to customers? 6. How much credit should be given to individual customers? 7. What credit terms should be offered? 8. How can customer payments be processed to maximize cash flow?

General Threats and Controls General threats and controls throughout the revenue cycle include: 1. Threat: Inaccurate or invalid master data Control: Data processing integrity controls Restriction of access to master data Review of all changes to master data 2. Threat: Unauthorized disclosure of sensitive information Control: Access controls Encryption 14-2 .

Tokenization of customer personal information 3. Threat: Loss or destruction of data Control: Backup and disaster recovery procedures 4. Threat: Poor performance Control: Managerial Reports Multiple Choice 1 A general threat throughout the revenue cycle includes: a. Loss or destruction of data b. Invalid orders c. Theft of inventory d. All of the above e. None of the above Multiple Choice 2 The following are the business activities performed in the revenue cycle: 1. Shipping 2. Cash collections 3. Sales order entry 4. Billing The correct sequence in which these activities are performed is: a. 3, 2, 1, 4 b. 3, 4, 1, 2 c. 3, 1, 4, 2 d. 3, 4, 2, 1

Learning Objective Two Explain the sales order entry process, the key decisions that need to be made, and threats to that process, and describe the controls that can beSales used Order to mitigate Entry those threats.

The revenue cycle begins with the receipt of orders from customers. The sales order entry process involves four steps: 1. Taking the customer’s order 2. Approving customer credit 3. Checking inventory availability 4. Respond to customer inquiries Taking Customer Orders 14-3 .

Normally, this order document is electronically displayed on a computer monitor screen. Orders can be received in the store, by mail, by phone, over a website, or by a salesperson in the field. Websites provide another way to automate sales order entry. Online order information can be automatically routed to the warehouse to generate picking and shipping instructions. Figure 14-7 on page 460 provides a typical sales order entry screen (this is from NetSuite accounting software). Credit Approval Most business-to-business sales are made on credit. Credit sales should be approved before they are processed. Each customer will have a credit limit. Credit limit is the maximum allowable account balance for each customer based on the customer’s past credit history and ability to pay. Figure 14-8 on page 463 shows the information typically available for this purpose: the customer’s credit limit, current balance, and age of any outstanding unpaid invoices. An accounts receivable aging report as shown in Figure 14-9 on page 463 is a useful report that lists customer accounts and the length of time outstanding for each invoice. Checking Inventory Availability The next step is to determine if there is sufficient inventory available to fill the order. Figure 14-10 on page 464 shows an example of the information that is usually available to the sales order entry clerk. When there are not sufficient items on hand to fill the customer’s order, a back order is created. Once the item(s) become available, a picking ticket is created. The picking ticket authorizes the inventory control function to release merchandise to the shipping department. The accuracy of inventory records is important because customers may become justifiably upset when unexpected delays occur in filling their orders.

14-4 .

For Class Discussion: What example do you have if you place an order online and the website shows the item is available only to find out the next day that the item is back ordered? What has actually happened when you receive this notice is that the inventory system is not updating in real time and it is likely that updates are done overnight in a batch processing manner. Responding to Customer Inquiries Customer service is so important that many companies use special software packages, called Customer Relationship Management (CRM) systems, to support this vital process. The goal of CRM is to retain customers. This is important because a general marketing rule of thumb is that it costs at least five times as much to attract and make a sale to a new customer as it does to make a repeat sale to an existing customer. Transaction processing technology can also be used to improve customer relationships. For example, many commercial POS systems (point of sale) can link not only with the inventory file but also with the customer master file. This not only automatically updates accounts receivable balances but provides an opportunity to print customized coupons and personal messages on each sales receipt, such as “Thank you.” Information technology can be used to automate responses to many customer routine inquiries. Websites provide a cost-effective alternative to traditional toll-free telephone customer support, automating that process with a list of frequently asked questions (FAQs). Discussion boards can also be provided so that customers can share information and useful tips with one another. Websites also enable customers to use personal identification numbers (PINs) to directly access their account information and to check on the status of orders.

Sales Order Entry Threats and Controls The primary objectives of the sales order entry process are to accurately and efficiently process customer orders, ensure that the company gets paid for all credit sales and that all sales are legitimate, and to minimize the loss of revenue arising from poor inventory management.

14-5 .

The following are Threats 5 through 9 listed for sales order entry in Table 14-1 on page 457-458. Threat 5: Incomplete or Inaccurate Customer Orders Incomplete or inaccurate information about the customer and their order could prove embarrassing because most likely you will need to call that customer to get the correct information. Control: Data entry edit controls Restriction of access to master data Threat 6: Invalid Orders Sales orders must be properly authorized from the customer (this is usually a signature if on a written contract, or can be digitized for online orders authorizing the order). Control: Digital signatures or written signatures Threat 7: Uncollectible Accounts Another threat in sales order entry is the possibility of making sales that later turn out to be uncollectible. Control: Use credit limits Specific authorization to approve sales to new customers or sales that exceed customer's credit limit Management review of accounts receivable aging report Threat 8: Stockouts or Excess Inventory Sales could be lost due to stock outs. Excess inventory means additional carrying costs and potential markdowns. Control: Perpetual inventory control system Use bar codes or RFID Training Periodic physical counts of inventory Sales forecasts and activity reports Threat 9: Loss of Customers Control: CRM systems, self-help websites, and proper evaluation of customer service ratings

Multiple Choice 3 A useful report for management to control for the threat of uncollectible accounts is: a. Customer list 14-6 .

b. Accounts receivable aging report c. Sales order report d. Inventory report

Learning Objective Three Explain the shipping process, key decisions that need to be made, and threats to that process, and describe the controls that can be used to mitigate those threats.

Shipping The second basic activity in the revenue cycle is filling customer orders and shipping the desired merchandise. Refer to circle 2 in Figure 14-3 on page 455. The primary objective of the shipping function is to fill customer orders efficiently and accurately, and to safeguard inventory. Figure 14-12 on page 467 provides a data flow diagram for shipping. Shipping consists of the following two steps: 1.

Picking and packing the order

Shipping the goods

Pick and Pack the Order The picking ticket printed by sales order entry triggers the pick and pack process. Some of the investments companies have made are in an automated warehouse system that includes computers, bar-code scanners, conveyer belts, and communications technology. Radio-Frequency Identification (RFID) replaces the bar codes. The RFID tag eliminates the need to align items with scanners; instead, the tags can be read as the inventory moves throughout the warehouse. Ship the Order The shipping department compares the physical count of inventory with the quantities indicated on the picking ticket and with the quantities indicated on the copy of the sales order that was sent directly to shipping from sales order entry. 14-7 .

The packing slip lists the quantity and description of each item included in the shipment. An example of a packing slip is Figure 14-13 on page 469. The bill of lading is a legal contract that defines responsibility for the goods in transit. Figure 14-14 on page 470 provides a sample of a bill of lading. If the customer is to pay the shipping charges, the copy of the bill of lading may serve as a freight bill, to indicate the amount the customer should pay to the carrier. One major decision that needs to be made when filling and shipping customer orders concerns the choice of delivery method as this can be a major cost factor. Another important decision concerns the location of distribution centers. RFID systems can provide real-time information on shipping status and thus provide additional value to customers.

Threats to the shipping activity and controls: Threat 10: Picking the Wrong Items or Wrong Quantity Customers want what they ordered and do not want a surprise and hassle of returning something they did not order. Control: Bar-code and RFID technology Reconciliation of picking lists to sales order details Threat 11: Theft of Inventory This is the threat that an employee or customer could steal the merchandise. Also, inventory can be stolen in transit. Control:

Restrict physical access to inventory All inventory transfers should be documented RFID and bar-code technology Periodic physical counts of inventory and reconciliation to recorded quantities

Threat 12: Shipping Errors Shipping the wrong items or quantities of merchandise and shipping to the wrong locations are serious errors because they can significantly reduce customer satisfaction and thus future sales.

14-8 .

Control: Reconciliation of shipping documents with sales orders, picking lists, and packing slips. Use RFID systems to identify delays Data entry via bar-code scanners and RFID Data entry edit controls Configuration of ERP system to prevent duplicate shipments Multiple Choice 4 An important decision during the shipping stage is: a. Selecting a carrier b. Location of distribution centers c. All of the above d. None of the above Multiple Choice 5 The following lists the quantity and description of each item included in the shipment: a. Picking ticket b. Bill of lading c. Sales order d. Packing slip

Learning Objective Four Explain the billing process, key decisions that need to be made, and threats to that process, and describe the controls that can be used to mitigate those threats.

Billing The third basic activity in the revenue cycle, shown in circle 3.0 in Figure 14-3 on page 455, involves billing customers. The primary objectives of the billing and accounts receivable functions are to ensure that customers are billed for all sales, that invoices are accurate, and that customer accounts are accurately maintained. Figure 14-15 on page 472 provides a data flow diagram of invoicing and accounts receivable.

Invoicing The document created in the billing process is the sales invoice, which notifies customers of the amount to be paid and where to send payment. 14-9 .

Figure 14-16 on page 473 provides an example of an invoice. Maintain Accounts Receivable The accounts receivable function uses the information on the invoice to debit the customers’ accounts for credit purchases and credit the customers’ accounts when payment is received. Under the open-invoice method, customers normally pay according to each invoice. The customer is asked to return a copy of the invoice when mailing in their payment. This return copy is referred to as the remittance advice. Under the balance-forward method, customers typically pay according to the amount shown on a monthly statement. A monthly statement lists all transactions, including both sales and payments. Figure 14-17 on page 474 provides an example of a monthly statement. One advantage of the open-invoice method is that it is conducive to offering discounts for prompt payment, as invoices are individually tracked and aged. A disadvantage of the open-invoice method is the added complexity required to maintain information about the status of each individual invoice for each customer. Under cycle billing, monthly statements are prepared for subsets of customers at different times. For example, the customer master file might be divided into four parts, and each week monthly statements would be prepared for one-fourth of the customers. Exceptions: Account Adjustments and Write-offs This involves either the return of merchandise by customers for credit or the write-off of customers who do not pay their bill. Figure 14-18 on page 476 provides an example of a credit memo. After repeated attempts to collect payment have failed, it may be necessary to write-off a customer’s account. In such cases, the credit manager issues a credit memo to authorize the write-off.

14-10 .

Threat 13: Failure to Bill Customers Failure to bill customers for items shipped results in the loss of assets and erroneous data about sales, inventory, and accounts receivable. Control: Segregating the shipping and billing functions Periodic reconciliation of invoices with sales orders, picking tickets, and shipping documents Threat 14: Billing Errors Billing errors, such as pricing mistakes and billing customers for items not shipped or on back order, represent another potential threat. Controls: Configuration of system to automatically enter pricing data Restrict access to pricing master data Data entry edit controls Reconciling shipping documents to the sales order

Threat 15: Posting Errors in Accounts Receivable Control: Data entry controls such as the following edit checks should be used to ensure accuracy in updating customer accounts: 1. Validity checks on the customer and invoice numbers. 2. Closed-loop verification to ensure that the proper account is being credited. 3. A field check to ensure that only numeric values are entered for payment amounts. Reconciliation of batch totals Mailing of monthly statements to customers Reconciliation of subsidiary accounts to general ledger Threat 16: Inaccurate or Invalid Credit Memos Control: Segregation of duties of credit memo authorization. Returns must have proper authorization from management (RMA: Return Management Authorization) Multiple Choice 6 The two basic methods to maintain accounts receivable are: a. Real-time and open-invoice b. Real-time and balance-forward c. Open-invoice and balance-forward d. None of the above

14-11 .

Learning Objective Five Explain the cash collections process, key Cash Collections decisions that need to be made and threats to that process, and describe the controls that can be used to mitigate those threats.

The final step in the revenue cycle is cash collections. Refer to circle 4.0 in Figure 14-3 on page 455. The primary objective of the cash collections function is to safeguard customer remittances. The cashier handles customer remittances and deposits them in the bank. A remittance list provides the names and amounts of all customer remittances, and sends it to accounts receivable. A lockbox is a postal address to which customers send their remittances. The participating bank picks up the checks from the post office box and deposits them to the company’s account. Under an electronic lockbox arrangement, the bank electronically sends the company information about the customer account number and the amount remitted as soon as it receives and scans those checks. With electronic funds transfer (EFT), customers send their remittances electronically to the company’s bank and thus eliminate the delay associated with the time the remittance is in the mail system. EFT is usually accomplished through the banking system’s Automated Clearing House (ACH) network. EFT involves only the transfer of funds. Although every bank can do EFT through the ACH system, not every bank possesses the EDI capabilities necessary to process the related remittance data. Electronic data interchange (EDI) is the use of computerized communication to exchange business data electronically in order to process transactions. Financial electronic data interchange (FEDI) integrates the exchange of EFT with the exchange of the remittance data; electronic data interchange (EDI).

14-12 .

Figure 14-19 on page 478 provides a picture of the difference between EDI, EFT, and FEDI. When dealing with customers who are not FEDI capable, or with individual consumers, companies can also speed the collection process by accepting credit cards or procurement cards (a special type of credit card discussed in Chapter 13). Threat 17: Theft of Cash Control: The following segregation of duties should be used to reduce this risk. The person who handles (deposits) should not also: 1. post remittances to customer accounts 2. create or authorize credit memos 3. reconcile the bank account In general, the handling of money and checks within the organization should be minimized. The optimal methods are a bank lockbox arrangement or the use of EFT or FEDI for customer payments. Immediately upon opening mail, create a list of all customer payments received. Prompt, restrictive endorsement of all customer checks 2 people open mail Use cash registers Daily deposits Threat 18: Cash Flow Problems Control: Lockbox can help increase the posting of cash in a bank account. This is helpful when the organization has many transactions in a month. Discounts for prompt payment by customers Cash flow budgets Multiple Choice 7 The applicable control procedure for the threat of incomplete or inaccurate customer orders is: a. Data entry edit checks b. Segregation of duties c. Data entry edit controls d. Reconciliation of sales order with the picking ticket

14-13 .

Multiple Choice 8 The applicable control for theft of cash is: a. Lockboxes b. Segregation of duties c. Use of cash registers d. All of the above Multiple Choice 9 Operational data is needed to monitor performance and to perform the following recurring tasks: a. Respond to customer inquiries about account balances and order status b. Select methods for delivering merchandise c. Determine inventory availability d. B and C e. All of the above Multiple Choice 10 Aging of accounts receivable is based on the: a. sales order date b. picking ticket date c. invoice date d. bill of lading date

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number 1 A 6 2 C 7 3 B 8 4 C 9 5 D 10

14-14 .

Answer C A D E C

CHAPTER 15 THE EXPENDITURE CYCLE: PURCHASING TO CASH DISBURSEMENTS Instructor’s Manual Learning Objectives: 1. Describe the basic business activities and related information processing operations in the expenditure cycle, explain the general threats to those activities, and describe the controls that can mitigate those threats. 2. Explain the process and key decisions involved in ordering goods and services, identify the threats to those activities, and describe the controls that can mitigate those threats. 3. Explain the process and key decisions involved in receiving goods and services, identify the threats to those activities, and describe the controls that can mitigate those threats. 4. Explain the process and key decisions involved in approving supplier invoices for goods and services, identify the threats to those activities, and describe the controls that can mitigate those threats. 5. Explain the process and key decisions involved in making cash disbursements to suppliers, identify the threats to those activities, and describe the controls that can mitigate those threats. Questions to be addressed in this chapter include: 1. What must be done to ensure that AOE’s inventory records are current and accurate to avoid unexpected components shortages like those experienced at the Wichita plant? 2. How could the problems at the Dayton plant be avoided in the future? What can be done to ensure timely delivery of quality components? 3. Is it possible to reduce AOE’s investment in materials inventories? 4. How could the information system provide better information to guide planning and production? 5. How could IT be used to further reengineer expenditure cycle activities?

Introduction The expenditure cycle is a recurring set of business activities and related data processing operations associated with the purchase of and payment for goods and services.

15-1 .

Figure 15-1 on page 495 provides a context diagram of the expenditure cycle. Note that the expenditure cycle involves the revenue cycle, inventory cycle, various departments involved in requesting items to be ordered and receiving the items, and the production cycle. This chapter focuses on the purchase of raw materials, finished goods, supplies, and services. Chapters 16 and 17 will cover fixed assets and labor services, respectively. The primary objective of the expenditure cycle is to minimize the total cost of acquiring and maintaining inventories, supplies, and the various services the organization needs to function.

Learning Objective One Describe the basic business activities and related information processing operations performed in the expenditure cycle, explain the general threats to those activities, and describe the controls that can mitigate those threats.

Expenditure Cycle Business Activities Figure 15-2 on page 497 provides a level 0 data flow diagram for the expenditure cycle. Four basic business activities in the expenditure cycle: 1. Ordering goods, supplies, and services. 2. Receiving and storing goods, supplies, and services. 3. Approving supplier invoices. 4. Paying for goods, supplies, and services.

Expenditure Cycle Information Needs The following information is needed for the following operational tasks in the expenditure cycle: 1. Determine when and how much additional inventory to order. 2. Select the appropriate suppliers from whom to order. 3. Verify the accuracy of vendor invoices. 4. Decide if purchase discounts should be taken. 5. Monitor cash flow needs to pay outstanding obligations. 15-2 .

The AIS needs to provide information to evaluate the following: 1.

Purchasing efficiency and effectiveness

Supplier performance

Time taken to move goods from receiving to production

Percent of purchase discounts taken

Notice that these decisions require both financial and operating data. Because inventory represents a sizable investment of working capital, reports that help manage inventory are especially valuable. A key inventory measure is the inventory turnover.

Control Objectives, Threats, And Procedures In the expenditure cycle (or any cycle), a well-designed AIS should provide adequate controls to ensure that the following objectives are met: 1. All transactions are properly authorized. 2. All recorded transactions are valid. 3. All valid and authorized transactions are recorded. 4. All transactions are recorded accurately. 5. Assets are safeguarded from loss or theft. 6. Business activities are performed efficiently and effectively. 7. The company is in compliance with all applicable laws and regulations. 8. All disclosures are full and fair. Table 15-2 on pages 500-501 provides a detail of the threats and controls for the expenditure cycle. General Control Issues Threat 1: Inaccurate or invalid master data Controls: Data processing integrity controls, restriction of access to master data, review of all changes to master data. Threat 2: Unauthorized disclosure of sensitive information Controls: Access controls and Encryption

15-3 .

Threat 3: Loss or destruction of data Controls: Backup and disaster recovery procedures Threat 4: Performing Poorly Controls: Managerial reports Multiple Choice 1 The activities in the expenditure cycle in the correct order of activity is: a. order, storing, paying b. ordering, receiving, approving, paying c. identifying needs, approving, ordering, paying d. approving, receiving, paying

Learning Objective Two Explain the process and key decisions involved in ordering goods and services, identify the threats to those activities, and describe the controls that can mitigate those threats.

Order Goods The first major business activity in the expenditure cycle (circle 1.0 in Figure 15-2 on page 497) is ordering inventory or supplies. Key decisions in this process involve identifying what, when, and how much to purchase and from whom. Weaknesses in inventory control can create significant problems with this process as demonstrated in the introductory AOE case: 1. Inaccurate inventory records. 2. Inventory shorts resulting in production delays caused by late delivery or substandard components delivered. Alternative Inventory Control Methods One of the key factors affecting the ordering process is the inventory control method to be used. We will consider three alternate approaches to inventory control: Economic order quantity (EOQ); just-in-time inventory (JIT); and materials requirements planning (MRP). EOQ is the traditional approach to managing inventory. The goal is to maintain enough stock so that production does not get interrupted. An optimal order size is calculated by minimizing 15-4 .

the sum of ordering costs, carrying costs, and stockout costs. A reorder point is also calculated. 1. Ordering costs include all expenses associated with processing purchase transactions. 2. Carrying costs are those associated with holding inventory. 3. Stockout costs are those costs that result from inventory shortages, such as lost sales or production delays. 4. The reorder point is when to order based on delivery time and safety stock levels. 5. Optimal order size

EOQ =

2 DP C

D = Demand in units for a specified period P = Relevant ordering cost per purchase order C = Relevant carrying cost of one unit in stock for the time period used for D Materials requirement planning (MRP) seeks to reduce inventory levels by improving the accuracy of forecasting techniques to better schedule purchases to satisfy production needs. This schedule identifies the quantities of raw materials, parts, and supplies needed in production and the point in time when they will be needed. Just-in-time (JIT) systems attempt to minimize, if not totally eliminate, carrying inventory by purchasing and producing goods in response to actual sales. These systems have frequent, small deliveries of materials, parts, and supplies directly to the location where production will occur. A major difference between MRP and JIT is the production scheduling. 1. MRP systems schedule production to meet forecasted sales; thereby creating a stock of finished goods inventory. 2. JIT systems schedule production in response to customer demands; thereby virtually eliminating finished goods inventory. Purchase Requests Whatever the inventory control system, the order processing typically begins with a purchase request followed by the generation of a purchase order. The purchase requisition is 15-5 .

triggered by the inventory control function or an employee noticing a shortage. Advanced inventory control systems automatically initiate purchase requests when quantity falls below the reorder point. The purchase requisition is a paper or electronic form that identifies who is requesting the goods; where they should be delivered; when they’re needed; item numbers, descriptions, quantities, and prices; a suggested supplier; and the department number and account number to be charged. The purchase requisition is received by a purchasing agent in the purchasing department, who typically performs the purchasing activity. The purchase requisition is a document, or electronic form, that identifies the requisitioner; specifies the delivery location and date needed; identifies the item numbers, descriptions, quantity, and price of each item requested; and may suggest a supplier. Figure 15-5 on page 503 shows a typical purchase requisition data entry screen used in ERP systems. Generating Purchase Orders A crucial decision is the selection of supplier for inventory items. Several factors should be considered in making this decision: 1. Price 2. Quality of materials 3. Dependability in making deliveries Once a supplier has been selected for a product, their identity should become part of the product inventory master file. It’s important to track and periodically evaluate supplier performance. The purchasing function should be evaluated and rewarded based on how well it minimizes total costs, not just the costs of purchasing the goods. A purchase order (PO), shown in Figure 15-7 on page 506 is a document or electronic form that formally requests a supplier to sell and deliver specified products at specified prices. The PO is both a contract and a promise to pay. Multiple purchase orders may be completed for one purchase requisition if multiple vendors will fill the request. A blanket purchase order is a commitment to buy specified items at specified prices from a particular supplier for a set time period. Improving Efficiency and Effectiveness The major cost driver is the number of purchase orders processed. Using EDI is one way to improve the purchasing process. EDI reduces costs by eliminating the clerical work associated with printing and mailing paper documents. 15-6 .

The time between recognizing the need to reorder an item and subsequently receiving it also is reduced. Vendor-managed inventory programs provide another means of reducing purchase and inventory costs. Vendor-managed inventory essentially outsources much of the inventory control and purchasing. Suppliers are given access to point-of-sales and inventory data and are authorized to automatically replenish inventory. For example, Walmart uses vendor management systems with their vendors (e.g., Proctor & Gamble) to make sure that the store shelves are well-stocked. Reverse auctions provide another technique to reduce purchasingrelated expenses. In reverse auctions, suppliers compete with one another to need demand at the lowest price. One other way to reduce purchasing-related costs is to conduct a pre-award audit, normally involving large purchases that involve bids. The internal auditor verifies the accuracy of the bids.

Order Goods Threat 5: Stockouts or Excess Inventory Stockouts result in lost sales; excess inventory incurs higher than necessary carrying costs. Controls: Accurate inventory control and sales forecasting; use of perpetual inventory method; supplier performance reports; recording of inventory changes in real time; barcoding inventory; and periodic physical counts Threat 6: Ordering Unnecessary Items Companies must also beware of purchasing items that are not currently needed. Controls: Integrate databases of various divisions and produce reports that link item descriptions to part numbers to allow consolidation of orders Threat 7: Purchasing Goods at Inflated Prices The cost of purchased components represents a substantial portion of the total cost of many manufactured products. Controls: Price lists for frequently-purchased items; use of catalogs for low-cost items; solicitation of bids for high-cost and specialized products; review of purchase 15-7 .

orders; budgetary controls and responsibility accounting; and performance review Threat 8: Purchasing Goods of Inferior Quality Sometimes purchasing goods at the lowest possible price sacrifices quality of the goods. Controls: Use of approved supplier list; review of purchase orders; tracking of supplier performance; purchasing accountability for rework and scrap Threat 9: Purchasing from Unreliable Suppliers Require certification from suppliers (e.g., ISO 9000) and monitor supplier performance. Threat 10: Purchasing from Unauthorized Suppliers Purchasing from unauthorized suppliers can result in numerous problems. Items may be of inferior quality or overpriced. Controls: Review of purchase orders; restriction of access to supplier list; periodic review of supplier list; and coordination with procurement card providers to restrict acceptance of cards Threat 11: Kickbacks Kickbacks are gifts from suppliers to purchasing agents for the purpose of influencing their choice of suppliers. Controls: “No gift” policy for buyers; employee training on gift handling; job rotation and mandatory vacation; audits of buyers; review of conflict of interest statements; vendor audits EDI-Related Threats Controls: Restriction of EDI access; verification and authentication of EDI transactions; acknowledgment of EDI transactions; log and review EDI of transactions; encryption; digital signatures; EDI agreements with suppliers Types of issues that occur when suppliers are linked to the company’s POS system to automatically manage inventory: 1. At what point in the process can the order be canceled? 2. Which party is responsible for the cost of return freight if contract terms are not followed? 3. Which party is responsible for errors in bar codes, RFID tags, and labels? 15-8 .

4. What happens if errors in the purchasing company’s POS system cause additional errors in the amount of goods that suppliers provide? 5. Can suppliers ship more inventory than ordered if doing so reduces total freight costs by having a full, rather than partial, truckload? Purchases of Services Controls: Hold supervisors accountable for costs; compare actual to budgeted expenses; review and audit contracts for services Multiple Choice 2 The approach to managing inventory that is based on forecasted sales to schedule production is: a. IBM b. EOQ c. MRP d. JIT Multiple Choice 3 Crucial operating decisions when selecting suppliers for inventory items includes: a. price b. quality of materials c. dependability of making decisions d. all of the above Multiple Choice 4 The document used to request that an item be ordered is the: a. purchase order b. purchase requisition c. purchase advice d. purchase auction Multiple Choice 5 The major cost driver in the purchasing function is: a. the number of purchase orders processed b. the price of the items purchased c. the reputation of the supplier d. none of the above.

15-9 .

Learning Objective Three Explain the process and key decisions involved in receiving goods and services, identify the threats to those activities, and describe the controls that can mitigate those threats.

Receiving and Storing Goods The receiving department accepts deliveries from suppliers. The receiving department normally reports to the warehouse manager, who reports to vice president of manufacturing. The inventory stores department, which also reports to the warehouse manager, is responsible for the storage of the goods. The receipt of goods must be communicated to the inventory control function to update inventory records. The two major responsibilities of the receiving department are deciding whether to accept delivery (based on whether there is a valid purchase order) and verifying the quantity and quality of delivered goods. Verifying the quantity of delivered goods is important so the company pays only for goods received and inventory records are updated accurately. The receiving report is the primary document used in this process. The receiving report includes the date received, shipper, supplier, and purchase order number. For each item received, it shows the item number, description, unit of measure, and quantity. It also provides space for signature and comments by the person who receives and inspects the goods. A receiving report is not typically used for receipt of services. Receipt of services is typically documented by supervisory approval of the supplier’s invoice. When goods arrive, a receiving clerk compares the PO number on the packing slip with the open PO file to verify the goods were ordered. The receiving clerk counts the goods and examines them for damage before routing to the warehouse or factory. Three possible exceptions to this process are: 1. Receiving a quantity of goods different from the amount ordered. 2. Receiving damaged goods. 3. Receiving goods of inferior quality that fail inspection. In all three cases, the purchasing department must resolve the situation with the supplier. 15-10 .

In the case of damaged or poor quality goods, a debit memo is prepared after the supplier agrees to take back the goods or grant a price reduction. Improve Efficiency and Effectiveness One way to improve the efficiency of the receiving process is to require suppliers to bar code their products. Bar-coding enables receiving clerks to scan in the product number, description, and quantity of all items received, eliminating data errors. Radio frequency identification (RFID) tags are attached to each crate of goods and emit a signal that a receiving unit embedded in the gates near a company’s warehouse unit can read. EDI and satellite technology provide another way to improve the efficiency of inbound logistics. EDI advance shipping notices inform companies when products have been shipped. Finally, audits may identify opportunities to cut freight costs. For example, many companies have negotiated significant savings with specific carriers. Focus 15-1 on page 509 describes supplier audits as a tool for assessing expenditure cycle effectiveness.

Receive and Store Goods The primary objectives of this process are to verify the receipt of ordered inventory and safeguard the inventory against loss or theft. Threat 12: Receiving Unordered Goods Controls: Accept goods only when there is an approved purchase order Threat 13: Mistakes in Counting Received Goods Controls: Bar coding of ordered goods; quantities blanked out on receiving forms; signature of receiving clerks; bonuses for catching discrepancies; re-counting of items by inventory control Threat 14: Verify Receipt of Services Controls: Budgetary controls, audits Threat 15: Stealing Inventory Controls: Secure storage locations for inventory; documentation of intra-company transfers; periodic physical counts; segregation of duties Multiple Choice 6 15-11 .

A receiving report is typically not used for: a. low cost supply items b. items ordered on blanket purchase orders c. receipt of services d. reoccurring items

Learning Objective Four Explain the process and key decisions involved in approving supplier invoices, identify the threats to those activities, and describe the controls that can mitigate those threats.

Approve Vendor Invoices for Payment Approval of vendor invoices is done by the accounts payable department, which reports to the controller. The legal obligation to pay arises when goods are received; but most companies pay only after receiving and approving the invoice. This timing difference may necessitate adjusting entries at the end of a fiscal period. The objective of accounts payable is to authorize payment only for goods and services that were ordered and actually received. This requires information from purchasing about the existence of a valid purchase order and from receiving for a report that goods were received. There are two basic approaches to processing vendor invoices: 1. Non-voucher system—Each approved invoice is posted in the supplier’s records in accounts payable, filed, and is then stored in an open invoice file. When a check is written, the invoice is removed from the open invoice file, marked “paid” and then stored in a paid invoice file. Marking “paid” on the invoice is an act known as “cancelling the invoice” so the invoice cannot be paid twice. 2. Voucher system—A disbursement voucher is also prepared which identifies the supplier, lists outstanding invoices, and net amount to be paid after discounts and allowances. The disbursement voucher effectively shows which accounts will be debited and credited, along with the account numbers. There are three advantages for using disbursement vouchers: 1. Several invoices may be paid at once (reducing number of checks). 2. Vouchers can be prenumbered, which simplifies tracking all payables. 15-12 .

3. The voucher provides a record that a vendor invoice has been approved for payment and facilitates invoice approval separate from invoice payment. This makes it easier to schedule both activities to maximize efficiency. Accounting approves the invoice for payment by comparing the invoice to the purchase order and receiving report. A voucher package, which contains the approved invoice, supporting purchase order, and receiving report, is sent to the cashier. This voucher package authorizes issuance of a check or EFT to the supplier. Pay Approved Invoices The final activity in the expenditure cycle is the payment of approved invoices. The cashier reviews the voucher package, approves the payment, prepares the check for payment, and signs the check.

Improving Efficiency and Effectiveness The accounts payable process, which matches vendor invoices to purchase orders and receiving reports, is a prime candidate for automation. Processing efficiency can be improved by: Requiring suppliers to submit invoices by EDI and having the system automatically match invoices to purchase orders and receiving reports. Another option is to eliminate vendor invoices. This “invoiceless” approach is called evaluated receipt settlement (ERS). ERS replaces the traditional three-way matching process with a two-way match of the purchase order and receiving report. Procurement cards provide one way to eliminate the need for accounts payable to process many small noninventory invoices. A procurement card is a corporation credit card that employees can use only at designated suppliers to purchase specific kinds of items. Using corporate credit cards for travel expenses further reduces the number of invoices that need to be processed. Preparing careful short-term cash budgets is useful in taking advantage of early-payment discounts. For example, if the corporation purchased an item for $100,000 with the terms 2/10, n/30; the amount of the discount that could be realized by paying within 10 days is $2,000. Even more important, if the corporation did not pay within the ten days, the 2% discount represents an annual interest rate of 18% (2% × 360/20). Finally, financial data electronic interchange (FEDI) can cut the costs associated with paying suppliers by eliminating the need to prepare and mail checks.

15-13 .

Focus 15-2 on page 513 shows dramatic improvements can often be made simply by reengineering the accounts payable and cash disbursements processes. Medtronic had successfully used both Six Sigma and Lean principles to streamline its work-flow activities and improve product quality. Six Sigma is a philosophy that focuses on improving quality by reducing mistakes. Lean analysis seeks to improve efficiency by eliminating bottlenecks and redundancies. Medtronic initiated a series of intensive 5-day projects, called kaizen, to apply Six Sigma and Lean principles to improve accounts payable. Medtronic’s application of process improvement techniques yielded a dramatic improvement in the efficiency and effectiveness of its accounts payable function: 1. The time required to open the mail, sort, process, and record vendor invoices dropped from 3 days to 1 day. 2. The number of invoices for which discounts for prompt payment were taken increased by 15%. 3. Payment processing times were cut by 50%. Threat 16: Failing to Catch Errors in Vendors’ Invoices Controls: Check mathematical accuracy; verify procurement card charges; adopt ERS; train staff on freight terminology; use common carrier to take advantage of discounts Threat 17: Mistakes in Posting to Accounts Payable Controls: Reconciliations and data entry controls Multiple Choice 8 Which of the following statements is FALSE? a. Kickbacks are the most expensive form of employee corruption. b. RFID technology is more efficient than bar codes. c. The Bureau of Industry and Security maintains lists of individuals and companies with whom it is illegal to transact business. d. Competitive written bids should be solicited for high-cost and specialized products. e. All of the above. Multiple Choice 9

15-14 .

The following is (are) a red flag(s) that would identify suppliers likely to represent potential problems: a. The supplier’s address is on the invoices. b. Entertainment expenses are high in terms of a percentage of the supplier’s gross sales. c. A large percentage of the supplier’s gross sales were to one company. d. a and b e. b and c

Learning Objective Five Explain the process and key decisions involved in making cash disbursements to suppliers, identify the threats to those activities, and describe the controls that can mitigate those threats.

Cash Disbursements This is the final activity of the expenditure cycle. The cashier, who reports to the treasurer, is responsible for paying suppliers. This segregates the custodial function from the authorization and recording functions. Expenditures should be made by check or EFT. If minor purchases are paid for by cash, a petty cash fund is set up as an imprest fund. An imprest fund is a cash account with two characteristics: 1. 2.

It is set at a fixed amount. Vouchers are required for every disbursement.

At all times, the sum of cash plus vouchers should equal the preset fund balance. Threat 18: Failing to Take Available Purchase Discounts Controls: File and track invoices by due date; prepare cash flow budgets Threat 19: Paying for Goods not Received Controls: Compare invoice quantities to quantities reported by receiving and inventory control; use tight budgetary controls. Use of corporate credit cards for travel expenses. Requiring receipts for travel expenses Threat 20: Paying the Same Invoice Twice Controls: Approve invoices only with complete voucher package; pay only on original invoices; cancel invoices once paid; use 15-15 .

internal audit to detect and recover overpayments; control access to accounts payable master file Threat 21: Misappropriation of Cash, Checks, or EFT Controls: Restrict access to cash, checks, and check signing machines; use sequentially numbered checks and reconcile; segregate duties; two signatures on checks over a certain limit; restrict access to supplier list; cancel all documents; have independent bank reconciliation; use check protection measures or positive pay; provide strict logical and access controls for EFT; log, encrypt, stamp, and number all EFT transactions; monitor EFT transactions; and use embedded audit modules Threat 22: Check Alteration Controls: Check-protection machines, use of special inks and papers, “positive pay” arrangements with banks Threat 23: Cash Flow Problems Controls: Cash flow budget Multiple Choice 10 Imprest funds are used to make minor purchases with cash, the total sum of cash and _______________ should equal the preset fund balance. a. checks b. vouchers c. coins d. notes

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 B 6 C 2 C 7 E 3 D 8 E 4 B 9 B 5 A 10 B

15-16 .

CHAPTER 16 THE PRODUCTION CYCLE Instructor’s Manual Learning Objectives: 1. Describe the major business activities and key decisions that must be made in the production cycle, the threats to accomplishing production cycle objectives, and the controls that can mitigate those threats. 2. Explain the key decisions and information needs in product design, the threats to those activities, and the controls that can mitigate those threats. 3. Explain the key decisions and information needs in planning and scheduling production, the threats to those activities, and the controls that can mitigate those threats. 4. Explain the key decisions and information needs in production operations, the threats to those activities, and the controls that can mitigate those threats. 5. Explain the key decisions and information needs for accurate cost accounting, threats to those activities, and the controls that can mitigate those threats.

Introduction The production cycle is a recurring set of business activities and related information processing operations associated with the manufacture of products. Figure 16-1 on page 534 shows how the production cycle is linked to the other subsystems in a company’s AIS. A company’s AIS plays a vital role in the production cycle. Accurate and timely cost accounting information is essential input to decisions about the following: 1. Product mix (what to produce). 2. Product pricing. 3. Resource allocation and planning (e.g., whether to make or buy a product, relative profitability of different products). 4. Cost management (planning and controlling manufacturing costs, evaluating performance). This chapter examines the three major functions of the AIS in the production cycle: 1. Capturing and processing data about business activities.

16-1 .

2. Storing and organizing the data to support decision making. 3. Providing controls to ensure the reliability of data and the safeguarding of organizational resources.

Learning Objective One Describe the major business activities and key decisions that must be made in the production cycle, the threats to accomplishing production cycle objectives, and the controls that can mitigate those threats.

Production Cycle Activities Figure 16-2 on page 534 shows the four basic activities in the production cycle: 1. Product design 2. Planning and scheduling 3. Production operations 4. Cost accounting Figure 16-2 also depicts the principal information flows between each of those activities and the other AIS cycles. One popular approach to improving manufacturing performance, called Six Sigma, begins with careful measurement and analysis of current processes in order to find ways to improve them.

Control Objectives, Threats, and Procedures A second function of a well-designed AIS is to provide adequate controls to meet the following production cycle objectives: 1. All production activities and fixed asset acquisitions are properly authorized. 2. Work-in-process inventories and fixed assets are safeguarded. 3. All valid, authorized production cycle transactions are recorded. 4. All production cycle transactions are recorded accurately. 5. Accurate records are maintained and protected from loss.

16-2 .

6. Production cycle activities are performed efficiently and effectively. Wherever feasible, use of RFID tags or bar codes can further improve data entry accuracy. Table 16-1 on page 537 Lists the major threats and exposures in the production cycle and the additional control procedures, besides adequate documents, and records.

General Threats Threat 1-3: Loss, Alteration, or Unauthorized Disclosure of Data Loss or alteration of production data hinders the monitoring of inventory and fixed assets and makes it difficult to ensure that manufacturing activities are being performed efficiently and effectively. Inventory and work-in-process records must be protected from both intentional and accidental losses or damages. Regular back-up of all data files is important. Access controls are also necessary to protect production data because of the potential losses of production trade secrets. Unauthorized access also increases the risk of damage to important data files. Passwords and user IDs can limit access to sensitive files. It is important to enforce proper access controls and segregation of duties which requires the controller or CFO to review and suggest appropriate configuration of user rights in integrated AIS packages and ERP systems. Access and processing integrity controls are also needed to ensure the confidentiality and accuracy of production cycle data transmissions among different factories. Multiple Choice 1 The following are the basic activities in the production cycle: 1. production operations 2. product design 3. cost accounting 4. planning and scheduling Which of the following is the correct sequence of the basic activities? a. 2, 3, 1, 4 b. 2, 1, 4, 3 c. 2, 4, 1, 3 d. 2, 1, 3, 4

16-3 .

Learning Objective Two Explain the key decisions and information needs in product design, the threats to those activities, and the controls that can mitigate those threats.

Product Design The first step in the production cycle is product design (circle 1.0 in Figure 16-2). The objective of this activity is to design a product that meets customer requirements in terms of quality, durability, and functionality while minimizing production costs. Focus 16-1 on page 538 explains how simulation software is constantly improving the efficiency and effectiveness of product design. Product life-cycle management (PLM) software consists of three key components: 1. Computer-aided design (CAD) software to design new products. 2. Digital manufacturing software that simulates how those products will be manufactured. 3. Product data management software that stores all the data associated with products. GM estimates that it costs approximately $500,000 to run crash tests with real cars and hopes that CAD software can reduce the number of such tests by 85 percent. However, Airbus learned that the PLM software has pitfalls. In 2006, it announced that production of the A380 superjumbo airliner would be delayed by at least two years, costing Airbus approximately $6 billion in lost profits. The problem was using different versions of the same CAD software. A survey found that almost 50% of companies using CAD software had to redesign products because of incompatibilities between CAD software used by different design teams.

16-4 .

Key Documents and Forms The product design activity creates two main documents: 1. Bill of materials which specifies the part number, description, and quantity of each component used in a finished product. 2. An operations list, which specifies the sequence of steps to follow in making the product, which equipment to use, and how long each step should take. Role of the Accountant Accountants should participate in product design because 65 percent to 80 percent of product costs are determined at the product design stage. Production costs can be reduced by increasing the number of common components used for a line of related products. Accountants can add value if they not only design the AIS to measure and collect the relevant cost data, but also, if they help the design team to use that data proactively to improve profitability.

Threat 4: Poor Product Design Poor product design drives up costs in several ways to include using too many unique components and poorly designed products. Product design can be improved with accurate data about the relationship between components and finished goods. Multiple Choice 2 _____ percent to _____ percent of product costs are determined in the product design stage of the production process. a. 60; 80 b. 65; 80 c. 55; 70 d. 60; 70 Multiple Choice 3 Analysis of warranty and repair costs are a control for dealing with: a. disruption of operations b. poor product design c. excessive raw materials d. inaccurate cost data

16-5 .

Learning Objective Three Explain the key decisions and information needs in planning and scheduling, the threats to those activities, and the controls that can mitigate those threats.

Planning and Scheduling The second setup in the production cycle is planning and scheduling (circle 2.0 in Figure 16-2). Planning Methods Two common methods of production planning are management resource planning and lean manufacturing. Manufacturing resource planning (MRP-II) is an extension of materials requirements planning, covered in Chapter 15, that seeks to balance existing production capacity and raw material needs to meet forecasted sales demands. MRP-II systems are often referred to as push manufacturing, because goods are produced in expectation of customer demand. Lean manufacturing extends the principles of just-in-time systems to the entire production process. Lean manufacturing is often referred to as pull manufacturing, because goods are produced in response to customer demand. However, in practice, most lean manufacturing systems develop short-run production plans. Both MRP-II and lean manufacturing systems plan production in advance. MRP-II systems may develop production plans for up to 12 months in advance. Lean manufacturing systems use much shorter planning horizons. Key Documents and Forms The master production schedule (MPS) specifies how much of each product is to be produced during the planning period and when that production should occur (Refer to Figure 16-6 on page 540). The MPS is used to develop a detailed timetable that specifies daily production and to determine if raw materials need to be purchased. To do this, it is necessary to “explode” the bill of 16-6 .

materials to meet the production goals as listed in the MPS (see Table 16-2 on page 541). This figure shows that the planning and scheduling activity produces three other documents: 1. A production order which authorizes the manufacture of a specified quantity of a particular product. A sample of the production order is provided in Figure 16-7 on page 542. 2. A materials requisition authorizes the removal of the necessary quantity of raw materials from the storeroom to the factory location where they will be used. A sample of the materials requisition is provided in Figure 16-8 on page 542. 3. Subsequent transfers of raw materials throughout the factory are documented on move tickets, which identify the parts being transferred, the location to which they are transferred, and the time of transfer. A sample of the move ticket is provided in Figure 16-9 on page 543. Bar-coding improved the speed and accuracy of recording information about material movements and eliminating the need to manually enter data. More recently, radio-frequency identification (RFID) tags further improve efficiency by eliminating the need for any human intervention in the scanning process. This makes RFID scanners up to 40 times faster than bar-code scanners. Surveys estimate that as much as 10%–20% of handling materials in the warehouse is spent on looking for the right product. RFID technology can eliminate this cost. RFID tags have a scanner that broadcasts a signal to locate the desired product. Role of the Accountant The accountant must ensure that the AIS collects and reports costs in a manner consistent with the production planning techniques of the company. Lean manufacturing emphasizes working in teams and seeks to maximize the efficiency and synergy of all teams involved in making a particular product. Threat 5: Over- or Underproduction Two related threats in the planning and scheduling process are overproduction and underproduction. Overproduction can result in a supply of goods in excess of short-run demands, thereby creating potential cash flow problems. There is also a risk of carrying inventory items that become obsolete. Underproduction can result in lost sales and dissatisfied customers.

16-7 .

More accurate production planning can prevent over- and underproduction. Improvement requires accurate and current sales forecasts from the revenue cycle systems, and data about inventory stocks from the expenditure cycle. Proper approval and authorization of production orders is another control to prevent overproduction of specific items. Multiple Choice 4 A production planning method that is based on goods being produced based on customer demand is: a. pull manufacturing b. MRP-II c. push manufacturing d. lean manufacturing Multiple Choice 5 A _____ authorizes the removal of raw materials from the storeroom to the factory and a _____ documents the transfers of raw materials throughout the factory. a. materials requisition; moving ticket b. transfer voucher; moving ticket c. materials requisition; transfer voucher d. none of the above

Learning Objective Four Explain the key decisions and information needs in production operations, the threats to those activities, and the controls that can mitigate those threats.

Production Operations The third step in the production cycle is the actual manufacture of products (circle 3.0 in Figure 16-2). Using various forms of IT in the production process, such as robots and computer-controlled machinery, is referred to as computer-integrated manufacturing (CIM). Accountants are not required to be experts on every facet of CIM, but they must understand how it affects the AIS. In order to minimize inventory carrying costs, the AIS must maintain accurate perpetual inventory records. This requires integrating information about customer orders (from the revenue

16-8 .

cycle) with information about purchases from suppliers (from the expenditure cycle), along with information about labor available (from the HR/payroll cycle). Threats 6 and 7: Theft of Inventories and Fixed Assets To reduce the risk of inventory loss, physical access to inventories should be restricted and all internal movements of inventory should be documented. Proper segregation of duties is important to safeguard inventory. Maintaining physical custody of the raw materials and finished goods inventories is the responsibility of the inventory stores department. Department of factory supervisors have primary responsibility for workin-process inventories. Internal controls are also needed to safeguard fixed assets. Managers should be assigned responsibility and accountability for fixed assets under their control. Finally, inventories and fixed assets are also subject to loss due to fire or other disasters. Therefore, adequate insurance coverage should be maintained to cover such losses and provide for the replacement costs of these assets. Threat 8: Poor Performance Inefficiencies in production operations result in increased expenses. Thus, manufacturing activities must be closely monitored and prompt action taken to correct any deviations from standards. Threat 9: Suboptimal Investment in Fixed Assets Overinvesting in fixed assets can create excess costs and underinvestment can impair productivity. Both problems reduce profitability. Proper authorization of fixed-asset transactions is important. Holding managers accountable for their department’s return on the fixed assets provides additional incentive to control such expenditures. Due to the size of fixed-asset purchases, companies should invite several competing suppliers to provide bids. A document called a request for proposal (RFP), which specifies the desired properties of the asset, is sent to each vendor. Threat 10: Loss of Inventory or Fixed Assets Due to Fire or Other Disasters Insurance can mitigate this loss. Threat 11: Disruption of Operations The high level of automation in production cycle activities means that disasters that disrupt the functioning of information systems can also disrupt manufacturing activities. 16-9 .

Backup power sources and uninterruptible power supply devices are required to ensure that critical equipment and machinery are not damaged during a power loss. This will ensure that the production process can continue on schedule. Not only do companies need to have a disaster plan, but companies need to check on their supplier’s plan and come up with alternate sources for critical components. Multiple Choice 6 A form of IT that involves robots is: a. CIS b. MRP c. RFID d. CIM Multiple Choice 7 The formal request of a competitive bid for machinery and equipment from suppliers is a document called: a. RFP b. MRP c. CIM d. JIT

Learning Objective Five Explain the key decisions and information needs for accurate cost accounting, threats to those activities, and the controls that can mitigate those threats.

Cost Accounting The final step in the production cycle is cost accounting (circle 4.0 in Figure 16-2). The three principal objectives of the cost accounting system are: 1.

Provide information for planning, controlling, and evaluating the performance of production operations.

Provide accurate cost data about products for use in pricing and product mix decisions.

16-10 .

Collect and process the information used to calculate the inventory and cost of goods sold values that appear in the company’s financial statements.

Every firm requires cost accounting data about the following four facets of its production operations: 1. Raw materials used 2. Labor hours expended 3. Machine operations performed 4. Other manufacturing overhead costs incurred Types of Accounting Systems Most companies use either job-order or process costing to assign production costs. Job-order costing assigns costs to specific production batches, or jobs, and is used when the product or service being sold consists of discretely identifiable items. Process costing assigns costs to each process, or work center, in the production cycle, then calculates the average cost for all units produced.

Process Figure 16-10 on page 543 depicts a typical online AIS for the production cycle. Both systems require accumulating data about four basic kinds of costs: 1) raw materials, 2) direct labor, 3) machinery and equipment, and 4) manufacturing overhead.

Raw Materials Usage Data When production is initiated, the issuance of materials requisition triggers a debit to work-in-process for the raw materials sent to production, and a credit when raw materials are not used and returned to inventory. RFID tags improve the efficiency of tracking materials usage.

Direct Labor Costs As shown in Figure 16-10, a worker enters the data on time spent on each specific job task using online terminals at each factory workstation.

Machinery and Equipment Usage Companies implement CIM to automate the production process. 16-11 .

Data for machinery and equipment used at a workstation and the duration of such use is collected by wiring the factory so that each piece of equipment is linked to the computer. The wired connections are now being replaced with wireless technology. This enables the use of 3-D simulation software to evaluate the effects of modifying shop-floor layout and workflow to easily and quickly implement beneficial changes.

Manufacturing Overhead Costs Manufacturing costs that cannot be directly related to the production of a specific product is referred to as manufacturing overhead. Examples include factory costs of water, power, and other utilities; miscellaneous supplies; rent, insurance, and property taxes. Accountants can play a key role in controlling overhead costs by carefully assessing how changes in product mix affect total manufacturing overhead. Threat 12 Inaccurate Cost Data Diminishes the effectiveness of production scheduling and undermines management’s ability to monitor and control manufacturing operations. This threat is best controlled with using RFID technology, bar code scanners, badge readers, and other devices. Threat 13: Inappropriate Allocation of Overhead Costs Can lead to erroneous decisions, best mitigated by activity based costing. Threat 14: Misleading Reports Can lead to erroneous decisions, best mitigated by performance metrics. Activity-Based Costing refines a costing system by identifying individual activities as the fundamental cost objects. An activity is an event, task, or unit of work with a specified purpose such as designing products, setting up machines, operating machines, and distributing products. Note to Instructor: For the above definition, refer to page 170, Chapter 5, of the Prentice Hall Cost Accounting Textbook, 12th edition. Activity Based Costing versus Traditional Cost Systems

Following are three significant differences between ABC and traditional approaches to product costing: 1.

ABC systems attempt to directly trace a larger proportion of overhead costs to products. Advances in IT make this feasible.

16-12 .

ABC systems use a greater number of cost pools to accumulate indirect costs (manufacturing overhead). Whereas most traditional cost systems lump all overhead costs together. ABC systems distinguish three separate categories of overhead:



Batch-related overhead. Examples include setup costs, inspections, and materials handling.



Product-related overhead. These costs are related in the diversity of the company’s product line. Examples include research and development, expediting, shipping and receiving, environmental regulations, and purchasing.



Company-wide overhead. This category includes such costs as rent or property taxes. These costs apply to all products.

ABC systems attempt to rationalize the allocation of overhead to products by identifying cost drivers. A cost driver is anything that has a cause and effect relationship on costs. For example, the number of purchase orders processed is one cost driver of purchasing department costs.

Benefits of ABC Systems ABC systems cost more to run than traditional cost systems because they require the collection of more production-related data and in greater detail. They are also more complex. More accurate cost data results in better product mix and pricing decisions, and more detailed cost data to improve management’s ability to control and manage total costs. Better decisions. Traditional cost systems tend to apply too much overhead to some products and too little to others. This leads to two types of problems: 1. Companies may accept sales contracts for some products at prices below their true cost of production. Sales increase, but profits decline. 2. Companies may overprice other products. ABC systems avoid these problems. ABC also uses data to improve product design. Finally, ABC data improve managerial decision making by providing information about the costs associated with specific activities, instead of classifying those costs by financial statement category, which aids in managerial analysis by focusing attention on key processes. 16-13 .

The ABC analysis shows which activities (training, testing, and maintenance and system analysis) are running over budget and which are not. Improved cost management. Another advantage of ABC is that it clearly measures the results of managerial actions on overall profitability. ABC systems measure both the amount spent to acquire resources and the consumption of those resources. This distinction is reflected in the following formula: Cost of activity capability = Cost of activity used + Cost of unused capacity. To illustrate, consider the receiving function at a manufacturing firm such as AOE. Assume the following: 1. The salary expense for the receiving department is $100,000. 2. Receiving employees can handle 500 shipments. 3. The cost per shipment is $200. 4. Assume that 400 shipments are actually received. The cost of the receiving activity is $80,000 ($200 × 400 shipments). The remaining $20,000 ($100,000-$80,000) in salary expense represents the cost of unused capacity. Better Decisions CPAs have now added and supplemented the traditional financial statements with reports based on lean accounting. One suggested change involves assigning costs to product lines instead of departments. In addition to this change, accountants should also develop new measures that are designed to focus on issues important to production cycle managers. Throughput—A Measure of Production Effectiveness Throughput represents the number of good units produced in a given period of time. It consists of three factors as shown in the following formula: Throughput = (Total units produced/Processing time) × (Processing time/Total time) × (Good units/Total units) Productive capacity: The first term in the formula shows the maximum number of units that can be produced using current technology.

16-14 .

Productive processing time: The second term in the formula indicates the percentage of total production time used to manufacture the product. Yield: The third term in the formula represents the percentage of good units produced. Quality Control Measures Quality control costs can be divided into four areas: 1. Prevention costs are associated with changes to production processes designed to reduce the product defect rate. 2. Inspection costs are associated with testing to ensure that products meet quality standards. 3. Internal failure costs are associated with reworking, or scrapping, products identified as being defective prior to sale. 4. External failure costs result when defective products are sold to customers. They include such costs as product liability claims, warranty and repair expenses, loss of customer satisfaction, and damage to the company’s reputation. The ultimate objective of quality control is to “get it right the first time.” Some companies have found that the most important management decision involves switching from the traditional “management by exception” philosophy to a “continuous improvement” viewpoint.

Multiple Choice 8 The best control procedure to ensure that data entry is accurate is to automate date collection using: a. RFID technology b. badge readers c. ID cards d. a and b e. all of the above Multiple Choice 9 The number of goods produced in a given period of time is: a. processing b. production c. throughput d. productive processing Multiple Choice 10 The _____ overhead includes costs such as rent or property tax. a. batch-related 16-15 .

b. company-wide c. product-related d. none of the above

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 C 6 D 2 B 7 A 3 B 8 E 4 B 9 C 5 C 10 B

16-16 .

CHAPTER 17 THE HUMAN RESOURCES MANAGEMENT AND PAYROLL CYCLE Instructor’s Manual Learning Objectives: 1. Describe the major business activities, key decisions, and information needs in the HRM/payroll cycle, the general threats to those activities, and the controls that can mitigate those threats. 2. Explain the payroll cycle activities, key decisions and information needs, the threats to those activities, and the controls that can mitigate those threats. 3. Discuss and evaluate the options for outsourcing HRM/payroll cycle activities.

Learning Objective One Describe the major business, key decisions, and information needs in the HRM/payroll cycle, the general threats to those activities, and the controls that can mitigate those threats.

Introduction The human resources management (HRM)/payroll cycle is a recurring set of business activities and related data processing operations associated with effectively managing employee workforce. The more important tasks include: 1. Recruiting and hiring new employees 2. Training 3. Job assignment 4. Compensation (payroll) 5. Performance evaluation 6. Discharge of employees due to voluntary or involuntary termination Tasks 1 and 6 are performed once and tasks 2 through 5 are performed repeatedly. This chapter focuses primarily on the payroll system.

17-1 .

Overview The HRM provides information about hiring, termination, and pay-rate changes due to pay raises and promotions. The various departments provide data for the hours worked. The government provides the tax information and requirements. The principal output for the payroll cycle is checks. Although direct labor costs are a small portion of the total manufacturing costs, employees are a key cost driver when it comes to their performance which affects the quality of the products being manufactured. Some believe that the value of employees’ skills and knowledge is several times greater than the value of a company’s tangible assets. However, accounting and the AIS have not traditionally measured or reported this value of the employees. The only value of the employee has been the wage and salary expense for direct labor, which is included in the work-in-process inventory. Recognizing the value of employees’ knowledge and skills can help companies better understand the true costs associated with excessive turnover. Experts estimate that the cost of replacing employees is 1.5 times greater than that of an employee’s annual salary. For example, consider two companies with 1,500 employees earning on the average $50,000. One company has an employee turnover rate of 20% and the other only 8%. The company with the 20% rate would need to replace 300 employees each year (1,500 ˟ 20%). The company’s cost for each employee would be $75,000 ($50,000 ˟ 1.5). This would result in an annual cost of $22.5 million (300 employees ˟ $75,000) As for the company with the 8% turnover rate, they would only need to replace 120 employees; their annual cost would only be $9 million (75 employees ˟ $75,000). Employee morale is also important. A Gallup survey found that an employee’s attitude affects profitability. The survey found that there are four key attitudes: 1. Employees believe they have the opportunity to do what they do best.

17-2 .

2. They believe their opinions count. 3. They think that coworkers are committed to quality. 4. They understand the connection between their jobs and the company’s mission. Focus 17-1 on page 567 describes the value of understanding employee jobs and attitudes. Senior executives are now spending time in the trenches to better understand job duties and pressures. For example, the CEO of Loews Hotels spent time working as a bellman, pool attendant, and housekeeper. The vice president of DaVita Inc., spent three days working in one of the company’s clinics. Most important, these senior executives acted on their findings to improve working conditions. Figure 17-2 on page 565 provides the integration of Payroll and HRM functions in a typical ERP system.

Key Decisions and Information Needs The payroll system must be designed to collect and integrate cost data with other types of HR information to enable management to make the following kinds of decisions: 1. Future workforce staffing needs 

How many employees are needed in the next five years to accomplish the organization’s strategic plans?



Which employees possess the needed skills?



Which skills are in short supply?



Which skills are in oversupply?



How effective are current training programs in maintaining and improving employee skill levels?

2. Employee performance 

Which employees should be promoted or receive pay raises?



Who should be discharged?



Is overall performance improving or declining?



Is turnover excessive?

17-3 .



Is tardiness or absenteeism a problem?

3. Employee morale



What is the overall level of employee morale and job satisfaction?



How can the compensation scheme be used to improve morale, satisfaction, and performance?



What additional fringe benefits, if any, should be offered?

4. Payroll processing efficiency and effectiveness 

How frequently should employees be paid?



Are labor costs being accurately allocated to products and other cost centers?



Are all applicable tax reporting requirements being met?



How easily can employee requests for information be answered?

Internally and externally generated information is needed to make these decisions. Access to current, accurate information about employee skills and knowledge can also provide an organization with strategic benefits. A second strategic benefit of an integrated HRM/payroll data model is that staff can perform many HRM activities more efficiently, thereby reducing costs. Online resumes are being used for hiring new employees. A well-designed HRM database also can be used to reduce recruiting costs. General Controls: A second major function of the AIS in the HRM/payroll cycle is to provide adequate internal controls to ensure meeting the following objectives: 1. All payroll transactions are properly authorized. 2. All recorded payroll transactions are valid. 3. All valid, authorized payroll transactions are recorded. 4. All payroll transactions are accurately recorded. 5. Applicable government regulations regarding remittance of taxes and filing of payroll and HRM reports are met. 6. Assets (both cash and data) are safeguarded from loss or theft.

17-4 .

7. HRM/payroll cycle activities are performed efficiently and effectively. Simple, easy-to-complete documents with clear instructions facilitate the accurate and efficient recording of payroll transactions. Appropriate application controls, such as validity checks and field (format) checks, further increase the accuracy of data entry when using electronic documents. Providing space on both paper and electronic documents to record who completed and who reviewed the form gives evidence that the transaction was properly authorized. Prenumbering all documents facilitates checking that all transactions have been recorded. Restricting access to programs that create documents and, if paper documents are still used, to blank documents, reduces the risk of unauthorized transactions. Table 17-1 on page 568 lists the major threats in the HRM/payroll cycle and the applicable control procedures.

Employment Practices The objective of the HRM function is to efficiently hire, develop, retain, and dismiss employees.

General Controls Threats 1-5 As for other disbursements, there are two general threats: 1) the loss, alteration, or unauthorized disclosure of data and 2) poor performance. Threat 1-3: Loss, Alteration, or Unauthorized Disclosure of Data Backup and disaster-recovery procedures provide the best controls for reducing the risk of payroll data loss. Physical and logical access controls are important preventive measures to mitigate this threat. Access and processing integrity controls are also needed to ensure the confidentiality and accuracy of payroll cycle data transmissions. Use of encryption and tokenization. Finally, protecting the privacy of employee data also is important. Threat 4: Hiring Unqualified or Larcenous Employees Hiring unqualified employees can increase production expenses, and hiring a larcenous employee can result in theft of assets. Skill qualifications for each open position should be stated explicitly in the position control report.

17-5 .

It is especially important to verify a job application’s skills and references, including college degrees earned, because research shows that approximately 30% of resumes contain false information. Background checks should also be conducted. Threat 5: Violation of Employment Laws The government imposes stiff penalties on firms that violate provisions of employment law. The best control procedure is careful documentation of all actions relating to advertising, recruiting, and hiring new employees and dismissal of employees. Continuing education on changes in employment laws provides organizations with knowledge of upcoming changes and how to handle them from a process and systems perspective. Multiple Choice 1 Tasks performed in the HRM/payroll cycle that are performed repeatedly (for as long as the employee works at the company) include: a. Training b. Recruiting c. Compensation d. A and C e. B and C Multiple Choice 2 Experts have determined that the cost of replacing employees is 1.5 times that of an employee’s annual salary. Company A and B both have 10,000 employees that earn $60,000 each on the average. Company A has an employee turnover rate of 3% and Company B has a 12% turnover rate. What is the difference between Company A’s and Company B’s annual employer turnover cost? a. $27,000,000 b. $54,000,000 c. $74,000,000 d. $81,000,000 Multiple Choice 3 The questions asked for the future workforce staffing needs decision includes: a. How many employees are needed in the next 5 years to accomplish the organization’s strategic plans? b. Which skills are in short supply? c. How effective are current training programs in maintaining and improving employee skill levels? d. All of the above e. A and B

17-6 .

Learning Objective Two Explain the payroll cycle activities, key decisions and information needs, the threats to those activities, and the controls that can mitigate those threats.

Payroll Cycle Activities Figure 17-4 on page 570 shows the five basic activities performed in the payroll cycle: 1. Update payroll master file. 2. Validate time and attendance data. 3. Prepare payroll. 4. Disburse payroll. 5. Disburse payroll taxes and miscellaneous deductions.

Update Payroll Master File Updating the payroll master file includes changes such as 1) new hires, 2) terminations, 3) changes in pay rates, and 4) changes in discretionary withholdings (circle 1.0 in Figure 17-4). It is important that all payroll changes are entered in a timely manner and are properly reflected in the next pay period.

Threat 6: Unauthorized Changes to the Payroll Master File Unauthorized changes to the payroll master file can result in increased expenses if wages, salaries, commission, or other base rates are falsified. Proper segregation of duties is the key control procedure for dealing with this threat. Only the HRM department should be able to update the payroll master file for hirings, firings, pay raises, and promotions. Controlling access to the payroll system is also important. The system should be programmed to compare user IDs and passwords with an access control matrix that: 1. Defines what actions each employee is allowed to perform

17-7 .

2. Confirms what files each employee is allowed to access Threat 7: Inaccurate Updating of Payroll Master Data Inaccuracies in time and attendance records can result in increased labor expenses and erroneous labor expense reports. Automation can reduce the risk of unintentional inaccuracies. The data entry program should include the following data processing integrity controls: 1. Field checks for numeric data in the employee-number and hours worked fields 2. Limit checks on the hours worked field 3. A validity check of the employee number Proper segregation of duties can reduce the risk of intentional accuracies. Time clock data, used for calculating payroll, also should be reconciled to the job time ticket data.

Validate Time and Attendance Data This validation is shown in circle 2.0 in Figure 17-4. Pay Schemes Most employees are paid either on a fixed salary or on an hourly basis (wages). For those paid on an hourly basis, many companies use a time card which is used to record the hours worked. The time card also includes the total hours worked for a pay period. Employees who earn a fixed salary seldom record their labor efforts on a time card. Instead, their supervisors monitor their presence on the job. Sales staff often are paid either on a straight commission or on a salary plus commission basis. Nucor Corporation, a large steel company, pays its steelworkers an hourly rate at approximately 60% of the industrial average, plus a bonus based on the tons of steel (tonnage) they produce. It is important that incentive schemes such as the example with Nucor Corporation, require linking the payroll system with other information generated from the organization such as sales, production, etc. Efficiency Opportunities Using Information Technology

17-8 .

Payroll processing can be made more efficient by collecting employee time and attendance data electronically instead of on paper documents. Those data are then automatically fed to the payroll processing system. Also, electronic time clocks can transmit time and attendance data directly to the payroll processing system. Threat 8: Inaccurate Time and Attendance Data Automating source data to capture hours worked can prevent errors. Segregation of duties and reconciliation of job-time tickets to the time cards. Supervisory review can catch errors.

Prepare Payroll The third step in the payroll cycle is preparing payroll (circle 3.0 in Figure 17-4). Procedures 1. The payroll transaction file is sorted by employee number. 2. The sorted time-data file is then used to prepare employee paychecks. 3. Next, all payroll deductions are summed and the total is subtracted from gross pay to obtain net pay. 4. Once net pay is obtained, the year-to-date fields for gross pay, deductions, and net pay in the payroll master file are updated. 5. Finally, the payroll register and employee paychecks are printed. The payroll register is a report that lists each employee’s gross pay, payroll deductions, and net pay. Note that the employees who worked in excess of 40 hours received overtime pay of 1.5 times the hourly rate. As a result, you cannot multiply the “hours” times the “pay rate” to get the “gross pay.” Sometimes the payroll register is accompanied by a deduction register which lists the miscellaneous voluntary deductions for each employee. Figure 17-8 on page 575 provides an example of both reports. Employee paychecks also typically include an earnings statement, which lists the amount of gross pay, deductions, and net pay for the current period and year-to-date totals.

17-9 .

Table 17-2 on page 576 describes some of the additional reports produced by the payroll system; especially for government agencies. Figure 17-9 on page 576 shows that most payroll and HRM software provides extensive support for meeting the reporting requirements of federal, state, and local governments. Threat 9: Inaccurate Processing of Payroll The complexity of payroll processing makes it susceptible to errors. Processing errors can lead to penalties if the errors result in failure to remit the proper amount of payroll taxes due the government. Three types of control procedures address the threat of payroll errors: 1. Batch totals should be calculated at the time of data entry and then checked against comparable totals calculated during each stage of processing. Hash totals of employee numbers are particularly useful. If the original and subsequent hash totals of employee numbers agree, it means that: 

All payroll records have been processed.



Data input was accurate.



No bogus time cards were entered during processing.

2. Cross-footing the payroll register 3. A payroll clearing account The payroll clearing account is a general ledger account that is used in a two-step process to check the accuracy and completeness of recording payroll costs and their subsequent allocation to appropriate cost centers. The recordings for each pay period include: Debit to payroll account Credit to deductions payable Credit to cash for net pay Then when direct and indirect labor is used in manufacturing the recording is: Debit to work-in-process for direct labor Debit to manufacturing overhead for indirect labor Credit to payroll account The amount credited to the payroll account should be equal to the initial debit to the payroll account. This internal check is called a zero-balance check.

17-10 .

Companies hire temporary employees or outside help to get around a hiring freeze. The IRS provides a checklist of questions that can be used to determine if a worker should be classified as an employee or an independent contractor.

Disburse Payroll The next step is actual disbursement of paychecks to employees (circle 4.0 in Figure 17-4). Most employees are paid by either check or direct deposit. Procedures The following procedures are followed: 1. Once paychecks have been prepared, the payroll register is sent to the accounts payable department for review and approval. 2. A disbursement voucher is then prepared to authorize the transfer of funds from the company’s general checking account to its payroll bank account. 3. The disbursement voucher and payroll register are then sent to the cashier. 4. The cashier reviews the payroll register and disbursement voucher and then prepares and signs a check transferring funds to the company’s payroll bank account. The cashier also reviews, signs, and distributes the employee paychecks. 5. The payroll register is then returned to the payroll department. Efficiency Opportunity: Direct Deposit Direct deposit is one way to improve the efficiency and reduce the costs of payroll processing. Direct deposit provides savings to employers by eliminating the cost of purchasing, processing, and distributing paper checks, not to mention reducing bank fees and postage.

Disburse Payroll Taxes and Miscellaneous Deductions The final activity in the payroll process is paying the payroll tax liabilities and the other voluntary deductions of each employee (circle 5.0 in Figure 17-4). Companies either prepare checks or use electronic funds transfer to pay the taxes and deductions.

17-11 .

The employer pays some payroll taxes and employee benefits directly. The IRS Circular E, Employer’s Tax Guide, provides detailed instructions about employer’s obligations for withholding and remitting payroll taxes, and for filing reports. Employers often contribute some or all of the amounts to pay for their employee’s health, disability, and life insurance. Many employers also offer their employees flexible benefit plans, under which the employee receives some minimum coverage in medical insurance and pension contributions. Threat 10: Theft or Fraudulent Distribution of Paychecks Another major threat is the theft of paychecks or the issuance of paychecks to fictitious or terminated employees. The controls related to other cash disbursements, discussed in Chapter 11, also apply to payroll: 1. Access to blank payroll checks and to the check signature machine should be restricted. 2. All payroll checks should be sequentially prenumbered and periodically accounted for. 3. The cashier should sign all payroll checks only when supported by proper documentation (the payroll register and disbursement voucher). 4. Someone independent of the payroll process should reconcile the payroll bank account. A separate payroll bank account provides additional protection against forgery or alteration. It is also important that someone who does not authorize or record payroll should distribute paychecks and control the transfer of funds for direct deposit. Special procedures should be used to handle unclaimed paychecks because they indicate the possibility of a problem, such as a nonexistent or terminated employee. Multiple Choice 4 The third step in the payroll cycle is: a. validating time and attendance data b. updating the payroll master file c. prepare payroll d. calculating employer paid benefits and taxes Multiple Choice 5 Miscellaneous and voluntary payments on behalf of each employee from payroll is: a. payroll register 17-12 .

b. deduction register c. earnings statement d. payroll tax register Multiple Choice 6 The report that lists each employee’s gross pay, payroll deductions, and net pay is the: a. payroll voucher b. payroll register c. deduction register d. payroll transactions Multiple Choice 7 Which data processing integrity controls can mitigate payroll errors? a. Payroll clearing account b. Hash totals of employee numbers c. Cross-footing payroll register d. None of the above e. All of the above Multiple Choice 8 What control mitigates the threat of theft or fraudulent distribution of paychecks? a. Data processing integrity controls b. Prenumbering all paychecks c. Restricting access to blank payroll checks and the check signing machine d. Training Multiple Choice 9 The _____ is used to check numeric data and the _____ is used to check the hours-worked field. a. field check; validity check b. limit check; field check c. field check; limit check d. validity check; field check

Learning Objective Three Discuss and evaluate the options for outsourcing HRM/payroll cycle activities.

Outsourcing Options: Payroll Service Bureaus and Professional Employer Organizations (PEOs)

17-13 .

In an effort to reduce costs, many organizations are outsourcing their payroll and HRM functions. A payroll service bureau maintains the payroll master file for each of its clients and performs the payroll processing activities. A PEO not only processes payroll but also provides HRM services such as employee benefit design and administration. When organizations outsource payroll processing, they send time and attendance data along with information about personnel changes to the payroll service bureau or PEO at the end of each pay period. Payroll service bureaus and PEOs are especially attractive to small and midsize businesses for the following reasons: 1. Reduced costs 2. Wider range of benefits 3. Freeing up of computer resources Multiple Choice 10 Benefits of outsourcing payroll and HRM functions include: a. Allows small companies to provide benefits similar to large companies b. Reduces costs c. Companies can focus their resources on improving services related to their business d. None of the above e. All of the above

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 D 6 B 2 D 7 E 3 D 8 C 4 C 9 B 5 B 10 E

17-14 .

CHAPTER 18 GENERAL LEDGER AND REPORTING SYSTEMS Instructor’s Manual Learning Objectives: 1. Describe the activities, information needs, and key decisions made in the general ledger and reporting system, explain the general threats in the cycle, and describe the controls that can be used to mitigate those threats. 2. Explain the process for updating the general ledger, the threats to that process, and the controls that can be used to mitigate those threats. 3. Explain the purpose and nature of posting adjusting entries, the threats to that process, and the controls that can be used to mitigate those threats. 4. Explain the process of preparing financial statements, the threats to that process, the controls that can be used to mitigate those threats, and how IT developments such as XBRL can improve the efficiency and effectiveness of preparing financial statements. 5. Describe the process for producing various managerial reports, the threats to that process, and how tools like responsibility accounting and the balanced scorecard can help mitigate those threats.

Introduction This chapter discusses the information processing operations involved in updating the general ledger and preparing reports that summarize the results of an organization’s activities. Figure 18-1 on page 594 provides a context diagram of the general ledger and reporting system. One of the primary functions of the general ledger and reporting system is to collect and organize data from the following sources: 1. Each of the accounting cycle subsystems described in Chapters 14 through 17 provides information about regular transactions. 2. The treasurer provides information about financing and investing activities, such as the issuance or retirement of debt and equity instruments and the purchase or sale of investment securities. 3. The budget department provides budget numbers. 4. The controller provides adjusting entries.

18-1 .

The general ledger and reporting system must be designed to produce regular periodic reports and to support real-time inquiry needs.

Learning Objective One Describe the activities, information needs, and key decisions made in the general ledger and reporting system, explain the general threats in the cycle, and describe the controls that can be used to mitigate those threats.

General Ledger and Reporting System Activities Figure 18-2 on page 594 is a level 0 data flow diagram depicting the four basic activities performed by the general ledger and reporting system. Circle 1.0 Update general ledger Circle 2.0 Post adjusting entries Circle 3.0 Prepare financial statements Circle 4.0 Produce managerial reports Figure 18-3 on page 595 depicts a typical online system used to perform these activities. The first three activities in Figure 18-2 (Circles 1.0, 2.0, and 3.0) represent the basic steps in the accounting cycle, culminating in the production of the traditional set of financial statements. The control objectives in the general ledger and reporting system are similar to those in the other AIS cycles discussed in previous chapters. 1. All updates to the general ledger are properly authorized. 2. All recorded general ledger transactions are valid. 3. All valid, authorized general ledger transactions are recorded. 4. All general ledger transactions are accurately recorded. 5. General ledger data are safeguarded from loss or theft. 6. General ledger system activities are performed efficiently and effectively. Table 18-1 on page 596 lists the major threats and exposures in the general ledger and financial reporting system, along with applicable control procedures.

18-2 .

Threat 1: Inaccurate or invalid general ledger data Mitigation of this threat is through the use of data processing and integrity controls when posting journal entries. Restrict access to the general ledger, and a detective control is to review all changes to general ledger data. Threat 2: Unauthorized disclosure of financial statement This threat can occur when financial statements are prematurely released. Access controls (i.e. use of multifactor authentication and physical security) restrict access to the general ledger. Encrypting the database also provides additional protection. Threat 3: Loss or destruction of data Employ backup and disaster recovery procedures. Multiple Choice 1 The third basic activity in the accounting system which produces financial statements is: a. post adjusting entries b. prepare financial statements c. update general ledger d. produce managerial reports Multiple Choice 2 To minimize the risk of an unscrupulous manager that can conceal theft of assets or poor performance by altering information in the general ledger. Which of the following statement(s) is TRUE? a. Employ read-only privileges to portions of the system necessary to perform assigned duties. b. Employ an access control matrix designed to limit the functions that can be performed by users. c. Review all changes made to the general ledger data. d. All of the above are true.

Learning Objective Two Explain the process for updating the general ledger, the threats to that process, and the controls that can be used to mitigate those threats.

Update General Ledger Updating consists of posting journal entries that originate from two sources: 1. Accounting subsystems 18-3 .

Each of the accounting subsystems described in Chapters 14 through 17 creates a journal entry to update the general ledger. 2. Treasurer The treasurer’s office creates individual journal entries to update the general ledger for nonroutine transactions such as issuance or retirement of debt. Journal entries to update the general ledger may be documented on a form called a journal voucher. Figure 18-3 shows that the individual journal entries used to update the general ledger are then stored in the journal voucher file. Threats and controls Threat 4: Inaccurate Updating of General Ledger Errors made in updating the general ledger and poorly designed reports can lead to poor decision making and impair the quality of the decisions made. The controls for this threat fall into three categories: 1. Input edit and processing controls 2. Reconciliations and control reports 3. Maintenance of an adequate audit trail

Input Edit and Processing Controls The journal entries from the other AIS cycles comes from the output of a series of processing steps, which are subject to a variety of application control procedures. The journal entries made by the treasurer and controller are original data entry which needs input edit and processing controls. 1. A validity check to ensure that general ledger accounts exist for each account number referenced in a journal entry. 2. Field (format) checks to ensure that the amount field in the journal entry contains only numeric data. 3. Zero-balance checks to verify that total debits equal total credits in a journal entry. 4. A completeness test to ensure that all pertinent data are entered, especially the source of the journal entry.

18-4 .

5. Closed-loop verification matching account numbers with account descriptions to ensure that the correct general ledger account is being accessed.

6. A sign check of the general ledger account balance, once updating is completed. 7. Calculating run-to-run totals to verify the accuracy of journal voucher batch processing.

Reconciliation and Control Report Reconciliations and control reports can detect whether any errors were made during the updating of the general ledger. Another form of reconciliation is the trial balance which detects whether total debit balances in the general ledger are equal to total credit balances. Clearing and suspense accounts provide a means to ensure that the general ledger is always in balance. To illustrate, assume that one clerk is responsible for recording the release of inventory to customers and the other is responsible for recording the billing of customers. The journal entry made by the inventory clerk would be: Debit “Unbilled shipments” Credit “Inventory”

XXX XXX

The journal entry made by the billing clerk would be: Debit “Accounts receivable” XXX Credit “Unbilled shipments”

XXX

After both entries have been made, the special clearing account, unbilled shipments, should have a balance of zero. Another important reconciliation is comparing the general ledger control account balance to the total balance in the corresponding subsidiary ledger. Enterprise resource planning (ERP) systems provide a number of control reports to help identify the source of errors that occurred. 1. Listing journal vouchers by general account number helps identify the source of any errors affecting a specific general ledger account. 2. Listing the journal vouchers by sequence can indicate the absence of any journal entry postings. 3. The general journal listing shows the details, description, and amount debited or credited of each entry posted to the 18-5 .

general ledger. This report indicates whether total debits are equal to total credits.

The Audit Trail The audit trail depicts the path of a transaction through the accounting system. An audit trail facilitates the following tasks: 1. Tracing any transaction from the original source document to the journal entry that updated the general ledger and to any report or other document using that data. 2. Tracing any items appearing in a report back through the general ledger to its original source documents. The journal voucher file provides information about the source of all entries made to update the general ledger. The usefulness of the audit trail depends on its integrity. Therefore, it is important to periodically make backups of all audit trail components and to control access to them. Multiple Choice 3 The act of tracing any transaction from its original source document (whether paper or electronic) to the journal entry that updated the general ledger and to any report or other document using that data: a. Provides a means to verify that all transactions are recorded correctly b. Provides a means to verify that all transactions were authorized c. Provides a means to verify that all authorized transactions were recorded correctly d. All of the above Multiple Choice 4 A report that lists the balances for all general ledger accounts is called: 1. Balance Sheet 2. Trial Balance 3. Audit Trail 4. Journal entry control report

Learning Objective Three Explain the purpose and nature of posting adjusting entries, the threats to that process, and the controls that can be used to mitigate those threats.

18-6 .

Post Adjusting Entries These adjusting entries originate from the controller’s office. The trial balance is a report that lists the balances for all general ledger accounts. Adjusting entries fall into five basic categories: 1. Accruals represent entries made at the end of the accounting period to reflect events that have occurred but for which cash has not yet been received or disbursed. 2. Deferrals represent entries made at the end of the accounting period to reflect the exchange of cash prior to performance of the related event. 3. Estimates represent entries that reflect a portion of expenses that occur over a number of accounting periods. 4. Revaluations represent entries made to reflect either differences between the actual and recorded value of an asset or a change in accounting principle. 5. Corrections represent entries made to counteract the effects of errors found in the general ledger. Information about these adjusting entries is also stored in the journal voucher file.

Threats and Controls Threat 6: Inaccurate Adjusting Entries Data entry processing integrity controls as well as spreadsheet error protection controls minimize the risk of mistakes. Creating a standardized adjusting entry file eliminates the need to repeatedly key in the same types of journal entries at each month end close and can reduce the risk of forgetting to post an adjusting entry, ensuring completeness. Threat 7: Unauthorized Adjusting Entries Strong access controls reduce the risk while detective controls such as periodic reconciliations and audit trails provide a means to detect unauthorized or inaccurate adjusting entries.

Multiple Choice 5 The _____ posts the adjusting journal entries after the trial balance has been prepared. a. finance department 18-7 .

b. controller’s office c. treasurer’s office d. COO Multiple Choice 6 The _____ category includes adjusting entries to record the expensing of prepaid assets. a. estimates b. corrections c. deferrals d. revaluations e. accruals

Learning Objective Four Explain the process of preparing financial statements, the threats to that process, the controls that can be used to mitigate those threats, and how IT developments such as XBRL can improve the efficiency and effectiveness of preparing financial statements.

Prepare Financial Statements The third activity in the general ledger and reporting system is preparing financial statements (circle 3.0 in Figure 18-2). The income statement is prepared first. The balance sheet is prepared next. The third major financial statement is the statement of cash flows. Transitioning from GAAP to IFRS Although the requirement continues to be pushed back, organizations will need to plan in the future how their general ledgers and reporting can accommodate the change from GAAP accounting to IFRS. IFRS differs from GAAP in several ways: 1. Accounting for fixed assets—IFRS requires the componentization of fixed assets. Componentization requires companies to identify and disaggregate their fixed assets. Most organizations only have this recorded as a total (e.g. cost of the delivery vehicle); however, under IFRS that delivery vehicle would have the component of the cab and engine and the trailer as separate components. 2. Accounting for research and development costs, IFRS allows capitalization of R&D costs at an earlier stage than GAAP. 3. IFRS does not permit last in, first out (LIFO).

18-8 .

XBRL: Revolutionizing the Reporting Process Communications technology has long been used to reduce time and costs of preparing and distributing financial statements and managerial reports. Previously, electronic dissemination of reports containing financial and nonfinancial information was a cumbersome, inefficient process. The problem was that many recipients had different requirements concerning the manner in which information was to be delivered. For example, SEC filings include a lot of the information that is also found in financial statements. Figure 18-8 on page 603 shows the traditional electronic reporting process which contains much of the same information, but presented in many different ways. The underlying cause of these problems was the lack of standards for identifying the content data. The Extensible Business Reporting Language (XBRL) is a variant of XML, specifically designed for use in communicating the content of financial data. XBRL creates tags for each data item similar to that used by HTML. Refer to Figure 18-8 on page 603. Tag names are at the bottom of Figure 18-9 on page 604, such as <us-gaap:SalesRevenueGoodsNet>. The tags are used to describe the various line items in the financial statement. The other fields in each tag provide contextual information such as the year and the units of measurement. XBRL provides two major benefits to the creation and electronic dissemination of financial data. First, it enables organizations to publish information only once, using standard XBRL tags. The second benefit of XBRL is that the information that XBRL tags provide is interpretable. This means that recipients will no longer need to manually reenter data they acquired electronically so that decision support tools can analyze them. The benefits of XBRL are not limited to its use to exchange financial data with external parties. Internal reporting will also benefit because data from the organization’s AIS can be exported once and then reused by different managers in different applications. This eliminates the need to manually re-enter the same data.

18-9 .

XBRL is certainly an important IT development. It is also noteworthy because the accounting profession spearheaded its development (see Focus 18-1 on page 608).

Threats and Controls Threat 8: Inaccurate Financial Statements Data processing integrity controls and the use of packaged software used to produce financial statements minimize the risk of errors. Training and experience in applying IFRS and XBRL reduces the risk of errors. Audits provide a good detective control. Threat 9: Fraudulent Financial Reporting Independent review (audit) is the best control. Multiple Choice 7 The following are the three basic financial statements: 1. Balance sheet 2. Income statement 3. Statement of cash flows The correct order in preparing these financial statements is: a. 2, 1, 3 b. 1, 2, 3 c. 1, 3, 2 d. 2, 3, 1 e. 3, 1, 2 Multiple Choice 8 XBRL is a variant of _____. a. HTML b. NAARS c. EDGAR d. XML Multiple Choice 9 The power of XBRL lies in the information provided by its: a. edit checks b. tags c. data marks d. none of the above

Learning Objective Five Describe the process for producing various managerial reports, the threats to that process, and how tools like responsibility accounting and the balanced scorecard can help mitigate those threats. 18-10 .

Produce Managerial Reports The final activity in the general ledger and reporting system (circle 4.0 in Figure 18-2) is producing various managerial reports. Examples of these reports include budgets and performance reports.

Threats and Controls Threat 10: Poorly Designed Reports and Graphs Poorly designed reports and graphs can cause managers to make biased or erroneous decisions. Three controls that mitigate this threat are: responsibility accounting, balanced scorecard, and training on proper graph design.

Responsibility Accounting Budgets and performance reports should be developed on the basis of responsibility accounting. Responsibility accounting is reporting financial results on the basis of managerial responsibilities within an organization. Many production, service, and administrative departments are evaluated using cost centers. In contrast, sales departments are often evaluated as revenue centers. No matter which basis is used to prepare a unit’s budgetary performance report, the method used to calculate the budget standard is crucial. The easiest approach to developing a budgetary performance report is to establish fixed targets for each unit (referred to as a static budget). The drawback to this approach is that it does not consider any changes in the operation of the activity. These changes could include actual units produced being different then the fixed (static) budget amount. Another example would be a difference in the number of unit sales. A solution to such problems is to develop a flexible budget, in which the budgeted amounts vary in relation to some measure of organizational activity.

The Balanced Scorecard The balanced scorecard is a report that provides a multidimensional perspective of organizational performance. A balanced scorecard contains measures reflecting four perspectives of the organization: 1) financial, 2) customer, 3) internal operations, and 4) innovation and learning. Table 18-2 on page 612 provides an example of a balanced scorecard used by AOE. This provides the targeted goal, and the current period and prior period actual performance results. 18-11 .

Many companies have three key financial goals: 1. Increased revenue streams through sales of new products 2. Increased profitability as reflected in return on equity 3. Maintaining adequate cash flow to meet obligations For every organization, customers are the key to achieving financial goals. AOE’s balanced scorecard contains two key goals: 1) improve customer’s satisfaction and 2) become the preferred supplier for key customers. To continuously improve service and results, it is important to develop new products and to train the workforce. Hypothetically, increased employee training is expected to improve service quality, as reflected in the percentage of customer orders filled correctly. In turn, improved service quality is expected to result in increased customer satisfaction and in key customers making a greater share of purchases from AOE. Accountants and systems professionals should participate in the development of a balanced scorecard. Although the balanced scorecard was initially developed as a strategic management tool, it can also be used as a vehicle to better manage enterprise risk. The balance scorecard is usually depicted in a dashboard in an interactive display of real-time measures of key indicators of operating performance. Multiple Choice 10 In using a balanced scorecard, _____ is (are) the key for every organization to achieving financial goals. a. profitability b. internal controls c. innovation d. customers

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 B 6 C 2 D 7 A 3 C 8 D 4 B 9 B 5 C 10 D 18-12 .

CHAPTER 19 DATABASE DESIGN USING THE REA DATA MODEL Instructor’s Manual Learning Objectives: 1. Discuss the steps for designing and implementing a database system. 2. Explain the nature and use of Entity-Relationship (E-R) diagrams. 3. Explain the content and purpose of the REA data model. 4. Use the REA data model to design an AIS database. 5. Read an REA diagram and explain what it reveals about the business activities and policies of the organization modeled. Questions to be addressed in this chapter include: 1. What steps are followed to design and implement a database system? 2. How is the REA data model used to design an AIS database? 3. How is an entity-relationship REA diagram of an AIS database drawn? 4. How are REA diagrams read, and what do they reveal about the business activities and policies of the organization being modeled?

Introduction This chapter introduces the topic of data modeling, one aspect of database design that accountants should understand. We discuss entity-relationship (E-R) diagrams and the REA accounting model and demonstrate how to use these tools to build a data model of an AIS.

Learning Objective One Discuss the steps for designing and implementing a database system.

Database Design Process Figure 19-1 on page 628 shows the five basic steps in database design.

19-1 .

1. Systems analysis 2. Conceptual design 3. Physical design 4. Implementation and conversion 5. Operation and maintenance The first stage (systems analysis) consists of initial planning to determine the need for and feasibility of developing a new system. The second stage (conceptual design) includes developing the different schemas for the new system, at the conceptual, external, and internal levels. The third stage (physical design) consists of translating the internallevel schema into the actual database structures that will be implemented in the new system. The fourth stage (implementation and conversion) includes all the activities associated with transferring data from existing systems to the new database AIS, testing the new system, and training employees how to use it. The fifth and final stage is using and maintaining the new system. Accountants can and should participate in every stage of the database design process. Accountants may provide the greatest value to their organizations by taking responsibility for data modeling. Data modeling is the process of defining a database so that it faithfully represents all aspects of the organization, including its interactions with the external environment. Multiple Choice 1 Data modeling occurs at which stage of the database design process? a. Physical design b. Conceptual design c. Implementation d. Operation

Learning Objective Two Explain the nature and use of Entity-Relationship (E-R) diagrams.

19-2 .

Entity-Relationship Diagrams An entity-relationship (E-R) diagram is a graphical technique for portraying a database schema. An entity is anything about which the organization wants to collect and store information. In an E-R diagram, entities are depicted as rectangles. Figure 19-2 on page 629 shows various E-R diagrams Some data modelers use diamonds to depict relationships (panel A), whereas others do not (panel B). Sometimes the attributes associated with each entity are depicted as name ovals connected to each rectangle (panel C) whereas others associate attributes with each entity which are listed in a separate table (panel D). E-R diagrams can be used to represent the contents of any kind of database. In this book, our focus is on databases designed to support an organization’s business activities. Multiple Choice 2 Which of the following statement(s) is TRUE? a. An entity is anything about which the organization wants to collect and store information. b. Events are the various business activities about which management wants to collect information for planning or control purposes. c. Some data modelers, tools, and authors use diamonds to depict relationships. d. E-R diagrams can be used to represent the contents of any kind of database. e. All of the above are true.

Learning Objective Three Explain the content and purpose of the REA data model.

The REA Data Model The REA data model was developed for use in designing AIS. The REA data model focuses on the business semantics underlying an organization’s value chain activities.

19-3 .

Three Basic Types of Entities The REA data model is so named as it has three distinct categories: 1. R—resources the organization acquires and uses 2. E—events (business activities) in which the organization engages 3. A—agents participating in these events Resources are those things that have economic value to the organization. Events are the various business activities about which management wants to collect information. There are two event entities in Figure 19-3 on page 630: Sales and Receive Cash. Agents are the people and organizations that participate in the events. Figure 19-3 includes two types of agent entities: Employees and Customers.

Structuring Relationships: The Basic REA Template The essential features of the basic pattern are: 1. Each event is linked to at least one resource that it affects. 2. Each event is linked to at least one other event. 3. Each event is linked to at least two participating agents. Rule 1—Every Event Entity Must Be Linked to at Least One Resource Entity Events must be linked to at least one resource that they affect. The “Get Resource A” in Figure 19-4 on page 631 increases the quantity of a resource. For example, “Get” includes the receipt of goods from a supplier which increases the amount of inventory, and the receipt of payment from a customer increases the amount of cash. Relationships that affect the quantity of a resource are sometimes referred to as stockflow relationships. “Give” events include paying suppliers and selling merchandise which decreases the amount of cash and inventories respectively.

19-4 .

Not every event changes the quantity of a resource. For example, a customer’s commitment to purchase merchandise will not alter the quantity of a resource until the sale is actually made. The commitment of a company to purchase merchandise from a vendor will not change the quantity of a resource until the actual purchase is made and the items are received. Rule 2—Every Event Entity Must Be Linked to at Least One Other Event Entity Figure 19-4 on page 631 shows that the Get Resource A event is linked to the Give Resource B event in what is called an economic duality relationship. Figure 19-5 on page 632 shows that each accounting cycle can be described in terms of such give-to-get economic duality relationships. The accounting cycles include 1) revenue cycle, 2) expenditure cycle, 3) payroll cycle, 4) financing cycle, and 5) production cycle. Rule 3—Every Event Entity Must Be Linked to at Least Two Participating Agents For accountability, organizations need to be able to track the actions of employees. Figure 19-4 on page 631 shows each event linked to two participating agent entities. For events that involve external agents, the internal agent is the employee and the external agent is the outside party. For events that involve internal agents, the internal agent is the employee that is giving up a resource and the external agent is the employee who is receiving the resource. Multiple Choice 3 In regards to REA data modeling, some researchers have proposed a fourth type of entity, which they call _____. a. accounts b. locations c. data d. special agents Multiple Choice 4 The essential features of relationship patterns include: a. Each event is linked to at least two participating agents. b. Each event is linked to no more than one resource that it affects. c. Each event is linked to at least one other event. d. A and C e. All of the above. 19-5 .

Multiple Choice 5 In order for a manufacturer to Get inventory, they must Give: a. Cash b. Raw materials c. Machinery d. B and C e. A and C

Learning Objectives Four and Five Use the REA data model to design an AIS database. Read an REA diagram and explain what it reveals about the business activities and policies of the organization being modeled.

Developing an REA Diagram Figure 19-6 on page 633 shows the REA diagram Paul developed for the revenue cycle of Fred’s Train Shop. This chapter focuses on developing an REA diagram for an individual transaction cycle. Developing an REA diagram for a specific transaction cycle consists of the following three steps: 1. Identify the events about which management wants to collect information. 2. Identify the resources affected by each event and the agents who participate in those events. 3. Determine the cardinalities of each relationship. Step 1: Identify Relevant Events The first step in developing an REA model of a transaction cycle is to identify the events of interest to management. At a minimum, this must include two events that include the basic giveto-get economic exchange. Usually, there are other events that management is interested in planning, controlling, and monitoring that also need to be included in the REA model. From Chapter 14, the revenue cycle typically consists of four sequential activities: 1. Take customer orders. 19-6 .

2. Fill customer orders. 3. Bill customers. 4. Collect payment from customers. The first activity of taking the customer’s order does not involve the acquisition of resources (get) or provision of resources to an external party (give). The second activity of filling the customer’s order does involve the reduction of the organization’s inventory level; representing the Give Resource event. The third activity of billing customers also does not involve an increase or decrease of any economic resource. The fourth activity of collecting payments from customers does involve an increase in the cash resource. Figure 19-6 on page 633 shows that the basic business activities in the revenue cycle indicate that the basic give-to-get economic exchange consists of two events: 1) fill customer orders (referred to as the Sales event) and 2) collect payments from customers (referred to as the Receive Cash event). In drawing an REA diagram for an individual transaction cycle, it is useful to divide the paper into three columns, one for each type of entity. Use the left column for resources, the center column for events, and the right column for agents. After identifying the economic exchange events, it is necessary to determine which other business activities should be represented as events in the REA model. This requires understanding what each activity entails because only those activities that involve the acquisition of new information need to be included in the model. Refer to Figure 19-6 on page 633 that was for Fred’s Train Shop in which the REA diagram was designed by Paul. Paul notes that the Sales and Receive Cash reflects most in-store sales transactions in which the customer selects the items to buy and then pays for them. However, there are some customers that call the store and ask Fred to put items aside in which they will pick them up later during the week. So now Paul needs to add the commitment event Take Customer Order to the REA diagram before the Sales event. Fred does have credit sales to some customers such as shopping centers and hotels. However, billing customers only involves printing and mailing invoices. The customer’s obligation to pay arises from the 19-7 .

delivery of the merchandise, not from the printing of an invoice. Therefore, Paul does not need to add the billing event in the revenue cycle REA diagram. What about accounts receivable? How can you possibly monitor the accounts receivable balance sheet item? What information would the billing event add that you don’t already have? Answer: “Nothing.” You already have the information from the Sales event. Accounts receivable equals all sales in which customers have not yet paid. So again, Paul does not have to include the billing event. Finally, notice that there are no events that pertain to the entry of data. The reason for this is that the REA data model is used to design transaction processing databases. The objective is to model the basic value-chain business activities of an organization: 1) what it does in order to generate revenues and 2) how it spends cash and uses its other resources. Thus, what gets modeled in the REA diagram is the business event (e.g. the sales transaction) and the facts that management wants to collect about that event, not the entry of that data. Step 2: Identify Resources and Agents Next, the resources that are affected by those events need to be identified. This involves answering three questions: 1. What economic resource is reduced by the “Give” event? 2. What economic resource is acquired/increased by the “Get” event? 3. What economic resource is affected by a commitment event? Again, a solid understanding of business processes makes it easy to answer these questions. To continue with our example, Paul observed that the Sales event involves giving inventory to customers. The Cash Receipts event involves receiving cash from customers. Cash can be in the form of money, checks, credit cards, or debit cards. Paul added the Inventory resource and Cash resource entities to the REA diagram. Finally, the Take Customer Order event involves the setting aside of merchandise for customers. In addition to specifying the resources affected by each event, it is also necessary to identify the agents who participate in those events. There will always be at least one internal agent (employee) and, in most cases, an external agent (customer or vendor) who participate in each event. In the case of Fred’s Train Shop’s revenue cycle, a customer and a salesperson participate in each sales event. 19-8 .

For the Receive Cash event, the customer and cashier are the two agents. Both the revenue cycle and the Take Customer Order event involve customers and employees. Step 3: Determine Cardinalities of Relationships The final step in drawing an REA diagram for one transaction cycle is to add information about relationship cardinalities. Cardinalities describe the nature of the relationship between two entities by indicating how many instances of one entity can be linked to each specific instance of another entity. No universal standard exists for presenting information about cardinalities in REA diagrams. The text adopts the graphical “crow’s feet” notation style for representing cardinality information. Table 19-1 on page 636 explains the meaning of the symbols used to represent cardinality information. Focus 19-1 on page 637 compares the notation used in this book with other commonly used conventions. Figure 19-7 on page 638 depicts both minimum and maximum cardinalities for each entity participating in a relationship. Minimum cardinality indicates whether a specific instance of the entity next to the cardinality must be linked to at least one instance of the entity on the opposite side of that relationship. A minimum cardinality of zero means that an instance of the entity on this side of the relationship need not be linked to any specific instances of the other event. For example, in Figure 19-7 the minimum cardinality of 0 next to the Sales entity in the Customer-Sales relationship indicates that information about a new customer can be added to the Customer entity without any specific sales transaction. A minimum cardinality of one means that each instance of that entity must be linked to at least one instance of the other entity participating in that relationship. For example, in Figure 19-7 the minimum cardinality of 1 next to the Customer entity in the Customer-Sale relationship indicates that information about a new sale can be added only if it is linked to a specific customer. The maximum cardinality indicates whether one instance of that entity can be linked to more than one instance of the other entity participating in that relationship.

19-9 .

In Figure 19-7 the maximum cardinality next to Customer entity in the Customer-Sale relationship is 1. This means that each sales transaction can be linked to only one customer. Three Types of Relationships Figure 19-7 portrays these three types of relationships: 1. A one-to-one (1:1) relationship exists when the maximum cardinality for each entity in the relationship is 1. Panel A: one-to-one (1:1) relationship 2. A one-to-many (1:N) relationship exists when the maximum cardinality of one entity in the relationship is 1 and the maximum cardinality for the other entity in that relationship is many. Panel B: one-to-many (1:N) relationship Panel C: Opposite a one-to-many relationship is what is referred to as (N:1) 3. A many-to-many (M:N) relationship exists when the maximum cardinality for both entities in the relationship is many. Panel D: many-to-many (M:N) relationship Figure 19-7 shows that any of these possibilities might describe the relationship between the Sales and Receive Cash events. The cardinalities must reflect the organization’s business policies. Figure 19-7, panel A, represents the typical revenue cycle relationship for business-to-consumer retail sales. Note that it does not matter how customers pay for each sales transaction. If management is interested in tracking the frequency of different payment methods, this fact might be recorded as an attribute of the Sales event. Panel B and C of Figure 19-7 depicts two ways that one-to-many (1:N) relationships can occur. Panel B indicates that the organization has a business policy that allows customers to make installment payments to the selling organization. However, this does not mean that every sales transaction is paid for in installments. Panel C shows another type of 1:N relationship between Sale and Cash Receipts. This indicates that the organization has a business policy that does not permit customers to make 19-10 .

installment payments. This type is especially used for businessto-business sales of nondurable goods. Panel D of Figure 19-7 depicts a many-to-many relationship between the Sale and Cash Receipt events. This type represents an organization that has business policies that allow customers to make installment payments and also permit customers to accumulate a balance representing a set of sales transactions over a period of time. Some sales transactions may be paid in full in one payment and some customers may pay for each sales transaction separately. Multiple Choice 6 The second step in developing an REA diagram is: a. determine the cardinalities of each relationship. b. identify the events about which management wants to collect information. c. identify the resources affected by each event and the agents who participate in those events. d. None of the above. Multiple Choice 7 Which of the activities in a revenue cycle does not involve a Get or Give event? a. Bill customers b. Take customer orders c. Fill customer orders d. Collect payment from customers e. B and C Multiple Choice 8 Three types of relationships between entities include: a. 1:M b. N:M c. 1:N d. 0:1

Business Meaning of Cardinalities The information that reflects facts about the organization and its business practices is obtained during the systems analysis and conceptual design stages of the database design process. Let’s now examine Figure 19-6 to see what it reveals about Fred’s Train Shop. First, note that all of the agent-event relationships are 1:N. A particular agent often participates in many events. The minimum cardinalities associated with the agent-event relationships reflect typical business processes which shows that each event must be linked to an agent (e.g. a sale must involve a customer and a payment from a customer). 19-11 .

Figure 19-6 shows that the minimum cardinality on the event side of the agent-event relationship is 0. The organization may wish to store information about potential customers and alternate suppliers. Figure 19-6 depicts M:N relationships between the inventory resource and the various events that affect it. Most organizations track such inventory by an identifier such as part number, item number, or stock-keeping unit (SKU) number and do not attempt to track each physical instance of that product. When a sale occurs, the system notes which product number(s) were sold. The same inventory item may be linked to many different sales events. What if an organization sells unique, one-of-a-kind inventory, such as original artwork? Such items can only be sold one time; consequently, the maximum cardinality on the event side of the inventory-sales event would be 1. The minimum cardinalities on each side of the inventory-event relationships shown in Figure 19-6 reflect typical business practices; every order or sales event must be linked to at least one inventory item. Now consider the relationship between the cash resource and the Receive Cash event. Each cash receipt from a customer is deposited into one cash account. Then the treasurer transfers money from that account to other cash accounts. Each customer payment must be deposited into some account; hence the minimum cardinality is 1 on the resource side of the relationship. However, the minimum cardinality on the event side of the relationship is 0. Finally, let us examine the event-event relationship. Fred’s Train Shop ships each business customer order individually and waits until all items are in stock before filling an order. Thus, each order is linked to only one sales transaction and each sales transaction is related to only one order. The minimum cardinality on the sales side of the relationship is 0, meaning that orders may exist which are not linked to sales. Fred’s Train Shop extends credit to its business customers and mails them monthly statements. The business customers send Fred one check to cover all their purchases during a given time period. Therefore, one Cash Receipts event could be linked to many different Sale events. Because Fred’s Train Shop extends credit to some of its customers, at any point in time there can be Sale events that are not yet linked to any Receive Cash events. The minimum cardinality on the Receive Cash side of the relationship is 0. Fred’s Shop never requires customers to pay in advance for special orders. Thus, every Receive Cash event must be linked to a Sale event. The minimum cardinality on the sales side of the Sale-Receive relationship is 1. 19-12 .

Uniqueness of REA Diagrams Because each organization will have its own unique REA diagram, so will relationship cardinalities differ. An REA diagram will need to be changed for every change in an organization’s business practices. As such, data modeling is usually a complex and repetitive process. Thus, it is not unusual to erase and redraw portions of an REA diagram several times before finally producing an acceptable model. Focus 19-2 on page 642 highlights the importance of involving the eventual users of the system in the data modeling process so that terminology is consistent. Multiple Choice 9 The information about the choice of cardinalities is obtained during the _____ stage of the database design process. a. physical design b. implementation and conversion c. systems analysis and conceptual design d. operation and maintenance Multiple Choice 10 Most organizations track an inventory by an identifier such as: a. part number b. item number c. SKU d. All of the above e. A and B

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 B 6 C 2 E 7 E 3 B 8 C 4 D 9 C 5 D 10 C

19-13 .

CHAPTER 20 IMPLEMENTING AN REA MODEL IN A RELATIONAL DATABASE Instructor’s Manual Learning Objectives: 1. Integrate separate REA diagrams for individual business cycles into a single, comprehensive, organization-wide REA diagram. 2. Build a set of tables to implement an REA model of an AIS in a relational database. 3. Use the REA data model to write queries to retrieve information from an AIS relational database. Questions to be addressed in this chapter: 1. How to integrate the separate REA diagrams into a single,

comprehensive, enterprise-wide data model. 2. How to use the integrated data model to design a set of

relational database tables. 3. How to query the resulting database to generate both traditional

financial statements as well as any custom performance reports.

Introduction This chapter shows how to implement an REA diagram in a database. The REA data modeling can also be used to design object-oriented databases. We begin by showing how to integrate separate REA diagrams developed for individual transaction cycles into a single, comprehensive enterprise wide data model.

Learning Objective One Integrate separate REA diagrams for individual business cycles into a single, comprehensive, organization-wide REA diagram.

Integrating REA Diagrams Across Cycles Figures 20-1, 20-2, and 20-3 (pages 662-663) present REA diagrams of Fred’s Train Shop’s revenue, expenditure, and payroll cycles, respectively.

20-1 .

Figures 20-1 and 20-2 were explained in Chapter 19, so we focus in Chapter 20 on Figure 20-3 for the HR/payroll cycle activities. Fred’s Train Shop uses an electronic time clock to record the hours worked by each employee each day by marking the time each employee began and ended working. Each event must be linked to a particular employee and his or her supervisor. A paycheck is issued to a particular employee and signed by a particular cashier. The relationship among agents and events is 1:N. The minimum cardinality on the agent side of those relationships is always 1. The minimum cardinality on the event side of the relationships is always 0 in order to store data about new employees before they start to work. The relationship between the Time Worked and Disburse Cash events reflects the use of an employee’s time and paying for it. The relationship between these two events is 1:N. This is because each Disburse Cash event is linked to many daily Time Worked events. The Employee Time entity represents the fact that the resource being acquired by the Time Worked event is the use of an employee’s skills and knowledge for a particular period of time. Every organization needs to monitor how much time each employee works. The Time Worked event is an example of a “Get” resource event. How an employee uses their time is an example of a “Give” resource event. These two events capture all of the information used to collect and monitor each employee’s time. Each check or electronic funds transfer must be linked to at least one and only one cash account. However, the same cash account may be linked to many disbursement events.

Rules for Combining REA Diagrams Figures 20-1, 20-2, and 20-3 each contain some of the same entities. For example, the inventory resource appears in both Figures 20-1 and 20-2. The cash disbursements event appears in both Figures 20-2 and 203. Both the employee agent and the cash resource appear in all three diagrams. Such redundancies provide the basis for combining REA diagrams into a single, comprehensive, enterprise-wide REA model. Refer to

20-2 .

Figure 20-4 on page 664 which shows such a model for Fred’s Train Shop. Notice that the diagram merges copies of resource and event entities, but retains multiple copies of agent entities.

Merging Redundant Resource Entities Remember that REA diagrams for individual transaction cycles involve give-to-get economic exchanges. Figure 20-1 shows that inventory is reduced (Sales event) in exchange for cash (Receive Cash event). However, it does not show how the inventory was acquired or how the organization uses the cash it receives from customers. Figure 20-2 shows how the inventory was acquired by giving up cash. However, it does not show what the organization does with the inventory or how it acquired cash used to pay suppliers. These problems are eliminated by merging redundant resource entities as that shown in Figure 20-4.

Merging Redundant Event Entities REA diagrams for individual transaction cycles may include some events that also appear in the REA diagrams of another transaction cycle. For example, Figures 20-2 and 20-3 both contain the Disburse Cash event entity. Figure 20-4 shows that the Disburse Cash event is linked to both the Receive Inventory and the Time Worked events. Merging redundant resources does not affect any cardinalities. However, merging redundant events does alter the minimum cardinalities associated with the other events. In Figure 20-4, the cardinalities between the inventory resource and each of the four events (Order Inventory, Receive Inventory, Take Customer Order, and Sales) are the same as that in Figures 20-1 and 202. However, the cardinalities between the Disburse Cash event and the other two events (Receive Inventory and Time Worked) in Figure 20-4 are different from that in Figures 20-2 and 20-3. The reason for this difference lies in the underlying semantics about the nature of the relationship between the merged entity and other entities. In other words, the resource entity is linked to event entities in one cycle and to event entities in the other cycle. Because both are possible, none of the cardinalities need to be changed.

20-3 .

However, it is different when merging an event across transaction cycles. The event that appears in both individual transaction cycles can be linked to an event of one transaction cycle or to an event in another transaction cycle. However, the event cannot be linked to both events. Consequently, the minimum cardinality associated with the other event must be 0 in the integrated REA diagram. In addition, merging two transaction cycles on a common event may also affect the minimum cardinalities between the merged event and the agents participating in that event. For example, in Figure 20-4 the minimum cardinality between the Disburse Cash event and the Supplier entity is now 0 instead of 1.

Validating the Accuracy of Integrated REA Diagrams In Chapter 19 there were three basic principles for drawing REA diagrams for individual transaction cycles. There are now six rules for integrated REA diagrams: 1. Every event must be linked to at least one resource. 2. Every event must be linked to two agents who participate in that event. 3. Every event that involves the disposition of a resource must be linked to an event that involves the acquisition of a resource. (This reflects the economic duality underlying “give-to-get” economic exchanges.) 4. Every resource must be linked to at least one event that increments that resource and to at least one event that decrements that resource. 5. If event A can be linked to more than one other event, but cannot be linked simultaneously to all of those other events, then the REA diagram should show that event A is linked to a minimum of 0 of each of those other events. 6. If an event can be linked to any one of a set of agents, but cannot be simultaneously linked to all those agents, then the REA diagram should show that event is linked to a minimum off 0 of each of those agents. Multiple Choice 1 The REA diagram for Fred’s Train Shop’s individual expenditure cycle has _____ event entities. a. 2 b. 3 c. 4 d. 5

20-4 .

Multiple Choice 2 The REA diagram for Fred’s Train Shop’s individual revenue cycle has _____ resource entities. a. 2 b. 3 c. 4 d. 5 Multiple Choice 3 Merging redundant _____ does not affect any cardinalities, but merging redundant _____ alters minimum cardinalities. a. resources; agents b. events; resources c. resources; events d. agents; resources Multiple Choice 4 Whenever a merged event involves different agents in each of the individual transaction cycles being merged, the minimum cardinalities between that event and those agents changes from _____ to _____. a. 1; M b. 0; M c. 0; 1 d. 1; 0

Learning Objective Two Build a set of tables to implement an REA model of an AIS in a relational database.

Implementing an REA Diagram in a Relational Database Once the REA conceptual model is developed, it can be used to design a well-structured relational database that is not subject to the update, insert, and delete anomaly problems discussed in chapter 4. There are three steps to implementing an REA diagram in a relational database: 1. Create a table for each distinct entity in the diagram and for each many-to-many relationship. 2. Assign attributes to appropriate tables. 3. Use foreign keys to implement one-to-one and one-to-many relationships. Step 1: Create Tables for Each Distinct Entity and M:N Relationship A properly designed relational database has a table for each distinct entity and for each many-to-many relationship in an REA diagram. 20-5 .

Figure 20-4 has 13 distinct entities. We will not be implementing Employee Time in the database. Seven tables will represent the event entities in the diagram: Order Inventory, Receive Inventory, Disburse Cash, Time Worked, Take Customer Orders, Sales, and Receive Cash. Two tables will be used for resource entities: Inventory and Cash. Three tables are needed to implement the distinct agent entities: Employees, Customers, and Suppliers. In Figure 20-4 there are five M:N relationships. Three are from the revenue cycle: 1. Take Customer Orders-Inventory 2. Sales-Inventory 3. Sales-Receive Cash Two are from the expenditure cycle: 1. Inventory-Order Inventory 2. Inventory-Receive Inventory 17 Tables will be needed to implement Figure 20-4 into a relational database. Step 2: Assign Attributes to Each Table The next step is to determine which attributes should be included in each table. Identify Primary Keys Remember from Chapter 4 that every table in a relational database must have a primary key, consisting of an attribute, or combination of attributes, that uniquely identifies each row in that table. Fred’s Train Shop uses invoice numbers as the primary key of the sales table and customer number for the Customer table. M:N relationship tables consist of two primary keys. The SalesInventory table consists of both the invoice number and product number as primary keys. These multiple-attribute primary keys are called concatenated keys. Assign Other Attributes to Appropriate Tables

20-6 .

Other attributes included in a relational database table must be a fact about the object represented in the primary or foreign key. These other attributes could include such items as customer name and address. A foreign key is an attribute in a table that is a primary key in another table. Foreign keys are used to link tables. The 17 Tables needed to implement Figure 20-4 into a relational database are listed in Table 20-1. In addition to the name of the table, it lists the primary key, foreign keys, and other attributes. Note that the last five tables in Table 20-1 have concatenated keys (two primary keys). In Figure 20-4, four of these event entities (tables in Table 20-1) have a M:N relationship with the inventory resource entity. Note that the employee number primary key in the Employees table is the foreign key in seven other tables: 1) Order Inventory, 2) Receive Inventory, 3) Disburse Cash, 4) Take Customer Orders, 5) Sales, 6) Receive Cash, and 7) Record Time Worked. Table 20-1 also includes nonkey attributes in some of the M:N relationship tables. Nonkey attributes are items in a table that are neither a primary key nor a foreign key. All nonkey attributes in a table should describe a characteristic about the object identified by the primary key. Nonkey attributes are listed in Table 20-1 under the Other Attributes column. Price and Cost Data In Table 20-1, notice that information about prices and costs are stored as an attribute in several different tables. The Inventory table stores the suggested list price for the item. The Sales-Inventory stores the actual sales price. Cumulative and Calculable Data Notice that Table 20-1 does not contain cumulative data, such as “quantity on hand” in the Inventory table, or calculated data, such as “total amount of sale” in the Sales table. The reason this data is not provided in these two tables is because the information is already available: The inventory quantity on hand equals the quantity on hand 20-7 .

at the beginning on the current fiscal period (Inventory table) plus the total quantity purchased this period (total quantity purchased in Receive-Inventory table) minus the quantity sold in the Sales-Inventory table. The total amount of sale equals quantity sold by the actual sales price in the Sales-Inventory table. Step 3: Use Foreign Keys to Implement 1:1 and 1:N Relationships 1:1 and 1:N relationships are more efficiently implemented by means of foreign keys instead of being implemented as separate tables. Using Foreign Keys to Implement 1:1 Relationships In a relational database, 1:1 relationships between entities can be implemented by including the primary key of either entity as a foreign key in the other table. Careful analysis of the minimum cardinalities of the relationship suggests that this approach is more efficient. Consider the case of a 1:1 relationship between sales and customer payments (see Figure 19-7, panel A). The minimum cardinality for the Receive Cash event is 0. The minimum cardinality for the Sale event is 1. Using Foreign Keys to Implement 1:N Relationships 1:N relationships can also be implemented in relational databases with foreign keys. There is only one way to do this: The primary key of the entity that can be linked to multiple instances of the other entity must become a foreign key in that other entity. The primary keys of the Salesperson and Customer tables are included as foreign keys in the Sales table. Reversing this procedure would violate one of the fundamental rules of relational database design. M:N relationships must be implemented as separate tables. Because each entity can be linked to multiple occurrences of the entity on the other side of the relationship, it is not possible to make either entity’s primary key a foreign key in the other entity.

Completeness Check The list of attributes that users and management want included in the database provides a means to check and validate the implementation process. Checking this list against the table column names may reveal not only the fact that a particular attribute has not been assigned to the appropriate table in the database but may even indicate the need to 20-8 .

modify the REA diagram itself. Paul Stone double-checked the list of desired attributes; he found that he did not have any table to cover the attribute “product discussed during sales calls.” Paul realizes that this necessitates creating another entity “Call on Customers.” It is often useful to create tables even before completely finishing an REA diagram and assign attributes to them. Once all attributes have been assigned to tables, a final accuracy check of relational databases (basic requirements discussed in Chapter 4) is required: 1. Every table must have a primary key. 2. Other nonkey attributes in each table must be either a fact about the thing designated by the primary key or foreign keys used to link that table to another table. 3. Every attribute in every table is single-valued.

Multiple Choice 5 In implementing an REA diagram in a relational database, the _____ are used to implement 1:1 and 1:M relationships. a. primary keys b. foreign keys c. nonkeys d. database keys Multiple Choice 6 An example of a table that has concatenated keys is: a. Inventory b. Sales-inventory c. Disburse cash d. Receive inventory Multiple Choice 7 Which of the following statements is FALSE? a. The second step in implementing an REA diagram in a relational database is assigning attributes to appropriate tables. b. The primary key “Customer Number” in the Customers table is a foreign key in the Sales table. c. Tables should never be created before completely finishing an REA diagram. d. In a relational database designed according to the REA data model, event entities store information about transactions. e. All of the above are true.

20-9 .

Learning Objective Three Use the REA data model to write queries to retrieve information from an AIS relational database.

Using REA Diagrams to Retrieve Information from a Database In this section we refer to Figure 20-4 and Table 20-1 to show how to use completed REA diagrams to retrieve information to evaluate performance.

Creating Journals and Ledgers The traditional journals and ledgers can be created through the use of queries. Deriving Journals from Queries In a relational database, event entities store information about transactions. Information found in a journal is contained in the tables used to record data about events. For example, the Sales and Sales-Inventory tables contain information for sales transactions. Thus, a sales journal can be produced through sales queries. However, this would produce a list of all sales transactions (cash and credit sales). Sales journals include only credit sales. To be able to determine the credit sales, the REA model would create a new role “sale of merchandise to a customer” in the Sales table and “receipt of payment from a customer” in the Receive Cash table. For cash sales, both rows would have the same values in the date and customer number columns. Rows in the Receive Cash table with dates later than the date of the corresponding sales would present payments on credit sales. Ledgers In AISs, ledgers are master files that contain cumulative information about specific accounts. Resource and agent entities contain permanent information that is carried over from one fiscal year to the next. Information about an organization’s assets that is posted in ledgers is stored in Resource tables.

20-10 .

Each of the resource accounts is affected by increment and decrement events. For example, equipment is purchased and used, cash is received and disbursed, and inventory is purchased and sold. Queries to display the current cumulative balance for these accounts must reference not only the appropriate table for that resource entity but also the event tables that affect it. Many financial statement accounts are represented as resources in the REA model. An important exception is claims: Figure 20-4 does not include Accounts Receivable or Accounts Payable. Accounts Receivable represents sales transactions for which customer payments have not yet been received, and Accounts Payable represents purchases from suppliers that have not yet been paid for. Therefore, neither account needs to be explicitly stored as separate tables.

Generating Financial Statements It is possible to use a completed REA diagram to guide the writing of queries to produce the information that would be included in financial statements.

Creating Managerial Reports A major advantage of the REA data model is that it integrates nonfinancial and financial data in the AIS and makes both types of data easily accessible to management. For example, Table 20-4 show that the Sales table in Figure 20-4 includes an attribute to record the time that the sale occurred. This will allow the tracking of sales activity during different times of the day to better plan staffing needs at Fred’s Train Shop. The general ledger is normally designed in AISs using the chart of accounts based on the structure of financial statements. Therefore, the nonfinancial data needs to be stored in a separate database or information system. Multiple Choice 8 Sales and Sales-Inventory tables can be queried to produce a list of all sales transactions. However, to produce a sales journal would also include queries of the both the _____ and _____ tables. a. Receive Cash; Inventory b. Sales-Receive Cash; Cash c. Cash-Sales; Receive Cash d. Receive Cash; Sales-Receive Cash

20-11 .

Multiple Choice 9 A lot of the information about an organization’s assets that is posted in ledgers is stored in _____ tables. a. Resource b. Event c. Agent d. Activity Multiple Choice 10 Many financial statement accounts are represented as resources in the REA model except for: a. Cash b. Accounts Receivable c. Inventory d. None of the above

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 B 6 B 2 A 7 C 3 C 8 D 4 D 9 A 5 B 10 B

20-12 .

CHAPTER 21 SPECIAL TOPICS IN REA MODELING Instructor’s Manual Learning Objectives: 1. Create REA data models for the revenue and expenditure cycles of other types of organizations besides retail stores. 2. Extend REA diagrams to include information about employee roles, M:N agent-event relationships, locations, and relationships between resources and agents. 3. Understand and create an REA diagram for the production cycle. 4. Understand and create an REA diagram for the HR/payroll cycle. 5. Understand and create an REA diagram for the financing cycle. Questions to be addressed in this chapter: 1. How do you model the revenue cycle activities of a business that provides services, such as computer or automotive repairs? What about a business that rents items instead of selling them? 2. How do you model the production cycle activities of a manufacturer? 3. How do you integrate payroll activities with other HR processes, such as hiring and training employees? 4. How do you model financing transactions, such as the issuance of stock or debt?

Introduction This chapter extends the basic concepts to a variety of other types of businesses and transaction cycles.

Learning Objective One Create REA data models for the revenue and expenditure cycles of other types of organizations besides retail.

Additional Revenue Cycle Modeling Topics Figure 21-1 on page 686 presents a revenue cycle REA diagram that includes manufacturers, distributors, and other types of businesses. Table 21-1 on page 687 lists the tables and their attributes that would be required to implement this model in a relational database. 21-1 .

Additional Events Figure 21-1 separates the warehouse activity of filling an order from the activity of actually shipping or delivering that order to the customer. The relationship between the Take Customer Order and Fill Customer Order event is represented as being one-to-many (1:N). The minimum cardinalities reflect the fact that two events occur sequentially. The maximum cardinalities reflect the fact that sometimes the company may be out of stock of one or more items that were ordered. The maximum cardinality from the Fill Customer Order event to the Take Customer Order event is 1. The relationship between the Fill Customer Order and Ship Order events is 1:1. The minimum cardinalities reflect the fact that the two events are sequential. The maximum cardinality from the Fill Customer Order event to the Ship Order event is 1 because once all the items that were ordered and in stock have been picked and packed, that entire package is shipped intact to the customer. For proper accountability, each Ship Order event is linked to one, and only one, Fill Customer Order event.

Attribute Placement Table 21-1 shows that the primary key of the shipping event is the shipment number. The primary key for Call on Customer is the Call Number. The Call Number is also the foreign key for Take Customer Order. The primary key for Take Customer Order is the Sales Order Number. The Sales Order Number is also the foreign key for Fill Customer Order. The primary key for Fill Customer Order is the Picking Ticket Number. The Picking Ticket Number is also the foreign key for Ship Order. The primary key for Ship Order is the Shipment Number. The primary key for Receive Cash is the Remittance Number. Note that the unit cost for each item is an attribute in the Inventory Table.

21-2 .

The unit list price is an attribute in the Inventory Table and the Inventory-Take Customer Order Table.

New REA Feature—Employee Roles The REA diagram in Figure 21-1 provides the job roles of employees. The salesperson is involved in the Call on Customer and Take Customer Order events. The warehouse employee is involved in the Fill Customer Order event. The shipping employee is involved in the Fill Customer Order and Ship Order events. There is also an external agent, carrier, involved in the Ship Order event. The cashier is involved in the Receive Cash event.

Sale of Services Now we will switch from selling a product to providing a service. Figure 21-3 on page 690 provides an REA diagram of a partial revenue cycle for a service type business. The Service Table would provide a row for each type of service. For example, an automotive repair shop would have individual rows for such services as oil changes and brake replacement. The inventory involved would include oil and brake shoes. The relationship between the Sales and Services resources would be modeled as M:N because most businesses provide the same types of services to many different customers. The relationship between Sales and Inventory would also be M:N as there would be many types of parts used for the same types of services. For another example, a CPA firm could include rows for tax services, audits, consulting services, and financial planning. The firm could also breakdown audits into financial statement, compliance, and operational audits. The inventory in this case would not involve identifiable inventory parts. Only the professional and administrative labor would be mainly involved. The relationship between Sales and Services resources would remain the same as mentioned above at M:N. However, the relationship between Sales and Inventory would now be a minimum cardinality of 0.

21-3 .

Digital Assets What about digital assets? Companies sell software, music, or digital photographs over the Internet. These types of companies sell only the copies, but not the actual resource. You would still need an Inventory Table so that customers can see what products are available for sale. The Inventory table is almost the same as that for businesses that sell merchandise. The difference is that there is no need for attributes such as quantity on hand, quantity available, and reorder point and reorder quantity because they are only selling copies.

Rental Transactions Some businesses rent items rather than selling them. This involves only the temporary use of a resource. Thus, the rental transaction involves receipt of the returned item and receipt of cash. Figure 21-5 on page 692 provides an REA diagram for a partial revenue cycle for rental transactions. Businesses need to track each rental item or equipment separately. The primary key for rental equipment would be the serial number. Attributes in the Rental Inventory table would include the date and time it was rented, rental price, and terms of the rental agreement. Figure 21-5 shows that the Rent Item event is linked to both the Receive Cash and Return Item events. The minimum cardinality of 1 reflects that customers normally pay first. The maximum cardinality is N because there may be additional charges when an item is returned. The cardinality from the Receive Cash event to the Rent Item event is a minimum of 0 and maximum of 1. The relationship between the Rent Item and Return Item events is 1:1.

Additional Expenditure Cycle Modeling Topics Figure 21-2 presents an expanded expenditure cycle REA diagram that includes internal requests for purchases. Table 21-2 on page 689 provides the corresponding tables. Table 21-2 shows cost information is stored in several tables. By storing the cost of each order with the quantity purchased, the system can calculate the actual cost of ending inventory and the cost of goods sold according to any accepted inventory valuation method (LIFO, FIFO, weighted-average, or specific identification).

21-4 .

Additional Events Figure 21-4 on page 691 is similar to the REA diagram in 20-2, except that we have one new event, Request Inventory at the beginning of the REA diagram. There is also one new corresponding table, Request Inventory. Request Inventory event provides a way to collect data about the request sent by activities or departments to the purchasing department. The cardinality pair from the Request Inventory event to the Order event has a minimum cardinality of 0 and maximum of N. The 0 minimum reflects the fact that the purchase request occurs before the purchase order. The N maximum reflects the fact that some requests involve items from more than one vendor, requiring more than one purchase order. Going back to the Request Inventory event from the Order event also has a 0 minimum and N maximum.

Attribute Placement There is only one attribute, Quantity Requested, in the new table, Inventory-Request_Inventory. The unit costs and quantity-on-hand attributes are provided in the Inventory Table. The quantity ordered attribute is provided in the Inventory-Order_Inventory Table. This will be needed in calculating the cost of goods sold and the inventory value as various valuation methods (FIFO, LIFO, weighted-average, or specific identification).

New REA Feature—M:N Agent-Event Relationships Figure 21-2 depicts the relationship between the Receive Inventory event and employees as being M:N. This reflects the fact that many deliveries involve large quantities which will require several employees. Receiving inventory involves Receiving and Warehouse employees.

New REA Feature—Locations The locations involved include: 1. The activity or department where the order was requested 2. The purchasing department where the order was placed 3. The receiving department 4. The warehouse

21-5 .

The cardinality pair from the Warehouse to the Inventory resource has a 0 minimum and N maximum. If the same inventory items are stored in more than one warehouse, the maximum cardinality from Inventory to Warehouse is N. The minimum cardinality from the Cash Resource to Financial Institutions is 0; the maximum cardinality is 1.

New REA Feature—Relationships Between Resources and Agents Figure 21-2 includes a relationship between the Inventory resource entity and the Supplier agent entity.

Acquisition of Intangible Services Organizations acquire various intangible services, such as Internet access, telephone service, and utilities. Payments for these services are included in the Disburse Cash table. Acquisition of these services is included in the Acquire Services table. The relationship between the acquisition event and the resource entity is modeled as 1:N because in most cases each service is acquired from a different supplier.

Rental Transactions Many organizations rent office spaces and warehouses. Information about the payment event is included in the Disburse Cash table. A separate Rent Resource event may be created to represent the acquisition of the resource. Rented and owned resources may be represented in separate entities. In addition, if the rented resource must be returned, then another event will need to be included in the REA diagram. In that case, the Rent Resource event would be linked to two events: 1) Disburse Cash and 2) the Return of the resource. Multiple Choice 1 The relationship from Take Customer Order to Salesperson is a maximum cardinality of _____ and minimum cardinality of _____. a. 1; N b. 0; N c. M; N d. 1; 1

21-6 .

Multiple Choice 2 The Picking Ticket Number is the primary key in the _____ table and the foreign key in the _____ table. a. Take Customer Order; Fill Customer Order b. Fill Customer Order; Ship Order c. Ship Order; Fill Customer Order d. Call on Customers; Fill Customer Order Multiple Choice 3 In the REA diagram for services, the minimum cardinality from the Sales event to the Inventory Resource is _____ and the minimum cardinality from the Sales event to the Services entity is _____. a. 0; 0 b. 1; 0 c. 0; 1 d. 1; 1 Multiple Choice 4 For rental transactions, the primary key for the rental inventory table would be a(n) _____. a. inventory line number b. part number c. serial number d. A and C Multiple Choice 5 In the expenditure cycle, the relationship between the Receive Inventory event and receiving employee is: a. M:N b. 1:N c. 1:1 d. M:1

Learning Objective Two Extend REA diagrams to include information about employee roles, M:N agent-event relationships, locations, and relationships between resources and agents.

Additional REA Features Figures 21-1 and 21-2 also depict additional REA features: Employee Roles are identified in Figures 21-1 and 21-2; however, in Tables 21-1 and 21-2 there is only one employee entity. Information

21-7 .

about job role is simply an attribute (job title) in the Employee table. M:N Agent-Event Relationships occur whenever an activity is performed by more than one employee and management wants the ability to monitor each individual’s performance. An example is shown in Figure 21-2 with the relationship between Receive Inventory and Employees. Locations are shown in Figure 21-2 in two new entities: Warehouses and Financial Institutions. For example, linking the warehouse location in the Warehouse entity to the Receive Inventory event allows management to evaluate performance of different locations. A M:N relationship between the Inventory entity (Resource) and Supplier entity (Agent) is a way to identify preferred and alternative suppliers. Multiple Choice 6 In the expenditure cycle, a M:N relationship between Inventory and Supplier entities represents: a. Inventory can be purchased from preferred suppliers only. b. Inventory can be purchased from preferred suppliers or alternative suppliers. c. Inventory can be purchased from alternative suppliers only. d. None of the above.

Learning Objective Three Understand and create an REA diagram for the production cycle.

Production Cycle REA Model Figure 21-6 provides a partial REA diagram for the Production Cycle. Table 21-3 provides the corresponding tables. There are four main events in a production cycle REA diagram: 1. Issuance of raw materials 2. Use of labor in production 3. Use of machinery and equipment in production 4. Production of new finished products, represented by the work-inprocess event

Additional Entities—Intellectual Property

21-8 .

Figure 21-6 on page 694 includes three special types of resource entities; 1) the Bill of Materials, 2) the Job Operations List, and 3) the Machine Operations List. The Bill of Materials has relationships with Raw Materials and Finished Goods. The cardinality relationship from Bill of Materials to Raw Materials resource is a minimum of 1 and a maximum of 1. The cardinality relationship from Bill of Materials to Finished Goods Inventory resource is a minimum of 1 and a maximum of 1. The Job Operations List has relationships with Perform Job Operations event and Finished Goods Inventory resource. The cardinality relationship from Job Operations List to Perform Job Operations is a minimum of 0 and a maximum of N. The cardinality relationship from Job Operations List to Finished Goods Inventory is a minimum of 1 and a maximum of 1. The Machine Operations List resource has relationships with Perform Machine Operations event and Finished Goods Inventory resource. The cardinality relationship from Machine Operations List to Perform Machine Operations is a minimum of 0 and a maximum of N. The cardinality relationship from Machine Operations List to Finished Goods Inventory is a minimum of 1 and a maximum of 1. Note that Figure 21-6 also includes an entity titled “Employee Time.”

Production Cycle Events Data about actual raw materials used in production is stored in the Raw Materials Issuance entity. Information about the actual labor and machine operations performed are stored in the Job Operations and Machine Operations entities, respectively. The Job Operations event entity is an example of a Give Resource event. The Machine Operations event records information about the use of a specific piece of machinery or equipment. Note that the Machine Operations event is not used to record depreciation.

21-9 .

Figure 21-6 models the relationships between the Job Operations event and the Job Operations List entity, and between the Machine Operations event and the Machine Operations List entity, as being 1:N. The Work-in-Process entity is used to collect and summarize data about the raw materials, labor, and machine operations used to produce a batch of goods. The relationship between Work-in-Process and those three event entities are all 1:N. Thus, three Give Resource events are related to one Get Resource event. Note that Figure 21-6 shows only one agent associated with the Job Operations event.

New REA Feature—Relationships Between Agents There is a 1:N relationship between employees and supervisors. This reflects the fact that each employee is assigned to a specific supervisor and the fact that many employees are assigned to one supervisor. Relationships between internal agents may be created to model lines of responsibilities. There can also be relationships with external agents. For example, companies may assign customers to specific employees.

Multiple Choice 7 Which main event is not included in the production cycle REA diagram? a. Issuance of raw materials b. Allocation of factory overhead c. Use of machinery and equipment in production d. All of the above e. A and C Multiple Choice 8 For the production cycle, the Equipment ID number primary key in the Equipment table is also the foreign key in the _____ table. a. Job Operations List b. Perform Job Operations c. Perform Machine Operations d. Work in Process

Learning Objective Four Understand and create an REA diagram for the HR/payroll cycle.

21-10 .

Combined HR/Payroll Data Model Figure 21-7 integrates the payroll and HR activities. The Time Worked event is necessary to calculate payroll. The Time Used event is used for cost accounting, to properly assign labor costs. All other events represent HR activities.

HR Cycle Entities The Employee entity is linked to almost every other entity in the diagram. The Employee entity stores much of the data typically found in the employee master file. The Skills entity contains data about the different job skills of interest to the organization. The relationship between Skills and Employees is modeled as being M:N because one employee may possess a number of job skills and several employees may possess the same skill. The Training event entity represents the various workshops, training programs, and other opportunities provided for employees to develop and maintain their skills. The relationship between the Employees and Training entities is M:N. The relationship between the Skills and Training entities is 1:N. The Recruiting event entity stores data about activities performed to notify the public of job openings. The M:N relationship between Skills and Recruiting reflects the fact that each advertisement may seek several specific skills and that, over time, there may be several advertisements for a given skill. The relationship between the Recruiting event and Job Applicants is modeled as being M:N. The Interview event stores detailed data about each job interview. It is linked to the Hire Employees event in a 1:N relationship.

Tracking Employees’ Time It is instructive to compare the information provided by the Time Used event to that provided by linking specific business events to the employee agent who performed that task. Regular event-agent relationships, such as that between sales and employees, collect data to answer such questions as: How much did salesperson X sell this week?

21-11 .

How many sales did each salesperson make? The Time Used event provides the information needed to answer such questions as: How much time did a particular salesperson spend calling in customers, as opposed to providing customer service support via the telephone? Not every organization collects detailed data about their employees’ use of time. Moreover, even when such an event is included, the resource that is used (Employee Time) is seldom implemented because there are no meaningful attributes to describe. Multiple Choice 9 The relationship between the Skills and Training entities is a. M:N b. 1:1 c. 1:N d. 0:1

Learning Objective Three Understand and create an REA diagram for the financing cycle.

Financing Activities Data Model Figure 21-8 on page 699 provides a partial financial activities’ REA diagram. The event Issue Debt is connected to the Cash resource entity. It is often modeled as a separate event entity because it contains attributes different from those associated with cash receipts that arise from the Sales event. The Transfer Agent maintains the necessary information about individual creditors to direct the interest payments and payment of the principal. Issue Debt event contains data about the aggregate amount received from issuing a set of debt instruments. For example, the issuance of $10,000,000 5% bonds which were purchased for $9,954,000, constitutes on Issue Debt event. Usually, the organization writes one check for the total amount of interest owed and sends that to the transfer agent. The transfer agent then distributes individual checks to each credit holder. In our example, the company would send $125,000 to the transfer agent for the first quarter payment on the $10,000,000 bonds. 21-12 .

The transfer of funds would be recorded as one row in the Disburse Cash table. The cardinality of the relationship from the Disburse Cash event to the Issue Debt event has a 1 maximum. The minimum cardinality is 0. Equity transactions are modeled in a manner similar to debt transactions. Most companies do not deal direct with stockholders. Figure 21-8 shows that both types of equity transactions involve participation by an employee (the treasurer) and the external transfer agent. The Disburse Cash and Issue Stock events are modeled as being M:N. The minimum cardinalities are 0 in both directions.

Multiple Choice 10 The _____ in the financing activities REA diagram contains data about the aggregate amount received from issuing debt instruments. a. Transfer Agent b. Issue Debt c. Disburse Cash d. None of the above

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 D 6 B 2 B 7 B 3 C 8 C 4 C 9 C 5 A 10 B

21-13 .

CHAPTER 22 INTRODUCTION TO SYSTEMS DEVELOPMENT AND SYSTEMS ANALYSIS Instructor’s Manual Learning Objectives: 1. Explain the five phases of the systems development life cycle, and discuss the people involved in systems development and the roles they play. 2. Explain the importance of systems development planning, and describe the types of plans and planning techniques used. 3. Discuss the various types of feasibility analysis, and calculate economic feasibility using capital budgeting techniques. 4. Explain why systems changes trigger behavioral reactions, what form does this resistance to change take, and how to avoid or minimize the resulting problems. 5. Discuss the key issues, objectives, and steps in systems analysis. Questions to be addressed in this chapter include: 1. What process must be followed to obtain and implement a new system? 2. What planning is necessary to ensure the system’s success? Who will be involved, and how? Do special committees need to be formed? What resources are needed? How should the planning be documented? 3. How will employees react to a new system? What problems might this change cause, and how can they be minimized? 4. How should the new system be “sold” to top management? How can expected costs and benefits be quantified to determine whether the system will be cost-effective?

Introduction Companies in a very competitive global business world are constantly looking for new, faster, and more reliable ways of obtaining information. Companies usually change their systems for one of the following reasons: 1. Changes in user or business needs 2. Technological changes 3. Improved business processes

22-1 .

4. Competitive advantage 5. Productivity gains 6. Growth 7. Downsizing 8. Systems integration 9. Systems age and need to be replaced Developing quality, error-free software is a difficult, expensive, and time-consuming task. Most software development projects deliver less than one expects, and take more time and money than expected. Developers start cutting corners by omitting some of the basic systems development steps. Omitting these steps will only lead to disaster. This is illustrated by the following statistics: 1. An American Management Systems study revealed that 75% of all large systems are not used, not used as intended, or generate meaningless reports or inaccurate data. 2. A Standish Group International study found that 

More than 70% of software development projects are delivered late.



54% were over budget.



66% were unsuccessful.



30% were cancelled before they were completed.

Runaways can consume a great deal of time and money, and in the end produce no usable results, as illustrated by the following examples: 1. Pacific Gas & Electric (PG&E) pulled the plug on a client/server information system for all of its residential and commercial customers. People in and out of the utility labeled the system, five years in development, and a financial disaster with no end product. 2. California’s Department of Motor Vehicles decided to overhaul its system, which was originally developed in 1965. It took an equivalent of 18 programmers working for an entire year to add a Social Security number file to the drivers’ license and vehicle registration file. After seven years, $44 million, and not a single usable application, the state canceled the project.

22-2 .

Focus 22-1 on page 720 illustrates how the IRS made attempts to replace its aging system. The IRS concluded that it needed to modernize its 40-year-old computer system and operations. The system is responsible for processing and storing all taxpayer records and currently takes in more than $2 trillion a year. Critics claimed that the system had already been updated, fixed, and improved so many times that a software meltdown is a real possibility. What effect would this collapse have on the U.S. Government? In the worst case scenario: 1. The IRS would not be able to tell who had paid their taxes. 2. Tax revenues, hundreds of billions of dollars’ worth, would not be collected. 3. To meet its obligation, the government would have to borrow money, throwing the financial markets into a panic. A number of years ago, the IRS spent $3.3 billion on an upgrade effort that failed. In the late 1990s, the IRS embarked on an $8 billion effort called the Business Systems Modernization (BSM) program. The BSM spent almost $4 million on a project that was never finished and was eventually cancelled.

22-3 .

Learning Objective One Explain the five phases of the systems development life cycle, and discuss the people involved in systems development and the roles they play.

Systems Development Whether systems changes are major or minor, most companies go through a systems development life cycle.

The Systems Development Life Cycle Figure 22-1 on page 721 provides the five step process for the Systems Development Life Cycle (SDLC): 1. Systems Analysis 

The information needed to purchase or develop a new system is gathered.



Requests for systems development are prioritized.



If a project passes, the current system is surveyed to define the nature and scope of the project and to identify its strengths and weaknesses.



Then an in-depth study of the proposed system is conducted to determine its feasibility.



If the system is found feasible, the information needs of system users and managers are identified and documented.



A report based on the needs and systems requirements is prepared and submitted to the information systems steering committee.

2. Conceptual Design During the conceptual design, the company decides how to meet user needs. The first step is to identify and evaluate appropriate design alternatives: 

Purchase the software.



Develop the software in-house.



Outsource system development to someone else.

22-4 .

3. Physical Design 

Input and output documents are designed.



Computer programs are written.



Files and databases are created.



Procedures are developed.



Controls are built into the new system.

4. Implementation and Conversion Implementation and conversion constitute the capstone phase during which all the elements and activities of the system come together. New hardware or software is installed and tested. Standards and controls for the new system are established and system documentation completed. The final step is to deliver the operational system to the organization. A final report is sent to the information systems steering committee. 5. Operations and Maintenance Modifications are made as problems arise or as new needs become evident. It is important to note that throughout the SDLC three activities (planning, managing behavioral reactions to change, and assessing the ongoing feasibility of the project) are performed. Multiple Choice 1 Which activity is performed throughout the SDLC? a. Planning b. Budgeting c. Managing behavioral reactions to change d. B and C Multiple Choice 2 In the IRS’s attempts to replace its aging information system, it lost almost _____ million on the BSM project. a. $1.2 b. $2.5 c. $3.0 d. $4.0

22-5 .

Multiple Choice 3 The following are the five steps in the systems development life cycle: 1. Implementation and Conversion 2. Conceptual Design 3. Systems Analysis 4. Operations and Maintenance 5. Physical Design The correct order in which these steps occur is: a. 1, 2, 3, 4, 5 b. 2, 4, 3, 1, 5 c. 3, 2, 5, 1, 4 d. 4, 2, 3, 5, 1

The Players Management Top management’s most important roles are providing support and encouragement for the development projects. The principal roles of user management are to determine information requirements, to assist systems analysts, to assign key staff members to development projects, and to allocate appropriate funds. Users AIS users communicate their information needs to system developers. Users that are members of the project development team or steering committee help manage systems development. Accountants, as requested, have a role in designing system controls and periodically monitoring and testing the system. Information Systems Steering Committee The purpose of the information systems steering committee is to plan and oversee the information systems function. The steering committee sets policies that govern the AIS and ensures top-management participation, guidance, and control. Project Development Team Each development project has a team of systems specialists, managers, accountants and auditors, and users that guides its development. Team members plan each project, monitor the project, make sure proper consideration is given to the human element, and communicate project status to top management and the steering committee. 22-6 .

Systems Analysts and Programmers Systems analysts study existing systems, design new ones, and prepare specifications that are used by computer programmers. Computer programmers write programs using the specifications developed by the analysts. External players are customers and vendors who may play a role in the system development (e.g. EDI). Multiple Choice 4 Which of the following statement(s) is (are) TRUE? a. Management assists the project development team. b. The steering committee sets policies that govern the AIS. c. Accountants may play two roles during the systems design. d. The project development team designs new systems.

Learning Objective Two Explain the importance of systems development planning, and describe the types of plans and planning techniques used.

Planning Systems Development As shown in Figure 22-1 several activities must be performed at various times throughout the SDLC. One such activity is planning. Systems development planning is an important step for the following key reasons: 1. Consistency. Planning enables the system’s goals and objectives to correspond to the organization’s overall strategic plan. 2. Efficiency. Systems are more efficient, subsystems are coordinated, and there is a sound basis for selecting new applications for development. 3. Cutting edge. The company remains abreast of the ever-present changes in information technology. 4. Lower costs. Duplication, wasted effort, and cost and time overruns are avoided. The system is less costly and easier to maintain. 5. Adaptability. Management is better prepared for future resource needs, and employees are better prepared for the changes that will occur.

22-7 .

Poorly planned development efforts result in a company returning to the prior phase to correct errors and design flaws. This process is costly and results in delays, not to mention frustration and low morale. Figure 22-2 on page 723 lists reasons for returning to a prior SDLC phase. Two types of systems development plans are needed: 1) individual project plans prepared by project teams and 2) a master plan developed by the information systems steering committee. 1.

Project Development Plan The basic building block of information systems planning is the project development plan. Each project development plan contains 1) a cost/benefit analysis, 2) developmental and operational requirements, and 3) human resource, hardware, software and financial resource requirements.

The Master Plan A master plan is a long-range planning document that specifies: 

What the system will consist of



How it will be developed



Who will develop it



How needed resources will be acquired



Where the AIS headed

Focus 22-2 on page 724 explains why inadequate planning was one of the reasons why EDS lost a significant amount of money in its contract with the U.S. military. The U.S. military hired Electronic Data Systems to develop a secure, hacker-proof network to link almost 350,000 computers at more than 4,000 Navy sites. However, the almost $10 billion contract has resulted in significant headaches and losses at one point estimated to total almost $1.7 billion. EDS made the following mistakes: 1. Had little previous experience with the military and did not adequately plan for some of the requests 2. Did not verify Navy estimates 3. Did not properly plan and coordinate project tasks

22-8 .

4. Did not give the Navy adequate instructions 5. Did not track the inventory of computers

Planning Techniques Two techniques for scheduling and monitoring systems development activities are the program evaluation and review technique (PERT) and the GANTT Chart. The PERT requires that all activities and the precedent and subsequent relationships among them be identified. Completion time estimates are made, and the critical path—the path requiring the greatest amount of time—is determined. Below is an example of a PERT chart. The numbers represent weeks.

The critical path is A(5) + D(4) + G(9) = 18 weeks. A Gantt chart shown as Figure 22-3 on page 725 is a project scheduling technique that divides each project into activities with estimated start and completion times. Multiple Choice 5 The types of systems development plans that are needed include: a. Project development plan b. A master plan c. A recovery plan d. A and B e. B and C Multiple Choice 6 In a master plan, a planning horizon of approximately _____ years is reasonable, and the plan should be updated at least _____ a year. a. 3; 2 to 3 times b. 4; once c. 3; 1 to 2 times d. 4; 2 to 3 times 22-9 .

Learning Objective Three Explain the various types of feasibility analysis, and calculate economic feasibility using capital budgeting techniques.

Feasibility Analysis As shown in Figure 22-1, a feasibility study (also called a “business case”) is prepared during systems analysis and updated as necessary during the remaining steps in the SDLC. At major decision points (refer to Figure 22-1), the steering committee uses the study to decide whether to terminate a project, proceed unconditionally, or proceed if specific problems are resolved. Although uncommon, systems have been scrapped after implementation because they did not work or failed to meet an organization’s needs. For example, Bank of America hired a software firm to replace a 20-year-old batch system used to manage billions of dollars in institutional trust accounts. After two years the new system was implemented despite warnings that it was not adequately tested. Ten months later the system was scrapped, the bank’s top systems and trust executives had resigned, and the company had taken a $60 million write-off to cover expenses. During the ten months, the company lost 100 institutional accounts with $4 billion in assets. Focus 22-3 on page 726 describes a project at Blue Cross/Blue Shield that was scrapped after six years of work and a $120 million investment. Five important aspects to be considered during a feasibility study are as follows: 1.

Economic feasibility. Will system benefits justify the time, money, and other resources required to implement it?

Technical feasibility. Can the planned system be developed and implemented using existing technology?

Legal feasibility. Does the system comply with all applicable federal and state laws and statutes, administrative agency regulations, and the company’s contractual obligations?

Scheduling feasibility. Can the system be developed and implemented in the time allotted?

22-10 .

Operational feasibility. Does the organization have access to people who can design, implement, and operate the proposed system? Will people use the system?

Calculating Economic Feasibility Costs and Benefits The basic framework for feasibility analysis is the capital budgeting model, in which cost savings and other benefits as well as initial outlay costs, operating costs, and other cash outflows, are translated into dollar estimates. Some of the tangible and intangible benefits a company might obtain from a new system are cost savings; improved customer service, productivity, decision making, and data processing; better management control; and increased job satisfaction and employee morale. Equipment costs are an initial outlay cost if the system is purchased and an operating cost if rented or leased. The primary operating cost is maintaining the system. Studies show that between 65% and 75% of an organization’s systems efforts are spent in maintaining current information systems. Initial outlay and operating costs are summarized in Table 22-2 on page 727. 1.

Hardware

Software

Staff

Supplies and overhead

Maintenance/backup

Documentation

Site preparation

Installation

Conversion

10. Financial

Capital Budgeting Various feasibility measures are used to narrow the list of alternative approaches that meet system requirements. The following are three commonly used capital budgeting techniques: 1.

Payback period. This is the number of years required for the net savings to equal the initial cost of the investment.

22-11 .

Net present value (NPV). All estimated future cash flows are discounted back to the present, using a discount rate that reflects the time value of money.

Internal rate of return (IRR). The IRR is the effective interest rate that results in an NPV of zero. A project’s IRR is compared with a minimum acceptable rate to determine acceptance or rejection.

Multiple Choice 7 _____ project was scrapped after 6 years of work and a $120 million investment. a. Nike’s b. Bank of America’s c. Blue Cross/Blue Shield’s d. None of the above Multiple Choice 8 The capital budgeting technique that considers the time value of money is: a. Payback period b. IRR c. NPV d. SDLC

Learning Objective Four Explain why systems changes trigger behavioral reactions, what forms this resistance to change takes, and how to avoid or minimize the resulting problems.

Behavioral Aspects of Change The behavioral aspects of change are crucial, because the best system will fail without the support of the people it serves. Organizations must be sensitive to and consider the feelings and reactions of persons affected by change.

Why Behavioral Problems Occur To minimize adverse behavioral reactions, one must first understand why resistance takes place. Some of the more important factors include the following: 1. Fear. Many people fear the unknown and the uncertainty accompanying change. They also fear losing their jobs, losing respect or status, failure, technology, and automation.

22-12 .

2. Top-management support. Employees who sense a lack of topmanagement support for change wonder why they themselves should endorse it. 3. Experience with prior changes. Employees who had a bad experience with prior changes are more reluctant to cooperate when future changes occur. 4. Communication. Employees are unlikely to support a change unless the reasons behind it are explained. 5. Disruptive nature of the change process. Requests for information and interviews are distracting and place additional burdens on people. These disturbances can create negative feelings toward the change that prompted them to occur. 6. Manner in which change is introduced. Resistance is often a reaction to the methods of instituting change rather than to change itself. 7. Biases and emotions. People with emotional attachments to their duties or coworkers may not want to change if those elements are affected. 8. Personal characteristics and background. Generally speaking, the younger and more highly educated people are, the more likely they are to accept change.

How People Resist AIS Changes Focus 22-4 on Page 729 explains the resistance to change that the U.S. Department of Defense has experienced in trying to update its information systems. Major resistance often takes one of three forms: aggression, projection, or avoidance. 1. Aggression is behavior that is usually intended to destroy, cripple, or weaken the system’s effectiveness. It may take the form of increased error rates, disruptions, or deliberate sabotage. 2. Projection involves blaming the new system for any and every unpleasant occurrence. 3. Dealing with problems through avoidance is a common human trait. One way for employees to deal with a new AIS is to avoid using it in the hope that the problem can be ignored or that it will eventually go away.

Preventing Behavioral Problems People’s reactions to change can be improved by observing the following guidelines:

22-13 .

Obtain management support. When possible, a powerful champion, who can provide resources for the system and motivate others to assist and cooperate with systems development, should be appointed.

Involve users. Those that are affected by the system should participate in its development, making suggestions, and helping make decisions.

Allay fears, and stress new opportunities. The organization should provide assurances that no major job losses or responsibility shifts will occur.

Meet users’ needs. It is essential that the form, content, and volume of system output be designed to satisfy user needs.

Avoid emotionalism. When logic vies with emotion, it rarely stands a chance. Emotional issues related to change should be allowed to cool, handled in a nonconfrontational manner, or sidestepped.

Provide training. Effective use or support cannot be obtained if users are confused about or do not understand the system.

Reexamine performance evaluation. Users’ performance standards and criteria should be reevaluated to ensure that they are satisfactory in view of changes brought on by the new system.

Keep communication lines open. Managers and users should be fully informed of system changes as soon as possible.

Test the system. The system should be properly tested prior to implementation to minimize initial bad impressions.

10. Keep the system simple and humanize it. Avoid complex systems that cause radical changes. Make the change seem as simple as possible by conforming to existing organizational procedures. System acceptance is unlikely if individuals believe the computer is controlling them or has usurped their positions. 11. Control users’ expectations. A system is sold too well if users have unrealistic expectations of its capabilities and performance. Be realistic when describing the merits of the system. Multiple Choice 9 Some of the reasons why employees resist new systems include(s): a. Fear b. Communications c. Promotions d. All of the above e. A and B 22-14 .

Learning Objective Five Discuss the key issues, objectives, and steps in systems analysis.

Systems Analysis When a new or improved system is needed, a written request for systems development is prepared. The five steps in the analysis phase and their objectives are shown in Figure 22-4 on page 731 and discussed in this section.

Initial Investigation An initial investigation is conducted to screen projects. During the initial investigation, the exact nature of the problem(s) under review must be determined. The project’s scope (what it should and should not seek to accomplish) also must be determined. If a project is approved, a proposal to conduct systems analysis is prepared. Table 22-3 on page 731 provides the contents of the Shoppers Mart proposal, representative of the information in a proposal to conduct systems analysis.

Systems Survey During the systems survey, an extensive study of the current AIS is undertaken. The objectives of a systems survey are as follows: 1. Gain a thorough understanding of company operations, policies, and procedures; data and information flow; AIS strengths and weaknesses; and available hardware, software, and personnel. 2. Make preliminary assessments of current and future processing needs, and determine the extent and nature of the changes needed. 3. Develop working relationships with users and build support for the AIS. 4. Collect data that identify user needs, conduct a feasibility analysis, and make recommendations to management.

22-15 .

The advantages and disadvantages of four common methods of gathering data are summarized here and in Table 22-4 on page 732. 1. Interviews An interview helps gather answers to “why” questions:   

Why is there a problem? Why does the AIS work this way? Why is this information important?

2. Questionnaires Questionnaires are used when the amount of information to be gathered is small and well defined, and is obtained from many people. Questionnaires take relatively little time to administer, but are time consuming to develop. 3. Observation Observation is used to verify information gathered using other approaches and to determine how a system actually works, rather than how it should work. 4. Systems documentation Systems documentation describes how the AIS is intended to work. Document Findings and Model the Existing System The information gathered during the analysis phase must be documented so it can be used throughout the systems development project. Physical models illustrate how a system functions by describing the flow of documents, the computer processes performed and the people performing them, the equipment used, and any other physical elements of the system. Logical models illustrate what is being done, regardless of how the flow is actually accomplished. Table 22-5 on page 733 provides a list of system analysis and design tool techniques. Analyze the Existing System Once data gathering is complete, the survey team evaluates the AIS’s strengths and weaknesses to develop ideas for designing and structuring the new AIS. Prepare Systems Survey Report The systems survey culminates with a systems survey report. Table 22-3 shows the table of contents for the Shoppers Mart systems survey report.

22-16 .

Feasibility Study At this point in systems analysis, a more thorough feasibility analysis is conducted to determine the project’s viability.

Information Needs and Systems Requirements Once a project is deemed feasible, the company identifies the information needs of AIS users and documents systems requirements. Table 22-6 on page 734 is an example of systems requirements. Figure 22-5 on page 734 is a humorous view of the types of communication problems associated with this process. To illustrate the importance of accurately determining systems requirements, consider the example of Corning Corporation. The company began investigating the quality of the ophthalmic pressings it manufactures and sells to the makers of prescription lenses. It found that 35% of its drafting documents contained errors. It costs $250 if the errors were discovered before the tool makers cut the tools, $20,000 if discovered before the assembly line began production, and up to $100,000 after the tools were sent to the customer. Systems Objectives and Constraints Many organizations take a systems approach to determining information needs and system requirements. It is important to determine system objectives so that analysts and users can focus on those elements most vital to the AIS’s success. Table 22-7 on page 735 provides the list of AIS objectives. Organizational constraints usually make it impossible to develop all parts of a new AIS simultaneously. Therefore, the system is divided into smaller subsystems or modules. A system’s success often depends on the project team’s ability to cope with the constraints the organization faces. Common constraints include: 1. Governmental agency requirements 2. Management policies and guidelines 3. Lack of sufficiently qualified staff 4. The capabilities and attitudes of system users 5. Available technology

22-17 .

6. Limited financial resources Strategies for Determining Requirements 1.

Ask users what they need.

Analyze external systems.

Examine existing system use.

Create a prototype.

Documentation and Approval of User Requirements Detailed requirements for the new AIS that explain exactly what the system must produce should be created and documented. The requirements list should be supported by sample input and output forms, as well as charts, to make it easier for readers to conceptualize the system. When user requirements have been determined and documented, the project team meets with the users.

Systems Analysis Report Systems analysis is concluded by preparing a systems analysis report to summarize and document the analysis activities and serve as a repository of data from which systems designers can draw. A go/no go decision may be made up to three times during systems analysis: 1. During the initial investigation 2. At the end of the feasibility study 3. At the completion of the analysis phase

Multiple Choice 10 Questionnaires are conducted during the _____ step in systems analysis. a. feasibility study b. systems survey c. initial investigation d. None of the above

22-18 .

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 D 6 A 2 D 7 C 3 C 8 C 4 B 9 E 5 D 10 B

22-19 .

CHAPTER 23 AIS DEVELOPMENT STRATEGIES Instructor’s Manual Learning Objectives: 1. Describe how organizations purchase application software, vendor services, and hardware. 2. Explain how information system departments develop custom software. 3. Explain why organizations outsource their information systems, and evaluate the benefits and risks of this strategy. 4. Explain how business process management (BPM), prototyping, agile development, and computer-aided software engineering can help improve system development.

Questions to be addressed in this chapter include: 1. Can Ann buy the software she needs? If so, how should she buy hardware and software and select a vendor? 2. How do companies develop software in-house? Is this the best approach for SM? 3. How extensively should SM use end-user-developed software? 4. Should SM improve its existing system or redesign its business processes and develop a system to support them? 5. Is outsourcing the information system a viable alternative to obtaining a new system? Do the benefits of outsourcing outweigh its risks? 6. If SM decides to develop the system in-house, should it use technologies such as BPM, agile development, prototyping, or computer-assisted software engineering?

Introduction Traditionally, companies have experienced the following difficulties in developing an AIS: 1. Demands for development resources are so numerous that AIS projects can be backlogged for several years. 2. A newly designed AIS does not always meet user needs. 3. The development process can take so long that the system no longer meets company needs. 4. Users are unable to specify their needs adequately. 23-1 .

5. Changes to the AIS are often difficult to make after requirements have been frozen into specifications.

Learning Objective One Describe how organizations purchase application software, vendor services, and hardware.

Purchasing Software A Deloitte & Touche survey found that most chief information officers expect to replace their current systems with commercially available packages rather than use custom-developed software. Consider the following examples: 1. Hard Rock Café International wanted to get its customers to visit its cafes and website more often. It purchased customer relationship software from Epiphany, obtained 225,000 customer names from its fan club, and mailed special promotional offers. In less than a year, the profits from the increased traffic had more than paid for the hardware and software it purchased to run the promotions. 2. WellPoint Health Networks installed PeopleSoft’s payroll, benefits, and human resources software to allow its employees to manage their own benefit enrollments and changes. The new system is saving the company $400,000 a year. 3. Pacific Gas & Electric had to respond to the deregulation of California’s power industry. Rather than try and update its 37-year-old customer information system, it spent three years and invested $204 million in canned software. This project was the largest installation of customer information system software in the history of the utility industry. Written by software development companies, canned software is sold on the open market to a broad range of users with similar requirements. Some companies combine software and hardware and sell them as a package. These are called turnkey systems. A major problem with canned software is that it often does not meet all of a company’s information or data processing needs. The Internet has given companies a new way to acquire software. Application service providers (ASPs) host Web-based software on their computers and deliver the software to their clients over the Internet.

23-2 .

Selecting a Vendor Decisions to make or purchase software can be made independently of the decision to acquire hardware, service, maintenance, and other AIS resources. Vendors can be found by referrals, attending conferences, in industry magazines, and on the Internet.

Acquiring Hardware and Software Once AIS requirements have been defined, an organization is ready to purchase software and hardware. Companies that are buying large or complex systems, however, send vendors a request for proposal (RFP), which is an invitation to propose a system that meets the company’s needs by a specified date. A formal approach to acquiring system resources, such as an RFP, is important for the following reasons: 1. Saves time. The same information is provided to all vendors, eliminating repetitive interviews and questions. 2. Simplifies the decision-making process. All responses are in the same format and based on the same information. 3. Reduces errors. The chances of overlooking important factors are reduced. 4. Avoids potential for disagreement. Both parties possess the same expectations, and pertinent information is captured in writing. When an RFP is solicited based on exact hardware and software specifications, the total costs are usually lower and less time is required for vendor preparation and company evaluation. Generally speaking, the more information a company provides to a vendor, the better the company’s chances of receiving a system that meets its requirements.

Evaluating Proposals and Selecting a System Proposals that are missing important information, fail to meet minimum requirements, or are ambiguous should be eliminated. Proposals that pass this preliminary screening should be carefully compared with the proposed AIS requirements to determine: 1. If they meet all mandatory requirements 2. How many of the desirable requirements they meet Table 23-1 on page 757 presents criteria that can be used to evaluate hardware, software, and vendors.

23-3 .

One way to compare system performance is to use a benchmark problem—a data-processing task with input, processing, and output jobs typical of those the new AIS will be required to perform. Another approach is point scoring, which is illustrated in Table 23-2 on page 758. Requirements costing estimates the cost of purchasing or developing features that are not present in a particular AIS. Neither point scoring nor requirements costing is totally objective. In points scoring, the weights and the points used are assigned subjectively and dollar estimates of costs and benefits are not included. Once the best AIS has been identified, the software should be thoroughly test-driven. The lessons that Geophysical Systems Corporation (GSC) learned from its vendor selection process highlight the importance of a thorough vendor evaluation (see Focus 23-1 on page 758). GSC developed a device that uses sonar to analyze the production potential of oil and gas discoveries. GSC hired and paid Seismograph Service Corporation $20 million to write the software program to analyze the data. However, the software program did not accurately process the data and perform the computations. When the software program failed, GSC’s clients canceled their contracts. The result was that GSC went from sales of $40 million and profits of $6 million to filing for bankruptcy two years later. GSC sued Seismograph and was awarded more than $48 million as compensation for lost profits. Despite the availability of good software packages, many organizations meet their information needs by writing their own software.

Multiple Choice 1 Which of the following statements is FALSE? a. Canned software is sold on the open market to a broad range of users with similar requirements. b. A request for proposal saves time. c. A major problem with canned software is that it often does not meet all of a company’s information or data processing needs. d. WellPoint Health Networks saved $204 million a year with its new system.

23-4 .

Multiple Choice 2 One way to compare system performance is to use _____. a. requirements costing b. point scoring c. a benchmark problem d. turnkey systems

Learning Objective Two Explain how information system departments develop custom software.

Development by In-House IS Departments Developing custom software is difficult and error-prone and it consumes a great deal of time and resources. The U.S. Government Accountability Office (GAO) reported that 31% of the information system projects of the federal government, costing $12 billion (19% of its annual IT budget), are either poorly planned or not living up to their intended objectives. After end users define their requirements, analysts work with them to determine the format of paper and screen outputs. The analysts then identifies the data required for each input and the data to be retained in the files. Custom software is usually developed and written in-house. Chapter 22 discusses in more depth the process used to develop software. The following guidelines are recommended: 1. Carefully select a developer. The outside developer should have experience in the company’s industry, a good understanding of business in general, and an in-depth understanding of how the company conducts its business. 2. Sign a contract. The contract should place responsibility for meeting the company’s requirements on the developer and should allow the company to discontinue the project if certain key conditions are not met. 3. Plan and monitor each step. All aspects of the project should be designed in detail and there should be frequent checkpoints for monitoring the project. 4. Maintain effective communication. The relationship between the company and the developer should be rigorously defined. Frequent communication is necessary.

23-5 .

5. Control all costs. Cost should be tightly controlled and cash outflows minimized until the project has been completed and accepted. There is no single right answer to the build-or-buy decision. Different companies come to different conclusions. For example, Gillette once developed its own software but then decided to shift more from proprietary systems to off-the-shelf software when possible. Pepsi, on the other hand, has moved in the opposite direction. It once bought most of its mainframe software but, after moving to a client/server architecture, it could not find software sophisticated enough to meet its needs.

End-User-Developed Software End-user computing (EUC) is the hands-on development, use, and control of computer-based information systems by users. For example, a savings and loan in California wanted a system to track loan reserve requirements. Its information systems department said the system would take 18 months to develop. Rather than wait, the loan department used a PC and a database program to develop a functional program in a single day.

Appropriate End-User Development and Use End-user development (EUD) occurs when information users, such as managers, accountants, and internal auditors develop their own applications using computer specialists as advisors. The following are examples of appropriate EUDs: 1. Retrieving information from company databases to produce simple reports or to answer one-time queries. 2. Performing “what-if,” sensitivity, or statistical analysis. 3. Developing applications using prewritten software, such as a spreadsheet or a database system. 4. Preparing schedules and lists, such as depreciation schedules, accounts receivable aging, and loan amortizations.

Advantages of End-User Computing One reason EUC has increased so significantly is that it offers the following advantages: 1. User creation, control, and implementation 2. Systems that meet user needs 3. Timeliness 23-6 .

4. Freeing up systems resources 5. Versatility and ease of use

Disadvantages of End-User Computing There are some significant drawbacks to EUC and to eliminating analyst/programmer involvement in the development process. 1. Logic and development errors. End users have little experience in systems development and are more likely to make errors and less likely to recognize when errors have occurred. 2. Inadequately tested applications. Users are not as likely to rigorously test their applications, either because they do not recognize the need to do so or because of the difficulty or time involved. Users have grossly inflated opinions of how error-free their systems are. For example, one of the Big Four CPA firms found that 90% of the spreadsheet models it tested had at least one calculation error. 3. Inefficient systems. Most end users are not programmers and have not been trained in systems development. 4. Poorly controlled and documented systems. Many end users do not implement controls to protect their systems. 5. System incompatibilities. Some companies add end-user equipment without considering the technological implications. For example, Aetna Life & Casualty spent more than $1 billion a year on IT in an attempt to gain a competitive advantage. The result was 50,000 PCs, 2,000 minicomputers and servers, 108 word processing systems, 19 incompatible e-mail systems, and 36 different communications networks. Aetna realized it needed to shift its emphasis from trying to own the latest technology to the effective use of technology. Aetna now uses only a few different types of PCs, Microsoft software products, two electronic mail systems, and one network. 6. Duplication of systems and data and wasted resources. If end users are unaware that other users have similar information needs, duplicate systems occur. 7. Increased costs. A single PC purchase is inexpensive, but buying PCs for hundreds or thousands of workers is costly. 23-7 .

Updating the hardware and software every few years is also expensive.

Managing and Controlling End-User Computing Organizations use several different approaches to manage and control EUC. A help desk can encourage, support, coordinate, and control end-user activities. Duties of the help desk include the following: 1. Providing hotline assistance to help resolve problems 2. Serving as a clearinghouse for information, coordination, and assistance 3. Training end-users how to use specific hardware and software and providing corresponding technical maintenance and support 4. Evaluating new end-user hardware and software products 5. Assisting with application development 6. Developing and implementing standards for: 

Hardware and software purchases to ensure compatibility



Documentation and application testing



Controlling security issues such as fraud, software piracy, and viruses

7. Controlling corporate data so: 

Authorized end users can access and share it



It is not duplicated



Access to confidential data is restricted

Multiple Choice 3 The following is not an appropriate example of end user development: a. Statistical analysis b. Process payroll c. One-time queries d. None of the above Multiple Choice 4 An advantage of EUC is _____ whereas _____ is a disadvantage. a. development errors; logic errors

23-8 .

b. cost; timeliness c. timeliness; system incompatibility d. ease of use; user control Multiple Choice 5 Aetna Life & Casualty spent more than _____ which resulted in purchasing _____ PCs and _____ minicomputers. a. $1 billion; 50,000; 2,000 b. $1.4 billion; 62,000; 2,750 c. $2 billion; 70,000; 3,500 d. $2.5 billion; 82,000; 4,750

Learning Objective Three Explain why organizations outsource their information systems and evaluate the benefits and risks of this strategy.

Outsourcing the System Outsourcing is hiring an outside company to handle all or part of an organization’s data processing activities. In a mainframe outsourcing agreement, the outsourcers buy their client’s computers and hire all or most of the client’s employees. They then operate and manage the entire system on the client’s site, or they migrate the system to the outsourcer’s computers. In a client/server or a PC outsourcing agreement, an organization outsources a particular service, a segment of its business, a particular function, or PC support. Most Fortune 2000 companies outsource anywhere from 10% to 80% of their PC support functions.

The Growth in Outsourcing Applications Outsourcing was initially used for standardized applications (e.g. payroll). However, Eastman Kodak outsourced its data processing operation and sold its mainframes to IBM. It also outsourced its telecommunications and its PC operations. As a result, capital expenditures for computers fell 90% and operating expenses decreased between 10% and 20%. Kodak expected the annual AIS savings to reach approximately $130 million over a 10-year period.

23-9 .

Several years ago, Xerox signed what was then the largest outsourcing deal in history: a $3.2 billion, 10-year contract with EDS to outsource its computing, telecommunications, and software management in 19 countries. Many Fortune 500 companies outsource some or all of their information systems. Most companies do not outsource the strategic management of their IT environment, BPM, or IT architecture. Outsourcing is no longer confined to large organizations. As prices have come down, smaller companies are jumping on the outsourcing bandwagon.

The Benefits of Outsourcing There are a number of significant advantages to outsourcing: 1. A business solution. Outsourcing is a viable strategic and economic business solution because it allows companies to concentrate on their core competencies. 2. Asset utilization. Organizations with millions of dollars tied up in IT can improve their cash position and reduce expenses by selling those assets to an outsourcer. 3. Access to greater expertise and more advanced technology. Many companies cannot afford to retain a staff to manage and develop the increasingly complex networks required in today’s business. 4. Lower costs. Many companies outsource because skilled overseas providers can perform needed work at dramatically lower labor rates, resulting in significant savings. 5. Less development time. Experienced industry specialists often can develop and implement a system faster and more efficiently than can in-house staff. 6. Elimination of peaks-and-valleys usage. Many companies have seasonal businesses that require heavy computer power during part of the year, but very little the remainder of the year. 7. Facilitation of downsizing. Companies that downsize are often left with an unnecessarily large AIS function.

Risks of Outsourcing Although many outsourcing agreements are great success stories, studies show that anywhere from 25% to 50% of outsourcing agreements either fail or do not live up to significant agreement objectives. In one survey, 17% of outsourcing agreements were labeled as disasters. There are many reasons why outsourcing projects fail, including:

23-10 .

1. Not preparing properly 2. Lukewarm executive and company buy-in 3. Blind imitation of competitors 4. Thinking outsourcing will solve deeper problems 5. Shifting responsibility for a bad process to someone else 6. Entering into ill-defined agreements that do not meet expectations Companies that outsource often experience one or more of the following drawbacks: 1.

Inflexibility. Many outsourcing contracts are for 10 years and contracts are difficult or costly to break.

Loss of control. A company that outsources runs the risk of losing control of its system and data, and of its confidential data being shared with others.

Reduced competitive advantage. Companies can lose a fundamental understanding of their information systems needs and how the system can provide it with competitive advantages.

Locked-in system. It is expensive and difficult to reverse outsourcing. If the company is unable to buy back the dataprocessing facilities, it will have to buy new equipment and hire a new data-processing staff.

Unfulfilled goals. Critics point out that many outsourcing goals and benefits are never realized.

Poor service. Some companies complain of receiving poor service from their outsourcing company.

Increased risk. Outsourcing business processes can expose a company to significant risks, including operations, financial, technology, strategy, market position, human capital (personnel), legal, regulatory, and reputation impairment risks.

Multiple Choice 6 Outsourcing the system has the following advantages: a. Reduced competitive advantage b. Loss of control c. Inflexibility d. None of the above Multiple Choice 7 Organizations can improve their _____ and reduce ________ by selling assets to an outsourcer. 23-11 .

a. expenses; cash position b. cash position; expenses c. debt; costs d. services; personnel

Learning Objective Four Explain how business process management, prototyping, agile development, and computeraided software engineering can help improve system development.

Business Process Management Business process management (BPM) is a systematic approach to continuously improving an organization’s business processes. The four underlying principles of BPM are: 1. Business processes can produce competitive advantages 2. Business processes must be managed end to end 3. Business processes should be agile 4. Business processes must be aligned with organizational strategy and needs Business process management systems (BPMS) automate and facilitate business process improvements. A BPMS has the following four components: 1. A process engine to model and execute applications, including business rules 2. Business analytics to help identify and react to business issues, trends, and opportunities 3. Collaboration tools to remove communication barriers 4. A content manager to store and secure electronic documents, images, and other files Internal Controls in a Business Process Management System A BPMS can improve internal controls by: 1. Authorization: a BPMS uses the organization’s business process rules to determine the correct person to perform a task and authorizes that person to perform it. 2. Segregation of duties 3. Application controls 4. Audit trail

Prototyping Prototyping is an approach to systems design in which a simplified working model of a system is developed. A prototype, or first draft, is quickly and inexpensively built and provided to users for testing. 23-12 .

UNUM Life Insurance used prototyping to show how a new system using image processing would work. Middle managers at first had a hard time envisioning how they wanted to use image processing and understanding the issues involved in the change. After viewing a prototype, the managers caught on to the possibilities and issues associated with image processing.

Steps in Developing a Prototype As shown in Figure 23-1 on page 766, four steps are involved in developing a prototype: The first step is to identify basic system requirements. The second step is to develop an initial prototype. The third step is to use and experiment with a prototype in order to determine whether the prototype meets needs. The fourth step is to develop an initial prototype into a fully functional system.

When to Use Prototyping In most cases, prototyping supports rather than replaces the SDLC. Prototyping is appropriate when 1) there is a high level of uncertainty about the AIS, 2) it is unclear what questions to ask, 3) the final AIS cannot be clearly visualized, or 4) there is a high likelihood of failure. A summary of the conditions that make prototyping an appropriate design methodology is presented in Table 23-3 on page 767.

Advantages of Prototyping Prototyping has the following advantages: 1. Better definition of user needs 2. Higher user involvement and satisfaction 3. Faster development time Mutual Life Insurance developed the prototype of an executive information system in only one month, as described in Focus 23-2 on page 770. 4. Fewer errors 5. More opportunity for changes

23-13 .

6. Less costly

Disadvantages of Prototyping Prototyping has the following disadvantages: 1. Significant user time 2. Less efficient use of system resources 3. Inadequately testing and documentation 4. Negative behavioral reactions 5. Never-ending development

Computer-Aided Software Engineering The developers of software for others have failed to create software to simplify their own work. The development of powerful computer-aided software (or systems) engineering (CASE) tools, an integrated package of computer-based tools that automate important aspects of the software development process, has changed that. CASE tools are used to plan, analyze, design, program, and maintain an information system. CASE tools do not replace skilled designers. Instead, they are a host of well-integrated tools that give developers effective support for all phases of the SDLC.

Advantages and Disadvantages of CASE Technology CASE tools provide the following important advantages: 1. Improved productivity. Sony reported that CASE tools increased productivity by more than 600%. 2. Improved program quality. 3. Cost savings. Savings of 80% to 90% are possible. 4. Improved control procedures. CASE tools encourage the development of system controls, security measures, and system auditability and error-handling procedures early in the design process. 5. Simplified documentation. Some of the more serious problems with CASE technology include the following:

23-14 .

1. Incompatibility. Some CASE tools do not interact effectively with other systems. 2. Unmet expectations. According to a Deloitte & Touche survey, only 37% of the chief information officers using CASE believe they achieved the expected benefits. Multiple Choice 8 A BPMS can improve the following internal control: a. Authorization b. Application controls c. Segregation of duties d. All of the above Multiple Choice 9 The second step in developing a prototype is: a. To develop an initial prototype b. Develop an initial prototype into a fully functional system c. Specify basic needs d. Use and experiment with a prototype; determine whether the prototype meets needs Multiple Choice 10 CASE tools provide the following important advantage(s): a. Timeliness b. Cost savings c. Improved development time d. All of the above

23-15 .

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 D 6 D 2 C 7 B 3 B 8 D 4 C 9 B 5 A 10 B

23-16 .

CHAPTER 24 SYSTEMS DESIGN, IMPLEMENTATION, AND OPERATION Instructor’s Manual Learning Objectives: 1. Discuss the conceptual systems design process and the activities in this phase. 2. Discuss the physical systems design process and the activities in this phase. 3. Discuss the systems implementation process and the activities in this phase. 4. Discuss the systems conversion process and the activities in this phase. 5. Discuss the systems operation and maintenance process and the activities in this phase. Questions to be addressed in this chapter include: 1. Should her team develop what it considers to be the best approach to meeting SM’s needs, or should they develop several approaches? 2. How can she ensure that system output will meet user needs? When and how should input be captured, and who should capture it? Where should AIS data be stored, and how should it be organized and accessed? 3. How should SM convert from its current to its new AIS? How much time and effort will be needed to maintain the new AIS? In what capacity should Ann’s accounting staff participate?

Introduction Accountants should help keep the project on track by evaluating and measuring benefits, monitoring costs, and ensuring that the project stays on schedule. Effective systems analysis and design can ensure that developers correctly define the business problem and design the appropriate solution. This chapter discusses the other steps in the systems development life cycle: 1. Conceptual systems design 2. Physical systems design 3. Systems implementation 4. Systems conversion

24-1 .

5. Operation and maintenance

Learning Objective One Discuss the conceptual systems design process and the activities in this phase.

Conceptual Systems Design In the conceptual systems design phase, the developer creates a general framework for implementing user requirements and solving problems identified in the analysis phase. As shown in Figure 24-1 on page 786, there are three main steps in conceptual design: 1. Evaluating design alternatives 2. Preparing design specifications 3. Preparing the conceptual systems design report

Evaluate Design Alternatives There are many ways to design an AIS, so accountants and others involved in systems design must continually make design decisions. In addition, there are many different ways that a company can approach the systems development process: (1) purchase software from a vendor, (2) design the system in-house, or (3) outsource to develop and manage the information system. The design team should identify a variety of design alternatives and evaluate each with respect to the following standards: 1. How well it meets organizational and system objectives 2. How well it meets user needs 3. Whether it is economically feasible 4. What its advantages and disadvantages are Table 24-1 on page 786 presents examples of conceptual and physical design considerations and their corresponding design alternatives.

Prepare Design Specifications Once a design alternative has been selected, the project team develops the conceptual design specifications for the following elements:

24-2 .

1. Output. Because the system is designed to meet users’ information needs, output specifications must be prepared first. 2. Data storage. For Shoppers Mart, decisions included: 

Which data needs to be stored for the sales report



Whether the data should be stored in sequential or random order



What type of file or database to use



Which field size is appropriate for the data items

3. Input. Design considerations for Shoppers Mart include which sales data to enter, sales location and amount, and where, when, and how to collect data. 4. Processing procedures and operations. Design considerations for Shoppers Mart include how to process the input and stored data to produce the sales report and also the sequence in which the processes must be performed.

Prepare the Conceptual Systems Design Report At the end of the conceptual design phase, a conceptual systems design report is prepared to: 1. Guide physical systems design activities 2. Communicate how management and user information needs will be met 3. Help the steering committee assess system feasibility

Multiple Choice 1 In the conceptual design phase of the systems development life cycle, _____ specifications must be prepared first. a. input b. output c. data storage d. data processing Multiple Choice 2 Assumptions and unresolved problems are included in the following report(s): a. Conceptual systems design report b. Physical systems design report c. Post-implementation review report d. All of the above e. A and B

24-3 .

Learning Objective Two Discuss the physical systems design process and the activities in this phase.

Physical Systems Design During the physical systems design phase, the company determines how the conceptual AIS design is to be implemented. As shown in Figure 24-2 on page 787, physical system design phases include (1) designing output, (2) creating files and databases, (3) designing input, (4) writing computer programs, (5) developing procedures, and (6) building controls into the new AIS.

Output Design The objective of output design is to determine the nature, format, content, and timing of printed reports, documents, and screen displays. Some important output design considerations are summarized in Table 242 on page 788. Output usually fits into one of the following four categories: 1.

Scheduled reports have a prespecified content and format and are prepared on a regular basis.

Special-purpose analysis reports have no prespecified content or format and are not prepared on a regular schedule.

Triggered exception reports have a prespecified content and format but are prepared only in response to abnormal conditions.

Demand reports have a prespecified content and format but are prepared only on request.

File and Database Design Table 24-3 on page 789 summarizes some of the more important file and database design considerations: 1) medium, 2) processing mode, 3) maintenance, 4) size, and 5) activity level.

Input Design Considerations for input design are shown in Table 24-4 on page 789. 1. Medium 2. Source 3. Format 4. Type 5. Volume 6. Personnel 7. Frequency 8. Cost

24-4 .

9. Error detection and correction

Forms Design Table 24-5 on page 790 is a useful tool for evaluating existing forms and designing new ones: 1.

General considerations

Introductory section of form

Main body of form

Conclusion section of form

Computer Screen Design Computer screens are most effective when these procedures are followed: 1. Organize the screen so data can be entered quickly, accurately, and completely. 2. Enter data in the same order as displayed on paper forms used to capture the data. 3. Complete the screen from left to right and top to bottom. Group together logically related data. 4. Design the screen so users can jump from one data entry location to another or use a single key or go directly to screen locations. 5. Make it easy to correct mistakes. Clear and explicit error messages that are consistent across all screens are essential. 6. Restrict the amount of data on a screen to avoid clutter. Limit the number of menu options on a single screen.

Program Design Program development is one of the most time-consuming activities in the SDLC. Programs subdivided into small, well-defined modules are a process called structured programming. To improve software quality, organizations should develop programming standards. Although accountants need not be computer programmers, they should understand how software is created. Following are eight steps for developing software: Step 1 Determine user needs. Systems analysts consult with users and agree on software requirements. 24-5 .

Step 1 is performed as a part of the systems analysis phase of the SDLC. Step 2 Create and document a development plan. A development plan is produced and documented. Step 2 is done during conceptual systems design and may carry over to the beginning of physical design. Step 3 Write program instructions (code). This is when the computer code (or program instructions) is written. Step 4 Test the program. Debugging is discovering and eliminating program errors. After a program is coded, a visual and mental review, referred to as desk checking, is conducted to discover programming errors. The Gartner Group estimates that bugs that are not discovered until later in the SDLC cost 80% to 1,000% more to fix than those discovered earlier. Focus 24-1 on page 791 discusses the difficulty of testing software and the consequences of releasing software with undetected errors. Most of the tasks in steps 3 and 4 are done during systems design and are completed during systems implementation. Step 5 Document the program. Documentation explains how programs work and is used to help correct and resolve errors. Step 6 Train program users. Program documentation is often used to train users. Steps 5 and 6 are begun in systems design, but most of the work is done during systems implementation. Step 7 Install the system. All system components, including the programs, are combined and the company begins to use the system. Step 7 is completed during systems implementation and conversion. Step 8 Use and modify the system. Factors that require existing programs to be revised, referred to as program maintenance, include requests for new or revised reports; changes in input, file content, or values such as tax rates; error detection; and conversion to new hardware. Step 8 is part of the operation and maintenance phase.

Procedures Design Everyone who interacts with a newly designed AIS needs procedures that answer who, what, when, where, why, and how questions related to all AIS activities.

24-6 .

Controls Design The often-heard computer adage “garbage in, garbage out” emphasizes that improperly controlled input, processing, and database functions produce information of little value. Controls must be built into an AIS to ensure its effectiveness, efficiency, and accuracy. Some of the more important control concerns that must be addressed are summarized in Table 24-6 on page 792: 1. Validity 2. Authorization 3. Accuracy 4. Security 5. Numerical control 6. Availability 7. Maintainability 8. Integrity 9. Audit trail

Physical Systems Design Report At the end of this phase, the team prepares a physical systems design report that summarizes what was accomplished and serves as the basis for management’s decision whether or not to proceed to the implementation phase. Multiple Choice 3 The following consideration(s) is (are) involved in the file and database design. a. Use b. Operations c. Medium d. A and C Multiple Choice 4 “Is additional training necessary?” is a concern to be answered during _____ design. a. input b. output c. files and database d. program e. controls

24-7 .

Multiple Choice 5 _____ development is one of the most time-consuming activities in the SDLC. a. Input b. Output c. Files and database d. Program e. Controls Multiple Choice 6 _____ is done during systems design and is completed during systems implementation. a. Develop a plan b. Desk checking c. Write program instructions d. All of the above e. B and C

Learning Objective Three Discuss the systems implementation process and the activities in this phase.

Systems Implementation Systems implementation is the process of installing hardware and software and getting the AIS up and running. The state of Virginia has been especially successful in designing and implementing its AIS. Focus 24-2 on page 794 describes the improvements the state made to its AIS.

Implementation Planning An implementation plan consists of implementation tasks, expected completion dates, cost estimates, and the person or persons responsible for each task. One reason that Blue Cross/Blue Shield’s new $200 million system failed was because there was no organizational restructuring.

Site Preparation A large computer may require extensive changes, such as additional electrical outlets, data communications facilities, raised floors, humidity controls, special lighting, and air conditioning. Space is needed for equipment, storage, and offices.

24-8 .

Select and Train Personnel Employees can be hired from outside the company or transferred internally. Because effective training is time consuming and expensive, companies take shortcuts. They are busy trying to maintain and upgrade their new system. Effective AIS training must consist of more than just hardware and software skills. Employees must be oriented to new policies and operations, and training should be planned and scheduled so it occurs just before systems testing and conversion. Boots the Chemists at a London-based international pharmacy developed a new approach to training. Store employees that were nervous about the new computer system were invited to a party where a new POS system had been installed. They were asked to try to harm the new POS system. Employees quickly found out that they could not harm the system and learned that it was easy to use.

Complete Documentation Three types of documentation must be prepared for new systems: 1. Development documentation describes the new AIS. It includes: 

A system description



Copies of output, input, and file and database layouts



Program flowcharts



Test results



User acceptance forms

2. Operations documentation includes: 

Operating schedules



Files and databases accessed



Equipment security



File retention requirements

24-9 .

3. User documentation teaches users how to operate the AIS. It includes a procedures manual and training materials.

Test the System Inadequate system testing was one reason for the Blue Cross/Blue Shield system failure described previously. Documents and reports, user input, operating and control procedures, processing procedures, and computer programs should all be given a trial run in realistic circumstances. In addition, capacity limits and backup and recovery procedures should be tested. Following are three common forms of testing: 1. Walk-throughs are step-by-step reviews of procedures or program logic. 2. Processing test transactions determines if a program operates as designed. 3. Acceptance tests use copies of real transactions and files rather than hypothetical ones. Chemical Bank suffered the consequences of not adequately testing an upgrade to its ATM system. Customers in New York who withdrew money found that their accounts were debited twice. Before the problem was corrected, 150,000 withdrawals with a total value of $8 million were posted to customer accounts. Even software purchased from an outside vendor must be tested thoroughly before being installed.

Multiple Choice 7 New systems must have the following types of documentation: a. Development; Planning; User b. Planning; Budget; User c. Development; Operations; User d. Development; Programming; User

24-10 .

Learning Objective Four Discuss the systems conversion process and the activities in this phase.

Systems Conversion Conversion is the process of changing from the old to the new AIS. This includes converting hardware, software, data files, and procedures.

Conversion Approaches Four conversion approaches are used to change from an old to a new system: 1. Direct conversion immediately terminates the old AIS when the new one is introduced. Focus 24-3 on page 795 discusses the problems at Sunbeam Corp., in part caused by attempting a direct conversion with no backup system. Al Dunlap, a new CEO at Sunbeam Corp., made drastic costcutting moves in which many went too far and ended up hurting the company. His restructuring plan called for eliminating 87% of the company’s products and half of the 6,000 employees. Al terminated computer personnel who were earning $35,000 to learn that they could be making $125,000 a year elsewhere. He replaced the computer personnel with contract workers who made significantly more than $35,000 a year. Some of these contract workers were the computer personnel that he eliminated from the company previously. Al used the direct conversion approach to modernize its information system. Unfortunately, the new system did not work. Without any backup system the entire system was down for months. Orders were lost and some customers did not receive their shipments. Sunbeam had to manually bill its customers. The price of Sunbeam’s stock plummeted and in 1998 Al was fired.

24-11 .

The SEC began investigating Al to find out that $62 million of the $189 million in income for Sunbeam did not comply with accounting rules. Also, Arthur Andersen, Sunbeam’s auditors, paid out $110 million in damages to settle a shareholder class-action suit. In February 2003, Sunbeam filed for Chapter 11 bankruptcy protection. 2. Parallel conversion operates the old and new systems simultaneously for a period of time. 3. Phase-in-conversion gradually replaces elements of the old AIS with the new one. 4. Pilot conversion implements a system in just one part of the organization, such as a branch location. Data conversion can be time-consuming, tedious, and expensive. The difficulty and magnitude of the task can be easily underestimated. The first step in the data conversion process is to decide which data files need to be converted. Then they must be checked for completeness and any data inaccuracies and inconsistencies removed. Once the files and databases have been converted and tested for accuracy, the new system is functional. Multiple Choice 8 Walk-throughs are conducted by the: a. Development team b. System users c. Programmers d. All of the above e. A and B Multiple Choice 9 The first step in the data conversion process is: a. Check data for completeness, and any data inaccuracies, and remove any inconsistencies b. Decide which data files need to be converted c. Conduct data conversion d. Validate new files

Learning Objective Five Discuss the systems operation and maintenance process and the activities in this phase.

24-12 .

Operation and Maintenance The final step in the SDLC is to operate and maintain the new system. A post-implementation review should be conducted on a newly installed AIS to ensure it meets its planned objectives. Table 24-7 on page 796 provides a list of important factors to consider and questions to answer during the post-implementation review. Factors include: 1 2 3 4 5 6 7

Goals and objectives Satisfaction Benefits Costs Reliability Accuracy Timeliness

8 9 10 11 12 13 14

Compatibility Controls and security Errors Training Communications Organizational changes Documentation

When the review has been completed, a post-implementation review report is prepared. The table of contents of this report is provided in Table 24-8 on page 797. User acceptance of the post-implementation review report is the final activity in the systems development process. However, work on the new system is not finished. Studies show that over the life of a system, only 30% of the work takes place during development. The remaining 70% is spent on maintaining the system.

Multiple Choice 10 Studies have shown that _____ percent of the work takes place during development and _____ percent is spent maintaining the system. a. 30; 70 b. 70; 30 c. 65; 35 d. 35; 65

24-13 .

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 B 6 E 2 E 7 C 3 C 8 D 4 A 9 B 5 D 10 A

24-14 .

Online CHAPTER AUDITING COMPUTER-BASED INFORMATION SYSTEMS

This chapter was chapter 11 in the fourteenth edition and was removed from the fifteenth edition and made available online to students at the Student Download Page on www.pearsonglobaleditions.com. Additional instructor resources for this chapter can be downloaded from the Instructor Instructor’s Manual Resources Center page at www.pearsonglobaleditions.com under the fourteenth edition instructor resources. Learning Objectives:

1. Describe the scope and objectives of audit work, and identify the major steps in the audit process. 2. Identify the six objectives of an information system audit, and describe how the risk-based audit approach can be used to accomplish these objectives. 3. Describe computer audit software, and explain how it is used in the audit of an AIS. 4. Describe the nature and scope of an operational audit. Questions to be addressed in this chapter include: 1. How could a programming error of this significance be overlooked by experienced programmers who thoroughly reviewed and tested the new system? 2. Is this an inadvertent error, or could it be a fraud? 3. What can be done to find the error in the program?

Introduction This chapter focuses on the concepts and techniques used in auditing an accounting information system. This chapter is written from the perspective of internal auditors, who work for the organization. The chapter will first provide a general overview of auditing, the scope and objectives of internal audit work, and the steps in the auditing process.

Learning Objective One Describe the scope and objectives of audit work and identify the major steps in the audit process.

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

The Nature of Auditing Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

Types of Internal Auditing Work Three Types of Audits 1. Financial audit: examination of the reliability and integrity of financial transactions, accounting records, and financial statements. 2. Information systems, or internal control audit: examination of the general and application controls of an IS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets. 3. Operational, or management, audit: examination of the economical and efficient use of resources and the accomplishment of established goals and objectives. 4. Compliance audit: examination of organizational compliance with applicable laws, regulations, policies, and procedures. 5. Investigative audit: examination of incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.

An Overview of the Auditing Process Figure 11-1 provides an overview of the auditing process. Four Auditing Stages and Activities 1.

Auditing planning. The purpose of audit planning is to determine why, how, when, and by whom the audit will be performed. Three types of risk when conducting an audit: 

Inherent risk. This is the susceptibility to material risk in the absence of controls.



Control risk. This is the risk that a material misstatement will get through the

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

internal control structure and into the financial statements. 

Detection risk. This is the risk that auditors and their audit procedures will not detect a material error or misstatement.

Collection of audit evidence 

Observation of the activities being audited.



Review of documentation to understand how a particular accounting information system or internal control system is supposed to function.



Discussions with employees about their jobs and how they carry out certain procedures.



Questionnaires that gather data about the system.



Physical examination of the quantity or condition of tangible assets such as equipment, inventory, or cash.



Confirmation of the accuracy of certain information, such as customer account balances, through communication with independent third parties.



Reperformance of selected calculations to verify quantitative information on records and reports.



Vouching for the validity of a transaction by examining all supporting documents.



Analytical review of relationships and trends among information to detect items that should be further investigated.



Audit sampling.

Evaluation of audit evidence. Materiality and reasonable assurance are important when deciding how much audit work is necessary and when to evaluate the evidence. Determining materiality, what is and is not important in a given set of circumstances, is primarily a matter of judgment. The auditor seeks reasonable assurance that no material error exists in the information or process audited.

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

Reasonable assurance is not a guarantee. 4.

Communication of audit results (the audit report). The auditor prepares a written (and sometimes oral) report summarizing the audit findings and recommendations to management, the audit committee, the board of directors, and other appropriate parties.

The Risk-Based Audit Approach Logical framework for carrying out an audit: 1. Determine the threats (fraud and errors) facing the accounting information system. 2. Identify the control procedures implemented to minimize each threat by preventing, detecting, or correcting the fraud and errors. 3. Evaluate internal control procedures. Reviewing system documentation and interviewing appropriate personnel to determine if the necessary procedures are in place is called a systems review. Then tests of controls are conducted to determine if these procedures are satisfactorily followed. 4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures and client suggestions. Control weaknesses may be acceptable if there are compensating controls that compensate for the internal control weakness deficiency. Multiple Choice 1 When auditors have recommendations in their report to management, they use: a. audit objectives b. established policies c. audit scope d. established criteria Multiple Choice 2 A typical audit has a mix of audit procedures, which of the following is not an audit procedure? a. Confirmation b. Vouching c. Analytical review d. Identify risk factors Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

Multiple Choice 3 Which type of audit risk involves the chance that there will be a material risk when the controls are absent? a. External risk b. Inherent risk c. Internal risk d. Control risk

Learning Objective Two Identify the six objectives of an information system audit and describe how the risk-based audit approach can be used to accomplish these objectives.

Information Systems Audits The purpose of an information systems audit is to review and evaluate the internal controls that protect the system. In conducting accounting information system audits, auditors should determine if the following objectives are met: 1. Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction. 2. Program development and acquisition are performed in accordance with management’s general and specific authorization. 3. Program modifications have management’s authorization and approval. 4. Processing of transactions, files, reports, and other computer records is accurate and complete. 5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies. 6. Computer data files are accurate, complete, and confidential.

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

Figure 11-2 depicts the relationship among these six objectives and information systems components.

Multiple Choice 4 In performing an information systems audit, there are _____ audit objectives. a. 3 b. 4 c. 5 d. 6

Objective 1: Overall Security Table 11-1 contains a framework for auditing computer security; showing the following: 1. Types of security errors and fraud faced by companies. 2. Control procedures to minimize security errors and fraud. 3. Audit procedures: Systems review. 4. Audit procedures: Tests of controls. 5. Compensating controls.

Objective 2: Program Development and Acquisition Two things can go wrong in program development: 1. Inadvertent errors due to misunderstanding of system specifications or careless programming. 2. Unauthorized instructions deliberately inserted into the programs. The auditor’s role in systems development should be limited to an independent review of systems development activities. Auditors should also review the policies, procedures, standards, and documentation listed in Table 11-2. This table provides a framework for reviewing and evaluating the program development process.

Objective 3: Program Modification Table 11-3 presents a framework for auditing application programs and system software changes.

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

When a program change is submitted for approval, a list of all required updates should be compiled and approved by management and program users. During systems review, auditors should gain an understanding of the change process by discussing it with management and user personnel. An important part of an auditor’s tests of controls is to verify that program changes were identified, listed, approved, tested, and documented. To test for unauthorized program changes, auditors can use a source code comparison program. There are three ways to detect unauthorized program changes: Source code comparison program to compare current version of the program with the source code (that auditors have a copy of); if there are differences, the changes should be authorized. The reprocessing technique also uses a verified copy of the source code. On a surprise basis, the auditor uses the program to reprocess data and compare that output with the company’s data. Parallel simulation is similar to reprocessing except that the auditor writes a program instead of saving a verified copy of the source code. The auditor’s results are compared with the company’s results and any differences are investigated.

Objective 4: Computer Processing Table 11-4 provides a framework for auditing computer processing controls. The focus of the fourth objective is the processing of transactions, files, and related computer records to update files and databases and to generate reports. Processing Test Data One way to test a program is to process a hypothetical series of valid and invalid transactions. The following resources are helpful when preparing test data: 1. A listing of actual transactions. 2. The test transactions the programmer used to test the program.

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

3. A test data generator program, which automatically prepares test data based on program specifications. Disadvantages of processing test transactions: 1. The auditor must spend considerable time developing an understanding of the system and preparing an adequate set of test transactions. 2. Care must be taken to ensure that test data do not affect the company’s files and databases. Concurrent Audit Techniques Millions of dollars of transactions can be processed in an online system without leaving a satisfactory audit trail. The auditor uses concurrent audit techniques to continually monitor the system and collect audit evidence while live data are processed during regular operating hours. Concurrent audit techniques use embedded audit modules, which are segments of program code that perform audit functions. Auditors normally use five concurrent audit techniques: 1.

An integrated test facility (ITF) technique places a small set of fictitious records in the master files. The auditor compares processing with expected results to verify that the system and its controls are operating correctly.

The snapshot technique examines the way transactions are processed. Selected transactions are marked with a special code that triggers the snapshot process.

System control audit review file (SCARF) uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance.

Audit hooks are audit routines that flag suspicious transactions. This approach is known as real-time notification, which displays a message on

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

the auditor’s terminal as these questionable transactions occur. Focus 11-1 State Farm Life Insurance Company In the regional offices, the system processes more than four million individual policyholder records. The system processes more than 30 million transactions per year and keeps track of policy funds valued at more than $7 billion. Anyone with access and knowledge of the system could commit fraud. The auditors were given the challenge of identifying all the ways fraud was possible. To do this the auditors came up with all the possible ways to defraud the system. Auditors had 33 embedded audit hooks to monitor 42 different types of transactions. The auditors were successful using audit hooks as they did catch an employee fraudulently obtaining cash by processing a loan on her brother’s life insurance policy. She then forged her brother’s signature and cashed the check. To cover up she had to repay the loan before the annual report was sent to her brother. She used a series of fictitious transactions involving a transfer account. She was investigated and the employee was terminated. 5.

Continuous and intermittent simulation (CIS) embeds an audit module in a database management system (DBMS). The CIS module examines all transactions that update the database using criteria similar to those of SCARF.

Analysis of Program Logic If an auditor suspects that a particular application program contains unauthorized code or serious errors, then a detailed analysis of the program logic may be necessary. Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

1. Automated flowcharting programs, which interpret program source code and generate a corresponding program flowchart. 2. Automated decision table programs, which generate a decision table representing the program logic. 3. Scanning routines, which search a program for occurrences of a specified variable name or other character combinations. 4. Mapping programs, which identify unexecuted program code. 5. Program tracing, which sequentially prints all application program steps executed during a program run.

Objective 5: Source Data Auditors use an input controls matrix, such as the one shown in Figure 11-3. The matrix shows the control procedures applied to each field of an input record. Table 11-5 shows the internal controls that prevent, detect, and correct inaccurate or unauthorized source data. Types of Errors and Fraud Control Procedures Audit Procedures: System Review Audit Procedures: Tests of Controls Compensating Controls

Objective 6: Data Files The sixth objective concerns the accuracy, integrity, and security of data stored in machine-readable files. Table 11-6 summarizes the errors, controls, and audit procedures for this objective. Multiple Choice 5 The compensating controls that compensate for an internal control efficiency include(s) a. information systems insurance b. preventive maintenance c. effective user controls d. all of the above

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

Multiple Choice 6 The __________ audit procedure is used for the audit of __________. a. examine system access logs; program development b. review programming evaluation standards; overall computer security c. proper use of internal and external file labels; computer processing controls d. review program documentation standards; program modification Multiple Choice 7 An integrated test facility technique a. examines the way transactions are processed b. places a small set of fictitious records in the master files c. uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance d. searches a program for occurrences of a specified variable name or other character combinations Multiple Choice 8 The audit technique used to catch the State Farm Life Insurance Company employee fraudulently taking cash was a. audit hooks b. snapshot technique c. program tracing d. internal control testing

Learning Objective Three Describe computer audit software and explain how it is used in the audit of an AIS.

Computer Software There are a number of computer programs, called computer aided audit techniques (CAAT) also called general audit software, that have been written especially for auditors. CAAT or general audit software is software designed to read, process, and write data with the help of functions performing specific audit routines and with self-made macros. It is a tool in applying Computer Assisted Auditing Techniques. A function of generalized audit software includes importing computerized data; thereafter other functions can be applied. Two of the most popular are Audit Control Language (ACL) and IDEA.

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

ACL is a data interrogation tool used by auditors to view, explore, and analyze data efficiently and cost effectively. ACL enables auditors to access data in diverse formats and on various types of storage devices. IDEA (Interactive Data Extraction and Analysis) is a generalized audit software. It is able to import a wide range of different types of data files. During the import, an IDEA file and its field statistics are created. The auditor’s first step is to decide on audit objectives, learn about the files and databases to be audited, design the audit reports, and determine how to produce them. The primary purpose of CAAT is to assist the auditor in reviewing and retrieving information in computer files. CAS cannot replace the auditor’s judgment or free the auditor from other phases of the audit. Multiple Choice 9 Two of the most popular audit software packages include: a. ITF b. ACL c. CIS d. SCARF

Learning Objective Five Describe the nature and scope of an operational audit.

Operational Audits of an Accounting Information System The techniques and procedures used in operational audits are similar to audits of information systems and financial statements. The basic difference is that the scope of the information systems audit is confined to internal controls, whereas the scope of the financial audit is limited to systems output. In contrast, the scope of the operational audit is much broader, encompassing all aspects of information systems management. The evidence collection, during the audit preliminary survey, includes the following activities: 1. Reviewing operating policies and documentation. 2. Confirming procedures with management and operating personnel. Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .

3. Observing operating functions and activities. 4. Examining financial and operating plans and reports. 5. Testing the accuracy of operating information. 6. Testing controls. Multiple Choice 10 The first step in an operational audit is a. evaluating evidence b. collecting evidence c. communicating the results d. none of the above

Answer to Multiple Choice Questions: Multiple Choice Question Answers Number Answer Number Answer 1 D 6 C 2 D 7 B 3 B 8 A 4 D 9 B 5 C 10 D

Online Chapter: AUDITING COMPUTER-BASED INFORMATION SYSTEMS .