Accounting Information Systems, 10E By
George H. Bodnar William S. Hopwood
Chapter 1 ACCOUNTING INFORMATION SYSTEMS: AN OVERVIEW

TEACHING TIPS

This chapter provides general coverage of many of the text's major themes. It's usually a good idea to indicate how the topics covered in this chapter will be covered in more detail later in the course. Many instructors will not assign any problem from the end of this chapter. This can be done without any loss of overall continuity in the course. If the course will emphasize internal controls, it might be desirable to cover in class one of the general cases on internal control from the back of Chapters 4, 7, or 8. This should be done to stimulate student interest, but the instructor should not worry if the students in the course fail to analyze the case correctly.

In some ways, teaching systems can be more difficult than teaching other areas. In many cases there are no clear-cut debits and credits to be made, and judgment is often required. This can make some students feel uncomfortable. So it's usually good to emphasize this at the beginning of the course to properly set students' expectations. The point should also be made that systems are an important area of professional examinations.

One of the biggest risks in teaching systems is that it can easily become dry and boring. I have found that the best way to overcome this is to generate as much class discussion as possible on many of the major points in the chapter. Accordingly, I always make class participation about one-fourth of the total course grade. I tell students on the first day of class that as a starting point I will give all students the same number of points (reflecting a class average) for participation. Then, at the end of the course, I will typically add or subtract 5, 10, or 15 points to/from each student's grade according to their participation. Many students typically stay at the average, so only noteworthy students end up with an adjustment. I always use a seating chart, unless the class is small.
Many of my students have had jobs. So one question that I constantly ask throughout the term is "Has anyone experienced this before in their job or otherwise?"

ACCOUNTING INFORMATION SYSTEMS AND BUSINESS ORGANIZATIONS

An accounting information system is a collection of resources, such as people and equipment, designed to transform financial and other data into information. Accounting information systems perform this transformation whether they are essentially manual systems or thoroughly computerized.

Information and Decisions. The users of accounting information fall into two broad groups: external and internal. Higher-level managers require less information detail than lower-level managers. A distinction might be drawn between two broad classes of accounting information: mandatory and discretionary. Conceptually, information should satisfy a cost-benefit criterion. In meeting mandatory information requirements, the primary consideration is minimizing costs while meeting minimum standards of reliability and usefulness. When the provision of information is discretionary, the primary consideration is that the benefits obtained exceed the costs of production.

Information Systems. A "computer-based" information system is a collection of computer hardware and software designed to transform data into useful information.

Electronic Data Processing (EDP or DP): the use of computer technology to perform an organization's transaction-oriented data processing.

Management Information Systems (MIS): use computer technology to provide decision-oriented information to managers. An MIS provides a wide variety of information beyond that which is associated with DP in organizations. MIS subsystems are not physically independent. Examples of MIS subsystems are as follows:
* Marketing information system
* Manufacturing information system
* Human resource information system
* Financial information system

Decision Support Systems (DSS): process data into a decision-making format for the end user. DSS serve ad hoc, specific, non-routine information requests by management, including what-if analyses.

Expert Systems (ES): knowledge-based information systems that use knowledge about a specific application area to act as an expert consultant to end users. An ES differs from a DSS in that a DSS assists a user in making a decision, whereas an ES makes the decision.

Executive Information Systems (EIS): tailor information to the strategic information needs of top-level management.

Accounting Information Systems (AIS): include transaction processing cycles, the use of information technology, and the development of financial information systems.

ACCOUNTING INFORMATION SYSTEMS AND APPLICATION ARCHITECTURE

Accounting information systems and information technology (IT) are strongly intertwined. The fundamental benefits of information technology are automation, information organization, and communication. Applications architecture is the process of ensuring that the organization's suite of applications works together as a composite application according to the goals and objectives of the organization. Architecture has evolved from automating the traditional accounting cycle to enhancing functional planning and control within the organization.

Material Requirements Planning (MRP) software assisted management in managing inventories and scheduling production. MRP evolved into MRP II (Manufacturing Resource Planning II), which added new capabilities. MRP and MRP II paved the way for Computer Integrated Manufacturing (CIM) and Flexible Manufacturing Systems (FMS). In CIM, computers take control of the entire manufacturing process; in FMS, computers not only control production processes but can also be reprogrammed so that the same processes can produce entirely different products.

Enterprise Resource Planning (ERP) involves combining the various functional information systems under the umbrella of a single software package and a single database. ERP II adds collaborative commerce to ERP. Collaborative commerce involves groups of organizations working together toward common goals, such as new products, new process methods, and human capital intelligence. In recent years the ERP system has given way to the Enterprise Application Suite (EAS). The EAS replaces one monolithic ERP software package with a group (i.e., a suite) of individual packages that work closely with each other and run in web browsers.

BUSINESS PROCESSES

A business process is an interrelated set of tasks that involve data, organizational units, and a logical time sequence. A key characteristic of business processes is that they are not necessarily limited to a single functional area of the information system or the organization chart.
Business Process Reference Models. The basic business processes can be organized and grouped together according to various reference models, depending on the desired emphasis:
* The ERP Functional Model
* The Value Chain Model
* The Supply Chain Model
* The Operations Process Model
* The Transaction Cycle Model

Transaction Processing Cycles
* Revenue cycle. Events related to the distribution of goods and services to other entities and the collection of related payments.
* Expenditure cycle. Events related to the acquisition of goods and services from other entities and the settlement of related obligations.
* Production cycle. Events related to the transformation of resources into goods and services.
* Finance cycle. Events related to the acquisition and management of capital funds, including cash.

The transaction cycle model of an organization includes a fifth cycle - the financial reporting cycle. The financial reporting cycle is not an operating cycle. It obtains accounting and operating data from the other cycles and processes these data in such a manner that financial reports may be prepared.

Internal Control Process

The term internal control process suggests actions taken within an organization to regulate and direct the activities of the organization.

Elements of Internal Control Process. An organization's internal control process consists of the policies and procedures established to provide reasonable assurance that specific organizational objectives will be achieved. It consists of five elements: the control environment, risk assessment, control activities, information and communication, and monitoring. Internal control also calls for the maintenance of adequate records in an effort to control assets and analyze the assignment of responsibility.

Segregation of Accounting Functions. Segregate record keeping, custody, and authorization.

Internal Audit Function. Internal audit is charged with monitoring and assessing compliance with organizational policies and procedures. The internal audit function must be segregated from the accounting function and must also have neither responsibility nor authority for any operating activity.

ACCOUNTING AND INFORMATION TECHNOLOGY

The term accounting information system includes the use of information technology to provide information to users. Computers are used in all types of information systems. Information technology includes computers, but it also includes other technologies used to process information. Technologies such as machine-readable bar codes and scanning devices, and communications protocols and standards such as ANSI X.12, are essential to office automation and quick response systems.

The Information Systems Function

Every organization that uses computers to process transactional data has an information systems function, which is responsible for data processing (DP).

Organizational Location. The head of the information systems function is typically called the Chief Information Officer and is advised by an advisory group called a steering committee.

Functional Specialization. The most prevalent information systems departmental structure is the assignment of responsibilities and duties by area of technical specialization, that is, by function. Sub-functions include the analysis function, the programming function, the operations function, the technical support function, and the user support function. Analysis and programming functions are typically organized by project. In project organization, analysts and programmers are assigned to specific application projects and work together to complete a project under the direction of a project leader.

Quick Response Technology. Quick response systems are essential to the TQP (Total Quality Performance) movement in business. Quick response systems use several key technologies: Just-in-Time (JIT), Web Commerce, Electronic Data Interchange (EDI), Radio Frequency Identification (RFID), Computer-Integrated Manufacturing (CIM), Lean Manufacturing, and Electronic Funds Transfer (EFT). Lean Manufacturing (or Lean Production) is a general class of production improvement principles that focus on eliminating waste and improving the smoothness of the production flow. Retail EFT systems include telephone wire transfers and telephone payment systems, preauthorized payment systems, point-of-sale (POS) applications, and automated teller machines (ATMs).

THE ACCOUNTANT AND SYSTEMS DEVELOPMENT

The term accounting information system includes systems development activities that an accountant or auditor might expect to encounter professionally.

The Nature of Systems Development. A systems development project ordinarily consists of three general phases: systems analysis, systems design, and systems implementation. The systems approach is a process that consists of six steps:
* Statement of system objective(s)
* Creation of alternatives
* Systems analysis
* Systems design
* Systems implementation
* Systems evaluation

Business Process Blueprinting. Blueprinting is the use of generic or industry standards for systems development, as opposed to the development of a new system.

Behavioral Considerations in Systems Development

The user cooperation needed to operate the system successfully should be ensured during the design of a system, not afterward. A philosophy of user-oriented design fosters a set of attitudes and an approach to systems development that consciously considers the organizational context.

Green IT: Designing For Sustainability
The term Green IT has become a general label for utilizing information technology resources in an environmentally responsible manner.

Energy Usage. Green data centers use energy-efficient cooling technologies, energy-efficient equipment, and energy-efficient building designs to reduce their environmental footprint.

E-waste. E-waste is IT and other electronic products that are at or near the end of their useful life.
REVIEW QUESTIONS

1. An accounting information system is a collection of resources designed to provide data to a variety of decision makers according to their needs and entitlement.

2. The users of accounting information fall into two broad groups: external and internal. External users include stockholders, investors, creditors, government agencies, customers and vendors, competitors, labor unions, and the public at large. Internal users are the managers in an organization.

3. Electronic data processing (EDP) is the use of computer technology to perform an organization's transaction-oriented data processing. Management information systems (MIS) use computer technology to provide decision-oriented information to managers. In a decision support system (DSS), data are processed into a decision-making format for the end user. An expert system (ES) is a knowledge-based information system that uses its knowledge about a specific application area to act as an expert consultant to end users.

4. The four common operating cycles of business activity are the revenue cycle, expenditure cycle, production cycle, and finance cycle.

5. The term internal control suggests actions taken within an organization to regulate and direct the activities of the organization.

6. A controller is in charge of the accounting function. The treasurer is responsible for the finances of the business.

7. Internal audit is charged with monitoring and assessing compliance with organizational policies and procedures.

8. The most prevalent information systems departmental structure is the assignment of responsibilities and duties by area of technical specialization, that is, function.

9. The analysis function focuses on identifying problems and projects for computer processing and designing systems to satisfy these problems' requirements. The programming function is responsible for the design, coding, testing, and debugging of computer programs necessary to implement the system designed by the analysis function. The operations function is charged with data preparation, the operation of the equipment, and system maintenance. The technical support function allows specialization in areas such as operating systems and software, data management and database design, and communications technology. The user support function services end users, much as the technical support function services personnel of the information systems department.

10. In project organization, analysts and programmers are assigned to specific application projects and work together to complete a project under the direction of a project leader. Project organization focuses responsibility for application projects on a single group, unlike functional organization, in which responsibility for a specific project is spread across different functional areas.

11. A steering committee is the means by which managers of other areas can influence the policies, budget, and planning of information services.

12. Blueprinting is the use of generic or industry standards for systems development, as opposed to the development of a new system. Blueprinting avoids the expense of 'reinventing the wheel'.

13. An accountant might access accounts receivable data from a company's centralized database, manipulate them, and then print a report using an online data terminal and query language software.

14. Several technologies important to quick response systems are EDI (Electronic Data Interchange), UPC bar code identification of products, and scanning technology.

15. EDI differs from electronic mail in that electronic mail messages are created and interpreted by humans (person-to-person), whereas EDI messages are created and interpreted by computers.

16. Components of a CIM system typically include computer-aided design (CAD) workstations, real-time production monitoring and control systems, and order and inventory control systems. CIM components are connected by a computer network and equipped with software systems designed to support distributed operation.

17. The six steps in the systems approach are:
* Statement of system objective(s)
* Creation of alternatives
* Systems analysis
* Systems design
* Systems implementation
* Systems evaluation

18. A philosophy of user-oriented design fosters a set of attitudes and an approach to systems development that involves users in the design of applications.

ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS

19. Nature of Transactions - 10 minutes Easy
A credit sale is not complete until the subsequent billing and collection of funds from the customer. This question illustrates how a single transaction might consist of several events and also how a transaction might impact on several cycles (in this case both revenue and finance cycles as discussed in the chapter). The instructor might note the interdependencies between sales, billings, and cash collections, as well as the possibilities of sales returns, adjustments, and uncollectibility of accounts.

20. Organizational Location of Audit Function - 10 minutes Easy
Internal auditing should be organizationally independent of the controller or similar office and should be administratively responsible to top management. The Securities and Exchange Commission and the major stock exchanges have endorsed this position, as have all of the professional accounting associations (AICPA, IIA, IMA).

21. Apply the Systems Approach - 20 minutes Easy
The systems approach is a general procedure for the administration of a systems project. The systems approach can be viewed as a process that consists of several stages. Its purpose is to assist in the orderly
development of effective systems. These steps can be described as:
* Statement of system objective(s)
* Creation of alternatives
* Systems analysis
* Systems design
* Systems implementation
* Systems evaluation

The discussion of the systems approach to each of the given objectives could follow a format as presented in Figure 1.12 of the text. The instructor can stress the importance of defining objectives and plans in operational terms.

22. Nature of Accounting Function - 10 minutes Easy
Some discussion areas for specific decisions follow:
(1) Selection of the controller, technological configuration of the AIS, monitoring and setting the budget for the AIS function.
(2) Overall responsibility for lower-level personnel, procedures and methods, financial report preparation, budgeting, and tax planning. Duties would depend on the size of the organization.
(3) Various operating decisions relating to personnel and procedures: approval of journal vouchers, memos, and other such items; scheduling work assignments; handling of exceptions; monitoring of work load.

23. Communication in Systems Design - 10 minutes Easy
Effective communication between all parties is essential to the system development process. Systems analysts must understand management's needs in order to integrate these needs into the system that they are designing. Likewise, management must be able to communicate their needs and desires to systems analysts for the same reason. Operating personnel must understand management's needs in order to properly operate the system, and the needs of operating personnel must be understood by analysts and management in order that the system operate effectively.

24. Internal Control - 20 minutes Easy
a. This is an unsatisfactory situation. Purchase requisitions should be made in writing, not verbally, by departments to the purchasing agent.
b. This is a satisfactory situation. There is a separation of duty between custody of assets and the related record-keeping responsibility.
c. This is an unsatisfactory situation. There is not a separation of duty between the operation of receiving deliveries and custody of the assets. Receiving operations related to shipments from vendors should be handled by clerks who are not responsible for managing the storeroom where goods are kept.
d. This is an unsatisfactory situation. There is not a separation of duty between the operation of preparing purchase orders and custody of the assets. Purchase orders should be prepared by clerks who are not responsible for managing the storeroom where goods are kept.
e. This is a satisfactory situation. Blind counts should be performed in receiving operations.
f. This is an unsatisfactory situation. There is not a separation of duty between the operation of taking the inventory and custody of the assets. A periodic physical inventory should be taken and reconciled to the materials inventory records by clerks other than those clerks who are responsible for managing the storeroom where goods are kept.
g. This is a satisfactory situation. Purchase orders should be compared to receiving reports before payment is made to a vendor to ensure that the goods have been received.
h. This is a satisfactory situation. Copies of purchase orders should be sent to the personnel who made the original request for the material in order to inform them that the items are under order.
i. This is a satisfactory situation.

25. Control Objectives - 30 minutes Medium
a. Procurement
b. Outbound sales logistics
c. Outbound sales logistics
d. Outbound sales logistics
e. Organization and human resource management
f. Operations
g. Firm infrastructure
h. Firm infrastructure
i. Firm infrastructure
j. Firm infrastructure
k. Firm infrastructure
l. Firm infrastructure
m. Firm infrastructure

26. Steering Committee - 15 minutes Medium
A steering committee is an organizational group which meets periodically to set and review important policy, budget, and project decisions relating to the information systems department in an organization. A steering committee is composed of high-level members of user functions as well as the head of the information systems department. Because members of a steering committee include users (i.e., consumers) as well as representatives of the information systems department, a steering committee provides user feedback in controlling the information systems department in an organization. An important aspect of a steering committee is that it allows for the exercise of organizational power and politics in decisions regarding the information systems department in an organization. This facilitates support for decisions made with respect to the allocation of information system resources.

A steering committee would assume the overall responsibility for planning for the acquisition and use of computer resources at the Red Wine company. Members of the steering committee should include high-level officers from each of the company's business functions - manufacturing, marketing, finance, accounting, and general administration - as well as the manager of the IS department. The steering committee should attempt to find the best allocation of resources to fit the needs of the company.

The Red Wine company's rapid growth has strained the firm's computer resources, and the number of complaints concerning inadequate support and service from IS have increased dramatically in the past year. This indicates a lack of support for the current manner in which resource allocation decisions concerning computer equipment are being made. Currently IS itself has a budget, which apparently it administers itself, subject to the president's approval. But several users have recently made or are actively considering their own purchase of computer equipment. This situation could prove to be counterproductive for the company as a whole, and is a good reason why a steering committee is needed to centralize and control the responsibility for planning for the acquisition and use of computer resources at the company. A steering committee would allow for the exercise of organizational power and politics in decisions regarding the allocation of computer resources. This should tend to build support within the organization for decisions which are made with respect to the future allocation of computer systems resources.
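The separations asked for in the answer to question 24 (receiving vs. the storeroom, purchase-order preparation vs. the storeroom, the physical count vs. the storeroom) and the chapter's rule to segregate record keeping, custody, and authorization can be checked mechanically, both against who holds which duties and against an audit trail of who actually performed each step. The Python script below is an added example and is not code from this manual or the textbook; the duty names, the people, the audit-trail records, and the extra "operations" class used to model receiving are all constructed for the illustration.

```python
"""Segregation-of-duties (SoD) checks for a purchasing process.

Added example; not code from the instructor's manual or the textbook.
Rule 1 encodes the chapter's principle that record keeping, custody and
authorization be held by different people.  Rule 2 adds the extra pair the
answer to question 24(c) treats as incompatible (receiving deliveries vs.
managing the storeroom).  Duty names, the "operations" class used for
receiving, the people and the audit-trail records are all constructed.
"""
from itertools import combinations

RECORD_KEEPING = "record keeping"
CUSTODY = "custody"
AUTHORIZATION = "authorization"
OPERATIONS = "operations"   # modelling choice for receiving, per 24(c)

# Control class of each concrete duty (constructed mapping).
DUTY_CLASS = {
    "prepare_purchase_order": AUTHORIZATION,
    "approve_requisition": AUTHORIZATION,
    "manage_storeroom": CUSTODY,
    "receive_deliveries": OPERATIONS,
    "maintain_inventory_records": RECORD_KEEPING,
    "match_po_to_receiving_report": RECORD_KEEPING,
    "take_physical_inventory": RECORD_KEEPING,  # count and reconcile to records
}

# Rule 1: no single person holds duties from two of these three classes.
SEGREGATED_CLASSES = {RECORD_KEEPING, CUSTODY, AUTHORIZATION}

# Rule 2: pairs flagged by question 24 that rule 1 alone would not catch.
EXTRA_INCOMPATIBLE = {
    frozenset({"receive_deliveries", "manage_storeroom"}),  # 24(c)
}


def incompatible(duty_a, duty_b):
    """True if one person holding both duties breaks rule 1 or rule 2."""
    ca, cb = DUTY_CLASS[duty_a], DUTY_CLASS[duty_b]
    if ca != cb and ca in SEGREGATED_CLASSES and cb in SEGREGATED_CLASSES:
        return True
    return frozenset({duty_a, duty_b}) in EXTRA_INCOMPATIBLE


def role_conflicts(assignments):
    """Static check.  assignments: person -> set of duties.
    Returns sorted (person, duty_a, duty_b) triples that break a rule."""
    found = []
    for person, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if incompatible(a, b):
                found.append((person, a, b))
    return sorted(found)


def audit_trail_conflicts(events):
    """Dynamic check over what actually happened.  events: iterable of
    (transaction_id, duty, actor) records in any order.  Returns sorted
    (transaction_id, actor, duty_a, duty_b) for every transaction in which
    the same actor performed two incompatible steps, even when the static
    role assignment looked clean."""
    by_txn = {}
    for txn, duty, actor in events:
        by_txn.setdefault(txn, {}).setdefault(actor, set()).add(duty)
    found = []
    for txn, actors in by_txn.items():
        for actor, duties in actors.items():
            for a, b in combinations(sorted(duties), 2):
                if incompatible(a, b):
                    found.append((txn, actor, a, b))
    return sorted(found)


# Constructed assignments mirroring situations 24(b), (c), (d) and (f).
ASSIGNMENTS = {
    "alice": {"maintain_inventory_records"},                  # 24(b): records only
    "bob": {"manage_storeroom"},                              # 24(b): custody only
    "carol": {"manage_storeroom", "receive_deliveries"},      # 24(c)
    "dave": {"manage_storeroom", "prepare_purchase_order"},   # 24(d)
    "erin": {"manage_storeroom", "take_physical_inventory"},  # 24(f)
}

# Constructed audit trail for two purchase orders.
AUDIT_TRAIL = [
    ("PO-1001", "prepare_purchase_order", "frank"),
    ("PO-1001", "receive_deliveries", "grace"),
    ("PO-1001", "match_po_to_receiving_report", "alice"),
    ("PO-1002", "prepare_purchase_order", "frank"),
    ("PO-1002", "receive_deliveries", "grace"),
    ("PO-1002", "maintain_inventory_records", "frank"),  # same person authorized and recorded
]

if __name__ == "__main__":
    for conflict in role_conflicts(ASSIGNMENTS):
        print("role conflict:", conflict)
    for conflict in audit_trail_conflicts(AUDIT_TRAIL):
        print("audit-trail conflict:", conflict)
```

Run stand-alone, the static check flags carol, dave and erin (situations c, d and f) and passes alice and bob (situation b), while the audit-trail check flags PO-1002, where one person both prepared the order and posted the inventory record. The two checks are complementary: the role check catches a bad assignment before anything happens, and the audit-trail check catches the case where someone used access they should not have had.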
27. Information Systems Function - 30 minutes Medium
Courtesy of Touche Ross Foundation
28. Business Processes - 10 minutes Easy
a. The fact that the business is Web-based has no real bearing on what the company's basic business processes are. The usual processes are involved: logistics, operations, marketing, service, procurement, technology development, organization and human resources management, and firm infrastructure.
b. Logistics and procurement.
c. The basic business processes would not change. Of course, specific sub-processes would change.
d. The major business processes would remain essentially the same if a second product were added.

29. Procurement Process - 10 minutes Medium
a. Rough sketch of procurement process: a) identify need to purchase tea, b) negotiate pricing and select vendor, c) generate order, d) take delivery, e) process delivery and perform necessary accounting functions.
b. The negotiation of pricing and selecting of a vendor would change.
c. The answer to part 1 also serves to describe sub-processes.

30. Business Processes - 15 minutes Medium
a. Start, end: Generate sales order, ship customer order. Trigger: customer.
b. Start, end: acquire inventory, ship or use inventory. Trigger: customer or production order.
c. Start, end: assemble shipment and paperwork, ship order. Trigger: customer order.
d. Start, end: assemble order, generate order. Trigger: sales or production demand.
e. Start, end: collection of hours worked, generation of payroll check. Trigger: end of work week.

31. Web Commerce - 10 minutes Easy
At first glance Luxdale was purely an innocent victim. But on the other hand Luxdale was apparently unable to reassure the public with a published privacy policy that had been subject to some sort of audit. Luxdale might have obtained an AICPA Web Trust seal of approval before the problem occurred. Had it done this it would have been in a much better position to assure the public when the trouble arose.

32. Blueprinting Approach to Systems Development - 20 minutes Medium
The company seems to have a truly amazing product, one that can forecast accurately up to 6 months in the future. Because of this, rapid growth is likely to continue. It is therefore imperative that a new system be implemented that will allow for future growth. So the blueprint approach makes a lot of sense if it will produce an integrated system that will handle the company's present and future needs. So the real question is not so much the viability of the blueprint approach but rather the quality of the work that might be performed by SysQuick. And then there is the issue of Blake being able to implement the blueprint once it is developed. If Barbara Conta signs on with SysQuick, she is in effect putting her future in their hands. So it would be imperative for her to thoroughly investigate this company and their success with other companies.

33. Systems Development in a Small Company - 15 minutes Medium
Fancy Ropa's situation is typical for a company that has grown without a comprehensive IS plan. The result is a system that is a patchwork of parts that are not well integrated with each other. The solution is to adopt a single, integrated enterprise-wide information system such as SAP Business One or Oracle Small Business Suite, which target small and medium size enterprises. These products could then be upgraded to the enterprise versions with continued expansion of the business. Switching to an ERP-type system can be fraught with many risks and a lot of pain and expense. For this reason, the best approach is to use a major accounting firm such as Accenture to assist with the project.
WEB RESEARCH ASSIGNMENTS

34. In recent years the top focus has been on information security and privacy. The exact priorities change from year to year. Most students should have no problem completing this assignment.

35. Most students should have no problem with this assignment. It may be helpful to ask students to present summaries of their findings to the class.

36.
Across
1. TECHNICAL SUPPORT FUNCTION — specialists in areas of IT expertise
5. MATERIAL REQUIREMENTS PLANNING — software that assisted management in managing inventories and scheduling production.
6. FLEXIBLE MANUFACTURING SYSTEMS — programmable production processes
7. WEB TRUST — sometimes given to Web sites by certified public accountants
8. USER-ORIENTED — consciously considers organizational context.
9. TOTAL QUALITY PERFORMANCE — a philosophy that one should do the right thing right the first time.
10. INTERNAL CONTROL PROCESS — a process designed to provide reasonable assurance regarding the achievement of its objectives
11. ANALYSIS FUNCTION — focuses on identifying problems
12. TOTAL QUALITY MANAGEMENT — synonym for TQP (total quality performance).
15. STEERING COMMITTEE — high-level members of user functions
16. RADIO FREQUENCY IDENTIFICATION — small electronic tracking tags
18. ELECTRONIC DATA INTERCHANGE — electronic transactions between organizations
22. PROJECT ORGANIZATION — organization by application projects rather than by organizational function.
26. SUPPLY CHAIN MANAGEMENT — operations planning
28. VALUE CHAIN — a way of viewing the company's activities in a manner suited to analyzing competitive advantages.
29. FINANCE CYCLE — the acquisition and management of capital funds, including cash.
32. SYSTEMS APPROACH — a general procedure for the administration of a systems project.
34. DATA PROCESSING — technology to transform data
37. ANSI X.12 — EDI standard
42. PROGRAMMING FUNCTION — design, coding, testing, and debugging of software
45. ELECTRONIC FUNDS TRANSFER — payment systems in which processing and communication are primarily or totally electronic.
52. ENTERPRISE RESOURCE PLANNING II — ERP plus collaborative commerce.
53. AS2 — securely exchanging messages
54. PRODUCTION CYCLE — the transformation of resources into goods and services.
55. CHIEF INFORMATION OFFICER — overall responsibility for the information system function.
56. MANAGEMENT INFORMATION SYSTEM — the use of computers to provide decision-oriented information to managers.
57. ENTERPRISE RESOURCE PLANNING — various functional information systems combined into one software package

Down
2. COMPUTER INTEGRATED MANUFACTURING — electronic control of the production processes.
3. TRANSACTION PROCESSING CYCLE — basic ones: revenues, expenditures, production, and finance
4. SUPPORTING BUSINESS PROCESS — nonoperational parts of the value chain
13. JUST-IN-TIME — seeks to minimize or totally eliminate inventories.
14. INFORMATION CENTER — a support facility for the computer users in an organization.
17. EXECUTIVE INFORMATION SYSTEM — an MIS tailored to the strategic information needs of top management.
19. DECISION SUPPORT SYSTEM — data are processed into a decision-making format for the end user.
20. EXPERT SYSTEM — a type of knowledge-based information system
21. EXTENSIBLE BUSINESS REPORTING LANGUAGE — a universal formatting language for exchanging business documents via the Internet.
Accounting Information Systems: An Overview 1
13
23. MANUFACTURING RESOURCE PLANNING II — management of inventories and production and integration with the financial accounting system 24. ACCOUNTING INFORMATION SYSTEM — transforms data 25. CUSTOMER RELATION MANAGEMENT — manages contacts with customers. 27. BLUEPRINTING — customizing pre-packaged software 30. PRIMARY BUSINESS PROCESS — inbound logistics, outbound logistics, operations, marketing, and service. 31. INFORMATION SYSTEM FUNCTION — responsible for data processing (DP) 33. EXPENDITURE CYCLE — the acquisition of goods and services 35. REVENUE CYCLE — events related to the distribution of goods and services to other entities 36. ENTERPRISE APPLICATION SUITE — a group of software programs that work closely with each other and run in web browsers 38. APPLICATIONS ARCHITECTURE — the organization’s composite application 39. COLLABORATIVE COMMERCE — a feature of ERP II 40. GREEN INFORMATION TECHNOLOGY — uses virtualization, for example, to achieve its ends 41. EXTENDED ENTERPRISE — a group of loosely-connected companies that work together to maximize the value of their economic outputs. 43. OPERATIONS FUNCTION — charged with data preparation, operation of the data processing equipment, and system maintenance. 44. FUNCTIONAL MIS SUBSYSTEMS — specialized information systems 46. FINANCIAL REPORTING CYCLE — obtains accounting and operating data from the other cycles 47. END-USER COMPUTING — the direct, hands-on use of computers by end users to perform their own data processing. 48. USER SUPPORT FUNCTION — services end users 49. APPLICATION SYSTEM — processes logically related transactions 50. BUSINESS PROCESS — interrelated set of tasks 51. LEAN MANUFACTURING — its principles involve eliminating waste and smoothing and balancing production flows.
Chapter 2 SYSTEMS TECHNIQUES AND DOCUMENTATION

TEACHING TIPS
I normally introduce flowcharting symbols with simple examples on the board. I first introduce a very simple manual flowchart involving only three symbols. An example would be the preparation of a sales order. This would show a customer order coming into the process and a completed sales order coming out. Then I mention how computer symbols could be added.

From experience I have discovered that the single most important thing for students to learn in analytical flowcharting is the sandwich rule. About 90% of all mistakes seem to involve a violation of this rule. The second largest problem involves separating various functions (e.g., sales, credit, shipping, and so on) into columns. I've discovered students all seem to do about the same when I place complicated flowcharting problems on exams. For this reason, I now ask mostly short answer questions about flowcharting on exams.

I've found it important to emphasize the distinction between the types of documentation tools used by systems developers and auditors. With logical data flow diagrams (DFD) it's interesting to discuss how developers go from an existing system to a new system. They begin with an existing analytical flowchart, turn it into a DFD, modify the DFD, and then generate a new analytical flowchart.

It's worth taking some time to discuss BPMN, as it is used in Chapters 7-9 to document the basic transaction cycles.

USERS OF SYSTEMS TECHNIQUES
Systems techniques are tools used in the analysis, design, and documentation of system and subsystem relationships. They are used by accountants who do systems work, either internally for their company or externally as consultants or auditors. Most auditing engagements are divided into two basic components: the interim audit, which involves internal control evaluation, and the financial statement audit, which involves substantive testing. Substantive testing is the direct verification of financial statement figures, placing such reliance on internal control as the results of the interim audit warrant.

Internal Control Evaluation. Analytic flowcharts, document flowcharts, and forms distribution charts may be used by auditors to analyze the distribution of documents in a system. Several other systems techniques, such as questionnaires and matrix methods, might also be used in the evaluation of internal controls.

Compliance Testing. Auditors undertake compliance testing to confirm the existence, assess the effectiveness, and check the continuity of operation of internal controls on which reliance is to be placed.

Working Papers. Working papers are the records kept by an auditor of the procedures and tests applied, the information obtained, and conclusions drawn during an audit engagement. Auditors use systems techniques to document and analyze the content of working papers. Internal control questionnaires, analytic flowcharts, and system flowcharts appear frequently in working papers because they are commonly used by auditors in the evaluation of internal controls. Data flow diagrams, HIPO charts, program flowcharts, branching and decision tables, and matrix methods might appear in working papers if they are part of the documentation of a system that is being reviewed.

Use of Systems Techniques in Systems Development
A systems development project generally consists of three phases: systems analysis, systems design, and systems implementation.

Systems Analysis. Logical data flow diagrams and analytic flowcharts are helpful in giving an overall picture with regard to transaction processing within the organization.

Systems Design. Systems design formulates a blueprint for a completed system.

Systems Implementation. Systems implementation involves the actual carrying out of the design plan.

Use of Systems Techniques by Sarbanes-Oxley Act Compliance Participants
System documentation is the underpinning support of the internal control and process documentation requirements that have been set by the Sarbanes-Oxley Act (SOX).

SYSTEMS TECHNIQUES
Flowcharts are probably the most common systems technique. A flowchart is a symbolic diagram that shows the data flow and sequence of operations in a system.

Flowcharting Symbols. The basic symbols include the input/output symbol, the process symbol, the flowline symbol, and the annotation (comment) symbol. The flowline symbol is used to link other symbols. Specialized input/output symbols may represent the I/O function and, in addition, denote the medium on which the information is recorded, or the manner of handling the information, or both. If no special symbol exists, the basic I/O symbol is used. Specialized process symbols represent the processing function and, in addition, identify the specific type of operation to be performed on the information. If no specialized symbol exists, the basic process symbol is used. The additional symbols are used to clarify a flowchart or to make the flowcharting of a complete process more convenient.

Symbol Use in Flowcharting
The normal direction of flow is from left to right and top to bottom.

IPO and HIPO Charts
IPO and HIPO charts are used primarily by systems development personnel. A HIPO chart contains two segments: the hierarchy chart that factors the processing task into various modules or subtasks and an IPO chart to describe the input-process-output requirements of each module. The hierarchy chart describes the overall system and provides a "table of contents" to the detailed IPO charts, usually through a numbering scheme.

Systems and Program Flowcharts
Systems flowcharts are associated with the analysis phase of a systems project and program flowcharts with the design phase. A program flowchart is the design step between overall system design and coding the system for computer processing. A systems flowchart identifies the overall or broad flow of operations in a system. A program flowchart (also called a block flowchart) is more detailed concerning individual processing functions than a systems flowchart. Each of the processing functions depicted in a systems flowchart is further detailed in a program flowchart, similar to the successive layering of IPO charts in HIPO.

Logical Data Flow Diagrams
Logical data flow diagrams or data flow diagrams (both abbreviated as DFD) are used by systems analysts to document the logical design of a system to satisfy the user's request. There are four DFD symbols. The terminator is used to indicate a source or a destination of data. The process indicates a process that transforms data. The data store is used to indicate a store of data. The data flow is used to indicate a flow of data. Although these terms and symbols are representative, many variations exist.

Structured Analysis. DFDs are typically shown in layers of increasing detail, with the DFDs in the different layers linked to each other.

Analytic, Document, and Forms Distribution Flowcharts
Analytic flowcharts, document flowcharts, and forms distribution charts may be used to analyze the distribution of documents in a system. An analytic flowchart identifies all significant processing in an application, emphasizing processing tasks that apply controls. A document flowchart is similar in format to an analytic flowchart but contains less detail about the processing functions. A forms distribution chart illustrates the distribution of multiple-copy forms within an organization.

Analytic Flowcharting Illustration
Planning the Flowchart. Flow is from top to bottom and left to right.
Symbol Selection. For a manual system, only a few symbols are needed; symbols for documents, files, and processes are the most commonly used.
System Analysis. One must first understand the system to be flowcharted.

Drawing the Flowchart
Sandwich Rule. Every process symbol should have its inputs and outputs clearly specified.
Use of Connector Symbol. This symbol is used to terminate the flowchart and then continue it on another page or in a different column.
Entity-Column Relations. Columns in the flowchart typically represent individuals or departments. This is something that beginners often have difficulty with.

Unified Modeling Language (UML)
UML is a technology that assists in the specification, visualization, and documentation of models developed to structure and design software systems. UML uses a variety of graphical techniques to model different aspects and views of software development projects at various levels of abstraction. In addition to techniques used to model the specifics of software development, UML includes techniques that are the functional equivalent of data flow diagrams, document flowcharting, and analytical flowcharting. UML version 2.0 defines thirteen types of diagrams, divided into three categories: structure diagrams, behavior diagrams, and interaction diagrams. When used to model business processes, the graphical techniques used in UML to prepare activity diagrams can result in diagrams that are very similar to analytic flowcharts.

Business Process Diagrams
The Business Process Diagram (BPD) is a graphical representation of a business process. It focuses on the sequence of activities that constitute a business process, and also on the related business logic that guides that sequence of activities. It differs from the analytical flowchart in that the analytical flowchart tends to focus more on the physical representation of the business process. It differs from the data flow diagram in that the data flow diagram is not capable of depicting complex business logic. It differs from UML but shares many concepts and constructs with UML.

Narrative Techniques
Interviews are useful for familiarizing the analyst with decision makers and their problems. Depth interviews allow the systems analyst to establish a personal working relationship with the manager. Open-ended questionnaires are a fact-gathering technique in which persons provide written answers to general, rather than specific, questions. Narrative techniques also include document reviews.

Resource Utilization Analysis
Flowcharts do not show the resources required to operate the system. Such resources must be considered by both the auditor and systems personnel.

Work Measurement
Work measurement includes the variety of techniques used to model, measure, or estimate clerical or other activities in a production framework. In an accounting framework, work measurement is similar to the concept employed in standard cost systems.

Work Distribution Analysis
Work distribution analysis studies the assignment of specific tasks to employees. A task list is typically used to record each separate item of work performed by an individual and the average number of hours spent on each task per week.

Decision Analysis Techniques
Branching and decision tables are used primarily by systems development personnel. Often the decision logic required in a computer program is sufficiently complex to mitigate the usefulness of the standard decision flowcharting symbol. In such cases, a branching table may be used to depict a decision function. A decision table is a tabular representation of a decision-making process. It is similar to a branching table but more complex in that it incorporates multiple decision criteria. Decision tables are constructed on an IF-THEN premise and appear as a two-dimensional matrix in general form.

Matrix Methods. Matrix methods are used by both auditors and systems personnel to present large volumes of data. The "work" or "spread" sheets used in accounting systems to spread or distribute account balances through different sub-classifications or to facilitate the closing process are common examples of matrix techniques.

Software for Systems Techniques
A variety of software tools can be used to create flowcharts and other graphical systems techniques.

Microsoft Office® Applications. Microsoft Visio® is a Microsoft Office® application that is targeted at the creation of flowcharts and other graphical diagrams. Microsoft PowerPoint® is a general presentation tool that contains specific drawing features that may be used to create flowcharts and other graphical diagrams. These same drawing tools are also available in both Microsoft Word® and Microsoft Excel®, allowing either of these general software applications to be used to prepare graphical diagrams and flowcharts.

Computer-Aided Software Engineering (CASE). Computer-aided software engineering (CASE) is the process of using computer software technology that supports an automated engineering discipline for software development and maintenance.

UML Modeling Tools. A variety of software tools to draw UML charts are available from vendors. Professional UML software is similar to CASE in its objectives and its potential
benefits in that it integrates UML charts with other aspects of systems development, such as database design and code generation.

REVIEW QUESTIONS
1. A flowchart is a symbolic diagram that shows the data flow and sequence of operations in a system.
2. The basic symbols include the input/output symbol, the process symbol, the flowline symbol, and the annotation (comment) symbol.
3. Flowchart symbols represent the physical aspect of a system.
4. An IPO chart provides very little detail concerning a processing function but is a useful technique for analyzing overall information requirements. Additional processing detail is provided by HIPO charts. A HIPO consists of a series of charts that represent systems at increasing levels of detail, where the level of detail depends on the needs of users.
5. An analytic flowchart is similar to a systems flowchart in level of detail and technique, but is organized by columns.
6. A logical data flow diagram can be used to document the logical aspect of a system.
7. Auditors use analytic flowcharts in the evaluation of internal controls.
8. Organization of the chart by columns is common to analytic, document, and forms distribution charts.
9. There are four symbols. The terminator is used to indicate a source or a destination of data. The process indicates a process that transforms data. The data store is used to indicate a store of data. The data flow is used to indicate a flow of data.
10. No, flowcharting is not useful in analyzing the resources required to implement a system.
11. Work measurement is useful in evaluating the technical feasibility or technical requirements of a system design.
12. A work distribution analysis requires detailed information about functions and responsibilities. A task list is used to record each separate item of work performed by an individual and the average number of hours spent on each task per week. Each employee (or department, and so on) is represented by a column; the work assignments are spread across the table to employees. The method of assignment should be rational; that is, employee qualifications, internal control, scheduling, timing of events, and so forth should be considered.
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS

13. - 18. Multiple-Choice (CPA) Varies
13. B
14. C
15. D
16. D
17. C
18. C

19. Systems Design - 30 minutes Hard
This problem provides an opportunity for the student to appreciate the data processing requirements of transactional data. Many students will not appreciate the amount of effort necessary to manually develop the 21 desired subtotals. There are a variety of solutions, including going through the initial batch 21 times for 21 subtotals. The data processing steps required (and overall efficiency) depend on the approach taken. Experience has shown that many student-generated solutions are not effective: examined in detail they fail to generate the 21 subtotals. A suggested solution is as follows:
(1) Sort the batch of invoices into 2 piles: invoices showing only product 1 sales and those invoices with product 2 and/or 3 sales.
(2) Sort the pile of invoices containing only product 1 sales by customer. Calculate daily sales totals for each customer. Calculate the grand total. Post (transcribe) these subtotals to the worksheet.
(3) Sort the pile of invoices with product lines 2 and/or 3 sales by customer. Either go through each customer pile twice, calculating each required subtotal; go through each pile once, accumulating two subtotals concurrently (this is not possible using a single calculator or with a single adding machine as two totals are being accumulated); or re-sort each pile into 3 piles: product 2 only, product 3 only, and mixed. Calculate subtotals for each customer and transcribe to the worksheets. (Note: the mixed invoices have to be examined when calculating both line 2 and line 3 subtotals.)
20. Analytic Flowchart; Data Flow Diagram - 45 minutes Medium
a. analytic flowchart
b. data flow diagram
21. Use of Systems Techniques - 10 minutes Easy
It is not uncommon to have to deal with difficult clients. If things are really difficult you can simply withdraw from the engagement. But if you are billing her by the hour, then you can politely remind her that she can save herself a lot of money by facilitating your work in a way that will permit you to finish at the earliest possible date. There is also the option of bypassing Marjorie Renwald and working directly with her two employees. As far as systems techniques go, the usual ones will be needed: narratives, questionnaires, flowcharts, and internal control summaries.

22. Data Flow Diagram - 10 minutes Easy
1. No source is indicated for the user ID.
2. There are two unlabeled flowlines in the diagram.
3. A direct access storage device symbol, which represents a physical storage medium, is used to represent the valid ID data in the diagram.

23. Flowchart Symbols; Technique - 30 minutes Medium
(a) CPA Examination, Unofficial Answer
1. Time cards.
2. Prepare batch-control slips.
3. Batch-control slips (the numbers 1 and 2 should be added to indicate first and second copy).
4. Time cards.
5. Input.
6. Batch-control slip (the number 1 should be added to indicate first copy).
7. Time cards.
8. By batch.
9. Payroll transaction file.
10. Sort by employee number within batch.
11. Master employee file.
12. Edit and compare batch total hours and number of employees.
13. Batch listing and exception report.
14. Payroll transaction file.
15. Exceptions noted: a. Unbalanced batch b. Invalid employee number
16. Resolve differences.
(b) Advantages of a flowchart:
1. It insures a more comprehensive survey since incomplete information is more evident when it is being recorded on flowcharts.
2. It is readily tailored to a specific client system.
3. It enables the system to be more quickly understood by the audit staff since the information is presented in a concise, graphic manner which is easy to comprehend and visualize.
4. It creates more interest on the part of the audit staff because they can better appreciate the functioning of the system and hence the reasons for tests.
5. It produces more valuable and realistic recommendations to clients on internal controls and system efficiency because of increased awareness of accounting systems, relationships, and document flows.
6. It emphasizes those areas of the internal control system (and related accounts) which require more or less attention and therefore assists in better use of audit time.
7. It increases client goodwill because new audit staff members usually require less time for system orientation, and interference with the client's staff is kept to a minimum.
24. Analytic Flowchart - 30 minutes Medium

25. Analytic Flowchart - 30 minutes Medium

26. Analytic Flowchart - 30 minutes Medium

27. Analytic Flowchart - 1 Hour Hard
28. Analytic Flowchart Symbols - 15 minutes Medium
CPA Examination, Unofficial Answer
Flowchart Symbol Letter: Internal Control Procedure or Internal Document
c. Approve customer credit and terms.
d. Release merchandise to shipping department.
e. File by sales order number.
f. File pending receipt of merchandise.
g. Prepare bill of lading.
h. Copy of bill of lading to customer.
i. Ship merchandise to customer.
j. File by sales order number.
k. Customer purchase order and sales order.
l. File pending notice of shipment.
m. Prepare three-part sales invoice.
n. Copy of invoice to customer.
o. Post to (or enter in) sales journal.
p. Account for numerical sequence.
q. Post to customer accounts.
r. File (by payment due date).
29. Analytic Flowchart Symbols - 15 minutes Medium
CPA Examination, Unofficial Answer
A. Prepare purchase order
B. To Vendor
C. Prepare receiving report
D. From Purchasing
E. From Receiving
F. Purchase order No. 5
G. Receiving report No. 1
H. Prepare and approve voucher
I. Unpaid voucher file, filed by due date
J. Treasurer
K. Sign checks and cancel voucher package documents
L. Canceled voucher package

30. Decision Table - 30 minutes Medium
a. Limited Entry (a "-" condition entry means the condition is not tested in that rule; numbers give the order of the actions)

Rule                      1    2    3    4
Approved credit           N    Y    Y    Y
Order < 25 units          -    Y    N    N
Order is 26-50 units      -    -    Y    N
Reject order              1
Approve order                  1    1    1
5% discount                         2
10% discount                             2

b. Extended Entry

Rule                      1    2      3      4
Approved credit           N    Y      Y      Y
Quantity ordered          -    0-25   26-55  >56
% discount                -    0      5      10
Accept order              -    x      x      x
Reject order              x    -      -      -

31. Decision Table - 30 minutes Medium
a. Limited Entry

Rule                                1    2    3
Is purchase less than $50           Y    N    N
Is purchase between $50 and $100    -    Y    N
Is purchase over $100               -    -    Y
Approve with no action              x
Give authorization number                x    x
Place hold on account                         x

b. Extended Entry

Rule                        1               2                      3
Is purchase                 less than $50   between $50 and $100   above $100
Approve with no action      x
Give authorization number                   x                      x
Place hold on account                                              x

32. Work Measurement - 15 minutes Medium
Standard time/check = (480 + 20 + 20) minutes / 570 checks = .912 minutes/check
Rest/delay/check = (20 + 20) minutes / 570 checks = .070 minutes/check
Rest/delay percentage = .070/.912 = 7.68%
While the above calculations are straightforward, the instructor might wish to expand on some complexities related to the above type of calculations in actual practice, such as ensuring valid and accurate sample sizes, ensuring realistic test conditions, ensuring accurate count of rest and delay times, and the usefulness of such averages in general.
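Problems 30 and 31 above show the IF-THEN matrix form of a decision table. The following is an added example, not from the textbook or its solutions manual, that encodes both limited-entry tables as data and evaluates them in code. It goes beyond the problems in one respect: check_table() enumerates every Y/N combination of the conditions to find cases that no rule covers and cases that two rules claim, the two defects a rule matrix should be free of before it is relied on as a control. The order_case and purchase_case helpers and the sample orders are our own constructions.

```python
"""Limited-entry decision table evaluator (added example for problems 30 and 31).

A table is a list of rules. Each rule maps condition names to 'Y', 'N' or '-'
(not tested in this rule) and lists its actions in order. A case is a dict of
condition name -> bool. evaluate() returns the actions of the first rule whose
entries all match; check_table() reports uncovered and ambiguous cases.
"""
from itertools import product

# Problem 30(a), transcribed from the limited-entry table above.
ORDER_CONDITIONS = ["approved credit", "order < 25 units", "order is 26-50 units"]
ORDER_RULES = [
    ({"approved credit": "N", "order < 25 units": "-", "order is 26-50 units": "-"},
     ["reject order"]),
    ({"approved credit": "Y", "order < 25 units": "Y", "order is 26-50 units": "-"},
     ["approve order"]),
    ({"approved credit": "Y", "order < 25 units": "N", "order is 26-50 units": "Y"},
     ["approve order", "5% discount"]),
    ({"approved credit": "Y", "order < 25 units": "N", "order is 26-50 units": "N"},
     ["approve order", "10% discount"]),
]

# Problem 31(a), transcribed from the limited-entry table above.
PURCHASE_CONDITIONS = ["purchase < $50", "purchase $50-$100", "purchase > $100"]
PURCHASE_RULES = [
    ({"purchase < $50": "Y", "purchase $50-$100": "-", "purchase > $100": "-"},
     ["approve with no action"]),
    ({"purchase < $50": "N", "purchase $50-$100": "Y", "purchase > $100": "-"},
     ["give authorization number"]),
    ({"purchase < $50": "N", "purchase $50-$100": "N", "purchase > $100": "Y"},
     ["give authorization number", "place hold on account"]),
]


def rule_matches(rule, case):
    """True when every tested entry of the rule agrees with the case."""
    conditions, _ = rule
    for name, entry in conditions.items():
        if entry == "-":
            continue
        if case[name] != (entry == "Y"):
            return False
    return True


def evaluate(rules, case):
    """Return the action list of the first matching rule, or [] if none matches."""
    for rule in rules:
        if rule_matches(rule, case):
            return list(rule[1])
    return []


def check_table(rules, condition_names):
    """Enumerate every Y/N combination; return (uncovered cases, ambiguous cases).

    An ambiguous case is one that more than one rule matches; it is reported
    with the 1-based rule numbers that claim it.
    """
    uncovered, ambiguous = [], []
    for values in product([True, False], repeat=len(condition_names)):
        case = dict(zip(condition_names, values))
        hits = [i + 1 for i, rule in enumerate(rules) if rule_matches(rule, case)]
        if not hits:
            uncovered.append(case)
        elif len(hits) > 1:
            ambiguous.append((case, hits))
    return uncovered, ambiguous


def order_case(credit_ok, quantity):
    """Translate an order (constructed helper) into the conditions of problem 30(a)."""
    return {"approved credit": credit_ok,
            "order < 25 units": quantity < 25,
            "order is 26-50 units": 26 <= quantity <= 50}


def purchase_case(amount):
    """Translate a purchase amount (constructed helper) into the conditions of 31(a)."""
    return {"purchase < $50": amount < 50,
            "purchase $50-$100": 50 <= amount <= 100,
            "purchase > $100": amount > 100}


if __name__ == "__main__":
    for credit_ok, qty in [(False, 10), (True, 10), (True, 30), (True, 75)]:
        print(credit_ok, qty, evaluate(ORDER_RULES, order_case(credit_ok, qty)))
    print("30(a) check:", check_table(ORDER_RULES, ORDER_CONDITIONS))
    print("31(a) check:", check_table(PURCHASE_RULES, PURCHASE_CONDITIONS))
```

Run against problem 30(a) the check reports nothing. Against 31(a) it reports one uncovered combination, all three conditions N, which cannot occur for a real purchase amount because the three ranges are exhaustive; the table is complete only because of that mutual exclusion, which is exactly what the check makes visible. Note also that with the conditions exactly as written ("< 25" and "26-50"), an order of 25 units answers N to both quantity conditions and falls to rule 4.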
33. Analytic Flowchart - 1 Hour Medium

34. Program Flowchart - 30 minutes Medium

35. Program Flowchart - 30 minutes Medium

36. Identify Flowchart Symbols - 25 minutes Easy
Symbol names, top row first, left to right: Process, Alternate Process, Decision, Data, Predefined Process, Internal Storage, Document, Multidocument, Terminator, Preparation, Manual Input, Manual Operation, Connector, Off-page Connector, Card, Tape, Summing Junction, Or, Collate, Sort, Extract, Merge, Stored Data, Delay, Sequential Access Storage, Magnetic Disk, Direct Access Storage, Display.

37. Prepare Flowcharts Using Microsoft Office Flowchart Symbols - Varies
The solutions to the problem are the flowcharts in the textbook that the student is expected to reproduce using Microsoft Office flowchart symbols. These are Figure 2.17, Figure 2.18, and Figure 4.7. Figure 2.17 has 6 symbols and would not take very long to reproduce. The other two figures would take much more time, as Figure 2.18 has 29 symbols in three columns and Figure 4.7 has 18 symbols in three columns.

WEB RESEARCH ASSIGNMENTS
38. Both SmartDraw and Visual-Paradigm Visual Architect support BPMN. Visual-Paradigm Visual Architect, however, is part of a fairly strong suite of visual development tools, whereas SmartDraw is a generic drawing program.

39. The UML standard incorporates 13 different types of diagrams. One of those types, the Activity Diagram, is very similar to the BPMN diagram. BPMN has the specific advantage of being able to convert directly into program code using a Business Process Execution Language (BPEL). Otherwise, UML provides a much more comprehensive way to document information systems.

40. In recent CPA exams, the candidate has been called on to interpret analytic flowcharts in dealing with case-type questions.

41. Crossword - see next page
Chapter 3 eBUSINESS and eCOMMERCE
TEACHING TIPS
Many of the concepts in this chapter can be demonstrated in the computer lab. Ambitious instructors may want to assign students one of several projects:
1. Develop all or part of a commercial Web site. They might model their Web site after one already available on the Internet, such as www.barnesandnobles.com.
2. Develop a simple database using Microsoft Access or another product.
3. Design the enterprise architecture for a local business.
4. Set up a shopping cart program, such as osCommerce.

INTRODUCTION: ELECTRONIC BUSINESS AND ELECTRONIC COMMERCE
Electronic business (eBusiness) refers to the use of information technologies in any aspect of the business or organization. eCommerce is the use of information technologies in the exchange of products and services among organizations and individuals. Web Commerce involves using information technologies in the exchange of products and services among individuals and organizations over the World Wide Web and the Internet. Web Commerce is a type of eCommerce, and eCommerce is a type of eBusiness.

Electronic Networks
Electronic networks are groups of computers that are connected together electronically. There are 3 categories of networks: LAN, MAN, and WAN.

The Internet. The Internet is an electronic highway, consisting of various standards and protocols, that allows computers everywhere to communicate with each other. The Internet has no central command and control structure, and it operates more or less under the principle of anarchy. IP addresses specify the location of a computer on the Internet. Fixed IP addresses are permanently assigned, and dynamic IP addresses are temporarily assigned. The domain name is simply an alias name that can be used in place of the IP number.

Intranets and Extranets: Intranets are in-house networks that use Internet-type protocols. Extranets exist when the intranets of two or more companies are linked together, or when outsiders are able to access a company's private intranet.

Intranet Security Issues: Firewalls limit access to servers from the rest of the world. Proxy servers are typically used on the inside of a firewall and serve as filters for all outgoing requests for information.

Clients and Servers
Client-Server Technology: A server is a robot-type program that constantly runs on some computer and exchanges information with users who request it. Users' programs that access and exchange information with servers are called clients. Server environments provide several benefits: servers don't get paid by the hour and don't require fringe benefits; servers can, in some cases, deal with hundreds or even thousands of users (clients) at one time; servers can be accessed at any time of day, anywhere in the world, with no per-minute communication charges.

Types of servers:
o mail servers are electronic post offices
o file servers are for exchanging files
o Web servers are for World Wide Web transactions
o commerce servers are for business transactions
o application servers and database servers make applications and data in databases available to remote clients.

E-BUSINESS AND ENTERPRISE ARCHITECTURE
The evolution of enterprise applications architecture has involved not only changes in its structure but also a steady incorporation of major innovations in many disciplines: software engineering, accounting and reporting (e.g., lean accounting), management science (e.g., logistics and production management), technology (e.g., networking and the Internet), and even general management (with new business models such as the Internet business and the extended enterprise). The result is that AIS application architecture is built on concepts from many disciplines.

Enterprise Architecture involves four enterprise architectural domains (i.e., broad views of the enterprise).

The Business Architecture. The business architecture defines the human resources, processes, and infrastructure that a business needs to accomplish its business strategy. The business architecture is the primary architecture in the sense that the data, application, and technology architectures are all structured to support the business structure.

The Data Architecture. The data architecture defines the needed data, how it is to be stored, how it is to be processed, how it is to be utilized, and how it integrates with the other main architectural domains. The primary concept in data architecture is the database. The Corporate Information Factory provides a logical architecture for the enterprise information system.
38 3 eBusiness and eCommerce
The architecture is based on data being acquired from business operations, transformed to support business management and business intelligence, and then delivered to management. The Applications Architecture. The applications architecture defines the applications needed to run the business and how the applications communicate with each other through intranets (to communicate with insiders), extranets (to communicate with outsiders), and Electronic Data Interchange (EDI). Service Oriented Architecture (SOA) is an applications architecture design framework that facilitates the development of application suites (groups of different applications that share information with each other using some common communications framework). SOA services are independent software units of functionality. The major Enterprise Application Suites integrate their applications using service-oriented architecture. Middleware refers to software that serves as a go-between for two applications, enabling communications between them that would otherwise be impossible. The Enterprise Service Bus (ESB) is middleware that serves as a central switchboard for communications between all enterprise services and applications. The ESB serves as a universal translator between services and applications in the organization. The Technical Architecture. The technical architecture describes the structure and behavior of the IT infrastructure and defines standards, principles, procedures, and best practices to govern the IT architecture. Its scope includes, for example, hardware, hardware configuration, the network, network protocols, and software. The main function of the technical architecture is to support the business, data, and application architectures. Enterprise Architecture Frameworks Various frameworks have been published that define systems for transforming (i.e., developing) enterprise architectures. The Zachman Framework is based on defining models applicable to a given organization. The models are defined by answering 6 basic questions (What, How, Where, Who, When, and Why) in relation to each of 6 stakeholder groups (Planner, Owner, Designer, Builder, Implementer, and Worker). Carefully documenting each question-stakeholder combination leads to a complete understanding of the company, and hence of its enterprise architecture. Various other frameworks exist. Business Process Frameworks And Reference Models Business process frameworks focus on transforming business processes (i.e., making them better). A business process reference model is a set of best practices for a given business process or group of processes. Value Chain Frameworks. eBusiness can be viewed in terms of using information technology in support of value chain activities. The value chain refers to a series of activities that add value to the product. The 5 primary value chain activities include inbound logistics, outbound logistics, manufacturing, marketing, and sales and service. Supply Chain Frameworks. The activities that relate to moving the product (inbound logistics, outbound logistics, procurement, manufacturing, and sales and service) are often referred to as supply-chain activities. The science of optimizing supply-chain activities is referred to as supply chain management. Coordinating and optimizing the many supply-chain processes is nearly an impossible task without sophisticated software.
EAS and ERP systems support all specific aspects of the value chain and information system, as well as all forms of eCommerce and web commerce. E-Business Architectures A given e-Business can be viewed as a particular enterprise architecture; that is, a given set of specifications for the four architectural domains. These specifications will in turn depend on the enterprise's business model and related strategies. The Osterwalder Reference Model defines the typical business model in terms of 4 major domains: infrastructure, offering, customers, and finance, all of which have a major impact on the extent to which a given organization engages in eBusiness. E-COMMERCE TECHNOLOGIES Encryption involves using a password or digital key to scramble a readable (plaintext) message into an unreadable (ciphertext) message. Types of Encryption Systems Secret Key Encryption: the same key is used for both encrypting and decrypting a message, so the key itself must somehow be delivered to the other party in secret.
Public Key Encryption: two mathematically related keys are used in association with each encrypted message, one key to encrypt the message and the other to decrypt it. Hybrid Systems and Digital Envelopes: both public key and secret key encryption are used; the message is encrypted with a fresh secret (session) key, and that key is encrypted with the recipient's public key and sent along with the message as a digital envelope. Digital Signatures: a digital signature is produced when someone encrypts a message with their own private key, so that anyone holding the matching public key can verify it. In practice, digital signatures are applied to message digests rather than to the messages themselves. Message digests are created by hashing functions. The Legality of Digital Signatures: all parties may agree to be bound by their digital signatures. Digital Time-Stamping: a digital time-stamping service (DTS) adds digital timestamps to documents. SECURITY ISSUES FOR PUBLIC KEY ENCRYPTION SYSTEMS Cryptanalysis involves techniques for analyzing encrypted messages for the purpose of decoding them without legitimate access to the keys. The simplest possible attack on a message encrypted with public key encryption is the guessed plaintext attack: because the encryption key is public, an attacker can encrypt candidate plaintexts and compare the results with the intercepted ciphertext. Factoring Attacks: for RSA, the private key can be deduced by factoring the public modulus into its two prime factors, which is why key length matters. Key attacks: most attacks against public key systems are likely to be made at the key management level. Key Management Creating and Distributing Keys. Each user should create his or her own public and private keys. Verification of Public Keys through Digital Certificates: Digital Certificates (or digital IDs) are digital documents that attest to the fact that a particular public key belongs to a particular individual or organization. Digital certificates are issued by some certifying authority (CA). The CA creates a digital certificate by digitally signing a document that includes the name of the person being certified, that person's public key, the name of the CA, the expiration date of the key being certified, and the expiration date of the certificate. Certificate Revocation Lists (CRL). A certificate revocation list (CRL) is a list of certificates (identified by their serial numbers) that have been revoked before their expiration dates; a verifier must consult it, because a revoked certificate still carries a valid CA signature.
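The program below is an added illustration, not code from the textbook or its solutions manual, of the mechanics summarized in this section and of the key-management points that follow it: public and private keys, a signature applied to a message digest, a digital envelope, a certificate chain checked against expiration dates and a CRL, and the factoring attack on a modulus small enough to factor by hand. It uses textbook RSA with no padding, Mersenne primes as stand-in keys, a hash-based keystream as the secret-key cipher, and a JSON dictionary as the certificate format; those choices, and the organization names, serial numbers and dates, are assumptions made for the example and must not be copied into a real system.

```python
import hashlib, json, secrets

# Mersenne primes stand in for randomly generated primes so the example runs offline (an
# assumption of this example); real keys use random primes of at least 1024 bits each.
M89, M107, M127, M521, M607, M1279 = (2**k - 1 for k in (89, 107, 127, 521, 607, 1279))

def keygen(p, q, e=65537):
    """Return ((n, e), (n, d)); in production d would live only inside a CSU/HSM."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data):
    """Fixed-length message digest: signatures are applied to this, not to the message."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(digest(data) % n, d, n)          # "encrypt the digest with the private key"

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data) % n   # anyone with the public key can check it

def keystream_xor(key, data):
    """Toy secret-key cipher (SHA-256 in counter mode) standing in for AES inside the envelope."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(recipient_pub, plaintext):
    """Digital envelope: a fresh session key encrypts the body, the public key wraps that key."""
    n, e = recipient_pub
    session = secrets.token_bytes(32)
    return pow(int.from_bytes(session, "big"), e, n), keystream_xor(session, plaintext)

def open_envelope(recipient_priv, envelope):
    n, d = recipient_priv
    wrapped_key, body = envelope
    return keystream_xor(pow(wrapped_key, d, n).to_bytes(32, "big"), body)

def cert_bytes(cert):
    """Canonical bytes the issuer signs: everything in the certificate except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def make_cert(subject, subject_pub, issuer, issuer_priv, serial, not_after):
    body = {"subject": subject, "pub": list(subject_pub), "issuer": issuer,
            "serial": serial, "not_after": not_after}
    return {**body, "sig": sign(issuer_priv, cert_bytes(body))}

def verify_chain(chain, trusted_roots, crl, today):
    """chain = [leaf, ..., root]; each link must be unexpired, off the CRL and signed by the next."""
    for i, cert in enumerate(chain):
        if today > cert["not_after"]:
            return False, f"{cert['subject']}: expired"
        if cert["serial"] in crl:
            return False, f"{cert['subject']}: revoked"
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if issuer["subject"] != cert["issuer"]:
                return False, f"{cert['subject']}: issuer mismatch"
            issuer_pub = tuple(issuer["pub"])
        elif cert["subject"] in trusted_roots:     # a self-signed root must be a known trust anchor
            issuer_pub = trusted_roots[cert["subject"]]
        else:
            return False, f"{cert['subject']}: untrusted root"
        if not verify(issuer_pub, cert_bytes(cert), cert["sig"]):
            return False, f"{cert['subject']}: bad signature"
    return True, "ok"

def factor_attack(pub):
    """Recover the private key of a toy modulus by trial division: why key length matters."""
    n, e = pub
    p = next(x for x in range(2, int(n ** 0.5) + 1) if n % x == 0)
    return n, pow(e, -1, (p - 1) * (n // p - 1))

def demo(today="2025-06-01"):
    """Company -> Treasury -> Purchasing chain; names, serials and dates are assumptions."""
    root_pub, root_priv = keygen(M127, M521)
    treas_pub, treas_priv = keygen(M107, M607)
    purch_pub, purch_priv = keygen(M89, M1279)
    root = make_cert("Company", root_pub, "Company", root_priv, 1, "2030-01-01")
    treas = make_cert("Treasury", treas_pub, "Company", root_priv, 2, "2028-01-01")
    purch = make_cert("Purchasing", purch_pub, "Treasury", treas_priv, 3, "2027-01-01")
    chain, roots = [purch, treas, root], {"Company": root_pub}
    order = b"PO-1001: 500 units from Vendor X"   # constructed sample purchase order
    sig = sign(purch_priv, order)
    return {
        "order_valid": verify(purch_pub, order, sig),
        "tampered_valid": verify(purch_pub, order + b"0", sig),
        "chain_ok": verify_chain(chain, roots, crl=set(), today=today),
        "after_revocation": verify_chain(chain, roots, crl={3}, today=today),
        "after_expiry": verify_chain(chain, roots, crl=set(), today="2027-06-01"),
        "envelope_roundtrip": open_envelope(treas_priv, seal(treas_pub, order)) == order,
        "toy_private_key": factor_attack((3233, 17)),   # 3233 = 53 * 61, so d = 2753
    }

if __name__ == "__main__":
    print(demo())
```

Running it shows each point of the section in turn: the purchase order verifies under the purchasing department's public key and fails after a one-byte change; the chain verifies until serial 3 is placed on the CRL or the date passes the leaf's expiration; the envelope round-trips through the treasury key; and trial division recovers the private exponent 2753 of the 12-bit modulus 3233 instantly, which is the factoring attack at a size a classroom can see. A certificate whose self-signed root is not among the trusted anchors is rejected even though its signature is internally consistent, which is the point of answer 9's advice to exchange certificates rather than bare public keys.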
Certificate Chains: certificates can be linked together in chains, each certificate being signed by the issuer whose own certificate is the next link, up to a root CA that the verifier trusts directly. Certificate Signing Units: tamper-resistant hardware devices that hold private keys and sign with them without ever releasing the keys. Key Expirations: all keys should have an associated expiration date. ELECTRONIC COMMERCE TECHNOLOGIES: ISSUES AND APPLICATIONS Privacy Issues Most electronic transactions are traceable, and this may be true even with encryption. Electronic Payment Systems Electronic Bill Payment Systems. The payer sends electronic instructions to his or her bank.
Credit and Debit Card Systems. The payer transmits a credit or debit card number to a secure server. A secure server is one in which the communications link between the client and server is protected by encryption. Payment Intermediaries. This type of payee serves as an intermediary between a payer and a payee. PayPal™ is a good example. Digital Cash: a bank digitally signs an electronic bank note. Blinded Digital Cash: a bank issues digital cash so that it is unable to link the payer to the payee. Virtual Cash on the PC. Most electronic cash systems on personal computers are based on the concept of an electronic wallet. Virtual Cash in Electronic Cards. Smart cards are hand-held electronic cards that are used for payments. Memory cards contain microchips that are only capable of storing information. They are not very secure, because whatever they store can be read and copied. Shared-key cards overcome the weakness of memory cards by using encryption for all communications between the card and the cash register (or other point-of-payment device). Signature-transporting cards carry essentially the same hardware as shared-key cards. The main difference is the software: signature-transporting cards allow the user to spend digital cash notes. Signature-creating cards are similar to signature-transporting cards but are capable of generating their own digital signatures. The Internet Store. This section describes the typical Internet store and brings together many of the concepts discussed in this chapter. Integrating The Web Store With The Accounting System. Enterprise Resource Planning (ERP) systems integrate all the major accounting functions, as well as the web store, into a single software system. In effect, such systems treat web-store sales the same as sales made in retail stores. Web 2.0 In Web 2.0 web surfers interact with web sites. A wiki is a type of collaborative web site in which users not only browse content, but also add and modify content as well.
Other Web 2.0 innovations include blogs, RSS news feeds, and mashups. A blog (short for web log) is a web site to which individuals regularly post news stories. RSS (Really Simple Syndication) is a technical means for publishing blog and other news stories to the web in XML format. Mashups are web pages that are collages of other web pages, RSS feeds, and other information. Rich Internet Applications are web applications that look, feel, and act like desktop applications. Trust in e-Commerce: Privacy, Business Practices, and Transaction Integrity Privacy problems include spam (unsolicited e-mail), telephone solicitations, credit card fraud, and identity theft. It is in the merchant's best interest to assure its customers that it will protect their privacy. This is usually accomplished by the merchant obtaining some third-party seal of approval, audit, or limited endorsement. One example of such a program is the AICPA's WebTrust attestation program, by which specially trained CPAs provide a seal of assurance after a special audit. Transaction integrity involves proper user identification, validation, data accuracy, completeness, and timeliness, as well as complete disclosure of all terms relating to billing and shipping.
REVIEW QUESTIONS
1. Wide-area networks (such as the Internet) span very large areas. Metropolitan-area networks span sites in the same city or nearby cities. Local-area networks span a single site.
2. The Internet was developed in a loosely coupled fashion, so that a failure in one part has a minimal impact on other parts.
3. The main risk particular to an intranet is an attack from someone outside the company.
4. Each client or server on the Internet is assigned a unique IP address. Alias (domain) names are usually registered for use in place of IP addresses.
5. Firewalls limit the traffic allowed into the company's intranet (and, when so configured, the traffic allowed out). Proxy servers mediate and limit outgoing traffic.
6. The commerce server might receive incoming or outgoing transactions from other EDI-enabled commerce servers.
7. File/FTP servers (for receiving files from and distributing files to clients), web servers (for document distribution and basic user interaction), commerce servers (for interaction with banks and company accounting databases).
8. A hacker might break into secret files (such as credit card numbers). A hacker might also input fraudulent transaction information.
9. To be very safe, they should exchange certificates with each transaction. One party might be an impostor.
10. Public key encryption solves the problem of how to securely distribute secret keys in secret-key systems. With a public-key system, no secret keys need to be distributed.
11. It would be very difficult for a hacker to forge a digital signature by simply breaking the encryption. The most likely approach to such a hack would be for the hacker to steal someone's private key.
12. This is probably the case because most individuals on the Internet use the same basic digest function. (Recall that both the sender and the recipient must use the same digest function.) Making the digest a fixed length simplifies things.
13. Breaking the digest function (for example, finding a second message with the same digest as a signed one) would allow someone to forge a digital signature: the original signature would verify against the substituted message.
14. Digital signatures are more difficult to forge. Further, they not only attest to the identity of the signer, but they also guarantee that the signed document has not been modified.
15. Someone in possession of a compromised key could get away with using it if he or she could keep it off revocation lists. For this reason, revocation lists must be guarded carefully.
16. A three-tiered application architecture contains three tiers (i.e., parts): the presentation tier, the logic tier, and the data tier. The presentation tier merely receives input from the user and displays output in response to the user's input. The typical presentation tier is the user's web browser. The logic tier processes commands, evaluates logical decisions, and makes calculations. Finally, the data tier stores all data relevant to the application. In a web environment, the three tiers are typically the web browser, application server, and database. This is a "tiered" system because the web browser (and hence the end user) communicates only with the application server. The application server communicates in turn only with the database.
17. Supply chain is a subset of value chain. The five primary value chain activities include inbound logistics, outbound logistics, manufacturing, marketing, and sales and service. Support activities include human resources, procurement, technology, and firm infrastructure. The activities that relate to moving the product (inbound logistics, outbound logistics, procurement, manufacturing, and sales and service) are often referred to as supply-chain activities.
18. Yes, a small business might want to use a data warehouse. For example, Intuit Quickbase (www.quickbase.com) charges monthly fees mostly by the amount of storage used. A small business with a lot of transactions might therefore find it economical to offload stale transaction data to a data warehouse. Also, some data might be stored directly in the small-business data warehouse. Data in the data warehouse comes both from stale operational data and from data gathered from nontransactional sources, such as data relating to industry or competitor performance.
19. An API is a way of connecting one piece of software to another.
For example, a small business might want to access Google's AdWords marketing system (adwords.google.com) using an API interface in a product such as Apex Pacific's PPC Bid Max software (www.apexpacific.com). As another example, a company might have an independent helpdesk system that it wishes to interface with its accounting system. This might be accomplished using the API of either product, if one exists. 20. HTML is for displaying static data in web pages. XML, on the other hand, is used for transmitting structured, dynamic data that a web page (or another program) then displays. For example, XML might be used to transmit customer order data for display in a web browser. The data is dynamic because it is subject to change (at least from one customer to the next). ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS 21. Risks of Technology - 30 minutes Medium This problem demonstrates the risks inherent in automatically implementing the latest in information technology. Information technology can be very expensive to start up and maintain, so careful consideration of both its costs and benefits is always essential. Regarding the case in hand, several observations can be made: The present system seems to be meeting the company's information needs. Yes, files have to be translated from one format to another, but this system seems to be working well.
The cost of express mailing of disks is trivial and should not be a consideration in the larger scheme of things. Implementing Betty's new system would require a considerable and costly development effort. Further, ongoing maintenance expenses could be high. In proposing a new system, the burden of justifying the system must fall on the one making the proposal. In this sense, Betty's arguments fail. However, this does not mean that other arguments couldn't be made for the new system. Perhaps a tighter integration of the information system components would lead to better reporting and decision making. Perhaps there could be some cost savings by eliminating some positions relating to the current system. But arguments such as these would need to be made if the new system were to be justified. A related issue is that of timing. There is no question that Betty's ideas would make sense for the long run. In the long run, most companies implement newer technology. But particular technology costs (such as those associated with implementing intranets) tend to decrease over time, so companies can save a considerable amount of money by deferring some projects to future dates. A large number of issues would be involved in the implementation. Overall, the new system would need to be subject to a careful cost and benefit analysis, and it would then need to pass through the usual phases of systems analysis, systems design, and systems implementation. In particular, various databases would need to be designed, and these would need to be implemented in a client-server environment, along with the needed controls and security measures. Everything would need to be carefully documented, and a considerable amount of employee training would probably be required. 22. Servers - 10 minutes Easy Most commerce servers utilize some type of language that forms an interface between the server and the accounting program. One example is CGI. 
Information is collected when users enter data into forms through the web server. The server then passes the user data to the accounting program through CGI. CGI is one of the oldest and simplest methods to pass data from the server to an external program. More sophisticated methods exist, but the important thing is that web servers must have some means to transfer data to and from accounting programs. 23. Risks of Technology - 30 minutes Medium It appears that the order was entered correctly but subsequently changed by some unknown person, perhaps a hacker who broke into the company's accounting databases associated with its web/commerce server. The problem is that there is no surefire method to protect against hackers. In this case, it appears that the hacker directly attacked the sales order file: the case describes no capability for changing an existing order through a web browser. A good defense against such an attack would be to keep the sales order file in encrypted format, so that anyone breaking into the file could not make anything of its contents. Encryption alone does not, however, reveal that a stored record has been altered. The file should therefore also be integrity-protected (for example, by signing or hashing each order when it is stored and checking it on retrieval), write access to it should be restricted to the application itself, and changes should be logged so that an alteration and its source can be detected.
24. Servers/Systems Design - 45 minutes Medium
Information collected by the server:
customer information (name, address, and so on)
order information (items, quantity, credit card information, and so on)
Means for organizing electronic documents (assume that ACE's catalog will consist of approximately 2,000 documents):
some sort of database management system will be required
an interface (such as CGI) between the server and the database management system
Security issues:
an encrypted link between customer and server
good password protection for access to server files
protection against fraudulent orders
Payment methods:
credit card
electronic cash (this method would be preferred for very small transactions, say those of less than a dollar or two, since many banks frown on processing small credit card transactions)
The overall structure of ACE's web site, and any necessary and related hyperlinks:
general front page
screens to browse the catalog
screen to order publications
screens to download purchased publications
25. Payments Technology - 45 minutes Medium
Traditional electronic bill payment system: Useful in situations in which customers establish credit accounts with the merchant. The merchant would bill the customer for purchases, and the customer would then pay within the prescribed time limits using a traditional electronic bill payment system. This type of system has the disadvantage of not permitting instantaneous transactions between an unknown customer and merchant.
Traditional credit card system: It would not be appropriate for customers to supply credit card information over a non-secure communications link. But, in some cases, merchants set up credit card accounts over non-secure networks, and then take the credit card information over the telephone.
Secure Electronic Transaction system: This type of system is appropriate for almost any kind of electronic transaction. Such a system can be very secure, and if the SET protocol is used security will be so high that the merchant will process the customer's credit card without actually learning the credit card number.
One possible disadvantage of this type of system is that it may be possible for merchants to profile their customers, thus invading their privacy.
Virtual cash system: This type of system can be very secure and protect the customer's privacy, if anonymous electronic cash is used. Further, this type of system conveniently handles small transactions, some as small as $0.10.
26. Encryption - 60 minutes Medium
a. Number of keys that will be needed, and the number of departments that will need them: In order to implement the system as proposed, a digital certificate would need to be issued to the purchasing department. This would be accomplished by the company as a whole creating its own digital certificate, signed by its private key. The company would then, in turn,
certify the public key of the purchasing department. Alternatively, the company could certify the public key of the treasury division, which in turn could certify the public key of the purchasing department. The purchasing department would then digitally sign all purchase orders with its private key. Vendors could then use the purchasing department's public key to verify the authenticity of its digital signature. These same vendors could verify the authenticity of the purchasing department's public key by way of the certification from the company or treasury department. The company's public key might, in turn, be certified by some third-party known and trusted certification authority.
b. Who will issue keys: Each department and/or division should generate its own keys for security reasons, so that no private key ever has to be transmitted. The public keys can then be certified by the company using its digital signature. The expiration dates to be used for keys would depend on the length of the keys. A five-year expiration date would probably be acceptable for keys at least 2,048 bits long. Each department could issue its own digital certificates. But in each case a higher certification authority in the company would be required to attest to the authenticity of the department's public key. The structure of the company's certificate chains would most likely follow the organizational structure of the company. But it might also be possible for the company to have some central certifying authority, perhaps the Treasurer.
c. Security measures that will need to be adopted: The most important security measures will involve protecting each department's private keys. Ideally, these keys should be protected by certificate signing units (CSUs). The CSUs would allow authorized individuals to digitally sign documents with their private keys, but at the same time these individuals would be prevented from displaying, duplicating, or copying them.
27. Security - 30 minutes Medium There is no reason that each department couldn't issue its own digital credentials. But some department/division in the company would need to attest to the authority of each department's public key. In this respect, it seems that the Treasurer would be in the best position to certify the public keys of individual departments, if some central person needs to be in charge. The real issue is who will be the highest-level certifying authority for the company. In one sense, it seems that the CEO should be the central certifying authority. But the problem is that other corporate officers might also have equal authority under the company's bylaws. In fact, separation of duties suggests that accounting, treasury, and management be somewhat autonomous in their own areas. Perhaps the best solution, then, might be for the board of directors to separately certify the public keys of each of these three functions. For the best control, the procedures for credentialing should require authorization from Human Resources. Human Resources traditionally maintains the database on individual job positions and descriptions. Individuals' credentials should be kept in line with their job descriptions. For example, a stock manager should not be given the credentials of a purchasing agent. The company should maintain a central revocation list, and when employees change positions or depart from the company, their existing credentials should be entered into the revocation list.
28. Credentials - 10 minutes Easy The credentials should also include the following: an expiration date, and a reference to a higher certifying authority in the company.
29. Payment System - 15 minutes Easy GGG's payment system might work, if certain issues were adequately dealt with:
The private keys would need the highest level of security, for it would be a major disaster for the company if any of them were compromised.
The notes might be duplicated, and someone might attempt to present them for payment a second time. This might reflect badly on GGG's reputation.
GGG would need some system for proof of payment. For this, it would be necessary that the company presenting the notes to the bank for payment produce some sort of positive identification. This approach would be somewhat contrary to the issuing of bearer notes, which is the approach described in the present system.
30. Digital Cash - 35 minutes Medium Arguments for accepting digital cash in this case: more business, and lower costs of transaction processing. Arguments against accepting digital cash in this case: possible fraud due to delays in verification, and a lack of marketing information collected. The company might consider ignoring the fraud risks. After all, individual losses might seem to be small, amounting to a mere order of flowers. The problem, however, is that a single hacker could exploit the delay (in processing and verification) in such a way as to mount a massive attack on the company. For example, the attacker could send the company very large numbers of orders paid with fake digital notes, all at one time. The company would have no way to distinguish good orders from fraudulent ones until the notes were verified. It seems unlikely that any attacker would stand to gain much personally by entering a large number of fraudulent orders for flowers. The company could catch the bad orders right away if they all indicated shipping to the same address. For this reason, the attacker would need to use many different addresses, and so would have a very difficult time collecting all the flowers. Unfortunately, personal gain isn't the only possible motive for an attacker. Some hackers will exploit weaknesses merely for the pleasure of sabotage. For this reason, the system should not be operated in its present form. The company might improve things somewhat by barring anonymous transactions. It could further require that those placing orders provide positive proof of identification (that includes a real name and address) via a digital certificate authenticated by some trusted certifying authority. But even this procedure would likely be too risky, for it would effectively amount to granting credit to anyone with no questions asked.
31. Payment Systems - 45 minutes Medium Systems similar to the one described have already been implemented in European countries.
a. Procedures for issuing and accounting for cards: The cards would need to be sold through authorized sales offices. All cards would need to be serialized, with both internal (software) and external serial numbers. Actual card usage would be reconciled against cards issued.
b. Procedures for accounting for card usage: In theory, if the cards were truly smart they would keep track of their own usage, and would no longer be valid when used up. But, in practice, to guard against fraud, some analysis of usage would need to be done by the toll collection agency. One simple approach would be for the agency's computers to keep track of how many times each card is used. There could be a limit on the number of times that a card could be recognized, or cards could have expiration dates. Individual cards would be recognized by their serial numbers. A more sophisticated, and more secure, approach would be for the agency's computers to keep track of all card usage, and then terminate any cards that are used up. If cards could be trusted to be truly tamper proof and not subject to being duplicated, then it would be possible to completely avoid any accounting for individual card usage by the toll collection agency. The cards could be trusted to keep track of their own usage and quit operating when they are used up.
c. Security measures: Protection against fraudulently created cards: Each card would carry a unique serial number, and only cards with preauthorized serial numbers would be recognized. These numbers might be long and random so as to prevent their easily being counterfeited. Radio communications between the card and the toll booth would need to be encrypted, preferably using a public-key system, and authenticated (for example, by a challenge-response exchange using a key held inside the card), so that transmissions to and from the card can be neither read nor replayed by an unauthorized party. The cards would need to be either absolutely tamper proof, or all transactions would need to be subject to on-line verification. Specifications for the types of smart cards to be used: The cards would preferably be at least signature transporting. Simple memory cards would not be acceptable. Procedures for communicating between the toll booth and the central office: If there is more than one toll booth, there would need to be direct communication links between the toll booths and the central office. This would permit on-line verification of all card transactions. This step would not be necessary if the cards could be trusted to be absolutely tamper proof.
32. Security - 15 minutes Medium The stated policies are very weak. It says that information collected will not be rented or given away. That doesn't preclude information being sold. The phrase "legitimate business purposes" is nearly meaningless and permits the company to contact the customer for almost any reason it wants to. The shipping and billing policies are equally weak. There are no assurances that the customer will not be billed for items not shipped. Further, no clear return policy is stated. The policies for transaction integrity are only mildly reassuring.
33. Web Commerce - 15 minutes Medium 1. Tinjin might use one of the many web marketing companies who rent web storefronts. 2. Tinjin might accept digital cash or direct debits from customer accounts. There are also marketing companies who will handle the sale via credit card for a percentage of the proceeds.
3. The integration of Tinjin's web site and accounting systems might be difficult, because low development budgets don't normally permit such integration. So Tinjin might need to do something like use a spreadsheet program to reformat the web data for the accounting system.
34. Credentials - 10 minutes Easy Ramwood could purchase a digital certificate and tell all it's customers to insist on seeing the digital certificate before entering orders. It should also report the problem to those maintaining the domain servers. 35. Credentials - 10 minutes Easy The CEO is probably right, and the best thing to do is to just take the loss quietly and move on. But in the future, the company needs to set up a mechanism to immediately verify the digital notes with the bank. 36. Database Design Concepts - 30 minutes Hard This mini-case basically requests that the student prepare a database design for an accounting system. This means tables to store data relating to customers, sales, receivables, inventories, payables, and so on. The case specifically mentions accounting for sales of shoes and accounts receivable. Various tables and relations are therefore suggested. A Customer table would likely exist and have relational children, namely Orders and Invoices, where each customer could have many orders and many invoices (i.e., many-to-one relationships). Similarly, suppliers would have many orders and invoices. Customer (supplier) records would not only identify customers (suppliers) but also contain credit terms. Accounts receivables (payables) for individual customers (suppliers) would simply be their balances of unpaid invoices. This, of course, assumes, an invoiced-based accounts receivables (payables) system. The accounting system might also have an inventories table, but such a table might not be necessary, since the inventory record could be represented by the shoes indicated in purchase invoices less shoes indicated in sales invoices, adjusted for any losses due to theft or other causes. 37. Enterprise Architecture Concepts - 15 minutes Medium The following EA domains apply: Business, Information, Application, and Technical. 
Various business processes exist: acquire supplies, open the lemonade stand, sell lemonade, collect cash, record sales, clean up, and close the stand. The information domain might include a sales database that records the sales transaction plus additional data relating to the customer (e.g., male/female, walking/in-car, and so on). The Application domain might involve a simple spreadsheet used to track sales. The technical domain might simply involve a notebook computer that is wirelessly connected to the internet, with all data constantly being backed up to a remote server (e.g., Mozy.com). Tom’s supply chain is very simple: he buys lemons, sugar, bottled water, and cleaning supplies from a local supermarket. His main problem is that depending on the season lemons might not be available from a given supermarket. So he keeps in contact with many produce managers in the area.
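One concrete form the design in mini-case 36 can take, as an added example that is not code from the textbook: the table and column names are assumptions, the sample customers, invoices and receipts are constructed, and money is kept in integer cents so balances are exact. The schema makes Orders and Invoices children of Customer, derives each customer's receivable as the sum of its unpaid invoices (no separate balance column to drift out of agreement), stores credit terms and a credit limit on the customer record so an order can be checked against it, and uses a database trigger so that a cash receipt can never exceed what is still owed on the invoice it is applied to.

```python
"""Invoice-based accounts receivable, as sketched in mini-case 36.
Added example (not from the textbook); table and column names are assumptions.
Money is stored in integer cents so that balances are exact."""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    customer_id        INTEGER PRIMARY KEY,
    name               TEXT    NOT NULL,
    credit_terms_days  INTEGER NOT NULL,
    credit_limit_cents INTEGER NOT NULL
);
CREATE TABLE sales_order (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    order_date  TEXT    NOT NULL
);
CREATE TABLE invoice (
    invoice_id   INTEGER PRIMARY KEY,
    order_id     INTEGER NOT NULL REFERENCES sales_order(order_id),
    customer_id  INTEGER NOT NULL REFERENCES customer(customer_id),
    invoice_date TEXT    NOT NULL,
    amount_cents INTEGER NOT NULL CHECK (amount_cents >= 0)
);
CREATE TABLE cash_receipt (
    receipt_id   INTEGER PRIMARY KEY,
    invoice_id   INTEGER NOT NULL REFERENCES invoice(invoice_id),
    amount_cents INTEGER NOT NULL CHECK (amount_cents > 0)
);
-- A receivable is simply an invoice that is not yet fully paid.
CREATE VIEW open_invoice AS
    SELECT i.invoice_id, i.customer_id,
           i.amount_cents - COALESCE(SUM(r.amount_cents), 0) AS unpaid_cents
    FROM invoice i LEFT JOIN cash_receipt r ON r.invoice_id = i.invoice_id
    GROUP BY i.invoice_id
    HAVING i.amount_cents - COALESCE(SUM(r.amount_cents), 0) > 0;
-- Control: a receipt may not exceed what is still owed on the invoice it is applied to.
CREATE TRIGGER receipt_not_over_invoice BEFORE INSERT ON cash_receipt
BEGIN
    SELECT RAISE(ABORT, 'receipt exceeds unpaid invoice balance')
    WHERE NEW.amount_cents > (
        SELECT i.amount_cents - COALESCE(SUM(r.amount_cents), 0)
        FROM invoice i LEFT JOIN cash_receipt r ON r.invoice_id = i.invoice_id
        WHERE i.invoice_id = NEW.invoice_id);
END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the parent/child relationships
    conn.executescript(SCHEMA)
    return conn


def load_sample(conn: sqlite3.Connection) -> None:
    """Constructed sample data: two customers, three invoices, two receipts."""
    with conn:
        conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)",
                         [(1, "Acme Shoes", 30, 500000), (2, "Boot Barn", 30, 100000)])
        conn.executemany("INSERT INTO sales_order VALUES (?, ?, ?)",
                         [(1, 1, "2024-03-01"), (2, 1, "2024-03-10"), (3, 2, "2024-03-12")])
        conn.executemany("INSERT INTO invoice VALUES (?, ?, ?, ?, ?)",
                         [(1, 1, 1, "2024-03-02", 120000),
                          (2, 2, 1, "2024-03-11", 80000),
                          (3, 3, 2, "2024-03-13", 60000)])
        conn.executemany("INSERT INTO cash_receipt (invoice_id, amount_cents) VALUES (?, ?)",
                         [(1, 120000), (3, 25000)])  # invoice 1 paid in full, 3 partly


def receivable_balance(conn: sqlite3.Connection, customer_id: int) -> int:
    """A customer's receivable is the sum of its unpaid invoice balances."""
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(unpaid_cents), 0) FROM open_invoice WHERE customer_id = ?",
        (customer_id,)).fetchone()
    return total


def credit_approved(conn: sqlite3.Connection, customer_id: int, order_cents: int) -> bool:
    """Authorization control: accept a new order only within the customer's credit limit."""
    (limit,) = conn.execute("SELECT credit_limit_cents FROM customer WHERE customer_id = ?",
                            (customer_id,)).fetchone()
    return receivable_balance(conn, customer_id) + order_cents <= limit


def record_receipt(conn: sqlite3.Connection, invoice_id: int, amount_cents: int) -> bool:
    """Apply cash to an invoice; the trigger rejects a receipt larger than what is owed."""
    try:
        with conn:
            conn.execute("INSERT INTO cash_receipt (invoice_id, amount_cents) VALUES (?, ?)",
                         (invoice_id, amount_cents))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print("Acme receivable (cents):", receivable_balance(db, 1))
    print("order of $4,000 approved:", credit_approved(db, 1, 400000))
    print("overpayment accepted:", record_receipt(db, 2, 90000))
```

The trigger is the database-level equivalent of the "access to assets only in accordance with authorization" objective: even an application bug or a direct SQL session cannot post a receipt that would drive an invoice negative.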
eBusiness and eCommerce 3
38. Web 2.0 Concepts - 15 minutes Easy
Tina might set up online discussion groups for those interested in sharing their bicycling experiences. A group planner might also be helpful for those wishing to plan group trips over weekends. Regarding integration with the accounting system, discussion group profiles and activities might, for example, be linked to sales histories. This linking could be used to get a better understanding of purchasing preferences for individual customers, which in turn could be used to target specific promotions or marketing campaigns. Of course, a proper privacy disclosure would need to be included on the web site.
WEB RESEARCH ASSIGNMENTS
39. In theory, osCommerce (www.oscommerce.com) will run on either a Windows or a Linux system. But in practice, almost all osCommerce installations run on a Linux server, using the Apache web server and a MySQL database. osCommerce is extremely popular because it is open source, and anyone can use it without paying any license fees. Further, it is supported by a wide range of add-ons for things like catalog management and various electronic payment methods. To make the Authorize.net (www.authorize.net) payment gateway work with osCommerce, one would first need to set up a credit card merchant account with a bank or financial institution. Then one would need to set up an Authorize.net account. The Authorize.net authentication information would then need to be entered into the osCommerce module for Authorize.net; these credentials are secrets and should be kept out of version control and out of web-readable directories. Evidence of PCI DSS compliance (an attestation of compliance rather than a "certificate") can be obtained from one of the many services that assess web sites for PCI compliance. For sites with a low volume of transactions, one only needs to complete a self-assessment questionnaire (SAQ). For relatively high-volume sites, and for any site that handles card data itself rather than leaving card entry to the gateway's hosted page, quarterly external vulnerability scans by an approved scanning vendor are also required.
40. The Ruby on Rails application could interface with QuickBase via the QuickBase API. REST simply means HTTP-type calls to the API. In other words, the Ruby application might retrieve a student record using an HTTP call that looks something like this: http://www.quickbase.com/db/databaseid123? act=API_DoQuery&username=test&password=secret&query= ….. Do a web search for "quickbase API" for more information. Note the weakness in the example as written: the username and password travel in the URL query string, where they are written to web-server and proxy logs and browser history. The QuickBase API provides an authentication call (API_Authenticate) that returns a time-limited ticket; a production application should obtain a ticket once, send it on subsequent calls over HTTPS, and keep the account password out of URLs and source code.
41. Crossword - next page
Across
1. PUBLIC-KEY ENCRYPTION — uses two keys in association with each encrypted message.
7. BUSINESS DOMAINS — groups of business functions and business processes.
8. MASHUPS — collages of web pages.
14. SERVER-SIDE SCRIPTING LANGUAGES — examples include Perl, PHP, and VBScript.
15. GUESSED PLAINTEXT ATTACK — the simplest possible attack.
16. CORPORATE INFORMATION FACTORY — a logical architecture for the enterprise information system.
19. SERVER — constantly runs.
21. SOAP — a protocol for communication between services.
22. FIREWALL — limits access to information.
23. DIGITAL CERTIFICATE — attests to the ownership of a public key.
25. DATA MINING WAREHOUSE — contains copies of other data.
33. CLIENT — accesses and exchanges information with a server.
37. MESSAGE DIGEST — a fixed-length hash of a message, meaningless on its own.
39. FTP SERVER — commonly used for file servers.
41. XSLTS — transform XML data into HTML or other formats.
42. BUSINESS ARCHITECTURE — defines what a business needs to accomplish its business strategy.
45. ENTERPRISE SERVICE BUS — middleware switchboard.
47. SMART CARD — a wallet-sized electronic card that is used for payments.
48. DATABASE SERVER — remote access to one or more databases.
50. ONLINE ANALYTICAL PROCESSING — for very large databases.
52. RIA FRAMEWORK — examples: Adobe Flex(TM), Ajax, and Microsoft Silverlight(TM).
54. SIGNATURE-TRANSPORTING CARD — a type of smart card that stores digital cash.
57. ETL — moves data from outside sources into the data warehouse.
58. APPLICATION — a software program for some functional use.
60. APPLICATIONS INTERFACE — a set of commands to integrate software.
63. ONLINE TRANSACTION PROCESSING — the processing of transactions in real time.
65. INTRANET — self-contained in-house internet.
66. APPLICATION SERVER — supports remote access to one or more applications.
68. RSS — for publishing blog and other news stories to the web in XML format.
70. STRUCTURED QUERY LANGUAGE — SQL.
73. RELATIONAL DATA MODEL — two-dimensional tables.
74. SHARED-KEY CARD — uses encryption for all communications between the card and the point-of-payment.
78. DISTRIBUTED APPLICATION — different services in different places.
79. CLIENT-SIDE SCRIPTING LANGUAGES — software that runs in the Web browser.
80. CERTIFICATE REVOCATION LIST — lists certificates that were revoked before their expiration dates.
81. COMMERCE SERVER — a specialized type of Web server.
82. WEB SERVICE SPECIFICATIONS — for documenting web services.
83. ENCRYPTION — uses a digital key to convert plaintext into unreadable ciphertext.
84. ENTERPRISE ARCHITECTURE — the joint structure and behavior of the enterprise and its information system.
85. ELECTRONIC NETWORKS — groups connected together electronically.
86. CERTIFYING AUTHORITY — individual or organization that issues digital certificates.
87. THE OPEN GROUP ARCHITECTURE FRAMEWORK — an enterprise architectural framework.
88. CERTIFICATE-SIGNING UNIT — a tamper-resistant box for storing private keys.
89. ELECTRONIC BUSINESS — use of information technologies in any aspect of the organization.
Down
2. BUSINESS PROCESS FRAMEWORKS — transform business processes.
3. SECRET-KEY ENCRYPTION — one key is used for both encrypting and decrypting.
4. EXTRANETS — can link companies with suppliers.
5. DIGITAL TIME-STAMPING SERVICE — an organization that adds digital time-stamps to documents.
6. FIXED IP ADDRESS — permanently assigned.
9. APPLICATIONS ARCHITECTURE — defines the applications needed to run the business.
10. JAVASCRIPT — runs inside the client's web browser.
11. COOKIES — small amounts of information placed on a user's computer by a Web site.
12. DATA WAREHOUSE — current and historical data.
13. FEDERAL ENTERPRISE ARCHITECTURE — produced by the Office of Management and Budget.
14. SOA SERVICES — independent software units of functionality.
16. CGI — software that helps Web clients communicate with programs.
17. WEB SERVICE — a service that is accessible via the Web.
18. DATA MODELING — 3 phases: conceptual, logical, and physical.
20. DOMAIN NAME — used in place of the IP address.
24. DIGITAL CASH — created when a bank attaches its digital signature to a note.
26. BUSINESS PROCESS REFERENCE MODEL — best practices for a business process.
27. RICH INTERNET APPLICATIONS — like desktop applications.
28. SERVICE ORIENTED ARCHITECTURE — an applications architecture design framework.
29. MIDDLEWARE — works to help applications exchange data with each other.
30. BLINDING — makes it impossible to link the payer to the payee.
31. WEB SERVICES DESCRIPTION LANGUAGE (WSDL) — a language used to describe Web services in an SOA environment.
32. FILE SERVER — retrieves files from libraries.
34. OSTERWALDER REFERENCE MODEL — 4 major domains: infrastructure, offering, customers, and finance.
35. WEB TRUST — provides assurances.
36. ELECTRONIC COMMERCE — involves the exchange of products and services.
38. JAVA — extends the functionality of Web clients.
40. MEMORY CARD — a smart card that is only capable of storing information.
43. BLINDED DIGITAL SIGNATURE — a type of digital signature.
44. WEB 2.0 — characterized by Web users interacting with web sites.
46. DATABASE — an organized collection of data.
49. BLOG — regular posts of news stories.
51. AJAX — a combination of JavaScript and XML used to develop RIAs.
53. ORCHESTRATION — sequencing services.
55. SUPPLY-CHAIN ACTIVITIES — relate to moving the product.
56. ACTIVEX — Microsoft's alternative to Java.
59. OPERATIONAL DATABASES — get updated.
61. WEB SERVER — allows a user to access documents and run computer programs that reside on remote computers.
62. DATA MODEL — determines the operations that can be performed on its data.
64. DATA MARTS — subsets organized for use by specific functions.
67. WEB COMMERCE — the exchange of products and services over the World Wide Web.
69. SIGNATURE-CREATING CARD — capable of generating digital signatures.
71. DOMAIN NAME SERVER — associates names with IP addresses.
72. ZACHMAN FRAMEWORK — based on answering 6 basic questions in relation to each of 6 stakeholder groups.
75. DATA ARCHITECTURE — major domain of the EA.
76. LOCAL AREA NETWORKS — span a single site.
77. DATABASE DRIVER — connects applications to databases.
80. CRYPTANALYSIS — decoding messages without the key.
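The crossword entries for DIGITAL CASH (24 down), BLINDING (30 down) and BLINDED DIGITAL SIGNATURE (43 down), and the advice in mini-case 35 to verify digital notes with the bank immediately, all describe one protocol. The following Python is an added example, not code from the textbook: it uses textbook RSA with fixed toy primes and a SHA-256 digest of the note (a real system would use padded signatures and one bank key per denomination), and the note serial numbers and values are constructed. The payer multiplies the note digest by a random factor before sending it, so the bank signs a note it cannot read; the payer divides the factor back out and holds an ordinary signature. At deposit time the bank checks the signature and a spent-serial list, which is exactly the online check mini-case 35 calls for: the second presentation of the same note is refused.

```python
"""Blinded-signature digital cash: the bank signs a note it cannot read, and later
verifies and records redemption so a note cannot be spent twice.
Added example (not from the textbook). Textbook RSA with fixed toy primes;
real systems use padded signatures and one key per denomination."""
from __future__ import annotations

import hashlib
import math
import secrets

# Toy RSA key pair for the bank (Mersenne primes chosen so that E is coprime to phi).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def note_digest(serial: str, value_cents: int) -> int:
    """Hash the note's serial number and face value into an integer modulo N."""
    h = hashlib.sha256(f"{serial}|{value_cents}".encode()).digest()
    return int.from_bytes(h, "big") % N


def blind(serial: str, value_cents: int) -> tuple[int, int]:
    """Payer side: multiply the digest by r^E so the bank sees only a random-looking value.
    Returns (blinded digest, blinding factor r); r stays secret and must be invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (note_digest(serial, value_cents) * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """Payer side: divide out r, leaving the bank's ordinary RSA signature on the digest."""
    return (blind_sig * pow(r, -1, N)) % N


class Bank:
    """Holds the private key, signs blinded notes, and keeps the spent-serial list."""

    def __init__(self) -> None:
        self.spent: set[str] = set()

    def sign_blinded(self, blinded: int) -> int:
        # The withdrawer's account is debited for the face value here (omitted);
        # the bank never learns which serial number it just signed.
        return pow(blinded, D, N)

    def verify(self, serial: str, value_cents: int, signature: int) -> bool:
        return pow(signature, E, N) == note_digest(serial, value_cents)

    def redeem(self, serial: str, value_cents: int, signature: int) -> bool:
        """Online verification at deposit: genuine signature and not previously spent."""
        if not self.verify(serial, value_cents, signature):
            return False
        if serial in self.spent:
            return False  # double-spend attempt
        self.spent.add(serial)
        return True


def withdraw_note(bank: Bank, serial: str, value_cents: int) -> int:
    """Full withdrawal round trip: blind, have the bank sign, unblind."""
    blinded, r = blind(serial, value_cents)
    return unblind(bank.sign_blinded(blinded), r)


if __name__ == "__main__":
    bank = Bank()
    sig = withdraw_note(bank, "NOTE-0001", 2500)
    print("genuine:", bank.verify("NOTE-0001", 2500, sig))
    print("first deposit accepted:", bank.redeem("NOTE-0001", 2500, sig))
    print("second deposit accepted:", bank.redeem("NOTE-0001", 2500, sig))
```

The spent-serial list is what turns a merely genuine note into a safely accepted one; a merchant that checks only the signature, as the company in mini-case 35 apparently did, cannot tell a first presentation from a copy.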
Chapter 4 TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS TEACHING TIPS Many of the definitions in this chapter (especially those relating to internal control) are taken word for word from the auditing standards. Therefore, students should learn the exact terminology, such as reasonable assurance, responsibility, and so on. I highly recommend that the instructor work all the multiple choice questions at the end of the chapter. For each question, read the question out loud, then call on one student and ask him or her if answer (a) is an acceptable answer. See if others agree/disagree. Ask them why they think it is a good or bad answer. Then do this for all the remaining answers. This can be one of the most valuable exercises in the entire course. The important thing is that students be able to explain why each answer is good or bad. For some questions, more than one answer might be correct. Ask students to focus on ways to determine which answer is the best answer. I suggest giving students the problems that follow the multiple-choice questions at the end of the chapter. This will help students develop skills for taking the professional exams. It might be helpful to ask students to read some of the free documents in the Resources section of WWW.COSO.ORG. The free executive summaries in the Guidance section can also be helpful. A major theme relating to internal control is Enterprise Risk Management (ERM). This theme will recur throughout the text, not only in the area of internal control but also in information security and risk-based auditing.
THE NECESSITY FOR CONTROLS
Enterprise Risk Management. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines this as follows: Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Controls and Exposures. Controls are needed to reduce exposures.
Common Exposures. Examples include excessive costs, deficient revenues, loss of assets, inaccurate accounting, business interruption, statutory sanctions, competitive disadvantage, and fraud and embezzlement.
Fraud and White-collar Crime. White-collar crime describes a grouping of illegal activities that are differentiated from other illegal activities in that they occur as part of the occupation of the offender. Three basic forms of theft occur in white-collar crime. Management fraud involves the diversion or misrepresentation of assets by management, whether acting alone or in collusion with employees, third-party outsiders, or both. Fraudulent financial reporting is intentional or reckless conduct, whether by purposeful act or omission, that results in materially misleading financial statements. Corporate crime is white-collar crime that benefits a company or organization, rather than the individuals who perpetrate the fraud.
Forensic Accounting. Forensic accounting is one of several terms used to describe the activities of persons who are concerned with preventing and detecting fraud. The National Association of Certified Fraud Examiners (NACFE, now the Association of Certified Fraud Examiners, ACFE) provides bona fide qualifications for Certified Fraud Examiners through administration of the Uniform CFE Examination.
Seriousness of Fraud. Fraud is a serious problem that occurs in almost every large company to some extent.
Computer Processing and Exposures. Many aspects of computer processing tend to significantly increase an organization's exposure to undesirable events.
Control Objectives and Transaction Cycles. Each transaction cycle will have exposures. Management should develop detailed control objectives for each transaction cycle.
COMPONENTS OF INTERNAL CONTROL
Internal control is a process effected by an entity's board of directors, management, and other personnel. It is designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) reliability of financial reporting, b) effectiveness and efficiency of operations, and c) compliance with applicable laws and regulations. An organization's internal control process consists of five elements: the control environment, risk assessment, control activities, information and communication, and monitoring. The concept of internal control is based on two major premises: responsibility and reasonable assurance. The first premise, responsibility, has to do with management and the board of directors being responsible for establishing and maintaining the internal control process. The second premise, reasonable assurance, has to do with the relative costs and benefits of controls.
External Influences Concerning an Entity and Internal Control. The Securities and Exchange Commission (SEC) is active in the area of financial accounting, as is the Financial Accounting Standards Board (FASB).
The Federal Foreign Corrupt Practices Act of 1977 (FCPA) requires all companies who are subject to the Securities Exchange Act of 1934 to
A. make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
B. devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that
1. transactions are executed in accordance with management's general or specific authorization;
2. transactions are recorded as necessary (i) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements and (ii) to maintain accountability for assets;
3. access to assets is permitted only in accordance with management's general or specific authorization;
4. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
Noncompliance with these provisions could result in $10,000 fines for both the corporation and its officials, along with five years' imprisonment for those executives involved.
The Sarbanes-Oxley Act of 2002. For public companies, this Act (SOA, also known as SOX) imposes certain requirements and restrictions on management, auditors, and company audit committees. Severe financial and criminal penalties may apply. The SOA:
• establishes the 5-member Public Company Accounting Oversight Board (PCAOB);
• substantially increases criminal penalties for various types of white-collar crimes;
• expands the scope of laws relating to obstruction of justice. Special provisions in the act provide whistleblower protection to employees who disclose private employer information in certain judicial proceedings involving claims of fraud against the company. Whistleblowers may collect attorney's fees and damages from the company;
• places restrictions on non-audit services;
• increases the role of the audit committee;
• restricts conflicts of interest. The CEO, Controller, CFO, Chief Accounting Officer or person in an equivalent position cannot have been employed by the company's audit firm during the 1-year period preceding the audit;
• establishes corporate responsibility for financial reports. The CEO and CFO must prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer." An intentionally false certification may result in penalties as large as a $5 million fine and 20 years in prison;
• restricts insider trades;
• prohibits personal loans to executives and directors. Companies are barred from lending money to directors or executive officers;
• requires a code of ethics. Companies are required to disclose whether they have adopted a code of ethics for senior financial officers, and they also must disclose the content of the code;
• requires a management assessment of internal controls.
The SOA requires the annual report to contain an internal control report that 1) states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and 2) contains an assessment, as of the end of the company's fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial reporting. The auditor shall attest to, and report on, the assessment. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the PCAOB. The company is required to disclose whether it has adopted a code of ethics for its senior financial officers and the contents of that code.
Compliance with SOX Section 404. Managers must look to various authoritative sources for guidance, such as the following:
• COSO reports
• COBIT (Control Objectives for Information and related Technology)
• ISO 27002 (Code of practice for information security management)
• The United States Federal Sentencing Guidelines.
The Impact of the Business Environment on Internal Control. An entity's internal control process will vary depending on the context of its size, organizational structure, ownership characteristics, methods of transmitting, processing, maintaining and assessing information, legal and regulatory requirements, and the diversity and complexity of its operations.
Five Components of the Internal Control Process
Control Environment. The control environment is the collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific policies and procedures. In other words, the control environment sets the overall tone of the organization and influences the control consciousness of the employees. Factors included in the control environment:
• integrity and ethical values
• commitment to competence
• management philosophy and operating style
• organizational structure
• attention and direction provided by the board of directors and its committees
• selection and supervision of internal and external auditors
• manner of assigning authority and responsibility
• budgeting
• human resource policies and procedures
• segregation of duties
• job rotation
• forced vacations
• dual control
• supervision.
Risk Assessment. Risk assessment, the second of the five components of internal control, is the process of identifying, analyzing, and managing risks that affect the company's objectives.
Control Activities. The policies and procedures established to help ensure that management directives are carried out. There are many potential control activities that may be utilized by organizations. These include accounting controls designed to provide reasonable assurance that the following specific control objectives are met for every significant application system within an organization:
• The plan of organization includes segregation of duties that reduces the opportunity for any person to be in a position to both perpetrate and conceal errors or irregularities in the normal course of his or her duties. (Segregate custody, record keeping, and authorization.)
• Procedures include the design and use of adequate documents and records to help ensure the proper recording of transactions and events.
• Access to assets is permitted only in accordance with management's authorization.
• Independent checks and reviews are made on the accountability of assets and performance (this includes taking inventories).
• Information processing controls are applied to check the proper authorization, accuracy, and completeness of individual transactions.
Information and Communication. Information refers to the organization's accounting system, which consists of the methods and records established to identify, assemble, analyze, classify, record, and report the organization's transactions and to maintain accountability for the related assets and liabilities. Communication relates to providing a clear understanding regarding all policies and procedures relating to controls.
Documentation of the Accounting System. Accounting procedures should be set forth in accounting procedure manuals so that policies and instructions may be explicitly known and uniformly applied.
Double-entry System of Accounting. An audit trail exists if a financial total that appears in a general ledger account can be supported by evidence concerning all the individual transactions that comprise that total, and vice versa.
Monitoring. Monitoring, the fifth component of internal control, involves the ongoing process of assessing the quality of internal controls over time and taking corrective actions when necessary. Monitoring is accomplished through ongoing activities, separate evaluations, or some combination of the two. An internal audit function is common in large organizations to monitor and evaluate controls on an ongoing basis. The scope of auditing activity undertaken by a modern internal audit function is broader than just the financial activities of the organization. The terms management audit and operational audit describe internal audit services to management that extend beyond the financial activities of the organization. A report from COSO, Guidance on Monitoring Internal Control Systems, presents a three-phase model for monitoring:
1. Establish a foundation for monitoring.
2. Design and execute monitoring procedures that are based on risk.
3. Assess and report the results.
TRANSACTION PROCESSING CONTROLS
Transaction processing controls consist of general controls and application controls. General controls affect all transaction processing. Application controls are specific to individual applications.
General Controls. General controls concern the overall environment of transaction processing. General controls comprise:
• the plan of data processing organization
• general operating procedures
• equipment control features
• equipment and data-access controls.
Preventative, Detective, and Corrective Controls.
Preventative controls act to prevent errors and fraud before they happen. Detective controls act to uncover errors and fraud after they have occurred. Corrective controls act to correct errors.
Communicating the Objectives of Internal Control. The system must be designed such that each employee is convinced that controls are meant to prevent difficulties or crises in the operation of the organization that could otherwise affect him or her very personally.
Goals and Behavior Patterns. Production goals and control duties can conflict. A common behavior caused by this goal conflict is the omission of an internal control duty (such as counting documents) in the interest of increasing production. Collusion is an agreement or conspiracy among two or more people to commit fraud.
ANALYSIS OF INTERNAL CONTROL PROCESSES
Analytical Techniques. The internal control questionnaire is a common analytical technique used in internal control analysis. An application controls matrix provides a structured form of analysis that is particularly relevant to internal control reviews of information systems. The rows of the matrix consist of various control techniques. The columns of the matrix consist of activities or data values in the system under review.
Internal Control and Compliance in Small Business and Small Public Companies. Although SOX compliance applies only to public companies, both public and private small companies face similar problems in developing their internal control processes. Both small and large companies can gain cost efficiencies by using the following approaches:
• Apply a Top-Down Risk Assessment (TDRA) approach to internal control assessment
• Focus on changes
• Manage reporting objectives
• Right-size documentation.
Illustration of an Internal Control Analysis. The chapter provides a CPA examination question in which one is expected to evaluate internal controls. The published unofficial answer is provided.
REVIEW QUESTIONS
1. An exposure consists of the potential financial effect of an event multiplied by its probability of occurrence. The term "risk" is synonymous with "probability of occurrence." Thus, an exposure is a risk times its financial consequences.
2. Excessive costs, deficient revenues, loss of assets, and inaccurate accounting are common business exposures.
3. Corporate crime is white-collar crime that benefits a company or organization, rather than the individuals who perpetrate the fraud.
4. Management fraud concerns diversion of assets or misrepresentation of assets by management.
5. Many aspects of computer processing tend to significantly increase an organization's exposure to undesirable events. Some aspects of computer processing increase either the risk and/or potential dollar loss of exposures that would exist in an organization regardless of whether computer processing was employed. Other aspects of computer processing create their own types of exposures.
6. An organization's internal control process consists of five elements: the control environment, risk assessment, control activities, information and communication, and monitoring.
7. General controls affect all transaction processing. Application controls are specific to individual applications.
8. Written manuals are control tools as they formally specify organization policy and procedure.
9. Preventative controls (e.g., secure custody) act to prevent errors and fraud before they happen. Detective controls (e.g., batch totals) act to uncover errors and fraud after they have occurred. Corrective controls (e.g., audit trail) act to correct errors.
10. Job rotation and forced vacations allow employees to check or verify the operations of other employees by performing their duties for a period of time.
11. Batch control is any type of control total or count applied to a specific number of transaction documents or to the transaction documents that arrive within a specific period of time.
12. Segregation of duties is consistent with good internal control only if the probability of collusion between two or more duly segregated employees is low.
13. People are an essential element in every internal control structure. The principal function of internal control is to influence the behavior of people in a business system.
14. Procedures do not fail; the people who administer them fail. As long as people have access to valuables there will be the possibility of theft, sabotage, and serious error.
15. Physical security devices are important, but it is the procedures that surround security devices that determine their effectiveness.
16. The increased reliance on accounting data that is necessary in management of a large organization, coupled with the increased possibilities of defalcations and improperly maintained accounting records, have created the need for continuous auditing.
17. The audit committee is usually charged with overall responsibility for the organization's financial reports, including their compliance with existing laws and regulations. The audit committee nominates public accountants, discusses the scope and nature of audits with public accountants, and reviews and evaluates reports prepared by the organization's public accountants.
18. Questionnaires serve both as a guide and as documentation that a review was undertaken. Questionnaires are necessarily standardized and therefore are not equally applicable in all circumstances. Their use must often be supplemented with other forms of analysis.
19. No. The essence of a review is the analyst's analysis of his or her findings.
20. An analytic flowchart uses columns to organize processing functions. An applications control matrix is a structured form of analysis that utilizes a matrix of application controls.
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS
21.-46. Multiple-Choice - Varies
21. B 22. B 23. B 24. B 25. B 26. C 27. B 28. D 29. A 30. B 31. D 32. A 33. B 34. B 35. B 36. D 37. D 38. D 39. B 40. B 41. C 42. D 43. A 44. D 45. D 46. A
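Review question 11 defines batch control, and the chapter's audit-trail definition requires that a general ledger total be traceable to the transactions that make it up and back again. The following Python is an added example, not code from the textbook: the remittance layout, journal lines and figures are constructed, and the control names are assumptions. It recomputes a batch's record count, financial total and hash total after data entry and reports which ones disagree with the header prepared before entry (a transposed customer number leaves the count and the dollars intact and is caught only by the hash total), checks that each journal entry's debits equal its credits, and traces a ledger balance back to the entries that support it.

```python
"""Batch control totals and a double-entry audit trail, as detective controls.
Added example (not from the textbook); record layout, control names and figures are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Remittance:
    doc_no: str
    customer_id: int
    amount_cents: int


@dataclass(frozen=True)
class BatchHeader:
    record_count: int     # number of documents in the batch
    financial_total: int  # sum of the amounts (meaningful in dollars)
    hash_total: int       # sum of the customer numbers (meaningless except as a control)


CONTROL_FIELDS = ("record_count", "financial_total", "hash_total")


def compute_totals(records: list[Remittance]) -> BatchHeader:
    return BatchHeader(
        record_count=len(records),
        financial_total=sum(r.amount_cents for r in records),
        hash_total=sum(r.customer_id for r in records),
    )


def batch_discrepancies(header: BatchHeader, keyed: list[Remittance]) -> list[str]:
    """Compare totals prepared before data entry with totals recomputed afterwards.
    Returns the control totals that disagree; an empty list means the batch balances."""
    actual = compute_totals(keyed)
    return [f for f in CONTROL_FIELDS if getattr(header, f) != getattr(actual, f)]


@dataclass(frozen=True)
class JournalLine:
    entry_id: str
    account: str
    debit_cents: int = 0
    credit_cents: int = 0


def unbalanced_entries(journal: list[JournalLine]) -> list[str]:
    """Double-entry check: within each journal entry, debits must equal credits."""
    diff: dict[str, int] = defaultdict(int)
    for line in journal:
        diff[line.entry_id] += line.debit_cents - line.credit_cents
    return sorted(e for e, d in diff.items() if d != 0)


def post_to_ledger(journal: list[JournalLine]) -> dict[str, int]:
    """Roll journal lines up into general-ledger balances (debit balances positive, credit negative)."""
    ledger: dict[str, int] = defaultdict(int)
    for line in journal:
        ledger[line.account] += line.debit_cents - line.credit_cents
    return dict(ledger)


def supporting_entries(journal: list[JournalLine], account: str) -> list[str]:
    """Audit trail, ledger to journal: the entries whose lines make up one account balance."""
    return sorted({line.entry_id for line in journal if line.account == account})


def ledger_supported(journal: list[JournalLine], ledger: dict[str, int]) -> bool:
    """Audit trail in both directions: every posted balance is reproduced by the journal,
    and the journal produces no balance that is missing from the ledger."""
    return post_to_ledger(journal) == ledger


# Constructed sample: the mailroom lists three remittances and prepares the batch header.
MAILROOM = [
    Remittance("R-101", 101, 50000),
    Remittance("R-102", 205, 75000),
    Remittance("R-103", 330, 25000),
]
HEADER = compute_totals(MAILROOM)  # 3 records, 150000 cents, hash total 636

# Data entry transposed one customer number (205 keyed as 250): count and dollars still agree.
KEYED_TRANSPOSED = [
    Remittance("R-101", 101, 50000),
    Remittance("R-102", 250, 75000),
    Remittance("R-103", 330, 25000),
]
# A second keying lost a document entirely.
KEYED_DROPPED = MAILROOM[:2]

JOURNAL = [
    JournalLine("J1", "Cash", debit_cents=150000),
    JournalLine("J1", "Accounts Receivable", credit_cents=150000),
    JournalLine("J2", "Accounts Receivable", debit_cents=80000),
    JournalLine("J2", "Sales", credit_cents=80000),
    JournalLine("J3", "Cash", debit_cents=1000),  # one-sided entry, should fail the check
]

if __name__ == "__main__":
    print("transposed:", batch_discrepancies(HEADER, KEYED_TRANSPOSED))
    print("dropped:", batch_discrepancies(HEADER, KEYED_DROPPED))
    print("unbalanced:", unbalanced_entries(JOURNAL))
    print("cash supported by:", supporting_entries(JOURNAL, "Cash"))
```

The three totals are deliberately independent: a count catches a lost or duplicated document, a financial total catches a mis-keyed amount, and a hash total on an identifier catches the error the other two cannot see, which is why a batch header carries all of them.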
47. Posting Media - 10 minutes Easy
The extra clerical effort required to prepare remittance advices increases the reliability of the posting procedure in that it allows a separation of bookkeeping duties from cash handling. This reliability can only be obtained with the preparation of remittance advices, a clerical step that is not directly productive in terms of increased output.
48. Segregation of Duties - 15 minutes Medium
(a) Approval from generation of the write-off memo. Posting from each of the above.
(b) Timekeeping from payroll preparation. Payment from payroll preparation. Timekeeping from distribution of payment.
(c) Receiving from custody. Authorization from posting. Preparation of the credit memo from posting.
(d) Requisitioning from ordering. Receiving from custody. Payment from each of the above.
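One way to turn the answer to problem 48 into a check that can actually be run, as an added example that is not part of the textbook: the duty names, the role table and the activity-log lines are constructed. The first check is static, over who is permitted to do what; the second runs over an activity log and flags any document on which a single user performed two incompatible duties, which catches the case where the role table looks clean but an override or a shared account let one person do both.

```python
"""Segregation-of-duties checks for the four situations in problem 48.
Added example (not from the textbook); duty names, the role table and the log lines are constructed."""
from __future__ import annotations

import re
from itertools import combinations

# Duties that must not sit with the same person, following the answer to problem 48.
# The duty names are assumptions chosen for this example.
INCOMPATIBLE = {frozenset(pair) for pair in [
    # (a) write-offs: memo preparation, approval and posting all separate
    ("prepare_writeoff_memo", "approve_writeoff"),
    ("prepare_writeoff_memo", "post_writeoff"),
    ("approve_writeoff", "post_writeoff"),
    # (b) payroll
    ("timekeeping", "prepare_payroll"),
    ("pay_employees", "prepare_payroll"),
    ("timekeeping", "distribute_pay"),
    # (c) credit memos
    ("receive_goods", "custody_of_goods"),
    ("authorize_credit", "post_credit"),
    ("prepare_credit_memo", "post_credit"),
    # (d) purchasing: payment separate from every other step
    ("requisition", "order"),
    ("receive_goods", "custody_of_goods"),
    ("pay_vendor", "requisition"),
    ("pay_vendor", "order"),
    ("pay_vendor", "receive_goods"),
    ("pay_vendor", "custody_of_goods"),
]}


def _conflicting_pairs(duties: set[str]) -> list[tuple[str, str]]:
    return [(a, b) for a, b in combinations(sorted(duties), 2)
            if frozenset((a, b)) in INCOMPATIBLE]


def role_conflicts(assignments: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Static check of the role table: a user holding both halves of an incompatible pair
    is in a position to both perpetrate and conceal an irregularity."""
    return [(user, a, b)
            for user, duties in sorted(assignments.items())
            for a, b in _conflicting_pairs(duties)]


LOG_RE = re.compile(r"user=(?P<user>\S+)\s+duty=(?P<duty>\S+)\s+doc=(?P<doc>\S+)")


def log_conflicts(log_lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Transaction-level check over an activity log: flag each document on which one user
    performed two incompatible duties, whatever the role table says (overrides, shared accounts)."""
    duties_by_doc_user: dict[tuple[str, str], set[str]] = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # not a duty record (login messages and the like)
        duties_by_doc_user.setdefault((m["doc"], m["user"]), set()).add(m["duty"])
    return [(doc, user, a, b)
            for (doc, user), duties in sorted(duties_by_doc_user.items())
            for a, b in _conflicting_pairs(duties)]


# Constructed sample data.
ROLES = {
    "jdoe": {"approve_writeoff", "post_writeoff"},  # incompatible under (a)
    "msmith": {"prepare_writeoff_memo"},
    "rlee": {"timekeeping", "prepare_payroll"},     # incompatible under (b)
    "akim": {"order", "receive_goods"},              # permitted under (d)
}
ACTIVITY_LOG = [
    "2024-03-01T09:12 user=msmith duty=prepare_writeoff_memo doc=WO-17",
    "2024-03-01T10:02 user=jdoe duty=approve_writeoff doc=WO-17",
    "2024-03-01T10:05 user=jdoe duty=post_writeoff doc=WO-17",
    "2024-03-02T08:40 user=msmith duty=prepare_writeoff_memo doc=WO-18",
    "2024-03-02T09:15 user=jdoe duty=approve_writeoff doc=WO-18",
    "2024-03-02T09:30 user=rlee duty=post_writeoff doc=WO-18",
    "2024-03-02T09:31 login failure for user=jdoe",
]

if __name__ == "__main__":
    print("role table:", role_conflicts(ROLES))
    print("activity log:", log_conflicts(ACTIVITY_LOG))
```

Both checks share the same incompatibility table, so the policy is written once; the static check is the preventive half (fix the role table before anything happens) and the log check is the detective half (review question 12's caveat about collusion still applies, since two colluding users look clean to both).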
49. Internal Control - 20 minutes Medium CIA Examination, Unofficial Answer Recommendations to prevent the falsifying of time records are: Require that posting to time cards be in ink. Permitting the use of pencil makes it easy to erase and change figures without detection. Require that all changes to time-card posting be initialed by the supervisor. Supervisory review and approval is an internal control to prevent unauthorized changes to posting on time cards. Require a supervisor's approval of overtime hours appearing on time cards. Supervisory review and approval is an internal control to prevent unauthorized overtime. Maintain security of time cards until they are picked up by the timekeeper. Unattended time cards are easy for employees to retrieve and alter.
Maintain a record of approved overtime hours and balance this record with the total of overtime hours on time cards. Publicize this policy to discourage employees from falsifying their time records.
50. Internal Control - 45 minutes Medium
a. An organization chart documents the plan of organization and assignment of responsibilities.
b. This ensures separation of custody of financial assets from record-keeping responsibilities.
c. Insurance for the company and a notice to employees that their behavior must conform to company policies.
d. Timely, independent bank reconciliations are essential to the control of cash disbursements.
e. A complete record of fixed assets is essential to accounting control.
f. Approval of transactions by responsible officials is an essential feature of accounting control.
g. Necessary to review the status of past-due accounts and ensure that appropriate actions (no further sales, or follow-up) may be taken.
h. Control requires the comparison of actions with plans to uncover the cause of discrepancies.
i. Essential to ensure that the accounting system is in balance.
j. Separation of custody from record keeping.
k. Recorded accountability of assets should be compared with existing assets at reasonable intervals and appropriate action taken with respect to any differences.
l. This allows an independent reconciliation of remittances to the amounts posted to customer accounts.
m. The objectives of internal control are to protect the resources of an enterprise and to assure that the financial records properly reflect business transactions and the results of those transactions. A system of budgetary control would help to assure that expenditures were made for approved purposes only and that unapproved expenditures would not be made. A system of budgetary control also provides cost and revenue estimates for operating activities.
Such estimates are commonly used in a variance analysis of actual costs and revenues. Variance analysis shows how actual costs and revenues varied from budget. Large variations from budget indicate activities which warrant investigation. n. Internal control involves not only control of cash, but also control of other assets. Perhaps no other asset is more difficult to control nor more susceptible to loss or misappropriation than postage stamps. A postage meter machine affords the means of real control over postage. The meter imprint should be valid only on envelopes which bear the business return address. A day-to-day record of postage used is maintained, and a clear accountability for postage may be established. Centralized control under lock and key is easily established. o. Monthly statements of account serve the same purpose as an auditor's confirmation requests. This is especially true if the statements are checked and mailed and complaints are handled by someone who is independent of the accounts receivable department. Fictitious accounts might be uncovered, and differences between the company's records and those of its customers would be brought to light for investigation, correction, or adjustment. p. A purely arithmetical reconciliation will give only an arithmetical check on accuracy. Nonarithmetical procedures greatly extend the usefulness of the reconciliation as an element of internal control. Examination of the endorsement is an important non-arithmetical procedure to be followed when reconciling bank accounts. It is usually expected that a cancelled check will serve as a receipt and no other receipt is usually obtained. If the endorsement is irregular, the canceled check is not a satisfactory receipt. A second endorsement on a check suggests the possibility of fraud. This is particularly true if the second endorsement is that of an employee of the company. Most companies use a rubber stamp to endorse checks. 
Such an endorsement indicates that the check was deposited, not cashed. A handwritten endorsement on a check to a corporation should be questioned, as should any other unusual endorsements.
q.
Transaction Processing And Internal Control Process 4 63 In instances where an employee desires to defraud the company, he is faced with the problem of getting usable assets. Various schemes which might be worked out by an employee would result in the receipt of a check made out to the company. If the employee is unable to cash such a check, he must obtain access to cash in some other manner. The cashier is also handicapped in any attempts to carry on lapping if he cannot cash checks.
51. Ethics in Control Systems - 15 minutes Easy
This case raises an ethical question concerning the design and operation of internal control systems. Mary worked in a traditional cash receipts system, one where she had access to remittance advices but not to the associated payments. Control over unauthorized inputs arises in the independent reconciliation of payments received to remittance advices which have been processed. We may assume that Mary was unaware of the design of the system, at least to the extent that she was unaware that she could not do what she did and get away with it. The question is whether this lack of knowledge on Mary's part contributed to her dishonesty. If she had been made aware of the design of the system as a matter of company policy, perhaps she would have avoided this action and the subsequent problems and embarrassments which it created. If employees are unaware of controls, then the controls can only be corrective and not preventative in operation. As Mary's plight suggests, it is not clear that this type of company policy is ethically desirable. The risk is the feeling that if employees are aware of the operation of controls, then they might use this knowledge to circumvent these controls. The point is that one should address this question rather than ignore it completely.
52. Internal Control - 30 minutes Medium
a. Supervision and/or dual control when the mail is opened. There is no record of cash to be received which would assist in the control process.
b. Supervision of employees. Postal expense should be monitored with a budget to keep such activities to a minimum.
c. Reconciliation of total posting to the ledger to the batch total of the remittances which were posted. This reconciliation could be performed by the clerk. If the error is not detected by the clerk, then the error should be detected when general ledger performs the same reconciliation, balancing the total posted by accounts receivable to the total received by the cashier.
d. Same as (c) immediately above, except that one would not expect the clerk to correct the error. This illustrates the importance of segregation of duties.
e. Orders should be entered by sales, and bills should be prepared by a separate billing function which prepares bills on the basis of documentation (such as a bill of lading) received from the shipping department.
f. Similar to (e) immediately above. Bills should be prepared on the basis of data received from shipping. This serves to validate data that billing receives from the sales department.
g. Invoices should be canceled immediately upon approval of payment to avoid duplicate payment. Documents should be canceled by perforation or some other method that is not easily altered.
h. Material requisitions should be prepared and/or independently authorized by an independent production control function. Material usage control is based on information contained in the bill of materials for a product.
i. Periodic reconciliation (tracing) of bills of lading (shipping documentation) to invoices prepared by billing.
j. Receiving reports should be validated by stores or some other department which is independent of shipping.
53. Internal Control/Flowchart - 30 minutes Medium
CIA Examination, Unofficial Answer
Deficiencies/Omissions - Recommendations for Improvement
1. Invoices are originated by accounts receivable. Invoices should originate in a separate sales or order-writing department which is independent of accounts receivable and the billing function.
2. There is no credit check of customers. Credit orders should be reviewed and approved by an independent credit function.
3. Stores does not keep a record of actual quantities shipped or not shipped. The actual quantities shipped should be entered on invoice copy number 5 by stores.
4. A record does not accompany the goods from stores to shipping. A properly annotated invoice number 5 (or similar record) should accompany the goods and be signed by shipping to record the receipt of goods.
5. There is no mention of posting goods movement to a perpetual inventory record. The manufacturer should maintain a perpetual inventory records system for control of the inventory.
6. Billing operations are not separate from accounts receivable functions. Billing functions should be independent of sales order and accounts receivable functions.
7. There is no indication that prices and terms are based on approved standards. Master price lists should be used to complete invoices.
8. There should be an independent check of invoice extensions. Procedures should be in place for the independent verification of invoice calculations.
9. No accounting for the sequence of prenumbered invoices or bills of lading. Billing should account for the sequence of invoices and bills of lading to maintain control of the order flow.
10. Goods not shipped are not automatically backordered. Procedures should be devised to allow automatic backordering of unfilled orders.
54. Internal Control - 30 minutes Medium
CIA Examination, Unofficial Answer
1. d 2. f 3. i 4. a 5. j 6. e 7. b 8. c 9. h 10. g 11. k 12. l
55. Internal Control - 30 minutes Medium
CPA Examination, Unofficial Answer
The more important deficiencies in internal control and the remedies are:
(1) The bank apparently has not been instructed to refuse to accept checks payable to the company for deposit in the petty cash fund bank account. It should be so instructed, and the account should be in the name of the company, with the cashier as agent-custodian.
(2) The cashier processes the monthly statements to customers. He should not be permitted to have access to the customers' statements.
(3) The cashier apparently opens or has access to incoming mail containing customer's remittances. Cashiers should never open or have access to incoming mail. The mail should be opened by someone not connected with the cashier's office or the receivable ledgers. The person opening the mail should make an independent listing in triplicate of all remittances received in detail, one copy going to the cashier for entry in the cash records, one copy going to the bookkeeper for entry in accounts receivable ledgers, and one copy going to the treasurer's office for subsequent comparison to the duplicate deposit slip.
(4) The cashier, who has access to cash funds, reconciles the bank account. This should be done by some person not connected with the cashier's office.
(5) The cashier, who has access to general cash funds of the company, is custodian of the petty cash fund. The custodian of the petty cash fund should be a person who does not have access to other funds of the business.
(6) The amount of the $500 check may indicate that disbursements from the petty cash bank account have not been limited to relatively small amounts. Consideration should be given to establishing a limitation on the size of a check that might be drawn.
56. Internal Control - 30 minutes Medium
CIA Examination, Unofficial Answer
Risk - Control
Transaction Execution
1) Unauthorized Action
Play of games: Machine counter; Manager on duty; Use of token system.
Collection of coins: Two-key system; Dual collection system; Dual custody of cash receipts.
Record of collection: Record of cash; Dual signature on cash summary.
Deposit of coins: Record of deposit; Copies of deposit slips.
2) Theft or loss of cash: Bonding of employees; Segregation of duties.
Transaction Recording
Incorrect account classification: Chart of accounts.
Incorrect time period: Prenumbered documents; Prompt recording.
Incorrect amount: Compare to deposit slip; Independent verification by another clerk.
Omit transaction: Independent verification.
Access to Assets
Theft of games: Manager on duty; Use of token system.
Theft of machines: Physical control (safe, locks, keys, building security).
Damage to machines: Physical control (above); Manager on duty; Employee training.
Theft of money: Security of deposits in transit; Dual custody; Separation of control over records; Rotation of duties; Bonding of employees.
Loss of money: Same as above.
Periodic Comparisons of Accountability
All risks previously discussed: Segregation of duties; Bank reconciliations; Surprise inspections and/or surprise audits; Analytic management reviews by machines, time, location, etc.; Discussion of cost benefit compared to controlling risks.
57. Procurement of Services - 15 minutes Medium
Weakness - Recommendation
1. No control exists over the selection of qualified reviewers. Reviewers should be selected from an approved list of reviewers.
2. No control exists over the fees to be paid for manuscript reviews. Fees to be paid for manuscript reviews should be approved by management.
3. No control exists over signed review letters returned to the Editors. Copies of signed review letters should be forwarded to Accounts Payable.
4. No control exists over the receipt of authorized reviews. Reviews received should be matched to outstanding requests for manuscript reviews.
5. No control exists over payment for reviews. The review should be attached to the payment memo which is forwarded to Accounts Payable.
6. No control exists over the accuracy of recorded manuscript review expense. Accounts Payable should verify the account number charge.
7. Accounts Payable forwards checks to the Editor for delivery to the professor. Accounts Payable should prepare checks for signature by the cashier, and then the cashier should mail the checks directly to the professor. The Editor should not receive the checks.
8. No control is exercised over manuscript review expense. Actual results should be compared to yearly budgets on a periodic basis.
58. Internal Control - 30 minutes Medium
CIA Examination, Unofficial Answer
The internal control weaknesses in the registration procedure are:
(1) The Mail Room does not retain remittance advices and listings which would provide a ready means for matching against deposits and for ensuring that the Cashier received all remittances from the Mail Room.
(2) The Cashier does not retain the original, daily receipt records which would support receipts and deposits made.
(3) There is no independent check (which preferably should be made by the Cashier) of the accuracy of the fee calculation.
(4) The Accounts Receivable Clerk does not post the accounts receivable subsidiary ledger detailed accounts from the remittance advices. Thus, there is no assurance that the remittance listings are complete and accurate.
(5) A monthly trial balance is not prepared. Thus, there is no assurance that the detailed ledger agrees with the control account.
(6) The receivable balances are not aged. Thus, there is no visibility to past-due accounts.
(7) There is no independent check (which preferably should be made by the General Bookkeeper) to reconcile the deposits made with the amounts shown by the daily receipt records.
59. Internal Control Analysis - 1 Hour Medium
Courtesy the Touche Ross Foundation
Part 1. See solution to problem 27 in Chapter 2.
Part 2. Collateral Withdrawal Applications Control Matrix
Activities Key: A customer; B loan officer; C vault custodian; D vault attendant; E collateral clerk. Numbers in cells refer to steps in flowchart.
[The matrix could not be recovered from the extracted text. The step numbers that survive, by control row (column assignment lost): Segregation of Duties 2, 5, 18, 22, 28; Definition of Responsibilities 7, 13; Secure Custody 10, 18, 29; Dual Access/Dual Controls 17, 21; Standardization 4; Prenumbered Forms 4, 10; Authorization 1, 11; Endorsement 5, 15, 22; Simultaneous Preparation 5; Documentation 2, 5, 11, 19, 24; Anticipation 2, 11, 26; Transmittal Documents 8, 11, 19, 24; Control Register 25; Visual Verification 2, 3, 14, 20, 27. The remaining rows (Correctness of Input, Completeness of Processing, Correctness of Processing, and Corrective Controls) carry scattered entries that cannot be assigned to a row or column.]
(Part 2 - Problem 59) Weaknesses:
Separation of duties might be enhanced if someone other than the loan officer prepared and distributed the collateral receipt form while the loan officer accepted collateral. Why is the yellow copy discarded? Loan officer should get signature of vault custodian for receipt and keep this copy for his own reference and protection. Vault custodian should have a copy of the collateral receipt, possibly the white copy, in exchange for the blue copy. Internal Audit should regularly check to see if all listings of collateral correspond to what is in the vault. Collateral should be clearly identified. It is not clear whether the value of the collateral is validated when it is accepted by the loan officer. Collateral should be validated by the custodian before being placed in the vault. Nobody seems to check what is actually in the sealed bag when it is transferred to the vault. Perhaps a copy of the collateral receipt should be attached to the loan document itself. The independence of the loan officer in resolving differences may be questioned. It might better be brought to the attention of the auditor or someone at a higher level. Customer signature on the collateral receipt form might help improve control. Failure to regularly notify the loan officer when deposit is complete forfeits an opportunity for follow up. Interchange of the blue and white copies might enhance reliability.
60. Internal Control - 1 Hour Hard
Courtesy the Touche Ross Foundation
a. Flowchart - see next page.
[The flowchart on page 71 is not reproduced in the extracted text.]
b. Collateral Withdrawal Applications Control Matrix
Activities Key: A Initiate Withdrawal; B Transmit Request; C Record Transaction; D Transmit Request; E Select Collateral; F Transmit Collateral; G Transmit Collateral; H Transmit Blue Copy; I Transmit Pink Copy. Numbers in cells refer to steps in flowchart.
[The matrix, which uses the same preventive, detective, and corrective control rows as the Part 2 matrix of problem 59, could not be recovered from the extracted text; only scattered step numbers (1 through 35) survive without their row and column positions.]
c.
Weaknesses:
Very little can be discerned about the reliability, training, or competence of the personnel involved in the collateral process. There is no indication whether record keeping duties are rotated. We know nothing about the quality of forms or their design. It is not clear whether the collateral clerk takes advantage of the prenumbering of the forms to account for all documents in the series. There is no indication of any periodic inventory of the vault's contents and a comparison of the results with the collateral clerk's records. The resolution of discrepancies is placed in the hands of the loan officer who initiated the receiving transaction. Differences might better be brought to the attention of the auditors or someone at a higher level.
61. Internal Control - 2 minutes Medium
Answer is choice a. The key word in the question is "directly." Substantive testing and flowcharting are also affected, but much more indirectly.
62. Internal Control and Forms Design - 15 minutes Medium
a. Well-designed computer forms should be simple and uncluttered. Each data item (e.g., last name, first name, street address, city, state, zip, phone, and so on) should be captured in a separate data field. Each field should, to the extent possible, be formatted as needed for the individual data item. For example, a social security number might be formatted as xxx-xx-xxxx. Finally, error checking and validation should be applied to all input data.
b. The design of an electronic form is similar to that of a paper form, with some key differences.
c. Electronic forms are often designed to fit on a single screen, and computer screens provide more options for colors and special effects. Forms can enhance control by validating all input data.
63. Internal Control - 45 minutes Medium
a. Document Flowchart (See following page.)
b. Weakness - Improvement
1. Credit sales are not authorized. Credit sales should be authorized by a credit manager.
2. Production is not authorized. Production should be authorized by issuance of production orders.
3. Production is not scheduled. There should be an authorized production schedule.
4. Material requisitions are not authorized. Bills of material should be prepared and used to control materials requisitions.
5. The accountant computes sales prices. Billing and/or management should authorize sales prices.
6. The accountant both prepares invoices and records the receivables. Separate the responsibility for invoicing and recording the receivables.
7. Craftsmen turn in their own time for payroll. There should be a separate timekeeping function.
8. The accountant both prepares payroll and distributes the payroll. Separate the responsibility for payroll preparation and payroll distribution.
[The document flowcharts on pages 76 and 77 are not reproduced in the extracted text.]
64. Internal Control - 45 minutes Medium
a. Document flowchart (See following page).
b. Weakness - Improvement
1. Credit sales are not authorized. Credit sales should be authorized by a credit manager.
2. Production is not authorized. Production should be authorized by issuance of production orders.
3. Production is not scheduled. There should be an authorized production schedule.
4. Material requisitions are not authorized. Bills of material should be prepared and used to control materials requisitions.
5. Material requisitions are not recorded. Material requisition forms should be prepared and used to control materials requisitions.
6. The accountant bills customer on oral notification. Billing should be authorized in writing by the foreman.
7. Checks are not deposited daily. Checks should be deposited daily.
8. The accountant both prepares invoices and records the receivables. Separate the responsibility for invoicing and recording the receivables.
65. Internal Control - 1-2 hours Hard
There are several potential control weaknesses in the procedures as described; furthermore, there is almost a total absence of a formal production control system. This solution shall provide a listing of several potential control weaknesses, and some major areas that should be addressed to implement a formal production control system.
(1) Potential control weaknesses in present system:
The raw material and finished goods perpetual records should be reconciled with the related financial control accounts; independent test counting of the perpetuals should be instituted. The perpetual inventory records maintained on the card files (raw materials) and the time-sharing system (finished goods) are used in scheduling production and purchasing, and, as a result, are an important source of management information. In order to control the accuracy of the data and to insure the reasonableness of the financial information, the perpetual records should be reconciled on a regular basis with the financial control accounts.
Procedures should be established to prevent the buildup of scrap and variances in the work-in-process (WIP) inventory account; job lot controls over WIP should be established and reconciled with the financial records. The WIP control account is charged at actual costs and relieved at standard. In order to prevent an excessive buildup of variances or scrap in inventory, procedures must be established to adjust the WIP financial account to the value of good production currently in process.
Internal controls over the preparation and revision of the standard or predetermined costs should be improved. The standard product costs are the basis for valuing inventories and evaluating product line profitability. In order to improve their accuracy, the product costs should be accumulated from files or listings of approved cost components including:
• Bills of material, routings, and product structures approved by production;
• Raw material costs approved by purchasing and accounting;
• Piece rates approved by production and accounting; and
• Burden rates approved by accounting.
The process of accumulating and summarizing the cost components should provide for both detail and overall controls to insure the clerical accuracy and reasonableness of the product costs; sufficient supporting documents and files should be retained for verifying and auditing the calculated costs.
Procedures for taking physical inventories should be strengthened. Watt Co. should undertake an immediate reorganization of the warehouse. This reorganization should provide for the establishment of fixed locations for unique product types, adequate material movement lanes, a staging area for raw materials scheduled into production, and an organized staging area for work-in-process in an intermediate stage of completion. Cycle counts should be used to verify inventory records on a continuous basis.
The hours worked and quantities produced on each job as reported by the employee should be independently verified; the approvals should be indicated on the time sheets. In order to control the payment of employee wages, it is important that the information used as a basis for determining the amount of pay be initiated by someone who could not benefit from misstating the figures.
The piece rates should be reviewed for reasonableness by management and should then be formally published and approved as the official rates; formal control procedures should be developed for revising the rates. This weakness is a result of not having a formalized production control system.
The payroll accounting procedures should provide for additional verification of the propriety of employee time sheets. Presently, the payroll clerk calculates the piece work and makeup pay, but does little verification of the reported information. In order to provide an added level of control over the employee payroll, the payroll clerk should perform the following verification steps:
(1) Authorized approvals are indicated on time sheets for quantities produced and hours worked;
(2) Match total hours reported on time sheets with clock card hours;
(3) Match reported piece rates and employee hourly rates with listings of official rates.
Batch totals of time sheets should be prepared and then verified with payroll journal totals. The transmittal sheets forwarded with the time sheets to the bank service bureau contain spaces for indicating batch totals of the gross wages within specified earnings categories. Presently, these batch totals are not being calculated. As a result, the bank has no total to verify the calculated gross wages against. When the checks and payroll journals are returned, the gross wages of each individual are reviewed by the controller. If any errors are found, the check is cancelled, a new check is typed for the corrected amount and the payroll records are corrected in the following period. More effective control and timely correction could be achieved through the use of the batch totals.
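The payroll clerk's three verification steps and the transmittal-sheet batch totals described above, worked through as an added example that is not part of the solutions manual: constructed time sheets are checked for approval, clock-card agreement and official rates, then batch totals (document count, hash total of hours, gross wages by earnings category) are balanced against the totals on the payroll journal returned by the service bureau, the same batch-balancing pattern as the remittance reconciliation in problem 52(c). Employee ids, rates, hours and the makeup-pay rule are all assumptions made for the example.

```python
"""Payroll batch-control checks (added example; all records are constructed)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class TimeSheet:
    employee: str
    hours: Decimal        # hours worked as reported on the time sheet
    pieces: int           # quantities produced as reported on the time sheet
    piece_rate: Decimal   # piece rate written on the time sheet
    hourly_rate: Decimal  # hourly rate written on the time sheet
    approved: bool        # supervisor approval indicated on the sheet


# Constructed sample data: hypothetical employee ids, official rate
# listings, clock-card hours and one week of time sheets.
OFFICIAL_PIECE_RATES = {"E100": Decimal("1.25"), "E200": Decimal("0.90"),
                        "E300": Decimal("1.25")}
OFFICIAL_HOURLY_RATES = {"E100": Decimal("12.00"), "E200": Decimal("12.00"),
                         "E300": Decimal("12.00")}
CLOCK_CARD_HOURS = {"E100": Decimal("40"), "E200": Decimal("40"),
                    "E300": Decimal("40")}
SAMPLE_SHEETS = [
    TimeSheet("E100", Decimal("40"), 400, Decimal("1.25"), Decimal("12.00"), True),
    # Reported hours (38) do not agree with the clock card (40).
    TimeSheet("E200", Decimal("38"), 300, Decimal("0.90"), Decimal("12.00"), True),
    # Unapproved sheet carrying a piece rate above the official listing.
    TimeSheet("E300", Decimal("40"), 200, Decimal("1.50"), Decimal("12.00"), False),
]
# Totals printed on the payroll journal returned by the service bureau,
# constructed so that the makeup-pay total contains a transposition error.
JOURNAL_TOTALS = {"count": 3, "hours": Decimal("118"),
                  "piece_work": Decimal("1070.00"), "makeup": Decimal("336.00")}


def gross_pay(sheet):
    """Split gross pay into piece-work pay and makeup pay.

    Assumed rule: makeup pay tops piece-work earnings up to the guaranteed
    hourly wage (hours * hourly rate) whenever they fall short of it.
    """
    piece_pay = sheet.pieces * sheet.piece_rate
    guaranteed = sheet.hours * sheet.hourly_rate
    makeup = max(Decimal(0), guaranteed - piece_pay)
    return piece_pay, makeup


def verify_time_sheets(sheets, clock_hours, piece_rates, hourly_rates):
    """Steps (1)-(3) of the payroll clerk's verification.

    Returns a list of (employee, reason) exceptions; an empty list means every
    sheet is approved and agrees with the clock cards and official listings.
    """
    exceptions = []
    for s in sheets:
        if not s.approved:                                   # step (1)
            exceptions.append((s.employee, "no approval on time sheet"))
        if clock_hours.get(s.employee) != s.hours:           # step (2)
            exceptions.append((s.employee, "hours differ from clock card"))
        if piece_rates.get(s.employee) != s.piece_rate:      # step (3)
            exceptions.append((s.employee, "piece rate differs from official listing"))
        if hourly_rates.get(s.employee) != s.hourly_rate:    # step (3)
            exceptions.append((s.employee, "hourly rate differs from official listing"))
    return exceptions


def batch_totals(sheets):
    """Transmittal-sheet control totals for a batch of time sheets: document
    count, hash total of hours, and gross wages by earnings category."""
    totals = {"count": len(sheets), "hours": Decimal(0),
              "piece_work": Decimal(0), "makeup": Decimal(0)}
    for s in sheets:
        piece_pay, makeup = gross_pay(s)
        totals["hours"] += s.hours
        totals["piece_work"] += piece_pay
        totals["makeup"] += makeup
    return totals


def reconcile(batch, journal):
    """Balance the transmittal batch totals against the payroll journal totals.
    Returns {field: journal - batch} for every field that does not agree
    (None when the journal carries no total for that field)."""
    differences = {}
    for field, expected in batch.items():
        reported = journal.get(field)
        if reported != expected:
            differences[field] = None if reported is None else reported - expected
    return differences


if __name__ == "__main__":
    for employee, reason in verify_time_sheets(SAMPLE_SHEETS, CLOCK_CARD_HOURS,
                                               OFFICIAL_PIECE_RATES, OFFICIAL_HOURLY_RATES):
        print(f"exception: {employee}: {reason}")
    batch = batch_totals(SAMPLE_SHEETS)
    for field, diff in reconcile(batch, JOURNAL_TOTALS).items():
        print(f"out of balance: {field} differs from the payroll journal by {diff}")
```

Because the batch total is computed before the sheets leave the company, the $30.00 makeup-pay difference surfaces when the journal comes back rather than after a check has been issued and cancelled.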
Production Control System Features
A formal production control system would incorporate the following basic features: Master production schedules, Job-lot loading techniques, Job status reporting, Scrap feedback mechanisms (reports), Formal bills of materials for products, Operations routing sheets for products, Stage of completion reporting, Accurate production standards, A priority job processing system, and Production performance reports. Implementation of the above would require the reorganization of the warehouse, the design of documents and reports, and integration of production data into a revised and expanded chart of accounts. A mini-computer system should be considered to implement the production control system. A longer term consideration should be the introduction of scientific inventory management techniques to optimize the level of inventory investment. Some inventory management techniques (such as ABC analysis and a fixed reorder point concept) can be implemented in a relatively short period of time. Others, such as the use of EOQ formulas, require a sophisticated inventory environment with good cost controls and inventory information. The volume of raw materials, labor operations, and products warrant the use of a computer database to hold labor standards and activities, raw material costs, product structures, and burden rates. These files should be used to produce bills of materials, production routing sheets, and standard cost sheets. Computerization of the production control function would facilitate the following enhancements: Integration of payroll and production reporting. This step would provide for the collection of payroll data through the production reporting system and could eliminate the need for time sheets. Techniques to accomplish this task include an expansion of the routing
Transaction Processing And Internal Control Process 4 81 card to incorporate payroll information or the use of separate job tickets collected by shop foremen. Introduction of an on-line data collection system is also a possibility. Determination of actual versus standard cost by job or operation. By collecting detailed information on routing cards and forwarding completed job cards to accounting, a reconciliation to the payroll records and summarization by job or operation can be performed. Introduction of forecast requirements to production runs. This additional consideration in the development of the master schedule will provide the production supervisor with an improved approach to determine build quantities without the concern for building excessive finished goods inventory levels. Use of economic lot sizes for production runs. The introduction of routine production runs in economic lot sizes can reduce manufacturing costs and improve shop floor loading. Note that the production control features which have just been discussed are typical of those which are found in application software packages for computer-based production control. 66. Internal Control - 45 minutes Medium a. Total postal expense doubled in three years, increasing from about $100,000 to about $200,000. The large increases in postal expense occurred at the same time that there was a significant decrease in proposal activity (down about 50% in the same three-year period), which accounted for approximately 80% of the documents which passed through the mailroom. Thus the large increases in postal expense were not due to increased volume of items mailed. Rather, as the discussion near the end of the case indicates, the increases were due to a significant increase in the per unit postal expense of items mailed which was occurring because of the heavy use of express mail services (other than that offered by the U.S. Postal Service). 
The use of express mail came about because of a change in management policy. Investigation (discussed in the case) revealed that within two months of the establishment of express mail service approximately 65% of all proposals were sent via express mail, and that within six months approximately 85% of all proposals were being sent via express mail. The large increases in postal expense escaped the scrutiny of management for one obvious reason. Postal expense was not identified as a line item expense in quarterly expense reports. Instead, it was included under the expense category of miscellaneous administrative expenses, consisting of postal expenses, office supplies, and printing costs. These expenses decreased about 50% over the three-year period, which is about what one would expect given the 50% decrease in proposal activity over the same three-year period. Apparently, decreases in office supplies expense and printing costs had more than offset the significant increases in postal expenses. Thus the quarterly expense summary reports did not bring this issue to light.
b.
The obvious change is to identify postal expense as a line item expense in quarterly expense reports instead of including it under the expense category of miscellaneous administrative expenses, consisting of postal expenses, office supplies, and printing costs. But there is more to it than this. All expenses should be reviewed by someone. Expenses which are summarized on one report should always be reviewed in detail by some lower manager. This is the basic notion of responsibility accounting. It seems that postal expenses are recorded in a separate account, but that a detailed review of all expenses was not occurring. This suggests a weak budgeting process. If expenses were budgeted in detail, then significant variations from budget to actual could be pinpointed for review.
c.
Several steps could be taken to bring postal expense under control. The first is to make postal expense a line item expense in quarterly expense reports instead of including it under the expense category of miscellaneous administrative expenses. A second step might be to review the budgeting process for the type of weakness discussed in part b. immediately above. A policy might be established such that 10% (or some other percentage set by management) overruns from budget are subject to review. These two changes help to identify the problem, but not necessarily to bring it under control. Controlling an expense means setting objectives for it and then modifying the behavior of people to attain these objectives. Discussion in the case revealed several reasons why the express service was being used. Perhaps these are valid reasons, and the use of the service should continue. But perhaps the service is used because things are being mailed (unnecessarily) at the last possible moment, when better management could have avoided the extra expense of express mail. Who should set objectives concerning expenses like these; who should make the trade-offs between the additional expense of express mail and the perceived advantages of using express mail? The best person is probably the individual manager in the proposal area. Accordingly, the best control device would be to implement a responsibility accounting system. Rather than attempt to control line item expenses by techniques such as restricting access to express mail envelopes or requiring specific approval for the use of express mail, management should control proposal activities through responsibility accounting.
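The masking effect described in part a. and the line-item review with a management-set overrun threshold proposed in parts b. and c., worked as an added Python illustration that is not part of the case or of this solutions manual; the dollar figures, proposal counts and the activity-scaled budgeting rule are constructed assumptions.

```python
"""Constructed illustration of the control weakness in the postal expense case:
a line that doubles can vanish inside a summarized expense category whose
other lines are falling, while a line-item comparison of actual to budget with
a management-set overrun threshold (the 10% policy suggested in part c.)
flags it at once. Added example, not from the case; all figures are constructed."""

from typing import Callable, Dict

# Constructed annual actuals (dollars). They follow the case narrative
# (postal roughly doubles, proposal activity halves, supplies and printing
# fall) but are not the case's own numbers.
ACTUALS: Dict[int, Dict[str, float]] = {
    1: {"postal": 100_000, "office_supplies": 400_000, "printing": 500_000},
    3: {"postal": 200_000, "office_supplies": 120_000, "printing": 180_000},
}
PROPOSALS: Dict[int, int] = {1: 400, 3: 200}  # constructed proposal counts

# The roll-up used by the original quarterly summary report.
MISC_ADMIN = ("postal", "office_supplies", "printing")

View = Callable[[Dict[str, float]], Dict[str, float]]


def detailed_budget(year: int) -> Dict[str, float]:
    """Assumed budgeting rule (not from the case): each line is budgeted at its
    year-1 level scaled by proposal activity, which is what drives mailroom
    volume in the case."""
    scale = PROPOSALS[year] / PROPOSALS[1]
    return {item: amount * scale for item, amount in ACTUALS[1].items()}


def summarized_view(lines: Dict[str, float]) -> Dict[str, float]:
    """Collapse the three lines into the single category on the old report."""
    return {"misc_admin": sum(lines[item] for item in MISC_ADMIN)}


def detailed_view(lines: Dict[str, float]) -> Dict[str, float]:
    """Keep each line item visible (the change recommended in parts b. and c.)."""
    return dict(lines)


def overruns(year: int, view: View, threshold: float = 0.10) -> Dict[str, float]:
    """Return {item: overrun fraction} for every item whose actual exceeds its
    budget by more than the threshold under the given view of the report."""
    budget = view(detailed_budget(year))
    actual = view(ACTUALS[year])
    flagged: Dict[str, float] = {}
    for item, budgeted in budget.items():
        over = (actual[item] - budgeted) / budgeted
        if over > threshold:
            flagged[item] = round(over, 2)
    return flagged


if __name__ == "__main__":
    # The summary category nets to its budget, so nothing is flagged ...
    print("summarized report flags:", overruns(3, summarized_view))  # {}
    # ... while the line-item view shows postal at 300% over budget.
    print("line-item report flags:", overruns(3, detailed_view))     # {'postal': 3.0}
```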
67. SOX Compliance - 15 minutes Medium
Compliance with Sarbanes-Oxley means much more than just implementing effective internal control processes. It also means being able to document them, which requires a systematic approach across the entire organization. As such, many companies have adopted control frameworks such as COBIT (www.isaca.org) or the ISO 27000 family of standards.

WEB RESEARCH ASSIGNMENTS
68. This information is presently available at http://www.pcaob.org/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf (see paragraphs 9-20). The Standards index page is located here: http://www.pcaob.org/Standards/
69. There are many things that need to be done to prevent fraud. The organization should begin with an Enterprise Risk Management (ERM) program that identifies the major risks and vulnerabilities. Then good basic internal control principles must be applied. Finally, some standardized framework such as COBIT should be adopted.
70. Crossword
Across
3. INTERNAL CONTROL PROCESS — provides reasonable assurance
5. SUSPENSE FILE — unprocessed or partially processed items awaiting further action.
6. MANAGEMENT FRAUD — diversion of assets or misrepresentation of assets by key employees.
7. ENDORSEMENT — restricts further processing.
10. APPROVAL — after a transaction is initiated.
12. GENERAL CONTROLS — affect all transaction processing.
14. AMOUNT CONTROL TOTAL — relates to a group of transactions or records
16. PREVENTATIVE CONTROLS — before errors occur
18. RUN-TO-RUN TOTALS — output control totals resulting from one process
19. ISO 27002 — code of practice
20. ANTICIPATION — a particular time.
28. CLEARING ACCOUNT — Net control value should equal zero.
35. AUDIT TRAIL — evidence supporting transactions
36. CONTROL REGISTER — a log or register indicating the disposition and control values of batches or transactions.
37. COLLUSION — conspiracy
39. TICKLER FILE — items sequenced by age
40. COBIT — best practices in IT management.
41. WHITE-COLLAR CRIME — deceitful diversion of assets from proper use or deceitful misrepresentation of assets
42. SUPERVISION — the direct monitoring of performance
45. INPUT CONTROLS — prevent or detect errors in the initial stage of data processing.
47. BATCH SERIAL NUMBERS — relates to documents that are numbered consecutively
49. FORENSIC ACCOUNTING — deals with preventing and detecting fraud.
50. CORRECTIVE CONTROLS — repair errors.
51. APPLICATION CONTROLS — specific to individual applications.
52. INTERNAL CONTROL QUESTIONNAIRE — items pertaining to internal controls in an application area.
53. AUTHORIZATION — limits certain things from happening
54. INTERNAL ACCOUNTING CONTROL — concerned with the safeguarding of assets and reliability of financial statements.
55. OPERATIONAL AUDIT — management audit.

Down
1. ENTERPRISE RISK MANAGEMENT ERM — defined by COSO
2. SUSPENSE ACCOUNT — relates to items awaiting further processing.
4. SEGREGATION OF DUTIES — authorization, custody, and record keeping
8. AUDIT COMMITTEE — responsibility for the organization's financial reports.
9. APPLICATION CONTROLS MATRIX — form of analysis
11. RESPONSIBILITY — management and the board of directors are accountable for the internal control process.
13. REASONABLE ASSURANCE — costs and benefits in balance
15. FIDELITY BOND — a contract with an insurance company
16. PROCESSING CONTROLS — ensures compliance with intended specifications
17. FRAUDULENT FINANCIAL REPORTING — may be by purposeful act or omission
21. AGING — items in files according to their date
22. MANAGEMENT AUDIT — services that extend beyond the financial activities of the organization.
23. ACCOUNTING SYSTEM — Maintains accountability for assets and liabilities.
24. BATCH CONTROL LOG — a type of register.
25. BATCH TOTALS — batch control.
26. BATCH SEQUENCE — relates to serial numbers.
27. BATCH CONTROL TICKET — relates to items being transmitted
29. CANCELLATION — prevent their further use
30. OUTPUT CONTROLS — reports are properly distributed.
31. DUAL CONTROL — perform the same work task in unison.
32. DOCUMENT CONTROL TOTAL — the number of documents.
33. DETECTIVE CONTROLS — after errors occur
34. CONTROL ENVIRONMENT — enhances the effectiveness of specific policies and procedures.
38. CORPORATE CRIME — doesn't directly benefit the individuals who act
43. RISK — the probability of occurrence of an event.
44. HASH TOTAL — useful for control purposes only.
46. EXPOSURE — gets multiplied by its probability of occurrence.
48. BATCH CONTROL — can sometimes be a count
Chapter 5 INFORMATION SECURITY

TEACHING TIPS
Preferably, if this chapter is covered, Chapter 3 should also be covered. I often cover this chapter without assigning any of the problems at the end. Students especially enjoy this chapter, and I often cover it at the end of the semester to end the course on an upbeat note. I always bring in examples from a current disaster when discussing disaster planning and recovery. Many students can supply interesting examples of computer-related fraud, based on their readings from newspapers and magazines. Here are a couple of especially interesting stories: One man went into a bank lobby and substituted the generic deposit slips with his own account number encoded on them. A couple of people put a fake ATM machine in a shopping mall. When people put in their ATM cards, the fake machine recorded their account numbers and PIN numbers. The thieves used the information to steal from the victims' accounts. A man went to a night depository at a bank near the drive-through windows. He stood wearing a guard uniform and a satchel handcuffed to his wrist, and placed an out-of-order sign next to the deposit box. He generously collected everyone's deposits! Many students will begin this chapter thinking that information security is about firewalls or antivirus software. While these are important tools, they pale in number compared to the 5000+ controls listed in ISO 27001. So it's helpful to emphasize that information security requires taking a systematic approach across the entire organization. It's also helpful to emphasize that information security is an issue of risk management. One can perhaps eliminate all security risks by shutting down the company, turning off all its computers, and surrounding it with electric fences and armed guards. So it's a question of risk management and costs versus benefits. Students also typically begin with the false notion that information security is mostly about applying technical measures.
The fact is that the human factor is often the weak point. For example, the strongest password system in the world may be of little value if employees share their passwords.

AN OVERVIEW OF COMPUTER AND INFORMATION SYSTEMS SECURITY
The term "computer security" is often used interchangeably with "information security," but in fact information security is a much broader concept in that it deals with the security of all information in the organization and not just computerized information. The information security management system is an organizational internal control process that controls the special risks associated with information within the organization.

The Information Security Management System Life Cycle. As the Information Security Management system is an information system, its development requires application of the life cycle approach, including systems analysis, systems design, systems implementation, and systems operation, evaluation, and control. The objective of the first phase of the life cycle is to produce a vulnerability and threat analysis report. The objective of the second phase is to design a comprehensive set of risk-control measures, including both security measures to prevent losses and contingency plans to deal with losses should they occur. Collectively, all four phases are referred to as information system risk management.
Information Systems Security 5
International Standards for Information Security. Various international standards are promulgated for information security. The most prominent of these standards is the International Standards Organization (ISO, www.iso.org) 27000 family of standards: ISO 27000, ISO 27001, ISO 27002, ISO 27003, ISO 27004, and ISO 27005. Other guidelines and standards that are important to ISMS security include the COSO reports entitled "Internal Control — Integrated Framework," "Enterprise Risk Management — Integrated Framework," and "Guidance on Monitoring Internal Control Systems." Also important is Control Objectives for Information and related Technology (COBIT), published by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

The Information Security System in the Organization. The information security system must be managed by a Chief Security Officer (CSO), who should report directly to the Board of Directors.

Analyzing Vulnerabilities and Threats. In the quantitative approach to risk assessment, each loss exposure is computed as the product of the cost of an individual loss times the likelihood of its occurrence. In the qualitative approach, the system's vulnerabilities and threats are subjectively ranked in order of their contribution to the company's total loss exposures. Both the qualitative and quantitative approaches are used in practice, and many companies mix the two methods. In practice, exposures can be difficult to estimate, making the quantitative approach difficult to implement. If the quantitative approach is used, costs might be estimated using one of many methods, including replacement cost, service denial, third-party liability (resulting from the company's inability to meet contracts), and business interruption.

VULNERABILITIES AND THREATS
A vulnerability is a weakness in a system, and a threat is a potential exploitation of a vulnerability. There are two categories of threats: active and passive. Active threats include computer fraud and computer sabotage, and passive threats include system faults, as well as natural disasters, such as earthquakes, floods, fires, and hurricanes. System faults represent component equipment failures such as disk failures and power outages.

The Seriousness of Information Fraud. Corporate losses due to fraud and embezzlement exceed total losses due to bribery, burglary, and shoplifting by a wide margin. The Computer Fraud and Abuse Act of 1986 makes it a federal crime to knowingly and with intent fraudulently gain unauthorized access to data stored in the computers of financial institutions, and computers owned or used by the federal government. Management fraud is deliberate fraud committed by managers with the intent of deceiving investors and creditors using materially misleading financial reports. The Treadway Commission defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

Individuals Posing a Threat to the Information Systems Network
Computer and Information Systems Personnel. Systems personnel include computer maintenance persons, programmers, computer operators, computer and information systems administrative personnel, and data control clerks.
Intruders and Hackers. Anyone who accesses equipment, electronic data, or files, or any kind of privileged information without proper authorization is an intruder.

Hacker Methods. Social engineering involves manipulating victims in order to trick them into divulging privileged information. Pretexting is a form of social engineering in which the perpetrator impersonates another, typically in a phone call or electronic communication. Phishing differs from pretexting in that it is aimed directly at its victims, at tricking them into giving information (e.g., passwords), money, or other valuable assets to the perpetrator. Social engineering can be used to trick victims into accepting and installing Trojan horses, a class of malware (malicious software) that compromises the security of the victim's computer. Other types of malware that are delivered through social engineering include viruses, spyware, worms, and logic bombs. Spyware collects and relays to the perpetrator personal information about the victim. A worm is any type of Trojan that silently spreads from one computer to the next over a network, without the intervention of any individual or server.

Direct Observation. In many cases, hackers don't even need to use deception. Shoulder surfing involves the surreptitious direct observation of confidential information. Dumpster diving involves sifting through garbage to find confidential information such as discarded bank statements, department store bills, utility bills, and tax returns.

Electronic Interception. Information processed by computers and telephones travels over wires, cables, and airwaves. These lines of communication are vulnerable to wiretapping and interception. Encryption is the best defense against electronic interception.

Exploits. An exploit occurs when a hacker takes advantage of a bug, glitch, or other software or hardware vulnerability to access the software or hardware, or related data or other resources, in an unauthorized manner. The best defense against exploits is to use certified technicians to install and configure all hardware and software.

Methods of Attack by Information Systems Personnel and Users
Input Manipulation. This method requires the least amount of technical skill and is the most common in practice.

Program Alteration. Program alteration is perhaps the least common method used to commit computer fraud. This is because it requires programming skills that are possessed only by a limited number of people. A trapdoor is a portion of a computer program that allows someone to access the program while bypassing its normal security systems.

Direct File Alteration. In some cases, individuals find ways to bypass the normal process for inputting data into computer programs.

Data Theft. In many highly competitive industries, both quantitative and qualitative information about one's competitors is constantly being sought.

Sabotage. Physical damage can occur in many ways. A logic bomb involves a dormant piece of code placed in a program for later activation by a specific event.

Misappropriation or Theft of Computer Resources. Misappropriation of computer resources exists when employees use a company's computer or computers for their own business or personal use.

THE INFORMATION MANAGEMENT SECURITY SYSTEM
The Control Environment
Management Philosophy and Operating Style. The first and most important activity in information security is creating high morale and an atmosphere conducive to security.

Organizational Structure. One individual must be in charge of the computer security system.

Board of Directors and Its Committees. Ideally, the internal auditor should have a good background in computer security and serve as the chief computer security officer.

Methods of Assigning Authority and Responsibility. The responsibilities of all positions should be carefully documented.

Management Control Methods. Budgets should be established for the acquisition of equipment and software, for operating costs, and for usage.

Internal Audit Function. The computer security system must be constantly audited and then modified to meet changing needs.

Personnel Policies and Practices. Probably the most important rule is that the duties of computer users and computer systems personnel should be separated. Employees should be laid off and fired with the greatest care, since terminated employees account for a significant portion of all sabotage incidents.

External Influences. The company's information systems must be in compliance with all federal, state, and local laws and regulations.

Controls for Active Threats
The philosophy behind the layered approach to access control involves erecting multiple layers of controls that separate the would-be perpetrator from his or her potential targets. Three such layers are: site-access controls, system-access controls, and file-access controls.

Site-access controls. The objective of site-access controls is to physically separate unauthorized individuals from computer resources. This physical separation must especially be applied to hardware, data-entry areas, data-output areas, data libraries, and communications wiring.

System-access controls. The objective of system-access controls is to authenticate users by using such means as account numbers, passwords, and hardware devices.

File-access controls. File-access controls prevent unauthorized access to both data and program files. The most fundamental file-access control is the establishment of authorization guidelines and procedures for accessing and altering files. Special restrictions should be placed on programmers who have the specific knowledge to make program changes. They should not be permitted access to any of the company's computer files without written approval. All important programs should be kept in locked files. This means that the program can be run but not looked at or altered.

Controls for Passive Threats
Passive threats include problems like power and hardware failures.

Fault-tolerant Systems. If one part of the system fails, a redundant part immediately takes over, and the system continues operating with little or no interruption. Such systems are called fault-tolerant systems. Fault tolerance can be applied at five levels: to network communications, CPU processors, DASDs, the power supply, and individual transactions. DASDs are made fault tolerant by several methods, including read-after-write checks, bad-sector lockouts, and disk mirroring. Disk mirroring or disk shadowing involves writing all data in parallel to two disks. If one disk fails, the application program can automatically continue, using the good disk. There are also software programs helpful in recovering data from damaged files or disks. Fault tolerance for power failures can be achieved with an uninterruptible power supply. Fault tolerance applied at the transaction level involves rollback processing and database shadowing. With rollback processing, transactions are never written to disk until they are complete. If the power fails or another fault occurs while a transaction is being written, at its first opportunity the database program automatically rolls itself back to its prefault state.

Correcting Faults: File Backups. A full backup backs up all files on a given disk. In most systems each file contains an archive bit that is set to 0 during the backup process. The operating system automatically sets this bit to 1 whenever a file is altered. An incremental backup backs up all files whose archive bit is set to 1. Each file's archive bit is then reset to 0 during the backup process. An incremental backup, therefore, backs up only those files that have been modified since the last full or incremental backup. Finally, a differential backup is the same as an incremental backup, only the archive bits are not reset to 0 during the backup process.

Internet Security--Special System and Configuration Considerations
Internet-related vulnerabilities may arise from weaknesses in six areas:

Operating System Vulnerabilities. One way to minimize some of the risks associated with operating systems is to run different software programs in different virtual machines, using virtualization. Virtualization involves running multiple operating systems, or multiple copies of the same operating system, all on the same machine.

Web Server Vulnerabilities. Web servers are similar to operating systems in that it is necessary to constantly monitor advisory bulletins for security updates and information on configuration issues.

Private Network Vulnerabilities.
Special risks are created when a Web server is placed on a host computer connected to various other users' computers via a local area network, and hackers may attack one computer through another.

Vulnerabilities from Various Server and Communications Programs. Each additional server poses additional security risks, and a security flaw relating to any one server can open a door for hackers to attack all the other servers and all the files on the computer, even other computers that may be on the same local area network.

Cloud and Grid Computing. Cloud is another name for the Internet, and the use of Cloud-based services and data storage is referred to as Cloud computing. Cloud computing requires that the remote user place a tremendous amount of confidence in the service provider. Grid computing involves clusters of interlinked computers that share common workloads. Grid processing can involve many different computers located in many different places, and insecurity in any one computer has the potential to result in a major security leak.

General security procedures. A good overall security atmosphere is essential.

DISASTER RISK MANAGEMENT
Disaster risk management concerns prevention and contingency planning.

Preventing Disasters. Studies have shown the following frequencies of disaster causes:
Natural disaster 30%
Deliberate actions 45%
Human error 25%

Careful consideration should be given to natural-disaster risks associated with prospective building sites. Concentrations of computer equipment and data should be located in parts of buildings least exposed to storms, earthquakes, floods, and fire, as well as deliberate acts of sabotage. Adequate electronic and mechanical systems for fire, flood, and intrusion are important. Water-based sprinkler systems can be harmful to electronic components. Many companies use fire-extinguishing systems that rely on something besides water, such as gas, foam, or powder.

Contingency Planning for Disasters. A disaster recovery plan must be implemented at the highest levels in the company. The design of the plan should include three major components: an evaluation of the company's needs, a list of priorities for recovery based on these needs, and a set of recovery strategies and procedures.

Emergency Response Center. When disaster strikes, all authority for data processing and computer operations is transferred to the emergency response team, headed by the emergency operations director. These individuals direct the execution of the recovery plan from the emergency operations center, a predesignated site.

Escalation Procedures. The escalation procedures state the conditions under which a disaster should be declared, who should declare it, and who that person should notify when executing the declaration.

Alternate Processing Arrangements. The most important part of a disaster recovery plan is the specification of a backup site to be used if the primary computing site is destroyed or unusable. Three types of backup sites are possible: cold sites, hot sites, and flying-start sites. A cold site is an alternate computing site that contains the wiring for computers but no equipment. A hot site is an alternate site that contains the wiring, and the equipment as well. A flying-start site is an alternate site that contains the wiring, the equipment, and also very up-to-date backup data and software. A service bureau specializes in providing data processing services to companies who choose not to process their own data.
A shared contingency agreement or reciprocal disaster agreement is an agreement between two companies in which each company agrees to help the other if the need arises. In a variation on this agreement, the companies share a common hot site through joint ownership.

The Personnel Relocation Plan
The Personnel Replacement Plan
The Salvage Plan
The Plan for Testing and Maintaining the System

COMPLIANCE STANDARDS
Business is being increasingly pressed to comply with various standards relating to internal control and information security. Some of the standards are discussed here.

Information Security Standards. The main group of international standards for information security is the ISO/IEC 27000 series, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). At the heart of this group of standards is ISO/IEC 27002, entitled Information technology - Security techniques - Code of practice for Information Security Management. This standard sets an auditable code of practices by which companies can seek voluntary certification. COBIT is another standard or framework that defines a set, or code, of best practices. ISO/IEC 27002 and COBIT are similar in that they both target IT professionals. COSO Internal Control - Integrated Framework: Guidance on Monitoring Internal Control, on the other hand, is a more abstract, general framework targeted more toward management in general.

Business Continuity Planning and Disaster Recovery Standards. Some make a distinction between the terms business continuity planning (BCP) and disaster recovery. In general, these two terms tend to mean the same thing, but when there is a distinction BCP tends to emphasize minimizing any business-process interruption resulting from possible adverse events. Specifically, BCP is likely to specify a predetermined time for recovery from a process interrupted by an adverse event. The U.S. Office of Management and Budget (OMB) provides various BCP directives. There are also various presidential orders and directives that require BCP compliance by agencies and offices of the federal government. In the financial sector, the Gramm-Leach-Bliley Act (Section 501(b), Financial Institutions Safeguards) requires federal agencies that oversee the financial sector to implement regulatory standards aimed at protecting the security of critical information resources. Within the health-care sector, the Health Insurance Portability and Accountability Act (HIPAA) requires that health-care providers, insurance companies, and payment clearinghouses adopt standardized processes for processing electronic payments and claims. In the utilities industry, Governmental Accounting Standards Board (GASB) Statement No. 34 requires utility companies to maintain BCPs. Similarly, the Federal Energy Regulatory Commission (FERC) RM01-12-00 (Appendix G), 2003, requires many utility companies to maintain functional recovery plans. With respect to international standards, BSI British Standards promulgates its Business Continuity Management Code of Practice as BS 25999-1. Similarly, BS 25999-2 (Specification for Business Continuity Management) provides specifications for implementing, operating, and improving a documented Business Continuity Management System (BCMS).
REVIEW QUESTIONS

1. Several problems and risks associated with computerized information systems are business interruption, loss of software, loss of data, loss of hardware, and loss of facilities.

2. The computer security system is the subsystem of the organization that controls the special risks associated with computer-based information systems. The computer security system has the basic elements of any information system, such as hardware, databases, procedures, and reports.

3. Since the computer security system is an information system, its development requires application of the life cycle approach.

4. Risk management is the process of assessing and controlling computer system risks.

5. The qualitative approach lists a system's vulnerabilities and threats, subjectively ranking them in order of their contribution to the company's total loss exposures. In the quantitative approach, each loss exposure is computed as the product of the cost of an individual loss times the likelihood of its occurrence.

6. Active threats include computer fraud and computer sabotage, and passive threats include system faults, as well as natural disasters, such as earthquakes, floods, fires, and hurricanes.

7. No, it is not possible to rigorously identify characteristics of the white-collar criminal.

8. Three groups of individuals--computer systems personnel, users, and intruders--pose a threat.

9. Intruders who attack computer systems for fun and challenge are known as hackers. Other types of intruders include unnoticed intruders, wiretappers, piggybackers, impersonating intruders, and eavesdroppers.

10. Methods that might be used are input manipulation, program alteration, direct file alteration, data theft, sabotage, and misappropriation or theft of computer resources.

11. A logic bomb involves a dormant piece of code placed in a program for later activation by a specific event.

12. A virus program is similar to a Trojan horse but can spread itself to other programs, "infecting" them with the same virus. The Ambulance virus causes the image of an ambulance to move across the bottom of the display. The Ogre virus causes a sudden reformatting of the hard disk.

13. The control environment is basic to the effectiveness of the overall control system. The first and most important activity in computer security is creating high morale and an atmosphere conducive to security. The Board of Directors must appoint an audit committee. The audit committee must in turn appoint or approve the appointment of an internal auditor.

14. The layered approach to access control involves erecting multiple layers of controls that separate the would-be perpetrator from his or her potential targets. Three such layers are site-access controls, system-access controls, and file-access controls.

15. In fault-tolerant systems, if one part of the system fails, a redundant part immediately takes over, and the system continues operating with little or no interruption.
a. Networks can be made fault-tolerant by introducing duplicate communication paths and communications processors.
b. CPUs can be made fault-tolerant with consensus-based protocols and a watchdog processor.
c. DASDs are made fault-tolerant by several methods, including read-after-write checks, bad-sector lockouts, and disk mirroring.
d. Fault tolerance for power failures can be achieved with an uninterruptible power supply.
e. Fault tolerance applied at the transaction level involves rollback processing and database shadowing.

16. A full backup backs up all files on a given disk. An incremental backup backs up all files whose archive bit is set to 1. A differential backup is the same as an incremental backup, only the archive bits are not reset to 0 during the backup process.

17. The first steps in developing a disaster recovery plan should be obtaining the support of senior management and setting up a planning committee. When completed, the disaster recovery plan should be thoroughly documented and approved by these same individuals. The design of the plan should include three major components: an evaluation of the company's needs, a list of priorities for recovery based on these needs, and a set of recovery strategies and procedures.

18. Recovery strategies and procedures include detail concerning the emergency response center, the emergency response team, the emergency operations director, escalation procedures, and alternate processing arrangements.

19. A cold site is an alternate computing site that contains the wiring for computers but no equipment. A hot site is an alternate site that contains the wiring, and the equipment as well. A flying-start site is an alternate site that contains the wiring, the equipment, and also very up-to-date backup data and software.

ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS

20. Computer Security - 15 minutes Medium
The specialist should not be allowed to "edit" the data file. This makes it possible for this individual to make unauthorized credits to specific individual accounts. It is desirable to generate a batch control total of the input file to ensure that all dollar amounts are adequately accounted for. The accounts receivables updating software should validate the input data file and generate an exceptions report. It is mandatory that accounting receive a copy of this report. It is then possible for them to verify that the updates to accounts receivables plus the exceptions equal the batch control total. Editing the transaction file is an accounting function and all such changes should be adequately supported by documentation and initiated by accounting.

21. Program Maintenance - 10 minutes Easy
There is no evidence of written authorization, formal review, or verification of a master version working copy.

22. Computer Security - 10 minutes Easy
This is a very difficult problem. The first step is to define security classification level controls for the entire project. The first requirement is that a complete project plan be developed. The plan should include a listing of major activities, a detailed timetable, a budget, and a listing of personnel requirements for each activity. The project plan can then be used as a basis for developing a security system. All relevant databases should be identified and assigned classification levels. Such levels might range from top secret to non-sensitive. Some databases will invariably contain some fields that are classified and some that are not. In these cases, the software must be able to restrict access to users who are valid based on a security level criterion. All project activities should be evaluated and classified in terms of their required security. Given the above, it is possible to assign individuals to tasks. This solution describes the basic approach that has to be used. Classifying data and activities is essential. This is also true in the corporate environment where many companies have secret projects, trade secrets, etc.

23. Access Control - 15 minutes Medium
Operators serve as security risks in many systems. This is because some computers assign many functions to the operator's console that are restricted in the general user community. A defense strategy against operator foul play might include:
(1) Rotate operator shifts. This increases the chances that one operator might discover foul play of another.
(2) Keep secure copies of software and databases on file. Periodically compare these to the working versions.
(3) Have operators monitored by closed circuit television.
(4) Have the computer keep an operator's run log. This log should not be alterable by the operator.

24. Computer Security - 30 minutes Medium
There are a number of possibilities for this problem. The large number of networked PCs, coupled with a high turnover rate, suggests that an ex-employee may be invading the Rauls' computer system. One very likely explanation is that an ex-employee is working for the competitor, but still has access to the Rauls' company computer. There are several measures that can be taken to avoid this problem:
(1) Make sure that an employee's account is deactivated upon termination of employment.
(2) Frequently have the system change all passwords and notify users of the new passwords.
(3) Have a strict policy about giving out passwords over the telephone.
(4) Set a company policy on the use of passwords.
(a) Do not allow users to use family names or birthdates for passwords. Most thieves know that these are frequently used passwords.
(b) Require that passwords consist of two unrelated words separated by something other than a letter of the alphabet.
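The archive-bit rule in review question 16 above is easiest to see by running it. The following is an added example, not code from the textbook or its solutions manual: it simulates a disk of four constructed files over three days of changes and reports which files each backup strategy copies on each day, and which backup sets a restore must read afterwards. The file names and change sequence are assumptions, as is clearing every archive bit on a full backup (the question states the reset rule only for incremental backups).

```python
"""Archive-bit simulation of full, incremental and differential backups.

Added example, not from the textbook or its solutions manual. File names,
the change sequence and the full-backup reset are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    archive_bit: int = 1   # 1 = modified since the last backup that cleared it


@dataclass
class Disk:
    files: dict = field(default_factory=dict)

    def write(self, name: str) -> None:
        """Creating or modifying a file sets its archive bit to 1."""
        self.files[name] = File(name, archive_bit=1)


def full_backup(disk: Disk) -> list:
    """Copy every file on the disk; clear all archive bits (assumed)."""
    copied = sorted(disk.files)
    for f in disk.files.values():
        f.archive_bit = 0
    return copied


def incremental_backup(disk: Disk) -> list:
    """Copy files whose archive bit is 1, then reset those bits to 0."""
    copied = sorted(n for n, f in disk.files.items() if f.archive_bit == 1)
    for n in copied:
        disk.files[n].archive_bit = 0
    return copied


def differential_backup(disk: Disk) -> list:
    """Copy files whose archive bit is 1 but leave the bits set."""
    return sorted(n for n, f in disk.files.items() if f.archive_bit == 1)


def run_week(strategy: str) -> list:
    """Constructed scenario: a full backup on day 0, then one daily backup of
    the chosen kind while files a, b, c change on different days.
    Returns the list of backup sets, one per day."""
    disk = Disk()
    for name in ("a", "b", "c", "d"):
        disk.write(name)
    sets = [full_backup(disk)]
    changes = [["a"], ["b"], ["a", "c"]]          # files modified on days 1..3
    backup = incremental_backup if strategy == "incremental" else differential_backup
    for day in changes:
        for name in day:
            disk.write(name)
        sets.append(backup(disk))
    return sets


def restore_sets_needed(strategy: str, sets: list) -> list:
    """Backup sets a restore must read to recover the latest state:
    incremental needs the full set plus every incremental since it;
    differential needs the full set plus only the latest differential."""
    if strategy == "incremental":
        return sets
    return [sets[0], sets[-1]]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = run_week(strategy)
        print(strategy, sets, "restore needs:", restore_sets_needed(strategy, sets))
```

The trade-off the question hints at shows up in the output: differential sets grow day by day (a; a, b; a, b, c) but a restore reads only two sets, while incremental sets stay small (a; b; a, c) and a restore must replay the whole chain in order, so losing any one incremental set breaks the recovery.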
25. Computer Security - 10 minutes Easy
This is a true story. This case demonstrated the need for good program controls.

26. Computer Networks - 15 minutes Medium
One simple solution is encryption. There are many programs available to encrypt and decrypt data. However, it should be noted that no encryption system is foolproof. In general, encryption systems require that the user input a ciphering key, which is then used to encrypt the data. The general rule is that the more digits in the key, the more difficult it is to decipher the key. Data doesn't have to be transmitted over a public network. It is a simple matter to transmit data over a private communications line.

27. Computer Security - 15 minutes Medium
In small systems it is often not possible to maintain a well-guarded tape library. This poses a very serious threat. Companies have gone out of business because of loss of data files. Furthermore, the ready accessibility of the tapes is an invitation to theft by file alteration. Therefore, this problem should be taken very seriously and immediate action should be taken to correct the situation. One simple solution is to keep the critical tapes under lock and key. Also, it would be advisable to keep backup copies at some site other than the company computer library. This would insure against loss due to theft, vandalism, flood, or fire.

28. Computer Security - 15 minutes Medium
One solution to the problem is to avoid sharing terminals. A lot of companies will resist this solution, either because of cost or inconvenience. Security-related costs are often viewed by management as an unnecessary burden. Nevertheless, there is a real possibility of the sort of thing happening that occurred in this case. Employees can be required to enter a password with all transactions. This password should not be echoed onto the screen, since this would make it possible for someone to see and remember it. This solution has its problems. Someone might simply watch and see what password is typed (by looking at the keyboard). It is extra work for the salesperson. The goods should be released only with a validated copy of the sales order. The problem is that the person accessing the terminal illegally might generate a sales order. A terminal such as in this case must be treated like a cash register, where access is carefully restricted. The problem is that management often doesn't see this.

29. Computer Security - 15 minutes Medium
The potential for a virus to spread involves the ability of an executing program to access the job control area of another executing program. Standard operating system security makes this difficult to do. However, some systems do allow such events to occur. In such cases, the executing job has to be able to obtain access to the disk file containing the program code for the program to be infected. This requires fairly sophisticated programming and security system penetration. This case stresses the need to maintain tight control of software operating on the system. This is the best way to prevent potential problems from occurring. Any unauthorized software running on a computer has to be viewed as a potential security risk. Therefore the company should set general guidelines for installing software on its system.

30. Computer Security - 15 minutes Medium
This problem could have just as well occurred in a manual system. This case makes two major points: (1) One has to apply all of the same controls in a computer system as in a manual system. (2) Exceptions have to be very carefully investigated. The observed irregularity might only represent "the tip of the iceberg."

31. Computer Security - 15 minutes Medium
See the solution to problem 23 (operator controls). The person signing the checks should require copies of the original source documents before signing the checks. The accounts payable program can require that a valid purchase order be on file before accepting a request for payment. The program could then print the name of the vendor already on file on the check. This would make it more difficult for someone to divert a check to personal use. Daily trial balances might detect this problem, depending on how the accounting system operates.

32. Computer Security - 15 minutes Medium
Programmers should not be able to directly modify operating programs. Institute a system for documentation, approval, and implementation of program changes.

33. Computer Security - 15 minutes Medium
There is little defense against collusion between accounting and computer programming. If there are enough key people involved in the collusion, it is unlikely that they will be discovered. Collusion between these two departments is especially damaging, since it becomes possible to completely cover up almost anything. It is a logical policy to separate accounting and computer programming. This can be done in several ways:
(1) Keep the two departments at different physical locations.
(2) Don't allow individuals in one department to have relatives in another.
(3) Have separate lunch hours for the two departments.

34. Computer Security - 15 minutes Medium
This case makes the point that a security system is of little value unless company employees take it seriously. The single most important factor in computer security is a positive attitude on the part of all employees towards the system. Employees need to believe that security-related losses cost everyone in the company.

35. Computer Security - 15 minutes Medium
This case makes the point that there is no such thing as a fool-proof system. Some time ago a major computer manufacturer in the western part of the U.S. announced its new high-security operating system. The United States government sent a couple of representatives of its Department of Defense's "Tiger Team" to view a demonstration of the system. After returning to their home base, back on the East Coast, this team proceeded to dial into the computer manufacturer's own computer system and proceeded to penetrate the new operating system. The employees of the computer company were surprised to find messages displayed on their consoles that they were being "visited" by the Tiger Team. Absolute security can never be obtained. Computer programmers, by profession, enjoy solving challenging problems. The primary line of defense is therefore developing the right attitudes on the part of employees, not technical measures. Technical measures play an important role in overall security, but it is a mistake to place complete reliance on them.

36. Computer Security - 15 minutes Medium
It is bad policy to locate a computer in the front window. The computer system is often the lifeline of a company and should be carefully protected. A preferable place to locate a large computer is in the center of a large building, maybe even in a basement. There should be a very small number of doors that permit entrance to the system. Fire exit doors can exist in abundance, but an alarm should sound when one of them is opened. Only individuals with proper validation should be permitted to enter. There are a number of approaches to restricting access: (1) programmable locks, that can be programmed to reject a particular key; (2) security guards; (3) closed circuit television monitors.

37. Computer Security - 15 minutes Medium
The approach used in this fraud could very well actually be used. The main problem here is wiretapping. This is an especially sensitive risk, since all information required to defraud the company is transmitted over the wire. This includes not only passwords, but the exact commands to enter and operate the accounts payable system. There are several defenses to wiretapping: (1) make the wiring unavailable: (a) bury it deeply underground; (b) maintain an unobtrusive wiring plan. (2) use automatic data encryption. Note the company's probable use of an imprest bank account. This effectively puts a limit on the amount of damage that a defrauder can do. The telephone number of the computer should be unlisted. In addition, it should not be easy to guess.

38. Computer Fraud - 30 minutes Medium
a. One factor which contributed to the success of the fraud that was perpetrated at The Base Level National Bank of Washington D.C.
was the ability of the person(s) to obtain fraudulent deposit slips which were exact duplicates of those which were normally placed on the bank's customer counters. A related factor was the ability to MICR-encode each fraudulent bank deposit slip with the account number of the checking account which had been previously opened under a false name. The person(s) also had to have had some degree of understanding of the bank's operating procedures to be able to think that there was a reasonable chance of success for the scheme to work. However, the biggest factor in the success of the scheme was the unwitting compliance of bank employees. Normally, only checkbook deposit slips contain the customer's account number in MICR (magnetic ink character recognition) format to facilitate computer processing. The two different types of deposit slip are similar in appearance but distinguishable as to either type. When batches of deposit slips are processed in the computer department one of the first steps is to enter both the customer's account number and the amount of the deposit in MICR format at the bottom of each deposit slip using a special machine. The blank-form type of deposit slip does not normally contain any pre-entered data. In particular, the customer or the cashier must manually enter the customer's account number on these types of deposit slips. However, during the day in question, a large number of the blank-form type fraudulent deposit slips were routinely processed by bank personnel, both cashiers and the overnight data input personnel. This must have been unusual, but apparently nobody raised any questions. Even though this real-life incident is characterized as a computer crime, the Bank's computer system actually played a very minor role in the perpetration of this fraud. While it did the actual processing of the fraudulent account, it did so only after the fraudulent inputs had been approved and processed by the bank's personnel. What role it did play is an illustration of perhaps the most basic point an instructor can make to students concerning the effect of computer processing in control systems: it removes the human element. A human clerk would have probably realized that there was something unusual happening, because a lot of deposits were being credited to the same account.
b. The basic point of this case is that well-designed control systems can be defeated by the actions of complacent employees. As discussed above, it is hard to believe that somebody did not notice the oddity of so many blank-form deposit slips being MICR-encoded. If somebody did, they chose not to create a fuss. Perhaps they saw this situation as not being their problem. The bank probably had reasonably good input controls on paper. One type of control which might have prevented this fraud would be programmed edits of posting activity during the processing run. This would compensate for the human element which has been lost. A human clerk would have probably realized that there was something unusual happening because a lot of deposits were being credited to the same account. The computer could be programmed to perform the same task. Some type of standard, say ten postings a day, could be compared to an account's actual activity and exceptions flagged for review. Another possibility would be a scan of the customer file for unusually large balances after a processing run. Unfortunately, these are the types of controls which people think about only after they have experienced the need for them.

39. Security Review of Facility - 1 Hour Medium
1. Exposure from destruction of EDP equipment and resources is relatively insignificant compared to the exposure that can result from loss of data or the ability to process it. Possible areas for control include:
Security against unauthorized access, fire, flood, and serious variations in the computer room environment.
Alternative backup facilities and off-site storage of important records and files.
Plans detailing the procedures necessary to recover and restart after experiencing any interruption due to a disaster.
The case text identifies several controls in each of the above areas. Others which might be mentioned include:
The NCCC should be located in an area that is free from possible hazards (i.e., not located next to a river that floods).
The building that houses the NCCC should be constructed of protective materials that limit the spread of fire and allow control over access.
Redundant peripheral equipment should be maintained to provide adequate backup capability.
Backup facilities may also be needed if the current processing facility is destroyed. Arrangements must be made in advance so that recovery will not be hindered.
Full backup and recovery plans should be made for all software, including operating system, utilities, and applications programs (object and source code).
There should be a limited number of entrances and only authorized persons should be allowed to enter the facility.
Separation of duties within the NCCC is essential if fraudulent activities are to be prevented.
The media library in the NCCC should be limited to authorized personnel. The library's storage location should provide physical security against unauthorized access. The releasing of media should be closely monitored.
Adequate protection against environmental conditions, such as fire and water, must be maintained.
Regular analysis in the form of reports should be reviewed by the management of the NCCC concerning operations. Every abnormal situation should be recorded and sent to the proper person to review. Procedures should be developed to resolve all problems during operations within the NCCC.
2. The general security and recovery procedures as described at NCCC are good. Some other areas which might warrant consideration are:
Hiring and training practices. It is important that competent personnel be hired and that they be trained properly to perform their duties. Improperly trained or incompetent personnel could destroy data and/or cause a business interruption.
Security checks should be conducted on employees at the time of their hiring and periodically during their employment.
A bonding program can help reduce the loss caused by an employee's fraudulent actions.
Insurance coverage should be adequate in type and amount to permit recovery from a disaster.
The disaster recovery plan should be tested. If the plan is not periodically tested, employees will not become familiar with it and implementation may be impossible. Testing the plan may also reveal serious flaws that would prevent its successful use.
All files should be prioritized according to their relative importance and economic effect on operations.

40. Compliance with Security Procedures - 30 minutes Medium
1.
The visitors' log should be signed by everyone. No exceptions should be made.
The computer room door should never be unlocked.
The back door of the computer room should never be left open. This could permit unauthorized access.
The holiday banners hanging from a fire detector and a halon gas register may be a fire hazard.
Valuable processing and employee time should not be used to play video games (there might be a trade-off concerning employee morale).
All files should be properly identified and not misplaced. All files should be accounted for, especially when they are necessary for the reconstruction of processing activities in the event of a disaster.
There should be no "extra" keys to the file storage vault.
Cleaning crews and CPU technicians should not be permitted access to the computer room unless accompanied by a responsible employee.
Tapes should be taken to off-site storage every day. Failure to do this may disrupt disaster plans.
Programmers should not be allowed access to the tape library. This is a violation of one of the most important internal controls, separation of duties. By not maintaining a separation of duties, unauthorized program changes could be performed by the programmer.
The heat and humidity in the off-site storage facility may have a bad effect on file media, which are heat sensitive.
Inadequate control of inventory records exists at the off-site storage facility. This is a potentially serious problem.
Backup arrangements with vendors seem to be tenuous. This reinforces the need to test the disaster recovery plan.
2.
This case stresses the need for compliance tests. There can be a considerable difference between controls on paper and those in operation. As indicated, "people failure" is a major contributor to security problems. Security procedures may look good on paper (as they do at NCCC), but they will be ineffective if employees do not follow prescribed procedures.
41. Network Security - 15 minutes Medium
Denial of service (DOS) attacks can be very serious. This particular type of DOS attack is called an IP flood attack. In its distributed form, the bogus IP requests will come from possibly hundreds or more IP addresses. The attackers first take over various machines with weak security and then use these machines as robots to conduct the attack. The best means of control involve careful real-time monitoring of server activity levels and immediately squelching any suspicious IP addresses. But there is little that can be done if the attack is distributed widely enough. One possibility is to set up IP filtering so that a given IP address is permitted only so many requests to the server per day.

42. Network Security - 15 minutes Medium
In all probability someone has done something to cause all requests to his site to be directed to some other web site (IP address). Further, the other web site probably has nothing to do with the problem; they are likely an innocent victim too.
The attack has been carried out by illegally causing changes in the DNS (distributed name server) system, where web site names are associated with IP addresses. This poses a difficult problem, since the DNS system is really out of the company's direct control. So the main thing that can be done is to detect the problem as quickly as possible, which requires continual monitoring of the web site. This way the problem can be corrected quickly.

43. Computer Security - 20 minutes Medium
The front line in encryption is SSL (secure sockets layer) security, which encrypts all communications between the server and the client web browser. So, setting up SSL would be the first priority. But communications security is only one part of the larger security system. There must also be adequate separation of duties among the employees, proper safeguarding of critical files on the company's network, adequate password control, and so on.

44. Computer Security - 15 minutes Medium
The web server should be on a dedicated machine that is not accessible over the local area network. If it is on a shared machine, as it is in this case, any outside attacker might get to the server by first breaking into one of the user machines on the local area network, and from the user machine launching an attack on the server. One way to stage such an attack is to send one of the users an e-mail message with a Trojan horse attachment. The attachment surreptitiously installs a program that allows the attacker to control the user's machine remotely over the Internet. Once the attacker has control of the user's machine, he or she then accesses the server machine over the local area network.

45. Computer Security - 15 minutes Medium
See the solution for problem 5-44. This situation is similar to the one posed in that problem.

46. Computer Security - 15 minutes Medium
The answer depends on the purpose of the individual key. If, for example, the key relates to signing checks, then the treasury function would be responsible. On the other hand, if the key relates to signing a purchase order, then the purchasing function would be responsible. It's probably best that no central repository of keys be kept.

47. Computer Security - 20 minutes Medium
This case shows some of the many things that can go wrong with a dot com business. In this case, the Rodriguezes placed too much trust in the wrong developer. They should have checked the person out very carefully before committing the fate of their entire business to him. The second major mistake is that they allowed themselves to become completely dependent on one person. It's much better to be set up so that many possible consultants could help with a problem. Finally, they should have insisted on having copies of all their critical files.

48. Computer Security - 20 minutes Medium
There are several issues at work here. First, in many cases no one anti-malware program will catch and repair all malware. So it's a good idea to at least do nightly scans with a second product. Second, when new malware emerges, it may escape detection for a time until anti-malware vendors have time to update their databases. For this reason, employees should be taught safe computing practices. Finally, there's always a possibility that employees might be turning off their anti-malware software. Some anti-malware software is capable of being configured with a password that prevents turning it off or uninstalling it.
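Problems 38(b) and 41 above both come down to the same programmed edit: count events per key per day and report those that exceed a standard. The following is an added example, not code from the textbook or its solutions manual. It applies one counting routine to constructed bank postings (problem 38b, using the ten-postings-a-day standard from the answer, plus the large-balance scan the answer also suggests) and to constructed web server log lines in common log format (problem 41, the per-IP daily request limit). Account numbers, amounts, thresholds, dates and IP addresses (from the RFC 5737 documentation ranges) are all constructed.

```python
"""Exception reports for activity that exceeds a daily standard.

Added example, not from the textbook or its solutions manual. One counting
routine serves both problem 38b (postings per account per day) and problem 41
(requests per IP address per day). All records and log lines are constructed.
"""
from collections import Counter


def count_per_key_per_day(events):
    """events: iterable of (day, key) pairs. Returns a Counter keyed by (day, key)."""
    return Counter((day, key) for day, key in events)


def over_standard(counts, standard):
    """Return sorted (day, key, count) for every (day, key) above the standard."""
    return sorted(
        (day, key, n) for (day, key), n in counts.items() if n > standard
    )


# --- Problem 38b: postings per account per day --------------------------------
# Constructed posting records: (date, account_number, amount).
POSTINGS = [
    ("2024-03-01", "100234", 250.00),
    ("2024-03-01", "100234", 90.00),
    ("2024-03-01", "887711", 40.00),
] + [("2024-03-01", "887711", 25.00 + i) for i in range(11)]   # 12 postings total


def posting_exceptions(postings, standard=10):
    """Accounts credited more than `standard` times on one day."""
    events = ((date, acct) for date, acct, _ in postings)
    return over_standard(count_per_key_per_day(events), standard)


def large_balance_exceptions(postings, opening_balances, limit):
    """Scan balances after the run and flag those above a limit."""
    balances = dict(opening_balances)
    for _, acct, amount in postings:
        balances[acct] = balances.get(acct, 0.0) + amount
    return sorted((acct, bal) for acct, bal in balances.items() if bal > limit)


# --- Problem 41: requests per IP address per day ------------------------------
# Constructed web server log lines in common log format.
LOG_LINES = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /a.png HTTP/1.1" 200 100
198.51.100.4 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /b.png HTTP/1.1" 200 100
203.0.113.7 - - [11/Oct/2023:01:00:00 +0000] "GET /index.html HTTP/1.1" 200 2326
""".splitlines()


def parse_log_line(line):
    """Return (day, ip) from a common-log-format line; the day is the
    dd/Mon/yyyy part of the bracketed timestamp."""
    ip = line.split(" ", 1)[0]
    day = line.split("[", 1)[1].split(":", 1)[0]
    return day, ip


def request_exceptions(lines, standard):
    """IP addresses that sent more than `standard` requests on one day."""
    events = (parse_log_line(line) for line in lines)
    return over_standard(count_per_key_per_day(events), standard)


if __name__ == "__main__":
    print("postings over standard:", posting_exceptions(POSTINGS))
    print("large balances:", large_balance_exceptions(
        POSTINGS, {"100234": 1000.0, "887711": 0.0}, 500.0))
    print("requests over standard:", request_exceptions(LOG_LINES, 2))
```

The point of sharing the routine is the one the answer to 38(b) makes: the control is a standard compared against actual activity, with exceptions routed to a person for review; whether the key is an account number or a source address only changes the parser in front of it.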
WEB RESEARCH ASSIGNMENTS

49. Certification can lend confidence in a company to suppliers, customers, investors, and other groups. Certification is obtained through an Accredited Registrar (also called an accredited certification body). The web site http://www.compliancesforum.com/ provides a list of Accredited Registrars for ISO 27001.

50. The Common Maturity Model (CMM) rates a system as to its degree of organization, from a totally disorganized system to a system that is well integrated with company goals and objectives and undergoes constant self-improvement. One major difference between COBIT and the ISO 27000 family is that COBIT relies on the CMM.

51. As discussed in the chapter, the Common Criteria provide seven levels of assurance.
* EAL1: Functionally Tested
* EAL2: Structurally Tested
* EAL3: Methodically Tested and Checked
* EAL4: Methodically Designed, Tested, and Reviewed
* EAL5: Semiformally Designed and Tested
* EAL6: Semiformally Verified Design and Tested
* EAL7: Formally Verified Design and Tested
There are also various eclectic approaches to evaluating systems. One example (discussed in the text) is penetration testing.

52. Certification is a form of assurance. It applies not only to certified individuals but to the deliverables that they produce. CISSPs are certified proficient in 10 domains:
* Access Control
* Application Security
* Business Continuity and Disaster Recovery Planning
* Cryptography
* Information Security and Risk Management
* Legal, Regulations, Compliance and Investigations
* Operations Security
* Physical (Environmental) Security
* Security Architecture and Design
* Telecommunications and Network Security

53. Crossword – see next page
Chapter 6 ELECTRONIC DATA PROCESSING SYSTEMS

TEACHING TIPS
One useful exercise is to have students flowchart the systems described in this chapter. It is expected that one can cover this chapter without covering the chapter on databases and files, but the instructor might wish to begin with an overview of sequential versus random file processing.

THE INPUT SYSTEM

Manual Input Systems

Preparation and Completion of the Source Document. The source documents, such as sales orders, are filled in manually.

Transfer of Source Documents to Data Processing. Batch control totals and data transfer registers are fundamental controls over data transfer between user departments and data processing. Submission of input data should be accompanied by the completion of an input document control form. Information in the input document control form is typically entered in a data transfer log to provide a control over the disposition and use of these data.

Data Entry. After the source documents such as invoices are received by data processing, they are manually key-transcribed or keyed (i.e., typed) using a data terminal or personal computer, and then stored on disk. Next, the input file is key verified. In key verification, each source document is key-transcribed a second time. The key-verification software compares the re-transcribed data as it is being entered, key by key, to the input data already on the disk file.

Program Data Editing. Program data editing is a software technique used to screen data for errors prior to processing. The edit program may compare the actual value of each field to the acceptable values in a table. This is called a table lookup. Checking numeric data as being within certain limits requires a check only against the extreme values of the range. This is called a limit test. The use of programmed edit tests to discriminate among acceptable data so that some items are either held in suspense from processing until audited or collected for audit after processing is called continuous operations auditing. Numeric codes can be verified by using a check digit. A check digit is an extra, redundant digit added to a code number much as a parity bit is added to a byte.

Electronic Input Systems. In electronic input systems, sometimes called on-line input systems, transactions are input directly into the computer network, and the need for keying in source documents is eliminated. The loss of manual internal controls can be compensated for by using transaction logs. Transaction logs or transaction registers are created by logging all inputs to a special file that automatically contains tags to identify transactions. Tagging means that additional, audit-oriented information is included with original transaction data. Such information as date and user authorization codes can be included to provide an extensive audit trail. Transaction logs also provide an important backup, as well as a source for control totals.
Electronic Input Systems Requiring Human Intervention. In on-line manual data entry systems, users manually type transactions into the computer system. In automatic identification systems, merchandise and other items are tagged with machine-readable codes. One example of automatic identification is the automated POS system, in which salespersons use an optical scanner to scan the bar-coded merchandise for sale, as well as the customer's credit card.

Electronic Systems Requiring No Human Intervention. In some systems, transactions are processed from beginning to end without any human intervention.

REA and the Structure of Input Data. The Resources-Events-Agent (REA) Model provides a very general model for capturing and recording events and their related attributes. The model stipulates that for each event there are two general categories of related attributes: resources and agents. In practice, and within the context of the traditional computerized accounting system, event attributes may be included within hierarchical account or transaction codes. A single code can indicate the type of event and the resources and agents involved.

THE PROCESSING SYSTEM

Types of Files. A transaction file is a collection of transaction input data. Transaction files usually contain data that are of temporary rather than permanent interest. A master file contains data that are of a more permanent or continuing interest. A reference file, also known as a table file, contains data that are necessary to support data processing.

Generic File Processing Operations. There are several basic types of file processing that are common to many computer applications. Sorting is a processing operation that arranges items into a predetermined order. Merging is a processing operation that combines two or more files that are already arranged in the same order into a single file that contains all of the records from these files. Extraction is a processing operation that copies selected records in a file into a new file for further processing. Updating is a processing operation that applies changes pertaining to the records in a file to the file itself, producing a new file that reflects all of the changes.

Manual Processing Systems. Virtually all manual systems for processing transactions are batch oriented. In batch-oriented processing systems, transactions are entered into the computer (as was discussed above) in batches.

Batch Processing with Sequential File Updating. Many manual, batch-oriented systems use sequential file processing to update the master file. Processing in such a system usually involves the following steps:

Preparing the transaction file. First, any additional data editing and validation is performed. Then the records in the transaction file are sorted into the same sequence as the master file.

Updating the master file. The records in both the transaction and master files (i.e., subsidiary ledgers) are read one by one, matched, and written to a new master file that reflects the desired updates.

Updating the general ledger. The general ledger is updated to reflect changes in the master files.
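The two file-update steps just described (edit and sort the transaction file, then read it and the master file once each, match on the key, and write a new master while the old one survives as the backup), as an added example; this is not the textbook's code, and the record layout, the transaction codes A/P/D and the sample files are assumptions constructed for the illustration.

```python
"""Sequential master-file update (added example, not from the textbook).
Files are modelled as Python lists of dicts; a real run would read tape or disk
sequentially.  Record layout and the transaction codes are assumptions:
'A' adds a master record, 'P' posts an amount to the balance, 'D' deletes."""

OLD_MASTER = [  # the "father": a constructed subsidiary ledger, in account sequence
    {"account": 1010, "name": "Acme Ltd", "balance": 500},
    {"account": 1020, "name": "Baker Co", "balance": 0},
    {"account": 1040, "name": "Delta Inc", "balance": 1200},
]

TRANSACTIONS = [  # constructed batch, deliberately unsorted, with two bad records
    {"account": 1040, "code": "P", "amount": -200},
    {"account": 1030, "code": "A", "name": "Cobb LLC"},
    {"account": 1010, "code": "P", "amount": 150},
    {"account": 1030, "code": "P", "amount": 75},
    {"account": 1020, "code": "D"},
    {"account": 1050, "code": "P", "amount": 10},   # no such master record
    {"account": 1010, "code": "X"},                  # invalid transaction code
]


def prepare_transaction_file(transactions):
    """Step 1: edit the transactions, then sort them into master-file sequence.
    Returns (sorted valid transactions, rejected transactions with reasons)."""
    valid, rejected = [], []
    for t in transactions:
        if t.get("code") not in ("A", "P", "D"):
            rejected.append((t, "invalid transaction code"))
        elif not isinstance(t.get("account"), int) or t["account"] <= 0:
            rejected.append((t, "invalid account number"))
        elif t["code"] == "P" and not isinstance(t.get("amount"), (int, float)):
            rejected.append((t, "missing amount"))
        else:
            valid.append(t)
    valid.sort(key=lambda t: t["account"])   # stable: same-account order is kept
    return valid, rejected


def update_master_file(old_master, transactions):
    """Step 2: read both sequential files once, match on account number, and write
    a new master (the "son").  The father is never modified, so it stays available
    as the backup.  Unmatched or illegal transactions go to an exception list."""
    new_master, exceptions = [], []
    i = j = 0
    while i < len(old_master) or j < len(transactions):
        m_key = old_master[i]["account"] if i < len(old_master) else None
        t_key = transactions[j]["account"] if j < len(transactions) else None
        if t_key is None or (m_key is not None and m_key < t_key):
            new_master.append(dict(old_master[i]))   # no activity: copy unchanged
            i += 1
            continue
        key = t_key                                   # lowest unprocessed key
        current = None                                # working copy of the record
        if m_key == key:
            current = dict(old_master[i])
            i += 1
        while j < len(transactions) and transactions[j]["account"] == key:
            t = transactions[j]
            j += 1
            if t["code"] == "A":
                if current is not None:
                    exceptions.append((t, "add: account already on master"))
                else:
                    current = {"account": key, "name": t.get("name", ""), "balance": 0}
            elif current is None:
                exceptions.append((t, f"{t['code']}: account not on master"))
            elif t["code"] == "P":
                current["balance"] += t["amount"]
            elif t["code"] == "D":
                if current["balance"] != 0:
                    exceptions.append((t, "delete: balance not zero"))
                else:
                    current = None
        if current is not None:
            new_master.append(current)
    return new_master, exceptions


def control_report(old_master, new_master, transactions, exceptions):
    """Run-to-run control totals, reconciled before any output is released."""
    failed = {id(t) for t, _ in exceptions}
    posted = sum(t["amount"] for t in transactions
                 if t["code"] == "P" and id(t) not in failed)
    balance_in = sum(r["balance"] for r in old_master)
    balance_out = sum(r["balance"] for r in new_master)
    return {"master_in": len(old_master), "transactions": len(transactions),
            "exceptions": len(exceptions), "master_out": len(new_master),
            "balance_in": balance_in, "posted": posted, "balance_out": balance_out,
            "balances_reconcile": balance_in + posted == balance_out}


def rotate_generations(kept, new_master):
    """Grandfather-father-son retention: the file that was input to this run becomes
    the father, the previous father becomes the grandfather, the output is the son."""
    return {"grandfather": kept.get("father"), "father": kept.get("son"),
            "son": new_master}


if __name__ == "__main__":
    valid, rejected = prepare_transaction_file(TRANSACTIONS)
    son, exc = update_master_file(OLD_MASTER, valid)
    print(control_report(OLD_MASTER, son, valid, exc))
    print("exceptions:", exc, "rejected:", rejected)
```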
Preparing general ledger reports. Trial balances and other reports are produced. In addition to financial reports and schedules, common reports from a general ledger system would include the journal voucher in sequence, journal voucher within general account, general ledger by account, general ledger summary, and the working trial balance.

Batch Processing with Random-Access File Updating. Random-access updating is also possible, even desirable, with batch processing. With random-access updating, it is not necessary to sort the transaction file into the same order as the master file, and there is no need to generate a new master file. Instead, individual records are read one by one from the transaction file and used to update the related records in the master file in place.

Electronic Processing Systems. In electronic processing systems, either batch or real-time processing is possible. With real-time processing, sometimes called on-line real-time processing, transactions are processed as they are input into the system.

Batch Processing in Electronic Processing Systems. Batch processing in electronic systems is similar to batch processing in manual systems. The main difference is that journal vouchers are replaced by their electronic equivalents, and the general ledger is updated automatically in periodic batch runs. Either sequential or random-access file updating is possible.

Real-Time Processing in Electronic Processing Systems. The processing of individual transactions as opposed to groups of transactions is called immediate, direct, or real-time processing. Immediate processing is the primary characteristic of on-line real-time systems (OLRS). Master files are always up-to-date because they are updated as soon as transaction data are input.

In inquiry/response systems, users do not input data for processing; rather, they only request information. In data entry systems, users interactively input data. The data are stored by the OLRS but are processed periodically in batches. In file processing systems, users also interactively input data as they do in data entry systems. However, file processing systems differ from data entry systems in that they go one step further and immediately process the data against the relevant master files. In full processing systems, or transaction processing systems, users also interactively input transactions. However, full processing systems differ from file processing systems in that they go even further and complete the entire transaction when it is input.

Real-time Sales Systems

Purchase orders for inventory items are made on a "demand-pull" basis rather than a fixed-interval (e.g., monthly or weekly) "push" basis to restock inventory levels. New goods arrive when they are needed, that is to say, "just in time." Current sales demand pulls (i.e., automatically generates) orders for inventory. A significant degree of cooperation among trading partners is required to implement real-time sales systems. Companies, their suppliers, and buyers often enter into close, noncompetitive trade partnership agreements.

Components of Real-time Sales Systems.

The POS System. The UPC bar code scanned by POS technology at the check-out counter of a retail store is the initial event in a chain of events that ends with the right item being quickly replenished in the store's inventory so that it can be sold again. The Internet has enhanced the real-time sales system by extending it to customers who are off-site.

Bar Coding Technology. Automatic identification of sales input is essential to a real-time system; thus machine-readable bar codes and scanner technology are critical components of real-time retail sales systems.

The EDI Ordering System. The EDI link between the retailer's computer system and the vendor's computer system allows near-instantaneous placing and processing of the purchase order, facilitating quick shipment.

Transaction Processing in EDI-Based Sales Systems
• Sending the Customer an Electronic Catalog
• Forecasting the Customer's Sales Order
• Receiving and Translating the Incoming Order
• Physical Receipt of the Order
• Validation, Decryption, and Authentication
• Sending an Acknowledgment
• Sending the Order to Production/Inventory
• Generating and Transmitting an Advance Shipping Notice
• Shipping the Goods

Special Internal Control Considerations. The various special control problems in real-time systems can be compensated for by careful program data editing checks and transaction logs, and also by good computer security.

THE OUTPUT SYSTEM

Output controls are designed to check that processing results in valid output and that outputs are properly distributed. Typically an output distribution register is maintained to control the disposition of reports. This register and its attendant documentation should be periodically reviewed by the internal audit function.

REVIEW QUESTIONS

1. Batch control totals and data transfer registers are fundamental controls over data transfer between user departments and data processing. The absence or inadequacy of procedures for the control of data transmitted between user departments and the data processing department could represent a significant weakness, since it presents an opportunity for unauthorized and/or fraudulent transactions to be introduced into the processing system.

2. Key verification is a control procedure that detects errors in the keying operation.
An error might occur, for example, when a customer account number is mistyped because the data entry clerk presses the wrong key or misinterprets a character on a source document.

3. Program data editing is a software technique used to screen data for errors prior to processing. Input errors can occur that will pass verification.

4. A valid code check is a table-lookup procedure in which the table file consists of valid data codes. Program data editing is a software technique used to screen data prior to computer processing.

5. The loss of manual internal controls can be compensated for by using transaction logs.

6. A point-of-sale (POS) system is an example of automatic identification in an electronic input system that requires human intervention.

7. The networked vending machine (NVM) is an example of an electronic input system that requires no human intervention.

8. Transactions are entered into the computer in batches. These batches are then processed periodically to update master files. Batch processing is economical when large numbers of transactions must be processed.

9. The control report which is printed at the completion of the processing is reconciled with the batch totals/control report produced by the edit program. These control totals must be reconciled to user-supplied batch-control totals before any output is returned to the user. Reconciliation must allow for any transactions that were rejected by data editing.

10. The old master file that is used as input to a file update is the "father." Processing yields a "son," the new master file. The "son" file then becomes the input master for the next file update. Thus, the "son" file becomes a "father"; there is a new "son"; and the old master file that is the backup master from the previous file update becomes a "grandfather" file.

11. A journal voucher is a form that documents general journal entries. Journal vouchers are batched as a transaction file, edited for validity, and processed against the previous month's general ledger master file in order to update that file and produce the current period's general ledger register.

12. Common reports from a general ledger system would include the following five items:
* journal voucher in sequence
* journal voucher within general account
* general ledger by account
* general ledger summary
* working trial balance

13. With random-access updating, it is not necessary to sort the transaction file into the same order as the master file, and there is no need to generate a new master file. Individual records are read one by one from the transaction file and used to update the related records in the master file in place.

14. In inquiry/response systems, users do not input data for processing; rather, they only request information. In data entry systems, users interactively input data. In file processing systems, users input data as they do in data entry systems. However, file processing systems differ in that they go one step further and immediately process the data against the master files.

15. Output controls are designed to check that processing results in valid output and that outputs are properly distributed. Reports should be reviewed critically by supervisory personnel in user departments for general reasonableness and quality in relation to previous reports. Control totals should be balanced to control totals generated independently of the data processing operation.
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS

16.-45. Multiple-Choice - Time Varies
16. D   17. C   18. D   19. A   20. B
21. C   22. C   23. B   24. C   25. D
26. B   27. A   28. D   29. C   30. A
31. B   32. B   33. A   34. B   35. D
36. D   37. C   38. A   39. B   40. D
41. D   42. A   43. D   44. B   45. C
46. Check Digit - 20 minutes Medium

a. Each digit of the code is multiplied by the corresponding weight 5, 4, 3, 2; the digits of the products are added; and the check digit is the difference between that sum and the next multiple of 11.

4388 x 5432: (2+0)+(1+2)+(2+4)+(1+6) = 18; 22 - 18 = 4 (check digit)
5100 x 5432: (2+5)+(4)+(0)+(0) = 11; 11 - 11 = 0 (check digit)
9106 x 5432: (4+5)+(4)+(0)+(1+2) = 16; 22 - 16 = 6 (check digit)

b. None of the calculated check digits matches the check digit given with the code.

10307 x 5432: (5)+(0)+(9)+(0) = 14; 22 - 14 = 8 (calculated check digit; 7 given)
50008 x 5432: (2+5)+(0)+(0)+(0) = 7; 11 - 7 = 4 (calculated check digit; 8 given)
22222 x 5432: (1+0)+(8)+(6)+(4) = 19; 22 - 19 = 3 (calculated check digit; 2 given)
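The check-digit arithmetic of problem 46 as an added example, not the manual's own code: the weights 5, 4, 3, 2 and the summing of product digits are read from the worked figures; the modulus-11 rule, and rejecting a remainder that would need a two-digit check, are assumptions consistent with them.

```python
"""Check digit scheme of problem 46 (added example, not the manual's own code).
Inferred from the worked figures: multiply the four base digits by the weights
5, 4, 3, 2, add up the digits of each product, and take the difference between
that sum and the next multiple of 11 (0 when the sum is already a multiple of 11).
The modulus 11 and the rejection of a remainder of 1 (which would need a two-digit
check "10") are assumptions; the manual shows only single-digit cases."""

WEIGHTS = (5, 4, 3, 2)
MODULUS = 11


def digit_sum(n):
    """Sum of the decimal digits of n, e.g. 25 -> 2 + 5 = 7."""
    return sum(int(ch) for ch in str(n))


def weighted_digit_sum(base):
    """Multiply each base digit by its weight and add the digits of every product."""
    if len(base) != len(WEIGHTS) or not base.isdigit():
        raise ValueError(f"base must be {len(WEIGHTS)} decimal digits, got {base!r}")
    return sum(digit_sum(int(d) * w) for d, w in zip(base, WEIGHTS))


def compute_check_digit(base):
    """Check digit for a base number, or None when the scheme yields no single digit."""
    s = weighted_digit_sum(base)
    check = (-s) % MODULUS          # distance up to the next multiple of 11
    return check if check < 10 else None


def verify(code):
    """True if the last character of code is the correct check digit for the rest."""
    base, given = code[:-1], code[-1]
    expected = compute_check_digit(base)
    return expected is not None and str(expected) == given


if __name__ == "__main__":
    for base in ("4388", "5100", "9106"):          # part a
        print(base, "-> check digit", compute_check_digit(base))
    for code in ("10307", "50008", "22222"):       # part b: all three fail
        print(code, "valid" if verify(code) else "invalid")
```

A transposed pair of digits (e.g. 3488 for 4388) changes the weighted sum and so is caught by the same check.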
47. Controls - 20 minutes Easy

a. Hash Totals:
   Account Number Total 16,010
   Invoice Number Total 1,018
Financial Totals:
   Gross Amount 694,560
   Discount 53,630
   Net Amount 640,930
Record Count is 3

b.
Edit Tests:
* Label check for transaction file.
* Check that all fields are present.
* Test each field for only numeric characters.
* Check sign of each numeric field.
* Test discount for reasonableness or exact percentage as appropriate.
* Check the combination field: Net Amount = Gross Amount - Discount.
* Check account number sequence. (Note: Invoice number sequence has no meaning in this illustration.)
* Verify batch totals (hash, financial, record count).

This problem is simplistic with its few fields and all-numeric data. Editing transactional data for overall validity can be quite complex. A test of a medical payment system found that the system made reimbursement for obviously erroneous claims such as birth control pills for men and dental work for newborn babies. The program manager argued that the existing editing features were adequate. His claim has merit in the sense that all controls are subject to cost/benefit considerations. Consider the enormous variety of medical claims which are possible; exhaustive editing may not only be costly but impossible.

48. Normal Form - 15 minutes Medium

No, the relation is not a flat file. A record in the file contains a code, a description, and a list of accounts to be debited or credited. A relation is normalized if it is a flat file, i.e., if it does not contain any repeating groups. To make the STANDARD-ENTRIES file a flat file, the list of accounts and debit or credit indicators would have to be removed from STANDARD-ENTRIES and set up as a separate file.

49. Control Weaknesses - 20 minutes Medium

a. Review and approval are basic to accounting control. Failure to review and approve all systems design work may result in systems which are not responsive to and/or desired by the end users. Systems work is also susceptible to situations where inadequately supervised personnel work on personal projects, quit the firm at or near completion, and then start a business to market what they developed on company time.
b. In either case it makes it likely that the backup procedures would fail if needed. Maintenance of backup controls is an important yet often neglected area.
c. It is necessary to document and implement organizational independence within the function.
d. Same objective as job rotation in manual systems: to have a period of operation during which a consistently covered irregularity might be discovered by the substitute operator.
e. Backup and recovery considerations if a person quits or is not available at the time of a program failure.
f. The objective is to edit files for validity. Otherwise a program could accept an improper file as input, wasting the run. Worse than this, if the file is on a DASD, the program may update and thus destroy the original contents of the file which was inadvertently processed.
g. Check digits are a basic numeric data editing technique which should be employed whenever possible.
h. Both review and approval are basic to accounting control in any type of system.
i. A user audit of the EDP function. The person who collects printouts does not review the contents. Both format considerations and overall content of output should be reviewed by users prior to use.
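The control totals and edit tests of problem 47 as an added example, not the manual's code: the three invoice records and the transmittal are constructed so that they reproduce the answer's totals, and the reconciliation holds output when the totals of the records that survive editing do not agree with the transmittal.

```python
"""Batch control totals and program edit tests from problem 47 (added example, not
from the manual).  The three invoice records and the transmittal totals are
constructed so that they reproduce the totals in the answer."""

FIELDS = ("account", "invoice", "gross", "discount", "net")

RAW_BATCH = [  # constructed key-transcribed records, already in account sequence
    {"account": "5000", "invoice": "338", "gross": "200000", "discount": "20000", "net": "180000"},
    {"account": "5500", "invoice": "339", "gross": "250000", "discount": "25000", "net": "225000"},
    {"account": "5510", "invoice": "341", "gross": "244560", "discount": "8630", "net": "235930"},
]

TRANSMITTAL = {  # totals the user department wrote on the batch transmittal (constructed)
    "record_count": 3, "hash_account": 16_010, "hash_invoice": 1_018,
    "gross": 694_560, "discount": 53_630, "net": 640_930,
}


def edit_record(raw, previous_account=None):
    """Apply the edit tests of part b to one record; returns a list of error messages."""
    errors = []
    for name in FIELDS:                       # presence, numeric characters, sign
        value = raw.get(name)
        if not value:
            errors.append(f"{name}: missing")
            continue
        digits = value[1:] if value.startswith("-") else value
        if not digits.isdigit():
            errors.append(f"{name}: non-numeric characters")
        elif value.startswith("-"):
            errors.append(f"{name}: negative value not allowed")
    if errors:
        return errors                         # later tests need clean numeric fields
    rec = {k: int(raw[k]) for k in FIELDS}
    if rec["discount"] > rec["gross"]:        # reasonableness of the discount
        errors.append("discount: exceeds gross amount")
    if rec["net"] != rec["gross"] - rec["discount"]:   # combination field
        errors.append("net: not equal to gross - discount")
    if previous_account is not None and rec["account"] < previous_account:
        errors.append("account: out of sequence")
    return errors


def edit_batch(batch):
    """Run the edit tests over a batch; returns (accepted records, {position: errors})."""
    accepted, rejected = [], {}
    previous = None
    for pos, raw in enumerate(batch):
        errs = edit_record(raw, previous)
        if errs:
            rejected[pos] = errs
            continue
        rec = {k: int(raw[k]) for k in FIELDS}
        accepted.append(rec)
        previous = rec["account"]
    return accepted, rejected


def control_totals(records):
    """Hash totals, financial totals and record count recomputed from the records."""
    return {"record_count": len(records),
            "hash_account": sum(r["account"] for r in records),
            "hash_invoice": sum(r["invoice"] for r in records),
            "gross": sum(r["gross"] for r in records),
            "discount": sum(r["discount"] for r in records),
            "net": sum(r["net"] for r in records)}


def reconcile(batch, transmittal):
    """Edit the batch, then compare the totals of the accepted records with the
    transmittal.  Returns (totals that disagree, rejected records); a non-empty
    list means output is held until the difference is explained, which may simply
    be the records that data editing rejected."""
    accepted, rejected = edit_batch(batch)
    computed = control_totals(accepted)
    differences = sorted(k for k in transmittal if computed[k] != transmittal[k])
    return differences, rejected


if __name__ == "__main__":
    print(reconcile(RAW_BATCH, TRANSMITTAL))
```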
50. Controls - 30 minutes Medium

a. Limit access to system programs through passwords (if on-line) or library procedures (if off-line). Operators should not have access to program documentation. Review the console log for unauthorized activity.
b. Key verification of input; batch control totals.
c. Enforce documentation standards by regular review of the work of programmers.
d. Internal label check.
e. Limit or unreasonableness testing to edit payroll data.
f. Fireproof storage and maintenance of duplicate files at a remote site.
g. External file labels; enforce and review file access procedures and documentation.
h. Batch control totals.
i. Check digit.
j. A field check to ensure that all characters are numeric.
k. Enforcement and review of program change procedures; the programmer should not have access to active programs unless this is subject to supervisory review.
l. Feedback to the person supplying the input. The system should respond after each input line: "You have just ordered item 'x', is this correct?" and require a yes/no response before allowing the operator to proceed. The user must assist in editing data input, particularly in on-line systems.
m. Data editing of output.
51. Control Analysis - 30 minutes Medium
CPA Examination, Unofficial Answer

a. The internal controls pertaining to input of information that should be in effect because an on-line, real-time computer processing system is employed should include:
(1) A self-checking digit or some other check should be used with every account number to prevent an entry to a wrong account.
(2) A daily record of all transaction inputs from each input terminal should be produced as a by-product of the computer processing so as to provide this supplemental record.
(3) EDP personnel should not initiate inputs to the computer except for testing purposes, so that a proper segregation of duties is maintained. Any testing should be done after regular processing is completed and should be recorded in the computer log.
(4) The internal audit staff should not initiate input to the computer, in order that the auditors will not be checking their own work.
(5) Computer file security should be provided to assure entries are not made to the accounts except during normal processing periods.

b. The internal controls which should be in effect pertaining to matters other than information input are as follows:
(1) Account balances should be printed out or dumped on magnetic disk at regular intervals to provide for record reconstruction and testing.
(2) Policy tests should be included in the computer program to permit ready identification of obvious exceptions, e.g., a withdrawal from an account should not exceed the balance on deposit in the account.
(3) The internal audit staff should have the responsibility for testing accounts and transactions and checking error listings. Adjustments to the accounts proposed by the internal audit staff should first be approved by a responsible official and then be recorded in the normal manner so as to provide proper segregation of work.
(4) Account balance printouts and transaction records necessary to reconstruct the accounts should be maintained in a separate location from the computer file storage as a precaution against simultaneous destruction.
(5) There should be provision for continued operation to avoid a time loss in case of computer failure, e.g., each terminal should have mechanical registers in addition to the computer's electronic registers.
(6) Security should be provided at each terminal to assure that certain operations could be initiated only by authorized supervisory personnel.
52. Control Procedures - 30 minutes Medium
CMA Examination, Unofficial Answer

a. The following steps have been omitted from the flowchart of the company's inventory and purchase order system:

General Omissions:
1. All input should be verified (daily procedure and data entry prior to Run 4).
2. The disposition of all paper documents and reports should be indicated at each step of the system.
3. Exception reports should be prepared for each computer run; such reports were not prepared for Runs 1, 4 and 5. Procedures for handling any exceptions should be indicated.

Specific Omissions:
4. Purchases and purchase returns and allowances of inventory items have been omitted. There should be a daily activity for purchasing and filing these activities as there is for sales.
5. No provision is made for additions, deletions, and changes to the inventory file. These would be prepared daily so that they could be processed during Run 2.
6. The conversion of input data to magnetic disk (Run 1) should include an edit run; a procedure to correct any errors discovered during this edit run should be indicated.
7. The files used in Run 2 have not been sorted properly.
   a. The weekly transactions (sales and returns, the omitted purchases and returns) should be sorted into the same sequence as the Master Inventory File.
   b. The Items Ordered Previous Week should be sorted in the same sequence as the Master Inventory File (this sort could be done after Run 5).
8. The Updated Master Inventory File has not been shown as an output of Run 2; this file should also be shown as an input for the next week by a broken line and arrow.
9. The Exception Report prepared in Run 2 requires review. Necessary corrections should be prepared and run on Monday in a supplementary run to update the Master Inventory File.
10. The Items to Order This Week should be sorted into the same sequence as the Master Vendor File prior to Run 3.
11. The changes that are input prior to Run 4 have to be sorted by vendor number in order to be processed in Run 4.
12. The output disk from Run 5 (Items Ordered This Week) should be shown as an input to Run 2 (Items Ordered Previous Week) by a broken line and arrow.

b. Listed below are control procedures the company could employ to assure proper functioning of its system.
1. The input prepared from the source documents should be verified before the documents are filed; all other input should be verified also.
2. All conversion of input should include an edit routine.
3. Transmittal tapes (i.e., batch totals) should accompany each batch of source documents from the Sales Department and the Receiving Department.
4. Other control totals should be employed throughout the system where applicable. For example:
   a. Record counts: Daily transactions should be counted to guard against lost transactions.
   b. Hash totals: Identification numbers (e.g., inventory codes, vendor codes) can be added as a check to determine if all items have been processed (all runs).
   c. Financial totals: Totals of financial items can be accumulated to determine if all items have been processed (all runs).
   These control totals would be compared against the appropriate transmittal tapes and other control totals prepared prior to processing.
5. A control report should be prepared at Run 2. This report would include such items as records input, new records added, old records deleted, and updated inventory counts. The control reports are used to assure that all records are accounted for and are used in conjunction with the control totals discussed above (items 3 and 4). Similar reports should be prepared for Runs 3, 4 and 5.
6. Check digits can be employed to verify the inventory part numbers and vendor numbers in Runs 2 and 3 respectively.
7. All disk files should contain external and internal labels.
8. The preparation of exception reports implies that reasonableness tests and sequence checking are being accomplished (see Runs 2 and 3). However, management should be sure that these tests are being accomplished in the other runs also.
53. Control Procedures - 30 minutes Medium
CMA Examination, Unofficial Answer (adapted)

The systems controls which should be instituted in Music Now's new system are listed below.
* Batch totals are accumulated prior to input, but there is no indication that they are used. These batch totals should be compared to output to be sure all data is entered and processed.
* All input should be verified to eliminate any mistakes in key transcription.
* Separate item codes should be used for sales, cash, credit, and new customers. This will permit priority updating, i.e., entering a new customer before sales.
* A validation or edit routine should be included in Run 1. Field checks, limit checks, valid transaction codes, and check digits are some of the tests which could be used.
* Control totals (both record counts and dollar amounts) should be generated at Run 1 and be output for comparison to the batch total transmittal tapes received. These control totals should then continue to be accumulated and compared at each computer run.
* Error listings should be output from all computer runs. These listings should be used to correct mistakes.
* An administrative control should be established to ensure that only properly approved credit memorandums and authorizations to write off bad accounts are processed. This assures that credit department personnel are not adjusting or writing off accounts without proper authority.
* Batch totals should be prepared for the delinquencies and write-offs and compared to the computer output after Run 5.

54. Controls Analysis - 30 minutes Hard

The following describes procedures that might be utilized. The instructor should stress the similarity of these options with those of a manual system. Note, however, the increase in control which is possible when these options are subject to machine control. For illustration, the instructor could review the section of the text discussion of the terminal operator's function which discusses application controls in effect to prevent the lapping of customer payments.

For processing remittances with multiple or no invoice payments referenced on them, the terminal operator has the following options available for entering data. He can enter:
(1) One of the invoice numbers and the remittance check amount.
(2) The customer's number, if it is on the remittance advice, and the check amount.
(3) The customer's name and the check amount.

Depending on the option selected by the operator, the system will process the input as follows:

If the entered invoice number and check amount do not match a record on the open-item accounts receivable file and there are multiple unpaid customer invoice numbers on the file, the system will display to the terminal operator all the unpaid invoice numbers and invoice amounts. The terminal operator then keys into the terminal the invoice number(s) to be applied against the check remittance, and the system applies the cash remittance to these invoices. If, after applying the cash amounts, the system determines that cash still remains to be applied, the system displays the remaining amount on the terminal. The terminal operator then selects one of the three alternatives outlined below.

When the system makes a match on the invoice number, but the check amount does not match, and there are no other unpaid invoices for the customer, the system applies the check amount to the open invoice items and displays the calculated difference between the invoice amount and the check amount to the terminal operator. The terminal operator then selects one of the following alternatives, which:
a. Requests a display of associated customer accounts (affiliates, subsidiaries, etc.) to determine if the remaining check amount should be applied to an unpaid invoice number.
b. Indicates to the system that the remaining check amount should be applied as a balance on account to the customer. (The system will assign a sequential invoice number for the remaining check amount.)
c. Establishes an invoice number based on the customer's remittance advice and enters it and the remaining check amount into the system as a balance on account for the customer.

When invoice numbers are not identified on the customer's remittance, the terminal operator may enter the customer number and the check amount. The system then displays a list of all unpaid invoices for the customer, and the terminal operator, using the previously described procedure, selects the invoices to which the check amount should be applied.

If the customer's name and check amount are entered by the terminal operator, the system will search the customer master file and display the customer name and address, the customer number, and a list of unpaid invoices. The terminal operator, after verifying the customer name and address, will apply the check remittance as previously described.

55. Controls Analysis - 20 minutes Medium
CMA Examination, Unofficial Answer

a.
Flowchart--see next page
b. Yes, the new cash receipts procedures have created some internal and systems control problems.
1. There are some potential control problems in the data entry procedures. The CRT operator should be restricted to cash receipts processing activities. There should be safeguards to detect or prevent unauthorized entries to the system.
2. The old master file records are destroyed in the update process. The company should keep a backup of the accounts receivable file in case the file is destroyed. This can be accomplished by periodically dumping the accounts receivable file to magnetic tape or another disk.
3. There is no assurance that all cash receipts have been entered correctly into the system. There should be some independent computation of batch and/or hash totals involving the remittance advices and the number of transactions so that a comparison at the conclusion of processing would reveal omissions or errors.
4. The remittance advices are destroyed the next day, which probably is too soon. Any errors or operator alterations not discovered by the end of the next business day would be difficult to trace and correct.
56. Controls Analysis - 20 minutes Medium

a. Deficiency/Weakness and b. Improvement Suggested:
1. Weakness: No input control totals. Improvement: Batches should be totaled before being input.
2. Weakness: Checks are not restrictively endorsed. Improvement: Checks should be restrictively endorsed.
3. Weakness: A remittance list is not prepared. Improvement: A remittance list should be prepared to enhance control.
4. Weakness: Operators have access to checks. Improvement: Operators should post from a remittance list.
5. Weakness: No reconciliation of input totals to processing. Improvement: Control totals for each batch should be reconciled to computer-generated totals.
6. Weakness: No reconciliation of the Payments Received Report to changes in the master file. Improvement: The Payments Received Report should be reconciled to a control report prepared by EDP at the end of processing.
7. Weakness: The deposit should be reconciled to the Payments Received Report. Improvement: Reconcile the deposit to the Payments Received Report.

57. Controls Analysis - 45 minutes Medium

a. The Magic Rock Company might utilize some or all of the following types of data edits and application processing controls in its computer-based inventory control system.

Data Editing of Transaction Records Prior to Processing.
1. Validate all fields for valid characters.
2. Validate records for required fields (this would depend on the value of field 1, the transaction code).
Electronic Data Processing Systems 6
3. Validate the values in fields as reasonable or acceptable. Examples include: valid transaction code, valid product number, reasonable quantity, valid vendor number, valid customer number, valid salesman number.
4. Validate that the transaction file is sorted into ascending sequence on product number prior to processing against the inventory master file. Note that the transaction file should be further sorted into ascending sequence on transaction code (as a secondary sort key) for each product number (primary sort key) prior to processing against the inventory master file. It is important that transaction code 2 be processed after transaction code 1, and that transaction code 3 be processed after codes 1 and 2.
Application Processing Controls.
1. Master File Header Label Processing: validate file identification number; input record count; validate last posting date (for correct version).
2. Transaction File Header Label Processing: input hash total of the transaction file; validate current processing date.
3. Transaction processing:
Transaction code 1: Delivery From Vendor. Check that the quantity on hand is reasonable and that the reduction in the quantity on order from vendor field does not result in a negative value.
Transaction code 2: Inventory Status Check. Edit any discrepancy between the actual quantity on hand and that which is recorded in the related inventory record. If a large or unreasonable discrepancy is found, output a special message to this effect.
Transaction code 3: Customer Order. Validate that the update of the quantity on hand field does not result in a negative number.
Transaction code 4: End of Job Processing. The program should accumulate a master file record count and a hash total of field 3 of the transaction file during processing and provide a reconciliation of these control totals to those which were input from the header labels. Any summary processing totals (such as total shipments or total orders) should be output.
b. From a control viewpoint, there are two distinct types of data fields contained in the master inventory file. Fields 1 (Product Number), 2 (Quantity on Hand), and 3 (Unit Cost) are accounting data and must be kept as accurate as possible through exhaustive data editing and periodic auditing. These values directly impact the firm's financial statements. Fields 4 (Reorder Point), 5 (Quantity On Order From Vendor), 6 (Reorder Quantity), 7 (Current Shipping Rate), and 8 (Current Return Rate) are not accounting data but operational data. Although it is desirable that such data be accurate, such data is subjective in nature and does not directly impact the firm's financial statements. Thus data editing and periodic audit of these values need not be as thorough.
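The data edits, sort-sequence check, header-label control-total reconciliation and transaction-code posting controls of answer 57(a) (and the batch/hash-total comparison called for in 55 and 56), worked as an added Python example; this is not code from the solutions manual. The transaction-file field layout, the table-file contents, the tolerance used to call a status discrepancy "large", and the sample batch are all assumed or constructed.

```python
"""Data edits, sort-sequence check, control-total reconciliation and posting
controls for an inventory transaction file, in the shape of the Magic Rock
answer. Added example, not the textbook's code. Assumed layout: field 1 =
transaction code (1 delivery from vendor, 2 inventory status check,
3 customer order, 4 end of job), field 2 = product number (primary sort key),
field 3 = quantity (the header label's hash total is taken over it),
field 4 = vendor number (code 1) or customer number (code 3)."""
from __future__ import annotations
from dataclasses import dataclass

VALID_PRODUCTS = {"P100", "P200", "P300"}              # table file (constructed)
PARTY_TABLE = {1: {"V01", "V02"}, 3: {"C10", "C11"}}   # vendors / customers (constructed)
MAX_REASONABLE_QTY = 10_000                            # reasonableness limit, assumed
STATUS_TOLERANCE = 0.05                                # discrepancy above 5% is "large", assumed


@dataclass
class Txn:
    code: int
    product: str
    quantity: int
    party: str = ""


def edit_record(t: Txn) -> list[str]:
    """Edits 1-3: valid code, required fields present, values valid and reasonable."""
    if t.code not in (1, 2, 3, 4):
        return ["invalid transaction code"]
    if t.code == 4:                          # end-of-job record carries no data fields
        return []
    errors = []
    if t.product not in VALID_PRODUCTS:
        errors.append("invalid product number")
    if not 0 <= t.quantity <= MAX_REASONABLE_QTY:
        errors.append("unreasonable quantity")
    table = PARTY_TABLE.get(t.code)          # vendor for code 1, customer for code 3
    if table is not None and t.party not in table:
        errors.append("missing or invalid vendor/customer number")
    return errors


def check_sequence(txns: list[Txn]) -> list[int]:
    """Edit 4: ascending on (product, code) so code 1 posts before 2 before 3 for
    each product; the code-4 record must be last. Returns offending indexes."""
    body = txns[:-1] if txns and txns[-1].code == 4 else txns
    return [i for i, t in enumerate(body) if t.code == 4
            or (i and (t.product, t.code) < (body[i - 1].product, body[i - 1].code))]


def reconcile_header(txns: list[Txn], header_count: int, header_hash: int) -> dict:
    """Accumulated record count and hash total of field 3 versus the header label."""
    body = [t for t in txns if t.code != 4]
    return {"count_ok": len(body) == header_count,
            "hash_ok": sum(t.quantity for t in body) == header_hash}


def post(master: dict, t: Txn) -> str | None:
    """Processing controls for codes 1-3; a returned message means a control fired."""
    rec = master[t.product]
    if t.code == 1:
        if rec["on_order"] - t.quantity < 0:
            return "delivery exceeds quantity on order from vendor"
        rec["on_order"] -= t.quantity
        rec["on_hand"] += t.quantity
    elif t.code == 2:
        diff = abs(rec["on_hand"] - t.quantity)
        if diff:
            large = diff > STATUS_TOLERANCE * rec["on_hand"]
            return f"{'LARGE ' if large else ''}status discrepancy of {diff} units"
    elif t.code == 3:
        if rec["on_hand"] - t.quantity < 0:
            return "customer order would drive quantity on hand negative"
        rec["on_hand"] -= t.quantity
    return None


def run_batch(txns: list[Txn], master: dict, header_count: int, header_hash: int) -> dict:
    """Edit, sequence-check and post one batch; rejects and exceptions are keyed by
    record index so the control report can name them."""
    rejected = {i: e for i, t in enumerate(txns) if (e := edit_record(t))}
    out_of_sequence = check_sequence(txns)
    exceptions = {}
    if not out_of_sequence:                  # never post an unsorted file
        for i, t in enumerate(txns):
            if i not in rejected and t.code != 4:
                msg = post(master, t)
                if msg:
                    exceptions[i] = msg
    return {"rejected": rejected, "out_of_sequence": out_of_sequence,
            "exceptions": exceptions,
            "header": reconcile_header(txns, header_count, header_hash)}


def fresh_master() -> dict:
    """Constructed master-file extract: quantity on hand and quantity on order."""
    return {"P100": {"on_hand": 10, "on_order": 60},
            "P200": {"on_hand": 100, "on_order": 0}}


# Constructed batch; its header label would carry record count 5, hash total 670.
SAMPLE_TXNS = [
    Txn(1, "P100", 50, "V01"),   # delivery: on order 60 -> 10, on hand 10 -> 60
    Txn(3, "P100", 20, "C10"),   # order: on hand 60 -> 40
    Txn(2, "P200", 95),          # count 95 vs recorded 100: discrepancy message
    Txn(3, "P200", 500, "C11"),  # would drive P200 negative: exception
    Txn(3, "P999", 5, "C10"),    # unknown product: rejected by the edits
    Txn(4, "", 0),               # end-of-job record
]
```

Calling `run_batch(SAMPLE_TXNS, fresh_master(), 5, 670)` yields one rejected record, two exception messages and a clean header reconciliation; changing the header hash total to any other value flags the batch without posting being affected.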
58. Controls Analysis - 30 minutes Medium
The preliminary survey of Circle Company's database system indicates that the general controls are weak while the application controls are, subject to verification of existence and compliance, strong. Specific general control weaknesses include:
(1) There is no database administrator who is separate from EDP operations and computer programmers. The database dictionary was established and is controlled by the manager of computer programming.
(2) Access to on-line data terminals is not restricted.
(3) The system documentation is not available on a "need-to-know" basis only. Complete system documentation is available to users and to EDP personnel.
(4) Distribution of printed output is uncontrolled. Printed output is placed in a bin outside the EDP room where users pick it up at their convenience.
The majority of the controls in operation are application controls. Several controls which are apparent from the results of the preliminary survey include:
(1) Documentation of the database system is extensive.
(2) The database software maintains a user authorization table.
(3) There is an approval process for passwords.
(4) The database software maintains a transactions-conflict matrix.
(5) User requests for data are validated by the system.
(6) Users must use passwords to log onto the system.
(7) Terminal activity logs are maintained.
(8) Terminal input is edited for reasonableness and completeness.
(9) Transaction control totals are developed and reconciled.
(10) Processing control totals are developed and reconciled to changes in the database.
(11) Output is reconciled to transaction and input control totals.
(12) Backup copies of the database are made daily and stored in the file library area.
Thus there appear to be sufficient controls over input, processing, and output to warrant a preliminary opinion that the application controls are strong. Strong application controls are necessary but insufficient if weak general controls exist. Subject to further investigation, it appears that the general controls over the database need to be strengthened.
WEB RESEARCH ASSIGNMENTS
59. The privacy issue arises in various contexts. Some have expressed concern that RFID tags attached to merchandise might be surreptitiously scanned after customers leave the store in which the goods are purchased. RFID tags in passports, credit cards, or identification cards might be read at a distance. Encryption might be the best solution to these concerns.
60. Lean accounting involves optimizing the extended supply chain across suppliers and buyers. Optimizing the extended supply chain requires a common standard of communication between suppliers and buyers. EDI and ebXML provide such a common standard.
61. Various companies, including http://www.personable.com, provide Quickbooks as a software service (SaaS). Yes, Quickbooks performs real-time transaction processing. Yes, an extranet can be created by giving clients limited access.
62. William McCarthy, one of the fathers of the REA model, has been an active member of the OASIS and UN/CEFACT ebXML development teams. It is expected that ebXML will support the REA model.
63. Crossword - see next page
Across
2. CONTINUOUS OPERATIONS AUDITING — discriminate between acceptable and nonacceptable data values.
3. VALID CODE CHECK — a table-lookup procedure in which the table file consists of valid data codes.
9. TAGGING — audit-oriented information that is included with original transaction data when they are recorded.
12. KEY VERIFICATION — accuracy of key-transcribed input data.
14. OUTPUT DISTRIBUTION REGISTER — controls the disposition of reports.
16. LIMIT TEST — numeric data field as being within a range.
17. OUTPUT CONTROLS — ensure that certain things are distributed properly to users.
20. TABLE LOOKUP — compares the value of a field with the acceptable values contained in a table file.
Down
1. ON-LINE REAL-TIME SYSTEMS — immediate processing.
4. SON-FATHER-GRANDFATHER RETENTION — backup.
5. REFERENCE FILE — lookup data.
6. PROGRAM DATA EDITING — screens data prior to computer processing.
7. REAL-TIME PROCESSING — immediate or fast-response processing.
8. TRANSACTION PROCESSING SYSTEM — a system that collects and processes transactions and provides immediate output concerning processing.
10. POINT-OF-SALE SYSTEM — cash register.
11. INPUT DOCUMENT CONTROL FORM — documents batch control totals.
13. LINE CODING — assigning codes to items in the general ledger that indicate the item's use and placement in financial statements.
15. BATCH PROCESSING — groups on a periodic basis.
18. CHECK DIGIT — involves mathematical calculations.
19. TABLE FILE — contains data that are necessary to support data processing.
Chapter 7 REVENUE CYCLE PROCESSES
TEACHING TIPS
I prefer to start out by walking students through the customer order business process. I begin by asking the class if anyone can tell me what happens first in a sales transaction. Eventually, someone says that a customer order is received. Then I ask what happens next. Eventually someone says that a sales order is prepared. I continue on until I have completed the entire customer order business process this way. While I'm walking the students through the customer order business process, I will mention that when I'm done I will call on someone to repeat the whole thing at the end. This gives students an incentive to pay more careful attention. After I'm done with the walk through, I'll go through the whole thing again, asking students to name possible internal controls at each step. For example, prenumbering would be an important control for the preparation of the sales order. A credit check would be another control. By the time I'm done with the whole exercise, most students in the class can describe the entire process with the appropriate control points.
The discussion of SAP ERP is highly detailed, and it is not expected that anyone could remember all of the details described. However, ask students what information input and processed by SAP ERP seems to be not useful. The answer should be that all of the information is potentially useful. ERP systems collect and process vast amounts of information in order that companies can micro-manage their business processes and provide customized service to their customers.
I highly recommend covering the multiple-choice questions in the end-of-chapter materials.
SALES BUSINESS PROCESS
Overview: The sales business process includes:
• inquiry (optional)
• contract creation (optional)
• order entry
• shipping
• billing
Order fulfillment is the primary function of the sales business process. Orders are created when a customer requests goods or services from a firm.
Inquiry: A quotation is a document that is prepared and sent to a potential customer to inform them of product prices, product availability, and delivery information. A quotation is prepared when a potential customer has made a fairly specific request for details concerning a potential order. An inquiry is similar to a quotation, but an inquiry does not contain delivery information.
Contract Creation: Some companies require that contracts (legal agreements) be prepared before selling to customers as a matter of company policy. A contract is an outline agreement to provide goods or services to a customer. A contract usually specifies quantities and a general time frame for deliveries. A contract to provide goods over a period of time is sometimes called a blanket order.
Revenue Cycle Processes 7
Order Entry: Order entry prepares the sales order document. Order entry usually involves pricing and availability checking. Many companies perform a credit limit check on the customer once pricing is complete and before the order is released for fulfillment.
Shipping: A delivery document is created to arrange for the delivery of goods to the customer. A picking list is prepared to guide picking activities. A packing list is prepared for each shipment and a copy is usually included in the shipment to document what has been shipped. A bill of lading is prepared to document the loading of goods onto vehicles for transportation to the customer.
Billing: Deliveries are included in the billing work schedule and are invoiced. An invoice for the shipment is prepared and issued to the customer. The issuing of the invoice is the end of the sales business process.
SAP ERP Illustration
ERP systems are capable of storing and processing a vast amount of information pertaining to the sales business process. This section provides an overview of the data that is stored and processed in the sales business process by SAP ERP.
Customer Master Records: Customer master records contain all of the information that pertains to a customer. Customer master records have to be created before processing sales orders in SAP ERP as the information in customer master records is used in sales order processing.
Data Fields: Customer master records are created by inputting information into SAP ERP. SAP ERP guides the input process by displaying a series of screens on a video monitor which prompt the user to input the necessary data. Each screen collects a category of data pertaining to a customer. The Create Customer input screens in SAP ERP facilitate input through the use of list boxes and search facilities.
The following input screens are described:
• Initial Screen
• Address Screen
• Control Data Screen
• Marketing Screen
• Payment Transactions Screen
• Unloading Points Screen
• Foreign Trade Screen
• Contact Person Screen
• Account Management Screen
• Payment Transaction Screen
• Correspondence Screen
• Insurance Screen
• Sales Screen
• Shipping Screen
• Billing Screen
• Taxes Screen
• Output Screen
• Partner Functions Screen
One-time Customers: Due to the complexity of creating customer master records, SAP ERP allows for the creation of a single 'dummy' master record for one-time or infrequent customers. All of these customers are passed through this one-time record.
Standard Order Processing in SAP ERP: This section provides an overview of standard order processing in SAP ERP. Standard order processing is a term that describes the sales business process in which customer orders are filled from an inventory of finished goods. A customer master record has to exist before a sales order can be created. Each activity in the sales business process - quotation, order, delivery, invoice, etc. - generates a document. SAP ERP's document flow feature lets one track and view these documents. A query is a request for information in a database. SAP ERP features powerful query capabilities.
Transaction Cycle Controls in Order Processing
Transaction cycle controls are based on a separation of functions within a business process.
Order Entry: The order entry function initiates the processing of customer orders with the preparation of the sales order document. Prices entered on sales orders should be approved by management or an organizational function that is independent of the sales order function. An independently prepared master price list contains the prices authorized by management and in effect at a particular date and is the source of prices used in the preparation of sales orders.
Credit: A customer's credit standing should be verified prior to the shipment of goods.
Inventory: Inventory picks the order as described on a picking list. The picking list is prepared from the delivery document that is prepared by the order database to process the approved order.
Shipping: Shipping accepts the order for shipment after matching the order as described on the picking list that accompanies the goods to the order as it is described on the packing work list. The order information contained in the packing work list is independently prepared as it is based on the orders prepared by the order entry function and approved by the credit function. Shipping typically prepares a bill of lading for the delivery.
Billing and Accounts Receivable: Billing completes the order process by preparing invoices for orders that appear on the billing work list. The distinction between billing and accounts receivable is important to maintain separation of functions.
SOX Compliance: Sales Business Process. Risk assessment of the sales business process will be necessary for compliance with SOX.
CUSTOMER ACCOUNT MANAGEMENT BUSINESS PROCESS
The customer account management business process includes accounts receivable processing through the collection of customer payments on account. We include a brief discussion of the cash sales business process, as it is often integrated with the process for the collection of customer payments on account.
Accounts Receivable. A subsidiary ledger of individual accounts is maintained, with a control account in the general ledger. In open-item processing, a separate record is maintained in the accounts receivable
system for each of the customer's unpaid invoices. As customer remittances are received, they are matched to the unpaid invoices. In balance-forward processing, a customer's remittances are applied against a customer's total outstanding balance rather than against a customer's individual invoices. Many businesses use a cycle billing plan, in which the accounts receivable file is subdivided by alphabet or account number. The idea is to distribute the preparation of statements over the working days of the month.
Transaction Controls in the Accounts Receivable Business Process
Cash Receipts. Customer remittance slips are forwarded to accounts receivable for posting from cash receipts. Accounts receivable does not have access to the cash or checks that accompany customer remittances.
Billing. Invoices, credit memos, and other invoice adjustments are routed to accounts receivable for posting to the customer accounts. This maintains a separation of functions. Billing does not have direct access to the accounts receivable records.
Accounts Receivable. Accounts receivable is responsible for maintaining the subsidiary accounts receivable ledger. A control account is maintained in the general ledger department. Debits and credits are posted to the customer accounts from the posting media - remittance advices, invoices, and so on - received from billing and cash receipts. This maintains separation of functions.
Credit. Credit department functions in an accounts receivable application system include the approval of sales returns and allowances and other adjustments to customer accounts, the review and approval of the aged trial balance to ascertain customers' creditworthiness, and the initiation of write-off memos to charge accounts to bad debt expense.
General Ledger. General ledger maintains the accounts receivable control account.
Sales Returns and Allowances. Allowances and returns should be reviewed and approved by an independent party (usually the credit department); when authorized, billing issues a credit memorandum to document the reduction to the customer's account.
Write-off of Accounts Receivable. The central feature in a write-off procedure is an analysis of past-due accounts, usually done with an aged trial balance. The credit manager initiates a write-off, which is approved by the treasurer.
SOX Compliance: Accounts Receivable Business Process. Risk assessment of the sales business process will be necessary for compliance with SOX.
CASH-RECEIVED-ON-ACCOUNT BUSINESS PROCESS
A cash-received-on-account process is used when there is an established customer account balance. The major feature is separation of the following functions.
Mailroom. A remittance list of the payments received is prepared.
Cash Receipts. Checks received from the mailroom are combined with cash receipts, and a deposit slip is prepared in three copies. The remittance list and control total received from the mailroom are balanced to the deposit slip, and the agreement of these amounts is approved. The remittance list is then used to post the amount of the payments received from the mailroom into the cash receipts journal. A journal voucher is prepared and forwarded to the general ledger. The remittance list, control total, and a copy of the deposit slip are filed by date. The deposit is forwarded intact to the bank.
Accounts Receivable. The remittance advices are posted to the accounts receivable ledger. The postings to the ledger are totaled. The control total is balanced to the remittance list. The agreement of these amounts is approved. The remittance advices are sorted and filed by customer. The remittance list and a copy of the control total of postings are filed by date. A copy of the control total is forwarded to the general ledger.
General Ledger. The journal voucher from cash receipts and the control total received from accounts receivable are compared. The amounts are then posted to the general ledger.
Bank. The validated copy of the deposit slip is returned to internal audit and filed by date.
Internal Audit. Internal audit receives the periodic bank statement.
Lock-Box Collection Systems. Using a lock-box deposit system reduces float.
Cash Sales Business Process. The significant difference between a cash sales business process and a cash-received-on-account business process is that there is no previous asset record (customer account balance) in a cash sales business process. The generation of initial documentation of cash sales is thus the focal point of the control system. Once a record has been prepared, cash sales are subject to accounting control. Customer audit is a general term used to describe procedures in which the customer acts as a control over the initial documentation of a transaction.
REVIEW QUESTIONS
1. The steps in the sales business process are inquiry (optional), contract creation (optional), order entry, shipping, and billing.
2. Order entry usually involves pricing and availability checking of goods in the order, and also checking the customer's credit after the order has been priced.
3. A delivery document is created to arrange for the delivery of goods to the customer. A picking list is prepared to guide picking activities. A packing list is prepared for each shipment and a copy is usually included in the shipment to document what has been shipped. A bill of lading is prepared to document the loading of goods onto vehicles for transportation to the customer.
4. The four types of master records that are used in SAP ERP are:
• sold-to-customer records
• ship-to-customer records
• bill-to-customer records
• payee customer records
5. The "Create Customer: Output Screen" is used to change the default output specifications for various documents that can be produced for customers. Fields collect data concerning details such as output type (quote, invoice, etc.), language to be used, transmission medium (paper, fax, EDI), send time (immediately or next batch run), and number of copies produced. Items can be changed, added, or deleted.
6. A customer master record has to exist before a sales order can be created. SAP ERP can copy information from the master record into the sales order as necessary.
7. Each transaction in the sales business process - quotation, order, delivery, invoice, etc. - generates a sales document. SAP ERP's document flow feature lets one track and view these documents. A query is a request for information in a database. SAP ERP features powerful query capabilities. One can display an order by inputting the order number. One can display a list according to a criterion. For example, one can list all of the orders for a particular customer or for a particular product number. The system allows one to 'drill-down' to more detail, for example, more detailed information concerning a line item on an order.
8. Billing is responsible for invoicing individual sales transactions, while accounts receivable maintains customer-accounts information and sends periodic statements of account to customers.
9. Debit: Accounts Receivable
   Credit: Sales
More detailed accounts may be used, but the above entry indicates the essential accounts.
10. An acknowledgment copy of the sales order may be sent to the customer to inform the customer that the order has been received and is in process, but shipment cannot be made immediately.
11. An independently prepared master price list contains the prices authorized by management and in effect at a particular date. It provides an independent basis for validating that the prices used in billing have been authorized by management.
12. A customer's credit should be verified prior to the shipment of goods.
13. In cycle billing, the processing of accounts receivable is subdivided by alphabet or account number in order to distribute the preparation of statements over the working days of the month.
14. Cycle billing reduces the need for resources as the preparation of statements is distributed over the working days of the month. Cycle billing often has a beneficial effect on cash flow, since consumers generally pay bills shortly after receiving them.
15. A dunning procedure is the action taken to collect payments from customers who are late in making payments on their accounts.
16. Periodic statements inform customers of their balances. This both asks for payment and also serves as a check on the customer's book balance.
17. In open-item processing, a customer's remittances are applied against individual invoices rather than a customer's outstanding balance. In balance-forward processing, a customer's remittances are applied against a customer's outstanding balance rather than against individual invoices.
18. The major features of control in a sales return and allowance process are that two independent parties are required to approve the transaction, while a third party maintains the records.
19. An employee might intercept a customer's payment on account and then arrange for the account to be written off, so that the customer does not continue to be billed for the amount.
20. The basic objective in any cash receipt business process is to minimize exposure to loss.
21. The most critical phase of cash receipts is the initial documentation evidencing a receipt. Customer audit techniques, supervision, and imprest techniques are used to control cash receipts.
22. A remittance advice documents a remittance. Checks and remittance advices are separated and processed independently to ensure control.
23. The major features of control in a cash receipts process are the separation of functions and the generation of initial documentation.
24. A lock-box collection system can usually reduce float--the time between the signing of the payment check by the customer and the moment the firm has use of the funds.
25. A professional shopper is a person hired to purchase goods in a retail environment for the specific purpose of observing the recording of sales transactions.
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS
26.-50. Multiple-Choice Varies
26. A 27. D 28. C 29. B 30. C 31. A 32. A 33. B 34. D 35. A 36. A 37. B 38. D 39. C 40. A 41. A 42. A 43. A 44. C 45. D 46. D 47. C 48. D 49. B 50. A
51. Internal Controls - 20 minutes Easy
a. Avoid the possibility of a shortage being temporarily covered by an employee at the time of a scheduled reconciliation.
b. Independent count of cash; otherwise, cashiers may be able to extract cash overages to coincide with the register total.
c. Independent reconciliation of receipts and deposits. Also to review that deposits are made daily intact.
d. Separates cashiers and allows them to be held individually responsible for cash in their use.
e. Customer audit technique.
52. Sales - 45 minutes Medium CPA Examination, Unofficial Answer
a. Logical Data Flow Diagram (see next page)
b. The internal control weaknesses in the company's procedures related to customer billings and remittances include the following:
(1) No evaluation is made of the customer's credit rating. Substantial bad debts may be incurred by selling on open account to existing customers delinquent in their remittances or to new customers in weak financial positions.
(2) The functions of authorizing shipment (preparation of the sales invoice with copies to the shipping department) and of billing should be separated to preclude the possibility of an individual initiating a shipment to a personal account and later, after shipment, destroying the shipping notice (copy no. 3) and the invoicing copies (no. 1 and no. 3).
(3) The sales invoices are not prenumbered and their numerical sequence is not accounted for. The use of prenumbered invoices and accounting for their numerical sequence provides a means for ascertaining that all invoices prepared are included in the totals posted to the general ledger control accounts and in the details posted to the accounts receivable ledger cards. Such prenumbering and accountability would also serve to thwart the potential fraudulent practice outlined in no. 2 above. Accounting for all numbers should be done by an individual independent of the billing function after the invoices have been posted.
(4) Invoices are not checked for accuracy of quantities, prices, extensions, discounts, or totals. Unless the invoices are checked, undue reliance is placed on the work of only one person who is subject to human fallibility.
(5) There is no follow-up of unprocessed sales invoices held by the accounts receivable clerk. Other sales invoices for which notices of shipment have not been received should be investigated to ensure that orders are filled and invoiced promptly.
(6) Collections on account are not restrictively endorsed at the earliest possible time upon receipt by the Company. To ensure the deposit of the funds to the credit of the Company, checks should be endorsed with the Company endorsement stamp at the earliest possible time, preferably by the clerk opening the mail.
(7) The accounts receivable clerk performs the billings, posts the accounts receivable ledger card, and receives the remittances prior to endorsement. This mingling of the functions of billing and posting of billings and collections is unwise because it permits the possibility of the clerk's not recording a sale to a customer and later diverting the collection.
(8) Best internal control over collections is obtained by having the funds deposited intact and as quickly as possible with as few people as possible having access to the receipts. The internal control can be strengthened by having the clerk opening the mail prepare a list of collections which, together with the accompanying correspondence and vouchers, would be the basis of posting receivables and receipts. Checks, restrictively endorsed, should be forwarded directly to the cashier for deposit.
(9) Authority for approval of customer deductions for freight and advertising allowances, returns, etc., should be vested in a person of authority because unauthorized deductions and operating inefficiencies of the company would otherwise be undetected. Furthermore, to place this authority with the person doing the posting of cash receipts leaves open the opportunity for diverting a cash collection and subsequently authorizing a credit of like amount for an allowance or returned goods.
(10) The preparation of the monthly trial balance of open accounts receivable and comparison of the resultant total with the general ledger control account for accounts receivable should be done by someone other than the accounts receivable clerk. The purpose of this separation of duties, which would disclose an out-of-balance condition, is to prevent the protracted concealment of posting errors by the accounts receivable clerk who may be attempting to avoid personal criticism. Although the posting errors can lead to no direct material benefit to the accounts receivable clerk who would not handle cash under the revisions suggested by no. 7 and no. 8 above, the errors can result in losses for the company where an individual account balance is understated and the customer remits for the lesser amount appearing on his monthly statement. On the other hand, if posting errors result in an overstatement of his account, the customer may become dissatisfied.
53. Sales - 30 minutes Medium CIA Examination, Unofficial Answer
a. Flowchart.
b. Internal control deficiencies:
(a) There is no mention of how the Shipping department is instructed to ship. As a result, there may not be a form of control over revealing its failure to ship or over inability to make shipments because of a lack of product.
(b) There is no mention that the shipping order forms and the sales invoice forms are or are not prenumbered for control.
(c) There is no mention of a sales journal nor of who prepares the accounts receivable control account. This fails to disclose whether there is adequate control over the posting made by the accountant to the accounts receivable ledger.
(d) The accountant seems to be in a position to suppress the posting copy of the billing, presumably without detection.
(e) The Billing Department should retain a copy of the billing, and the Shipping Department should retain a copy of the shipping order.
(f) There is no reference to customers' purchase orders.
(g) There is no reference to monthly customers' statements.
54. Internal Control - 15 minutes Easy CIA Examination, Unofficial Answer
The control functions performed by each of the following departments when processing complaints and issuing credit memos are:
(a) Receiving Department
• attests to receiving the returned merchandise
• determines the condition of the returned merchandise
(b) Sales Department
• reviews the original terms of the order
• agrees to the return of merchandise
• approves any price allowance
• fulfills the customer service function of working to keep a satisfied customer
• discusses a replacement item with the customer
(c) Production Department
• takes any steps to prevent repetition of the problem
• determines if the returned merchandise has an alternative use
• processes any further changes to the returned merchandise
• returns the merchandise to stock if necessary
(d) Customer Service Department
• approves the merchandise return
• coordinates the basic control data of credit returns
• coordinates and arranges the adjustment
• communicates with the customer
• obtains the proper approvals for the adjustment
• issues credit advices to all the concerned departments
(e) Accounts Receivable Department
• reconciles detailed credit memorandum listings to postings in the subsidiary ledger
• reconciles the subsidiary ledger to the general ledger control
• posts to the subsidiary ledger
55. Analytic Flowchart - 30 minutes Medium CPA Examination, Unofficial Answer
The weaknesses in internal accounting controls are these.
Warehouse Clerk
• Releases lumber prior to authorization, for example, approval of the customer's credit.
• Copies of the shipping advice should be prepared and forwarded to Bookkeeper #1.
• Lacks documentation that lumber was given to the carrier.
Bookkeeper #1
• Credit is authorized by the bookkeeper and not by a responsible officer.
• Prepares and mails the invoice without knowledge of what was shipped.
Bookkeeper #2
• The bookkeeper who maintains the general ledger should not be responsible for footing and crossfooting of journals, that is, the sales and cash receipts journals.
• The subsidiary accounts receivable ledger should be reconciled to the general ledger.
Collection Clerk
• The collection clerk should not maintain the sales journal.
• The collection clerk should not maintain the accounts receivable subsidiary ledger.
• The remittance advice is not used as the basis for posting collections.
• Checks are not promptly endorsed by the mail clerk.
• Cash receipts are not promptly deposited.
• Deposit slips are not reconciled to the cash receipts journal or to debits in the general ledger.
56. Lock Box Systems - 20 minutes Easy
(a) Average daily sales = $21,600,000 / 360 days = $60,000
Current float = 8 days x $60,000 = $480,000
Lockbox float = 2 days x $60,000 = $120,000
Reduction in float = $360,000
Less: minimum balance 70,000
Net Cash Freed = $290,000
(b) $1,200 / $290,000 = .413%
57. Internal Controls - 15 minutes Easy
a. Checks provide a physical record to document expenditures.
b. Separation of duties: record keeping (review and accounting for NSF checks, etc.) should be independent of cashier operations.
c. Segregation of duties.
d. Recording income in advance of collection serves as a control by anticipating the amounts to be received. Income from operations is generally subject to various application system controls. Nonoperating income is generally outside the normal business routine, and it is possible that such income might be lost through inadvertence or fraud.
e. This helps prevent alteration of petty cash slips and/or amounts by the petty cash custodian.
58. Cash Sales - 1 Hour Medium CPA Examination, Unofficial Answer
(a) Flowchart (See following two pages)
(b) Weaknesses and corrective action
Weakness: No control over opening of mail to prevent abstraction of receipts at that point.
Corrective action: The employee opening mail receipts should be supervised. An alternative procedure would be to utilize a bank "lock box" system.
Weakness: Checks and remittance advices are not separated.
Corrective action: The remittance advice should not stay with remittances after preparation. Cash should go directly to a cashier and then to the bank.
Weakness: The credit function (review for past-due accounts) should not be in the accounting department.
Corrective action: This function should be coupled with the credit-granting function, which is usually placed under the treasurer.
Weakness: Customer remittances should not come to the accounting department.
Corrective action: This violates a necessary separation of functions.
Weakness: The accounts receivable clerk is overworked and has incompatible duties.
Corrective action: Aside from handling cash, this employee maintains the accounts receivable ledger, the cash receipts journal, and the sales journal. Some of these duties should, if possible, be given to other employees.
Weakness: There are two separate cash receipts flows.
Corrective action: Counter receipts and mail receipts should be coordinated and sent directly to the cashier.
Weakness: The "cashier" is in the sales department and performs a credit-granting rather than a cashier's function.
Corrective action: The cashier's function should be transferred to a position under the treasurer and handle all cash. Credit should not be approved in the sales department if it appears there could be a conflict of interest.
59. Cash Receipts - 30 minutes Medium CPA Examination, Unofficial Answer
Weaknesses / Corrective Action
(1) Weakness: There is no segregation of duties between persons responsible for inspecting actual usage and for authorizing usage.
Corrective action: Residents should apply to the town hall to obtain parking stickers. The town hall should establish and maintain control over their distribution. The guard on duty should be responsible solely for overseeing the parking lot.
(2) Weakness: The current system does not allow for a proper test or proof of the accuracy of amounts said to be collected.
Corrective action: The guard on duty at each shift should complete a physical count form that shows the number of cars parked in the lot. The form should be sent to the town accounting department where the "expected daily cash receipts" can be computed and eventually compared to the actual amount deposited. Discrepancies should be investigated and resolved immediately. The minimum and maximum daily receipts should be established and an overall review of the reasonableness of actual receipts should be made.
(3) Weakness: The current system does not allow for a proper test for possible unauthorized usage or unpaid parking meter fees.
Corrective action: Town internal auditors, inspectors, police, or other independent persons should make periodic unannounced inspections to verify that only autos with stickers are parked in the lot and that the time has not expired on the meter.
(4) Weakness: The cash collection procedures are not adequately controlled.
Corrective action: Coins should be collected daily with dual participation in opening the meters by a special uniformed collector and the guard on duty. Each individual should have a key and meters should be such that both keys are required to open them. If practicable, as an alternative to dual participation, mechanical equipment should be used so that the collector does not have to touch the coins in order to extract them from the meters. In addition, internal auditors, inspectors, or other independent persons should observe the collection procedures on a periodic, surprise basis.
(5) Weakness: Initial cash receipts records are not promptly prepared, and responsibility for the amount of cash received is not clearly defined.
Corrective action: In the absence of meter readings, which would be costly and probably impractical, the cash count should be recorded by the individual collectors immediately after it is taken from the meter. This recording should be made on a permanent record that will serve as the first record of accountability.
(6) Weakness: There is no timely deposit of cash receipts.
Corrective action: Cash should be deposited immediately and should not be left undeposited overnight. When necessary, night deposits should be made.
(7) Weakness: There is no adequate test of amounts deposited.
Corrective action: The initial record and the authenticated bank deposit slip should be compared by personnel in the town accounting department. Discrepancies should be promptly investigated and resolved.
(8) In place of the above recommendations, the town might consider monthly billings to residents. This would eliminate the coin collection problem since residents would mail their monthly check directly to the town. Additional records might be required but control could be strengthened. Another alternative would be the use of tokens. The tokens should be sold at a central location by a person other than the guard. This would eliminate the meter cash collection problems.
60. Controls Analysis - 45 minutes Medium CMA Examination, Unofficial Answer
a. Fraud by lapping of accounts receivable could occur in the new system by an individual in the cashier's office who could take customer payments and not immediately credit the payments to the customers' accounts. Later, other payments would be credited to these accounts instead of the proper accounts. This would continue until the person in the cashier's office replaced the cash or the company discovered the fraud. Because the cashier's office has control over the checks (the physical asset), the remittance advices (R/As) and customer accounts (the records), a person in the cashier's office is in a very good position to commit fraud. The basic step to minimize the possibility of this type of fraud is to segregate control over cash receipts from control over the accounts receivable file. That is, the cashier's function should be limited to comparing R/As to cash receipts (including making any necessary corrections), forwarding the R/As to an accounts receivable clerk for account posting, and forwarding the cash to the bank along with a deposit slip. Furthermore, control over the billing process should be separated from the application of cash receipts even when R/As only are used. The billing process should provide for regular mailing of statements to customers and independent reconciliation of differences. If mailing statements to customers is too costly, then at least late payments and past-due accounts should be investigated by someone other than the person who maintains the accounts.
b. Other Defects / Solutions
Defect: There is unlimited access to the programs and files by the systems development and operating personnel.
Solution: Operating people should not be given access to programs for purposes of modification. Likewise, systems and programming people should not have access to files with operating data or on-line programs. Special codes for limited entry should be established.
The system should be modified to prevent any on-line modification of any program in the library.
Defect: Hard copies of remittance advices (R/As) are maintained by the cashier.
Solution: These should be maintained by general accounting.
Defect: There does not appear to be any reconciliation between the accounts receivable control account and the subsidiary file.
Solution: The accounts receivable control account and the subsidiary file should be reconciled monthly at the same time aging is completed.
Defect: No control tapes of cash receipts or invoices are being made. Consequently, no reconciliation between detail posting to accounts receivable files and the transaction totals is being made.
Solution: Control tapes for cash receipts and invoices should be made. Reconciliation between these tapes and totals of accounts receivable detail posting should be made by general accounting.
Defect: The validated deposit slip that is returned by the bank is never compared with the retained copy of the deposit slip or the amount posted to accounts receivable control.
Solution: The validated deposit slip should be compared to the copy of the deposit slip retained in the cashier's office and the amount posted to the accounts receivable control; this comparison should be done by someone outside the cashier's office.
Defect: Apparently, copies of invoices are not being maintained or are not being incorporated into the cash receipts system.
Solution: An invoice file should be maintained; invoices should be prenumbered and accounted for.
61. Controls Analysis - 20 minutes Medium CPA Examination, Unofficial Answer
1. M
2. Z
3. L
4. B
5. H
6. S
7. O
8. U
9. I
10. Q
11. N
12. T
13. Y
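The reconciliation that problem 60 above calls for, as an added worked example (not code from the textbook): general accounting compares the control-tape total of remittance advices listed when the mail is opened, the accounts receivable clerk's detail postings, and the bank-validated deposit slip, and matches each R/A to its posting so that the two traces a lapping scheme leaves (an unposted R/A and a payment credited to the wrong customer) surface as exceptions. The customers, amounts and R/A numbers are constructed sample data.

```python
"""Control-total reconciliation and lapping detection over cash receipts.

Added example; it is not code from the textbook. It assumes three records
kept by different people, as the solutions to problem 60 require: the
remittance advices (R/As) listed when the mail is opened, the accounts
receivable clerk's detail postings, and the bank-validated deposit slip.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RemittanceAdvice:
    ra_no: str        # prenumbered R/A
    customer: str     # customer who sent the check
    amount: Decimal
    check_no: str


@dataclass(frozen=True)
class Posting:
    customer: str     # account credited in the A/R subsidiary ledger
    amount: Decimal
    ra_no: str        # R/A the clerk cited as the source document


# Constructed batch: four checks received; Beta's check was diverted and,
# as in a lapping scheme, Gamma's later payment was credited to Beta's account.
RAS = [
    RemittanceAdvice("RA-001", "Alpha Co", Decimal("1200.00"), "1001"),
    RemittanceAdvice("RA-002", "Beta Ltd", Decimal("500.00"), "2207"),
    RemittanceAdvice("RA-003", "Gamma Inc", Decimal("500.00"), "3310"),
    RemittanceAdvice("RA-004", "Delta LLC", Decimal("300.00"), "4402"),
]
POSTINGS = [
    Posting("Alpha Co", Decimal("1200.00"), "RA-001"),
    Posting("Beta Ltd", Decimal("500.00"), "RA-003"),   # Gamma's money, Beta's account
    Posting("Delta LLC", Decimal("300.00"), "RA-004"),
]
VALIDATED_DEPOSIT = Decimal("2000.00")   # total on the bank-validated deposit slip


def control_total(amounts: Iterable[Decimal]) -> Decimal:
    """Control-tape total of a batch of amounts."""
    return sum(amounts, Decimal("0"))


def reconcile_totals(ras: List[RemittanceAdvice], postings: List[Posting],
                     deposit: Decimal) -> Dict[str, Decimal]:
    """Compare the three independently prepared totals. Any non-zero
    difference is an exception for general accounting to investigate."""
    ra_total = control_total(r.amount for r in ras)
    posted_total = control_total(p.amount for p in postings)
    return {
        "ra_total": ra_total,
        "posted_total": posted_total,
        "deposit": deposit,
        "ra_minus_deposit": ra_total - deposit,      # cash received but not banked
        "ra_minus_posted": ra_total - posted_total,  # cash received but not credited
    }


def find_exceptions(ras: List[RemittanceAdvice],
                    postings: List[Posting]) -> List[Dict[str, str]]:
    """Match each R/A to its posting by R/A number.

    Lapping leaves two traces in the detail records: an R/A that was never
    posted (the diverted payment) and a posting credited to a different
    customer than the R/A names (a later payment used to cover it).
    """
    by_ra: Dict[str, List[Posting]] = {}
    for p in postings:
        by_ra.setdefault(p.ra_no, []).append(p)
    exceptions: List[Dict[str, str]] = []
    for r in ras:
        matches = by_ra.pop(r.ra_no, [])
        if not matches:
            exceptions.append({"ra_no": r.ra_no, "issue": "unposted",
                               "detail": f"{r.customer} {r.amount} (check {r.check_no}) not credited"})
            continue
        for p in matches:
            if p.customer != r.customer:
                exceptions.append({"ra_no": r.ra_no, "issue": "misapplied",
                                   "detail": f"payment from {r.customer} credited to {p.customer}"})
            elif p.amount != r.amount:
                exceptions.append({"ra_no": r.ra_no, "issue": "amount_mismatch",
                                   "detail": f"R/A {r.amount} posted as {p.amount}"})
    for ra_no, orphans in by_ra.items():   # postings citing an R/A that does not exist
        for p in orphans:
            exceptions.append({"ra_no": ra_no, "issue": "no_source_document",
                               "detail": f"{p.customer} credited {p.amount} without an R/A"})
    return exceptions


if __name__ == "__main__":
    for name, value in reconcile_totals(RAS, POSTINGS, VALIDATED_DEPOSIT).items():
        print(f"{name:>18}: {value}")
    for e in find_exceptions(RAS, POSTINGS):
        print(f"{e['ra_no']} {e['issue']}: {e['detail']}")
```

On the sample batch the R/A control total exceeds both the deposit and the postings by 500.00, and the detail match names RA-002 as unposted and RA-003 as misapplied, which is exactly what the cashier alone could not be relied on to report.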
62. SAP Data Fields - 20 minutes Medium
There are several order input data and/or customer master file fields that are necessary for international business transactions.
Create Customer Address Screen: A country field indicates the country. A code indicating the language to be used must be entered in the communication section of this screen.
Create Customer: Sales Screen: One must specify a currency for the settlement of accounts. One can enter a code that identifies how to determine the currency exchange rate.
Create Sales Order Screen: The optional pricing screen allows editing of pricing conditions, which include currencies.
Create Customer: Output Screen: This input screen is used to change the default output specifications, which include the language to be used.
Create Customer: Billing Screen: The Incoterms field identifies international trading terms.
63. SAP - 10 minutes Easy
Due to the complexity of the process for creating customer master records, SAP ERP allows for the creation of a single 'dummy' master record for one-time or infrequent customers. All of these customers are passed through this one-time record. The master record has minimal information. Only the Address, Sales, Shipping, Billing, Taxes, and Output Create Customer screens are completed. For these screens, only fields that will apply to all of the customers who use this record are input. Additional specific information for shipping is added when orders by specific customers are placed. This process saves the trouble of creating detailed records for one-time customers.
WEB RESEARCH ASSIGNMENTS
64. The Collaboration Protocol Profile (CPP) is part of the OASIS ebXML Collaboration Protocol Profile and Agreement (CPPA) standard, which describes how trading partners engage in electronic business collaborations through the exchange of electronic messages. Specifically, the CPP provides detailed attributes about a trading partner.
These attributes include, for example, delivery channels and transport protocols (e.g., HTTP and SMTP), security constraints (e.g., digital certificates), and information regarding the trading partner's business roles and capabilities. Companies can publish their CPPs to ebXML Registries or Repositories. Such registries can be hosted privately or through services that facilitate ebXML collaboration.
65. SAP's financial supply chain management includes credit management, electronic invoicing and payments, dispute management, and collections management.
66. In addition to the functions provided by QuickBooks itself, various third-party vendors offer SCM and EDI-type products that integrate with QuickBooks. One example is eBridge (www.ebridgesoft.com), which provides SCM and ebXML services to QuickBooks.
67. Crossword
Across
3. FACTORING - involves a collection agency.
4. IMPREST TECHNIQUES - involves accountability to a specified total amount.
7. REMITTANCE LIST - records customer payments and is prepared for control purposes.
12. GOODS ISSUE NOTICE - evidences a shipment to a customer.
15. BILL OF LADING - the invoice received from a carrier for shipments.
16. CREDIT MEMO - reductions to a customer's accounts.
18. BALANCE-FORWARD PROCESSING - payments are applied directly to the customer's outstanding balance.
19. PROFESSIONAL SHOPPERS - observing the recording of transactions.
Down
1. LOCK-BOX DEPOSIT SYSTEM - certain items sent directly to a bank.
2. INQUIRY - similar to a quotation but does not contain delivery information.
5. CYCLE BILLING PLAN - accounts receivable subdivided.
6. QUOTATION - sent to a potential customer.
8. SALES ORDER - initiates the shipment of goods to a customer.
9. SHIPPING ADVICE - goods issue notice.
10. CUSTOMER AUDIT - an additional control over the initial documentation of a transaction.
11. INVOICE - informs the customer of charges.
13. OPEN-ITEM PROCESSING - remittances are not applied directly against the customer's outstanding balance.
14. BLANKET ORDER - involves several shipments to the same customer over a specific time
Chapter 8 PROCUREMENT AND HUMAN RESOURCE BUSINESS PROCESSES
TEACHING TIPS
I emphasize the voucher system. I tell students not to worry too much about who gets a copy of what. Just sending a copy of everything to accounting takes care of the issue. In covering the voucher system, I begin my discussion in Accounting, and ask students what documents should be required before Accounting approves a disbursement voucher. Just answering this question (with purchase order, vendor invoice, receiving report, and possibly an approved requisition) effectively teaches students the flow of documents through the entire system. The discussion of SAP ERP is highly detailed, and it is not expected that anyone could remember all of the details described. However, ask students what information input and processed by SAP ERP seems to be not useful. The answer should be that all of the information is potentially useful. ERP systems collect and process vast amounts of information in order that companies can micro-manage their business processes and provide customized service to their trading partners. The detailing of infotypes and personnel events in SAP's human resource modules illustrates how data structures organize data that is presented to users. I highly recommend covering the multiple-choice questions in the end-of-chapter materials.
THE PROCUREMENT BUSINESS PROCESS
Procurement is the business process of selecting a source, ordering, and acquiring goods or services. Purchasing is a synonym for procurement. The general steps in the procurement process are:
• requirement determination
• selection of source
• request for quotation
• selection of a vendor
• issuing of a purchase order
• receipt of the goods
• invoice verification
• vendor payment.
SAP ERP provides an online, fully-integrated system for the creation and exchange of the documents that are required in the procurement business process. The fully integrated nature of the system reduces errors and speeds the business process. Documents in SAP ERP are 'online documents': they are created online and may be processed entirely as electronic documents.
Requirement Determination: A purchase requisition is an internal document created to request the procurement of something in order that it is available at a certain point in time. A purchase requisition is an optional step in procurement in SAP ERP.
Selection of Source(s): SAP ERP maintains lists of approved and disapproved sources of supply. SAP ERP can select vendors that will be invited to bid on the requisition, basing its recommendations on data that has been saved concerning previous sourcing for the item.
Request for Quotation: After vendors have been selected, SAP ERP is used to generate a request for quotation document. A request for quotation is a document sent to vendors inviting them to confirm a price and payment terms for the supply of a product or service.
Selection of a Vendor: SAP ERP compares procurement needs with vendors' quotes as they have been recorded in quotation documents and identifies the most suitable quotation for the requisition. SAP ERP sends rejection letters to vendors whose bids were not accepted. Vendor evaluation often requires expertise or experience. SAP ERP offers an automatic vendor evaluation function to assist an organization in the procurement business process.
Issuing of a Purchase Order: A purchase order document identifies a vendor and confirms goods ordered, quantity, price, delivery date, terms of delivery, and payment terms. A purchase order can be created from 'scratch' or by reference to an existing document. The purchase order can be sent as paper, as a fax, or electronically as an EDI document.
Receipt of the Goods: When the vendor makes delivery, a goods receipt document is prepared in SAP ERP. This type of document is often called a receiving report. After a goods receipt is posted, SAP ERP makes an inventory document that records the effect on inventory. It also produces an accounting document to show the general ledger transaction.
Invoice Verification: Invoices must be checked against goods receipt documents and original purchase orders prior to payment. This business process - known as invoice verification - ensures that cost and quantity requirements have been met. SAP ERP has an Invoice Verification component.
Vendor Payment: Once an invoice is posted, payment can take place. Payment is made according to the payment terms and conditions specified in the purchase order or the vendor master record.
Master Records: SAP ERP maintains a centralized database. Each master record is accessible by every module in SAP ERP, but each module can only 'see' different areas of each master record. Procurement accesses vendor master records and material master records.
Transaction Cycle Controls over Procurement
Transaction cycle controls are based on a separation of functions. A procurement process includes five basic functions (all documents should be prenumbered):
• Someone outside the purchasing department determines that materials are needed; a purchase requisition is prepared and approved.
• Bids are requested, a vendor is selected, and a purchase order is issued by purchasing.
• When the materials are received, a receiving report is prepared by the receiving department. The receiving department works with a blind copy of the purchase order, with the counts not shown.
• Details of the invoice submitted by the vendor are compared to the purchase order and to the receiving report. The invoice is checked for mathematical accuracy. If everything is in order, the invoice is approved for payment.
• A check is prepared and sent to the vendor, and all the previous documents are cancelled to avoid the possibility of duplicate payments.
Integrity of the Purchasing Application System
Buyers must request competitive bids through request-for-quotation forms. Approved vendor lists, prepared by an independent function, may be used to restrict a buyer's options to those vendors who have been found reliable, financially sound, and free of conflicts of interest.
The Attribute Rating Approach to Vendor Selection. The attribute rating approach to vendor selection is appropriate whenever an objective evaluation of the opinions of several independent evaluators is desired: that is, an amalgamation of evaluations of the same system. The following steps are involved:
1. Identify and list the attributes to be included in the evaluation.
2. Assign a weight to each attribute, based on relative importance and objectivity.
3. Have individual evaluators rank each vendor on each attribute, giving a numerical score on a range of 1 to 10 or some other scale.
4. Total the individual evaluations by multiplying each attribute's numerical ranking by its weight; then total all evaluations by adding the scores together.
SOX Compliance: Procurement Business Process. Risk assessment of the procurement business process will be necessary for compliance with SOX.
CASH DISBURSEMENTS BUSINESS PROCESS
The major features of the cash disbursements business process are the use of a voucher system to support the drawing of checks, the separation of approval from actual payment, and an independent bank reconciliation. The accounts payable department receives copies of the purchase requisition, purchase order, receiving report, and vendor invoice. These documents are reviewed, certified as to completeness, and assembled in a voucher package. After the voucher checks and voucher packages are reviewed by the treasury function, the checks are signed and the voucher packages are cancelled and filed by number. The voucher checks are then posted to a check register. This posting is totaled and reconciled to the control total received from accounts payable. Voucher checks are forwarded directly to the payees. The control total is forwarded to general ledger.
Voucher Systems. The real control over disbursements is a final review of documents evidencing the entire transaction prior to the authorization of payment.
Posting of Payables. Most firms attempt to accumulate several invoices from the same vendor and pay these invoices with a single check. Such procedures are called built-up voucher procedures.
HUMAN RESOURCE MANAGEMENT BUSINESS PROCESS
The business process that involves management of human resources is concerned with establishing and maintaining an information system that processes human resource (HR) information. The HR system should provide tools for the setup and maintenance of information pertaining to the organizational structure. A listing of jobs that exist in an organization, a listing of job descriptions, and a listing of any qualifications that are required for a job are examples of HR information pertaining to the organizational structure. The HR system should also provide tools for the processing of employee data, such as employee address, payroll, and employment history data.
HR Processing in SAP ERP: SAP ERP contains two HR modules. The Personnel Administration module (HR-PA) is concerned with the maintenance of employee data, such as personnel details, salary data, and performance appraisal data. The Personnel Planning and Development module (HR-PD) provides tools for the setup and maintenance of organizational structure information.
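The four-step attribute rating approach to vendor selection described above, carried through as an added worked example (not code from the textbook): the attributes, weights, vendor names and evaluator scores are constructed, and the rating refuses an incomplete or off-scale score sheet, since one evaluator skipping an attribute or a vendor would silently tilt the totals.

```python
"""Attribute rating approach to vendor selection.

Added worked example; it is not code from the textbook. It follows the four
steps in the text: (1) list the attributes, (2) weight them, (3) have each
evaluator score every vendor on every attribute, (4) multiply each score by
its weight and total across attributes and evaluators. The attribute names,
weights, vendors and scores below are constructed for illustration.
"""
from typing import Dict, List, Tuple

Scores = Dict[str, int]          # attribute -> score from one evaluator
Evaluation = Dict[str, Scores]   # vendor -> Scores; one dict per evaluator

# Steps 1 and 2: attributes and their relative-importance weights (constructed).
WEIGHTS: Dict[str, int] = {
    "price": 4,
    "quality": 3,
    "delivery": 2,
    "financial stability": 1,
}

# Step 3: three independent evaluators, each scoring every vendor on a
# 1-10 scale (constructed sample scores).
EVALUATIONS: List[Evaluation] = [
    {"Vendor A": {"price": 8, "quality": 7, "delivery": 6, "financial stability": 9},
     "Vendor B": {"price": 6, "quality": 9, "delivery": 8, "financial stability": 7},
     "Vendor C": {"price": 9, "quality": 5, "delivery": 7, "financial stability": 6}},
    {"Vendor A": {"price": 7, "quality": 8, "delivery": 6, "financial stability": 8},
     "Vendor B": {"price": 6, "quality": 9, "delivery": 9, "financial stability": 8},
     "Vendor C": {"price": 9, "quality": 4, "delivery": 6, "financial stability": 5}},
    {"Vendor A": {"price": 8, "quality": 7, "delivery": 7, "financial stability": 9},
     "Vendor B": {"price": 5, "quality": 8, "delivery": 8, "financial stability": 7},
     "Vendor C": {"price": 10, "quality": 5, "delivery": 6, "financial stability": 6}},
]


def check_evaluations(weights: Dict[str, int], evaluations: List[Evaluation],
                      scale: Tuple[int, int] = (1, 10)) -> List[str]:
    """Return the problems that would make the totals non-comparable.

    An evaluator who skips an attribute, scores off the agreed scale, or
    omits a vendor that others scored would distort the totals, so the
    rating is refused until every sheet is complete.
    """
    low, high = scale
    problems: List[str] = []
    if not weights or any(w <= 0 for w in weights.values()):
        problems.append("every attribute needs a positive weight")
    attrs = set(weights)
    vendor_sets = [set(ev) for ev in evaluations]
    if vendor_sets and any(vs != vendor_sets[0] for vs in vendor_sets):
        problems.append("evaluators did not all score the same set of vendors")
    for i, ev in enumerate(evaluations, start=1):
        for vendor, scores in ev.items():
            if set(scores) != attrs:
                problems.append(f"evaluator {i}: {vendor} not scored on every attribute")
            for attr, s in scores.items():
                if not low <= s <= high:
                    problems.append(
                        f"evaluator {i}: {vendor}/{attr} score {s} is off the {low}-{high} scale")
    return problems


def weighted_score(weights: Dict[str, int], scores: Scores) -> int:
    """Step 4 for one evaluator and one vendor: sum of score x weight."""
    return sum(weights[attr] * scores[attr] for attr in weights)


def rate_vendors(weights: Dict[str, int], evaluations: List[Evaluation],
                 scale: Tuple[int, int] = (1, 10)) -> Dict[str, int]:
    """Step 4 across all evaluators: vendor -> grand total of weighted scores."""
    problems = check_evaluations(weights, evaluations, scale)
    if problems:
        raise ValueError("; ".join(problems))
    totals: Dict[str, int] = {}
    for ev in evaluations:
        for vendor, scores in ev.items():
            totals[vendor] = totals.get(vendor, 0) + weighted_score(weights, scores)
    return totals


def rank_vendors(weights: Dict[str, int], evaluations: List[Evaluation],
                 scale: Tuple[int, int] = (1, 10)) -> List[Tuple[str, int]]:
    """Vendors ordered from highest to lowest total (ties broken by name)."""
    totals = rate_vendors(weights, evaluations, scale)
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for vendor, total in rank_vendors(WEIGHTS, EVALUATIONS):
        print(f"{vendor}: {total}")
```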
HR Data Structure: Master data records in the HR-PA and HR-PD modules are created and maintained for organizational units, job profiles, employees, and training. In many business processes, the data in master records is referenced often but seldom changed. However, some HR master records are subject to frequent change.
Data Organization: Data is organized and presented to users in SAP ERP by 'infotypes' and personnel 'events'. An infotype is an SAP term that denotes a collection of data fields that are grouped together for display. SAP ERP offers a number of standard infotypes that are specific to the tax and benefit systems of different nations. These 'blueprint' infotypes may be included in the implementation of the HR module as appropriate. A personnel event is a group of infotypes. Events are created to simplify HR transaction entry.
HR Objects: Human Resource object types are identified with a one- or two-letter identifier. The code for the object Employee is P. Each employee also has a unique personnel number which identifies him or her throughout the information system.
Transaction Cycle Controls in Payroll Processing
The following functions should be separated: personnel, timekeeping, and the payroll department. Other important controls include:
• The use of a separate imprest payroll account for paychecks
• An independent reconciliation of the payroll account bank statement
• The use of an independent paymaster
Payroll Processing Requirements
Numerous files must be maintained in a payroll system. Basic employee information, such as name, address, rate of pay, and deductions, is necessary to prepare a payroll. Social Security and other tax legislation impose several taxes based on payrolls:
REVIEW QUESTIONS
1. Procurement is the business process of selecting a source, ordering, and acquiring goods or services.
2. The general steps in the procurement process are:
• requirement determination
• selection of source
• request for quotation
• selection of a vendor
• issuing of a purchase order
• receipt of the goods
• invoice verification
• vendor payment.
3. A purchase requisition is an internal document that is created to initiate the procurement process. A purchase order is the external document sent to a vendor to actually order the goods.
4. No accounting entry is necessitated by the issuance of a purchase order.
5. SAP ERP processes several types of purchase orders. A standard purchase order is issued to order a good or service. A subcontract purchase order is issued when a vendor must receive parts (i.e., subassemblies) in order to produce an end product that is what will be delivered to the company. The subcontract purchase order specifies the end product and also the parts that the vendor must acquire. A consignment purchase order is issued for goods held on consignment. A third-party purchase order is issued when goods or services are to be delivered to a third party. Finally, a stock transport purchase order is issued to initiate a goods movement between plants in the company.
6. There are three categories of information in vendor master records. General data consists of vendor number, name, address, telephone, and similar items. Company code data (also called accounting data) is defined at the company code level and is linked to the Financial Accounting and General Ledger modules in SAP ERP. Company code data defines agreed payment terms and the sub-ledger reconciliation account number. Every vendor master record must have a reconciliation account number which links the vendor to the Accounts Payable sub-ledger. Purchasing data describes purchasing needs and is defined at the purchasing organization level. For example, purchasing data includes information used for quotations, invoice verification, or inventory control.
7. One aspect is the use of purchase documents to ensure that individual orders are received as expected. A second aspect concerns control of the integrity of the buyer-vendor relationship. Buyer-vendor relationships are more a matter of policy than procedure.
8. A receiving report documents the receipt of shipments from vendors. This allows confirmation that shipments have been received prior to payment.
9. The invoice verification process is a review of purchasing documentation prior to authorizing payment to vendors.
10. Buyers must request competitive bids through request-for-quotation forms.
Copies of these forms are filed and reviewed by purchasing management. Methods of evaluating and selecting bids based on vendor attributes (vendor rating plans) may be formalized, with decisions subject to review by a higher authority. A policy of rotating a buyer's responsibilities weakens buyer-vendor relationships but reduces possibilities for buyer specialization. Approved vendor lists may be used to restrict a buyer's options.
11. Budgetary control might be exercised by having requisitions posted to accounts which are then compared to budgeted amounts. A department could not purchase more than has been authorized in its budget.
12. Approved vendor lists should be prepared by an independent party and used to restrict a buyer's options to those vendors who have been found reliable, financially sound, and free of conflicts of interest.
13. The real control over disbursements is a final review of documents evidencing the entire transaction prior to the authorization of payment.
14. The major controls are the use of a voucher system to support the drawing of checks, the separation of approval from actual payment, and an independent bank reconciliation.
15. A voucher system is a procedure in which every organizational expenditure must be documented with an approved voucher.
16. Three files are necessary to maintain useful information: a file of approved but unpaid invoices, with access to due date for payment; a file of paid invoices, usually in numerical order; and a vendor file showing both paid and unpaid amounts, ordered by vendor ID.
17. If invoices are booked on the due date, there is no formal record of unpaid invoices, because the liability is immediately cancelled by payment. If invoices are booked on the date of approval, a formal record of liabilities exists.
18. The human resource business process is concerned with establishing and maintaining an information system that processes human resource (HR) information. The HR system should provide tools for the setup and maintenance of information pertaining to the organizational structure. A listing of jobs that exist in an organization, a listing of job descriptions, and a listing of any qualifications that are required for a job are examples of HR information pertaining to the organizational structure. The HR system should also provide tools for the processing of employee data, such as employee address, payroll, and employment history data.
19. An infotype is an SAP ERP term that denotes a collection of data fields that are grouped together for display. In database terminology, an infotype is a segment.
20. A personnel event is a group of infotypes. Events are created to simplify HR transaction entry.
21. The basic information about what the U.S. government requires with respect to payroll is outlined in the Department of Treasury Internal Revenue Service publication Circular E Employers Tax Guide. 22. The major controls in a payroll procedure are separation of functions, use of a separate imprest payroll account for paychecks to facilitate reconciliations, and an independent reconciliation of the payroll account bank statement. 23. At the close of each quarter an employer is required to file a quarterly return of Form 941 or 941E and pay the balance of undeposited taxes. On or before January 31 each employer is required to give each employee a completed Form W-2 Wage and Tax Statement. The employer is required to forward a copy of these W-2 forms with a Form W-3 on or before February 28 to the government. Form 1099-Misc. documents payments to people who render services to a business for a fee but are not controlled or directed by the client. Amounts paid to them are not subject to payroll taxes. An earnings statement summarizes payroll computations of an employee.
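The voucher-system controls in answers 13 through 17 (a document review before payment is authorized, the three files, and a paid-invoice record that stops the same invoice from being paid twice), as an added Python example that is not from the textbook or its solutions manual; the document classes, the `VoucherRegister` class, and every number and amount are constructed for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    item: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class ReceivingReport:
    rr_number: str
    po_number: str
    item: str
    quantity_received: int
    condition_ok: bool          # receiving inspected condition and quality


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    vendor_id: str
    po_number: str
    item: str
    quantity: int
    unit_price: Decimal
    total: Decimal
    due_date: date


def three_way_match(inv: Invoice, po: PurchaseOrder, rr: ReceivingReport) -> list[str]:
    """Return every discrepancy among invoice, purchase order and receiving report.

    An empty list means the three documents agree and the invoice may be vouchered.
    """
    problems: list[str] = []
    if inv.vendor_id != po.vendor_id:
        problems.append("vendor on invoice differs from vendor on purchase order")
    if inv.po_number != po.po_number or rr.po_number != po.po_number:
        problems.append("purchase order numbers do not cross-reference")
    if not (inv.item == po.item == rr.item):
        problems.append("item descriptions disagree")
    if rr.quantity_received > po.quantity:
        problems.append("over-shipment: received more than ordered")
    if inv.quantity != rr.quantity_received:
        problems.append("billed quantity differs from quantity received")
    if inv.unit_price != po.unit_price:
        problems.append("invoice price differs from purchase order price")
    if inv.total != inv.quantity * inv.unit_price:
        problems.append("invoice extension is arithmetically wrong")
    if not rr.condition_ok:
        problems.append("receiving report notes goods not in acceptable condition")
    return problems


class VoucherRegister:
    """The three files from the text: approved-but-unpaid, paid, and vendor."""

    def __init__(self) -> None:
        self.unpaid: dict[str, Invoice] = {}          # voucher number -> invoice
        self.paid: list[tuple[str, Invoice]] = []     # kept in voucher-number order
        self.vendor_file: dict[str, dict[str, Decimal]] = defaultdict(
            lambda: {"unpaid": Decimal("0"), "paid": Decimal("0")})
        self._vouchered: set[tuple[str, str]] = set()  # (vendor, invoice no.)
        self._next_number = 1

    def approve(self, inv: Invoice, po: PurchaseOrder,
                rr: ReceivingReport) -> tuple[str | None, list[str]]:
        """Voucher the invoice only if it matches and was never vouchered before."""
        problems = three_way_match(inv, po, rr)
        if (inv.vendor_id, inv.invoice_number) in self._vouchered:
            problems.append("duplicate: this invoice has already been vouchered")
        if problems:
            return None, problems
        voucher = f"V{self._next_number:05d}"
        self._next_number += 1
        self._vouchered.add((inv.vendor_id, inv.invoice_number))
        self.unpaid[voucher] = inv
        self.vendor_file[inv.vendor_id]["unpaid"] += inv.total
        return voucher, []

    def due(self, as_of: date) -> list[str]:
        """Unpaid vouchers due on or before as_of, earliest due date first."""
        return sorted((v for v, inv in self.unpaid.items() if inv.due_date <= as_of),
                      key=lambda v: self.unpaid[v].due_date)

    def pay(self, voucher: str) -> Decimal:
        """Move a voucher to the paid file; paying it a second time raises KeyError."""
        inv = self.unpaid.pop(voucher)
        self.paid.append((voucher, inv))
        self.vendor_file[inv.vendor_id]["unpaid"] -= inv.total
        self.vendor_file[inv.vendor_id]["paid"] += inv.total
        return inv.total
```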
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS
24. - 59. Multiple-Choice
Varies
24. D 25. D 26. A 27. A 28. C 29. D 30. D 31. C 32. A 33. B 34. A 35. C 36. C 37. D 38. B 39. D 40. C 41. A
42. C 43. A 44. A 45. A 46. B 47. D 48. B 49. D 50. C 51. B 52. B 53. D 54. D 55. C 56. B 57. D 58. D 59. C
60. Internal Controls - 20 minutes Easy
a. Prevent the submission of vouchers for duplicate payments.
b. Avoid the possibility of a shortage in any single account being hidden by kiting checks between several accounts. The interim date adds a surprise element to the reconciliation.
c. Physical control over checks to avoid misappropriation.
d. A basic element of accounting control is a record of assets.
e. To ensure that payroll checks are being drawn only to valid employees. This should be done by a person other than the one who distributes checks.
f. Similar to (e) above if addresses are supplied by the person mailing the checks. Also, reduces possibilities of misappropriation if checks are reviewed by an independent party prior to mailing.
61. Internal Controls - 15 minutes Easy
a. Voided checks must be accounted for to prevent a misappropriated check being recorded as "void."
b. Guard against misappropriated checks.
c. Imprest control over the payroll checking account simplifies payroll reconciliations.
d. Separation of duties in the payroll function.
e. Ensure that payroll checks are being drawn to valid employees.
f. Approval is basic to control; salary payroll is not subject to time card/clock control; thus approval and review are essential to ensure that the payroll is valid.
62. Internal Controls - 10 minutes Easy
This policy would allow the resubmission of previously paid invoices for duplicate payment. Invoices should be stamped "paid" only after payment, preferably by the controller himself.
63. Control Procedures - 15 minutes Easy
a. Documents policies and procedures of the purchasing function. This should ensure that employees are aware of practices that should be followed, such as competitive bidding, buyer rotation, use of approved vendor lists, and other practices designed to ensure proper buyer-vendor relationships.
b. Approved vendor lists, prepared by an independent function, may be used to restrict a buyer's options to those vendors who have been found to be reliable, financially sound, and free of conflicts of interest.
c. Used to implement and document bidding practices.
d. Such plans formalize the processes used to evaluate and select bids on the basis of several vendor attributes, such as prices, reliability, service, location, quality of merchandise or service, and reputation. Vendors' bids usually receive points in several of the above-mentioned areas; points are totaled to develop an overall vendor rating. The vendor with the most points is usually awarded the bid.
e. This practice weakens improper buyer-vendor relationships which may develop over a long period of association; rotation tends to keep buyers independent of specific vendors.
64. Purchasing - 10 minutes Easy
a. Inform the requisitioning department that goods have been ordered and the related details of the purchase.
b. Inform and authorize the receipt of the forthcoming shipment of goods from the vendor.
c. Initiates invoice verification of the purchase and the subsequent payment to the vendor.
65. Approval of Invoices - 10 minutes Easy
The major difference lies in the receipt and inspection of the quality of the goods received. Services received are often more difficult to evaluate than physical goods due to their intangible nature. Janitorial services and legal services are two good examples. Janitorial services (cleaning, waste removal, etc.) are difficult to document and evaluate on a short-term basis. It is more difficult at the end of a month when a bill is received for janitorial services to vouch that trash was removed every day or that floors were mopped every day than it is to vouch that one or more shipments of physical goods were received in good condition. Part of this condition is due to the fact that procedures are not often established to control services as they are to control the receipt of goods (i.e., receiving report). Many organizations have probably paid for services that they never received. Legal services and other types of professional services, billed on a time basis, are often impossible to verify. The receiving report which accompanies physical goods should be supplemented by use of a signed statement by a responsible official that services were received as stated on invoices.
66. Purchasing Controls - 20 minutes Easy
CIA Examination, Unofficial Answer
a. The risks incurred are:
Condition (a)
(a) Buyers would not be officially notified of the strict code of conduct that management expects them to adhere to.
(b) Buyers could deny that they were expected to conform to a prescribed code of conduct.
Condition (b)
(a) Only favored suppliers may be asked to bid.
(b) Low-cost suppliers may be excluded.
Condition (c)
(a) Bids from favored suppliers could be retained.
(b) Bids from nonfavored suppliers could be discarded.
Condition (d)
(a) The defect was caused by a minor human error. The procedure seems adequate and requires no improvement.
b. The controls that could be recommended to prevent continuation of each of the following conditions are:
Condition (a)
(a) Require that buying personnel periodically report all outside business affiliations or employment.
(b) Issue a formal statement of policy on conflicts of interest.
(c) Require that buying personnel report the receipt of gifts and other personal benefits from suppliers.
Condition (b)
(a) Require that appropriate levels of supervision in the Purchasing Department review and approve the list of bidders.
(b) Require a list of acceptable suppliers which the buyers must use.
Condition (c)
(a) Require receipt and retention of bids until the bid closing date by an independent service or by the purchasing agents' or purchasing manager's secretaries.
Condition (d)
(a) Verbally recommend that the buyer responsible be instructed on the requirements for authorized requisitions.
67. Purchasing Flowchart - 45 minutes Medium
CPA Examination, Unofficial Answer
The identification and explanation of the systems and control problems are as follows:
(1) The purchase requisition is not approved. The purchase requisition should be approved by a responsible person in the stores department. The approval should be indicated on the purchase requisition after the approver is satisfied that it was properly prepared based on a need to replace stores or the proper request from a user department.
(2) Purchase requisition number two is not required. Purchase requisitions are unnecessarily sent from the stores department to the receiving room. The receiving room does not make any use of the purchase requisitions and no purpose seems to exist for the receiving room to obtain a copy.
A copy of the requisition might be sent from stores directly to accounts payable where it can be compared to the purchase order to verify that the merchandise requisitioned by the authorized employee has been properly ordered.
(3) Purchase requisitions and purchase orders are not compared in the stores department. Although purchase orders are attached to purchase requisitions in the stores department, there is no indication that any comparison is made of the two documents. Prior to attaching the purchase order to the purchase requisition the requisitioner's function should include a check that:
(a) Prices are reasonable.
(b) The quality of the materials ordered is acceptable.
(c) Delivery dates are in accordance with company needs.
(d) All pertinent data on the purchase order and purchase requisition (e.g., quantities, specifications, delivery dates, etc.) are in agreement.
Since the requisitioner will be charged for the materials ordered, the requisitioner is the logical person to perform these steps.
(4) Purchase orders and purchase requisitions should not be combined and filed with the unmatched purchase requisitions in the stores department. A separate file should be maintained for the combined and matched documents. The unmatched purchase requisitions file can serve as control over merchandise requisitioned but not yet ordered.
(5) Preliminary review should be made before preparing purchase orders. Prior to preparation of the purchase order the purchase office should review the company's need for the specific materials requisitioned and approve the request.
(6) The purchase office should attempt to obtain the highest quality merchandise at the lowest possible price, and the procedures that are followed to achieve this should be included on the flowchart. There is no indication that the purchase office submits purchase orders to competitive bidding when appropriate. That office should be directly involved with vendors in determining the cost of material ordered and should be primarily responsible for deciding at what price materials should be ordered and which vendor should be used.
(7) The purchase office does not review the invoice prior to processing approval. The purchase office should review the vendor's invoice for overall accuracy and completeness, verifying quantity, prices, specifications, terms, dates, etc., and if the invoice is in agreement with the purchase order, receiving report, and purchase requisition, the purchase office should clearly indicate on the invoice that it is approved for payment processing. The approved invoices should be sent to the accounts payable department.
(8) The copy of the purchase order sent to the receiving room generally should not show quantities ordered, thus forcing the department to count goods received. In addition to counting the merchandise received from the vendor, the receiving department personnel should examine the condition and quality of the merchandise upon receipt.
(9) There is no indication of the procedures in effect when the quantity of merchandise received differs from what was ordered. Procedures for handling over-shipments and short-shipments should be clearly outlined and included on the flowchart.
(10) The receiving report is not sent to the stores department. A copy of the receiving report should be sent from the receiving room directly to the stores department with the materials received. The stores department, after verifying the accuracy of the receiving report, should indicate approval on that copy and send it to the accounts payable department. The copy sent to accounts payable will serve as proof that the materials ordered were received and are in the user department.
(11) There is no indication of control over vouchers in the accounts payable department. Accounts payable should keep a record of all vouchers submitted to the cashier, and a copy of the vouchers should be filed in an alphabetical vendor reference file.
(12) There is no indication of control over dollar amounts on vouchers. Accounts payable personnel should prepare and maintain control sheets on the dollar amounts of vouchers. Such sheets should be sent to departments posting transactions to general and subsidiary ledgers.
(13) There is no examination of documents prior to voucher preparation. In addition to the matching procedure, the mathematical accuracy of all documents should be verified prior to preparation of vouchers.
(14) The controller should not be responsible for cash disbursements. The cash disbursement function should be the responsibility of the treasurer, not the controller, so as to provide proper division of responsibility between the custody of assets and the recording of transactions.
(15) There is no indication of the company's procedures for handling purchase returns. Although separate return procedures may be in effect and included on a separate flowchart, some indication of this should be included as part of the purchases flowchart.
(16) Discrepancy procedures are not indicated. The flowchart should indicate what procedures are followed whenever matching reveals a difference between the documents compared.
(17) There is no indication of any control over prenumbered forms. All prenumbered documents should be accounted for.
68. Internal Control - 30 minutes Medium
CPA Examination, Unofficial Answer
a. Flowchart - see next page.
b.
(1) A system of advice forms should be installed so that hirings, terminations, rate changes, etc., are reported to the payroll department in writing. Such forms should be approved by the foreman's supervisor.
(2) Before an applicant is hired, his background should be investigated by contacting references to determine that he is not dishonest and has no other undesirable personal characteristics.
(3) The supply of blank time cards should be removed. At the beginning of each week the payroll department should provide each worker with a time card stamped with his name.
(4) A time clock should be installed and the workers required to "punch" in and out. A responsible employee should be stationed at the time clock to determine that workers are not "punching" the time cards of other workers who may be late or absent, or who have left work early.
(5) The foreman should collect the time cards at the end of the week, approve them, and turn them over to the payroll clerk. All time cards should be accounted for and any missing cards investigated.
(6) If the Company has a cost system that requires the workers to prepare production reports or to account for their time by work tickets, the time cards and the production reports or work tickets should be compared.
(7) The payroll clerks' work should be arranged so that they check each other. Under the existing system of computing the payroll, the clerk who does not do the original computing should check the original work of the other clerk. As an alternative one clerk may make the original computations for the full payroll and the other clerk do all the rechecking.
(8) The payroll checks should be prenumbered to control their issuance.
(9) The payroll checks should be distributed to the workers by a responsible person other than the foreman. Unclaimed checks should be held in safekeeping by the payroll department until claimed by the worker.
(10) A responsible person other than the chief accountant and the payroll clerks should reconcile the payroll bank account.
(11) From time to time an officer of the Company should witness a payroll distribution on a surprise basis.
69. Payroll - 30 minutes Medium
CPA Examination, Unofficial Answer
a. Weaknesses in the system of internal control are the following:
(a) Lack of approval of the foreman's clock card by an appropriate supervisor is an unsound practice. Employees should not be permitted to maintain their own time records and submit them without approval.
(b) The computation of regular and overtime hours prepared by payroll clerk No. 2 that is used in the preparation of the payroll register is not compared with the summary of the regular and overtime hours prepared by the foreman.
(c) Arithmetic computations and rates of pay used in the preparation of the payroll register are not checked by a person who is independent of their preparation, and payroll register columns are not verified (re-added) by a person other than the preparer of the payroll register.
(d) Payroll checks are not reconciled to the payroll register in order to prevent improper disbursements.
(e) A signature-stamp machine should not be in the custody of any payroll clerk who has access to unsigned checks.
(f) Since the paymaster should be independent of the payroll process, signed payroll checks should not be distributed by the foreman.
(g) Unclaimed payroll checks should be in the custody of an employee who is independent of the payroll process.
(h) The comparison of (regular and overtime) hours indicated on payroll checks (or attachments) with (regular and overtime) hours indicated on clock cards should not be performed by the clerk who is responsible for the original computation of (regular and overtime) hours indicated on clock cards.
(i) The comparison of gross and net payroll indicated on payroll checks (or attachments) with gross and net payroll indicated in the payroll register should not be performed by the clerk who is responsible for preparing the payroll register.
b. One should inquire whether:
(a) Payroll clerk No. 2 checks clock cards for the foreman's written approval.
(b) Approved overtime is indicated on clock cards.
(c) Employment, wage, and related data in payroll files are periodically crosschecked with personnel files for agreement.
(d) The punching of clock cards is observed by a timekeeper.
(e) Other mitigating internal control measures (for example, bonding, required vacations, and so forth) are in existence.
70. Purchasing - 30 minutes Medium
CMA Examination, Unofficial Answer
(a) The documents that would be required to satisfy the minimum requirements of a basic system and the minimum number of copies are:
Internally generated documents
(a) Purchase requisition - 2 copies
(b) Purchase order - 4 copies
(c) Receiving report - 2 copies
(d) Payment voucher - 2 copies
(e) Check - 2 copies
Externally generated documents
(a) Invoice - 2 copies
(b) Packing slip - 1 or 2 copies
(b) How these documents interrelate and flow among Poster's departments is detailed below.
Purchase Requisition (2 copies)
This document is generated by the inventory supervisor. The copies are distributed as follows:
Original - sent to the Purchasing Department as a formal request for an order; filed in Purchasing Department by number.
Copy - filed in Stores/Inventory department.
Purchase Order (4 copies)
This document is generated by the Purchasing Department with distribution as follows:
Original - vendor.
Copy - sent to Stores/Inventory Department (problem seems to imply there is no separate receiving department) to check with order received.
Copy - sent to Accounts Payable to be matched with the invoice from vendor and receiving report from Stores/Inventory Department.
Copy - retained in Purchasing Department and filed by vendor.
Receiving Report (2 copies)
This report is generated by the Stores/Inventory Department and completed as follows:
Original - the report is completed in the Stores/Inventory Department and this copy is forwarded to the Accounts Payable Department to compare with the invoice and purchase order.
Copy - retained in Stores/Inventory Department.
Payment Voucher (2 copies) and Check
The voucher and check are prepared by the Accounts Payable Department and routed as follows:
Originals - voucher and check with supporting documents (invoice, purchase order, receiving report) sent to the controller or treasurer for signature; check sent directly to vendor; approved payment voucher returned to Accounts Payable.
Voucher Copy - retained in Accounts Payable Department.
Check Copy - retained by the controller or treasurer.
Invoice (2 copies)
This document is generated by the vendor, usually in duplicate. Both copies go to the Accounts Payable Department where the invoice is compared with the receiving report, purchase order, and packing slip.
Original - forwarded to controller or treasurer with supporting documents and with payment voucher and check for approval; returned to Accounts Payable after approval and filed by date.
Copy - retained in Accounts Payable and filed by vendor.
Packing Slip (2 copies)
The packing slip is generated by the vendor and included with the shipment of goods.
Original - compared with what was actually received and also compared to the Purchase Order. It should then be filed by the Stores/Inventory Department.
Copy - sent with Receiving Report to Accounts Payable Department.
71. Analytic Flowchart - 30 minutes Medium
CMA Examination, Unofficial Answer
See next page.
72. Purchasing Flowchart - 2 Hours Hard
a. Flowchart.
b. Note: Analytic flowcharting of this problem clearly reveals the lack of segregation of duties between accounts payable and cash disbursements.
(a) The accounts payable supervisor has far too many functions. The supervisor is responsible for functions that should be the responsibility of an independent cash disbursement clerk. Examples of weaknesses include: (1) approval of the cash disbursement journal voucher; (2) handling of the checks after they are drawn; (3) a major weakness is that the supervisor also performs the bank reconciliation. The cash disbursement clerk should review the voucher packages independently of the accounts payable supervisor. Functions 1, 2, and 3 above should be performed by someone other than the accounts payable supervisor.
(b) Freight invoices are not included as part of the voucher package and the matching process. Freight invoices should be matched to invoices, at least on a periodic basis, to validate their authenticity. This weakness aggravates the weaknesses listed in (a) above.
(c) The overall integrity of the purchase procedure may be weak. There is no mention that the check signers or anyone else reviews the terms of the purchase, or verifies the vendor, or the reasonableness of the prices, or other such matters. Competitive bidding and other such policies should be in force and subject to documentation and review.
(d) The accounting distribution on the requisition should be entered or at least reviewed by someone other than the requisitioning department. Both copies of the requisition should not be sent to purchasing; rather, one copy should be sent directly to accounts payable to ensure that the requisitions originate in the user departments.
(e) A major weakness is that the inventory department files its copy of the receiving report rather than signing/approving it and routing it to accounts payable. Routing of the receiving report through inventory is a basic feature of the matching process and essential to accounting control of purchases.
(f) Minor weaknesses which may exist, as they are not specifically mentioned, include: (1) accounting for prenumbered forms in all departments; (2) keeping a register of vouchers forwarded to data processing; (3) batch control procedures; (4) budgetary control over the requisitions of users.
(g) Invoices should be sent first to purchasing (not accounts payable) for initiation of the payment process. The approved invoice should be sent to accounts payable.
(h) Receiving procedures appear to be sound (blind count, supervisor) with the exception that discrepancy procedures are not discussed, and there is no mention of what is done with the completed tally sheets.
(i) There should be adequate controls over blank checks (not specifically mentioned), and checks should be forwarded directly to the mail room (see (a)(2) above).
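The segregation-of-duties findings in 72(a), together with the separation of approval from payment and the independent bank reconciliation called for in answer 14, as an added Python example that is not part of the solutions manual; the duty names, the incompatibility table and the two staffing arrangements are constructed for illustration.

```python
from itertools import combinations

# Duties in the cash disbursements cycle (constructed names for this example).
DUTIES = (
    "approve_voucher_package",
    "approve_disbursement_journal_voucher",
    "prepare_checks",
    "sign_checks",
    "handle_signed_checks",       # custody of drawn checks until they are mailed
    "post_check_register",
    "post_accounts_payable",
    "reconcile_bank_account",
)


def _pairs(reason, *duties):
    """Every pair among the given duties is incompatible for the same reason."""
    return {frozenset(p): reason for p in combinations(duties, 2)}


# Pairs of duties one person should not hold; reasons restate the answers above.
INCOMPATIBLE = {}
# Separation of approval from actual payment (answer 14, weaknesses 72(a)(1)-(2)).
for approval in ("approve_voucher_package", "approve_disbursement_journal_voucher"):
    INCOMPATIBLE[frozenset({approval, "handle_signed_checks"})] = (
        "approval of payment combined with custody of signed checks")
# Preparing, signing and handling checks should be done by different persons.
INCOMPATIBLE.update(_pairs("preparing, signing and handling checks not separated",
                           "prepare_checks", "sign_checks", "handle_signed_checks"))
# Recordkeeping (check register) separated from custody of checks.
for custody in ("prepare_checks", "handle_signed_checks"):
    INCOMPATIBLE[frozenset({custody, "post_check_register"})] = (
        "check register kept by a person with custody of checks")
# Independent bank reconciliation (answer 14, weakness 72(a)(3)).
for duty in DUTIES:
    if duty != "reconcile_bank_account":
        INCOMPATIBLE[frozenset({duty, "reconcile_bank_account"})] = (
            "bank reconciliation not independent of the disbursement process")


def find_conflicts(assignments):
    """Return (person, duty_a, duty_b, reason) for each incompatible pair one person holds.

    assignments maps an employee name to the set of duties that employee performs.
    """
    conflicts = []
    for person, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            reason = INCOMPATIBLE.get(frozenset({a, b}))
            if reason:
                conflicts.append((person, a, b, reason))
    return conflicts


def unassigned_duties(assignments):
    """Duties nobody performs: a gap in the procedure rather than an SoD conflict."""
    held = set()
    for duties in assignments.values():
        held |= set(duties)
    return [d for d in DUTIES if d not in held]


# The arrangement criticised in 72(a), as a constructed sample.
AS_DESCRIBED = {
    "ap_supervisor": {"approve_voucher_package", "approve_disbursement_journal_voucher",
                      "handle_signed_checks", "reconcile_bank_account"},
    "ap_clerk": {"post_accounts_payable", "post_check_register"},
    "cashier": {"prepare_checks"},
    "treasurer": {"sign_checks"},
}

# One arrangement that clears the table (constructed; role names are illustrative).
CORRECTED = {
    "ap_supervisor": {"approve_voucher_package", "approve_disbursement_journal_voucher"},
    "ap_clerk": {"post_accounts_payable", "post_check_register"},
    "cashier": {"prepare_checks"},
    "treasurer": {"sign_checks"},
    "mail_room": {"handle_signed_checks"},
    "internal_auditor": {"reconcile_bank_account"},
}

if __name__ == "__main__":
    for person, a, b, reason in find_conflicts(AS_DESCRIBED):
        print(f"{person}: {a} + {b} -> {reason}")
    print("corrected arrangement conflicts:", find_conflicts(CORRECTED))
```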
73. Purchasing - 30 minutes Medium
CPA Examination, Unofficial Answer
(a) There seems to be poor control over the requisitioning of materials. Each bill of materials from the engineering department, along with a schedule of the planned production of the item called for by the bill of materials, should be forwarded to a stores supervisor. The stores supervisor should be responsible for preparing the necessary purchase requisitions to maintain a supply of materials to meet the scheduled production. The foremen would draw the necessary materials from stores on a material requisition and should have no part in the purchase requisition process.
(b) The copy of the purchase order that is sent to the receiving department and used as a receiving report should not show the quantities, so that receiving department personnel would be required to count incoming material. Receiving department personnel would also be prevented from converting overshipments to their own use. Additional copies of the purchase order and the receiving report might prove desirable. The accounting department should receive a copy of the purchase order for vouching purposes. A copy of the purchase order routed to the stores manager might prove helpful to him in planning storage space. A copy of the receiving report would be necessary if stock record cards are maintained. Routing a copy of each to the foreman who will use the material might help him in scheduling his work.
(c) In the purchasing department there is no safeguard against issuance of unauthorized purchase orders. The purchasing department supervisor should assign purchase order numbers to the requisitions prior to distribution to the employees who place the orders. He should also account for the sequence of purchase order numbers. There is no evidence that the purchase orders are approved. They should be approved by the purchasing department supervisor to ensure that purchases are made from approved vendors at the best price for the quantity and quality requested.
(d) The mail department should send the vendors' invoices to the purchasing department when they are received. The purchasing department should compare the terms, etc., of the invoices and purchase orders and send one invoice copy to the accounting department for vouchering. The other copy should be retained in the files of the purchasing department. The accounting department, rather than the purchasing department, should approve the vouchers for payment. The voucher section should receive a copy of each purchase order and receiving report and the original invoice. This section should then reconcile the purchase orders, receiving reports, and invoices; check discounts, footings, and extensions; prepare a voucher; and approve the voucher for payment. This will ensure that payment is made only for authorized material received.
74. Purchasing - 1 Hour Medium
a. Logical Data Flow Diagram (see next page)
b. Flowchart
c.
Cash Disbursements
(a) Invoices and supporting data should be furnished to check signers and reviewed by them prior to signing checks.
(b) There should be a method of canceling voucher packages in the presence of the check signer at time of payment.
(c) Signed checks should be delivered directly to the mail room rather than routed back through the accounts payable clerk, particularly because this individual is also responsible for reconciliation of the bank statement.
(d) Prenumbered checks should be used for all accounts.
(e) The supply of unused checks should be controlled to preclude their being accessible to persons unauthorized to prepare them for signature.
(f) It would be highly desirable to have an independent bank statement reconciliation.
Accounts Payable
(a) Accounting (in this case the office manager) should establish control over invoices received by assigning sequential voucher numbers or establishing some other type of method.
(b) Invoices should be checked for mathematical accuracy either by accounting or by the purchasing department.
(c) The account to be charged should be indicated on the purchase requisition by the person requesting the purchase.
(d) Trial balances of voucher registers (or accounts payable ledgers) should be prepared monthly and reconciled with the general ledger control account by an employee other than the accounts payable clerk.
(e) When an invoice is received from a supplier not previously dealt with, steps should be taken to assure that the supplier is genuine.
(f) Payments should be made on the basis of original invoices only.
75. Cash Disbursements - 30 minutes Medium
CMA Examination, Unofficial Answer
Reference Number | Nature of Weakness | Recommendation to Correct Weakness
1 | Verification | The clerical accuracy of vendors' invoices should be tested.
1 | Comparison | The process of matching requires more than looking for vendor name and skimming the document. Clerks should ensure a match between I, PR, PO, and RR by checking dates, descriptions, amounts, and reference numbers.
2 | Segregation of duties | The preparation of DV or VR should be separated. DV requires matching supporting documents and VR requires an account distribution.
2 | Documentation | DV should be prepared in four parts with one part used as a remittance advice and sent to the vendor with the check and one part retained in the Accounts Payable Department to verify amounts paid upon the return of documents from the Treasury Department.
4 | JV prepared in Accounts Payable Department | JV should be prepared in the General Ledger Department.
5 | Document control | A journal register should be maintained.
8 | Filing sequence | DV and supporting documents should be filed by due date in the unpaid vendor file. This will avoid the necessity to search the file daily and reduce the possibility of losing purchase discounts.
10 | Segregation of duties | The functions of preparing, signing, and distributing checks should be done by different persons instead of all being done by the cashier. In addition, the cashier should not make entries in the check register. The recordkeeping function should be separated from the custodial function.
15 | Cross referencing | CR should be sent to the Accounts Payable Department for entry of check numbers on VR.
20 | Segregation of duties | Bank reconciliation should be prepared by someone outside the Treasury Department.
76. Purchasing - 30 minutes Medium
CPA Examination, Unofficial Answer
XY Company's major internal accounting control weaknesses are:
Purchasing:
- The buyer does not verify that the department head's request is within budget limits.
- No procedures have been established to assure that the best price is obtained. Large dollar requisitions should be ordered after receiving quotes and/or sealed bids.
- Prior to placing an order, the buyer does not determine the adequacy of the vendor's past record as a supplier to XY.
Receiving:
- The receiving clerk does not make blind counts for all special equipment or at least for large dollar items.
- Written notice of equipment received is not sent to purchasing.
- Written notice of equipment received is not sent to accounts payable.
Accounts Payable:
- The mathematical accuracy of the invoice is not recomputed.
- Invoice quantity is not compared with a report of the quantity received.
- Notification of the acceptability of the equipment from the requisitioning department is not obtained before the payable is recorded.
- No alphabetic file of vendors from whom purchases have been made is maintained.
Treasurer:
- Documentation supporting the checks is not sent by the accounts payable department to the cashier in order for the cashier or treasurer to be assured that the check is for properly authorized and received equipment.
- Checks for large dollar purchases are not signed by two officers of XY Company to assure that material expenditures are proper.
- All documentation to support a check is not cancelled by the check-signer and returned to the accounts payable department.
- The cashier alone has custody of the key, the signature plate, and record of usage.
- The controller is authorized to sign checks.
WEB RESEARCH ASSIGNMENTS
77. The eProcurement value chain is discussed in a Wikipedia article located here: http://en.wikipedia.org/wiki/E-procurement . Indent management involves the workflow related to the preparation of tenders.
78. The main ethical issue in procurement is the possible conflict of interest. The buyer should not have any direct or indirect financial interest in (or benefit from) purchases.
79. SAP ERP's Human Capital Management provides functionality in the following areas: end-user service delivery, workforce analytics, talent management, workforce process management, and workforce deployment.
80. Quickbooks provides both e-file and e-pay features. In addition, it is possible to link Quickbooks to payroll services like ADP (www.adp.com), using services such as PTEBRidge (www.ptebridge.com). Similar functions can be performed with other small business software, such as Microsoft Dynamics.
81. Crossword
Across
1. APPROVED VENDOR LIST — a reference list for use by the purchasing function.
9. RECEIVING REPORT — record of deliveries from vendors.
11. INVOICE VERIFICATION — prior to authorizing payment to vendors.
13. REQUEST FOR QUOTATION — triggers bids.
14. PURCHASE REQUISITION — before the purchase order.
Down
2. VOUCHER SYSTEM — every organizational expenditure must be documented.
3. ATTRIBUTE RATING — identifies, lists, and evaluates several different aspects concerning a vendor.
4. INDEPENDENT PAYMASTER — not involved in payroll preparation.
5. BUILT-UP VOUCHER SYSTEM — the payment of several invoices with a single check.
6. PURCHASE ORDER — issued to a vendor.
7. VOUCHER — voucher package.
8. BLIND COUNT — counters in receiving do not have access to quantities shown on purchase orders.
10. PROCUREMENT — selecting a source, ordering, and acquiring goods or services.
12. VOUCHER PACKAGE — authorizes a disbursement.
Chapter 9 THE PRODUCTION BUSINESS PROCESS
TEACHING TIPS
I usually gloss over the materials on job costing, for my students have covered job costing in their Cost/Managerial course. I do emphasize the need for good ledger control over property, plant, and equipment.
THE PRODUCTION BUSINESS PROCESS
Production Planning and Control. A sales order or sales forecast causes the creation of production orders, which specify the items that should be produced. Materials are requisitioned and production is scheduled. Items are produced, inspected, transferred to finished goods inventory, and then transferred to shipping to complete the process. Basic production requirements are provided by the bill of materials and the master operations list. Resources available for production are communicated to the production control function through inventory status reports and factor availability reports. The production order serves as authorization for the production departments to make certain products. Materials requisitions are issued for each production order to authorize the inventory department to release materials to the production departments. Production status reports are periodically sent from the production departments to the production control function.
Cost Accounting Controls. Job costing is a procedure in which costs are distributed to particular jobs or production orders. In process costing, costs are compiled in process or department accounts by periods (day, week, or month). The cost accounting department is responsible for maintaining a file of WIP cost records.
Inventory Control. The control of inventories is accomplished through a series of inventory records and reports that provide such information as inventory use, inventory balances, and minimum and maximum levels of stock. A reorder point is the level of inventory at which it is desirable to order or produce additional items to avoid an out-of-stock condition.
The economic order quantity (EOQ) must balance two system costs: total carrying costs and total ordering costs. Let
EOQ = economic order quantity (units)
R = requirements for the item this period (units)
S = purchasing cost per order
P = unit cost
I = inventory carrying cost per period, expressed as a percentage of the period inventory value
Then
EOQ = \sqrt{\frac{2 \times R \times S}{P \times I}}
Lean Production. Lean production is a term used to describe a production system in which parts are produced only as they are required in subsequent operations. The concept of lean production is based on the idea that inventory is waste. Lean production systems expose the hidden causes of maintaining inventory.
Property Accounting Applications
Fixed Assets. Every organization, including those on a cash basis, should keep a ledger of fixed assets as an aid to effective control. A fixed asset register is a systematic listing of an organization's fixed assets. There are four objectives of fixed asset or investment accounting applications:
1. Maintain adequate records that identify assets with description, cost, and physical location.
2. Provide for appropriate depreciation and/or amortization calculations for book and tax purposes.
3. Provide for reevaluation for insurance and replacement cost purposes.
4. Provide management with reports for planning and controlling the individual asset items.
Investments. The investment register should contain all relevant information, such as certificate numbers and the par value of securities, to facilitate identification and control.
QUICK RESPONSE MANUFACTURING SYSTEMS
Components of Quick Response Manufacturing Systems
The Physical Manufacturing System. Two subsystems directly support the physical manufacturing system. These are the CADD (computer-aided design and drafting) and CAM (computer-aided manufacturing) systems, discussed below. Some CAM systems, called flexible manufacturing systems (FMS), incorporate programmable production processes that can be quickly reconfigured to produce different types of products. FMS can significantly contribute to the overall speed with which a system responds, for it can greatly shorten time-consuming retooling.
The Manufacturing Resource Planning (MRP II) System. The MRP II system comprises the materials requirements planning (MRP) system and the related systems for sales, billing, and purchasing. The MRP system is the heart of the MRP II system.
Advanced Integration Technologies. Automatic identification enhances integration because electronically tagging products and materials effectively makes them machine-readable and thus physically part of the organization's computer-based information system. Radio Frequency Identification, or RFID, is an automatic identification technology that uses low power radio waves to send and receive data between RFID tags and readers. EDI enhances integration because it effectively integrates the company's system with the systems of its suppliers and customers. Distributed processing enhances integration because it logically and physically combines geographically dispersed information resources into a single system.
Transaction Processing in Quick Response Manufacturing Systems
Production Planning. Production planning involves the determination of which products to produce and the scheduling of production to make optimal use of production resources. The master production plan is processed against the production-status, bill-of-materials, and master-operations files. This processing generates production order files, materials requisitions, and routings, and also updates the production-status file. The production-status file contains
both accounting data and operational data pertaining to the status of production orders. This file integrates production-order data pertinent to the stage of completion; the production-status file is a major input to the scheduling and cost accounting applications. The bill-of-materials file contains a record for each product manufactured. Each record contains the detailed material requirements and standard material cost of the product identified by the record's key value. The master-operations file contains similar data related to each product's detailed labor and machine operation requirements and their sequencing through the production process. Standard times and costs are also contained in the master-operations file. The production-planning application program integrates data from the master production plan, bill-of-materials file, and master-operations file and generates the necessary production-order documents: detailed production orders, materials-requisition forms, and routings (RTGs) to guide the flow of production. RTGs indicate the sequence of operations required to manufacture a product. RTGs contain information about the work center, length of time, and tooling required to perform each task.
Production Scheduling. Routing (RTG) data concerning current production status is collected in the factory departments as work progresses. RTG data may be collected in different ways. RTGs may be output as turnaround documents by the production-planning application. RTGs are filled in by the factory departments as work progresses on specific production orders. Each RTG contains a production-order number and a format for specifying the work completed on an order. The production-loading file is the major input to the production-scheduling application. This file is processed by the scheduling application program to produce production schedules. The scheduling application program may simply accumulate and print reports showing total labor and machine operation requirements for each department/work center. In MRP systems, the scheduling application program would include the use of linear programming or other decision-support techniques to relate resource availabilities within each department or work center to overall production requirements, generating a schedule that represents an optimal assignment of available resources to production.
Cost Accounting. The central feature of the cost-accounting application is the updating of the production-status (Work-In-Process) file. The outputs of the cost-accounting program include the following items:
- an updated production-status file
- a completed production-order file
- a resource usage file
- a summary report
Reporting. The completed production-order file lists all cost data for completed production orders. Outputs of processing this file include an updated finished-goods inventory file, a finished-goods stock status report, a completed production-order cost summary, and a summary report that includes batch and application control information as well as the summary journal entry data debiting finished goods and crediting Work-In-Process for the standard cost of goods completed.
Activity-Based Costing. Traditional cost accounting techniques may be inadequate in a CIM environment. CIM significantly alters a manufacturer's cost-behavior patterns by causing a substitution of capital equipment for direct labor. In a CIM environment, products manufactured with costly automated machinery, which contributes greatly to overhead costs, typically have the lowest number of direct labor hours associated with their production. Activity-based costing (ABC) calculates several overhead rates, one for each manufacturing activity, and uses these rates to build product costs from the costs of the specific activities that are undertaken during production.
MRP II versus MRP. Extensions to routings file processing in MRP II might include expanded data concerning work center capacity, maintenance of machine tooling data, and maintenance of numerical machine control data from the CADD system. Extensions to production order processing in MRP II might include the creation of transaction files and numerical machine control tapes for the plant floor.
ERP, ERP II, and EAS. These more advanced systems incorporate all the functionality of MRP and MRP II, but they also integrate all other major business processes into a single system.
Implementing Lean Production in an MRP II/CIM Environment. In a batch production environment, manufacture of specific products is sporadic. Batches of similar products are periodically assembled to satisfy present and planned future needs. Setup costs are usually incurred every time a batch is produced, and these costs are typically the same regardless of the proposed size of the batch production run. As the word "planned" indicates, a batch environment fosters a "push" concept of manufacturing efficiency. Economic (i.e., efficient) batch size is derived by using formulas (i.e., economic order quantity models) or is output from a computer simulation or computational model.
Special Internal Control Considerations. Quick response manufacturing systems, similar to other totally computerized systems, intensify certain internal control problems. Transactions may be processed without human intervention or approval. This eliminates conventional controls associated with separation of duties in transactions. Thus, a major consideration is to ensure that such controls, or their equivalents, are an integral part of a quick response manufacturing system. Computer processing in general, and EDI in particular, eliminates human-oriented paper documents. There are challenging validation and authenticity problems concerning the operation of paperless processing systems, both within a firm (e.g., electronic production order) and in its exchanges with its trading partners (EDI and EFT). Extensive control and audit trails may be implemented in quick response manufacturing systems, but these features must be included within the design and development of the system. It is neither feasible nor desirable to install controls in a computer-based information system after it has been implemented.
REVIEW QUESTIONS
1. Job costing is a procedure in which costs are distributed to particular jobs or production orders. In process costing, costs are compiled in process or department accounts by periods (day, week, or month). At the end of each period, the cost of each process is divided by the units produced to determine the average cost per unit.
2. WIP is increased for production costs and decreased when production is completed. Production cost entries debit WIP and credit stores (material), payroll, and manufacturing overhead. Completed production is evidenced by a debit to finished goods inventory and a credit to WIP.
3. A bill of material lists the raw materials that are necessary to produce a product. A reorder point is the level of inventory at which it is desirable to order or produce additional items to avoid an out-of-stock condition. The reorder quantity must balance two system costs: total carrying costs and total ordering costs. A master operations list identifies and specifies the sequencing of all labor operations and/or machine operations that are necessary to produce a product.
4. Internal control over inventories and production is based on separation of functions and basic records and documentation, such as production orders, material requisition forms, and labor time cards. Protection of inventories from physical theft involves security and access provisions as well as periodic physical counts and tests against independent records.
5. The production order serves as authorization for the production departments to make certain products. A copy of the production order is sent to the cost accounting function to establish a WIP record for each job.
6. JIT systems differ from conventional production systems in that inventories of work-in-process, raw materials, and finished goods are minimized or totally eliminated.
7. There are four objectives of fixed asset or investment accounting applications:
(1) Maintain adequate records that identify assets with description, cost, and physical location.
(2) Provide for appropriate depreciation and/or amortization calculations for book and tax purposes.
(3) Provide for reevaluation for insurance and replacement cost purposes.
(4) Provide management with reports for planning and controlling the individual asset items.
8. Fixed assets and investments should be recorded in a ledger as an aid to effective control. Assets themselves should be labeled with identifiers linked to the fixed asset register.
9. Several entries must be made when an asset is disposed of. The first records the date of disposal. The second entry removes the original cost of the asset in the current period. A third entry removes the accumulated depreciation taken to date.
10. CIM integrates the physical manufacturing system with the MRP II (resource planning) systems.
11. MRP II includes MRP plus the related systems for sales, billing, and purchasing.
12. CADD can provide many support functions such as simulation and testing.
13. CAM can control robots used to automatically generate products, and also to automatically scan cost data and generate reports.
14. Automatic identification could be used (for example) to scan work orders at the stores department and to physically track products as they flow through production.
15. MRP II systems involve production planning, scheduling, cost accounting, and reporting. They must also interface with other systems such as sales and billing.
16. ABC costing involves breaking the production process down into a series of operations and assigning overhead and other costs to each operation. CIM operations typically involve many operations, so ABC costing often helps provide better cost collection and control in CIM environments.
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS
17. - 32. Multiple-Choice Varies
17. A 18. A 19. D 20. D 21. B 22. B 23. B 24. C 25. A 26. D 27. B 28. C 29. A 30. D 31. D 32. B
33. EOQ - 15 minutes Easy CMA Examination, Unofficial Answer
In order to compare the two alternatives, the carrying costs and the production initiation costs must be calculated for each alternative. These two amounts are calculated as follows:
Carrying costs = annual carrying cost (20%) x standard manufacturing cost ($50) x average inventory
Production initiation costs = number of runs x cost to initiate a run ($300)
Current situation: 2 production runs of 3,000 units per run
Average inventory = 3,000 / 2 = 1,500 units
Present costs:
Carrying costs (.20 x $50 x 1,500)            $15,000
Production initiation costs (2 x $300)            600
Total cost                                    $15,600
Proposed situation: The EOQ formula as it applies to inventories can be used to determine production run quantities by substituting "cost per order" with "production initiation costs."
Production quantity = \sqrt{\frac{2 \times 6{,}000 \times \$300}{\$50 \times 0.2}} = \sqrt{360{,}000} = 600 units
Average inventory = 600 / 2 = 300 units
Number of runs = 6,000 / 600 = 10 runs
Proposed costs:
Carrying costs (.20 x $50 x 300)               $3,000
Production initiation costs (10 x $300)         3,000
Total cost                                     $6,000
Expected annual cost savings ($15,600 - $6,000)    $9,600
34. EOQ - 15 minutes Easy CIA Examination, Unofficial Answer
a. (1) The increase in demand for an inventory stock item means that quantities on hand will be exhausted more quickly. With no change in lead time, the reorder level would have to be increased to assure stock being on hand until an order that was placed can be filled.
(2) The economic order quantity would also increase because the increased usage would force an increase in total ordering costs, making it more economical to order in larger quantities. In the EOQ equation
EOQ = \sqrt{\frac{2AS}{R}}
where S = the total annual usage in dollars, an increase in S will result in an increase in EOQ.
b. (1) A decrease in the cost of capital would have no effect on the reorder point, but would make it economical to carry larger average inventory amounts which, in turn, would be the result of placing larger orders.
(2) EOQ would increase. In the equation EOQ = \sqrt{\frac{2AS}{R}}, R is the carrying cost expressed as a percentage of the dollars invested in inventory. A decrease in cost of capital would cause a decrease in R.
c. (1) The salary increase of purchasing and receiving personnel would have no effect on the reorder point; but the increased ordering costs that would result would, in part, be compensated by placing fewer orders for larger quantities.
(2) Again, the result is indicated by the EOQ equation EOQ = \sqrt{\frac{2AS}{R}}, where A is the cost of ordering and where an increase in A will cause an increase in EOQ.
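A worked EOQ calculation in Python, added here as an illustration and not part of the solutions manual: it reproduces the problem 33 comparison with the chapter's formula EOQ = sqrt(2RS/(PI)) and then checks the three directional claims of problem 34 (usage up, carrying rate down, ordering cost up) with the same function. The function names and the 1.5 scaling factor used for the sensitivity check are my own choices.

```python
"""EOQ worked example in the chapter's notation (added illustration).

  R = requirements for the period (units)
  S = cost per order, or per production run in problem 33
  P = unit cost
  I = carrying cost per period as a fraction of inventory value
"""
from math import sqrt


def eoq(R: float, S: float, P: float, I: float) -> float:
    """Economic order quantity in units: sqrt(2RS / (PI))."""
    if min(R, S, P, I) <= 0:
        raise ValueError("R, S, P and I must all be positive")
    return sqrt(2 * R * S / (P * I))


def period_costs(Q: float, R: float, S: float, P: float, I: float) -> dict:
    """Carrying cost, ordering (run initiation) cost and their total for lot size Q."""
    carrying = I * P * (Q / 2)   # average inventory is half the lot size
    ordering = (R / Q) * S       # number of orders or runs times the cost of each
    return {"carrying": carrying, "ordering": ordering, "total": carrying + ordering}


def problem_33() -> dict:
    """Problem 33: 6,000 units a year, $300 per run, $50 standard cost, 20% carrying cost."""
    R, S, P, I = 6000, 300, 50, 0.20
    current = period_costs(3000, R, S, P, I)   # two runs of 3,000 units
    q = eoq(R, S, P, I)                        # the manual's 600-unit run
    proposed = period_costs(q, R, S, P, I)
    return {
        "eoq": q,
        "runs": R / q,
        "current_total": current["total"],
        "proposed_total": proposed["total"],
        "savings": current["total"] - proposed["total"],
    }


def eoq_sensitivity(R: float, S: float, P: float, I: float, factor: float = 1.5) -> dict:
    """Direction of the EOQ change for problem 34's three cases.

    Returns +1 if EOQ rises, -1 if it falls, 0 if unchanged, when
    usage rises (R x factor), the carrying rate falls (I / factor), or
    the ordering cost rises (S x factor). The factor is an assumed scale.
    """
    base = eoq(R, S, P, I)
    cases = {
        "usage_up": eoq(R * factor, S, P, I),
        "carrying_rate_down": eoq(R, S, P, I / factor),
        "ordering_cost_up": eoq(R, S * factor, P, I),
    }
    return {name: (q > base) - (q < base) for name, q in cases.items()}


if __name__ == "__main__":
    print(problem_33())
    print(eoq_sensitivity(6000, 300, 50, 0.20))
```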
35. Work Order Application - 1 Hour Medium CMA Examination, Unofficial Answer
a. (1) Data items which should be included on a Repair/Maintenance work order document are as follows:
- Job identification - department (or plant) in which work is to be done, machine or work station, and general description of job.
- Starting and completion dates - both estimated and actual.
- Materials and supplies data - estimated and actual quantities and costs.
- Labor data - estimated and actual hours and cost, and employee number for each job or person completing the work.
- Applied overhead.
(2) At least four copies of the work order would be required, with a possible fifth copy needed if a work order summary is not prepared. The work order would be prepared in the R & M Department and given to the Supervisor for review and scheduling. The work order would then be used by the person responsible for the work for recording the actual hours spent on the job and the actual materials and supplies required to complete the job. After the job is completed, the work order would be forwarded to accounting for costing and charging. The distribution of each copy of the work order would be as follows:
- Original (Copy 1) - Once the job is completed and all data has been recorded on the work order, this copy is forwarded to the Accounting Department for costing and then filed in the Accounting Department.
- Copy 2 - This copy is also fully completed and is filed in the R & M Department in a completed work order file.
- Copy 3 - This copy would be kept by the R & M Department in a file of scheduled jobs until the work is complete. A reference file is needed for all work orders while the job is in process. Once the job is completed, Copy 3 would be attached to Copy 2 and filed with Copy 2.
- Copy 4 - This copy would be sent to the production department where the work is being done to acknowledge the actual scheduling of the job.
An evaluation of the performance of the R & M Department would probably be done in three departments, as explained below.
- The production department which requests the work should compare the estimated charges indicated on the Work Order Request with the actual charges and the timeliness of the work (i.e., the estimated and actual starting and completion times on the Work Order). If the work is not timely or if the actual charges vary considerably from the estimate, the management of the production department would contact the Supervisor of the R & M Department for an explanation.
- The Supervisor of the R & M Department would conduct a self-evaluation by comparing the Work Order Request and the completed Work Order. The Supervisor would want to be sure the actual times and charges were close to the original estimates. Such a comparison would be important for evaluating the staff in the department and also for preparing future estimates.
- The Accounting Department (or some other appropriate department) would probably conduct a review of the R & M Department's work. The estimates and actual results shown on the Work Order would be compared. Types of repair and maintenance jobs which have standard times for completion could be compared with the actual times required for the work in order to evaluate the department's performance.
b. Flowchart. See following page.
36. Systems Development - 45 minutes Hard
a. There are many variations possible in preparing the standard journal entries that Fred Beam, the controller of the Wadswad Corporation, could use to document how the expected outputs of the new system for work-in-process accounting will affect the general ledger. There should be two basic standard journal entries, one to debit work-in-process for manufacturing costs and the second to credit work-in-process for the cost of completed production.
Standard Journal Entry (1) Manufacturing Costs
Debit: Work-in-process Inventory
Credit: Raw Materials Inventory
Credit: Accrued Payroll (direct labor)
Credit: Applied Overhead Control
While the debit to work-in-process is straightforward, there are many possible variations in the credits. The credit to Raw Materials Inventory might be made to Stores, or even possibly to Purchases. The credit to Accrued Payroll for direct labor cost has several variations, a common one being to credit a Payroll Clearing or Payroll Summary account. The credit to Applied Overhead Control might be made instead to Factory (or Manufacturing or Production) Overhead Control (i.e., actual). Of course one might make three separate entries, one each for materials, labor, and overhead, rather than use a single compound entry as shown above.
Standard Journal Entry (2) Cost of Completed Production
Debit: Finished Goods Inventory
Credit: Work-in-process Inventory
While both the basic debit and the basic credit are straightforward in this case, there is a major complication which the instructor (or students) might raise concerning the accounting for spoilage. The indicated entry would account for spoilage by the method of omission. That is, any spoilage is simply omitted in calculations. If one wishes to include an accounting for both normal and abnormal spoilage, then the basic entry might appear as follows.
Standard Journal Entry (2-a) Cost of Completed Production (with spoilage)
Debit: Finished Goods Inventory
Debit: Cost of Abnormal Spoilage
Credit: Work-in-process Inventory
In this case the cost of normal spoilage is calculated and added to the cost transferred to Finished Goods Inventory. In some cases the cost of normal spoilage is debited to Overhead Control (and the overhead rate includes a charge for anticipated normal spoilage), and in some cases the net disposal value of spoilage is calculated and debited to the Stores (or Materials Inventory) account. With these factors, the standard journal entry might appear as follows.
Standard Journal Entry (2-b) Cost of Completed Production (with spoilage, part 2)
Debit: Finished Goods Inventory
Debit: Cost of Abnormal Spoilage (net)
Debit: Overhead Control (normal spoilage (net))
Debit: Stores (disposal value of spoilage)
Credit: Work-in-process Inventory
Other entries are possible, but this should suffice as a reasonably complete discussion of the topic. One should note that the basic file structure includes data concerning spoilage, but the accountant would have to determine several other statistics (i.e., data concerning percent complete) to develop the data for the standard journal entry.
b. In addition to accounting-related data, the system will output several other types of information which should be useful to management. This is a major advantage of computer processing of accounting data: the ability to produce other types of useful data as a byproduct of preparing the accounting records. Spoiled production reports are to be prepared by the system. Units spoiled in production for each job will be posted to the master work-in-process file and accumulated for each job. Special messages will be printed during processing if the spoilage rate exceeds management's expectations. Management's expectation (such as a rate of 15 percent) is included as a parameter in the work-in-process program. This type of processing is a good illustration of the concept of management by exception. When a job is complete the computer system will report the total cost of the job and also the per unit cost. The date of completion will be compared to the expected date of completion, field 7 in the master work-in-process file. Special messages will be printed during processing if a job is completed late. This type of processing is another example of the concept of management by exception.
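The two management-by-exception checks of part (b) as Python, added here as an illustration rather than the manual's own design: the record layout beyond "field 7" (expected completion date), the 15 percent parameter's placement and the sample jobs are constructed assumptions.

```python
"""Management-by-exception checks on a master work-in-process file (added illustration).

Assumed record layout; the manual only fixes the expected completion date as
field 7 and makes the spoilage expectation (15 percent) a program parameter.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class WipRecord:
    job_no: str
    units_started: int
    units_spoiled: int          # accumulated from spoiled production postings
    units_completed: int
    total_cost: float           # materials, labor and overhead charged to the job
    expected_completion: date   # "field 7" in the manual's file layout
    actual_completion: Optional[date] = None   # None while the job is still open


def job_exceptions(rec: WipRecord, spoilage_limit: float = 0.15) -> list:
    """Special messages the WIP program would print for one job."""
    messages = []
    if rec.units_started > 0:
        rate = rec.units_spoiled / rec.units_started
        if rate > spoilage_limit:   # management's expectation is a parameter
            messages.append(f"{rec.job_no}: spoilage {rate:.1%} exceeds {spoilage_limit:.0%}")
    if rec.actual_completion is not None and rec.actual_completion > rec.expected_completion:
        days = (rec.actual_completion - rec.expected_completion).days
        messages.append(f"{rec.job_no}: completed {days} day(s) late")
    return messages


def completed_job_costs(rec: WipRecord):
    """(total cost, per-unit cost) reported when a job is complete; None while open."""
    if rec.actual_completion is None or rec.units_completed == 0:
        return None
    return rec.total_cost, rec.total_cost / rec.units_completed


def wip_report(records, spoilage_limit: float = 0.15) -> dict:
    """Exception messages and completed-job costs keyed by job number."""
    return {
        r.job_no: {"exceptions": job_exceptions(r, spoilage_limit),
                   "costs": completed_job_costs(r)}
        for r in records
    }


# Constructed sample records: one job over the spoilage limit and late,
# one within expectations, one still in process.
SAMPLE_JOBS = [
    WipRecord("J-101", 1000, 200, 800, 24000.0, date(2024, 3, 1), date(2024, 3, 5)),
    WipRecord("J-102", 500, 25, 475, 9500.0, date(2024, 3, 10), date(2024, 3, 9)),
    WipRecord("J-103", 300, 0, 0, 1200.0, date(2024, 4, 1)),
]

if __name__ == "__main__":
    for job, result in wip_report(SAMPLE_JOBS).items():
        print(job, result)
```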
37. Property Accounting System - 30 minutes Medium CMA Examination, Unofficial Answer
a. Four major objectives which the automated property system should possess include:
Completeness. Records for all fixed assets owned by Deake Corporation need to be included in the system. Completeness is important because the users of the information derived from the system will assume the data in the system are complete and all fixed assets are recorded. If all fixed assets are recorded in the system, a reconciliation of the physical inventory of all fixed assets with the records will reveal any disappearances or losses. In order to assure complete records, controls must be established so that all fixed assets are updated, and records cannot be deleted without proper authorization.
Accuracy. Accuracy in establishing records and updating them based upon current transactions (improvements, maintenance, depreciation, additions, disposal) is very important if users are going to rely on the information generated from the system for decisions.
Timeliness. Transactions affecting the fixed asset records should be processed as quickly as possible. Users of the information will assume that all events pertaining to the fixed asset records are reflected in the records. In addition, requests for information from the system should be handled as expeditiously as possible. Information has to be provided on a timely basis to users if the information is to be useful for decision-making purposes.
Flexibility. The property account system should be designed to permit additions, revisions, and changes to be made without the system needing to be redesigned and redeveloped completely. This flexibility is needed should the company's needs change in the future.
b. The data items which should be included in the computer record for each fixed asset owned by Deake include:
- Descriptive data: name of asset; manufacturer; model and serial number; asset class code; company-assigned asset number; general ledger account number
- Location data (plant, department, building)
- Acquisition date
- Original cost
- Data for book depreciation
- Data for tax depreciation
- Maintenance record: cycle; date; amount
38. Systems Implementation - 15 minutes Easy a. The problem which Yard Company has experienced in implementing the use of numerically-controlled machines in its production operations stems from errors in the programming and subsequent operation of the numerically-controlled machines which have created conflicts between the programmers and the artisans. Total production costs have increased rather than decreased, and management is aware that both the programmer and the artisans are blaming each other for the company's problems. Machine programmers and artisans are segregated not only by physical location and operational function, but also by educational and vocational background as well as age. Programming the numerically-controlled machines requires skills which are most readily obtained by studying computer science in college or a trade school. As none of the artisans employed by the Yard Company had the necessary background, it was necessary to hire recent college graduates to program the machines. The programmers are much younger than most of the artisans and very different in terms of their backgrounds and career objectives. It was thus very difficult for the two groups to communicate. Since effective communication between system designers (i.e., the programmers) and the users (i.e., the artisans) is required to successfully implement an information system, Yard Company has experienced problems.
b. A solution to Yard Company's problem depends on improving the relationship between the artisans and the programmers. These two groups must be able to communicate effectively if the new system is to operate profitably. This task of improving human relations in the workplace may not be easy, as the two groups are so different. The inherent problem stems from the nature of computer system analysis and design. Special skills are required to perform these functions, but they also require an in-depth understanding of the user's problem. This problem is particularly acute in the implementation of a man-machine system such as the numerically-controlled machines because the interfaces between the system design and the user are so tight. The slightest error by the programmers is immediately experienced by the artisans. Programming the numerically-controlled machines requires a degree of education which none of the artisans possess. And the programmers do not themselves have the skills of the artisans. The ideal candidate to design and implement (i.e., program) the system in Yard Company's situation would be either an artisan who had the required programming skill or a programmer who had the required artisan skill. Neither of these two types of person is, unfortunately, likely to be readily obtainable. Thus, communication between these two groups must improve to overcome this inherent problem in the implementation of computer systems.
39. Activity-based Costing - 20 minutes Easy
a.
Activity            Overhead   Base     Rate
Material Handling   $200,000   40,000   $5 (per part)
Robotic Assembly    $400,000    5,000   $80 (per robot hour)
All Other           $400,000   20,000   $20 (per labor hour)

Product          X     Y     Z
# of Parts      10    15    20
Robot Hours      3     0     1
Labor Hours      0     4     2

ABC Costs                 X      Y      Z
Material               $200   $200   $200
Labor ($30/hour)         $0   $120    $60
Overhead:
  # of Parts            $50    $75   $100
  Robot Hours          $240     $0    $80
  Labor Hours            $0    $80    $40
Total                  $490   $475   $480

b. Allocation bases for activity costs should be identified informally through a cause-and-effect (i.e., cost incurrence) or benefits-received analysis, or more formally through the use of statistical regression techniques.
WEB RESEARCH ASSIGNMENTS
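A worked allocation for the activity-based costing problem above, added here as an example and not taken from the textbook or its solutions manual. It assumes each overhead rate is the cost pool divided by its budgeted driver quantity (the figures from the problem are embedded inline), and the allocator is written generally so it works for any set of activity pools and products, not only X, Y, and Z.

```python
"""Activity-based costing (ABC): derive activity rates from cost pools and
allocate overhead to products by the drivers each product consumes.

The cost pools, bases and product data below are the figures given in
problem 39, constructed inline so the script runs stand-alone."""

# Activity cost pools: name -> (budgeted overhead, budgeted driver quantity).
# The key is also the name of the driver a product record must report.
ACTIVITIES = {
    "parts": (200_000, 40_000),        # Material Handling, driven by # of parts
    "robot_hours": (400_000, 5_000),   # Robotic Assembly, driven by robot hours
    "labor_hours": (400_000, 20_000),  # All Other, driven by direct labor hours
}

DIRECT_LABOR_RATE = 30  # dollars per direct labor hour (given in the problem)

# Direct material cost and cost-driver consumption for each product.
PRODUCTS = {
    "X": {"material": 200, "parts": 10, "robot_hours": 3, "labor_hours": 0},
    "Y": {"material": 200, "parts": 15, "robot_hours": 0, "labor_hours": 4},
    "Z": {"material": 200, "parts": 20, "robot_hours": 1, "labor_hours": 2},
}


def activity_rates(activities):
    """Overhead rate per driver unit = pool cost / budgeted driver quantity."""
    return {name: cost / base for name, (cost, base) in activities.items()}


def abc_cost(product, rates, labor_rate=DIRECT_LABOR_RATE):
    """Return a cost breakdown for one product under ABC.

    Direct labor is charged at labor_rate per labor hour. Each activity's
    overhead is charged at that activity's rate times the driver quantity
    the product consumes (a product that consumes none of a driver gets
    none of that pool, as Y does for robotic assembly)."""
    breakdown = {
        "material": product["material"],
        "labor": product["labor_hours"] * labor_rate,
    }
    for name, rate in rates.items():
        breakdown["overhead_" + name] = product.get(name, 0) * rate
    breakdown["total"] = sum(breakdown.values())
    return breakdown


def cost_all(products=PRODUCTS, activities=ACTIVITIES):
    """Cost every product; returns {product: breakdown}."""
    rates = activity_rates(activities)
    return {name: abc_cost(data, rates) for name, data in products.items()}


if __name__ == "__main__":
    for name, rate in activity_rates(ACTIVITIES).items():
        print(f"{name:<12} rate = ${rate:,.2f}")
    for product, costs in cost_all().items():
        print(product, {k: f"${v:,.0f}" for k, v in costs.items()})
```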
40. Lean accounting is consistent with lean manufacturing, which focuses on cutting waste, eliminating inventories, controlling processes, and allocating only direct costs or costs organized by value stream. ABC accounting, on the other hand, tends to focus on allocating full costs based on activities. See the July 2004 article published in Journal of Accountancy (www.journalofaccountancy.com) by Karen M. Kroll. In a given application the two approaches can have much in common, as “activities” and the value stream can coincide.
41. E-Z-MRP™ is targeted towards small manufacturers. The main issue with this product is the effort to integrate with one’s existing accounting system. On the other hand, ERP systems such as SAP One come with financial accounting and ERP fully integrated.
42. Toyota is well known for using all the latest technologies, including robotics (FMS). A lot has been written about Toyota’s manufacturing and accounting systems. A web search reveals a wealth of materials.
43. A virtual enterprise is a partnership between multiple companies. The ability for companies to quickly set up virtual enterprises depends on their ability to interface and integrate their operations and information systems. EDI-type technologies (e.g., ebXML) can be a big help. Whereas the extended supply chain focuses on vertical integration, the virtual enterprise may also focus on horizontal integration. The SAP application suite is built on a service-oriented architecture. Obviously, two companies both using SAP would find it relatively easy to collaborate. However, SAP has interfaces to communicate with other companies using a wide variety of protocols, so it’s not necessary that all collaborating companies use SAP.
44. Crossword – see next page
Across
3. FLEXIBLE MANUFACTURING SYSTEM — a type of CAM system.
4. COMPUTER-AIDED DESIGN AND DRAFTING — software helps to perform engineering functions.
5. PRODUCTION ORDER — authorizes the production departments to make certain products.
6. ACTIVITY-BASED COSTING — separate overhead rates for each manufacturing activity.
7. MATERIALS REQUIREMENTS PLANNING SYSTEM — software assistance in production planning and control.
8. QUICK-RESPONSE MANUFACTURING SYSTEM — physical, MRP II, and advanced integration technologies.
9. MASTER OPERATIONS LIST — involves the sequencing of certain manufacturing activities.
13. REORDER POINT — paying attention to this avoids an out-of-stock condition.
14. STATISTICAL PROCESS CONTROL — involves comparing process outputs to engineering specifications.
15. SOLIDS MODELING — representation of a part in computer memory.
20. FINITE ELEMENT ANALYSIS — determine mechanical characteristics.
21. INVENTORY STATUS REPORTS — details the resources available in raw materials or finished goods.
22. ADVANCED INTEGRATION TECHNOLOGIES — EDI, automatic identification, and distributed processing.
25. MATERIALS REQUISITIONS — authorize the release of raw materials to the production departments.
26. PROCESS COSTING — production costs are compiled by department rather than by job.
27. ECONOMIC ORDER QUANTITY — the procurement amount that optimizes total inventory cost.
28. FACTOR AVAILABILITY REPORTS — communicate regarding labor and machine resources.
29. BILL OF MATERIALS — list of certain things necessary to produce a product.
30. COMPUTER-AIDED MANUFACTURING — includes tools to improve process productivity.
Down
1. COMPUTER-INTEGRATED MANUFACTURING SYSTEM — ties together the physical manufacturing system and MRP II.
2. JOB TIME CARDS — used to document certain charges to the job.
10. FIXED-ASSET REGISTER — a particular systematic list maintained for control purposes.
11. JOB — production order.
12. COST DRIVER — an element that influences the total cost of an activity.
16. VENDOR-BASED CODING — buyer and vendor use certain things that are the same.
17. JOB COSTING — assigned to production orders.
18. LEAN PRODUCTION — items are produced only as they are required in subsequent operations.
19. INDUSTRIAL ROBOT — variable programmed motions for the performance of a variety of tasks.
23. ROUTINGS — involves the sequence of operations required to manufacture a product.
24. INVESTMENT REGISTER — a type of systematic list maintained for control purposes.
25. MRP II SYSTEM — MRP plus certain related systems.
Chapter 10
SYSTEMS PLANNING, ANALYSIS, AND DESIGN
TEACHING TIPS
I often ask students to analyze AIS for local businesses. I usually support the discussion in the chapter with the examples provided by the students. Most students are familiar with the workings of at least one business. Further, students all come in contact with business information systems in their everyday dealings. With only a small amount of effort I can usually get students to produce a long list of horror stories of problems they have experienced with various companies. This chapter is best taught with supplemental software such as Microsoft Access™. I sometimes have students use Access to design and implement a sample sales order system. Alternatively, the students can run transactions through the sample sales order system that comes with the software.
GENERAL OVERVIEW
Every systems development project goes through essentially the same systems development life cycle: planning and analysis, design, and implementation. The traditional systems development process follows a somewhat rigid top-down sequential approach: first a plan is set in place, next a design is developed to produce an architectural blueprint for implementing the plan. Finally, a working system is developed and implemented that conforms to the architectural plan. The traditional rigid approach has been adapted in two ways to become more flexible. First, it has become iterative. This means that the initial plan is rougher and more tentative, so that it is more easily improved when its deficiencies become apparent in the design phase. The second major adaptation of the rigid approach involves breaking projects up into smaller pieces. Service Oriented Architecture (SOA) has greatly facilitated working in smaller projects, since the whole concept of SOA relies on small independent pieces of software called services.
SYSTEMS PLANNING AND FEASIBILITY ANALYSIS
Systems planning involves identifying subsystems within the information system that need special attention for development. The objective of systems planning is to identify problem areas that either need to be dealt with immediately or sometime in the future. Systems analysis seeks to understand the existing systems and problems, to describe information needs, and to establish priorities for further systems work. The majority of development cycle costs are tied up in the design and implementation phases. An overall systems plan seeks to ensure the following objectives:
1. Resources will be targeted to the subsystems where the needs are greatest.
2. Duplication and wasted effort will be minimized.
3. Systems development in the organization will be consistent with the overall strategic plan of the organization.
Systems planning and feasibility analysis involve seven phases, which must operate in a top-down fashion:
1. Discussing and planning on the part of top management.
2. Establishing a systems planning steering committee.
3. Establishing overall objectives and constraints.
4. Developing a strategic information systems plan.
5. Identifying and prioritizing specific areas for the systems development focus.
6. Setting forth a systems proposal to serve as a basis of the analysis and preliminary design for a given subsystem.
7. Assembling a team for purposes of the analysis and preliminary systems design.
Systems Planning and Top Management
Development efforts must be conducted in close communication with top management.
Steering Committee
The overall systems development effort should be guided by a steering committee, representing top management and all major functional areas within the organization. This committee should focus on the overall current and future information needs of the company. The steering committee should not become involved in the details of specific development projects. Individual projects should be supervised and managed by an individual who reports periodically to the steering committee.
Developing Objectives and System Constraints
Effective, sound overall planning calls for the development of general objectives for the company and specific objectives for individual subsystems within the company.
Developing a Strategic Systems Plan
A major output of the steering committee or individual in charge of systems development should be a strategic systems plan. This plan should take the form of a written document that incorporates both short-run and long-run goals relating to the company's systems development effort. Key elements of a plan should include:
1. An overall statement relating to key success factors of the company and overall objectives.
2. A description of systems within the company for which development efforts are needed.
3. A statement of priorities indicating which areas are to be given the highest priority.
4. An outline of required resources, including costs, personnel, and equipment.
5. Tentative timetables for developing specific systems.
Identifying Individual Projects for Priority
The strategic plan should identify specific areas to be given the highest priority.
Commissioning the Systems Project
Teams must be assigned. Regular meetings are required. Good communication is essential.
THE STEPS OF SYSTEMS ANALYSIS
Survey the Present System
Objectives of Surveying. There are four objectives of the system survey.
1. Gain a fundamental understanding of the operational aspects of the system.
2. Establish a working relationship with the users of the system.
3. Collect important data that are useful in developing the systems design.
4. Identify specific problems that require focus in terms of subsequent design efforts.
Behavioral Considerations. The human element is of key importance in conducting the system survey. The important thing is to obtain 'buy-in' from the users and participants.
Sources for Gathering Facts. A variety of techniques can be used to gather facts, including interviews, questionnaires, observations, and reviews of various types of documents such as corporate minutes, charts of accounts, organization charts, financial statements, procedure manuals, policy statements, job descriptions, and so on. In addition, sources of information outside the company should not be overlooked. These include industry and trade publications as well as professional journals. Finally, the customer should be viewed as a vital component of the system and included in any analysis.
Analysis of Survey Findings. When the survey has been completed, the strengths and weaknesses of the subsystem under study should be thoroughly analyzed. Evaluation of the effectiveness of the system's ability to achieve the overall planned objectives should focus on bottlenecks. Bottlenecks represent weaknesses in the system where small changes can result in major improvements.
Identify Information Needs
This involves identifying information requirements for managerial decision making. Considering several basic issues may be helpful:
Identify the manager's primary job responsibilities
Identify the means by which the manager is evaluated
Identify some of the major problems the manager faces
Identify the means by which the manager evaluates personal output
Identify the Systems Requirements
This involves specifying the inputs and outputs required for the subsystems.
Develop a Systems Analysis Report
The final output of the systems analysis project is a report that organizes and documents all the findings of the three phases of the analysis project. Some of the key elements of the systems analysis report should include:
1. A summary of the scope and purpose of the analysis project
2. A reiteration of the relationship of the project to the overall strategic information systems plan
3. A description of any overall problems in the specific subsystem being studied
4. A summary of the decisions being made and their specific information requirements
5. Specification of system performance requirements
6. An overall cost budget and timetable for the project to date
7. Recommendations for improving the existing system or for designing new systems
8. Recommendations relating to modifying objectives for the subsystem under study
FACT-GATHERING TECHNIQUES
Depth interviews are useful for familiarizing the analyst with individual decision makers and their problems.
Structured Interviews answer a specific set of questions.
Open-Ended Questionnaires are a fact-gathering technique where persons provide written answers to general rather than specific questions.
Closed-Ended Questionnaires are for gathering answers to a large number of questions.
Document Reviews
Observation
TECHNIQUES FOR ORGANIZING FACTS
Work Measurement Analysis analyzes a particular task and summarizes the required number of inputs to complete the task.
Work Distribution Analysis focuses on several tasks for a given individual.
Information Flow Analysis involves analyzing the flows of information both between and within subsystems. Techniques commonly used include decision flow diagrams, logical data flow diagrams, and analytical flow charts.
Warnier-Orr methodology is based on analyzing the outputs of an application and factoring the application into a hierarchical structure of modules to accomplish the necessary processing.
Functional Analysis includes techniques such as HIPO (hierarchy, plus input-process-output).
Matrix Analysis involves analyzing the sources and uses of information.
STRUCTURED SYSTEMS ANALYSIS AND DESIGN
Structured systems analysis is an approach to systems analysis that begins with a very general description of a particular system and then proceeds through a logically related set of steps, each increasing in detail, and ends with computer program code (and other details).
Logical Flow and Business Process Diagrams versus Flowcharts. Structured systems analysis incorporates physically-abstract diagrams (i.e., logical data flow or business process) as opposed to document or analytic flowcharts. The primary difference between the two approaches is that the flowchart gives a physical description of a system, whereas the logical data flow and business process diagrams give a logical description of a system.
Systems Design versus Systems Analysis. Structured systems analysis and structured systems design are very similar processes. Strictly speaking, design refers to the creation of a new or modified system, whereas analysis involves the critical evaluation of a particular problem or existing system. However, practically speaking, systems analysis and design are often indistinguishable.
The Steps in Structured Systems Analysis
Develop Logical Flow Diagrams. Start general and then explode the details.
Define Data Dictionaries. Describe the data structure and data elements.
Define Access Methods. Define primary and secondary access keys.
Define Process Logic. Structured English. This step will not be required with a programmable database system.
ITERATIVE SYSTEMS DEVELOPMENT
Rapid application development (RAD) involves a mixture of structured and iterative development. A key feature of RAD is the use of prototype designs, which form tentative designs relative to the finished system.
Rational Unified Process (RUP) development breaks down project life cycles into 4 phases.
1. Inception phase
2. Elaboration phase
3. Construction phase
4. Transition phase
Object-Oriented Design and Analysis focuses on the business problem domain. Specifically, it focuses on defining “objects,” the actions the objects perform, the data they use, and how they collaborate (i.e., communicate) with each other.
Diagrams in Process Orientation versus Object Orientation. The classical design approach--which relies on successive refinement of logical data flow (or business process) diagrams--is process oriented. Object-oriented design and analysis is object oriented and relies on UML diagrams.
STEPS IN SYSTEMS DESIGN
Systems design can be defined as the formulation of a blueprint for a completed system. Systems design can be either preliminary or detailed. In most cases, the design effort actually begins during the systems planning and analysis phases of the development cycle. The design effort should be viewed as a process of continuously increasing detail that begins during the analysis and planning phases and ends with the beginning of the implementation phase of the development cycle.
Evaluating Design Alternatives
Enumerate Design Alternatives
1. New system: design the system completely from scratch, or select and recommend a premade system.
2. An existing system that is not adequately functioning: modify the data collected and reports generated; alternatively, change job responsibilities--a more drastic approach.
Describe the Alternatives: document and describe each alternative, showing relative advantages and disadvantages.
Evaluate the Alternatives: use cost-benefit analysis, feasibility.
Preparing Design Specifications: work backward from outputs to inputs. Begin with the system objectives:
1. reports
2. database design
3. processing steps
4. inputs (including formats, media, volume of transactions)
Preparing and Submitting the Systems Design Specifications
The completed design specifications should take the form of a proposal. If the project is large, the proposal should be reviewed by top management before approval. The detailed design proposal should include everything necessary to actually implement the design project:
1. specific timetables for completion
2. a budget
3. a description of personnel requirements
4. flowcharts and other diagrams that describe the systems to be implemented
5. a summary of all proposed system outputs
6. specifics on any databases to be created or modified. In addition, details relating to storage requirements, file size, and updating frequency should be provided.
7. specifics on data processing (hardware requirements, processing times, processing logic, and so on)
8. specific details relating to the input of data (including the method of input, procedures for screening input data, and the content of data inputs)
9. specific volume and cost information
10. detailed analysis of control and security measures
Business Process Blueprinting: It is becoming increasingly popular to use prepackaged sets of blueprints for all a company’s business processes.
GENERAL DESIGN CONSIDERATIONS
Output Design
cost effectiveness
relevance, clarity, and timeliness
appropriate titles and captions within reports
Database Design
1. the company's databases should be integrated
2. data items entered in a standard format and assigned a common name when used in more than one place
3. flexibility: databases should be designed so that users can structure a wide variety of queries
4. security
Data Processing
uniformity and integration
Data Input
accuracy
use of well-defined source documents
check for and correct errors
Controls and Security Measures
appropriate controls should be established for each phase of the system's design process
DESIGN TECHNIQUES
Forms Design
Database Design: data structure diagrams, record layouts, file analysis sheets, and file-related matrices.
Systems Design Packages: many options exist.
Choosing Software and Hardware
1. Should be made at the end of the analysis phase.
2. Purchased software packages have several advantages: They are cheaper. They are already debugged. The company can try the product before buying.
3. The main disadvantage of purchased software packages is that they rarely exactly meet a company's needs.
Evaluating Purchased Software
When evaluating purchased software, it is helpful to use a decision table format to consider the following:
How close is the fit to what is needed? Will the programs or our procedures or both have to be modified?
How stable is the software vendor? Will it still be in business in a year or two when problems arise?
Does it give prompt support when problems arise? A toll-free, 24-hour telephone line is a good indicator.
Is there a trial period, where everything can be returned for full refund after a month or so?
How many other installations have used the software? For how long? Who are they? Some people get a list of users' names from the vendor but do not ask those users for evaluations because they know the evaluation will be good or the vendor would not have supplied them. Instead, ask them for second-level references - other organizations that they know are using the package but whom the vendor failed to mention. Here is where the skeletons can be uncovered.
How flexible is the software? Can it change along with the changing business environment? Are there any growth limits on file size, number of transactions, or embedded tables?
Is it user friendly? Does the software guide the operator through each program, with adequate explanations and error messages?
Is the documentation clear, complete, and easy to read?
Are source programs supplied? If not, the company will be forever dependent on the vendor for modifications at whatever price is named.
CONVENTIONAL WISDOM IN SYSTEMS DEVELOPMENT
In practice, there are various practical problems in developing systems:
1. The major phases of implementation may consist of the search for the guilty, punishment of the innocent, and promotion of nonparticipants.
2. Communication problems.
Solution to the Problems. Use a user-oriented approach to systems design. The objective is to maximize later user acceptance and to minimize changes submitted by users after the project has started.
REVIEW QUESTIONS
1.
a. systems planning: define and prioritize information needs.
b. systems analysis: investigate problems.
c. communications problem: analyst-management communication gap.
d. information needs analysis: defining what managers need.
e. depth interview: long, open-ended interview, may ask questions not predefined.
f. open-ended questionnaire: no predefined answer categories.
g. closed-ended questionnaire: predefined answers to select from.
h. structured interview: ask only predefined questions.
i. work measurement: measure time/resources to complete tasks.
j. work distribution: analyze work assignments.
k. hierarchical function diagram: tree-diagram style breakdown of functions.
l. input/output matrix: shows inputs and outputs to processes.
m. logical flow diagram: shows flow of information without reference to specific physical components.
2. No.
3. Top level managers and relevant subordinates.
4. To prioritize and approve systems projects.
5. To identify and propose solutions to systems problems.
6. Correctly identifying the problem, understanding management's information needs, identifying and prioritizing reasonable solutions.
7. They stimulate managers to say more and raise unknown issues.
8. They are good at getting answers to known questions.
9. They would be useful when a large number of similar individuals would be questioned.
10. Problems, plans, budgets, solution alternatives, and priorities.
11. Work measurement analysis focuses on how long it takes to complete a task, and work distribution analysis focuses on how employees are assigned to tasks.
12. It's consistent with a top-down approach.
13. Resource requirements are not shown. Not flow oriented.
14. Combines simple input-output analysis with top-down diagrams.
15. When the decision process is complicated.
16. Processes, data sources/destinations, and data repositories.
17. Multi-column sales reports, work-distribution tables, and work measurement tables.
18. One must design a solution for the correct problem, and start with the best general solution.
19. The main problems involve misunderstandings between analysts and users, and there can be a tendency for users to dislike change.
20.
a. design alternatives: alternative choices at the planning/analysis stage.
b. forms analysis sheet: shows distribution of form.
c. file-related matrices: shows inputs and outputs for file.
d. operational feasibility: plans that are capable of being implemented.
21. Evaluate design alternatives and prepare design specifications.
22. Human (psychology/user satisfaction) and technical problems (hardware and software).
23. Evaluating alternatives. Implementing the wrong alternative can be a disaster.
24. Cost out various alternatives.
25. They simplify recording and reporting tasks.
26. Design packages can assist but not replace a good designer.
27. Top management should be involved in all stages.
28. A good report should clearly lay out the design specifications. It should do so in a way that it can easily be implemented in computer software.
29. Sequential versus random access. Low security versus high security. Integrated versus not integrated.
30. Cost effectiveness, clarity, relevance, and timeliness.
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS
31. Systems Analysis - 10 minutes Easy
A. Problems:
  1) Human factors
    a) resistance to change
    b) fears about job security
B. Problem Avoidance:
  1) Good communication with employees
  2) Discussion sessions, emphasizing the benefit of the new system
  3) Whenever possible, reassure employees regarding job security
32. Observation - 10 minutes Easy
Systems don't always perform as documented.
33. Communication - 10 minutes Easy
This is the normal situation. Managers typically don't analyze their information needs and therefore often have difficulty describing them. The analyst can often solve this problem by asking the manager to describe the work performed. It is usually helpful to find out what decisions are made and how the manager is evaluated. It is also helpful to find out how the manager evaluates subordinates.
34. Steering Committee - 10 minutes Easy
The company accountant would probably be the first choice. It should be emphasized that computer training alone doesn't qualify a person to develop an accounting information system.
35. Function Diagram - 20 minutes Medium
Below is a hierarchical function schema for a purchase system. Similar diagrams would be applicable to production and inventory management systems.
A. Requisition and approval
  a) generate requisition
  b) obtain approval
    1) determine proper account code
  c) forward approved requisition to purchasing
  d) purchase order generation
    1) review requisition
      a) verify account code and check for adequate funds
    2) generate purchase order
    3) select appropriate vendor
    4) send completed order to vendor
B. Receiving
  a) accept goods if a purchase order is on file
  b) count and inspect goods
  c) transmit goods to inventory control (with documentation)
C. Inventory control
  a) mark goods, when appropriate, with inventory control numbers
  b) deliver goods to requisitioning department
D. Payment
  a) after receipt of voucher, issue check
E. Accounting
  a) generate voucher
    1) compare relevant documents
  b) journalize transactions
  c) post to appropriate accounts
    1) do batch control totals
36. Systems Analysis - 10 minutes Easy
The basic steps of development are:
A. planning and analysis
B. design
C. implementation, operation, evaluation, and control
D. follow-up review and audit
37. Systems Analysis - 10 minutes Easy
The primary goals of analysis are:
A. obtain an understanding of the system, including:
  1) information needs
  2) problems
B. develop a working relationship with management and those involved in the system.
196 10 Systems Planning, Analysis, And Design 38. Systems Analysis - 10 minutes Easy The systems analysis report can be a very critical document since it will probably have a major effect on: A. the prioritization of projects; B. the basic approaches taken in designing analyzed systems. 39. Systems Analysis - 20 minutes Easy . a. Raw materials shortages 1) Analyze the raw materials system including flowcharting, interviewing, etc. 2) It might also be necessary to analyze: a) purchasing b) the raw materials markets b. Production bottlenecks 1) analyze the production planning system 2) It might also be necessary to analyze the sales forecasting system, since sales forecasts can be an important input to the production planning system. c. Credit losses 1) conduct an analysis of the credit management system d. Low production and employee morale. This could be a result of many factors such as excessive overtime due to poor scheduling, insufficient incentives, etc. Therefore, it would be best to conduct preliminary interviews with key production employees to obtain a basic understanding of the problem. e. Obsolete inventory 1) analyze the inventory control system 40. Systems Techniques - 15 minutes Easy Useful fact gathering techniques in this case might be: A. Interview the accountant in charge of accounts receivable. B. Review all written policy on processing in this department. C. Review all relevant source documents. D. Observe transactions as they flow through the system. E. Administer an internal control questionnaire. F. Develop document flowcharts for the system. 41. Systems Techniques - 15 minutes Easy a. Production manager Interview, questionnaire, logical data flow diagram and input/output diagram b. Sales department information flow Interview, questionnaire, logical data flow diagram and input/output diagram c. Inventory management system Interview, questionnaire, logical data flow diagram and input/output diagram d. 
Purchase order system: interview, questionnaire, logical data flow diagram and input/output diagram

42. Structured Analysis - 15 minutes Easy
Structured systems analysis is an organized multi-phase approach to analyzing a system by successive refinement. The major steps are:
A. Develop a general overview logical data flow diagram for the system.
B. Develop supporting logical data flow diagrams providing additional detail.
C. Define the required data stores.
D. Define the required process logic.
E. Write structured programs.
43. Approaches to Systems Development - 15 minutes Easy
The waterfall approach is the highly structured, big-design-up-front, top-down systems development approach that proceeds in rigid sequence as follows: planning, analysis, design, implementation, operation, evaluation, and control. Iterative approaches follow the same sequence as the waterfall approach, but the sequence is not rigid. In other words, it is possible to change the design while in the implementation stage. Iterative approaches tend to first develop prototype designs, which permit one to return to the planning and analysis stage if the prototype appears unsatisfactory. The most popular iterative approach is probably IBM's Rational Unified Process.

44. Systems Techniques - 10 minutes Easy
Auditors tend to prefer flow diagrams because standard audit procedures involve tracing transactions as they flow through the accounting system. Vouching is the practice of tracing transactions in reverse, beginning with a transaction posted to an account that appears on the financial statements and tracing it backwards to one or more source documents.

45. Systems Analysis - 15 minutes Easy
a. Probably the best place to begin is by having long talks with Barbara Novel and other company executives. After obtaining their opinions, it would then be advisable to interview the major managers involved. These would include the managers for production, sales, and purchasing. It is surprising, in practice, to find out that these managers never sit down and talk over their problems together. However, this author has seen this happen not infrequently when working with businesses. Once some kind of consensus is reached on the nature of the problems, it is then possible to consider an information systems solution. It should be emphasized that there isn't always an information systems solution. In some cases, solutions are more management related.
You can easily generate a lot of debate among students as to whether or not this is an information systems or management problem. There is no final answer. For example, consider a manager who is not skilled in complicated job scheduling techniques. A management solution might be to get a "better" manager. On the other hand, an information systems solution might provide this manager with a computerized system that automatically does the optimal job scheduling. The manager might then focus attention on work stoppages or other specialized problems. b.
Students might be tempted to say that you should immediately start flowcharting, set up input/output diagrams, etc. It would be unwise to apply specific techniques, except interviewing, until a basic understanding of the problems is attained.
46. Systems Analysis - 15 minutes Easy
This is a typical case where managers believe that the solution to all of their problems exists in buying new computers. This is very common in practice. In the present case there are obvious problems with the credit system, and it is very unlikely that computers will help. Note that Joe Starr conducted an analysis of the accounts receivable and found many overdue accounts. This implies that there is no aging report. The solution is to review credit policy and generate an aging report. If a company can't manage a simple thing like this, it probably has no business going to a potentially more complicated computer system. There is a possible exception to this line of thinking. A turnkey system might be installed that automatically generates the aging report. Therefore setting up a pre-packaged system might help. The problem with this is that a company that doesn't age its accounts receivable probably isn't capable of selecting, installing, and maintaining a sophisticated computer system.

47. Communication - 15 minutes Easy
There is no guarantee that the systems person will be met with open arms. Top management might be very enthusiastic about a project, while the opposite is true for lower level management. It is important that top management lay some groundwork before the analyst begins work. Specifically, top management needs to enlist the active support of all critical managers to be involved in the project. It is important for the consultant to recognize this situation when it occurs. Given this, it might be possible to try various approaches to enlist the help of the production foremen; however, it might be necessary to discuss the problem with top management.

48. Work Distribution Chart - 30 minutes Easy
a. Work distribution chart (hours per week). Employees: M. J. Wild, Freedmire, D. Stans, M. Lee, D. Chase. Activities: Typing Invoices, Check Paperwork, Prepare Statements, Filing Documents, Prepare Invoices, Checking Invoices, Aging Report, Account Posting, Prepare Vouchers, Other Activities. Column totals: Wild 15 hours, Freedmire 11 hours; the remaining three columns total 9, 10 and 7 hours, for 52 hours in all. (The chart's individual cell values are not recoverable from this copy.)
b.
The tasks are not evenly distributed. Some of Wild's work could be given to Chase and Lee. It would be preferred to separate three functions: a. report preparation b. document preparation (e.g., vouchers) c. document checking and verification
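The aging report that question 46 says the company lacks is a small computation once each open invoice carries a due date: bucket every invoice by days past due as of a reporting date, total the buckets per customer, and compare the balance with the credit limit. The block below is an added example and is not from the manual or the textbook; the customers, credit limits and invoices are constructed sample data, and `age_receivables` and `aging_bucket` are hypothetical function names.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample customer master (hypothetical accounts and credit limits).
CUSTOMERS = {
    "C100": {"name": "Acme Supply", "credit_limit": Decimal("5000.00")},
    "C200": {"name": "Beta Stores", "credit_limit": Decimal("3000.00")},
}

# Constructed open-invoice file: (customer account number, invoice number,
# open amount, due date). Hypothetical data.
OPEN_INVOICES = [
    ("C100", "INV-1", Decimal("1200.00"), date(2024, 3, 1)),
    ("C100", "INV-2", Decimal("800.00"), date(2024, 4, 20)),
    ("C100", "INV-3", Decimal("3500.00"), date(2023, 12, 31)),
    ("C200", "INV-4", Decimal("1500.00"), date(2024, 4, 1)),
    ("C200", "INV-5", Decimal("900.00"), date(2024, 2, 10)),
]

BUCKETS = ("current", "1-30", "31-60", "61-90", "over_90")


def aging_bucket(days_past_due):
    """Map days past due to the standard aging bucket; not-yet-due is 'current'."""
    if days_past_due <= 0:
        return "current"
    if days_past_due <= 30:
        return "1-30"
    if days_past_due <= 60:
        return "31-60"
    if days_past_due <= 90:
        return "61-90"
    return "over_90"


def age_receivables(invoices, customers, as_of):
    """Return, per customer, bucket totals, total balance and an over-limit flag."""
    report = {}
    for acct, cust in customers.items():
        report[acct] = {
            "name": cust["name"],
            "credit_limit": cust["credit_limit"],
            "buckets": defaultdict(Decimal),
            "balance": Decimal("0.00"),
            "over_limit": False,
        }
    for acct, inv_no, amount, due in invoices:
        if acct not in report:
            # An invoice with no customer master record is a control failure,
            # not something to silently drop from the report.
            raise KeyError(f"invoice {inv_no} refers to unknown account {acct}")
        bucket = aging_bucket((as_of - due).days)
        report[acct]["buckets"][bucket] += amount
        report[acct]["balance"] += amount
    for row in report.values():
        # Every bucket is present in the output even when empty.
        row["buckets"] = {b: row["buckets"].get(b, Decimal("0.00")) for b in BUCKETS}
        row["over_limit"] = row["balance"] > row["credit_limit"]
    return report


if __name__ == "__main__":
    for acct, row in age_receivables(OPEN_INVOICES, CUSTOMERS, date(2024, 4, 15)).items():
        flag = " OVER LIMIT" if row["over_limit"] else ""
        print(acct, row["name"], dict(row["buckets"]), row["balance"], flag)
```

Run as of 2024-04-15, the constructed data puts Acme's INV-3 in the over-90 bucket and its 5,500.00 balance over the 5,000.00 limit, which is the kind of exception a credit manager would act on; Beta stays within its limit.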
49. Systems Analysis - 15 minutes Easy
Jack shouldn't have been caught by surprise regarding employee resistance. To prevent this problem, he could have conducted various formal and informal meetings and/or seminars relating to the development project. The systems developer has the responsibility of dealing with employee anxiety, as much as possible, before it occurs. When possible, employees should be told that their jobs are safe, that they won't be replaced by a computer, and that they will have a voice in the development of any new system. The analyst needs to make the employees feel that the system is there to support the employees and not the other way around.

50. Database Design - 15 minutes Easy
Important fields for an accounts receivable database:
a. customer name
b. customer account number
c. previous month's account balance
d. current month's balance
e. credit limit
f. customer address and telephone number

51. Cost/Benefit Analysis - 15 minutes Easy
Examples of design proposals for which it would be difficult to quantify benefits (it should be emphasized to students that it is important to state all benefits in a systems proposal, including those that aren't quantifiable):
a. Proposal to permit credit managers to do on-line account balance inquiries
b. Proposal to implement an evaluation system for the legal staff
c. Proposal to go to a monthly (versus quarterly) system

52. Database Design - 15 minutes Easy
This is a good question to help students understand the concept of integrated database design. One common field between inventory, sales order and accounts receivable might be the inventory part number and description. In a sophisticated system it is possible to have the salesperson check to see if an item is in inventory. This same information can be used to immediately update the inventory record and then bill the customer.

53. User Acceptance - 10 minutes Easy
The best approach is to make the users of the system feel that the system is being developed in light of their needs and opinions. A user isn't likely to reject a system that he or she helped design. The worst thing to do is to develop a system in isolation and then attempt to suddenly impose it on the users.

54. Report Design - 20 minutes Easy
This question helps students understand that a lot of what they learned in cost/managerial accounting is applicable to accounting information systems development. The usual set of statements for a standard cost system can be generated: Labor cost variance report. This analysis can be broken down by pattern: 1) labor efficiency analysis; 2) labor price variance analysis. Materials cost variance analysis.
The materials costs can be broken down for each individual fabric and pattern: 1) usage analysis; 2) price variance analysis. Order completion summary. This report would summarize the flow of jobs through the system and highlight jobs that might be delayed beyond the normal time of completion.

55. Communication - 10 minutes Easy
The initial project should be approved by an information system steering committee. The design team should be in constant contact with this committee throughout the life of the project. It is also important that constant lines of communication be kept open between all sales managers and the design team.
56. Systems Design - 10 minutes Easy The basic approach should be the same for all companies, regardless of size. Of course, operationalization will vary, but all information systems tend to have the same elements. For example, accounts receivable is conceptually similar for both small and large companies. Also, the basic steps of planning, analysis, design, etc., should always be followed. Some students will argue that smaller systems require a different approach. If this occurs, ask them which phase of the development effort can be reasonably omitted for the small company. 57. Systems Design - 10 minutes Easy One problem relating to automobiles is the tremendous number of parts required to manufacture an automobile. In this situation, effective cost control can be a highly complex process. 58. Systems Design - 15 minutes Easy The offered computer system might be just what the company needs. However, unless an analysis and design is done, the company will never know for sure if the proposed computer system fully meets the needs of the company. Buying computers and software can be a dangerous affair. The computer vendors are typically trying to sell their products. One vendor may not refer you to a competitor if that person's product isn't the most suited for you. Therefore, computer vendors cannot be treated like independent consultants that render unbiased assessments relating to the company's needs. In summary, it is imperative that the company's needs be carefully defined. Once this is done it is possible to make comparisons among computer vendors, when applicable. Too many companies do it the other way. A need is perceived, but not carefully defined. The company calls a computer salesperson. The salesperson says that you need a so-and-so computer and a pile of software. The company will then purchase the package. It often happens that systems purchased under these conditions are never implemented. 
The company management finds itself too "busy" to get things going. 59. Systems Design - 15 minutes Easy Unfortunately, this is a common problem. When it comes to hardware and software, people develop intense loyalties. The main principle is that an individual will want the hardware or software which that individual is already familiar with. This is understandable, since if someone has found something that serves them well in the confusing arena of modern technology, they want to stick with it. This question illustrates that managers and even database designers may be resistant to change. It is important to take an objective look at all reasonable alternatives. The best way to combat this problem is to insist on defining the company's needs and set specifications for system performance. Only after this has been done is it possible to select or design the best system. 60. Systems Design - 15 minutes Easy One approach might be to have all of the sales information from the cash registers transferred to machine readable format. This information could then be input daily to a central computer which could then batch process the input data and: 1) summarize the day's sales on an item-by-item and department-by-department basis; 2) generate reorders for all needed items.
A second approach might be to have department supervisors prepare a daily reorder request. This could be done by visual inspection of the levels of the various products on the shelves.

61. Systems Design - 15 minutes Easy
One system might integrate ordering, billing, and typesetting. An order could be taken and immediately entered into the computer. The system would then automatically bill the customer. A computerized typesetting program could access the customer's order file for automatic insertion into the next newspaper. Variations of this system are used by many newspaper companies. A simple solution in a manual system is to do the batch processing daily instead of every three days. To generate some interesting discussion, you might ask students which approach is better. Many will argue for alternative A, simply because it is high technology. It should be emphasized that the choice of the best alternative can only come through a thorough analysis of the company's situation. An integrated computerized system can be expensive to operate and maintain. It might be possible to restore the company's competitive edge with no additional expenditure at all. Buying a computer might make things work more smoothly, but it might end up lowering the company's profits by increasing overhead without offsetting financial benefits.

62. Systems Design - 30 minutes Medium
This case is similar to the grocery store inventory problem (#22). The big difference is that geographical distance is involved. One fairly sophisticated high technology solution is to use point of sale cash register/terminals at all of the individual food stores. These devices can easily store a day's sales and then automatically dial up headquarters and generate reorders. This technology is presently used by many types of businesses.
A slightly different approach is to set things up so that headquarters can dial up individual stores at any time and query for sales statistics. This would allow headquarters to generate hour-by-hour analyses of sales.

63. Systems Design - 30 minutes Medium
One solution is to have salespersons code all sales transactions onto forms that can be optically scanned. These forms can then be submitted for fast batch processing. Another approach would be to have salespersons enter all transactions into portable microcomputers. The data could then be uploaded (or mailed via some type of transportable machine readable medium) to headquarters. The central computer could then process and analyze the sales data. Still another approach might retain the manual system, but process customer accounts on a cycle basis. This would involve dividing up the month and assigning all customer accounts to specific sub-periods. This would spread the work throughout the month.

64. Systems Design - 15 minutes Easy
Please see the answer to question 50.

65. Systems Design - 15 minutes Easy
This is another problem involving communication. It is an inescapable fact that communications technology is reshaping the way AIS are designed in practice today.
A simple solution is to have a central computer that supports several dial-in ports. It should be emphasized that this does not require a large mainframe computer and can be implemented with one or more microcomputers. One approach might be to have one microcomputer running a multitasking operating environment capable of supporting several concurrent communication sessions via several communications ports. A database program allowing concurrent access would also be required. Another solution might be a local area network, where each office is a node in the network. The possible configurations for such a network are almost endless. Inter-node communication might be accomplished by radio, digital telephone line, coaxial cable, or other means. 66. Systems Design - 20 minutes Medium This company's problems are varied. There are problems in cost accounting, production planning, ordering, storage, and delivery. What this company sorely needs is an overall integrated systems approach to solving its problems. This case vividly shows that subsystems often cannot be dealt with in isolation. The solution to accounting for waste is straightforward. Implement a standard cost accounting system and generate daily variance reports. This part of the question reinforces the importance of students' cost accounting course work. The typical cost/management accounting textbook emphasizes techniques, but not system selection. If the company is to avoid the need to store the finished product, it will need to develop and implement a fairly sophisticated system that integrates ordering, production, and delivery. All orders would have to be queued for production until it could be assured that a truck would be waiting upon completion. This queuing module would require access to the delivery schedule database to estimate the times when trucks would be available. The delivery database would have to contain the time that each truck left, its destination, and expected return time. 
This database would have to be available for updating continuously. All of this could be done in a manual system, but a computer would be very appropriate. Finally, at least one backup truck would have to be available in case of a possible mechanical failure of one of the regular delivery trucks. 67. Systems Design - 15 minutes Medium This is a real problem experienced by law firms in practice. This case emphasizes the problem of data collection. One system that is used by some law firms integrates the telephone and copying machines directly into a centralized computerized accounting system. When attorneys engage themselves in telephone calls, they enter a client code into the telephone. The centralized system charges the time to the client's account. 68. Communication - 15 minutes Easy This case emphasizes the inescapable human element that permeates the entire development process. The missed meetings could be symptomatic of a wide range of problems. The managers are not supportive of the project. There could be many reasons for this, including: 1) The managers feel that top management is imposing an ill-advised project on them. 2) Some of the managers might feel that the project is a threat to their job security. Maybe the managers are simply too busy. A bad time of the year was selected, when managers are involved in their busy season (e.g., Christmas season for a toy manufacturer).
The managers might feel that devoting a substantial amount of time to the project would adversely affect their own job performance.

WEB RESEARCH ASSIGNMENTS
69.
70.
Development can be done very rapidly with Quickbase. One has to create the needed tables, define the data fields, formulas, and relations. Quickbase will automatically format the screens used to input and output data. Alternatively, a SaaS application would be immediately available for use with no development work required.
71.
There are plenty of options for SaaS accounting. Most standard accounting systems can be licensed in SaaS mode, if not from the original software vendor then from a third party.
72.
Extreme programming is a form of "agile programming" that recognizes that design changes (and hence changes to programs under development) are normal and desirable. In other words, programs are not designed in a rigid fashion, so end users can change their minds regarding functionality as the program is being developed. Cowboy programming exists when the programmer has complete control over the program development. Cowboy programmers develop programs the way they see fit and actually make significant design decisions on their own.
73. Crossword – see next page
Across 3. FEASIBILITY — design criterion that it must be possible to actually implement the design specifications. 6. STEERING COMMITTEE — represents top management and all major functional areas within the organization. 7. STRUCTURED ENGLISH — describes process logic that uses several key words, including IF, THEN, ELSE IF, and SO. 11. STRUCTURED SYSTEMS ANALYSIS — begins with an overview and proceeds through a logically related set of steps, each increasing in detail. 13. PSEUDOCODE — structured-English type of system documentation that includes provisions for error conditions and data file access. 15. METHODS — things that objects do. 18. ATTRIBUTES — data items belonging to objects.
20. AGILE APPROACH — iterative development practice. 21. COBOL — programming language used mostly for business. 27. WS-BPEL — an executable computer language that facilitates interactions between business processes and web services. 29. FORTRAN — a procedure-oriented computer programming language used mostly for scientific purposes. 31. BPEL — same as WS-BPEL. 32. OBJECT — possesses methods (things that objects do) and attributes (items of data). 33. CANNED SOFTWARE PACKAGES — vendor software. 35. SOFTWARE AS A SERVICE (SAAS) — software delivered over the Internet. 36. RAPID APPLICATION DEVELOPMENT — an approach to systems software development that combines iterative and structured approaches. 37. WATERFALL APPROACH — a synonym for the big-design-up-front approach to systems development. 38. UPWARDLY COMPATIBLE — computer hardware that is easily upgradable to a larger or faster model without losing existing data or programs.
Down 1. COST-EFFECTIVENESS — the benefits of a design should exceed its costs. 2. SYSTEMS DEVELOPMENT LIFE CYCLE — life cycle of systems analysis, systems design, and implementation. 4. ITERATIVE APPROACH — the initial plans and designs are subject to revision as the project develops. 5. STRATEGIC SYSTEMS PLAN — incorporates both short- and long-run goals. 8. INFORMATION NEEDS ANALYSIS — analysis of specific decisions made by managers in terms of the information inputs. 9. SYSTEMS ANALYSIS — the process of understanding existing systems and problems. 10. WARNIER-ORR METHODOLOGY — factoring the application into a hierarchical structure of modules to accomplish the necessary processing. 12. INTEGRATION — design criterion of avoiding the collection and maintenance of the same data items in more than one place. 14. DECISION FLOW DIAGRAM — graphic technique that emphasizes the chain of decisions. 16. DEDICATED SOFTWARE PACKAGE — a software package that is intended for a narrow audience. 17. BIG-DESIGN-UP-FRONT — initial plans and designs are not subject to much change. 19. KEY SUCCESS FACTORS — characteristics that distinguish a company from its competitors and are the keys to its success. 22. SYSTEMS PLANNING — identifying subsystems within the information system that need special attention for development. 23. DETAILED DESIGN PROPOSAL — everything necessary to actually implement a design project. 24. RATIONAL UNIFIED PROCESS — development process that focuses on achieving milestones at the end of each phase. 25. TURNKEY SYSTEMS — computer packages that meet the specific needs of an individual situation with minimal design work. 26. BOTTLENECKS — points where small changes can result in major improvements in performance. 28. STANDARDIZATION — a design criterion. 30. RUBY — an object-oriented programming language. 34. FORMS DESIGN — the process of designing specific forms.
Chapter 11 SYSTEMS PROJECT MANAGEMENT, IMPLEMENTATION, OPERATION, CONTROL TEACHING TIPS The best way to supplement this chapter is to bring in outside guests who work in systems groups. Almost all educational organizations (e.g., colleges, universities, and community colleges) have their own systems groups, who can be invited into the classroom. Students can also visit the systems groups to observe actual operations. OVERVIEW There are three major steps in systems implementation: (1) establish plans and controls, (2) execute activities as planned, and (3) follow up and evaluate the new system. Finally, the implemented system must be reviewed and controlled. SYSTEMS IMPLEMENTATION Establishing Plans and Controls for Implementation. These plans should incorporate three major components: 1. A breakdown of the project into various phases. 2. Specific budgets applicable to each phase. 3. Specific timetables applicable to each project phase. There are several different scheduling techniques that might be used to control implementation: A Gantt chart, which graphically depicts the major activities of a hypothetical systems implementation project. This chart shows both the actual and planned times for a given activity. A network diagram, which depicts the order in which the activities must be performed. The critical path is a list of activities that are critical to the project in the sense that if any one of them is delayed, the entire project will be delayed. Executing Implementation Activities: training personnel, installing new computer equipment, detailed systems design, writing and testing computer programs, system testing, standards development, documentation, and file conversion. Good documentation can serve a wide range of useful purposes, including 1. training new employees, 2. providing programmers and analysts with useful information for future program evaluation and modification activities, 3. 
providing auditors with useful information for evaluating internal controls, and 4. assisting in assuring that systems design specifications are met. Test Operations: Three basic approaches to the final testing of the system: The direct approach involves switching to the new system and abandoning the old system at a fixed point in time called the cutover point. The direct approach, while relatively inexpensive, has the distinct disadvantage of allowing for the possibility of major system problems impairing the actual operation of the company. The parallel operation approach involves running the new and old systems simultaneously. All transactions are processed by both systems. Parallel operation has the advantage of being extremely safe;
however, it is very expensive and may not be cost effective in all applications. Modular conversion involves phasing in a new system in segments. A major drawback of modular conversion is that it can involve a greatly extended check-out period. But it is relatively safe. Evaluating the New System: Follow-up is necessary to ensure that the new system operates as planned. There are many approaches that can assist in follow-up and evaluation, including observation, questionnaires, performance measures, and benchmarks. PLANNING AND ORGANIZING A SYSTEMS PROJECT Project Selection. Project selection is usually the responsibility of a steering committee. The Project Team. The project team consists of the project leader, analysts, and programmers from the information systems department, and one or more user participants from the organizational unit(s) for which the project is being undertaken. Project Leader Responsibilities. The project leader has direct responsibility to the steering committee for project progress and completion. The major problem faced by any project team is the uncertainty associated with an application systems project. Project Breakdown into Tasks and Phases. The objective of project breakdown is to facilitate assignment and control of labor and other project resources. Project Accounting. A project accounting system is a cost accounting system in which costs are assigned to individual projects as the projects proceed through their development. The Project Development Environment. The project development environment refers to the tools and technologies used to implement a given project. Project collaboration platform. Project collaboration platforms serve to optimize management of the communication chain. Software application framework. A software application framework provides a structured environment in which to develop software. Integrated development environment. 
The Integrated Development Environment (IDE) is a software platform for actually writing program code. Software versioning system. The software versioning system keeps current and historical versions of the software source code. Application solution stack. An application solution stack is a group of software components needed to deliver a workable application. CONTROL OVER NONFINANCIAL INFORMATION SYSTEMS RESOURCES Nonfinancial measures include performance measures for hardware, software, and personnel, among other things. Measuring hardware performance involves system utilization, system downtime, and system responsiveness. Utilization statistics are very important, since they can indicate bottlenecks or needs for systems expansion. A sound overall approach to evaluating software performance is to survey systems users, asking a large number of questions relating to ease of use, functionality, and user friendliness. Personnel performance reports are helpful. Auditing the Information System. The audit's focus should be on the information system itself and on
the validity and accuracy of data as processed by the system. In systems with a high degree of internal control, the auditor can rely on a statistical sampling of transactions. Maintaining and Modifying the System. In all operational systems, it becomes necessary to make changes. All modifications to the system's software and data schema should be formally reviewed and approved. REVIEW QUESTIONS
1.
a. PERT chart: chart for planning the flow of activities.
b. Gantt chart: scheduling technique for graphically showing actual and planned activity times.
c. critical path: the longest sequence of dependent activities through the network diagram; it determines the shortest time in which the whole project can be completed, so any delay in any of the activities on this path delays the entire project.
d. parallel operation: operating the new and old systems at the same time.
e. modular conversion: phased conversion of an old system into a new one.
f. test data: made-up transactions put through a system to test its performance.
2.
Establish plans and controls, execute activities, follow up and evaluate new system.
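The critical path defined in question 1(c) is found by a forward pass over the network diagram (earliest start and finish of each activity) followed by a backward pass (latest start and finish); activities with zero slack form the critical path, and the project duration is the largest earliest finish. The block below is an added example, not from the manual or the textbook. The activities are the implementation activities the chapter overview lists (training, equipment installation, detailed design, programming, testing, file conversion, system test), but their durations and dependencies are constructed, and `critical_path` and `topological_order` are hypothetical function names.

```python
from collections import deque

# Constructed sample network (hypothetical durations in weeks and predecessors).
# activity id -> (description, duration, list of predecessor ids)
ACTIVITIES = {
    "A": ("Train personnel", 3, []),
    "B": ("Install equipment", 2, []),
    "C": ("Detailed design", 4, []),
    "D": ("Write programs", 6, ["C"]),
    "E": ("Test programs", 3, ["D"]),
    "F": ("File conversion", 2, ["B"]),
    "G": ("System test", 2, ["A", "E", "F"]),
}


def topological_order(activities):
    """Kahn's algorithm: order activities so every predecessor comes first.
    Also returns the successor map needed by the backward pass."""
    indegree = {a: len(spec[2]) for a, spec in activities.items()}
    successors = {a: [] for a in activities}
    for a, (_, _, preds) in activities.items():
        for p in preds:
            if p not in activities:
                raise KeyError(f"{a} depends on unknown activity {p}")
            successors[p].append(a)
    ready = deque(a for a, d in indegree.items() if d == 0)
    order = []
    while ready:
        a = ready.popleft()
        order.append(a)
        for s in successors[a]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(activities):
        # A cycle means the plan is inconsistent; no schedule exists.
        raise ValueError("cycle in activity network")
    return order, successors


def critical_path(activities):
    """Return (project duration, critical activities in order, per-activity schedule)."""
    order, successors = topological_order(activities)
    es, ef = {}, {}
    for a in order:                                   # forward pass
        duration, preds = activities[a][1], activities[a][2]
        es[a] = max((ef[p] for p in preds), default=0)
        ef[a] = es[a] + duration
    project_duration = max(ef.values())
    ls, lf = {}, {}
    for a in reversed(order):                         # backward pass
        duration = activities[a][1]
        lf[a] = min((ls[s] for s in successors[a]), default=project_duration)
        ls[a] = lf[a] - duration
    schedule = {
        a: {"es": es[a], "ef": ef[a], "ls": ls[a], "lf": lf[a], "slack": ls[a] - es[a]}
        for a in order
    }
    path = [a for a in order if schedule[a]["slack"] == 0]
    return project_duration, path, schedule


if __name__ == "__main__":
    duration, path, schedule = critical_path(ACTIVITIES)
    print(f"project duration: {duration} weeks; critical path: {' -> '.join(path)}")
    for a, s in schedule.items():
        print(a, ACTIVITIES[a][0], s)
```

With the constructed data the design, programming, testing and system-test chain (C, D, E, G) has no slack and fixes the 15-week duration; training and file conversion can each slip by more than a week without moving the completion date, which is exactly the information a Gantt chart alone does not give the project leader.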
3. Data input, processing, user support. Systems implementation plan: many elements are required, including employee training, documenting the system, and file conversion. 4.
That approach allows for needed hands-on work.
5.
Modular conversion is typically more practical, but less safe. Parallel operation is very safe but expensive.
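Parallel operation is only as safe as the reconciliation done between the two systems' output: every transaction the old system processed must appear in the new system with the same posting, and account balances must agree, before the cutover point. The block below is an added example of that reconciliation and is not from the manual or the textbook; the two posting files are constructed sample data, and `reconcile` is a hypothetical function name.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: one day's postings produced by the old and new systems
# for the same input transactions, as (transaction id, account, amount).
OLD_SYSTEM = [
    ("T1", "1200-AR", Decimal("100.00")),
    ("T2", "1200-AR", Decimal("-40.00")),
    ("T3", "4000-SALES", Decimal("250.00")),
    ("T4", "4000-SALES", Decimal("10.00")),
]
NEW_SYSTEM = [
    ("T1", "1200-AR", Decimal("100.00")),
    ("T2", "1200-AR", Decimal("-40.00")),
    ("T3", "4000-SALES", Decimal("205.00")),  # digit transposition in the new system
    ("T4", "4000-SALES", Decimal("10.00")),
    ("T5", "4000-SALES", Decimal("5.00")),    # posted by the new system only
]


def _index(postings):
    """Index postings by transaction id; a duplicate id is itself a defect."""
    by_id = {}
    for txn_id, account, amount in postings:
        if txn_id in by_id:
            raise ValueError(f"duplicate transaction id {txn_id}")
        by_id[txn_id] = (account, amount)
    return by_id


def _balances(postings):
    totals = defaultdict(Decimal)
    for _, account, amount in postings:
        totals[account] += amount
    return dict(totals)


def reconcile(old, new):
    """Compare the two runs transaction by transaction and account by account.
    cutover_ready is True only when nothing differs."""
    old_idx, new_idx = _index(old), _index(new)
    missing = sorted(set(old_idx) - set(new_idx))
    extra = sorted(set(new_idx) - set(old_idx))
    mismatched = [
        (t, old_idx[t], new_idx[t])
        for t in sorted(set(old_idx) & set(new_idx))
        if old_idx[t] != new_idx[t]
    ]
    old_bal, new_bal = _balances(old), _balances(new)
    balance_diffs = {}
    for account in sorted(set(old_bal) | set(new_bal)):
        delta = new_bal.get(account, Decimal(0)) - old_bal.get(account, Decimal(0))
        if delta != 0:
            balance_diffs[account] = delta
    return {
        "missing_in_new": missing,
        "extra_in_new": extra,
        "mismatched": mismatched,
        "balance_diffs": balance_diffs,
        "cutover_ready": not (missing or extra or mismatched or balance_diffs),
    }


if __name__ == "__main__":
    for key, value in reconcile(OLD_SYSTEM, NEW_SYSTEM).items():
        print(f"{key}: {value}")
```

The transaction-level comparison catches the transposed amount on T3 and the extra posting T5; the account-level comparison shows the net effect (sales understated by 40.00). Both views are needed: an extra posting and a mismatch could cancel at the balance level, and the balance view alone would then report agreement.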
6. It conveys directives to management, clarifies the intended systems design, and provides for continuity as employees change. 7. The project leader must maintain contact with the principal user department manager and must also be in contact with technical specialists as required to successfully complete the project. 8.
The objective is to facilitate assignment and control of labor and other project resources.
9.
Adjustments might be made to reflect the complexity of tasks, experience, and competency.
10. Low-balling is purposely or inadvertently submitting unreasonably low time or cost estimates to obtain a contract. Time estimates are often overly optimistic, as they are made by the personnel who will subsequently perform the tasks, and they also fail to realistically consider idle or nonproductive time due to sickness, vacations, coffee breaks, washroom breaks, and other such factors. 11. A project accounting system operates much like a conventional cost accounting system: materials, labor, and overhead charges are accumulated by project and periodically compared to budgeted costs, and reports are prepared. 12. Project costs are often not charged to users. Nonetheless, a project accounting system is necessary to measure and report actual performance against responsibility.
Systems Project Management, Implementation, Operation, Control 11
209
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS
13. Productivity of Programmers - 15 minutes Easy
Programmer productivity is influenced by:
Programmer attributes: general experience and specific experience with projects of the same type; general problem-solving ability.
Project characteristics: complexity of project output requirements; project supervision and team members.
Environmental factors: programming style and language; documentation required; amount of secretarial assistance; method of coding - on-line or off-line; whether there are automatic aids in the programming process (software for documenting program code, software editors); size and nature of computer system (speed of processing, memory size).
Measurement and evaluation of programmer productivity is difficult owing to the variety of factors that influence productivity. Lines of code is frequently used as a measure, but this has limitations. For more discussion of this point, see the solution to problem 19. Aids to productivity that are discussed in the text include preprocessors; on-line programming via data terminals; and automated documentation systems. Structured programming techniques, database management systems, and high-level languages also tend to aid programmer productivity.
14. Task Time Estimation - 15 minutes Medium
Adjustment factors applied: low-competence junior; quite simple; average knowledge.
100 hours x (.5) x (2.8 + .2) = 150 man-hours
Whether this type of estimation is worthwhile can be determined only by experience. The theory is that more detail provides more accuracy and therefore better control. Standards which are developed in-house and are used consistently over time will likely prove to be of some value.
15. Task Time Estimation - 10 minutes Easy
It is not likely. Experience has shown that "diminishing returns" exist in the addition of manpower to systems projects. This occurs because of the need for communication between workers. The effect of new staff is initially negative, as existing staff have to take time to orient the new staff. The project may actually be completed later if the orientation and assignment of the new staff is more time-consuming than it is worth. Adequate planning is necessary before adding manpower to a project, as coordination and control are the keys to success.
16. Project Accounting System - 10 minutes Easy
A project accounting system would likely apply overhead to projects on the basis of actual hours or some type of standard earned hours. Standard hours would be determined by supervision or the project accountant. Other measures are possible: computer time used, salaries of the project team (direct labor cost), number of project members - but some measure of hours is the most common and perhaps the most sensible basis. Assigning overhead to projects enhances management control to the extent that it creates an awareness of overhead costs and a "cost-consciousness" among project staff. The costs themselves are largely fixed and thus not alterable in the short run; however, if overhead is not assigned, budgets and other such financial controls will probably be less effective in motivating employees to be cost-effective on project tasks.
17. User Acceptance - 20 minutes Easy CMA Examination, Unofficial Answer
a. (a) Delaying action on certain reports during periods of peak activity could be dysfunctional. If the reports contain information that requires immediate attention, any delay in action would have to be dysfunctional. If the reports continue to accumulate with no action taking place (i.e., the department heads do not catch up during the lulls), this definitely is dysfunctional behavior.
(b) Having too many reports so that no action or the wrong action is taken is a dysfunctional response and a good example of information overload. The department heads were unable to assimilate the supplied information properly, and therefore they either did not use it or used it incorrectly.
(c) Delaying action until reminded by someone can be dysfunctional. If delays continually take place and result in complications and/or delays in other departments, this lack of action is dysfunctional.
(d) The department head's actions can be considered both functional and dysfunctional. The development of information from alternative sources is dysfunctional to the firm because the formal system is not producing the information in a usable form and the process of developing information from other sources probably has a cost. However, the fact that the department head was able to generate the needed information from other sources in order that action could be taken is a functional response to the problem.
b. The dysfunctional behavior that occurred in Wright Company was a direct result of management's failure to recognize that information systems are dynamic. Once a system is designed and implemented, it should be continually reviewed to acknowledge and incorporate any changes. A system study committee composed of both system staff and users should be established to review the present system and to educate users as to information needs and the use of information. During the system's review, the committee's attention should be directed toward the information that is needed by department heads, the form of the information, and the timing of the information. Unnecessary reports should be eliminated, and individual reports should be redesigned so that only relevant information is included. Once the reporting system is revised, the system should be periodically reviewed to see that it is functioning smoothly and to make any necessary corrections.
18. Documentation - 30 minutes Medium CIA Examination, Unofficial Answer
a. Advantages of adequate documentation for a data processing function are:
(1) Adequate documentation provides management, users, system analysts, programmers, internal auditors, external auditors, and data processing operations personnel with a clear picture of the EDP function, objectives, concepts, and outputs.
(2) It helps ensure correct and efficient processing within both data processing and user areas.
(3) It increases the ease of and promotes the accuracy of computer program maintenance.
(4) It helps in determining that policies are adhered to.
(5) It provides a basis for review of internal controls.
(6) Adequate documentation can reduce time and cost of subsequent program modification.
b. Match the elements of documentation with categories of documentation.
A. Systems documentation: 1. Flowcharts showing the flow of documentation. 14. A complete history of planning through installation. 18. List of programs in a system.
B. Program documentation: 5. Constants, codes, and tables. 7. Logic diagrams and/or decision tables. 12. Source statement listings.
C. Operations documentation: 8. Support distribution instructions. 9. Messages and programmed halts. 15. Restart and recovery procedures.
D. User documentation: 2. Procedures needed to balance, reconcile, and maintain overall control. 13. Instructions to show proper use of each transaction. 17. Instructions to ensure the proper completion of all input forms.
E. Library documentation: 3. Storage instructions. 10. Procedures for backup files. 11. Retention cycle.
F. Data entry documentation: 4. Contents and format of data to be captured. 6. Verification procedures. 16. Rules for handling blank spaces.
WEB RESEARCH ASSIGNMENTS
19. SalesForce.com supports Force.com Connect, a group of services designed to facilitate integration between Salesforce.com and other applications. These services include working with integration middleware, “native connectors,” the Salesforce.com AppExchange, web scripting languages (e.g. Java), and cloud services connections (e.g., to Amazon Web Services, Facebook, and Google AppEngine).
20. There have been lots of ERP failures. For example, do a web search for “Hershey ERP failure,” “Maytag ERP failure,” and “Shane Company ERP Failure” (without the quotes).
21. We don’t present a detailed comparison of the two products here, as product features can change rapidly over time. However, as a general matter, Easy Projects is perhaps one of the easiest project managers to use.
22. The easiest Ruby on Rails stack to install on Windows is Instant Rails, available at http://rubyforge.org/projects/instantrails/ . The current version of the stack includes Ruby, Rails, the WEBrick web server, and the MySQL database. The stack runs independently of any web servers or databases running on the same computer.
23. Crossword
Across
3. DOWNTIME — the percentage of time that equipment is unavailable for use.
5. INTEGRATED DEVELOPMENT ENVIRONMENT (IDE) — a software platform for writing programming code.
6. MODULAR CONVERSION — an approach to implementation that involves phasing in a new system in segments.
10. SOFTWARE APPLICATION FRAMEWORK — a structured environment in which to develop software.
11. CRITICAL PATH — activities that, if delayed, delay the entire project.
14. BUG — a computer programming error that is not detected until the program is in use.
15. APPLICATION SOLUTION STACK — a group of software components needed to deliver a workable application.
16. PARALLEL OPERATION — involves running the new and old systems simultaneously before final conversion.
17. CUTOVER POINT — when the switch to a new system is made in the direct approach.
18. GANTT CHART — shows actual and planned times for activities.
19. NETWORK DIAGRAM — depicts the order in which activities must be performed.
Down
1. SOFTWARE VERSIONING SYSTEM — keeps current and historical versions of the software source code.
2. PROJECT DEVELOPMENT ENVIRONMENT — the tools and technologies used to implement a given project.
4. PROJECT MANAGEMENT — tools used to track progress and manage resources for a systems development project.
7. LOWBALLING — pertains to cost estimates to obtain a contract.
8. PROJECT COLLABORATION PLATFORM — optimizes management of the communication chain in software development projects.
9. SPICE — a process-based development approach that focuses on the "maturity" of the process being developed.
12. ISO 15504 — the same as SPICE.
13. DIRECT APPROACH — switching to a new system and abandoning the old system at a fixed point in time.
Chapter 12 DATA MANAGEMENT CONCEPTS
TEACHING TIPS
This chapter gives fairly thorough coverage to the underlying technology for database management systems. I sometimes like to supplement the coverage of this chapter with database projects in the lab, using products such as Microsoft Access. This chapter can be covered at more than one level of depth. Those not wishing the deepest level of coverage should skip the specifics of relational technology, such as the relational algebra and the various normal forms.
INTRODUCTORY TERMINOLOGY
Databases. A database is a structured collection of data stored in a computer system or network. The data inside a database are manipulated and retrieved using database software.
Fields, Data Items, Attributes, and Elements. These terms are used interchangeably to denote the smallest block of data that will be stored and retrieved in the information system. Examples of fields include items such as customer name, employee social security number, and purchase order number.
Data Occurrences. A record occurrence is a specific set of data values for the record. For example: EMPLOYEE(Brown, 111222333, 33).
Record. A record is an organized collection of fields.
Fixed- and Variable-Length Records. In a fixed-length record, both the number of fields and the length (character size) of each field are fixed. In variable-length records, however, the width of the field can be adjusted for each data occurrence. Further, in variable-length records, the actual number of fields can vary from one data occurrence to another. Repeated groups are related groups of fields that repeat themselves in variable-length records. For example, for each instance of a PART record there may be more than one SUPPLIER and more than one LOCATION. Thus the part record may be thought of as a parent record and SUPPLIER and LOCATION as child records. Repeated groups are also called nodes or segments.
Record Key and File Sequence. A key or record key is a data item or combination of data items that uniquely identifies a particular record in a file.
DATABASE MANAGEMENT SYSTEMS AND THEIR ARCHITECTURE
There are three levels of architecture relevant to databases and database management systems: the conceptual level, logical level, and physical level. At the conceptual level, databases are collections of various elements of information that are to be used for assorted purposes. At the logical level, the records and fields in the database are structured and organized in some logical manner, thus giving rise to logical data structures. There are three basic types of logical data structures that can be used to accomplish this objective: hierarchical, network, and relational.
Data Management Concepts 12 215
Conceptual Architecture. The Entity-Relationship (E-R) data model is one popular approach. The E-R model simply depicts the relationships between segments. In the E-R model, however, the term "entity" is used instead of segment, and the term "attribute" is used to refer to individual fields or data items.
Database Architecture at the Logical Level: Logical Data Structures. The relationships that exist between the segments in the database are determined by the logical data structure, also called the schema or database model. Three major models of logical data structures appear in the literature: (1) tree or hierarchical models, (2) network models, and (3) relational models. Some authorities define as many as eight additional models, but the ones discussed below are of special importance to practice.
Tree or Hierarchical Structures. In a tree structure, each node represents a set of fields (i.e., a segment), and a node is related to another node at the next highest level of the tree. The latter is called the parent node. Every parent may have one or more children, and the connection between the children and parents is called a branch. The significant feature of the tree model is that a child node cannot have more than one parent. The tree model corresponds to the data structures supported by COBOL and other widely used programming languages and has been implemented in many commercial DBMS such as IMS and IDMS.
Network Structures. A network structure is one that allows a child segment to have more than one parent. A network, therefore, is a more general data structure than a tree. Both trees and networks are implemented with embedded pointer fields, which cross-link segments, as discussed more thoroughly below.
Implementing Tree and Network Structures. There are various ways to implement tree and network structures. These include using lists and pointers. In a list organization, each record contains one or more pointers (fields) indicating the address of the next logical record with the same attribute(s). A ring structure differs from a list in that the last record in the ring list points back to the first record. Two growing areas of application for pointer-based systems are hypertext and semantic data networks. The only difference between the two models is that in semantic networks the cross-linking of records is limited to text, whereas in hypertext models the cross-linking can include multimedia objects such as photographs and other graphic forms.
Relational Data Structures. The relational model views the database as a collection of two-dimensional tables rather than a hierarchical or network type structure. Information (e.g., a financial report) is extracted from tables using relational algebra, which can be summarized in three basic operations:

Operation     Function
Selection     Creates a new table from selected rows of existing tables. The rows are selected on the basis of their data values.
Join          Creates a new table from the rows of two existing tables. The rows are selected on the basis of their data values.
Projection    Creates a new table by deleting columns from an existing table.

Certain rules called normal forms govern the creation of tables. The process of applying these rules is called normalization. Tables that satisfy these rules are said to be normalized. Tables that do not satisfy these rules are un-normalized. Normalization is important because without it,
updating the entries in the tables can cause problems. We will show this with an example. Normalization is simply the process of converting the record structure from a tree or network format into the appropriate tables. The three normal forms are as follows:

Normal Form            Rule
First Normal Form      Divide tables to eliminate repeated groups.
Second Normal Form     Divide tables so that no key determines the values of a nonkey field.
Third Normal Form      Divide tables so that no nonkey field determines the values of another nonkey field.
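To make the update problem and the three relational operations concrete, here is an added example in Python (not from the text): a PART record carrying a repeated SUPPLIER group, the same data split into PART, SUPPLIER and PART_SUPPLIER tables, and selection, join and projection implemented on plain lists of rows. The part and supplier values are constructed for the example.

```python
from typing import Callable, Dict, List, Set

Table = List[Dict]  # a relation: a list of rows (tuples) keyed by attribute name


def selection(table: Table, predicate: Callable[[Dict], bool]) -> Table:
    """Selection: new table from the rows of a table chosen by their data values."""
    return [dict(row) for row in table if predicate(row)]


def projection(table: Table, *columns: str) -> Table:
    """Projection: new table keeping only the named columns; duplicate rows collapse."""
    seen: Set[tuple] = set()
    out: Table = []
    for row in table:
        key = tuple(row[c] for c in columns)
        if key not in seen:
            seen.add(key)
            out.append(dict(zip(columns, key)))
    return out


def join(left: Table, right: Table, on: str) -> Table:
    """Join: new table from the rows of two tables whose values agree on column `on`."""
    return [{**lrow, **rrow} for lrow in left for rrow in right if lrow[on] == rrow[on]]


# --- Un-normalized structure: a repeated SUPPLIER group inside each PART record ---
def unnormalized_parts() -> Table:
    """Constructed sample data; supplier S1's city is stored in two PART records."""
    return [
        {"part_no": "P1", "description": "Bolt",
         "suppliers": [{"supplier_no": "S1", "city": "Akron"},
                       {"supplier_no": "S2", "city": "Toledo"}]},
        {"part_no": "P2", "description": "Nut",
         "suppliers": [{"supplier_no": "S1", "city": "Akron"}]},
    ]


def cities_on_file(parts: Table, supplier_no: str) -> Set[str]:
    """Every city recorded for one supplier across all the repeated groups."""
    return {s["city"] for p in parts for s in p["suppliers"] if s["supplier_no"] == supplier_no}


def update_anomaly() -> Set[str]:
    """Change S1's city in the one PART record a clerk edits; the copy inside P2 is missed."""
    parts = unnormalized_parts()
    for s in parts[0]["suppliers"]:          # only record P1 is touched
        if s["supplier_no"] == "S1":
            s["city"] = "Canton"
    return cities_on_file(parts, "S1")       # {'Akron', 'Canton'}: the file now contradicts itself


# --- Normalized structure ---
# 1NF: the repeated group becomes its own table PART_SUPPLIER.
# 2NF/3NF: city depends on supplier_no alone, so it lives in SUPPLIER, not in PART_SUPPLIER.
def normalized() -> Dict[str, Table]:
    return {
        "PART": [{"part_no": "P1", "description": "Bolt"},
                 {"part_no": "P2", "description": "Nut"}],
        "SUPPLIER": [{"supplier_no": "S1", "city": "Akron"},
                     {"supplier_no": "S2", "city": "Toledo"}],
        "PART_SUPPLIER": [{"part_no": "P1", "supplier_no": "S1"},
                          {"part_no": "P1", "supplier_no": "S2"},
                          {"part_no": "P2", "supplier_no": "S1"}],
    }


def move_supplier(db: Dict[str, Table], supplier_no: str, city: str) -> Set[str]:
    """One change in SUPPLIER is seen by every part that supplier serves."""
    for row in db["SUPPLIER"]:
        if row["supplier_no"] == supplier_no:
            row["city"] = city
    rows = join(db["PART_SUPPLIER"], db["SUPPLIER"], on="supplier_no")
    return {r["city"] for r in rows if r["supplier_no"] == supplier_no}


def parts_supplied_from(db: Dict[str, Table], city: str) -> List[str]:
    """Report: part numbers of parts having a supplier located in `city`."""
    rows = join(join(db["PART_SUPPLIER"], db["SUPPLIER"], on="supplier_no"),
                db["PART"], on="part_no")
    in_city = selection(rows, lambda r: r["city"] == city)
    return sorted(r["part_no"] for r in projection(in_city, "part_no", "description"))
```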
The term relation is synonymous with table, and tuple refers to a row in a table.
Database Architecture: The Physical Level
In discussing the physical level of database architecture, we will focus on the three file-access methods: sequential, indexed, and direct. DASDs are capable of supporting all these methods, and the choice of the best one will depend on the particular application.
Sequentially Accessed Files. In a sequential-access file, records can only be accessed in their predefined sequence. Sequential files are useful in batch processing, which normally accesses all the records in the file.
Indexed Files. Any attribute can be extracted from the records in a primary file and used to build a new file whose purpose is to provide an index to the original file. Such a file is called an indexed or inverted file. An indexed-sequential file is a sequential file that is stored on a DASD and is both indexed and physically sorted on the same field.
Directly Accessed Files. Direct-access files allow individual records to be almost instantly retrieved without the use of an index. This is accomplished by assigning each record to a storage location that bears some relationship to the record's key values. A randomizing transformation is a widely used method of storing and locating records in a direct-access file.
Economic Relations Between File Organization Techniques. The basic economics of file processing are largely determined by the activity ratio (the number of accessed records divided by the number of records in the file), and the desired response time for processing and inquiries. The second economic consideration concerns response time. In relation to databases, response time is the length of time the user must wait for the system to complete an operation, such as a query. Direct-access files are necessary for very quick response times; longer response times (hours or more) can be economically handled by sequential files.
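An added example in Python (not from the text) contrasting the access methods just described: records are placed in a direct-access file by a randomizing transformation (division-remainder on the key is assumed here, with an overflow chain per address for collisions), an inverted file is built on the non-key skill attribute, and the record reads needed to answer an inquiry are counted for a sequential search versus an indexed lookup. The EMPLOYEE records are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample EMPLOYEE master file, already in employee_no sequence:
# (employee_no, name, department, skill). All values are made up.
EMPLOYEES: List[tuple] = [
    (111222333, "Brown", "Audit", "SQL"),
    (222333444, "Chen", "Audit", "COBOL"),
    (333444555, "Diaz", "Payroll", "SQL"),
    (444555666, "Evans", "Payroll", "COBOL"),
    (555666777, "Foster", "Audit", "SQL"),
]


class DirectAccessFile:
    """Records are stored at an address computed from the key; no index is kept."""

    def __init__(self, bucket_count: int):
        # Each address holds a short overflow chain for keys that transform to the same value.
        self.buckets: List[List[tuple]] = [[] for _ in range(bucket_count)]
        self.reads = 0  # physical record reads, used below to compare access costs

    def address(self, key: int) -> int:
        """Division-remainder transformation: the address bears a fixed relationship to the key."""
        return key % len(self.buckets)

    def store(self, record: tuple) -> None:
        self.buckets[self.address(record[0])].append(record)

    def read(self, key: int) -> Optional[tuple]:
        """Direct retrieval by primary key: only the chain at the computed address is touched."""
        for rec in self.buckets[self.address(key)]:
            self.reads += 1
            if rec[0] == key:
                return rec
        return None


def build_inverted_file(records: List[tuple], attribute: int) -> Dict[str, List[int]]:
    """Inverted (index) file on one non-key attribute: value -> keys of records having it."""
    index = defaultdict(list)
    for rec in records:
        index[rec[attribute]].append(rec[0])
    return dict(index)


def sequential_search(records: List[tuple], attribute: int, value: str) -> Tuple[List[int], int]:
    """No index on this attribute: the whole file is read (activity ratio of 100%)."""
    hits, reads = [], 0
    for rec in records:
        reads += 1
        if rec[attribute] == value:
            hits.append(rec[0])
    return hits, reads


def indexed_search(daf: DirectAccessFile, inverted: Dict[str, List[int]], value: str) -> Tuple[List[int], int]:
    """The inverted file supplies the keys; each record is then fetched directly."""
    before = daf.reads
    hits = [daf.read(key)[0] for key in inverted.get(value, [])]
    return hits, daf.reads - before


def load_direct_file() -> DirectAccessFile:
    daf = DirectAccessFile(bucket_count=4)  # small enough that two keys share an address
    for rec in EMPLOYEES:
        daf.store(rec)
    return daf


def direct_read_cost(key: int) -> Tuple[Optional[tuple], int]:
    """Record (or None) and the reads spent locating it by key alone."""
    daf = load_direct_file()
    return daf.read(key), daf.reads


def compare_access_costs(skill: str) -> Dict[str, object]:
    """Reads needed to answer 'all employees with skill x' under each organization."""
    daf = load_direct_file()
    inverted = build_inverted_file(EMPLOYEES, attribute=3)
    seq_hits, seq_reads = sequential_search(EMPLOYEES, 3, skill)
    idx_hits, idx_reads = indexed_search(daf, inverted, skill)
    assert seq_hits == idx_hits  # same answer, different cost
    return {"sequential_reads": seq_reads, "indexed_reads": idx_reads, "hits": idx_hits}
```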
DATABASE ARCHITECTURE AND DATABASE DEVELOPMENT
The classical approach to database design for e-business applications is to use an entity-relationship (conceptual) model, which is then translated into a relational database (logical model), which is then implemented using ISAM and/or other methods. In the case of off-the-shelf, prepackaged e-business applications, the e-business application will typically generate the database automatically, without the user needing to worry about the conceptual, logical, and physical models. An alternate approach to database design is to use the object-modeling technique.
Other Types of Logical Structures and Related Databases
OLAP (OnLine Analytical Processing). OLAP provides lightning-fast response to complicated queries, often 1,000 times faster than responses in standard relational systems.
IN-MEMORY DATABASES. The in-memory database differs from conventional databases in that the entire database is loaded into computer-internal high-speed random access memory or another high-speed electronic storage device.
ACID: Reliable Processing of Database Transactions. Regardless of the type of database architecture, certain fundamental requirements must be met in order to ensure the reliability of processing database transactions. These requirements are commonly described using the acronym ACID (Atomicity, Consistency, Isolation, and Durability).
DATABASE MANAGEMENT SYSTEMS AND DATABASES IN PRACTICE
DBMSs contain three common attributes for managing and organizing data.
DATA DESCRIPTION LANGUAGE (DDL). The DDL allows the database administrator (DBA) to define the logical structure of the database, called the schema.
DATA MANIPULATION LANGUAGE (DML). The DML consists of the commands for updating, editing, manipulating, and extracting data.
DATA QUERY LANGUAGE (DQL). The DQL is a user-friendly language or interface that allows the user to request information from the database.
SQL Data Manipulation Language. Structured Query Language (SQL) is the technology used to retrieve information from databases. SQL is a non-procedural programming language. Four basic statement types comprise the DML (Data Manipulation Language) component of SQL.
• SELECT to retrieve rows from tables
• UPDATE to modify the rows of tables
• DELETE to remove rows from tables
• INSERT to add new rows to tables.
Select Queries retrieve information from a database. Update, Insert, and Delete Queries modify a database.
Why Database Management Systems Are Needed. DBMSs integrate, standardize, and provide security for various accounting applications.
Database Documentation and Administration. Database dictionaries are used both alone and with DBMS to centralize, document, control, and coordinate the use of data within an organization. The data dictionary is simply another file, a sort of file of files, whose record occurrences consist of data item descriptions. Responsibility for the data dictionary should be centralized in a database administrator (DBA).
REVIEW QUESTIONS
1. In a fixed-length record both the number of fields and the length (character size) of each field are fixed. In a variable-length record both the number of fields and the length (character size) of each field are variable.
2. A primary sort key is the first field used to sort the records in a file. A secondary sort key is a field used to determine relative position among a set of records when the primary key has the same value in each record of the set.
3. The major developments in the evolution of database technology are mainframe environments, database management systems, on-line information services, expert systems, object-oriented programming, hypertext systems, and intelligent database systems.
4. Hypertext systems allow users to browse through databases in a somewhat random fashion by selecting key words.
5. At the conceptual level, databases are collections of various elements of information to be used for assorted purposes. This requires that the records and fields in the database be structured and organized in some logical manner, thus giving rise to logical data structures. The physical level of database architecture deals with specific implementation techniques and issues relating to methods for accessing data.
6. A tree or hierarchical model is a logical data structure where each node represents a segment, and each node is related to another node at the next highest level of the tree. Network models are logical data structures that allow a child segment to have more than one parent. Relational models are logical data structures that view the database as a collection of two-dimensional tables.
7. In a list organization each record contains one or more pointers (fields) indicating the address of the next logical record with the same attribute(s). A ring structure is a list organization in which the last record in the ring-list points back to the first record.
8. Selection creates a new table from selected rows of existing tables. Join creates a new table from the rows of two existing tables. Projection creates a new table by deleting columns from an existing table. Information is extracted from tables using relational algebra.
9. Normalization is the process of applying normal form rules in the relational database model. In first normal form, relational tables do not contain any repeating groups. In second normal form, no key in a relational table is allowed to determine the values of a nonkey field. In third normal form, no nonkey field in a relational table is allowed to determine the values of another nonkey field.
10. In sequentially-accessed files, records are always accessed in the exact same sequence, from the first to the last. An indexed-sequential file is a sequential file that is indexed and physically ordered on one key. Such a file can be processed either sequentially or through the use of the index. A direct-access file physically places records in such a way that they can be located by one or more data values.
11. Physical access time and the manner in which data records are physically distributed on a disk affect response time.
12. Database Management Systems are computer programs that enable a user to create and update files, to select and retrieve data, and to generate various outputs and reports.
13. Data description language (DDL) allows the Database Administrator (DBA) to define the logical structure of the database, called the schema. The data manipulation language (DML) consists of the commands for updating, editing, manipulating, and extracting data. Data query language (DQL) is a user-friendly language or interface that allows the user to request information from the database.
14. Database administration is responsible for resolving incompatibilities and coordination and communication problems between groups of users sharing a database. A major task of the DBA is to establish standards, conventions, and documentation of the data resource.
ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS
15. File Concepts - 15 minutes Easy
The traditional approach to the design of information systems has been separate systems consisting of the programs and their associated files of data that are needed by each organizational unit. An advantage of maintaining separate information systems is the ability to handle data security. Each organizational unit is responsible for maintaining its own files and generating appropriate reports. Individuals outside the particular unit have no direct access to the data and they can obtain information only by direct request to the concerned organizational unit. Of course, security within each organizational unit must be established and maintained. With the development of a common database, the control of, and responsibility for, the entire system must be centralized under one organizational unit. While centralization of data management causes increased problems for data security, there are advantages in developing a common database. The principal reasons for centralization are that replication of data is avoided and the problem of updating is simplified. In order to update a data value in the centralized system, only one change needs to be made; but when the data item is a constituent of several files, all of these files must be altered to preserve consistency. Specific differences for discussion include: (1) The use of traditional programming languages (FORTRAN, COBOL) versus the use of database software. (2) Separate redundant files versus integrated data storage. (3) Enhanced information retrieval capabilities of database software.
16. Databases - 15 minutes Easy
Standardization of database software has proved to be very difficult owing to the wide variety of systems and approaches which are in use. The major disadvantages would likely be a lack of flexibility in basic design, possible biases against specific types of hardware or vendors, and a deterrent to future innovation. The potential advantages are many: (1) Compatibility of systems across vendors; (2) Uniform standards for internal control/security requirements; (3) Standardized design and usage requirements would facilitate management and maintenance.
An industry-wide standard would facilitate the external audit function. The wide diversity of systems software has caused significant problems in the use of generalized audit software packages. Standardization would facilitate the development of audit software and techniques for database software by the public accounting profession.
17. File Structures - 30 minutes Easy
a. Sequential organization is probably the most economic. The activity ratio would be high for the weekly applications and 100% for the monthly and quarterly applications. Processing time frame and response time to inquiries need not be immediate, and there is no apparent advantage to factoring the entire file.
b. Direct access organization. Very low activity ratio, an immediate processing time frame, and a small file size.
c. Indexed sequential. Daily processing has low activity ratios and immediate time frame requirements. Monthly processing, with high activity ratios, favors sequential organization.
d. Indexed sequential, owing to the expected large file size. Periodic processing of the inventory file would have high activity ratios; thus indexed sequential is preferable to purely direct access organization.
e. Sequential organization is probably sufficient for the same reasons given in (a) above.
f. Direct access organization. A very low activity ratio (individual inquiries), an immediate processing time frame for quick response, and the entire file is never processed to generate reports.
g. Sequential organization would be appropriate. There is a very high activity ratio (the entire file), the processing time frame need not be immediate, and the response time to satisfy inquiries need not be immediate.
h. Indexed sequential organization. Daily processing has a low activity ratio (individual inquiries) and an immediate processing time frame for quick response to inquiries. But weekly (periodic) processing has a high activity ratio (the entire file) and the processing time frame need not be immediate.
i. Sequential organization would be appropriate. There is a very high activity ratio (the entire file), the processing time frame need not be immediate, and the response time to inquiries need not be immediate.
18. File Structures - 15 minutes Easy
Possible advantages:
(1) Individual records could be accessed directly for inquiry or immediate processing, rather than being batched.
(2) Sorting would be unnecessary prior to updating the file.
Possible disadvantages:
(1) Direct or indexed sequential organization requires more complicated systems software support.
(2) Direct organization may significantly decrease storage efficiency.
(3) The extra costs may not be justifiable when related to the use of the file.
(4) Backup procedures would be more complicated.
19. File Structures - 15 minutes Easy
The relative merits of sequential, direct, and indexed sequential organization depend on the attributes assigned to each case in the discussion. Generally, case a. (open order file in a large manufacturing firm) and c. (inventory file for a large automobile dealership) would merit direct or indexed sequential organization due to the need for timely inquiry capability to support operations. Case b. (accounts receivable for a magazine publisher), d. (accounts payable for a retailing firm), and e. (fixed assets in a manufacturing firm) would tend to merit sequential organization owing to high activity ratio processing and no general need for immediate inquiry capability. Indexed sequential organization is possible in each of these cases. However, the extra costs associated with this method of file organization (e.g., software and direct-access storage devices versus magnetic tape) and the complexities inherent in maintaining the index may not be justified by the intended use of the files.
20. Database Concepts - 15 minutes Easy
Direct access files are necessary for very quick response times; longer response times (hours or more) can often be economically handled by sequential files. Such inquiries are typically appended to routine file processing runs. For example, a copy of customer records can be obtained as a by-product of posting invoices to the accounts receivable file. Printouts from routine processing runs may be utilized to satisfy inquiries. Note that printouts are only as current as the last processing run. Indexed sequential organization offers a middle ground. Short response time requests may be processed through use of the index; longer response time requests may be appended to any routine sequential processing runs against the file. An inquiry for a specific record in a direct access or indexed sequential file may be obtained directly if the search parameter is the file key field. If the inquiry is based on a non-key attribute (e.g., employee skill when the file is organized on employee number), the entire file may have to be searched sequentially. In this case the factors discussed in the previous paragraph come into play in determining the cost and capability of satisfying the inquiry. Inquiries for groups of related records: regardless of file organization, the entire file must be searched to find all of the desired records. If the file is on a direct-access storage device, pointers or indices may exist to satisfy the inquiry. A request for all outstanding work-in-process for a specific client, for example, may be satisfied by searching an index for the client number, then obtaining all records by consulting the record numbers or entry point to a list or ring structure contained in the index.
Specific examples of inquiries:
a. employee master file: (1) employee x (2) all employees in department x (3) all employees who earn more than x dollars
b. accounts receivable file: (1) account balance of customer x (2) all accounts with balance greater than x dollars (3) all balances due in x days
c. work-in-process file:
(1) status of job x
(2) all work-in-process for client x
(3) all jobs late more than x days
21. Sequential File Concepts - 30 minutes Medium
Note: The last record test (block no. 5 in Figure 11.13) consists of the inquiry: is the record number equal to 99? The number 99 is a dummy record number which is used to identify the logical end of the file.

Processing Sequence
Key Comparison
Master   Transaction   Result
11       11            Update Master 11
11       12            Write Master 11
15       12            Write error notice: transaction out of sequence
15       31            Write Master 15 (not updated)
31       31            Update Master 31
31       31            Update Master 31
31       15            Write error notice: transaction out of sequence
31       84            Write Master 31
84       84            Update Master 84
84       99            Write Master 84
87       99            Write Master 87
99       99            Last record test is now "Yes"; initiate end-of-job processing

Note: Master 31 is updated with two separate transactions. This illustrates the capability of the processing logic to process multiple transactions against a single master file record.
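The trace above carried out in code, as an added example written for these notes (it is not the textbook's program or data): a Python balanced-line update of a sorted master file by a sorted transaction file, using the same master keys, the same transaction keys and the dummy record number 99 as the sentinel. The list contents and the function names are constructed for the illustration; the out-of-sequence branch is the integrity control that rejects a transaction whose master has already been written, and the example logs every rejection rather than dropping it silently.

```python
SENTINEL = 99  # dummy record number marking the logical end of both files

# Constructed input reproducing the problem's trace (assumed, not the textbook's
# data files): master keys in sequence, transactions with 12 and 15 out of sequence.
MASTER_KEYS = [11, 15, 31, 84, 87]
TRANSACTION_KEYS = [11, 12, 31, 31, 15, 84]


def sequential_update(master_keys, transaction_keys, sentinel=SENTINEL):
    """Balanced-line update of a sorted master file by a sorted transaction file.

    Every real key must be below the sentinel. Returns (new_master, log):
    new_master lists (key, was_updated) in the order records were written;
    log holds one (master_key, transaction_key, result) entry per comparison,
    matching the rows of the trace table.
    """
    masters = iter(list(master_keys) + [sentinel])
    transactions = iter(list(transaction_keys) + [sentinel])
    m, t = next(masters), next(transactions)
    new_master, log, updated = [], [], False
    while not (m == sentinel and t == sentinel):
        if m == t:
            # Match: post the transaction and stay on this master, because
            # further transactions may follow for the same key.
            log.append((m, t, f"Update Master {m}"))
            updated = True
            t = next(transactions)
        elif t < m:
            # The master with this key was already written (or never existed):
            # the integrity control rejects the transaction and records it
            # for follow-up instead of silently dropping it.
            log.append((m, t, "Write error notice: transaction out of sequence"))
            t = next(transactions)
        else:
            # m < t: no further transactions for this master, so write it out.
            suffix = "" if updated else " (not updated)"
            log.append((m, t, f"Write Master {m}{suffix}"))
            new_master.append((m, updated))
            updated = False
            m = next(masters)
    log.append((m, t, 'Last record test is now "Yes": initiate end-of-job processing'))
    return new_master, log


def summarize(master_keys=MASTER_KEYS, transaction_keys=TRANSACTION_KEYS):
    """Produce the problem's three solution lists from the update log."""
    new_master, log = sequential_update(master_keys, transaction_keys)
    return {
        "updated": [k for k, was_updated in new_master if was_updated],
        "not_updated": [k for k, was_updated in new_master if not was_updated],
        "posted": [t for _, t, result in log if result.startswith("Update")],
        "errors": [t for _, t, result in log if result.startswith("Write error")],
    }


if __name__ == "__main__":
    _, trace = sequential_update(MASTER_KEYS, TRANSACTION_KEYS)
    for m, t, result in trace:
        print(f"{m:>3} {t:>3}  {result}")
    print(summarize())
```

Running the script prints the twelve comparison rows of the table above followed by the solution lists; feeding it a transaction file with an extra out-of-sequence key shows up immediately as an additional error entry.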
Solution:
a. Master Records Updated: 11, 31, 84
b. Master Records Not Updated: 15, 87
c. Transaction Records: 11 posted; 12 error condition; 31 posted; 31 posted; 15 error condition; 84 posted
22. Linking Files - 15 minutes Easy
A purchase order file would likely be sequenced on purchase order number. A database system might provide and support linkages to the following files to facilitate information retrieval:
(1) Material inventory file to identify items on order;
(2) A vendor master file to identify items on order;
(3) An accounts/vouchers payable file might point to the purchase order file rather than duplicate the contents of the purchase order.
The purchase order file would generally be linked to the above files by providing a separate pointer field in the purchase order file for each file.
23. Linking Files - 15 minutes Easy
Index or Directory
Key-Name    Key-Value      Pointer
Division    Chicago        64
            Los Angeles    108
            New York       22, 28
Specialty   Audit          22, 28
            Marketing      64
            Personnel      108
Age         21 - 25        28
            26 - 30        22, 64
            31 - 35        108
            36 - 40        (none)
Note that no pointers are required in the records themselves, as the key of each record possessing the indexed key-value (attribute) appears in the directory itself.
24. Linking Files - 15 minutes Medium
A significant advantage of inverted file organization over pointer field structures such as lists and rings is the ability to answer the types of inquiries listed as a. and b. in the question without actually having to retrieve the records themselves. These types of inquiries can be quickly answered by a search of only the directory (index) to the inverted file and logically ANDing or ORing the lists of pointers corresponding to the attributes in the inquiry. (See the inverted file solution to problem 10-26 above for an illustration.)
In contrast, pointer field structures entail significantly more processing to answer these types of inquiries, as the search of a list or ring involves the actual retrieval and examination of the records in the file.
25. Normalization - 15 minutes Medium
a. No, it is not possible to add a new class time for a particular class number, as the key requires a student number as well. This is a disadvantage associated with records that are not in 2nd normal form. (The relation is in 1st normal form.) In this example, a classroom number and time cannot be added to the file until a student has signed up for the class.
b. If all students drop a class, the time and room of that class are lost. This is a disadvantage that arises as the relation is not in 2nd normal form.
c. It is in 1st normal form, as the relation does not contain a repeating group under the assumption that each student has a single major.
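The directory of problem 23 and the AND/OR reasoning of problem 24, as an added example that is not part of the textbook or its solutions: a small Python inverted file built from constructed employee records. The record keys and the Division and Specialty values follow the directory above; the ages are an assumption chosen to fall in its age bands, and all function names are mine. Inquiries combining indexed attributes are answered from the directory alone by intersecting or uniting pointer lists, while a non-indexed attribute forces a scan of every record.

```python
# Constructed employee records (assumed; not the textbook's data). Record keys
# and the Division/Specialty values follow the directory in problem 23; the
# ages are an assumption chosen to fall in the directory's age bands.
RECORDS = {
    22: {"Division": "New York", "Specialty": "Audit", "Age": 27},
    28: {"Division": "New York", "Specialty": "Audit", "Age": 23},
    64: {"Division": "Chicago", "Specialty": "Marketing", "Age": 29},
    108: {"Division": "Los Angeles", "Specialty": "Personnel", "Age": 33},
}
AGE_BANDS = [(21, 25), (26, 30), (31, 35), (36, 40)]


def age_band(age):
    """Map an age to the directory's key-value for the Age key-name."""
    for low, high in AGE_BANDS:
        if low <= age <= high:
            return f"{low}-{high}"
    return None


def build_directory(records):
    """Build the inverted-file directory: key-name -> key-value -> sorted record keys.

    The records carry no pointers; every record key that has a given attribute
    value is listed in the directory entry for that value.
    """
    directory = {"Division": {}, "Specialty": {}, "Age": {}}
    for rec_key in sorted(records):
        rec = records[rec_key]
        directory["Division"].setdefault(rec["Division"], []).append(rec_key)
        directory["Specialty"].setdefault(rec["Specialty"], []).append(rec_key)
        band = age_band(rec["Age"])
        if band is not None:
            directory["Age"].setdefault(band, []).append(rec_key)
    return directory


def directory_query(directory, terms, combine="and"):
    """Answer an inquiry from the directory alone, without reading any record.

    terms is a list of (key_name, key_value) pairs; combine is "and" or "or",
    i.e. the pointer lists are intersected or united. Returns sorted record keys.
    """
    if combine not in ("and", "or"):
        raise ValueError("combine must be 'and' or 'or'")
    pointer_sets = [set(directory[name].get(value, [])) for name, value in terms]
    if not pointer_sets:
        return []
    merged = set.intersection(*pointer_sets) if combine == "and" else set.union(*pointer_sets)
    return sorted(merged)


def full_scan(records, field, value):
    """The cost of a non-indexed attribute: every record must be examined.
    Returns (matching record keys, number of records read)."""
    hits = [k for k in sorted(records) if records[k].get(field) == value]
    return hits, len(records)


if __name__ == "__main__":
    d = build_directory(RECORDS)
    print(directory_query(d, [("Division", "New York"), ("Specialty", "Audit")]))  # AND
    print(directory_query(d, [("Division", "Chicago"), ("Age", "31-35")], "or"))   # OR
    print(full_scan(RECORDS, "Specialty", "Audit"))
```

The AND query touches only the two pointer lists for New York and Audit; compare that with `full_scan`, which reports that all four records had to be read to answer an inquiry on an attribute the directory does not cover.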
26. Normalization - 10 minutes Medium
Yes, the relation is in 3rd normal form. The key field MAKE, BODY-STYLE, COLOR, SALES-REGION is unique in total only because the file is of cumulative sales.
27. Normalization - 15 minutes Medium
Yes, PROFESSOR is a repeating group in the DEPARTMENT relation. The relation can be normalized by removing the repeating group into a separate relation. This requires duplication of the DEPT #. The normalized relations are: DEPARTMENT (DEPT #, DEPT-NAME, ...) PROFESSOR (DEPT #, PROF #, PROF-NAME, ...) Note the removal of the professor field in the DEPARTMENT relation that was used to link the two relations, and the addition of DEPT # to the key of the PROFESSOR relation.
28. Database Concepts - 30 minutes Medium
a. A programmer writing a COBOL program to update inventory records which are stored in the database would use the data manipulation language (DML). The data manipulation language (DML) is used by an application program to communicate its data needs to the database system, which then retrieves the actual data items.
b.
The database administrator (DBA) documents the content and structure of the database using the data definition language (DDL). The data definition language (DDL) is used to define the logical structure of the entities and relationships which constitute the database.
c.
A sales manager requesting an ad hoc report on sales of a certain product over the past month would use the query language. The query language in a database system provides a convenient, non-procedural, English-like, nonprogrammer-oriented means to use the system for spontaneous on-line information retrieval in relatively low volume. Both users and programmers may make use of the query language.
d.
The field for customer address in the accounts receivable record would be expanded to allow for a ten-digit ZIP code using the data definition language (DDL). The data definition language (DDL) is used to define the logical structure of the entities and relationships which constitute the database. This would probably be done by the database administrator (DBA).
e.
The payroll manager's request for a special report detailing those employees in the database who have college degrees would probably be fulfilled using the query language. The query language in a database system provides a convenient, non-procedural, English-like, nonprogrammer-oriented means to use the system for spontaneous on-line information retrieval in relatively low volume. Both users and programmers may make use of the query language.
f.
A programmer writing a COBOL program to prepare payroll checks for employees whose records are stored in the database would use the data manipulation language (DML). The data manipulation language (DML) is used by an application program to communicate its data needs to the database system, which then retrieves the actual data items.
g.
The new field to allow for a new payroll deduction for health benefits would be added to employee personnel records in the database using the data definition language (DDL). The data definition language (DDL) is used to define the logical structure of the entities and relationships which constitute the database. This would probably be done by the database administrator (DBA).
h.
A programmer writing a COBOL program to update accounts receivable records which are stored in the database would use the data manipulation language (DML). The data manipulation language (DML) is used by an application program to communicate its data needs to the database system, which then retrieves the actual data items.
i.
A credit manager requesting a special report detailing those customers in the database who have purchased more than $25,000 worth of goods in the past three months would use the query language. The query language in a database system provides a convenient, non-procedural, English-like, nonprogrammer-oriented means to use the system for spontaneous on-line information retrieval in relatively low volume. Both users and programmers may make use of the query language.
29. Database Concepts - 30 minutes Medium
The field "Total Cost" is virtual data in the work-in-process record as it might be computed as the sum of three other fields in the record: materials cost, direct labor cost, and applied overhead cost. The field "Good Units in Process" is virtual data in the work-in-process record as it might be computed as the difference between two other fields in the record: units started less units spoiled. The field "Applied Overhead Cost" might be virtual data if it is calculated as a percentage of direct labor cost and there is a single, plantwide overhead rate (percentage). If different overhead rates (percentages) are used in different departments, then the field "Applied Overhead Cost" could not be virtual data. Virtual data is an example of redundancy in data records. There are several types of advantages that might be gained if virtual data elements are removed from the work-in-process record. One advantage is to reduce the overall size of the data record and thus reduce the amount of storage space which is required for the file. This would tend to reduce the total cost of storing a data record (and the entire file). In addition to reduced storage requirements, another advantage is that there are fewer data items in the data record which have to be maintained during processing. This might lead to simpler application programs and would tend to reduce the possibility of having errors occur when the data record is modified in an updating run. This becomes more important when a data element is contained in more than one data record. In such cases, a data element might be updated in one record but not in others. This results in inconsistent data in an information system.
30. Database Design - 1 Hour Medium
a. If a user requested the data name "lot size" in the production scheduling application, he would get as a result the economic production quantity for a product. If the same user entered the data name "minimum level" in the finished goods inventory application, he would get the same result: the economic production quantity for a product. If a user requested the data name "units started" in the production scheduling application, and then requested the data name "quantity" in the work-in-process application, and then requested the data name "units" in the finished goods inventory application, he would get the same result in each of these three cases: the number of units being produced in a job. These three different data names in the three different applications all refer to the same real data element. Both of the above are examples of data redundancy. Different data names in different applications refer to the same real data element. The problem of data redundancy is complicated by the fact that the different data names for the same data element usually have different physical representations in the different application systems. For example, "units started" in the production scheduling application has a length of eight characters, but "quantity" in the work-in-process application has a length of ten characters. This creates the need to reformat data when it is transferred from one application to another.
b.
If a user requested the data name "code" in the production scheduling application, and then requested "code" in the work-in-process application, and then requested "code" in the finished goods inventory application, the result would be three different data elements even though the data names are the same. The data name "code" in the production scheduling application means department code, but "code" means transaction code in the work-in-process application and "code" means product number in the finished goods inventory application. This example indicates a type of data ambiguity known as inconsistency. Inconsistency occurs when the same data name is used to mean different things in different applications. This can create difficulties in updating the same data element in different applications as the data name (and perhaps also the data format) is different in each application.
c.
A data dictionary is the primary tool in analyzing and solving data ambiguity. The specification section of a data dictionary gives the standard for the data name along with its definition and synonyms, if any. Then in the characteristic section, the data name, type, size, format, and validation criteria are documented. In the utilization section, aspects concerning usage of the data name are listed. If constructed properly, a data dictionary can assist in resolving data ambiguity.
d.
The database project is more complex than either management or the project team anticipated. However, management of Ernst and Anderson should probably approve the continuation of the DBMS project. The DBMS project should proceed in view of the large amount of data ambiguity which has been discovered because in all likelihood these problems will only worsen if they are not corrected now. It seems as if anticipated benefits from the project will have to be higher in view of the additional costs. If management does approve continuation of the DBMS project, the project team should complete its study of data ambiguity even though the project has taken considerably more time than expected. Construction of a data dictionary is the primary tool in analyzing and solving data ambiguity. Accordingly, a data dictionary is the first database that should be implemented. This would provide a computer-based source of standard data names and specifications for the design of the integrated applications. A data dictionary would also provide a central reference for making modifications in data names as required as the project proceeds. Correcting the problems of data ambiguity first, before the actual conversion process begins, will significantly increase the probability of a successful conversion.
31. Database Administration - 25 minutes Medium
a. The database is a large repository of data crucial to a large and growing number of application systems and users. The database is a costly and important resource of any organization. It is costly to form a database, to administer it, and to manage it. However, the potential benefits of database technology can far exceed its costs. The database requires proper design, administration, and control, and these tasks fall on the DBA. The DBA (Database Administration) function must not be diffused among the many users and information system specialists. The reason is that there will be situations requiring much coordination among the various users, and frequently even conflicting demands on the database. The functions of the DBA have not been standardized and as a result there are significant differences in DBA practice. Wide differences are also noticeable between written charters of the DBA function and the tasks actually consuming most of the time of the DBA.
b.
The DBA functions include those that must be taken away from any one application system or user for the overall good. The DBA has a wide range of responsibilities, all the way from managerial realms to highly technical realms. Specific responsibilities include:
(1) Justify and promote database technology within an organization.
(2) A major task of the DBA is to establish standards, conventions, and documentation for the data resource. A data dictionary is often used to accomplish this task. The integration of data into a centralized or distributed database is frequently not too difficult, technically speaking. However, it is frequently very difficult as far as organizational or political aspects are concerned. The DBA should assist in resolving incompatibilities and coordination and communication problems between different groups sharing a common database.
(3) Participation in the information system development process.
(4) A major function of the DBA is to carry out, manage, and control the database design. Three phases are involved: logical database design, physical database design, and database loading and operation. As part of this design process, the DBA must deal with the additional concerns of performance, security, integrity, data sharing, and recovery.
(5) The DBA should be responsible for achieving a satisfactory performance level for the database.
(6) The DBA is responsible for assuring that satisfactory levels of security of data are achieved and maintained. The database must be protected against unauthorized or illegal access, modification, or destruction.
(7) The DBA is responsible for establishing and maintaining integrity constraints on the database with the goal of preserving the correctness of the data resource. Once the constraints are established, the system must monitor the usage of the database under the direction of the DBA and make sure that the constraints are satisfied.
(8) The DBA should coordinate data sharing by proper use of locking mechanisms provided by the data management system, with the goal of ascertaining that at all times any one user sees the database (his subschema) in a consistent state, and not in a possible temporarily inconsistent state that may be brought on by other concurrent processing not properly coordinated or locked.
(9) Provide for backup, system recovery capability, and audit trails.
c.
To achieve organizational independence, the DBA function should not be allowed to operate the computer system or initiate transactions into the database. Documentation of systems changes should be the responsibility of an independent control group. Custody of active files and programs should also not be the responsibility of the DBA function.
d.
The role and organizational position of the DBA continue to evolve. The DBA functions and its location in an organization have not been solidified nor standardized. Thus, differences exist in DBA practices from organization to organization. The DBA function needs to be at a sufficiently high organizational position, or at least work with some systems development group at such a level, for example, a corporate information systems group. The DBA must have the ability to deal with or assist in dealing with information systems which cross different organizational units. It must not be subordinate to the EDP manager, unless the latter is at sufficiently high level.
32. Normalization - 30 minutes Hard
a. The combination key that consists of the concatenated fields ORDER#, VENDOR#, and PART# uniquely identifies each part ordered. This relation is in 1nf because it does not contain any repeating groups. However, it is not in 2nf. Several of the non-key domains (DESCRIPTION and PRICE) can be uniquely identified with only a part of the key, the PART#. ORDER# and VENDOR# are irrelevant. In other words, if you know the PART#, you know the DESCRIPTION and PRICE, regardless of the ORDER# or VENDOR#. This is a different situation from that of QUANTITY: to know the quantity in a particular ORDER, you have to know all three of the domains that have been combined as the key. QUANTITY is fully functionally dependent on the entire key. To get ORDER into 2nf, we must eliminate the partial functional dependence of DESCRIPTION and PRICE. Partial functional dependencies can be eliminated by taking out the domains that are partially dependent and placing them in one or more separate relations. In this case we have ORDER(ORDER#,VENDOR#,PART#,QUANTITY,TOTAL-AMOUNT) and PART(PART#,DESCRIPTION,PRICE). Note that duplication is introduced to normalize a relation; PART# must be repeated in the new relation PART to form the key of the relation.
b. Both ORDER and PART are in 2nf, since all the non-key domains in each case are fully functionally dependent on the key. To reach 3nf, no non-key domain may be functionally dependent on any other non-key domain. To place a 2nf relation into 3nf, we must examine each of the non-key domains to see that they are independent of each of the other non-key domains and eliminate any such dependencies. In the case of ORDER, we can see that TOTAL-AMOUNT is in fact a redundant data element, because it can be computed if we know the QUANTITY and PRICE. So TOTAL-AMOUNT can be eliminated altogether to place ORDER in 3nf. PART is in 3nf, as DESCRIPTION and PRICE are independent. Thus we have the following relations in 3nf: ORDER(ORDER#,VENDOR#,PART#,QUANTITY) and PART(PART#,DESCRIPTION,PRICE). Data elements like TOTAL-AMOUNT in the above example are called virtual data. Virtual data elements are data that can be computed as needed on the basis of other data elements; thus virtual data need not be physically stored as part of a relation or file. It is generally desirable to have the computer compute virtual data elements as needed rather than physically store such items in relations. At times relations can be normalized through the elimination of virtual or redundant domains. At other times one must remove functionally dependent domains into separate relations, as has been illustrated above.
33. Normalization - 30 minutes Hard
a. If each student can have only one major, then CLASS-LIST is in 1nf as there are no repeating groups. It is also in 2nf since the key COURSE# is a single domain. But it is not in 3nf, since STUDENT-MAJOR is functionally dependent on STUDENT#. To place the relation in 3nf, we must separate it into two separate relations, both of which are in 3nf: CLASS-LIST(COURSE#,CLASS-ROOM,STUDENT#) and STUDENT(STUDENT#,STUDENT-MAJOR)
b.
The relation is in 1nf, if and only if each student can have only one major. If a student can have more than one major, then this would be a repeating group since STUDENT-MAJOR is not part of the key, and would thus take on several values for a single key value. This is an example of how functional dependence is a semantic concept; whether or not something is functionally dependent depends on the descriptions of data as perceived by the database designer.
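The anomalies described in problems 25 and 32 made concrete, as an added example that is not part of the textbook or its solutions. It builds the ORDER relation of problem 32 twice in SQLite through Python's standard sqlite3 module: once as the original 1nf relation with DESCRIPTION, PRICE and the stored TOTAL-AMOUNT on every line, and once as the 3nf pair ORDER and PART with TOTAL-AMOUNT as virtual data computed by a view. The SQL table and column names (order_1nf, order_3nf, part, order_no and so on) are my renderings of the solution's ORDER#, VENDOR#, PART#, QUANTITY, DESCRIPTION, PRICE and TOTAL-AMOUNT, and the sample rows are constructed. The 1nf functions show an update anomaly (two prices for one part) and a deletion anomaly (a part's facts vanish with its last order line, the same loss problem 25 b. describes for class rooms and times); the 3nf functions show that neither can happen.

```python
import sqlite3

# The relation from problem 32 before normalization: part facts are repeated on
# every order line, and TOTAL-AMOUNT is stored although it is derivable.
ORDER_1NF = """
CREATE TABLE order_1nf (
    order_no     INTEGER NOT NULL,
    vendor_no    INTEGER NOT NULL,
    part_no      TEXT    NOT NULL,
    quantity     INTEGER NOT NULL,
    description  TEXT    NOT NULL,
    price        REAL    NOT NULL,
    total_amount REAL    NOT NULL,
    PRIMARY KEY (order_no, vendor_no, part_no)
);
"""

# The 3nf decomposition: PART holds each part fact once, ORDER keeps only the
# fully dependent QUANTITY, and TOTAL-AMOUNT is virtual data computed by a view.
ORDER_3NF = """
CREATE TABLE part (
    part_no     TEXT PRIMARY KEY,
    description TEXT NOT NULL,
    price       REAL NOT NULL
);
CREATE TABLE order_3nf (
    order_no  INTEGER NOT NULL,
    vendor_no INTEGER NOT NULL,
    part_no   TEXT    NOT NULL REFERENCES part(part_no),
    quantity  INTEGER NOT NULL CHECK (quantity > 0),
    PRIMARY KEY (order_no, vendor_no, part_no)
);
CREATE VIEW order_lines AS
    SELECT o.order_no, o.vendor_no, o.part_no, o.quantity,
           p.description, p.price, o.quantity * p.price AS total_amount
    FROM order_3nf AS o JOIN part AS p ON p.part_no = o.part_no;
"""

# Constructed sample order lines (assumed; not from the textbook):
# order_no, vendor_no, part_no, quantity, description, price
LINES = [
    (1, 10, "P-7", 4, "Bracket", 2.50),
    (2, 10, "P-7", 1, "Bracket", 2.50),
    (2, 11, "P-9", 3, "Hinge", 4.00),
]


def load_1nf():
    conn = sqlite3.connect(":memory:")
    conn.executescript(ORDER_1NF)
    conn.executemany("INSERT INTO order_1nf VALUES (?,?,?,?,?,?,?)",
                     [(o, v, p, q, d, pr, q * pr) for o, v, p, q, d, pr in LINES])
    return conn


def load_3nf():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(ORDER_3NF)
    parts = sorted({(p, d, pr) for _, _, p, _, d, pr in LINES})
    conn.executemany("INSERT INTO part VALUES (?,?,?)", parts)
    conn.executemany("INSERT INTO order_3nf VALUES (?,?,?,?)",
                     [(o, v, p, q) for o, v, p, q, _, _ in LINES])
    return conn


def update_anomaly_1nf(conn):
    """Reprice P-7 on one order line only: the 1nf file now holds two prices for
    the same part (and a stale total_amount). Returns the distinct prices."""
    conn.execute("UPDATE order_1nf SET price = 3.00 "
                 "WHERE part_no = 'P-7' AND order_no = 1")
    rows = conn.execute("SELECT DISTINCT price FROM order_1nf "
                        "WHERE part_no = 'P-7' ORDER BY price").fetchall()
    return [price for (price,) in rows]


def delete_anomaly_1nf(conn):
    """Deleting the only order line for P-9 also destroys P-9's description and
    price. Returns the part numbers the file still knows about."""
    conn.execute("DELETE FROM order_1nf WHERE part_no = 'P-9'")
    rows = conn.execute("SELECT DISTINCT part_no FROM order_1nf ORDER BY part_no")
    return [part for (part,) in rows]


def reprice_3nf(conn, part_no, new_price):
    """In 3nf a single UPDATE reprices the part on every order line, and the
    virtual total_amount follows. Returns (order_no, total_amount) per line."""
    conn.execute("UPDATE part SET price = ? WHERE part_no = ?", (new_price, part_no))
    return conn.execute("SELECT order_no, total_amount FROM order_lines "
                        "WHERE part_no = ? ORDER BY order_no, vendor_no",
                        (part_no,)).fetchall()


def delete_orders_3nf(conn, part_no):
    """Deleting all order lines for a part leaves its PART row intact.
    Returns the part numbers still on file."""
    conn.execute("DELETE FROM order_3nf WHERE part_no = ?", (part_no,))
    return [part for (part,) in conn.execute("SELECT part_no FROM part ORDER BY part_no")]


if __name__ == "__main__":
    c1, c3 = load_1nf(), load_3nf()
    print(update_anomaly_1nf(c1), delete_anomaly_1nf(c1))
    print(reprice_3nf(c3, "P-7", 3.00), delete_orders_3nf(c3, "P-9"))
```

The CHECK and REFERENCES clauses in the 3nf schema are the integrity constraints the DBA is responsible for in problem 31; they are easy to state once each fact is stored exactly once, and hard to state at all in the 1nf table where the same price is spread over many rows.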
34. Select Queries – Varies a.
SELECT * FROM orders
b.
SELECT [order number], [vendor product] FROM [order details]
c.
SELECT [order number], [order type] FROM orders ORDER BY [order number]
d.
SELECT [order number], [vendor product] FROM [order details] WHERE price > 20.00
e.
SELECT [order number], [customer number] FROM orders WHERE [order type] = "fax" ORDER BY [customer number] DESC
f.
SELECT COUNT(*) AS tally FROM [order details]
g.
SELECT AVG([shipping charges]) FROM orders
h.
SELECT [order number], subtotal + [shipping charges] FROM orders WHERE price > 20.00
i.
SELECT orders.[order number], orders.[customer number], [order details].[vendor product] FROM orders INNER JOIN [order details] ON orders.[order number] = [order details].[order number]
j.
SELECT orders.[order number], orders.[shipping charges], [order details].[vendor product], [order details].quantity FROM orders INNER JOIN [order details] ON orders.[order number] = [order details].[order number] WHERE orders.[order type] = "fax" or orders.[order type] = "email"
WEB RESEARCH ASSIGNMENTS
35. At present the OpenOffice database is a version of the HSQLDB (Hyper Structured Query Language) database, a relational database system written in Java. Hundreds of books have been written about HSQLDB, and it's used in many open source software projects. MySQL is another database that is extremely popular and used extensively in Web 2.0 applications.
36. One might say that Oracle and DB2 are the heavy hitters, as their history goes way back in time to the mainframe era. Oracle is not only one of the most powerful database systems, it's well known for running on a wide variety of platforms. SQL Server, being a Microsoft product, tends to be used in tandem with Microsoft-specific applications. MySQL is available in a free version, and is probably used more often than any other database system in support of Web 2.0 applications.
37. ACID stands for Atomicity, Consistency, Isolation, and Durability. The concept applies to transactions processed against a database. The main objectives of ACID are to conduct transactions in such a way that transactions don't end up being half processed and the database doesn't end up in an indeterminate or corrupt state as a result of a transaction being processed. For example, you wouldn't want to end up with an ATM withdrawal of cash but no corresponding charge to the related customer's bank account. For a complete discussion of ACID, see the Wikipedia article: http://en.wikipedia.org/wiki/ACID .
38. At present, object-oriented databases are a niche market. In theory it is simpler to use object-oriented databases with object-oriented analysis and programming, but in practice the relational model dominates because of speed and the degree of support in existing products. Examples of a commercial object-oriented database include Versant (www.versant.com) and Objectivity (www.objectivity.com). The Objectivity web site lists commercial uses of object-oriented databases in many different industries.
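The select queries of problem 34 and the atomicity property of problem 37, run against one database, as an added example that is not part of the textbook or its solutions. The orders and [order details] tables, their column types and the sample rows are constructed for the illustration (the solution names the tables and columns but gives no data); SQLite accepts the [bracketed] identifiers of the Access-style answers, so queries d, e, f, g and j run nearly verbatim through Python's standard sqlite3 module. The one deliberate change is that the literals "fax", "email" and 20.00 become bound parameters, which is how an application should pass values it did not write itself. The last function writes an order header and its detail lines in one transaction, so a failed line rolls the header back as well and the database never holds a half-processed order.

```python
import sqlite3

# Constructed schema and rows (assumed; not the textbook's database) using the
# table and column names from problem 34. SQLite accepts the [bracketed]
# identifiers of the Access-style answers, so the queries run nearly verbatim.
SCHEMA = """
CREATE TABLE orders (
    [order number]     INTEGER PRIMARY KEY,
    [customer number]  INTEGER NOT NULL,
    [order type]       TEXT    NOT NULL,
    subtotal           REAL    NOT NULL,
    [shipping charges] REAL    NOT NULL
);
CREATE TABLE [order details] (
    [order number]   INTEGER NOT NULL REFERENCES orders([order number]),
    [vendor product] TEXT    NOT NULL,
    quantity         INTEGER NOT NULL CHECK (quantity > 0),
    price            REAL    NOT NULL
);
"""
ORDERS = [  # order number, customer number, order type, subtotal, shipping charges
    (1001, 7, "fax", 120.00, 9.50),
    (1002, 3, "email", 45.00, 5.00),
    (1003, 7, "phone", 300.00, 0.00),
]
DETAILS = [  # order number, vendor product, quantity, price
    (1001, "VP-100", 2, 25.00),
    (1001, "VP-200", 1, 70.00),
    (1002, "VP-300", 5, 9.00),
    (1003, "VP-100", 12, 25.00),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?,?)", ORDERS)
    conn.executemany("INSERT INTO [order details] VALUES (?,?,?,?)", DETAILS)
    conn.commit()
    return conn


def orders_by_type(conn, order_type):
    """Query e. The literal "fax" becomes a bound parameter: values that come
    from outside the program are handed to the driver, never spliced into SQL."""
    sql = ("SELECT [order number], [customer number] FROM orders "
           "WHERE [order type] = ? ORDER BY [customer number] DESC")
    return conn.execute(sql, (order_type,)).fetchall()


def items_over(conn, min_price):
    """Query d with the price threshold as a parameter."""
    sql = ("SELECT [order number], [vendor product] FROM [order details] "
           "WHERE price > ? ORDER BY [order number], [vendor product]")
    return conn.execute(sql, (min_price,)).fetchall()


def summary(conn):
    """Queries f and g: detail-line tally and average shipping charge."""
    tally = conn.execute("SELECT COUNT(*) AS tally FROM [order details]").fetchone()[0]
    avg = conn.execute("SELECT AVG([shipping charges]) FROM orders").fetchone()[0]
    return tally, avg


def fax_and_email_lines(conn):
    """Query j: headers joined to their detail lines, restricted to two order types."""
    sql = ("SELECT orders.[order number], orders.[shipping charges], "
           "[order details].[vendor product], [order details].quantity "
           "FROM orders INNER JOIN [order details] "
           "ON orders.[order number] = [order details].[order number] "
           "WHERE orders.[order type] IN (?, ?) "
           "ORDER BY orders.[order number], [order details].[vendor product]")
    return conn.execute(sql, ("fax", "email")).fetchall()


def place_order(conn, header, details):
    """Atomicity (problem 37): the header and all its detail lines are written
    in one transaction. If any line violates a constraint the whole order is
    rolled back, so the database never holds a header without its lines."""
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("INSERT INTO orders VALUES (?,?,?,?,?)", header)
            conn.executemany("INSERT INTO [order details] VALUES (?,?,?,?)", details)
        return True
    except sqlite3.IntegrityError:
        return False


def order_count(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(orders_by_type(db, "fax"))
    print(fax_and_email_lines(db))
    bad = [(1004, "VP-300", 2, 9.00), (1004, "VP-100", -1, 25.00)]
    print(place_order(db, (1004, 5, "fax", 10.00, 1.00), bad), order_count(db))
```

In the failing call the header and the first detail line are accepted and only the second line trips the CHECK constraint; because all three statements sit in one transaction, `order_count` still reports three orders afterwards and no detail rows for order 1004 remain.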
39. Crossword
Across
2. ACTIVITY RATIO — the number of active records divided by the number of records in the file.
6. DATA ITEM — synonym for field.
7. RECORD KEY — a data item or combination of data items that uniquely identifies a particular record in a file.
8. RELATIONAL MODEL — a logical data structure that views the database as a collection of two-dimensional tables.
9. LIST STRUCTURE — each record contains one or more pointers (fields) indicating the address of the next logical record with the same attribute(s).
10. DIRECT-ACCESS FILE — each record has a storage location (address) that bears some relationship to the record's key field.
12. TUPLE — a row in a relational table.
15. DATABASE MODEL — synonym for schema.
16. INHERITANCE — a relationship created when an object class is divided into subclasses.
18. DATA DESCRIPTION LANGUAGE — used to define the logical structure of the database (schema).
19. RELATIVE RANDOM ORDER — a field on which a file is not sorted.
21. OCCURRENCE — a specific set of data values for a record.
22. ENTITY-RELATIONSHIP DATA MODEL — a conceptual model for depicting the relationships between segments in a database.
25. OBJECT — corresponds to an instance in the object-oriented modeling technique (OMT).
28. RANDOM ACCESS — synonym for direct access.
32. RELATION — synonym for table in the relational model.
33. SEGMENT — synonym for repeated group.
34. JAVA DATA OBJECTS QUERY LANGUAGE — a Java-based query language capable of converting queries into different underlying query languages.
35. ATTRIBUTE — synonym for field.
37. SUBSCHEMA — individual, logical user views of the database.
39. OBJECT CLASS — corresponds to a segment in the object-oriented modeling technique (OMT).
40. TRAILER RECORD — a fixed-length extension of a master record.
41. ISAM — indexed-sequential access method; synonym for indexed-sequential file organization.
44. DATA MANIPULATION LANGUAGE — the commands for updating, editing, manipulating, and extracting data from a database.
45. SECONDARY SORT KEY — a field used to determine relative position among a set of records when the primary key has the same value in each record of the set.
47. SCHEMA — synonym for logical data structure of a database.
48. HYPERTEXT SYSTEMS — systems that allow users to browse through databases in random fashion by selecting keywords or objects.
49. DISK ACCESS TIME — the time required for the CPU to retrieve a single block of data from the disk.
50. CONSISTENCY — the ACID rule that requires that only valid data be written to the database.
51. NORMAL FORMS — rules that govern the creation of relational tables in the relational database model.
53. DATABASE MANAGEMENT SYSTEM — enables a user to create and update, select, and retrieve data.
55. MULTIPLE-RING STRUCTURE — several ring organizations pass through individual records.
56. INDEXED FILE — one where an attribute has been extracted from the records and used to build a new file.
60. NATURAL LANGUAGE DATABASE QUERY INTERFACE — a high-level database query approach that uses natural language processing and conversational analytics.
61. OBJECT QUERY LANGUAGE — a database query language structured after SQL but for object-oriented databases.
63. RECORD — a logical grouping of fields (data items) that concern a certain entity.
64. NETWORK STRUCTURE — a logical data structure that allows a child segment to have more than one parent.
65. TERTIARY SORT KEYS — additional fields beyond primary and secondary keys required to uniquely identify and sort records in a file.
66. RING STRUCTURE — a list organization in which the last record in the ring list points back to the first record.
67. RANDOMIZING TRANSFORMATION — a widely used method of storing and locating records in a direct-access file.
68. THIRD NORMAL FORM — no nonkey field in a relational table is allowed to determine the values of another nonkey field.
69. DATA QUERY LANGUAGE — a user-friendly language or interface that allows users to request information from a database.
Down
1. FIRST NORMAL FORM — relational tables that do not contain any repeating groups.
3. ISOLATION — the ACID rule that says that other operations can't interfere with a transaction that is in the middle of being processed.
4. CHILDREN — lower-level elements in a tree diagram of a data structure that are connected to the parent element.
5. RELATIONAL ALGEBRA — operations used to extract information from relational tables.
6. DATABASE ADMINISTRATOR — has overall responsibility for database administration.
11. FIELD — the smallest block of data that will be stored and retrieved in the information system.
13. PRIMARY SORT KEY — the first field used to sort the records in a file.
14. ALIAS — different users call the same field different names.
17. ATOMICITY — the ACID rule that says that either the entire transaction is completed or no part of it is completed.
20. INDEXED-SEQUENTIAL FILE — a sequential file that is stored on a DASD and is both indexed and physically sorted on the same field.
23. INVERTED FILE — synonym for indexed file.
24. PARENT — the highest-level element in a tree diagram of a data structure.
26. FULLY INVERTED — a file that is indexed for all its fields.
27. DATABASE — a structured collection of data stored in a computer system or network.
29. DATABASE SOFTWARE — software used to store, retrieve, and manipulate data in a database.
30. DURABILITY — the ACID rule that requires that a transaction isn't undone if the system fails after it is completed.
31. REPEATED GROUP — related groups of fields that repeat themselves in variable-length records.
36. MULTILIST ORGANIZATION — a record may be part of several list organizations.
38. ONLINE ANALYTICAL PROCESSING — a database approach that involves a multi-dimensional generalization of the two-dimensional relational table.
42. DATABASE DRIVER — software that connects a given application program to a particular DBMS.
43. NODE — synonym for repeated group.
46. TREE STRUCTURE — a logical data structure in which each node represents a segment, and each node is related to another node at the next-highest level of the tree.
52. ACID — generally accepted requirements for the reliable processing of transactions in a database setting.
54. NORMALIZATION — the process of applying normal form rules in the relational database model.
57. INSTANCE — synonym for occurrence.
58. ELEMENT — synonym for field.
59. KEY — synonym for record key.
62. BRANCH — the connection between children and parent(s) in a tree structure.
Chapter 13 AUDITING INFORMATION TECHNOLOGY

TEACHING TIPS

Many of the auditing concepts can be demonstrated with the ACL software. See the ACL Web site at www.acl.com, and contact ACL for possible student versions. It is my understanding that they have offered student versions in the past.

INFORMATION SYSTEM AUDITING CONCEPTS

The process of reviewing and evaluating the internal controls in an electronic data processing system is called auditing through the computer. Auditing with the computer describes the utilization of the computer by an auditor to perform some audit work that otherwise would have to be done manually.

Structure of a Financial Statement Audit. The primary objective and responsibility of the external auditor is to attest to the fairness of a firm's financial reports. An audit is almost universally divided into two basic components. The first component, usually called the interim audit, has the objective of establishing the degree to which the internal control system can be relied upon. This usually requires some type of compliance testing. The purpose of compliance testing is to confirm the existence, assess the effectiveness, and check the continuity of operation of those internal controls on which reliance is to be placed. The second component, usually called the financial statement audit, involves substantive testing. Substantive testing is the direct verification of financial statement figures, placing only as much reliance on internal control as the results of the interim audit warrant.

Auditing Around the Computer. In the around-the-computer approach, the processing portion is ignored. Instead, source documents supplying the input to the system are selected and summarized manually so that they can be compared to the output.

Auditing Through the Computer. Auditing through the computer may be defined as the verification of the controls in an information system.

Auditing With the Computer. Auditing with the computer is the process of using information technology in auditing.

Risk Based Auditing. Risk based auditing (RBA) provides assurance relating to the effectiveness of an organization's Enterprise Risk Management (ERM) processes. Specifically, RBA provides assurance that risks are being managed to within the organization's risk appetite.

INFORMATION SYSTEM AUDITING TECHNOLOGY

Test Data. Test data is auditor-prepared input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the test output with the manually processed results.

Integrated-Test-Facility Approach. The integrated test facility (ITF) involves the use of test data and also the creation of fictitious entities (e.g., vendors, employees, products, accounts) on the master files of a computer system. The technique is integrated because the test data are processed concurrently with real transactions against live master files that contain the real as well as the fictitious entities. Accordingly, audit checks are made as a part of the normal processing cycle, ensuring that the programs being checked are identical to the programs that process real data.
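The test-data and ITF approaches described above, as an added example that is not code from the textbook or from ACL: a small voucher-posting routine stands in for the production program, and the vendor IDs, the fictitious ITF vendors V9001 and V9002, the auditor's test deck and its hand-derived expected results are all constructed for the illustration. The code makes the same point the text makes about ITF: the test items ride through the live run together with real vouchers, and their postings are filtered out afterwards so the fictitious vendors never reach the real totals.

```python
"""Test-data and integrated-test-facility (ITF) run against a toy voucher-posting
routine. Added example for this manual; not code from the textbook or from ACL.
Vendor IDs, amounts and the ITF dummy vendors are constructed for the illustration."""
from collections import defaultdict

# Fictitious entities planted on the live master file for the ITF (assumed IDs).
ITF_VENDORS = {"V9001", "V9002"}

# Constructed vendor master file: two real vendors plus the two ITF dummies.
VENDOR_MASTER = {
    "V0001": {"name": "Acme Supply", "active": True},
    "V0002": {"name": "Beta Parts", "active": False},
    "V9001": {"name": "ITF TEST VENDOR A", "active": True},
    "V9002": {"name": "ITF TEST VENDOR B", "active": False},
}


def post_vouchers(vouchers, master):
    """The production posting routine under audit: applies the application's
    edit checks and accumulates posted amounts per vendor."""
    posted = defaultdict(float)
    rejects = []
    for v in vouchers:
        vendor = master.get(v["vendor"])
        if vendor is None:
            rejects.append((v["voucher"], "unknown vendor"))
        elif not vendor["active"]:
            rejects.append((v["voucher"], "inactive vendor"))
        elif v["amount"] <= 0:
            rejects.append((v["voucher"], "non-positive amount"))
        else:
            posted[v["vendor"]] = round(posted[v["vendor"]] + v["amount"], 2)
    return dict(posted), rejects


# Auditor-prepared test deck: valid and invalid items, all against ITF entities only.
TEST_DECK = [
    {"voucher": "T1", "vendor": "V9001", "amount": 100.00},  # valid
    {"voucher": "T2", "vendor": "V9999", "amount": 50.00},   # vendor not on master
    {"voucher": "T3", "vendor": "V9001", "amount": -25.00},  # negative amount
    {"voucher": "T4", "vendor": "V9002", "amount": 75.00},   # inactive vendor
]

# Expected results derived by hand before the run (the "manually processed" output).
EXPECTED = {
    "posted": {"V9001": 100.00},
    "rejects": [("T2", "unknown vendor"), ("T3", "non-positive amount"), ("T4", "inactive vendor")],
}

# Constructed real transactions that the test deck is processed alongside.
REAL_VOUCHERS = [
    {"voucher": "R1", "vendor": "V0001", "amount": 500.00},
    {"voucher": "R2", "vendor": "V0001", "amount": 250.00},
    {"voucher": "R3", "vendor": "V0002", "amount": 90.00},  # real reject: inactive vendor
]


def run_itf(real_vouchers, test_deck, master, expected):
    """Process real and test transactions in one run, then separate the ITF results
    from the real ones so the fictitious entities never distort live totals."""
    posted, rejects = post_vouchers(real_vouchers + test_deck, master)
    test_ids = {t["voucher"] for t in test_deck}
    itf_posted = {k: v for k, v in posted.items() if k in ITF_VENDORS}
    real_posted = {k: v for k, v in posted.items() if k not in ITF_VENDORS}
    itf_rejects = [r for r in rejects if r[0] in test_ids]
    real_rejects = [r for r in rejects if r[0] not in test_ids]
    return {
        "test_passed": itf_posted == expected["posted"] and itf_rejects == expected["rejects"],
        "itf_posted": itf_posted,
        "itf_rejects": itf_rejects,
        "real_posted": real_posted,  # what goes forward to the ledger; ITF amounts removed
        "real_rejects": real_rejects,
    }


def demo_report():
    """Run the constructed scenario."""
    return run_itf(REAL_VOUCHERS, TEST_DECK, VENDOR_MASTER, EXPECTED)


if __name__ == "__main__":
    report = demo_report()
    print("ITF test passed:", report["test_passed"])
    print("Real postings:", report["real_posted"], "real rejects:", report["real_rejects"])
```

A missing control in the production routine (for instance no inactive-vendor check) shows up as test_passed being False, while the real postings that go forward to the ledger are unaffected by the test items.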
Parallel Simulation. The test data and ITF methods both process test data through real programs. Parallel simulation processes real data through test or audit programs. The simulated output and the regular output are compared for control purposes. Parallel simulation, the redundant processing of all input data by a separate test program, permits comprehensive validation and is appropriate where transactions are sufficiently important to require a 100% audit.

Audit Software. Generalized Audit Software (GAS). Generalized audit software (GAS) is software that has been specifically designed to facilitate the use of information technology in auditing.

PC Software. Programs such as ACL allow auditors to analyze audit data from notebook computers in the field.

Embedded Audit Routines. Embedded audit routines involve building special auditing routines into regular production programs so that transaction data, or some subset of it, can be subjected to audit analysis. One such technique has been termed embedded audit data collection. Embedded audit data collection uses one or more specially programmed modules embedded as in-line code within the regular program code to select and record data for subsequent analysis and evaluation. In an approach called the system control audit review file (SCARF), auditor-determined, programmed edit tests for limits or reasonableness are included in the program as it is initially developed. Transactions might instead be selected randomly rather than as exceptions to programmed edit tests; the objective of this approach is to generate a statistical sample of transactions for later audit. This approach has been termed the sample audit review file (SARF).

Extended Records. Extended records refers to the modification of computer programs to provide a comprehensive audit trail for selected transactions by collecting in one extended record additional data concerning processing that are not normally collected.

Snapshot. Snapshot, as the name implies, attempts to provide a comprehensive picture of the working of a program at particular points in time.

Tracing. Tracing a program's execution provides a detailed audit trail of the instructions executed during the program's operation. Tracing is normally executed using an option in the program source code language (such as COBOL).

Review of Systems Documentation. Review of systems documentation, such as narrative descriptions, flowcharts, and program listings, is probably the oldest information system auditing technique, and still a widely used one. This approach is particularly appropriate in the initial phases of an audit as preparation for the selection and utilization of other, more direct audit technology. Programs might be desk checked by the auditor. In desk checking, the auditor manually processes test or real data through the program logic.

Control Flowcharting. In many cases, specific documentation for auditing purposes is reviewed and developed to show the nature of application controls in a system. This documentation has been termed control flowcharting. Analytic flowcharts, system flowcharts, or other graphic techniques are used to describe the controls in a system.

Mapping. More direct audit evidence concerning programs may be obtained by monitoring the running of a program with a special software measurement package. This audit technique is termed mapping.
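The embedded audit routines (SCARF and SARF), extended records and mapping described above, as an added example that is not code from the textbook: a toy sales-posting loop carries the auditor's in-line module, and the posting program is then run under a line-execution map. The credit limit, sampling rate and transaction stream are assumed, and the map uses the Python interpreter's trace hook in place of a commercial software measurement package.

```python
"""Embedded audit routines (SCARF and SARF) inside a toy sales-posting program, plus
an execution map of that program. Added example for this manual; not code from the
textbook. The credit limit, sampling rate and transaction stream are assumed."""
import dis
import random
import sys
from collections import Counter

CREDIT_LIMIT = 5000.00   # assumed limit for the SCARF reasonableness test
SARF_SAMPLE_RATE = 0.25  # assumed selection rate for the SARF statistical sample


def new_audit_file():
    """The auditor's collection file written by the embedded modules."""
    return {"scarf": [], "sarf": []}


def post_sales(transactions, audit_file, rng):
    """Production-style posting loop with the auditor's module embedded in-line."""
    balances = {}
    for txn in transactions:
        cust, amount = txn["customer"], txn["amount"]
        old = balances.get(cust, 0.0)
        new = round(old + amount, 2)
        # SCARF: auditor-determined edit tests built into the program. Exceptions are
        # recorded with their intermediate values (an extended record) and processing
        # continues, so the production result is unaffected.
        if amount <= 0:
            audit_file["scarf"].append({**txn, "old": old, "new": new, "reason": "non-positive amount"})
        elif new > CREDIT_LIMIT:
            audit_file["scarf"].append({**txn, "old": old, "new": new, "reason": "credit limit exceeded"})
        # SARF: random selection independent of the edit results, giving a statistical sample.
        if rng.random() < SARF_SAMPLE_RATE:
            audit_file["sarf"].append({**txn, "old": old, "new": new})
        balances[cust] = new
    return balances


def map_execution(func, *args):
    """Mapping: count how often each source line of `func` executes and list the lines
    never reached. Stand-in for a software measurement package, built on the
    interpreter's trace hook; line numbers are reported relative to the def line."""
    code = func.__code__
    counts = Counter()

    def tracer(frame, event, arg):
        if frame.f_code is code and event == "line":
            counts[frame.f_lineno] += 1
        return tracer

    sys.settrace(tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(None)
    first = code.co_firstlineno
    all_lines = {ln for _, ln in dis.findlinestarts(code) if ln is not None and ln != first}
    executed = {ln - first: n for ln, n in counts.items()}
    never = sorted(ln - first for ln in all_lines if counts[ln] == 0)
    return result, executed, never


# Constructed transaction stream (not real data).
TRANSACTIONS = [
    {"id": 1, "customer": "C100", "amount": 1200.00},
    {"id": 2, "customer": "C100", "amount": 4000.00},  # takes C100 past the credit limit
    {"id": 3, "customer": "C200", "amount": -50.00},   # fails the non-positive-amount test
    {"id": 4, "customer": "C200", "amount": 700.00},
    {"id": 5, "customer": "C300", "amount": 2500.00},
]


def run_demo(seed=7):
    """Run the posting program under the map; return balances, audit file, map, unexecuted lines."""
    audit_file = new_audit_file()
    balances, executed, never = map_execution(post_sales, TRANSACTIONS, audit_file, random.Random(seed))
    return balances, audit_file, executed, never


if __name__ == "__main__":
    balances, audit_file, executed, never = run_demo()
    print("balances:", balances)
    print("SCARF exceptions:", [(e["id"], e["reason"]) for e in audit_file["scarf"]])
    print("SARF sample ids:", [e["id"] for e in audit_file["sarf"]])
    print("line execution counts (relative to def):", dict(sorted(executed.items())))
    print("lines never executed:", never)
```

The lines the map reports as never executed are the ones a reviewer looks at first: either dead code or a branch the transaction stream did not reach (the SARF selection line, for example, if no random draw fell under the sampling rate). The SCARF exceptions carry the old and new balances alongside the transaction, which is what the text calls an extended record.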
Special software is used to monitor the execution of a program; in doing so, the software counts the number of times each program statement is executed and provides summary statistics concerning resource utilization.

TYPES OF INFORMATION SYSTEM AUDITS

General Approach to an Information System Audit. Most approaches to an information system audit follow some variation of a three-phase structure. The first phase consists of an initial review and evaluation of the area to be audited and audit plan preparation. The second phase is a detailed review and evaluation of controls. The third phase involves compliance testing and is followed by analysis and reporting of results.

Information System Application Audits. Application controls are divided into three general areas: input, processing, and output. An information system application audit generally involves reviewing the controls in each of these areas.

Application Systems Development Audits. Systems development audits are directed at the activities of systems analysts and programmers who develop and modify application programs and procedures.

Computer Service Center Audits. Normally, an audit of the computer service center is undertaken before any application audits to ensure the general integrity of the environment in which the applications will function.

IT GOVERNANCE AND COBIT

IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. An IT governance framework, such as Control Objectives for Information and related Technology (CobiT), can be a critical element in ensuring proper control and governance over information and the systems that create, store, manipulate and retrieve it.

CobiT. CobiT is an acronym for Control Objectives for Information and related Technology. It is an open standard for control over information technology (IT). CobiT identifies 34 IT processes, a high-level approach to control over these processes, and several hundred detailed control objectives and audit guidelines to assess the IT processes.

Navigation Diagram. For each of the CobiT IT processes, a description is provided, together with key goals and metrics in the form of a waterfall diagram.

Maturity Models. A maturity model component is used to evaluate an organization's relative level of achievement of IT governance. The maturity model offers a way of measuring how well developed management processes are and how well developed they should be.

Management Guidelines. These consist of detailed inputs, outputs, activities, goals, and metrics for the 34 CobiT processes.

Performance Measurement. Goals and metrics are defined in CobiT at three levels: IT goals and metrics, process goals and metrics, and activity goals and metrics.

CobiT and Sarbanes-Oxley Compliance. While it is not specifically targeted at Sarbanes-Oxley compliance, CobiT may be used to address this issue.

Professional Certifications Relating to IT Governance. ISACA sponsors three professional certifications relating to IT governance. These are the Certified Information Systems Auditor (CISA), the Certified Information Security Manager (CISM), and the CGEIT, Certified in the
Governance of Enterprise IT.

Auditing Service Oriented Architectures. Auditing a service-oriented architecture (SOA) involves special audit considerations. In SOA environments, the auditor can still use many of the traditional audit techniques, such as tracing test transactions, but must also investigate the policies, procedures, and behaviors surrounding the specialized services unique to the SOA.

REVIEW QUESTIONS

1. This means conducting the audit without using the client's computer system.
2. Information system auditing is used to assess both operational efficiency and the validity of the financial statements.
3. Internal control evaluation, compliance testing, substantive testing.
4. Auditing with the computer involves making use of the client's computer to conduct the audit.
5. A program that analyzes and reports audit data collected from the client's accounting system.
6. All relevant documentation (e.g., procedure manuals and organization charts) and accounting data.
7. Validation checks, range checks, reasonableness checks, ratio tests, and limit checks.
8. Compliance with the operation of the system as documented.
9. Auditors typically download data from client computers to the auditor's computers. The data is then analyzed on the auditor's computers.
10. All audits proceed through the same phases of evaluation, compliance, and substantive testing.
11. Areas with the larger control and compliance problems might receive the most attention.
12. To audit a computer service center the auditor must understand most of the inner workings of the service center's computers.

ANSWERS TO DISCUSSION QUESTIONS AND PROBLEMS

13.-33. Multiple-Choice Varies
13. C
14. A
15. B
16. C
17. A
18. B
19. A
20. C
21. A
22. C
23. A
24. D
25. C
26. A
27. B
28. B
29. B
30. B
31. C
32. C
33. C

34. Generalized Audit Software - 20 minutes Medium CIA Examination, Unofficial Answer
a. Some major functions of the typical generalized audit software package include the capability to:
(1) Read computer files without disturbing content
(2) Perform mathematical operations
(3) Compare values (logic operations) and direct decisions
(4) Sort or summarize data from a file
(5) Produce reports or files for future reference
(6) Perform statistical sampling or analysis
(7) Print confirmations
(8) Test the host program

b. Important steps in the auditing of accounts payable for which generalized software can be used include:
(1) Test the mathematical accuracy of the A/P ledger
(2) Compare the total of the A/P ledger to the general ledger
(3) Select samples of vendors, vouchers, and other documents or files to be audited
(4) Examine disbursements and supporting documents for errors and for their relation to the A/P ledger and inventory
(5) Age accounts payable
(6) Determine whether cash discounts were properly applied
(7) Stratify accounts or vouchers by vendor, value, time or other parameters

c. Generalized audit software can be used to complete the audit steps in part (b) above by performing the following functions:
(1) Verify the accuracy of accounts by independent calculation (extensions, footings, etc.)
(2) Produce comparison reports
(3) Use the statistical function to take samples
(4) Use the statistical function to analyze samples
(5) Use the software logic function for comparison and validity checks
(6) Use the mathematical and logic functions to analyze cash payments or discounts taken
(7) Use the software logic function to stratify records

35. Generalized Audit Software - 30 minutes Medium CPA Examination, Unofficial Answer

For each basic inventory auditing procedure, how a general purpose computer software package and a tape of the inventory file data might be helpful:

1. Procedure: Observe the physical count, making and recording test counts where applicable.
   Software: Determine which items are to be test counted by making a random sample of a representative number of items from the inventory file as of the date of the physical count.
2. Procedure: Test the mathematical accuracy of the inventory compilation (summary).
   Software: Mathematically compute the dollar value of each inventory item counted by multiplying the quantity on hand by the cost per unit, and verify the addition of the extended dollar values.
3. Procedure: Compare the auditor's test counts to the inventory records.
   Software: Arrange the test counts in a tape format identical to the inventory file and match the tapes.
4. Procedure: Compare physical count data to inventory records.
   Software: Compare the total extended value of all inventory items counted, and the extended value of each inventory item counted, to the inventory records.
5. Procedure: Test the pricing of the inventory by obtaining a list of costs per item from buyers, vendors, or other sources.
   Software: Prepare a tape in a format identical to the tape of the inventory and match the tapes.
6. Procedure: Examine purchase and sale cutoff.
   Software: List a sample of items on the inventory file for which the date of the last purchase and the date of the last sale are on or immediately prior to the date of the physical count.
7. Procedure: Ascertain the propriety of items of inventory located in public warehouses.
   Software: List items located in warehouses.
8. Procedure: Analyze inventory for evidence of possible obsolescence.
   Software: List items on the inventory file for which the date of the last sale indicates a lack of recent transactions.
9. Procedure: Analyze inventory for evidence of possible over-stocking or slow-moving items.
   Software: List items on the inventory file for which the quantity on hand is excessive in relation to the quantity sold during the year.
10. Procedure: Perform an overall test for accuracy of the inventory master file.
   Software: List items, if any, with negative quantities or costs.

36. Program Change Controls - 30 minutes Medium Courtesy of Touche Ross Foundation

There is a dual purpose to this case. First, it is to expose a student to the inquiry process used in gathering information during a preliminary review. Second, it is to give the student an opportunity to see part of the review questionnaire completed and to do part themselves. There is an opportunity to do some evaluation of control as well.

a. When conducting an interview, you should never assume that a situation exists. Each area should be clarified by appropriate questions and follow-up to adequately complete the questionnaire. Additional questions should be asked concerning:
(a) What specific application documentation is created?
(b) What operations documentation is provided?
(c) Is there internal audit review and control of the systems and programming area?
(d) What is the extent of user participation?

b. Questionnaire (see below)

c. Possible weaknesses that might be identified:
(a) Inadequate documentation standards.
(b) Programmers should not have access to operating equipment.
(c) Programmers should not implement changes to production copies of programs.
(d) Users are not sufficiently involved in the design or testing process. They neither discuss the tests performed, nor provide the input, nor see the output.
(e) It is not clear that anyone actually reviews the changes made on a regular basis.
(f) There is not sufficient user involvement in the development of new applications or the maintenance of existing applications. The Applications Coordinator is a member of the systems department and is not a user. All changes are controlled by the systems and programming department.
(g) No effort is made to "beat the system."
(h) It is not clear how estimated dates are approved, and no mention is made of the percent over/under estimate or of who looks into this.
(i) Only informal procedures exist to provide direction in making program and coding changes.
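The generalized audit software functions listed in problem 34 (independent recalculation, footing, sampling, stratification) and the inventory-file listings of problem 35 (negative quantities or costs, obsolescence, over-stocking, cutoff, test-count sampling), as an added example written in Python rather than ACL; this is not code from the textbook or from the examinations. The inventory records, the count date, the 180-day obsolescence window, the six-month supply threshold and the value strata are all constructed for the illustration.

```python
"""GAS-style audit tests over an inventory file (problems 34 and 35). Added example for
this manual; not code from the textbook, the examinations or ACL. Records, count date
and thresholds are constructed for the illustration."""
import random
from datetime import date, timedelta

COUNT_DATE = date(2010, 12, 31)  # assumed physical-count date

# Constructed inventory master file (problem 35's "tape of inventory file data").
INVENTORY = [
    {"item": "A100", "qty": 120, "cost": 4.50, "extended": 540.00, "sold": 900,
     "last_sale": date(2010, 12, 28), "last_purchase": date(2010, 12, 30)},
    {"item": "B200", "qty": 40, "cost": 12.00, "extended": 480.00, "sold": 35,
     "last_sale": date(2010, 12, 31), "last_purchase": date(2010, 11, 2)},
    {"item": "C300", "qty": 500, "cost": 2.00, "extended": 1000.00, "sold": 20,
     "last_sale": date(2010, 3, 15), "last_purchase": date(2009, 9, 1)},
    {"item": "D400", "qty": 10, "cost": 99.00, "extended": 900.00, "sold": 12,
     "last_sale": date(2010, 12, 20), "last_purchase": date(2010, 12, 1)},  # mis-extended
    {"item": "E500", "qty": -3, "cost": 7.25, "extended": -21.75, "sold": 60,
     "last_sale": date(2010, 12, 29), "last_purchase": date(2010, 12, 15)},  # negative qty
    {"item": "F600", "qty": 80, "cost": 0.00, "extended": 0.00, "sold": 0,
     "last_sale": date(2009, 6, 1), "last_purchase": date(2009, 5, 1)},  # zero cost, no sales
]


def footing_exceptions(records, tolerance=0.005):
    """Independent recalculation (34 c(1); 35 item 2): recompute qty x cost and flag
    records whose recorded extension differs."""
    exceptions = []
    for r in records:
        recomputed = round(r["qty"] * r["cost"], 2)
        if abs(recomputed - r["extended"]) > tolerance:
            exceptions.append((r["item"], r["extended"], recomputed))
    return exceptions


def total_extended(records):
    """Foot the file (34 b(2)): the total to agree to the general ledger."""
    return round(sum(r["extended"] for r in records), 2)


def negative_or_zero(records):
    """Overall file-accuracy test (35 item 10): negative quantities, or negative or zero
    costs (treating zero cost as an exception is an assumption added here)."""
    return [r["item"] for r in records if r["qty"] < 0 or r["cost"] <= 0]


def obsolescence(records, as_of, days=180):
    """Possible obsolescence (35 item 8): no sale within the last `days` days."""
    cutoff = as_of - timedelta(days=days)
    return [r["item"] for r in records if r["last_sale"] < cutoff]


def overstock(records, max_months_supply=6):
    """Possible over-stocking (35 item 9): quantity on hand exceeds `max_months_supply`
    months of sales at the year's average rate, or stock exists with no sales at all."""
    flagged = []
    for r in records:
        monthly = r["sold"] / 12
        if r["qty"] > 0 and (monthly == 0 or r["qty"] / monthly > max_months_supply):
            flagged.append(r["item"])
    return flagged


def cutoff_sample(records, count_date, window_days=3):
    """Cutoff testing (35 item 6): items with a sale or purchase in the window ending on
    the count date."""
    start = count_date - timedelta(days=window_days)
    return [r["item"] for r in records
            if start <= r["last_sale"] <= count_date or start <= r["last_purchase"] <= count_date]


def stratify(records, edges=(0.0, 100.0, 500.0, 1000.0)):
    """Stratification (34 b(7)): group items by recorded extended value."""
    strata = {}
    for r in records:
        v = r["extended"]
        if v < edges[0]:
            label = f"< {edges[0]:.2f}"
        elif v >= edges[-1]:
            label = f">= {edges[-1]:.2f}"
        else:
            label = next(f"{lo:.2f}-{hi:.2f}" for lo, hi in zip(edges, edges[1:]) if lo <= v < hi)
        strata.setdefault(label, []).append(r["item"])
    return strata


def count_sample(records, n, seed):
    """Statistical sampling (34 c(3); 35 item 1): items selected for auditor test counts."""
    return sorted(random.Random(seed).sample([r["item"] for r in records], n))


if __name__ == "__main__":
    print("footing exceptions:", footing_exceptions(INVENTORY), "file total:", total_extended(INVENTORY))
    print("negative/zero:", negative_or_zero(INVENTORY), "obsolete:", obsolescence(INVENTORY, COUNT_DATE))
    print("overstock:", overstock(INVENTORY), "cutoff:", cutoff_sample(INVENTORY, COUNT_DATE))
    print("strata:", stratify(INVENTORY), "test counts:", count_sample(INVENTORY, 2, seed=1))
```

Each function reads the file without altering it and returns a listing, which is the pattern of the GAS functions in problem 34(a): the auditor's analysis is kept separate from the client's processing, and the thresholds (days without a sale, months of supply, cutoff window) are the auditor's parameters rather than values taken from the client's system.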
Author's Note: There is an inconsistency between the problem narrative and the organization chart shown in the problem. I do not know whether this inconsistency was intentional or not; it is not mentioned in the solution to the case. According to the narrative of the case, "Application Coordinators" are members of the staff of the Manager of Systems and Programming (the interviewee); however, in the organizational chart, Application Coordinators are shown as reporting to the Manager of On-line Services. This inconsistency does not have any direct consequence to the above solution. Many students will simply not notice it.

CLIENT - Rayo Corporation
AUDIT DATE

SYSTEMS AND PROGRAMMING (answer columns: Yes / No / N/A)

1. Are there systems and programming standards in the following areas:
a) Applications design?
b) Programming conventions and procedures?
c) Systems and program documentation?
d) Applications control?
e) Project planning and management?

2. Does the normal documentation for an application include the following:
Application Documentation
a) Narrative description?
b) Systems flowchart?
c) Definition of input data and source format?
d) Description of expected output data and format?
e) A listing of all valid transactions and other codes and abbreviations and master file fields affected?
f) File definition or layouts?
g) Instructions for preparing input?
h) Instructions for correcting errors?
i) Backup requirements?
j) Description of test data?
Program Documentation
a) Program narrative?
b) Flowchart of each program?
c) Current source listing of each program?
Operations Documentation
a) Data entry instructions, including verification?
b) Instructions for control personnel, including batching?
c) Instructions for the tape librarian?
d) Operator's run manual?
e) Reconstruction procedure?

3. Is there a periodic management review of documentation to ensure that it is current and accurate? If yes, when and by whom was it last performed?

4. Is all systems and programming work done in-house? If not, is it done:
a) By computer manufacturer's personnel?
b) By contract programming?
c) Other? Describe

5. Are all changes programmed by persons other than those assigned to computer operations?

6. Are program changes documented in a manner that preserves an accurate chronological record of the applications? If yes, describe

7. Do the users participate in the development of new applications or modifications of existing applications through frequent reviews of work performed? ("User" = Applications Coordinator) If yes, are the results of reviews documented?

8. Are testing procedures and techniques standardized?

9. Are program revisions tested as stringently as new programs?

10. Are tests designed to uncover weaknesses in links between programs, as well as within programs?

11. Are users involved in the testing process, i.e., do they use the application as it is intended during the testing process?

12. Do user departments perform the final review and signoff on projects before acceptance?

13. What departments and/or individuals have the authority to authorize an operator to put a new or modified program into production? Applications Coordinator and Manager, Systems and Programming

14. What supervisory or management approval is necessary for the conversion of files?
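Questionnaire items 5, 6 and 13 (who programs changes, whether a chronological record of changes exists, and who authorizes a program into production) are the items an auditor can back with an independent check of the production library against an approved-change manifest, which is also what would catch weaknesses (c) and (e) in part c of the solution. The following is an added example, not code from the textbook or from the Rayo case; the program names, the change-request identifier and the manifest layout are assumed, and the scenario is constructed in a temporary directory so it runs offline.

```python
"""Production program library integrity check against a change-control manifest.
Added example for this manual; not from the textbook or the Rayo case. Program names,
the change-request identifier and the manifest layout are assumed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a production program so any edit to the production copy is detectable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(library_dir, approvals):
    """Snapshot the approved state of the library: the hash of each program plus the
    change authorization that put it there (None if no authorization is on record).
    The manifest must be kept where programmers cannot alter it (assumption)."""
    manifest = {}
    for p in sorted(Path(library_dir).iterdir()):
        if p.is_file():
            manifest[p.name] = {"sha256": sha256_file(p), "approval": approvals.get(p.name)}
    return manifest


def audit_library(library_dir, manifest):
    """Compare the current library to the manifest. Returns sorted lists of programs
    that changed without a new manifest entry, that lack any approval record, that
    are missing, and that are present but were never listed."""
    current = {p.name: sha256_file(p) for p in Path(library_dir).iterdir() if p.is_file()}
    findings = {"modified": [], "unapproved": [], "missing": [], "unlisted": []}
    for name, entry in manifest.items():
        if name not in current:
            findings["missing"].append(name)
        elif current[name] != entry["sha256"]:
            findings["modified"].append(name)
        if entry["approval"] is None:
            findings["unapproved"].append(name)
    findings["unlisted"] = [n for n in current if n not in manifest]
    return {k: sorted(v) for k, v in findings.items()}


def demo():
    """Constructed scenario: a programmer patches a production program directly (no
    change request) and drops an unlisted program into the library."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d)
        (lib / "AP100.cbl").write_text("PROCEDURE DIVISION.\n    ADD AMT TO TOTAL.\n")
        (lib / "AP200.cbl").write_text("PROCEDURE DIVISION.\n    MOVE ZERO TO DISC.\n")
        approvals = {"AP100.cbl": "CR-017 approved by Applications Coordinator"}  # AP200: none on file
        manifest = build_manifest(lib, approvals)
        # Direct change to the production copy, and a new program with no manifest entry.
        (lib / "AP100.cbl").write_text("PROCEDURE DIVISION.\n    ADD AMT TO TOTAL.\n    ADD 1 TO AMT.\n")
        (lib / "AP999.cbl").write_text("PROCEDURE DIVISION.\n")
        return audit_library(lib, manifest)


if __name__ == "__main__":
    for category, programs in demo().items():
        print(f"{category:>10}: {programs}")
```

The check only has value if the manifest is written by the authorizing function at the moment a change is moved into production and is stored outside the programmers' reach; a manifest that programmers can rewrite along with the program proves nothing, which is the same separation the questionnaire is probing in items 5 and 13.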
WEB RESEARCH ASSIGNMENTS

37. a.
1. Outcome measure
2. Outcome measure
3. Performance measure
4. Performance measure
5. Outcome measure
6. Outcome measure

b. The Maturity Model defines five levels of process maturity for an organization or a process within an organization:
1. Initial (chaotic, ad hoc, heroic)
2. Repeatable (project management, process discipline)
3. Defined (institutionalized)
4. Managed (quantified)
5. Optimizing (process improvement)
The ISACA web site (www.isaca.org) publishes a members-only downloadable document that provides a detailed mapping of the Maturity Model to COBIT. The mapping is done in two parts. A high-level mapping compares the five maturity levels to the high-level goals of COBIT. A second mapping compares the COBIT detailed control objectives to the Maturity Model.

38. a.
1. Outcome measure
2. Outcome measure
3. Performance measure
4. Performance measure
5. Outcome measure
6. Outcome measure
7. Performance measure
8. Performance measure

b. The COBIT governance standard is accompanied by a toolset that assists management with implementation. The complete COBIT package includes the following:
- Executive Summary
- The Governance and Control Framework
- Control Objectives
- Management Guidelines
- Implementation Guide
- IT Assurance Guide
The IT Assurance Guide includes tools for assessing controls. The standard Governance and Control Framework is summarized in the text.
39. Crossword
Addendum to Bodnar/Hopwood Accounting Information Systems 10th Edition
Author's Discussion of Solutions to Multiple-Choice Professional Examination Questions

The 10th Edition contains an extensive collection of multiple-choice questions from professional examinations. The majority of these questions are from CPA examinations. The Instructor's Manual contains the Official Answer to these questions. However, the Official Answers were published without any explanation as to why the indicated answers are correct. Usually, the correctness of the answer will be evident. However, this may not be the case for at least a few of these questions.

The textbook's collection of multiple-choice questions from professional examinations is one of its strongest pedagogical features. These questions pertain to the most important control concepts in the textbook, and are an excellent vehicle for stimulating classroom discussion. Accordingly, the authors have prepared this document, which provides a detailed discussion/explanation of each stem of each question. This material was prepared to facilitate the instructor's use of these questions in the classroom.

This addendum contains discussion of the following questions from the textbook:
• Chapter 4: Questions 21 to 46
• Chapter 6: Questions 16 to 45
• Chapter 7: Questions 26 to 50
• Chapter 8: Questions 24 to 59
• Chapter 9: Questions 17 to 32
• Chapter 13: Questions 13 to 33
Chapter 4 Transaction Processing and the Internal Control Process
Author's Discussion of Solutions to Multiple-Choice Professional Examination Questions

21. Answer B
a. Internal accounting controls are designed to provide reasonable assurance that transactions are executed in accordance with management's authorization. This is part of the definition of internal control in SAS No. 1.
b. Internal accounting controls are not designed to provide reasonable assurance that irregularities will be eliminated. This concept is not part of the definition of internal control that was included in SAS No. 1.
c. Internal accounting controls are designed to provide reasonable assurance that access to assets is permitted only in accordance with management's authorization. This is part of the definition of internal control in SAS No. 1.
d. Internal accounting controls are designed to provide reasonable assurance that recorded accountability for assets is compared with the existing assets at reasonable intervals. This is part of the definition of internal control that was included in SAS No. 1.

22. Answer B
a. Responsibility for accounting and financial (i.e., treasury) duties should be separated and not combined in one responsible officer, as they are incompatible functions.
b. The concept of a plan of organization in the definition of internal control contained in SAS No. 1 implies that responsibility for the performance of duties must be fixed.
c. The audit committee is normally an advisory function and in no event should it have accounting responsibilities.
d. This statement violates the concept of reasonable assurance, which has to do with the relative costs and benefits of internal controls. Normally the cost of bonding accounting employees would exceed the expected benefits, as such employees should not have custody of financial assets.

23. Answer B
a. Internal auditors should report to the audit committee of the board of directors to maintain organizational independence of internal auditing from other functions.
b. The controller should not report to the vice president of production because this would involve an activity (production) having responsibility and authority over the record-keeping function for that activity.
c. Payroll is an accounting function and as such should report to the chief accountant.
d. The cashier is a treasury function and as such should report to the treasurer.

24. Answer B
a. Setting automatic reorder points is an example of general authorization, as no specific transaction is involved.
b. Approval of a construction budget for a (specific) warehouse is an example of specific authorization.
c. Establishment of requirements to be met in determining a customer's credit limits is an example of general authorization, as no specific transaction is involved.
d. Establishment of sales prices for products to be sold to any customer is an example of general authorization, as no specific transaction is involved.

25. Answer B
a. Internal accounting controls are not designed to provide reasonable assurance that employees act with integrity when performing their assigned tasks. This concept is not part of the definition of internal control included in SAS No. 1.
b. Internal accounting controls are designed to provide reasonable assurance that transactions are executed in accordance with management's general or specific authorization. This is part of the definition of internal control that was included in SAS No. 1.
c. Internal accounting controls are not designed to provide reasonable assurance that the decision processes leading to management's authorization of transactions are sound. This concept is not part of the definition of internal control that was included in SAS No. 1.
d. Internal accounting controls are not designed to provide reasonable assurance that collusive activities would be detected by segregation of employee duties. This concept is not part of the definition of internal control that was included in SAS No. 1.
26. Answer C
a. The concept of reasonable assurance has to do with the relative costs and benefits of internal controls. This statement concerns only one type of control, competent employees, and is thus incorrect.
b. The concept of reasonable assurance has to do with the relative costs and benefits of internal controls. This statement concerns management's responsibility for internal control, and is thus incorrect.
c. This is a correct statement of the concept of reasonable assurance.
d. The concept of reasonable assurance has to do with the relative costs and benefits of internal controls. This statement concerns the concept of segregation of incompatible functions, and is thus incorrect.

27. Answer B
a. Control procedures are the policies and procedures, in addition to the control environment and accounting system, that management has established to provide reasonable assurance that specific entity objectives will be achieved.
b. The control environment is the collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific policies and procedures. Such factors include personnel policies and practices, and thus the development of personnel manuals which document promotion and training policies.
c. The accounting system is the methods and records established to identify, assemble, analyze, classify, record, and report the entity's transactions and to maintain accountability for the related assets and liabilities.
d. The quality control system is not an element of an entity's internal control structure.

28. Answer D
a. An entity's internal control structure is not designed to provide reasonable assurance that collusion among employees cannot occur.
b. The establishment and maintenance of the internal control structure is an important responsibility of management.
c. An exceptionally strong internal control structure may be sufficient for the auditor to reduce, but never to totally eliminate, substantive tests on a significant account balance.
d. The cost-benefit relationship (i.e., reasonable assurance) is a primary criterion that should be considered in designing an internal control structure.

29. Answer A
a. According to SAS No. 55, an entity's internal control structure consists of three elements: the control environment, the accounting system, and control procedures.
b. According to SAS No. 55, an entity's internal control structure includes control procedures.
c. According to SAS No. 55, an entity's internal control structure includes the accounting system.
d. According to SAS No. 55, an entity's internal control structure includes the control environment.
30.
Answer B
a. Fidelity bonds do not protect employees who make unintentional errors from possible monetary damages resulting from their errors. b. Fidelity bonds deter dishonesty by making employees aware that insurance companies may investigate and prosecute dishonest acts. c. Fidelity bonds do not facilitate an independent monitoring of the receiving and depositing of cash receipts. d. Fidelity bonds do not in of themselves force employees in positions of trust to take periodic vacations and rotate their assigned duties.
31.
Answer D
a. The concept of execution functions was not part of the definition of internal control that was included in SAS No. 1. b. The concepts of execution functions and payment functions were not part of the definition of internal control that was included in SAS No. 1. c. The concepts of receiving functions and shipping functions were not part of the definition of internal control that was included in SAS No. 1.
d. Internal accounting controls are designed to provide reasonable assurance concerning authorization, recording, and custodial functions. These terms were part of the definition of internal control that was included in SAS No. 1.
32.
Answer A
a. Bearer bonds are a financial asset, and as such should be the responsibility of the treasury function. b. Legal counsel is not responsible for the custody of financial assets. c. The general-accounting function should not be responsible for the custody of financial assets. d. The internal-audit function should not be responsible for the custody of financial assets.
33.
Answer B
a. The general-accounting function should not have operating control of the check-signing machine because check signing is a treasury function. b. Check signing is a treasury function. Accordingly, operating control of the check-signing machine should normally be the responsibility of the treasury function. c. Legal counsel should not have operating control of the check-signing machine because check signing is a treasury function. d. The internal-audit function should not have operating control of the check-signing machine because check signing is a treasury function.
34.
Answer B
a. It is not a weakness for the employee who receives mail receipts to prepare the initial cash receipts records as this is part of the duty of proper control of mail receipts. b. Internal control over cash receipts is weakened if the employee who receives mail receipts prepares credits to individual accounts receivable as this is a record-keeping function and is thus incompatible with custody of cash mail receipts. c. It is not a weakness for the employee who receives mail receipts to prepare the bank deposit slips as this is part of the duty of proper control of mail receipts.
d. Any employee can be charged with the maintenance of a petty cash fund as it is kept on an imprest basis and is thus accountable.
35.
Answer B
Discussion: This is an old question, as is indicated by the possible answers. None of these answers would be considered as correct today, as internal auditing or someone totally independent of cash disbursements should be charged with preparing bank reconciliations. It is a good question to raise a discussion of this change in philosophy. a. The treasurer, who is responsible for custody of cash, is the supervisor of the credit manager. Thus the credit manager should not direct the reconciliation of monthly bank statements. b. The controller is charged with record keeping and thus might direct the reconciliation of monthly bank statements. Given that the other three choices are treasury functions, this is the best choice. Historically, the controller was usually held responsible for bank reconciliations. c. The cashier is charged with custody of cash and thus should not direct the reconciliation of monthly bank statements. d. The treasurer is the supervisor of the cashier, who is charged with custody of cash. Thus the treasurer should not direct the reconciliation of monthly bank statements.
36.
Answer D
a. The person preparing the checks should be accounts payable. The treasurer should sign the checks. b. The purchasing agent is an operating function and thus should not have responsibility for the custody of cash (i.e., check signing). c. Accounts payable should prepare the checks for signature, but to maintain a segregation of duties, checks should be signed by the treasurer. d. The treasurer should sign the checks.
37.
Answer D
a. The sales manager is an operating function and thus should not have responsibility for the credit manager, which is a treasury function.
b. The controller is an accounting function and thus should not have responsibility for the credit manager, which is a treasury function. c. The accounts-receivable clerk is an accounting function and thus should not have responsibility for the credit manager, which is a treasury function. d. The treasurer should have responsibility for the credit manager, which is a treasury function.
38.
Answer D
a. The credit manager should initiate write-offs, but they should be approved by the treasurer. Since the credit manager is responsible to the treasurer, his authorization is received from the treasurer. b. The controller is an accounting function and thus should not have authorization for write-off of accounts as this is the responsibility of the treasury function. c. The accounts-receivable clerk is an accounting function and thus should not have authorization for write-off of accounts as this is the responsibility of the treasury function. d. The treasurer should have the responsibility for authorization for write-off of accounts as this is a treasury function in that it concerns financial assets and the treasurer is responsible for the treasury function.
39.
Answer B
a. The cashier is subject to the supervision of the treasurer and is less likely to be in a position to commit a material irregularity than is the controller. b. As a vice-president level officer, the controller is not directly subject to supervision (as are all the other choices) and, because of the nature of the position, might perpetrate a material irregularity. c. The internal auditor should not have custody of any assets and is subject to the supervision of the director of internal auditing. The internal auditor is less likely to be in a position to commit a material irregularity than is the controller. d. The data entry clerk (a data processing input clerk) is subject to the supervision of the manager of data processing and is less likely to be in a position to commit a material irregularity than is the controller.
40.
Answer B
a. A well-designed system of internal control that is functioning effectively is one in which there is functional separation of duties. The fraudulent action of several employees (i.e., collusion) is less likely to be detected than choice b. is because if collusion exists then the internal control system is not functioning effectively (i.e., segregation of duties is being overridden by the collusion). b. The fraudulent action of a single employee is most likely to be detected in a well-designed system of internal control that is functioning effectively because separation of duties will bring this action to light. c. Informal deviations from the official organization chart (it is not exactly clear what this means) are less likely to be detected than choice b. is because if the internal control system is functioning effectively in light of these deviations then they must not have an effect on management's authorization and control of transactions and thus will not be detected. d. Management fraud is that which is committed by management. Management establishes a system of internal control, and is thus not controlled by it to the extent that other employees are. Thus irregularities by management are less likely to be detected.
41.
Answer C
a. Internal auditing should not report to the financial vice president as it should be independent of all operating functions. b. Internal auditing should not report to the corporate controller as it should be independent of all operating functions. c. Internal auditing should report to the Board of Directors as it should be independent of all operating functions. d. It would not be possible to report to corporate stockholders directly. The Board of Directors (answer c) are the elected officials of the stockholders.
42.
Answer D
a. This is incorrect as fidelity bonds would not cover the losses which might be incurred by interruption of business. b. This is incorrect as fidelity bonds do not cover the losses of employees but rather they cover the losses of a company.
c. Fidelity bonds should be used in addition to other aspects of internal control, not as a substitute. d. The bonding company will usually perform a background check of the employees who are to be bonded to assess its risk.
43.
Answer A
a. Data processing is record keeping and thus should not be the responsibility of the treasurer's department. b. Handling of cash is a treasury activity and thus should be the responsibility of the treasurer's department. c. Custody of securities is a treasury activity and thus should be the responsibility of the treasurer's department. d. Establishing credit policies is a treasury activity and thus should be the responsibility of the treasurer's department.
44.
Answer D
a. Preparation of monthly statements and maintenance of the accounts receivable ledger are both natural record-keeping functions of accounts receivable and thus are not incompatible. b. Posting the general ledger and approval of payroll transactions (i.e., personnel functions) are not basically incompatible as they are unrelated functions. c. Custody of unmailed signed checks is a treasury function and is not incompatible with the maintenance of the expense subsidiary ledger as the expense subsidiary ledger is posted after checks have been prepared and is not necessarily or inherently a responsibility of accounts payable. Refer to the flowchart of cash disbursements in Chapter 8 of the text to clarify this point. d. Collection of receipts on account and maintenance of the accounts receivable records are basically incompatible as they are closely related. Collection of receipts on account should be a treasury function which is separated from the accounting function of maintenance of the accounts receivable records.
45.
Answer D
a. Auditors do not have any responsibilities under the Foreign Corrupt Practices Act. b. There is no explicit requirement in the Foreign Corrupt Practices Act pertaining to the establishment of audit committees. c. Bribes, not sizable payments, are the subject of the Foreign Corrupt Practices Act. d. This is a direct statement from the Foreign Corrupt Practices Act.
46.
Answer A
a. Management is responsible for establishing and maintaining a system of internal accounting control. b. Management is responsible for establishing and maintaining a system of internal accounting control, not the internal auditor. c. Management is responsible for establishing and maintaining a system of internal accounting control, not the external auditor. d. Management is responsible for establishing and maintaining a system of internal accounting control, not a financial analyst. e. Management is responsible for establishing and maintaining a system of internal accounting control, not the data processing manager.
Chapter 6 Electronic Data Processing Systems
Author's Discussion of Solutions to Multiple-Choice Professional Examination Questions
16.
Answer D
a. A personal computer is a type of computer rather than a type of EDP system. A microcomputer might be used in either a batch processing system or in an on-line, real time system. b. A minicomputer is a type of computer rather than a type of EDP system. A minicomputer might be used in either a batch processing system or in an on-line, real time system. c. Batch processing is characterized by data that are assembled at a centralized location and processed against records periodically as batches of sufficient size are accumulated. d. An on-line, real time system is characterized by data that are assembled from more than one location and records that are updated immediately.
17.
Answer C
a. Document count processing is not a defined term in data processing. b. Multiprogramming is a type of computer operating system that supports the simultaneous operation of several different computer programs, and is not a data processing technique. c. Batch processing is characterized by data that are collected into groups (i.e., batches) to permit convenient and efficient processing. d. Generalized-audit processing is not a defined term in data processing.
18.
Answer D
a. The collection of like transactions which are sorted and processed sequentially against a master file is a characteristic of a batch processing system. b. Key transcription of transactions, followed by machine processing, is a characteristic of a batch processing system.
c. The production of numerous printouts is a characteristic of a batch processing system. d. The posting of a transaction as it occurs, to several files, without intermediate printouts is a characteristic of an on-line, real time system, not of a batch processing system.
19.
Answer A
a. Real time processing occurs when data processing is performed concurrently with a particular activity and the results are available soon enough to influence the particular course of action being taken or the decision being made. b. Batch processing is characterized by data that are assembled at a centralized location and processed against records periodically as batches of sufficient size are accumulated. c. Random access processing has to do with the organization of records on magnetic disk. Random access processing is not a defined term which is directly related to the use of computer systems in decision making. d. Integrated data processing means that data are subsequently used in several, integrated computer runs. Integrated data processing is not a defined term which is directly related to the use of computer systems in decision making.
20.
Answer B
a. Bank-account balances should be as current as possible and thus would benefit from being updated using the real-time feature. b. Property and depreciation accounting are infrequent and rarely required to be done in a very short time frame. Thus the real-time feature would be least useful for this type of accounting. c. Customer accounts receivable should be as current as possible to support inquiry for credit and other purposes and thus would benefit from being updated using the real-time feature. d. Merchandise inventory records should be as current as possible to support inquiry for sale and other purposes and thus would benefit from being updated using the real-time feature.
21.
Answer C
a. EDP processing controls ensure that machine processing is accurate. b. EDP general controls are concerned with the restriction of access to the computer area. c. EDP input controls are concerned with the handling of data received for processing. d. EDP output controls are concerned with whether data processing has been performed as intended.
22.
Answer C
a. Error reports should be reviewed by the EDP control group, not computer operators. b. Error reports should be reviewed by the EDP control group, not system analysts. c. Error reports should be reviewed by the EDP control group. d. Error reports should be reviewed by the EDP control group, not computer programmers.
23.
Answer B
a. The computer librarian is normally charged with the custody of computer program files and detailed listings. b. Computer operators should not have access to detailed program listings in order to maintain a segregation of functions between machine operators and system development (programming). c. Having the control group maintain sole custody of all output would enhance control. d. Programmers are normally expected to write and debug programs designed by systems analysts.
24.
Answer C
a. Maintenance of a tape library cannot detect unauthorized usage of the computer because it does not control the computer.
b. File controls cannot detect unauthorized usage of the computer because they control files, not the computer. c. A computer console log automatically records all usage of a computer and thus can be used to detect unauthorized or unexplained computer usage. d. Control over program tapes cannot detect unauthorized usage of the computer because this does not control the computer, only its tapes.
25.
Answer D
a. Control figures (such as batch control totals) are not operating controls but are application controls which are concerned with the results of processing. b. Crossfooting tests are not operating controls but are application controls which are concerned with the results of processing. c. Limit tests are not operating controls but are application controls which are concerned with the results of processing. d. External labels are an operating control which are used to minimize the possibility of operator error in handling data files and programs.
26.
Answer B
a. Total net pay is a meaningful total and is thus not a hash total. b. Total department number is a meaningless total which is useful for control purposes only. c. Total hours worked is a meaningful total and is thus not a hash total. d. Total debits and total credits are meaningful totals and thus are not hash totals.
27.
Answer A
a. Limit or reasonableness tests are used to validate quantities such as the amount of a paycheck. b. Error review is a procedure, not a computer processing control to determine errors.
c. Data validity tests are used to validate qualitative data, not quantities such as the amount of a paycheck. d. A logic sequence test is not used to validate data.
28.
Answer D
a. This is incorrect, as disks locate information very rapidly.
b. The grandfather-father-son backup concept does not concern where files are stored. c. The necessity for hard copy for human review is true for tapes as well as disks, and has nothing to do with the grandfather-father-son backup concept. d. The grandfather-father-son backup concept occurs naturally with magnetic tape as one always reads from one tape (the father) and writes to another (the son). Because disks can update records in place (and thus destroy old records), the grandfather-father-son backup concept does not occur naturally and is thus relatively difficult to implement.
29.
Answer C
a. The source document (the customer order) is incorrect, so a batch total will not catch this error as it will balance (assuming that it is input correctly). b. Key verifying is a control only over the initial keying operation, not the source document (the customer order). c. A self-checking (i.e., check) digit will catch this error, assuming that the vendor's part number has one. Note that the customer's error is a transposition error, which is what check digits are specifically designed to catch. d. An internal consistency check is not an application control.
30.
Answer A
a. A control total for hours worked prepared from time cards collected by the timekeeping department would prevent the writing of a paycheck for a terminated employee in that when this control total is reconciled to the control total for hours paid (which should be accumulated by the payroll program during processing), the two totals would not match and the reason would be investigated. There should not have been any hours worked for the terminated employee in the control total prepared from the time cards collected by the timekeeping department as the terminated employee would not have had a time card, but to have a paycheck written some number of hours must have been used to calculate pay, and these erroneous hours would be included in the control total for hours paid accumulated by the payroll program during processing. b. Accounting for prenumbered checks cannot prevent the writing of a paycheck for a terminated employee because without input controls (as in answer a.), there is no way to control the number of checks that should be written. Note that the statement says prenumbered, not precounted. c. Use of a check digit for employee numbers cannot prevent the writing of a paycheck for a terminated employee because the terminated employee's number would still have a valid check digit. d. A header label is used to identify a file. A header label on an input file might contain input control totals, but since answer a. is explicitly an input control total, answer d. must be taken to mean strictly the identification of the file. A header label for the payroll input sheet cannot then prevent the writing of a paycheck for a terminated employee because a header label is a file control, not a record processing control.
31.
Answer B
a. Although controls are necessary to restrict access to the magnetic tape library, this answer is not directly related to accounting functions which are normally considered incompatible in a manual system and which might be combined in an EDP system. b. The revision of existing computer programs is directly related to accounting functions which are normally considered incompatible in a manual system and which might be combined in an EDP system because computer programs normally combine such functions. A common example of this is billing and accounts receivable. These functions are considered incompatible and thus normally separated in a manual system, but are both typically included in computer programs for accounts receivable. A single unauthorized change to a computer program may thus omit both the printing of a bill and the updating of the related accounts receivable record. c. This is essentially the same choice as answer a. Although controls are necessary to restrict usage of computer tapes, this answer is not directly related to accounting functions which are normally considered incompatible in a manual system and which might be combined in an EDP system. d. Although controls are necessary in the testing of modified computer programs, testing programs does not create errors in the programs. Testing may fail to catch errors, but since testing does not cause errors in the programs answer b. is a better choice.
32.
Answer B
a. Record totals pertain to counts of records, not the contents of data fields.
b. Hash totals is the common term used to identify data field totals which are not usually added for other purposes but are used only for data processing control purposes. c. Hash totals, not processing data totals, is the common term used to identify data field totals which are not usually added for other purposes but are used only for data processing control purposes. d. Hash totals, not field totals, is the common term used to identify data field totals which are not usually added for other purposes but are used only for data processing control purposes.
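The reconciliation described in the answer to question 30 (hours worked from time cards against hours paid accumulated by the payroll program) and the hash totals of questions 26 and 32 can be shown in working code. The example below is added here and is not from the text or its authors; the time cards, employee numbers, departments and pay rates are constructed values.

```python
"""Batch control totals over a payroll input batch (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TimeCard:
    employee_no: int
    department: int
    hours: float


@dataclass(frozen=True)
class BatchControl:
    record_count: int    # number of time cards in the batch
    hours_total: float   # meaningful total: hours worked, or hours paid
    employee_hash: int   # hash total: sum of employee numbers, meaningless in
                         # itself and kept only as a control (questions 26, 32)


def batch_control(cards: Iterable[TimeCard]) -> BatchControl:
    """Totals the timekeeping department or control group takes before the run."""
    cards = list(cards)
    return BatchControl(
        record_count=len(cards),
        hours_total=sum(c.hours for c in cards),
        employee_hash=sum(c.employee_no for c in cards),
    )


def run_payroll(cards: Iterable[TimeCard], pay_rates: Dict[int, float]
                ) -> Tuple[List[Tuple[int, float]], BatchControl]:
    """Write one paycheck per card and accumulate the same totals during
    processing.  A terminated employee may still carry a rate on the master
    file, so the program by itself cannot tell that a card should not exist."""
    paychecks: List[Tuple[int, float]] = []
    processed: List[TimeCard] = []
    for card in cards:
        paychecks.append((card.employee_no,
                          round(card.hours * pay_rates[card.employee_no], 2)))
        processed.append(card)
    return paychecks, batch_control(processed)


def reconcile(expected: BatchControl, actual: BatchControl) -> List[str]:
    """Names of the control totals that disagree; empty means the program
    processed exactly the batch that was submitted to it."""
    return [name for name in ("record_count", "hours_total", "employee_hash")
            if getattr(expected, name) != getattr(actual, name)]


# Constructed input: time cards for three active employees.
TIME_CARDS = [
    TimeCard(1001, 10, 40.0),
    TimeCard(1002, 10, 38.5),
    TimeCard(1003, 20, 42.0),
]
# Constructed master file: employee 1004 was terminated but still has a rate.
PAY_RATES = {1001: 20.0, 1002: 18.0, 1003: 25.0, 1004: 22.0}


def scenarios() -> Dict[str, List[str]]:
    """Reconciliation results for a clean run and two tampered batches."""
    controls = batch_control(TIME_CARDS)   # established before the run
    results: Dict[str, List[str]] = {}

    # 1. Clean run: all three totals agree.
    _, actual = run_payroll(TIME_CARDS, PAY_RATES)
    results["clean"] = reconcile(controls, actual)

    # 2. A card for terminated employee 1004 slipped in after the totals were
    #    taken (question 30): the hours paid no longer match the hours worked.
    extra = TIME_CARDS + [TimeCard(1004, 20, 40.0)]
    _, actual = run_payroll(extra, PAY_RATES)
    results["extra_card"] = reconcile(controls, actual)

    # 3. Employee 1002's card re-keyed under 1004 with the same hours: count
    #    and hours still agree, only the hash total exposes the substitution.
    swapped = [TimeCard(1004, 10, 38.5) if c.employee_no == 1002 else c
               for c in TIME_CARDS]
    _, actual = run_payroll(swapped, PAY_RATES)
    results["substituted"] = reconcile(controls, actual)
    return results


if __name__ == "__main__":
    for name, discrepancies in scenarios().items():
        print(f"{name}: {discrepancies or 'controls agree'}")
```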
33.
Answer A
a. Computer operators normally handle magnetic tapes during processing and thus this answer is correct. b. Data entry clerks do not normally handle magnetic tapes during processing and thus this answer is incorrect. c. Computer programmers do not normally handle magnetic tapes during processing and thus this answer is incorrect. d. Maintenance technicians do not normally handle magnetic tapes during processing and thus this answer is incorrect.
34.
Answer B
a. A documentation librarian maintains documentation for programmers. This is not the same function as the file librarian, who maintains custody of operating programs and data files. Thus there is no basic incompatibility with respect to internal accounting control if the manager of programming also serves as the documentation librarian because these two functions do not combine authority for authorization, record keeping, or custody of assets. b. Programmers should be segregated from console operators. These functions are incompatible as programmers may write programs which request unauthorized files or perform unauthorized processing. Such actions often require cooperation from the console operators, and thus would not be controlled if the programmer operated the computer equipment.
c. There is no basic incompatibility with respect to internal accounting control if the functions of programming and systems analysis are combined because these are subdivisions of the system development process. These two functions do not combine authority for authorization, record keeping, or custody of assets. d. There is no basic incompatibility with respect to internal accounting control if the processing control clerk also serves as the data input supervisor because these are both data input functions. These two functions do not combine authority for authorization, record keeping, or custody of assets.
35.
Answer D
a. Odd parity check is a hardware control. b. Dual-head processing is a hardware control. c. File protection rings are a physical file control which prevent accidental overwriting of a tape file. d. The son-father-grandfather concept is the basic form of backup used in magnetic tape operations.
36.
Answer D
a. This answer is incorrect as data entry implies batch input of transactions and thus batch processing, not on-line, real time processing. b. This answer is incorrect as magnetic tapes are used for batch processing, and are not capable of supporting an on-line, real time processing system. c. This answer is incorrect as on-line, real time processing is transaction-oriented; individual transactions rather than batches of transactions are processed. Thus preparing batch totals to provide assurance that file updates are made for the entire input (which would be a single transaction) becomes nonsensical and thus incorrect. d. Making a validity check on an identification number (i.e., checking a password) strengthens internal control in an on-line, real time processing system because the user has direct access to computer equipment, programs, and data files.
37.
Answer C
a. The control clerk should establish control (totals) over data received by the EDP department and reconcile control totals after processing for good control.
b. Application programmers are expected to develop programs which are specified by systems analysts. c. Systems analysts are responsible for the development of programs which produce output and thus should not be responsible for the distribution of computer output as this is an incompatible function. Systems analysts should be segregated from computer operations as systems analysts may specify (or write) programs which perform unauthorized processing. Such actions would produce output and thus would not be controlled if the systems analysts were responsible for the distribution of computer output as unauthorized output would not be detected. d. Preparing data for processing and entering the same data into the computer are not incompatible functions as these two functions do not combine authority for authorization, record keeping, or custody of assets.
38.
Answer A
a. Control totals are used to validate the accuracy of data input. b. Master files do not contain transaction data but rather the results of processing transaction data. Thus reviewing the contents of master files cannot function as a control over the accuracy of input data. c. Access to on-line terminals is not an application control pertaining to data input. d. Master files do not contain transaction data but rather the results of processing transaction data. Thus having users review the contents of master files cannot function as a control over the accuracy of input data.
39.
Answer B
a. Initiation of changes to master records would most likely be done by user departments, not the EDP department. b. Conversion of information to machine-readable form would most likely be done by the EDP department. c. Correction of transactional errors would most likely be done by user departments, not the EDP department. d. Initiation of changes to existing applications would most likely be done by user departments, not the EDP department.
40.
Answer D
a. This answer is correct as far as it goes, but answer d. is the best choice. b. This answer is correct as far as it goes, but answer d. is the best choice. c. This answer is correct as far as it goes, but answer d. is the best choice. d. A check digit may be placed in any position in an account number as long as it is done so consistently in the same position.
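Questions 29 and 40 both turn on how a self-checking digit behaves: it catches a transposition in a copied part number, and it may sit in any position as long as validation uses the same one. The example below is added here and is not from the text or its authors; it uses a weighted mod-11 scheme, and the part number 72345 and the check positions are constructed values.

```python
"""Self-checking numbers with a weighted mod-11 check character (constructed example)."""
from typing import List, Optional


def mod11_check_char(data: str) -> str:
    """Return the check character for a string of decimal digits.

    Data digits are weighted 2, 3, 4, ... counting leftwards from the
    rightmost digit; the check character is the value that makes
    (weighted sum + check) divisible by 11.  Every position carries a
    distinct weight modulo 11, so a single wrong digit or a swap of two
    adjacent digits always changes the remainder.  A required value of 10
    is written 'X', as ISBN-10 does.
    """
    if not data.isdigit():
        raise ValueError("data part must consist of decimal digits")
    weighted = sum(int(d) * w
                   for d, w in zip(reversed(data), range(2, len(data) + 2)))
    check = (11 - weighted % 11) % 11
    return "X" if check == 10 else str(check)


def add_check_char(data: str, position: Optional[int] = None) -> str:
    """Insert the check character at `position` (default: append it).
    Any position works as long as validation uses the same one (question 40)."""
    check = mod11_check_char(data)
    if position is None:
        return data + check
    return data[:position] + check + data[position:]


def is_valid(number: str, position: Optional[int] = None) -> bool:
    """Strip the check character out, recompute it from the data digits, compare."""
    if not number:
        return False
    if position is None:
        data, check = number[:-1], number[-1]
    else:
        if position >= len(number):
            return False
        data, check = number[:position] + number[position + 1:], number[position]
    return data.isdigit() and mod11_check_char(data) == check


def adjacent_transpositions(number: str) -> List[str]:
    """All variants of `number` with one pair of differing neighbours swapped:
    the kind of copying error the customer made in question 29."""
    variants = []
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            variants.append(number[:i] + number[i + 1] + number[i] + number[i + 2:])
    return variants


def catches_all_transpositions(number: str, position: Optional[int] = None) -> bool:
    """True when no adjacent transposition of a valid `number` still validates."""
    return all(not is_valid(v, position) for v in adjacent_transpositions(number))


if __name__ == "__main__":
    part = add_check_char("72345")               # constructed vendor part number
    print(part, is_valid(part))                  # 723452 True
    print(is_valid("732452"))                    # False: digits 2 and 3 transposed
    print(catches_all_transpositions(part))      # True
    middle = add_check_char("72345", position=2) # check character in the middle
    print(middle, is_valid(middle, position=2))  # 722345 True
```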
41.
Answer D
a. A tape library in conjunction with a file librarian is used to segregate custody of data files and programs from computer operators. However, this control would not compensate for an inadequate segregation between programmers and machine operators. If one reads the term literally, a tape library as simply a separate physical area for tapes (i.e., without a file librarian) would not function at all as a control for inadequate segregation of duties. b. A self-checking digit system is an application control, and is thus not directed at incompatible functions. c. Computer generated hash totals are an application control, and are thus not directed at incompatible functions. d. A computer log is an operating control which automatically records all computer usage. It thus might compensate for an inadequate segregation of duties between the computer operator and custody of data files as all use of files would automatically be recorded and thus subject to review.
42.
Answer A
a. Run manual is the term used to describe the primary documentation for a computer program. b. Periodic memory dump is a listing of the contents of a program in memory, not the documentation for a computer program. c. Master files are the output of a computer program, not the documentation for a program.
d. Echo check printout is a nonsense term. An echo check is a hardware technique used to control the operation of devices, not the documentation for a computer program.
43.
Answer D
a. Computer programmers do not normally handle magnetic tapes during processing and thus this answer is incorrect. b. System analysts do not normally handle magnetic tapes during processing and thus this answer is incorrect. c. Data entry clerks do not normally handle magnetic tapes during processing and thus this answer is incorrect. d. Computer operators normally handle magnetic tapes during processing and thus this answer is correct.
44.
Answer B
a. Both types of systems would use edit programs. b. An on-line sales order processing system would enable shipment to be initiated as soon as the orders are received as it offers real-time processing of individual transactions. c. Both types of systems could keep backup copies of the database on magnetic tape files. d. Both types of systems would maintain accurate records of customer accounts and finished goods inventories.
45.
Answer C
a. Grandfather-father-son record retention is a file backup technique. b. Input and output validation routines pertain to data. c. Systems documentation is a general control that would assist by describing the content of the project to others. d. Check digit verification pertains to data.
Chapter 7 Customer Order and Account Management Business Processes
Author's Discussion of Solutions to Multiple-Choice Professional Examination Questions
26.
Answer A
a. Merchandise should never be shipped without an approved customer order because all transactions should be authorized for effective internal control. Independent approval of customer orders is necessary before assets (merchandise) are released to a customer. b. Invoiced prices on orders should be checked, but not necessarily before merchandise is shipped. Normally invoiced prices on orders are checked by billing as it prepares the invoice, and this occurs after the goods have been shipped as notice of shipment is necessary before a customer can be billed for merchandise. c. Although it may be desirable to inform sales when merchandise has been shipped, this is not necessary for adequate internal control over sales. This assumes that sales and billing are separate functions as they are in the sales order system presented in the text. If one assumes that this were not the case and thus notifying sales/billing becomes necessary for invoice preparation, the word promptly still makes answer a. (which is definitely a control problem) the better answer. d. Normally only one quotation on transportation costs would be obtained as shipping goods would be a high-volume, routine operation. Transportation costs should be periodically assessed for reasonableness, but on any given order only one quote would normally be obtained. Answer a. (which is definitely a control problem) is the better answer. e. If checked is taken to mean "tested for reasonableness", then this is essentially a rewording of choice d., which is discussed above. If checked is taken to mean "validated for purposes of billing the customer", then this is essentially a rewording of choice b., which is discussed above.
27.
Answer D
a. Having persons who handle cash receipts (i.e., the cashier) be responsible for the preparation of documents that reduce accounts receivable balances (i.e., remittance advices) is an incompatible combination of duties. Cash and remittance advice should be separated under control in the mailroom, with cash being forwarded to the cashier and the remittance advice sent directly to accounts receivable for posting. Otherwise the cashier might keep a payment and not forward the related remittance advice for posting, or the cashier might forward a remittance advice for which cash has not been received.
b. This, similar to answer a. above, is an incompatible combination of duties. Write-offs should originate with the credit manager, who does not have access to cash, and be approved by the treasurer. A cashier could keep a payment and issue a write-off notice to reduce a customer's account.
c. It would most likely be ineffective control to balance the subsidiary accounts receivable ledger to the general ledger only once a year. In most cases it would be balanced much more frequently.
d. The separation of billing and accounts receivable is an effective control over accounts receivable as it segregates the preparation of transaction documents from the posting of those documents.
28.
Answer C
Discussion: The question asks for the best protection against lapping of accounts receivable. Lapping involves the theft of several cash payments made on account, with subsequent payments on customer accounts being mismatched or "lapped" against the receivables records which pertained to the cash payments which were confiscated. This process is continued indefinitely. Generally, access to both the payments and the accounts receivable records is necessary in the absence of collusion. With collusion among employees, there is always the possibility of lapping in a company unless the company does not process its cash payments.
a. Segregating duties so that the bookkeeper does not have access to the mail (which contains cash payments) is a good internal control, but it is not the best protection as lapping could still occur with collusion among several employees.
b. This is not a meaningful segregation of duties as checks and cash are essentially the same and either could be received as payment on a customer's account.
c. This is the best protection against lapping, as the customers' payments are never in the hands of company employees. Thus, lapping is not possible.
d. This is not a meaningful choice as checks would normally be in the company's name and they will eventually be delivered to the treasurer (or his subordinates) as the treasurer is responsible for the custody of cash.
29.
Answer B
a. The customer order file represents requests for shipments and is not necessarily the same as the actual shipments file. Customer orders may not become sales due to a lack of merchandise or a bad credit rating. This choice is thus incorrect as the question asks for the population of transactions that cause the preparation of invoices.
b. The bill of lading file documents shipments and thus represents the population of transactions that cause the preparation of invoices. Invoices are prepared and sent to customers when billing receives a shipping report and a bill of lading.
c. The open invoice file represents the invoices which were prepared and are not yet paid and is thus incorrect as the question asks for the population of transactions that cause the preparation of invoices.
d. The sales invoice file represents the invoices which were prepared and is thus incorrect as the question asks for the population of transactions that cause the preparation of invoices.
30.
Answer C
a. Employee overtime wages are not related to the accounts receivable subsidiary ledger balances, and thus this is not the best choice.
b. Credit granted to customers is not related to the accounts receivable subsidiary ledger balances, and thus this is not the best choice.
c. Write-offs of customer accounts directly affect the accounts receivable subsidiary ledger balances, and thus this is the best choice. Approval of write-offs should be independent of the accounts receivable and cashier functions.
d. Cash disbursements are not related to the accounts receivable subsidiary ledger balances, and thus this is not the best choice.
31.
Answer A
a. Having each shipment supported by a prenumbered sales invoice that is accounted for may prevent the failure to bill customers for some shipments, assuming that each shipment is documented. This answer is correct because it states "having each shipment supported", which is what is desired.
b. Sales orders are approved before shipments are made, and may not correspond to shipments because of out-of-stock conditions. Sales orders are not evidence of shipments.
c. Reconciling sales journal entries to daily sales summaries does not ensure that all shipments are supported by invoices. Sales summaries are the totals of sales invoices, which are supported by shipping documents. The question concerns whether each shipping document is supported by a sales invoice.
d. Each sales invoice should be supported by a shipping document, but the question concerns whether each shipping document is supported by a sales invoice. There may be 100 invoices, each of which is supported by a shipping document, but there may be 105 shipping documents.
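The comparison in question 31 above runs in both directions (every shipping document should have a sales invoice, and every invoice should have a shipping document), and the prenumbered sequence is what makes unbilled shipments detectable at all. The same mechanical idea underlies the batch total control in question 42 later in this chapter. The following Python is an added example, not code from the text or its authors; the document classes, the sample shipping documents and invoices, and the transposed posting amount are constructed for the illustration.

```python
"""Added example (not from the text): reconciling prenumbered shipping documents
to sales invoices, and a batch total check on invoice postings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ShippingDoc:
    number: int          # prenumbered bill of lading / shipping document number
    customer: str


@dataclass(frozen=True)
class Invoice:
    number: int          # prenumbered sales invoice number
    shipping_doc: int    # shipping document the invoice is supported by
    customer: str
    amount: float


def account_for_sequence(numbers, first, last):
    """Return the document numbers in first..last that never appear in the file.
    Accounting for the numeric sequence is what makes "each shipment supported"
    testable: a gap is a shipment whose document cannot be matched to anything."""
    return sorted(set(range(first, last + 1)) - set(numbers))


def reconcile(shipping_docs, invoices, first, last):
    """Both directions of the shipment/invoice comparison.
    unbilled:  shipping documents with no supporting sales invoice
    unshipped: invoices whose cited shipping document does not exist"""
    shipped = {s.number for s in shipping_docs}
    billed = {i.shipping_doc for i in invoices}
    return {
        "missing_doc_numbers": account_for_sequence(shipped, first, last),
        "unbilled": sorted(shipped - billed),
        "unshipped": sorted(billed - shipped),
    }


def batch_total_check(invoices, posted_amounts):
    """Compare a predetermined batch total of invoices to the total actually
    posted to the ledger. Returns (batch_total, posted_total, difference)."""
    batch_total = round(sum(i.amount for i in invoices), 2)
    posted_total = round(sum(posted_amounts), 2)
    return batch_total, posted_total, round(batch_total - posted_total, 2)


# Constructed sample data: numbers 1001-1006 were issued, but 1004 never reached
# the file, 1006 was shipped and never billed, and invoice 5005 cites a shipping
# document that does not exist.
SHIPPING_DOCS = [ShippingDoc(n, c) for n, c in
                 [(1001, "Acme"), (1002, "Baker"), (1003, "Acme"),
                  (1005, "Cole"), (1006, "Baker")]]
INVOICES = [
    Invoice(5001, 1001, "Acme", 250.00),
    Invoice(5002, 1002, "Baker", 120.50),
    Invoice(5003, 1003, "Acme", 75.25),
    Invoice(5004, 1005, "Cole", 310.00),
    Invoice(5005, 1099, "Dale", 99.99),
]
# Constructed ledger postings: invoice 5003 was posted as 57.25 (digits transposed).
POSTED = [250.00, 120.50, 57.25, 310.00, 99.99]


def run_example():
    result = reconcile(SHIPPING_DOCS, INVOICES, first=1001, last=1006)
    result["batch"] = batch_total_check(INVOICES, POSTED)
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Run stand-alone, the reconciliation reports the missing document number, the unbilled shipment and the invoice without a shipment separately, and the batch totals disagree by exactly the transposition amount, which is what lets the posting error be found and corrected.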
32.
Answer A
a. Billing should match shipping documents with sales orders and prepare daily sales summaries.
b. Shipping should prepare shipping documents and send them to billing.
c. Credit is a treasury function and as such should not have responsibility for accounting. Matching shipping documents with sales orders and preparing daily sales summaries is an accounting function.
d. The sales order department authorizes sales and should not account for them. Matching shipping documents with sales orders and preparing daily sales summaries is an accounting function.
33.
Answer B
a. Shipping documents have nothing to do with determining whether posting payments by customers to their accounts is proper.
b. Shipping documents should be compared to sales records or invoices to assure that shipments are billed to customers. Each sales invoice should be supported by a shipping document.
c. Shipping documents have nothing to do with determining whether unit prices are correct. Invoices must be compared to sales contracts to make this determination.
d. Shipping documents should be compared to sales records or invoices to assure that shipments are billed to customers. Each shipping document should be supported by a sales invoice, but from this one cannot ascertain that each sales invoice is supported by a shipping document. There may be 100 shipping documents, each of which is supported by a sales invoice, but there may be 110 sales invoices.
34.
Answer D
a. Inadequate internal control exists because of a lack of segregation of duties. See discussion of answer d. below.
b. Inadequate internal control exists, but not for this reason. Mailroom employees must necessarily have controlled access to cash if they are to separate cash from customer remittances.
c. Inadequate internal control exists, but not for this reason. The treasury department would normally prepare the deposit slip, but to have it prepared in the mailroom is not a control weakness if it is directly delivered with the related receipts to the treasury department.
d. Inadequate internal control exists because of a lack of segregation of duties. Accounts receivable should not have access to the receipts and the deposit slip. Both of these should be sent directly from the mailroom to the treasury department. Duties between accounts receivable and the treasury department are inadequately segregated.
35.
Answer A
a. This statement is consistent with the flowchart for write-off of accounts receivable which is shown in the text, which shows the treasurer (i.e., a responsible official) approving write-off memos which have been prepared by the credit manager. This procedure would most likely prevent the concealment of a cash shortage as write-offs are initiated by the credit manager, who should not have access to cash payments which are received on customers' accounts.
b. Write-offs should be supported by an aging schedule, but this statement of procedure is an inferior choice to answer a. Since the question concerns the procedure which would most likely prevent the concealment of a cash shortage, answer a. is the better choice as it clearly indicates who initiates write-offs. The person who initiates write-offs should not have access to cash payments which are received on customers' accounts.
c. Having the cashier initiate write-offs would increase the possibility of concealment of a cash shortage as write-offs would be initiated by the persons who have access to cash payments which are received on customers' accounts.
d. Having write-offs authorized by sales representatives indicates incompatible duties. The credit department is the function which should determine the financial standing of customers, and credit should be a separate function from sales.
36.
Answer A
Discussion: A postdated check, say one which is dated May 5 which is received as payment on May 1, is essentially a receivable as it cannot be cashed until the day it is dated.
a. For proper accounting control, all checks, including postdated checks, should be restrictively endorsed in the company's name at the earliest possible point.
b. There is no reason to return the check to the customer unless it is unacceptably postdated, such as by several weeks. Proper accounting control would keep the payment and process it when possible.
c. A postdated check is not cash, and therefore should not be recorded as a cash sale if cash is to balance to reported cash sales.
d. Placing postdated checks in the joint custody of two officers would likely be improper accounting control as the cost of this control would exceed its benefits.
37.
Answer B
a. Defective merchandise returned by customers should not be delivered to the sales clerk as the sales clerk should not have custody of merchandise. Refer to the cash sales application system flowchart in the text.
b. Defective merchandise returned by customers should be delivered to the receiving clerk as receiving and inventory control should be separate functions. Refer to the flowchart of the accounts receivable application system in the text.
c. Defective merchandise returned by customers should be delivered to the receiving clerk, not the inventory control clerk, as receiving and inventory control should be separate functions. Refer to the flowchart of the accounts receivable application system in the text.
d. Defective merchandise returned by customers should not be delivered to the accounts receivable clerk as the accounts receivable clerk should not have custody of merchandise.
38.
Answer D
a. Miscellaneous income would normally be credited rather than debited (i.e., charged). Debits to this account would thus be too suspicious and an experienced bookkeeper would not charge miscellaneous income.
b. Petty cash is an asset with a debit balance and is normally kept on an imprest basis. Charges to this account would thus create an imbalance with the petty cash fund, which one can assume is periodically reconciled. Thus an experienced bookkeeper would not charge petty cash.
c. Charges to miscellaneous expense by the bookkeeper would be too suspicious if one assumes that the bookkeeper is submitting entries as a result of posting the accounts receivable ledger. The journal entry to debit miscellaneous expense, credit accounts receivable is an unusual transaction.
d. Sales returns is normally debited and accounts receivable credited when items are returned. Unlike answer c., one would normally expect the bookkeeper to debit this account when submitting entries as a result of posting the accounts receivable ledger. Thus improper debits to this account are most likely to conceal defalcations involving receivables.
39.
Answer C
a. Goods are usually shipped before transactions are recorded in the subsidiary accounts.
b. Omission of shipping documents would cause an overstatement, not an understatement, of inventory.
c. Final authorization of credit memos should be made in billing, not by personnel in the sales department.
d. Fictitious revenue transactions would cause overstatement of both revenues and receivables.
40.
Answer A
a. Proper authorization procedures in the revenue cycle usually provide for the approval of bad debt write-offs by an employee in the Treasurer department, as shown by the Write-off of Accounts Receivable Application System flowchart in the text.
b. Bad debt write-offs should be approved by an employee in the Treasurer department, not in the Sales department.
c. Bad debt write-offs should be approved by an employee in the Treasurer department, not in the Billing department.
d. Bad debt write-offs should be approved by an employee in the Treasurer department, not in the Accounts receivable department.
41.
Answer A
a. Tracing bills of lading to sales invoices provides evidence that shipments to customers were invoiced.
b. Tracing bills of lading to the sales journal provides evidence that shipments to customers were recorded as sales.
c. Tracing entries in the sales journal to bills of lading provides evidence that recorded sales were shipped.
d. Tracing sales invoices to bills of lading provides evidence that invoiced sales were shipped.
42.
Answer A
a. Comparison of a predetermined (i.e., batch) total of invoices to the total amount of posting to the ledger will prevent this type of posting error. The totals will not agree, and thus the error will be discovered and corrected.
b. The error involves posting an incorrect amount to the ledger. Having an independent check of serial numbers, prices, discounts, extensions, and footings, which are all on the invoice, will not uncover this error because the error occurs in the ledger, not in the invoice.
c. The error occurs in posting the invoice to the ledger. Monthly statements are prepared from the ledger, not invoices. Thus, procedures concerning monthly statements are not relevant to the prevention of this type of error.
d. The error occurs in posting the invoice to the ledger; the customer is not involved. As a result, the monthly statement is incorrect. The customer pays the amount shown on the incorrect statement. The procedure described in answer d. is not relevant to this type of error as the customer has not disputed anything nor made an unauthorized deduction.
43.
Answer A
a. Billing is an accounting function and thus should be under the direction of the controller.
b. The credit manager (a treasury function) should be independent of billing (an accounting function).
c. The sales manager (an operating function) should be independent of billing (an accounting function).
d. The treasurer should be independent of billing (an accounting function).
44.
Answer C
a. Access to cash is not a relevant consideration.
b. Accounting for sales and the authority to write off bad debts are not relevant issues.
c. An independent credit function is most likely to be effective in offsetting the tendency of sales personnel to maximize sales volume at the expense of high bad debt write-offs.
d. Separation of accounts receivable reconciliation and authorization of credit is not a relevant issue.
45.
Answer D
a. Comparison to authorized credit limits and current customer account balances should occur before a sale is made.
b. Reconciliation pertains to sales which are already recorded.
c. Mailing of monthly statements pertains to sales which are already recorded.
d. Matching prenumbered shipping documents with entries in the sales journal most likely would help ensure that all credit sales transactions are recorded.
46.
Answer D
a. Employee fidelity bonds would tend to reduce the risk of misappropriation, but answer d. is better as it completely eliminates the possibility.
b. Independently prepared mailroom prelists would tend to reduce the risk of misappropriation, but answer d. is better as it completely eliminates the possibility.
c. Daily check summaries would tend to reduce the risk of misappropriation, but answer d. is better as it completely eliminates the possibility.
d. A bank lockbox system eliminates any possibility of misappropriation as employees no longer have access to cash.
47.
Answer C
a. Normally the cashier would be responsible for preparing the daily deposit of cash received as the cashier has custody of cash assets.
b. Normally the cashier would be responsible for making the daily deposit of cash received as the cashier has custody of cash assets.
c. Since the cashier has custody of cash assets, the cashier should not have any responsibilities for posting receipts to the accounts receivable subsidiary ledger. This would be an incompatible function as the cashier would have both custody of cash receipts and the related record keeping responsibility.
d. Checks should be restrictively endorsed in the company's name at the earliest possible point, preferably in the mail room before they are delivered to the cashier. However, if the cashier is responsible for endorsing checks this would not normally be seen as an incompatible operation as the cashier is responsible for the custody of cash, and endorsement of checks is necessary for preparing and making the daily deposit of cash received.
48.
Answer D
a. Performing bank reconciliations on a timely basis would not prevent an employee from misappropriating cash and then altering the accounting records to conceal the shortage if there is not a segregation of duties between employees who have custody of cash receipts and those who account for them.
b. Depositing promptly all cash receipts in the company's bank account would not prevent an employee from misappropriating cash and then altering the accounting records to conceal the shortage if there is not a segregation of duties between employees who have custody of cash receipts and those who account for them.
c. Prenumbering all cash receipt documents would not prevent an employee from misappropriating cash and then altering the accounting records to conceal the shortage if there is not a segregation of duties between employees who have custody of cash receipts and those who account for them.
d. Enforcing a segregation of duties between employees who have custody of cash receipts and those who account for them is the most effective way to prevent an employee from misappropriating cash and then altering the accounting records to conceal the shortage.
49.
Answer B
a. Separation of cash handling and record-keeping functions is a universal rule for achieving strong internal control over cash.
b. Decentralization of cash receiving is not a universal rule for achieving strong internal control over cash. The opposite is: centralize cash receiving to the extent feasible.
c. Depositing each day's cash receipts by the end of the day is a universal rule for achieving strong internal control over cash.
d. Having bank reconciliations performed by employees independent with respect to handling cash is a universal rule for achieving strong internal control over cash.
50.
Answer A
a. Understating the sales journal could conceal a defalcation involving the misappropriation of cash receipts from sales on account as the sale is never recorded and thus the corresponding receivable never appears on the books.
b. Overstating just the accounts receivable control account would likely be detected as it should balance to the accounts receivable subsidiary ledger.
c. Overstating just the accounts receivable subsidiary ledger would likely be detected as it should balance to the accounts receivable control account.
d. Understating just the cash receipts journal would likely be detected as it should balance to the accounts receivable control account.
Chapter 8 Procurement and Human Resource Business Processes Author's Discussion of Solutions to Multiple-Choice Professional Examination Questions
24.
Answer D
a. Incorrect for several reasons. Purchase requisitions are normally internal to a firm and are not sent to vendors. Purchase requisitions need to be approved before they are used to prepare purchase orders, which are then sent to vendors. Purchase requisitions do not offer any assurances that merchandise ordered (by purchase orders) was actually received.
b. Having the receiving department count all merchandise received does not by itself provide any substantial assurance of anything. The count must be compared to something (normally a copy of the purchase order) to exercise any control.
c. Incorrect as accounts payable is not the normal point of origin for purchase requisitions. Accounts payable should receive copies of purchase requisitions rather than originate them. In addition, purchase requisitions do not offer any assurances that merchandise ordered (by purchase orders) was actually received.
d. Having the accounts payable department match the purchase requisition (prepared by the requesting department), the purchase order (prepared by the purchasing department), the receiving report (prepared by the receiving department and approved by the requesting or stores department), and the vendor's invoice is the focal point of a well-controlled purchase application system. This process provides substantial assurance that merchandise actually ordered is received in satisfactory condition as each phase of the transaction has been documented and approved by duly segregated participants.
e. Incorrect as invoices originate with vendors and should be received by purchasing or perhaps accounts payable. If invoices are for some reason delivered to the stores department, there is no rational reason why copies would be sent to either the receiving department or the insurance department.
25.
Answer D
a. Having vouchers prepared by the individuals who are responsible for signing checks would increase rather than prevent the possibility of having vouchers paid a second time as this is an incompatible combination of duties. Normally accounts payable (i.e., the accounting function) prepares the vouchers and the signing of the checks is done by the cashier (treasury function). A single individual could easily write a second check for the same voucher.
b. Having at least two officials approve disbursement vouchers would tend to lessen the possibility of having vouchers paid a second time, but it would not prevent it. A voucher could be paid a second time if none of the officials realized through memory that it had been previously paid.
c. Allowing vouchers to be dated within a few days of payment would increase rather than prevent the possibility of having vouchers paid a second time as this would make it easy to submit the same voucher for payment more than once. For example, a voucher dated May 1 could be submitted on May 2 (one day after) for payment, then again on May 4 (three days after) for a second payment. If possible, vouchers should be dated the same date that they will be paid.
d. The key control in preventing disbursement vouchers from being presented for payment a second time is to have the check-signer deface (cancel or perforate) the voucher documents immediately after signing the related check. This allows the check-signer to clearly distinguish between paid and unpaid vouchers.
26.
Answer A
a. The check-signer's review of supporting evidence (documents) for a transaction is an effective internal accounting control against the preparation of improper or inaccurate disbursements. This assumes many other things, of course, but this choice is clearly the best of those offered in this problem.
b. To have the treasurer review the checks before mailing is not an effective internal accounting control against the preparation of improper or inaccurate disbursements because the checks themselves say little or nothing about the nature of the disbursements. Checks must be compared to something (the original documentation) for control to be exercised.
c. Sequential numbering of checks with accountability (for check numbers) by internal auditing is not an effective internal accounting control against the preparation of improper or inaccurate disbursements because check numbers themselves say absolutely nothing about the nature of the disbursements. Checks must be compared to something (the original documentation) for control to be exercised.
d. Checks are normally cancelled by the banking system during the payment process. If they were not for some reason, this would not be an effective internal accounting control against the preparation of improper or inaccurate disbursements because the checks themselves say little or nothing about the nature of the disbursements. In addition, canceling checks when they are returned with the bank statement (which is after the bank has made payment) obviously cannot prevent payment.
27.
Answer A
a. For effective control, signed checks should be mailed under the supervision of the check signer. Checks should not be available to persons who requested, prepared, or recorded them.
b. Spoiled checks which have been voided should be retained just as any regular check. If spoiled checks are disposed of, it becomes possible to dispose of checks which were drawn and cashed for improper disbursements but which were marked as void in the check register. There would be no way to verify that all disposed checks were truly void.
c. This statement implies a lack of separation of duties. Checks should be prepared by accounts payable and signed by the cashier. The cashier, who is responsible for cash receipts and cash disbursements, should not prepare checks for signature.
d. A check-signing machine is a machine, not an element of internal accounting control. This statement says nothing about internal accounting control, and thus is incorrect.
28.
Answer C
a. The supporting documents should be cancelled immediately after the check is signed. This should occur after the voucher has been approved for payment.
b. The check amount should be entered in the check register after the check is signed. This should occur after the voucher has been approved for payment.
c. After the invoice, purchase order, requisition, and receiving report are verified, the voucher should be approved for payment.
d. The voucher amount is posted to the expense ledger after the voucher has been approved for payment.
29.
Answer D
a. The controller should not be responsible for the review of monthly bank statements. For effective internal accounting control, the bank reconciliation should be independent of the controller (i.e., accounting function).
b. The cash receipts accountant should not be responsible for the review of monthly bank statements. For effective internal accounting control, the bank reconciliation should be independent of both accounting and cashier functions.
c. The cash disbursements accountant should not be responsible for the review of monthly bank statements. For effective internal accounting control, the bank reconciliation should be independent of both accounting and cashier functions.
d. The internal auditor is independent of both accounting and cashier functions and thus should directly receive and review the monthly bank statements for effective internal accounting control.
30.
Answer D
a. In a properly designed internal accounting control system, the approval of write-offs of customer accounts should be independent of cashier functions.
b. In a properly designed internal accounting control system, the approval of vouchers should be independent of check signing. Vouchers should be approved for payment by accounts payable and checks should be signed by the cashier.
c. In a properly designed internal accounting control system, the bank reconciliation should be independent of cashier functions.
d. In a properly designed internal accounting control system, supporting documents should be cancelled by the check signer immediately after the check is signed.
31.
Answer C
a. In a properly designed internal accounting control system, the check signer should cancel the supporting documents.
b. In a properly designed internal accounting control system, the same person (i.e., receiving department) should receive merchandise and prepare a receiving report.
c. In a properly designed internal accounting control system, the same person should not prepare disbursement vouchers and sign checks. Disbursement vouchers should be prepared by accounts payable (an accounting function) and signed by the cashier (a treasury function).
d. In a properly designed internal accounting control system, the person who initiates a request to order merchandise and approves merchandise received should be the same person (i.e., stores in the purchasing flowchart discussed in Chapter 7 of the text).
32.
Answer A
a. For effective internal control, the accounts payable department should compare the information on each vendor's invoice with the receiving report and the purchase order. This ensures that goods were both authorized for purchase and received before payment is made.
b. The voucher is a summary document, not a source document. Failure to compare invoices to purchase orders makes it possible to pay for goods which were never authorized to be ordered.
c. The vendor's packing slip is not an acceptable substitute for a properly prepared receiving report.
d. The vendor's packing slip is not an acceptable substitute for a properly prepared receiving report. The voucher is a summary document, not a source document.
33.
Answer B
a. Counting goods upon receipt in the storeroom does not detect the preparation of vouchers which are prepared for goods not received.
b. For effective control, the accounts payable department should match each purchase order, receiving report, and vendor's invoice for each voucher. This ensures that goods were both authorized for purchase and received before payment is made.
c. Comparing goods received with goods requisitioned in the receiving department is a good practice but does not detect the preparation of vouchers which are prepared for goods not received.
d. Having the internal audit department verify vouchers for accuracy and approval does not detect the preparation of vouchers which are prepared for goods not received as this control, as described, does not include a reconciliation of the voucher to the receiving report.
34.
Answer A
a. The mailing of disbursement checks and remittance advices should be controlled by the employee who signed the checks last - someone in cash disbursements.
b. Accounts payable approves vouchers for payment.
c. Accounts payable matches the receiving reports, purchase orders, and vendors' invoices.
d. Accounts payable verifies the mathematical accuracy of the vouchers and remittance advices.
35.
Answer C
a. Vendors' invoices do not document merchandise received.
b. Purchase orders do not document merchandise received.
c. Receiving reports document merchandise received.
d. Cancelled checks do not document merchandise received.
36.
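The accounts payable match described in questions 32 and 33 above, together with the voucher cancellation control from questions 25 and 30, as an added example in Python (not code from the text or its authors). Each document carries only the fields the match needs; the document layouts, names, quantities and prices are assumed for the illustration, and the receiving report stands in for what the text says a packing slip cannot replace.

```python
"""Added example (not from the text): an accounts payable three-way match of
purchase order, receiving report and vendor invoice, voucher approval only on a
clean match, and cancellation of the voucher when the check is signed so that
the same voucher cannot be paid a second time."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    vendor: str
    item: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class ReceivingReport:
    po_number: str
    item: str
    qty_received: int
    condition_ok: bool


@dataclass(frozen=True)
class VendorInvoice:
    po_number: str
    vendor: str
    item: str
    qty: int
    unit_price: float


@dataclass
class Voucher:
    po_number: str
    amount: float
    approved: bool = False
    cancelled: bool = False   # set by the check signer immediately after signing
    exceptions: list = field(default_factory=list)


def three_way_match(po, rr, inv):
    """Return the list of discrepancies; an empty list means the documents agree."""
    problems = []
    if not (po.number == rr.po_number == inv.po_number):
        problems.append("documents reference different purchase orders")
    if po.vendor != inv.vendor:
        problems.append("invoice vendor differs from purchase order vendor")
    if po.item != rr.item or po.item != inv.item:
        problems.append("item differs among documents")
    if not rr.condition_ok:
        problems.append("receiving report notes goods not in satisfactory condition")
    if inv.qty > rr.qty_received:
        problems.append(f"billed {inv.qty} but only {rr.qty_received} received")
    if inv.qty > po.qty:
        problems.append(f"billed {inv.qty} but only {po.qty} authorized")
    if abs(inv.unit_price - po.unit_price) > 0.005:
        problems.append("invoice unit price differs from purchase order price")
    return problems


def prepare_voucher(po, rr, inv):
    """Accounts payable approves the voucher only when the match is clean."""
    voucher = Voucher(po_number=po.number, amount=round(inv.qty * inv.unit_price, 2))
    voucher.exceptions = three_way_match(po, rr, inv)
    voucher.approved = not voucher.exceptions
    return voucher


def sign_check(voucher):
    """The check signer pays an approved, uncancelled voucher once and cancels it.
    Returns the amount disbursed, or 0.0 when payment is refused."""
    if not voucher.approved or voucher.cancelled:
        return 0.0
    voucher.cancelled = True
    return voucher.amount


# Constructed sample documents (assumed values, not from the text).
PO = PurchaseOrder("PO-100", "Widgets Inc", "bolt", 100, 2.50)
RR_OK = ReceivingReport("PO-100", "bolt", 100, condition_ok=True)
INV_OK = VendorInvoice("PO-100", "Widgets Inc", "bolt", 100, 2.50)
RR_SHORT = ReceivingReport("PO-100", "bolt", 80, condition_ok=True)
INV_OVER = VendorInvoice("PO-100", "Widgets Inc", "bolt", 120, 2.75)


def run_example():
    good = prepare_voucher(PO, RR_OK, INV_OK)
    paid_first = sign_check(good)
    paid_second = sign_check(good)   # same voucher presented again: refused
    bad = prepare_voucher(PO, RR_SHORT, INV_OVER)
    return {"good_approved": good.approved, "paid_first": paid_first,
            "paid_second": paid_second, "bad_approved": bad.approved,
            "bad_exceptions": bad.exceptions}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The clean voucher is paid exactly once; presenting it again returns nothing because the signer cancelled it at the moment of signing, which is the control question 25 describes. The second voucher is refused before any check exists, with the over-billed quantity, the short receipt and the price change each reported separately so the exception can be routed back to purchasing or receiving.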
Answer C
a. Determining the mathematical accuracy of the vendor's invoice is a vouchers payable function.
b. Approval of vouchers is a vouchers payable function.
c. Controlling the mailing of the check and remittance advice is a cash disbursements function.
d. Matching the receiving report with the purchase order is a vouchers payable function.
37.
Answer D
a. Cash disbursements should stamp, perforate, or otherwise cancel supporting documentation after payment is mailed.
b. Purchasing should ascertain that each requisition is approved as to price, quantity, and quality by an authorized employee.
c. Purchasing should obliterate the quantity ordered on the receiving department copy of the purchase order.
d. For effective internal control purposes, the vouchers payable department generally should establish the agreement of the vendor's invoice with the receiving report and purchase order.
38.
Answer B
a. The accounts payable department should compare the vendor's invoice with the receiving report.
b. Cash disbursements should cancel supporting documentation after payment.
c. The accounts payable department verifies the mathematical accuracy of the vendor's invoice.
d. The accounts payable department signs the voucher for payment by an authorized person.
39.
Answer D
a. Accounts payable approves vouchers for payment.
b. Accounts payable matches the receiving reports, purchase orders, and vendors' invoices.
c. Possession of the mechanical check-signing device is a secondary consideration to who handles the checks last.
d. The mailing of disbursement checks and remittance advices should be controlled by the employee who signed the checks last - someone in cash disbursements.
40.
Answer C
Discussion: The term "matching" is a key word which means the verification of documents to authorize payment. Refer to the discussion and flowchart of purchasing in the text.
a. Warehouse-receiving prepares the receiving report.
b. Purchasing prepares the purchase order and subsequently matches it to a copy of the receiving report, but this is to close the open purchase order, not to authorize payment.
c. Matching the purchase order and the receiving report should normally be the responsibility of accounts payable, which is a general accounting function.
d. Treasury signs the checks after the required documents have been matched by accounts payable. Treasury makes payments, and thus should not authorize payments.
41.
Answer A
a. Cash disbursements should be made by the cashier, and vendor invoice verification should be done by purchasing (as shown in the text) or perhaps accounts payable. Verification of invoices, which is part of the process of authorizing payment, should be separate from the actual making of payment.
b. Vendor invoice verification should be done by purchasing (as shown in the text), as purchasing possesses the expertise necessary to verify that the invoice is consistent with the related purchase order (i.e., the invoice does not contain any errors or irregularities). Since purchasing prepares the purchase order, these are compatible functions.
c. The receiving department is responsible for preparing the receiving report. In order to prepare the receiving report, the receiving department must be responsible for the physical handling of merchandise deliveries received from vendors.
d. Check signing and cancellation of supporting documents should both be done by the cashier (i.e., the check-signer), as shown in the text, in order to control against the possibility of paying the same voucher more than once.
42.
Answer C
Discussion: Separation of functions in a payroll application involves separate departments for personnel, payroll, timekeeping, and cash disbursement, as shown in the text.
a. Approval of employee time records should be the responsibility of the timekeeping department, not payroll.
b. Maintenance of records of employment, discharges, and pay increases should be the responsibility of the personnel department, not payroll.
c. Preparation of periodic governmental reports as to employees' earnings and withholding taxes is part of payroll processing and accordingly should be the responsibility of the payroll department.
d. Temporary retention of unclaimed paychecks is custody of cash assets and should be the responsibility of the cashier (i.e., cash disbursements).
43.
Answer A
a. Purchase orders are sent to vendors to request delivery of merchandise. Judd's poor control over purchase orders means that Jackson was able to use several purchase orders to order merchandise which was never received by Judd. This might easily occur if purchase orders were not prenumbered, for then there would be no way of knowing whether several were missing.
b. Purchase requisitions are internal documents, and are not issued to vendors. Jackson had to issue purchase orders to order merchandise, and, as a purchasing agent, he did not need phoney requisitions if there were poor controls over purchase orders.
c. Judd's controls over cash receipts are not relevant to the question as Jackson's actions had no effect on Judd's cash.
d. Judd's controls over perpetual inventory records are not relevant to the question as Jackson's actions had no effect on Judd's inventory.
44.
Answer A
a. The personnel department should be responsible for authorizing payroll rate changes.
b. The payroll department should not be responsible for authorizing payroll rate changes. The payroll department should compute the payroll.
c. The treasurer should not be responsible for authorizing payroll rate changes. The treasurer should be responsible for signing the payroll checks.
d. The timekeeping department should not be responsible for authorizing payroll rate changes. The timekeeping department should be responsible for accumulating employee time data.
45.
Answer A
a. Receiving operations are included in the purchasing cycle. There is a risk that personnel sign receiving documents without inspecting or counting the goods.
b. This answer is incorrect because although a weakness is described, the weakness is a production cycle rather than a purchasing cycle activity.
c. This answer is incorrect because although a weakness is described, the weakness is a production cycle rather than a purchasing cycle activity.
d. This answer is incorrect because although a weakness is described, the weakness is a production cycle rather than a purchasing cycle activity. Transfer tickets are internal documents used to document transfers of production.
46.
Answer B
a. Internal control is inadequate, not adequate, because of inadequate separation of duties. See the discussion of answer b. below.
b. Inadequate separation of duties exists in this situation because the stores manager has responsibility for both purchasing and stores as well as some of the responsibilities of accounts payable. Stores and purchasing should be separate functions.
c. Although it seems as if inadequate control over accounts payable exists because the stores manager has responsibility for some of the normal responsibilities of accounts payable, this answer is incorrect because the question says "which of the following statements best describes the internal control over purchasing" (not accounts payable).
d. Control over requisitioning appears adequate in that requisitions do not originate with those who have responsibility for purchasing.
47.
Answer D
a. To ensure that each new employee has a separate folder does not indicate whether only valid employees are on the payroll because an invalid employee could also have a separate folder.
b. The payroll clerk should not deliver paychecks, but assuming that he does, to ensure that he delivers them to supervisors does not indicate whether only valid employees are on the payroll because the supervisor might deliver paychecks to invalid employees.
c. To ensure that personnel places names on payroll only on the basis of written, prenumbered authorizations does not indicate whether only valid employees are on the payroll because written, prenumbered authorization forms might be prepared for invalid employees.
d. Payroll bank accounts should be reconciled monthly by appropriate personnel. Of the choices given, this is the best answer, even though it does not directly address the issue of invalid employees on the payroll. The other choices are clearly incorrect.
48.
Answer B
a. Determining the dates of unpaid invoices is not appropriate to determining whether purchase orders are processed on a timely basis as invoices are sent after purchase orders have been issued and filled by vendors.
b. Comparing dates on selected purchase orders with those of purchase requisitions is appropriate to determining whether purchase orders are processed on a timely basis as processing a purchase order means initiating one based on an approved purchase requisition.
c. Accounting for purchase order numbers is not appropriate to determining whether purchase orders are processed on a timely basis as the numbers do not say anything about the date of the corresponding purchase requisitions.
d. Discussion and observation of procedures is not an adequate test. Dates must be compared, not observed.
49.
Answer D
a. Having the personnel department document all changes to payroll data is adequate control.
b. Verifying payroll checks against the payroll register prior to distribution is adequate control.
c. Using a separate payroll account, having the treasurer sign the paychecks, and having the paychecks distributed by personnel from the treasurer's office are each adequate control.
d. Returning unclaimed payroll checks to the payroll clerk, an accounting function, is inadequate control. Unclaimed payroll checks should be given to the cashier for custody as they are financial assets.
50.
Answer C
a. The payroll clerk should not have access to cash.
b. Unclaimed payroll checks are cash assets and thus should be placed in the custody of the cashier, not the paymaster. The paymaster (the person who distributes the payroll) should be independent of the cashier function.
c. Each employee should be asked to sign a receipt as evidence of cash payment. This is not normally necessary when the payroll is paid by check, as the cancelled check provides a receipt for the company.
d. Since payroll is paid in cash, there is no need for a separate checking account as there are no checks.
51.
Answer B
Discussion: The word "subordinate" qualifies the actions of the payroll department supervisor in answers a., c., and d., which makes each of these choices incorrect as they indicate appropriate actions for the payroll department supervisor.
a. The payroll department supervisor should review and approve time reports for subordinate employees.
b. The payroll department supervisor should not distribute paychecks to employees. The payroll should be distributed by an independent paymaster.
c. The payroll department supervisor should hire subordinate employees.
d. The payroll department supervisor should initiate salary adjustments for subordinate employees.
52.
Answer B
a. The department that initiated the requisition must know the quantity.
b. Internal accounting control is strengthened when the quantity of merchandise ordered is omitted from the copy of the purchase order sent to the receiving department, as this facilitates implementing a blind count.
c. The purchasing agent determines and thus must know the quantity.
d. The accounts payable department must know the quantity to verify the invoice.
53.
Answer D
a. Internal accounting control is strengthened when the quantity of merchandise ordered is omitted from the copy of the purchase order sent to the receiving department, as this facilitates implementing a blind count.
b. Having vendors' invoices compared with purchase orders by an employee who is independent of the receiving department is reasonable as far as it goes, but answer d is a better choice.
c. Having receiving reports require the signature of the individual who authorized the purchase is reasonable as far as it goes, but answer d is a better choice.
d. Having purchase orders, receiving reports, and vendors' invoices independently matched in preparing vouchers would be most effective in assuring that recorded purchases are free of material errors.
54.
Answer D
a. Administrative controls are conceptually separate from internal accounting controls.
b. Neither the term "human resources" nor "controllership" is used in the definition of internal control structure.
c. Hiring personnel is an authorization function.
d. The purpose of segregating the duties of hiring personnel and distributing payroll checks is to separate the authorization of transactions (hiring personnel) from the custody of related assets (payroll checks).
55.
Answer C
a. Comparing the purchase order and the requisition form does not validate the shipment received.
b. Receiving does not normally have access to the vendor's invoice.
c. When goods are received, the receiving clerk should match the goods with the vendor's shipping document and the purchase order.
d. Receiving prepares the receiving report.
56.
Answer B
a. Reconciliation of totals on job time tickets with job reports by employees responsible for those specific jobs is not an independent verification.
b. Verification of agreement of job time tickets with employee clock card hours by a payroll department employee is an effective internal control procedure as payroll is independent of timekeeping.
c. Preparation of payroll transaction journal entries by an employee who reports to the supervisor of the personnel department would violate segregation of duties in the payroll function.
d. Custody of rate authorization records by the supervisor of the payroll department would violate segregation of duties in the payroll function.
57.
Answer D
Discussion: The only way in which one can rationalize the official answer to this vague question is to use the concept of the independent paymaster, a person who otherwise has no involvement in the payroll function. Refer to the flowchart of the payroll application system in the text.
a. The bookkeeper is an accounting function and thus should not deliver paychecks.
b. The payroll clerk is an accounting function and thus should not deliver paychecks.
c. The cashier should sign paychecks and deliver them to the paymaster for distribution.
d. Paychecks should be distributed by an independent paymaster. Of the choices given in this problem, the receptionist is the choice most independent of both accounting and treasury functions.
58.
Answer D
a. The vendor's invoice does not provide evidence that goods have been properly ordered.
b. A materials requisition might be used to initiate a purchase of goods, but it does not provide evidence that goods have been properly ordered.
c. A bill of lading documents shipping charges.
d. The authority to accept incoming goods in receiving should be based on an approved purchase order.
59.
Answer C
a. Preparing a voucher based on the payroll department's payroll summary is a control procedure.
b. Payroll check preparation by the payroll department and signature by the treasurer is good separation of duties.
c. This is a control weakness. Unclaimed payroll checks are a financial asset and as such should be returned to the cashier rather than to the payroll department.
d. Separation of personnel and payroll department functions is good separation of duties.
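The three-way match that Questions 33, 37 and 53 above describe (purchase order, receiving report and vendor's invoice agreed before a voucher is approved), together with the mathematical check of the invoice from Question 36, as an added example that is not code from the textbook or its authors. The document fields, the file layout keyed by purchase order number, and every sample record are assumptions constructed for illustration; the second invoice reproduces the Question 33 case of a voucher prepared for goods that were never received.

```python
"""Three-way match of purchase order, receiving report and vendor invoice.

Added example (not code from the textbook or its authors): a voucher is
approved for payment only when an invoice agrees with an authorized purchase
order and with a receiving report prepared from an independent count.
Document fields and all sample records below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:          # prepared by purchasing
    po_number: str
    vendor: str
    item: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class ReceivingReport:        # prepared by receiving from a blind count
    po_number: str
    item: str
    quantity_received: int


@dataclass(frozen=True)
class VendorInvoice:          # received from the vendor
    po_number: str
    vendor: str
    item: str
    quantity_billed: int
    unit_price: Decimal
    amount: Decimal


def three_way_match(po: Optional[PurchaseOrder],
                    rr: Optional[ReceivingReport],
                    inv: VendorInvoice) -> list[str]:
    """Return the exceptions found; an empty list means the voucher may be approved."""
    exceptions: list[str] = []
    if po is None:
        exceptions.append("no purchase order: the goods were never authorized")
    else:
        if inv.vendor != po.vendor:
            exceptions.append("invoice vendor differs from purchase order")
        if inv.item != po.item:
            exceptions.append("invoice item differs from purchase order")
        if inv.unit_price != po.unit_price:
            exceptions.append("invoice price differs from purchase order")
        if inv.quantity_billed > po.quantity:
            exceptions.append("invoice bills more units than were ordered")
    if rr is None:
        exceptions.append("no receiving report: the goods were never received")
    else:
        if inv.item != rr.item:
            exceptions.append("invoice item differs from receiving report")
        if inv.quantity_billed > rr.quantity_received:
            exceptions.append("invoice bills more units than were received")
    # Mathematical accuracy of the invoice (a vouchers payable duty).
    if inv.amount != inv.unit_price * inv.quantity_billed:
        exceptions.append("invoice amount does not equal quantity times price")
    return exceptions


def approve_voucher(po_file: dict, rr_file: dict, inv: VendorInvoice) -> tuple[bool, list[str]]:
    """Look up the supporting documents by PO number and decide on the voucher."""
    exceptions = three_way_match(po_file.get(inv.po_number), rr_file.get(inv.po_number), inv)
    return (not exceptions), exceptions


# Constructed sample files keyed by purchase order number.
PO_FILE = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Supply", "widget", 100, Decimal("4.50")),
    "PO-1002": PurchaseOrder("PO-1002", "Acme Supply", "gasket", 40, Decimal("2.00")),
}
RR_FILE = {
    "PO-1001": ReceivingReport("PO-1001", "widget", 100),
    # No receiving report exists for PO-1002: nothing was delivered.
}

GOOD_INVOICE = VendorInvoice("PO-1001", "Acme Supply", "widget", 100, Decimal("4.50"), Decimal("450.00"))
NOT_RECEIVED = VendorInvoice("PO-1002", "Acme Supply", "gasket", 40, Decimal("2.00"), Decimal("80.00"))
OVERBILLED = VendorInvoice("PO-1001", "Acme Supply", "widget", 120, Decimal("4.50"), Decimal("540.00"))

if __name__ == "__main__":
    for inv in (GOOD_INVOICE, NOT_RECEIVED, OVERBILLED):
        ok, why = approve_voucher(PO_FILE, RR_FILE, inv)
        print(inv.po_number, "approved" if ok else "held", why)
```

The receiving report carries only what receiving counted, never the ordered quantity, so the blind count of Questions 37 and 52 is preserved; the match is applied in accounts payable, which sees all three documents but prepares none of them.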
Bodnar/Hopwood Accounting Information Systems 8th Edition
Chapter 9 The Production Business Process
Author's Discussion of Solutions to Multiple-Choice Professional Examination Questions
17.
Answer A
a. Failure to record some purchases returned to vendors would cause the inventory records to be overstated (higher than a physical count) as items are removed from inventory when they are returned to vendors but the corresponding inventory records are not adjusted to reflect the reduced quantity of the items.
b. Failure to record some sales returns received would cause the inventory records to be understated (lower than a physical count) rather than overstated (higher) as items are added to inventory when they are returned but the corresponding inventory records are not adjusted to reflect the increased quantity of the items.
c. Failure to record some sales discounts allowed should have no effect on the inventory records as sales discounts do not change the quantity of items involved in a sale, they change only their prices.
d. Failure to record some cash purchases would cause the inventory records to be understated (lower than a physical count) rather than overstated (higher) as items are added to inventory when they are purchased but the corresponding inventory records are not adjusted to reflect the increased quantity of the items.
18.
Answer A
a. Ball Company has placed the same order twice, resulting in excessive purchases of inventory items. Review of an adequate record of open purchase orders would prevent this situation from occurring as the open purchase orders would indicate the quantity of items already on order.
b. Use of perpetual inventory records that indicate goods received, issued, and amounts on hand would not prevent excessive ordering as review of an adequate record of open purchase orders is necessary to prevent this situation from occurring as the open purchase orders would indicate the quantity of items already on order.
c. Use of prenumbered purchase orders would not in itself prevent this situation from occurring as prenumbering does not indicate the purpose or status of any particular purchase order. Review of open purchase orders is necessary.
d. Preparation of purchase orders only on the basis of purchase requisitions would not in itself prevent this situation from occurring as failure to review open purchase orders would result in two purchase requisitions being prepared in the situation described. Review of open purchase orders is necessary to prevent excessive reordering.
19.
Answer D
a. Approval of requisitions for inventory parts is an effective internal control over the process of requisitioning parts, but this does not directly contribute to effective internal control over the parts in inventory.
b. Maintenance of inventory records for all parts (perpetual inventory records) is desirable but would likely be very expensive in this situation as the problem states that there are thousands of items of small individual value. Inventory records would thus be cost-ineffective as a control. Even with inventory records for all parts, separation of duties (answer d.) would still be a necessary condition for effective control.
c. More frequent physical counts in the absence of detailed inventory records would not significantly increase internal control as without inventory records there is no basis for reconciliation. Furthermore, this would function primarily as a detective rather than protective control and contribute very little to the protection of inventory parts.
d. Separation of the store-keeping function from the production and inventory record keeping functions is the basis of effective internal control over any type of inventory and is particularly suited to the situation which is described in the problem. The separation of custody, use, and recording functions for inventory assets provides the best protection against unauthorized use or disposal of parts.
20.
Answer D
a. Establishing procedures which require capitalization of costs in excess of a specific amount is an internal accounting control over fixed-asset additions. However, capitalization of costs in excess of a specific amount is something which occurs after a fixed-asset addition has occurred, and thus is of secondary importance to answer d. in establishing effective control over additions.
b. Establishing procedures which require performance of recurring maintenance work solely by maintenance department employees is not a relevant consideration. At best it is an operational control that might enhance the useful life of fixed assets and thus tend to reduce the need for fixed-asset additions.
c. Establishing procedures which require classifying as investments fixed-asset additions which are not used in the business is an accounting policy and is not an internal accounting control over fixed-asset additions. In addition, this is something which occurs after a fixed-asset addition has occurred.
d. Establishing procedures which require the authorization and approval of fixed-asset additions is an effective internal accounting control. Authorization and approval of transactions is a basic element of effective internal accounting control.
21.
Answer B
a. Establishing a written company policy distinguishing between capital and revenue expenditures is an internal control over acquisitions of property, plant and equipment (fixed assets). However, distinguishing between capital and revenue expenditures is something which occurs after an expenditure has occurred, and thus this control is of secondary importance to answer b.
b. Using a budget to forecast and control acquisitions and retirements is the most important internal accounting control as it is the means by which management authorizes such transactions. Since authorization of transactions is the first step in the process of acquiring property, plant and equipment, this is the most important internal control.
c. Establishing procedures to analyze monthly variances between authorized expenditures and actual costs is an element of internal control, but this occurs after fixed assets have been acquired and thus does not control the process of acquisition.
d. Requiring acquisitions of property, plant and equipment to be made by user departments is a sound internal control over acquisition, but this control is of secondary importance when compared to answer b. Using a budget to forecast and control acquisitions and retirements (answer b.) is the most important internal accounting control as it is the means by which management authorizes such transactions. Since authorization of transactions is the first step in the process of acquiring property, plant and equipment, it is the most important internal control.
22.
Answer B
a. Checks should be signed by the treasurer, not the controller. The controller is responsible for record keeping, and accordingly should not be charged with the release of cash assets in order to maintain a segregation of duties. Thus this is an internal accounting control strength rather than a weakness.
b. This is an internal accounting control weakness as it implies an absence of controls over the purchasing function for factory equipment. Purchase requests (requisitions) should originate in the department in need of the equipment, but purchases should be made by the purchasing department, which prepares and sends purchase orders to vendors.
c. This is a statement of fact, not policy, concerning replacement of assets. The statement has nothing to do with internal accounting control, and thus is incorrect.
d. This situation indicates a relative strength because it implies that sales of fully-depreciated assets are recorded. The accounting policy for the sales is not in itself an aspect of internal accounting control, but the recording of sales is the result of an adequate system of internal accounting control over the disposition of plant assets.
23.
Answer B
a. Reconciliation of work in process inventory with cost records would not be effective as the question concerns the accuracy of posting source documents concerning direct labor to the cost records.
b. Comparison of daily journal entries (which indicate the total charges for direct labor and overhead) with the factory labor summary (the original source document which indicates the total amount of direct and indirect labor cost to be charged) could best prevent direct labor from being charged to overhead.
c. The comparison of periodic cost budgets to time cards would not be effective as the question concerns the accuracy of posting source documents concerning direct labor to the cost records. Budgets are not posted to cost records and budgets are not themselves cost records.
d. Reconciliation of unfinished job summary and production cost records would not be effective as the question concerns the accuracy of posting source documents concerning direct labor to the cost records.
24.
Answer C
a. This question would most likely be found in the finance cycle (cash disbursements) section of an internal accounting control questionnaire as an invoice for raw materials should be paid the same as any other invoice.
b. This question would most likely be found in the finance cycle (cash disbursements) section of an internal accounting control questionnaire as a check for the purchase of raw materials should be processed the same as any other check.
c. This question would most likely be found in the production cycle section of an internal accounting control questionnaire as it pertains specifically to the production cycle activity of releasing raw materials to production.
d. This question would most likely be found in the finance cycle (cash disbursements) section of an internal accounting control questionnaire as the procedures for posting raw materials purchases to the general ledger should be the same for posting any type of purchase to the general ledger.
25.
Answer A
a. Having physical inventory counts be independent of the inventory custodians is the most important element of internal control relating to raw materials inventory of a manufacturing company.
b. Materials from vendors should be received by the receiving department, not the production department which will be using the materials.
c. While it might be desirable to immediately report shortages in shipments to the requesting department, this is an operational consideration rather than an element of internal control.
d. This choice is nonsensical. Sales invoices are sent to customers; issues from inventory are documented by material requisition forms.
26.
Answer D
a. Shipping orders are used to initiate the release of goods from inventory to the shipping department for shipment to a customer.
b. Material requisitions are used to document the issuance of raw materials from inventory to production.
c. Bills of lading are used to document freight charges between the shipper and the carrier when goods are shipped to customers.
d. An inspection report accompanying a completed production order indicates that the finished goods have been inspected and are suitable to be accepted for stock for subsequent sale to customers.
27.
Answer B
a. The accounting department is not the source of origin for data concerning the amount of scrap incurred during production. The accounting department should process the data concerning scrap to produce a report.
b. In order to be accurate, data should be accumulated at the source of its origin. The production department is the source of origin for data concerning the amount of scrap incurred during production, thus it should accumulate the data.
c. The warehousing department is not the source of origin for data concerning the amount of scrap incurred during production, and thus could not possibly accumulate the required data.
d. The budget department is not the source of origin for data concerning the amount of scrap incurred during production, and thus could not possibly accumulate the required data.
28.
Answer C
a. Independent storeroom count of goods received is important, but does not in itself maintain accurate perpetual inventory records.
b. Periodic independent reconciliation of control and subsidiary records is important, but does not in itself maintain accurate perpetual inventory records.
c. Periodic independent comparison of records with goods on hand would most likely be used to maintain accurate perpetual inventory records. This procedure directly verifies and corrects the perpetual inventory records.
d. Independent matching of purchase orders, receiving reports, and vendor's invoices is important, but does not in itself maintain accurate perpetual inventory records.
29.
Answer A
a. A separation of duties between those authorized to dispose of equipment and those authorized to approve removal work orders is most likely to prevent the improper disposition of equipment as it establishes accountability for dispositions.
b. The use of serial numbers to identify equipment that could be sold is not likely to prevent the improper disposition of equipment as this procedure does not address the question of establishing proper authorizations for dispositions.
c. Periodic comparison of removal work orders to authorizing documentation is not likely to prevent the improper disposition of equipment as this procedure does not address the question of establishing proper authorizations for dispositions.
d. A periodic analysis of scrap sales and the repairs and maintenance accounts is not likely to prevent the improper disposition of equipment as this procedure does not address the question of establishing proper authorizations for dispositions.
30.
Answer D
a. Control of access does not in and of itself assure effective control over custody.
b. Control of record keeping does not in and of itself assure effective control over custody.
c. Control of authorization does not in and of itself assure effective control over custody.
d. Periodic comparison of the recorded balances in the investment subsidiary ledger with the contents of the safety deposit box by independent personnel is an effective internal control.
31.
Answer D
a. Activity reports are not an objective of an internal control structure for a production cycle.
b. Documenting transfers to finished goods is a control technique, not an objective.
c. Prenumbering production orders is a control technique, not an objective.
d. Proper custody of work in process and of finished goods is a major objective of the internal control structure for a production cycle.
32.
Answer B
a. Independent internal verification does not occur when employees who issue raw materials obtain material requisitions for each issue and prepare daily totals of materials issued.
b. Independent internal verification occurs when employees who compare records of goods on hand with physical quantities do not maintain the records or have custody of the inventory.
c. Independent internal verification does not occur when employees who obtain receipts for the transfer of completed work to finished goods prepare a completed production report.
d. Independent internal verification of inventory does not occur when employees who are independent of issuing production orders update records from completed job cost sheets and production cost reports on a timely basis.
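The periodic comparison of perpetual records with goods on hand from Questions 28 and 32 above, performed only by personnel independent of custody and record keeping (Questions 25 and 32), as an added example that is not code from the textbook or its authors. Each variance is annotated with the unrecorded events that Question 17 of this chapter says would move the records in that direction. The role labels, employees, items and quantities are constructed assumptions.

```python
"""Periodic comparison of perpetual inventory records with goods on hand.

Added example (not code from the textbook or its authors): the count is
accepted only from personnel independent of custody and record keeping, the
variances are listed per item, and each variance is annotated with the
candidate causes the chapter's Question 17 discusses. Role names, employees,
items and quantities are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    name: str
    roles: frozenset  # constructed role labels: "custody", "recordkeeping", "internal_audit"


# Duties incompatible with performing the physical count (Questions 25 and 32).
INCOMPATIBLE_WITH_COUNTING = frozenset({"custody", "recordkeeping"})

# Unrecorded events that would explain a variance of each sign (Question 17).
CAUSES_IF_RECORDS_OVERSTATED = ("unrecorded purchase returns to vendors",)
CAUSES_IF_RECORDS_UNDERSTATED = ("unrecorded sales returns received",
                                 "unrecorded cash purchases")


def counter_is_independent(counter: Employee) -> bool:
    """True when the counter holds neither custody nor record-keeping duties."""
    return not (counter.roles & INCOMPATIBLE_WITH_COUNTING)


def reconcile(perpetual: dict[str, int], physical: dict[str, int],
              counter: Employee) -> dict[str, dict]:
    """Compare book quantities with counted quantities; return one entry per item that differs."""
    if not counter_is_independent(counter):
        conflict = sorted(counter.roles & INCOMPATIBLE_WITH_COUNTING)
        raise PermissionError(f"{counter.name} holds {conflict} and may not perform the count")
    variances: dict[str, dict] = {}
    for item in sorted(set(perpetual) | set(physical)):
        book, count = perpetual.get(item, 0), physical.get(item, 0)
        if book == count:
            continue
        # Records higher than the count are overstated; lower are understated.
        causes = CAUSES_IF_RECORDS_OVERSTATED if book > count else CAUSES_IF_RECORDS_UNDERSTATED
        variances[item] = {"book": book, "count": count,
                           "difference": count - book, "possible_causes": causes}
    return variances


# Constructed perpetual records and physical count results.
PERPETUAL = {"bolt": 500, "gasket": 40, "widget": 100}
PHYSICAL = {"bolt": 500, "gasket": 37, "widget": 104}

AUDITOR = Employee("R. Lee", frozenset({"internal_audit"}))
STOREKEEPER = Employee("M. Cruz", frozenset({"custody"}))

if __name__ == "__main__":
    for item, v in reconcile(PERPETUAL, PHYSICAL, AUDITOR).items():
        print(item, v)
    try:
        reconcile(PERPETUAL, PHYSICAL, STOREKEEPER)
    except PermissionError as err:
        print("rejected:", err)
```

The variance report identifies what to investigate; the correcting entry is still posted by record keeping, not by the counter, so the comparison remains an independent verification rather than a second custody or recording function.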
Bodnar/Hopwood Accounting Information Systems 8th Edition
Chapter 13 Auditing Information Technology
Author's Discussion of Solutions to Multiple-Choice Professional Examination Questions
13.
Answer C
a. In auditing around the computer, source documents are manually processed and compared to computer outputs. The actual computer processing is ignored. This approach is likely to be successful in batch processing applications, such as payroll, as such systems tend to have processing of batches of transactions which is independent of other applications and most or all outputs are printed.
b. A card-based system for inventory is a batch processing application, thus auditing around the computer is likely to be successful. See answer a for discussion.
c. Auditing around the computer is least likely to be successful in an audit of an on-line system for demand deposit accounting. On-line systems are characterized by direct input of transactions (no batches), interdependent processing in which more than one file is updated, and little if any printed output. Thus there is more of a need to audit the actual computer processing to determine results than there is in a batch system.
d. A mark-sense (i.e., optically scanned) document system for utility billing is a batch processing application, thus auditing around the computer is likely to be successful. See answer a for discussion.
14.
Answer A
a. If only immaterial transactions are entered, then limit tests of material transactions cannot be attempted. This is a disadvantage because incorrect processing of material transactions would be of interest to an audit.
b. This is incorrect because most individual real (not audit-entered) transactions will also be immaterial.
c. This is incorrect because the system must be able to process immaterial real (not audit-entered) transactions.
d. Although designing the test deck (data) can be difficult, this is not a disadvantage which is inherent to the entry of immaterial transactions.
15.
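The disadvantage in answer a. above, shown as a measurement rather than a statement: the test-deck runner below records which branch of an application's limit test each test transaction reaches, and a deck made up only of immaterial amounts leaves the material-transaction branch unexercised. This is an added example, not code from the textbook or its authors; the disbursement routine, the materiality threshold and the test amounts are constructed assumptions.

```python
"""Test-deck coverage of an application limit test.

Added example (not code from the textbook or its authors): a constructed
disbursement routine applies a limit test, and a test-deck runner records
which branch of that test each test transaction exercised. A deck of only
immaterial amounts leaves the material branch untested, which is the
disadvantage Question 14 describes. Threshold and amounts are constructed.
"""
from decimal import Decimal

# Constructed materiality threshold: amounts at or above it need a second approval.
MATERIAL_THRESHOLD = Decimal("10000")

BRANCHES = ("immaterial", "material")


def disburse(amount: Decimal, approvals: int, coverage: dict[str, int]) -> bool:
    """Application logic under test. Records the branch taken in `coverage`."""
    if amount >= MATERIAL_THRESHOLD:
        coverage["material"] += 1
        return approvals >= 2          # limit test: material items need two approvals
    coverage["immaterial"] += 1
    return approvals >= 1


def run_test_deck(deck: list[tuple[Decimal, int, bool]]) -> tuple[list[str], list[str]]:
    """Process each (amount, approvals, expected) test transaction.

    Returns (failures, untested_branches): failures lists transactions whose
    result differed from the expected outcome, and untested_branches lists
    branches of the limit test that no transaction in the deck reached.
    """
    coverage = {b: 0 for b in BRANCHES}
    failures: list[str] = []
    for amount, approvals, expected in deck:
        actual = disburse(amount, approvals, coverage)
        if actual != expected:
            failures.append(f"{amount} with {approvals} approval(s): got {actual}, expected {expected}")
    untested = [b for b in BRANCHES if coverage[b] == 0]
    return failures, untested


# Constructed decks. Each entry: (amount, approvals, expected result).
IMMATERIAL_ONLY = [
    (Decimal("120.00"), 1, True),
    (Decimal("950.00"), 1, True),
    (Decimal("42.00"), 0, False),
]
WITH_MATERIAL = IMMATERIAL_ONLY + [
    (Decimal("25000.00"), 1, False),   # must be held for a second approval
    (Decimal("25000.00"), 2, True),
]

if __name__ == "__main__":
    for name, deck in (("immaterial only", IMMATERIAL_ONLY), ("with material", WITH_MATERIAL)):
        failures, untested = run_test_deck(deck)
        print(name, "failures:", failures, "untested:", untested)
```

A deck that passes with no failures but reports an untested branch has said nothing about the control the auditor most cares about; the coverage list is therefore the result to read first.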
Answer B
a. Control flowcharting is developed to document and/or review the total business control context of an application system.
b. Test data are used to verify the processing accuracy of a computer program.
c. Review of program documentation does not verify the processing accuracy of the actual computer program - which may differ from the program documentation.
d. Embedded audit source code is used to select transactions for audit according to predefined audit selection criteria.
16.
Answer C
a. Control flowcharting is developed to document and/or review the total business control context of an application system.
b. Test data are used to verify processing accuracy.
c. Generalized audit software allows an auditor to independently analyze the content of a computer application system file.
d. Embedded audit source code is used to select transactions for audit according to predefined audit selection criteria.
17.
Answer A
a. Control flowcharting is developed to document and/or review the total business control context of an application system.
b. Test data are used to verify processing accuracy.
c. Generalized audit software allows an auditor to independently analyze the content of a computer application system file.
d. Embedded audit source code is used to select transactions for audit according to predefined audit selection criteria.
18.
Answer B
a. Test data should never be processed against real master files as this is the equivalent of entering unauthorized transactions into the accounting records.
b. The auditor should prepare a program to compare actual credit limits to authorized credit limits.
c. This is incorrect for two reasons. First, it would be preferable for the auditor to have control over the program which provides the data to be audited, and, second, reviewing a printout of the entire file is much less efficient than the procedure in choice b.
d. This is incorrect for two reasons. First, it would be preferable for the auditor to have control over the program which provides the data to be audited, and, second, reviewing a printout of a sample of the entire file is much less efficient than the procedure in choice b, which, with less effort, could examine the entire file.
19.
Answer A
a. Test data are processed by the client's computer programs under the auditor's control.
b. Test data need not consist of all possible valid and invalid conditions. In many cases this would not be possible. What is required is that the test data meet the auditor's objectives in testing the system.
c. A test at year-end provides assurance only of the program which was tested at year-end.
d. Only one transaction of each type need be tested as the same type of transaction will always be processed in exactly the same manner.
20.
Answer C
a. The embedded data collection technique will usually require substantial additional programming, as special audit source code must be added to a program in order to select transactions for audit according to predefined audit selection criteria.
b. Integrated Test Facility (ITF) requires the addition of fictitious records to master files in order to process test transactions at the same time that normal transactions are processed. Thus client master files are contaminated with the fictitious records.
c. Test data are used to verify the processing accuracy of a computer program. Test data are processed without substantial additional programming, as the regular computer program is not modified, and without contaminating the client's master files, as test data are processed separately from real transactions.
d. The snapshot method will usually require substantial additional programming, as special audit source code must be added to a program in order to select program data (the contents of memory locations) for printout according to predefined audit selection criteria.
21.
Answer A
a. Integrated Test Facility (ITF) requires the addition of fictitious (i.e., dummy entity) records to master files in order to process test transactions (i.e., fictitious) at the same time that normal transactions are processed.
b. Fictitious names processed in a separate run of the payroll application would be the test deck (data) approach, not Integrated Test Facility.
c. Processing a sample of last month's payroll with generalized audit software to dummy records would be controlled reprocessing or simulation, not Integrated Test Facility.
d. Fictitious names processed through the generalized audit software package with the same company codes would be controlled reprocessing or simulation, not Integrated Test Facility.
22.
Answer C
a. Generalized audit software was developed for batch processing systems, and many types of generalized audit software are not capable of being used in auditing on-line systems.
b. Generalized audit software can only work on computers for which it was developed because, like COBOL or FORTRAN, the source language must be converted into machine code by a special compiler or translator program.
c. Each generalized audit software package has its own characteristics. This is the best answer given the other choices.
d. Generalized audit software is more useful for testing of balances than it is for compliance testing. Also, it would not be possible to use generalized audit software to test purely manual procedures.
23.
Answer A
a. The most important function of generalized audit software is the capability to access information stored on computer files.
b. Selecting a sample for testing is an example of the most important function of generalized audit software, the capability to access information stored on computer files.
c. Evaluating sample test results initially requires the data sample. The data sample is obtained by accessing information stored on computer files.
d. Testing the accuracy of the client's calculations initially requires the client's calculations, which are obtained by using the most important function of generalized audit software, the capability to access information stored on computer files.
24.
Answer D
a. Test data are not used when auditing around the computer as test data are used to verify the processing accuracy of a computer program.
b. The auditor ignores EDP processing when auditing around the computer.
c. When auditing around the computer, the auditor focuses solely on the source documents and the EDP output, not on compliance techniques.
d. When auditing around the computer, the auditor focuses solely on the source documents and the EDP output.
25.
Answer C
a. Test data are used when auditing through the computer to verify the processing accuracy of a computer program, not the accuracy of input data.
b. Test data are used to verify the processing accuracy of a computer program, not the validity of the output.
c. Test data are used when auditing through the computer to verify the procedures contained within the program by observing how the test data are processed.
d. Test data are not used to test the normalcy of distribution of the test data, whatever this means.
26.
Answer A
a. Generalized audit software is useful for parallel simulation of a client's processing programs. Generalized audit software is used to write an independent program which is then used to process the same transactions. Then the outputs are reconciled for differences.
b. Integrated Test Facility (ITF) requires the addition of fictitious records to master files in order to process test transactions at the same time that normal transactions are processed. This does not require the use of generalized audit software.
c. Test data are processed by the client's computer program and thus the use of test data does not require the use of generalized audit software.
d. Exception report tests are compliance testing of manual procedures. It would not be possible to use generalized audit software to test manual procedures.
27.
Answer B
a. Substantiating the accuracy of data through self-checking digits and hash totals is not a primary advantage of generalized audit software as this initially requires access to the data.
b. A primary advantage of generalized audit software in auditing the financial statements of a client that uses an EDP system is that the auditor may access information stored on computer files without a complete understanding of the client's hardware and software features.
c. Generalized audit software allows an auditor to independently analyze the content of a computer application system file, but this is not involved in compliance testing and thus has little or no effect on the required amount of compliance testing in an audit.
d. Although generalized audit software allows an auditor to gather and store large quantities of audit information in machine readable form, this is true for any client, including those who do not use EDP. A primary advantage of generalized audit software in auditing the financial statements of a client that uses an EDP system is that the auditor may access information stored on computer files without a complete understanding of the client's hardware and software features.
28.
Answer B
a. It is true that test data are processed by the client's computer program under the auditor's control.
b. Test data need not consist of all possible valid and invalid conditions. In many cases this would not be possible. What is required is that the test data meet the auditor's objectives in testing the system.
c. It is true that the test data need consist only of those valid and invalid conditions in which the auditor is interested in order that the test data satisfy the auditor's objectives in testing the system.
d. It is true that only one transaction of each type need be tested as the same type of transaction will always be processed in exactly the same manner by a computer system.
29.
Answer B
a. The flowchart depicts computer processing of a transaction file against a master file, not program code checking (which is a manual procedure).
b. The flowchart depicts computer processing of a transaction file against a master file by both the client's program and the auditor's program, and subsequent comparison of the results of processing. This is the EDP auditing technique which is known as parallel simulation.
c. The EDP auditing technique of integrated test facility does not involve a separate auditor's program, and it requires both test transactions and fictitious master records. Neither of these latter two items is depicted in the flowchart.
d. Controlled reprocessing is not a widely-accepted term for the activities depicted in the flowchart.
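As an added illustration of the parallel simulation technique described in answers 26 and 29 (example code, not from the text), the auditor's independent program reprocesses the client's transaction file against the master file and the two sets of results are reconciled. The master file, the transaction file and both programs below are constructed; the stand-in client program carries a constructed defect so that the reconciliation has something to report.

```python
"""Parallel simulation (Q26, Q29): the auditor's own program reprocesses the client's
transaction file against the client's master file and the two outputs are reconciled.
Master file, transaction file and both programs are constructed for illustration."""

# Constructed accounts receivable master file: customer number -> opening balance
MASTER = {"C001": 1000.00, "C002": 250.00, "C003": 0.00}

# Constructed transaction file: sales invoices (SI) and remittance advices (RA)
TRANSACTIONS = [
    ("SI", "C001", 500.00),
    ("RA", "C001", 1000.00),
    ("SI", "C003", 75.50),
    ("RA", "C002", 250.00),
    ("SI", "C002", 120.25),
]

def client_update(master, transactions):
    """Stand-in for the client's production update program (constructed). It carries a
    constructed defect: every remittance is posted net of a 2% discount, earned or not."""
    balances = dict(master)
    for kind, cust, amount in transactions:
        if kind == "SI":
            balances[cust] = round(balances[cust] + amount, 2)
        elif kind == "RA":
            balances[cust] = round(balances[cust] - amount * 0.98, 2)
    return balances

def auditor_update(master, transactions):
    """Auditor's independent program, written from the documented update rules:
    an invoice increases the balance, a remittance reduces it by the full amount."""
    balances = dict(master)
    for kind, cust, amount in transactions:
        if kind not in ("SI", "RA"):
            raise ValueError(f"unknown transaction type {kind!r}")
        sign = 1 if kind == "SI" else -1
        balances[cust] = round(balances[cust] + sign * amount, 2)
    return balances

def reconcile(client_out, auditor_out):
    """Return {customer: (client balance, auditor balance)} for every account that differs."""
    return {c: (client_out.get(c), auditor_out.get(c))
            for c in sorted(set(client_out) | set(auditor_out))
            if client_out.get(c) != auditor_out.get(c)}

def run_parallel_simulation():
    """Process the same transactions with both programs and return the exceptions."""
    return reconcile(client_update(MASTER, TRANSACTIONS),
                     auditor_update(MASTER, TRANSACTIONS))
```

Every customer who received a remittance shows up as an exception, which points the auditor at the remittance-posting logic rather than at individual transactions.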
30.
Answer B
a. Auditor's test data should never be processed against live master files in an actual computer update run.
b. The flowchart depicts computer processing of a transaction file against a master file, with sales invoices as one type of transaction and an unspecified second type of transaction. Remittance advices would normally be a transaction in the updating of the accounts receivable master file.
c. Error reports are not a transaction, but rather are the result of processing transactions.
d. Credit authorization forms are used to authorize sales transactions, and would normally have been processed prior to the preparation of sales orders.
31.
Answer C
a. Parallel simulation involves computer processing of real transactions against a master file by both the client's program and the auditor's program, and subsequent comparison of the results of processing. Fictitious transactions are not processed in parallel simulation.
b. Generalized audit software is not used by client operating personnel to process real transactions.
c. Integrated test facility allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process.
d. Test data are processed by the client's computer programs under the auditor's control. Thus, client operating personnel must be aware of the testing process.
32.
Answer C
a. Test data are input transactions used to test computer processing. Deductions authorized by employees are usually stored in the master payroll file.
b. Overtime not approved by supervisors is not determined by computer processing, and thus not useful as test data.
c. Time tickets with invalid job numbers are payroll input which should not be processed by a computer program.
d. Payroll checks with unauthorized signatures are not input.
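As an added illustration of the test data approach discussed in answers 19, 28 and 32 (example code, not from the text), the auditor's test deck holds one transaction per condition of interest, each with a predetermined result, and is processed through the client's program under the auditor's control. The stand-in client payroll program, job master file and test deck are all constructed, and the program carries a constructed overtime defect so that the deck produces an exception.

```python
"""Test data approach (Q19, Q28, Q32): the auditor prepares one transaction for each
condition of interest, each with a predetermined result, and processes the deck through
the client's program under the auditor's control. Program, job master and deck are
constructed for illustration."""

# Constructed job master file that the client program validates job numbers against
JOB_MASTER = {"J100", "J200", "J300"}
HOURS_LIMIT = 60  # constructed limit test: weekly hours above this are rejected

def client_payroll(time_ticket):
    """Stand-in for the client's payroll program (constructed). Returns ('ok', gross pay)
    or ('rejected', reason). Constructed defect: hours over 40 are paid at straight time
    instead of the time-and-a-half the payroll documentation specifies."""
    _emp, job, hours, rate = time_ticket
    if job not in JOB_MASTER:
        return ("rejected", "invalid job number")
    if hours < 0 or hours > HOURS_LIMIT:
        return ("rejected", "hours outside limit")
    return ("ok", round(hours * rate, 2))

# Auditor's test deck: label, time ticket (employee, job, hours, rate), expected result.
# One transaction per condition suffices (Q19 d, Q28 d); the deck covers only the valid
# and invalid conditions the auditor cares about (Q28 c), including the invalid job
# number of Q32 c and a transaction large enough to exercise the hours limit test.
TEST_DECK = [
    ("valid regular hours", ("E1", "J100", 40, 20.0), ("ok", 800.0)),
    ("valid with overtime", ("E2", "J200", 45, 20.0), ("ok", 950.0)),
    ("invalid job number",  ("E3", "J999", 40, 20.0), ("rejected", "invalid job number")),
    ("hours over limit",    ("E4", "J300", 61, 20.0), ("rejected", "hours outside limit")),
    ("negative hours",      ("E5", "J300", -1, 20.0), ("rejected", "hours outside limit")),
]

def run_test_deck(program, deck):
    """Process every test transaction and return (label, expected, actual) for each one
    whose result differs from the auditor's predetermined result. Empty list = all pass."""
    exceptions = []
    for label, ticket, expected in deck:
        actual = program(ticket)
        if actual != expected:
            exceptions.append((label, expected, actual))
    return exceptions
```

Because the deck is run in a separate pass with the auditor's own records, no real master file is touched, which is the point made in answers 18 a and 30 a.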
33.
Answer C
a. Test data tests program logic, not changes to programs.
b. Check digits verify data.
c. Source code comparison programs test for the presence of program changes.
d. Control totals verify data.