Accounting Information Systems, 12th Edition International Student Version Solution Manual


Accounting Information Systems, 12th Edition International Student Version By Simkin, Strand Norman


Chapter 1 Accounting Information Systems and the Accountant

Discussion Questions

1-1. The answer to this question will vary with each university’s location. However, it is likely most students will reveal that their parents are employed in non-manufacturing jobs. Instructors may wish to emphasize that the large numbers of service sector employees and knowledge workers reflect a trend.

1-2. This question is designed to encourage students to think about some of the information reporting limitations imposed by the traditional accounting general ledger architecture. Other activities that do not require journal entries include (1) obtaining a line of credit, (2) issuing purchase requisitions or purchase orders, (3) signing contracts, (4) hiring a new executive, and (5) sending financial information to investors or bank loan personnel. But instructors may wish to point out that important information about a company’s business transactions may be included in an annual report outside the financial statements. The management letters and footnotes in annual reports may reveal more about a company’s future prospects than the financial statements themselves.

Managers have access to much more information than what is published in financial reports. Whether or not they would like to have access to more non-financial information, or if they would prefer that the accounting information system capture data about business events rather than accounting transactions, is debatable. It may also be a function of the accounting system in a particular company. Investors may wish to have more information available to them but the downside is that too much information can be just as problematic as too little information.

1-3. The financial accounting systems we have known for more than 500 years are changing dramatically as a result of advances in information technology and financial accounting software.
For example, databases allow accountants to collect and store all the data about a transaction or other file entity in one system, allowing those needing such information to retrieve it quickly, efficiently, and specifically in any format they wish. Financial data can be more easily linked to nonfinancial data as a result of database technology as well. Thus, it is likely that financial reporting will undergo tremendous change in the next few years as we learn to use technology more effectively in the design of financial AISs.

ERP systems are another example of the information age's impact on financial accounting. Now, organizations capture more data and produce more information than ever before. This allows companies to integrate more of their financial and non-financial systems, better forecast everything from raw materials requirements to finished product production, and to perform more sophisticated analyses of important business functions. For instance, sales can be examined at many different levels and organized according to criteria such as geography, customer, product, or salesperson at the touch of the keyboard.

One of the most important changes in AISs is the way these systems will gather financial information in the future. Although many of these systems will continue to capture data in traditional batch mode or at POS sites, we expect newer systems to collect more of it on mobile devices—for example, cell phones, PDAs, and digital cameras. Because more employees are working from home these days, “digital commuting” may be another trend.



1-4. The objective of a company’s financial statements is to communicate relevant financial information to such external parties as stockholders, investors, and government agencies. Issuing financial statements in XBRL formats contributes to this objective by making such financial data more searchable, comparable, informative, and therefore useful. Also, because XBRL enables companies to use standard tags to identify specific accounting values, the language itself therefore imposes a greater degree of standardization in the informational content of the reports. Finally, as suggested by Case-in-Point 1.7, XBRL also helps government agencies gather financial data that are more consistent, easier to understand, self-checking, and more quickly communicated. Chapter 14 contains more about XBRL, including the idea that the language also enables its users to verify accounting relationships such as assets = liabilities + net worth.

1-5. The questions asked here about suspicious activity reporting (SAR) require opinions from students. Regarding the first question, which asks if SAR activity should be a legal matter, here there is little room for disagreement because so much of SAR is mandated by such federal legislation as the Annunzio-Wylie Anti-Money Laundering Act of 1992, the Bank Secrecy Act of 1996, and the Patriot Act of 2001. Although the number of SAR filings is large, less is known about how much of what appears to be suspicious is, in fact, a violation of federal statutes.

1-6. This is another opportunity for students to practice their Internet search skills. Using the keywords “university and scorecard” students can find a number of examples of how universities are using metrics to help achieve their strategic goals. Missouri State University is one of those examples (http://www.missouristate.edu/publicscorecard/).
This university calls its scorecard the “Public Scorecard” and includes an interesting variety of metrics for student achievement, research and creative activity, access and diversity, community impact, and institutional support.

1-7. The AICPA website lists hundreds of potential assurance services for CPAs to offer. These include productivity improvement, cost analysis, benchmarking, internal auditing quality assurance, CPA WebTrust for electronic commerce, and SysTrust. Several of the proposed assurance services are in the information technology management/security category. These include information systems security reviews, reviews of computer disks for unauthorized software, and audits of computerized controls. Classroom discussion might address the particular skills that CPAs would need for each of the proposed assurance service areas. Skepticism and integrity, for example, are two characteristics typically associated with public accountants.

It is interesting to learn which of the existing or proposed assurance services recommended by the AICPA will actually be offered by a given public accounting organization. Many of the larger firms already offer at least some of these services, and the largest accounting firms today derive a large portion of their revenues from professional services other than auditing and tax consulting. But the industry shake-up in 2002 may also prompt some accounting firms to scale back services and focus on only their auditing business.

The AICPA offers one-day training classes for those interested in certifying websites. Many auditors take advantage of this training but it is unclear at this point what the market for website verification services will be. So far, there have not been many adopters of WebTrust.

1-8. This question asks students to interview auditors from professional service firms and ask them whether or not the firms for which they work offer any assurance services. Hopefully,



several firms do offer such services and instructors can use this as a point of departure for additional discussion about such work.

1-9. Almost every traditional accounting job today requires at least some information systems skills. In addition, there are many job opportunities that require combined skills in both accounting and information systems. Consulting is one key area. Consultants with these skill sets can work at helping companies choose and install accounting software. They can also help companies with analyses of their business processes. Evaluating information systems security is another area of consulting where accounting and information systems skills are valuable. Tax planning, preparation, and consulting are yet other areas.

Prior research suggests that it is easier to train an accountant in information systems than vice versa. Whether this is true or not, it is certainly clear that accounting students with information systems skills are valuable employees. Individuals who are technically skilled at computers but lack knowledge about accounting concepts are handicapped when trying to help a company to develop and enhance its information systems. Their lack of accounting skills may lead their employer to install information systems that fail to meet their needs.

1-10. Employers of both accounting and IS personnel often rank “analytical reasoning” and “writing” skills on the same priority as technical skills, and some rank them even higher. Said one recruiter at the school of one author: “I can train new employees to use our computer systems and perform the majority of the technical tasks we will require of them. What I cannot train them to do is to think analytically or logically.
And what I refuse to do is to teach them to speak and write clearly and effectively—skills they should have learned in high school.” Another recruiter said it slightly differently: “Give me a technically-competent accounting or IS student who can perform AIS tasks well, and I will pay them X dollars. Give me a student who can explain to my clients how our services can solve their business problems and I will pay them 2X dollars.” There are several other attributes beyond “analytical thinking” and “writing” skills that many employers also value highly. One of them is “teamwork”—i.e., the ease and willingness of an employee to work with others instead of working alone. Another is “dedication”—i.e., the willingness and desire to get a given job done even if this means working more than 40 hours a week. A third is meticulousness—the attention to detail and the desire to get all the details correct. Finally, there is “selflessness”—the willingness to sacrifice personal goals, ego, and time in order to finish important organizational and professional projects.

Problems

1-11.
a. AAA American Accounting Association
b. ABC activity based costing
c. AICPA American Institute of Certified Public Accountants
d. AIS accounting information systems
e. CFO chief financial officer
f. CISA certified information systems auditor
g. CITP certified information technology professional
h. CPA certified public accountant
i. CPM corporate performance measurement
j. ERP enterprise resource planning



k. FASB Financial Accounting Standards Board
l. HIPAA Health Insurance Portability and Accountability Act
m. ISACA Information Systems Audit and Control Association
n. IT information technology
o. KPI key performance indicator
p. OSC Operation Safe Commerce
q. PATRIOT Act Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
r. REA resources, events, and agents
s. SAR suspicious activity reporting
t. SEC Securities and Exchange Commission
u. SOX Sarbanes-Oxley
v. VAR value-added reseller
w. XBRL extensible business reporting language

1-12. The number of articles in professional accounting journals that relate to information technology has grown significantly during the past several years. Almost every issue of these journals has a large number of articles on such topics as accounting software, electronic commerce, information systems security, SOX software, and new computer tools for accountants. Several now have separate “Technology” columns or sections devoted to IS topics or developments. Students completing this exercise are likely to conclude that “information technology” now influences almost every aspect of accounting.

1-13. This problem focuses on the human side of organizations—especially ways that employees might devise to “beat the system.” This problem is therefore especially useful in alerting students to the importance of designing and using systems that employees perceive as “fair,” and classroom discussions should reveal that employees can sabotage even the most cleverly-designed accounting systems.

a. Organizations often use accounting measures such as return on investment (ROI) for performance evaluation. Unfortunately, managers can manipulate these measures, at least in the short run, by either artificially increasing profits (the numerator) or decreasing assets (the denominator).
Some ways to accomplish this are to (1) defer expenses, (2) maximize sales, (3) postpone maintenance on assets, (4) postpone investments in assets, or (5) use historical cost-based assets, adjusted by depreciation instead of market costs (which can result in an infinite return on investment once all the organization's assets have been fully depreciated). Where net profit is used in the calculation, Nehru's comment about including allocated overhead in deriving profit is another argument against using return on investment. There are many different performance measures that Acme might use—some quantitative and some qualitative. Other accounting measures include (1) segment margins, (2) units of sales, (3) increases in the number of customers, (4) increases in new customers, (5) measures of customer satisfaction, (6) decreases in sales returns, (7) employee complaints, and (8) employee turnover.

b. Accounting numbers can frequently lead to dysfunctional behavior if their limitations are not universally understood. For example, if the incentives are large enough or the penalties for underperformance are harsh enough, managers might be tempted to record “potential sales” as “actual sales” in a given time period, accelerate the depreciation of assets using alternate depreciation schedules, “forget” to subtract costs in computing



returns, or sabotage the “returns” of other managers in order to improve their own performance values. Dysfunctional behavior may also surface if one number is used in isolation. For instance, return on investment discriminates against entities with larger investment bases. It also has the shortcomings mentioned above. However, ROI adjusted for overhead allocations and current asset values might be a good measure when used in conjunction with other measures.

c. This part of the problem requires Internet research. Students might have trouble trying to find the best “keywords” to use for searching. A hint the professor might give the students is “manufacturing and software”. Such a search yields many choices for students to research. An example is: http://www.manufacturing-software.com/. This website offers a 2011 TOP 15 Manufacturing Software Report. Also, the site offers comparison tools to help manufacturing companies find a vendor that can help their manufacturing company succeed. Help students notice that this company is described as a large manufacturing company, which suggests that the company has the resources to consider a variety of choices of tools to help run the company effectively and efficiently – which translates to a more profitable company.

1-14. The idea behind Mr. Zucker’s observation is that many companies now make less money in the digital age than they did in the analog age. This is perhaps because items like CD music, downloads, and DVD movies are now in digital formats that can easily be copied and transmitted, making copyright infringement common.

a. Music company executives are having a difficult time. Music files are small and easily shared once downloaded. Protection is difficult because legitimate users often wish to copy their music from one computer to another, or from one computer to iPods, MP3 players, cell phones, and other portable devices.

b. Consumers of course love it when product prices decrease.
But they dislike anything that restricts their free and liberal use of digital media. After all, they paid for it and feel they should be free to copy and use it any way they wish.

c. TV executives appear to both appreciate and dislike the new reality of the digital age. Digital media makes TV programming easier and cheaper, but decreases the income streams that used to come from VHS tape sales. TV executives also find that making older episodes of popular TV series available on their websites increases the visibility of their works and therefore the popularity of their websites. However, it is not clear whether the advertising revenues from such sites are able to offset the lost revenues of tape and disk sales.

1-15. This problem requires students to find out “what’s new” in the field of AIS now, and to write a report on their findings. A good starting point for this is to read the “Technology” sections of popular accounting journals, or reference the websites of some of the professional accounting associations such as the AICPA or ISACA.

1-16. Instructors might want to mention that this problem asks students to consider the accounting information needs of a subset of not-for-profit organizations, and to note that the accounting data required by them often does not differ much from for-profit organizations.

a. Examples of the financial information gathered and maintained by such groups include data on dues payments, revenues from such club activities as bake sales, rummage



sales and swaps, car washes, newsletter expenses, advertising expenses, office equipment expenses, professional service expenses, and disbursements for such items as gifts, student scholarships, and travel reimbursements.

b. Hopefully, students will realize that they are talking about manual accounting information systems. For example, the manual system gathers the same data that would be gathered by a computerized system, stores it for future reference and further processing, and periodically outputs it in useful formats for club members and perhaps government agencies.

c. Most recreational clubs have only a single “treasurer” to look after the financial matters of the organization. This is a good idea to the extent that assigning only one person for the task of treasurer limits the burden of the job to only one individual and ensures accountability and responsibility to a single person for the “money portion” of club activities. But it is also a recipe for fraud, inasmuch as there is no separation of duties and, for example, the same person who spends the money writes the checks for it, most club members do not concern themselves with the financial details of the club, and deception can be very simple. Although it is easy to dismiss the financial activities of most such organizations as immaterial because the amounts of monies involved are small, this is often not true for condo associations.

d. Several advantages can accrue to computerizing club finances. Among them are (1) greater accuracy in data recording and data processing, (2) the ability to output financial information in a variety of legible and professional-looking formats, (3) added flexibility in the ways the treasurer can process and output financial information, (4) greater ease in accessing needed data or generating ad-hoc reports, and (5) the potential for more timely reports.
Where club treasurers can use an existing personal computer for club tasks and/or the services of the treasurer are free, such computerization can be cost effective. If a club has to pay for either the computer or the services of a treasurer, the cost-effectiveness of computerization becomes less clear.

1-17. In this case, students are asked to look at three different sources of information to help them invest $10,000 in the common stock of a publicly-held company. In general, they will find the following:

a. Financial Reports from the company’s own website: Most students will indicate that the information contained in the reports on the website is “complete,” but that it is not sufficient for making an informed investment decision. Three possible shortcomings are: (1) the information is self-promoting and therefore positive and upbeat, even if the company has been losing money year after year; (2) the information is mostly limited to the company itself, and may not discuss the industry in which it competes or possible negative factors that may affect it; (3) the information may not include substantiated predictions about the value of the company’s stock in the future.

b. Information found at brokerage or investment firms: For investment purposes, the information provided by firms such as e-trade tends to be more useful than a company’s own financial statements. Among the reasons are: (1) the information tends to focus on investment decisions rather than provide general information, (2) the user can access and even customize historical charts that show stock prices, income, revenues and so forth, and (3) these websites often include links to additional news stories and analytical



reports about the company, the industry in which it competes, and the firm’s future prospects, all written by independent and presumably objective reviewers.

c. Information from investment services: This information typically includes dispassionate reviews of a company’s operations, its successes and failures, important management changes, the industry in which it operates, and prospects for the future. This information typically also includes an overall rating for a particular company such as “hold,” “accumulate,” or “sell.” Whether or not such ratings are “sufficient” to convince a student to buy stocks is a personal matter, but certainly the information might be considered more useful than the simple facts or historical values provided in items 1 and 2 above.

d. A large number of dry facts about a company are rarely as informative as an objective analysis of it and a recommendation to “buy” or “sell” its stock. After performing this exercise, students should have a much better feel for the difference between “data” and “information.”

1-18. This problem requires students to do some research on the Internet about suspicious activity reporting. Specifically, the question asks students to indicate what types of activities the various banks, casinos, and so forth, should watch for. Another example is insurance companies and fraudulent claims. At this website we find an interesting instance of this type of suspicious activity: http://www.insurancejournal.com/news/east/2011/09/20/216476.htm. On August 3, 2010, Reed made a false claim to his insurance company for damage to the driver’s side of his truck. On that date, he reported that on July 31, 2010, while driving in Boston, he struck a guard rail. He told the claims representative that the driver’s side of the truck was damaged but that no other vehicle or property damage was involved in the accident.
When the insurance company was investigating the claim, they received a tip that the truck was not damaged as Reed had claimed, but was purchased “as is” with the damage to the driver’s side of the truck.

Case Studies

The Annual Report

1. a. An annual financial report is a one-way communication device. It emphasizes clarity and conciseness, but there is often no immediate feedback from readers about the messages they receive from it. Thus, preparers must attempt to identify the users/audience of the report, and estimate their informational needs. Only then can preparers determine the content and language of the report—i.e., the words and phrases that are most familiar and appropriate to users or readers.

The preparer must also consider the length, content, and organization of the material in the annual report. For example, a report that is too long or contains too much detail can detract from the overall goal of communicating important financial information (as opposed to data) to readers. Conversely, a report that is too succinct might trigger reader suspicions that the company is hiding important information. Finally, a logical ordering and an attractive format can also help transmit ideas. At one point, some businesses (e.g., Disney Corporation) traditionally included personal messages from the company’s CEO in order to personalize the report and perhaps make it more appealing. Similarly, companies that put the basic financial information



required of them in small print at the end of a yearly report might convey the message that they don’t want readers to see it.

b. The different users of annual reports have differing information needs, backgrounds, and abilities. For some users, the annual report may serve as an introduction to the company and/or the only source of information about it. But other users read annual reports from cover to cover, searching for clues about the firm’s future prospects, hidden problems or strengths, and other information useful for evaluating the company’s investment potential. Because the same annual report must communicate with all its users, the problems the corporation faces include the following:

• In attempting to reach several audiences, companies try to include information for each audience. As a consequence, the annual report may grow in size and complexity to the point where it contains more information than many users want or are able to digest—a problem discussed in the chapter as information overload. In some cases, technical concepts may be reduced to simpler terms, losing precision and conciseness and thereby leading to generalizations that readers may perceive as being of little value.

• The report developers must exercise care in presenting the information contained in the report. Key terms or phrases that may be familiar to one user group—for example, technical terms commonly used in the company’s industry—may not be understood by general investors. Similarly, graphic displays that may be useful to some may be meaningless to others.

2. Other than the financial statements and accompanying footnotes, an annual report often contains:
• A discussion and analysis of operating results
• Information about organizational objectives, strategies, and long-term goals
• An indication of management’s outlook for the future (almost always rosy!)
• A list of the Board of Directors and the officers and top management of the organization
• Segment data and performance information for the firm’s major divisions
• Information on new initiatives and research
• Recent stock price history and stock information
• In the case of retailers, perhaps a coupon entitling the holder to a discount

3. Stating well-defined corporate strategies in a company’s annual report provides the following advantages:
• Communicates the company’s plan for the future and resolves any disparate issues
• Provides a vehicle for communicating the company’s strengths
• Builds investor confidence and portrays a positive image
• Reassures nervous investors that the company’s managers are working hard for owner interests
• It alerts investors to potential adverse, long-term forces in the company’s industry

Some of the disadvantages of including corporate strategies in an annual report are:
• It commits management to fulfilling the stated objectives and strategies, a commitment that may cause inflexibility
• It communicates to unintended parties who could put the company at risk (i.e., competitors)



• The strategies themselves may make the company appear out-dated by the time they are in print.

4. Annual reports fulfill users’ information needs as discussed below.

a. Shareholders. Annual reports meet the statutory requirement that publicly-held corporations report annually to stockholders and potential stockholders about the financial operations of the company and the stewardship of management. The annual report gives shareholders financial and operating information such as income from operations, earnings per share, the Balance Sheet, Cash Flow Statement, and related footnote disclosures, all of which potential shareholders may need in order to evaluate the risks of and potential returns from investing in the company. As noted above, however, the volume of data presented in annual reports can result in information overload that reduces the value of the reports. Confusion can also result from reducing technical concepts to common concepts or by the presentation of duplicate messages by different forms of media.

b. Creditors. The annual report of public companies provides financial information that allows creditors to project a company’s financial solvency and therefore its ability to repay its loans. This can be a good thing if the company is doing well.

c. Employees. The annual report gives employees such information as a description and status of the company’s pension plan and the employee stock incentive plan. This gives employees a base from which to compare their benefits program to those of other companies. Annual reports also provide employees with a year-end review of the results to which they have contributed during the year. In this sense, the annual report provides reinforcement and rewards. The annual report also informs or reminds employees of the organization’s values and objectives, and sensitizes them to the aspects of the organization with which they are not familiar. On the other hand, many employees may already know how their organization is performing so the annual report may not provide any substantive additional information to them.
d. Customers. The annual report provides trend information and perhaps information on management performance. Customers can use this information to assess the popularity of selected products, the likelihood that the firm can provide the goods or services they need, or even the company’s longevity.

e. Financial analysts. The set of audited comparative financial statements provides the basis for the research done by financial analysts. Notes, which are an integral part of the annual report, describe or explain various items in the statements, provide additional details, or summarize significant accounting policies. Financial analysts are the most sophisticated users of the information in annual reports. For example, they are able to ignore subjective interpretations included in the reports. However, these individuals may find that some of the data contained in the report may be too condensed and therefore need more detailed information than what the annual report provides.

5. Management may decide to omit competitive information entirely from the annual report, or to disguise it because competitors have access to annual reports. The objective of reporting should be to reveal as much as possible without giving away proprietary information or a competitive edge.



6. This part of the problem requires students to conduct an Internet search. At the website for Philips (http://www.annualreport2010.philips.com/) students can find an interesting variety of information on what the company is doing to support sustainability reporting. This is just one example of the many companies reporting on their sustainability efforts.

Performance Management Company

The issue of performance evaluation is one of the most controversial and interesting topics in accounting today. Computerized AISs offer the capability to produce so much more information than was available in the past, allowing for new and better performance evaluation systems. Since performance evaluation affects individuals directly (i.e., in terms of rewards), this topic is one that can create many problems for organizations.

1. It is probably useful for budget specialists to work with management to develop a performance evaluation system. However, it is not a good idea for special staff to be charged with the entire task of performance evaluation reporting. Once a system is in place, the managers should be able to produce these reports. Scott's staff could work with managers at the various plants to derive an evaluation system. Auditors (or perhaps Scott's staff) should periodically review each manager's report to ensure that the reporting is fair and accurate.

Students may differ on the matter of who best explains the variances. The managers are correct in asserting that they better understand their suppliers, contractors, and customers, and that Scott's staff is not likely to understand these matters well enough to explain the variances. On the other hand, students can argue that managers are human and have a natural conflict of interest in such reporting. In particular, although they understand their business, it is easy to blame others—including each other—for problems that are well within their own control.
Allowing managers to explain variances begs the question: “are selfreported explanations of variances likely to be unbiased assessments of plant activities?” 2. Decentralizing performance evaluation is probably a good idea for this organization. Under the old system, revenues and expenses were consolidated for all plants to produce one income statement. Undoubtedly this required allocation of indirect costs. Such allocation can never please everyone since all allocations are essentially arbitrary. Striving for some consistency in performance evaluation is a good idea so that the performance of each plant can be compared against the others. Use of segment margins which show the difference between direct revenues and expenses would be a good measure. Return on investment which uses current values and the segment margins might be another. Nonfinancial evaluation measures, such as employee turnover, amount of production, customer turnover (customer satisfaction), sales returns, employee productivity, and so on, can also be part of the evaluation system. 3. The performance evaluation report Mr. Stewart receives should be short and concise. Ideally, one page per month per plant should be sufficient. The report can also compare all plants on various financial and nonfinancial measures, such as the ones mentioned above. Any significant variances can include managers’ explanations in footnotes. The point to remember is that this is an "action report." Mr. Stewart will look at it most months, note variances and explanations, and take no action. However, on occasion, the report will call for investigation. Note to Instructor: You might want to have your students design a sample report using spreadsheet software.



Chapter 2 Information Technology and AISs

Discussion Questions

2-1. An AIS is best viewed as a set of interacting components that must all work together to accomplish data gathering, storage, processing, and output tasks. For example, computer hardware runs software, and each would be "lost" without the other. Similarly, software must have data to provide useful information. And all these components would be useless without people and procedures to maintain them, gather them, run them, and use them properly.

2-2. An understanding of information technology (IT) is important to accountants for many reasons. Some examples:

a) Many of today's accounting tasks are performed with computers. Thus, it is essential that the modern accountant possess a basic understanding of a computer's functions, capabilities, and limitations.
b) Accountants often help clients make hardware and software decisions. Knowledge of IT concepts is critical to these efforts.
c) Accounting information systems that are computerized must still be audited. It is impossible to audit such systems without a firm understanding of IT concepts.
d) Accountants are often asked to sit on evaluation committees when changes to existing accounting systems are contemplated. An understanding of how a computer operates enables the accountant to participate more intelligently in such committees.
e) Accountants are often asked to assist in the design of new computerized accounting information systems. Computer technology often plays an important role in this design work.
f) Most accounting systems require controls to assure the accuracy, timeliness, and completeness of the information generated by such systems. An understanding of how computer technology contributes to these objectives, and also how computer technology can thwart these objectives, enables the accountant to evaluate computer controls in an automated accounting environment.
g) Those accountants who understand how to use computer hardware and software will have the easiest time in performing such tasks as auditing, budgeting, database use, and so forth. Thus, the more accountants understand about information technology, the easier it is to get hired, noticed, and/or promoted.
h) A great deal of accounting data are gathered, transmitted, processed, and distributed via the Internet. A fundamental understanding of the information technology that drives these activities is therefore essential to the accountants who help perform these activities.

2-3. Data transcription refers to the transformation of data from source documents into machine-readable "computerized" input. Data transcription is unnecessary in manual accounting information systems because there is no computer. However, data transcription is critical to those computerized accounting information systems that collect data with manually-prepared source documents. Data entry personnel typically transcribe data by copying them onto computer-readable media such as CDs, or more commonly, keying data directly into computers (e.g., when a bank clerk helps a customer make a deposit). Thus, data transcription is usually labor intensive and therefore costly. Data transcription also has the potential to insert errors into data and/or to delay or “bottleneck” operations. Designers of effective accounting information systems are willing to incur such costs because the benefits of the computerized processing from these systems make them cost-effective. However, data-preparation time and costs can be saved, and transcription delays avoided, if an AIS gathers data that are already in machine-readable form (e.g., through automatic tag readers, bar codes, or magnetized-strip cards).

2-4. Computer input equipment includes computer keyboards, computer mouse, bar code readers, POS devices, MICR readers, OCR readers, magnetic strip readers, and such specialized microcomputer input devices as computer mice, joysticks, web cams, and microphones. A growing amount of accounting data is also now input via mobile devices such as smart phones and PDAs. The chapter describes the functioning of each of these devices in detail.

2-5. This question asks students to voice their personal opinions about red-light cameras—the ones that automatically issue traffic tickets when drivers run red lights. This question should therefore generate lively discussion. Many drivers hate them—for example, arguing that winter conditions made it difficult to stop or that such systems are more motivated by ticket revenues than by concerns for safety. Local government officials typically argue the opposite—i.e., that such systems merely enforce driving laws already on the books, serve a safety function, and save local residents money by generating revenues that could otherwise only be raised by other taxes.

2-6. The three components of the central processing unit are: (1) primary memory, (2) arithmetic/logic unit, and (3) control unit. As its name suggests, the primary memory of the CPU temporarily stores data and programs for execution purposes.
The arithmetic-logic units of most central processors have special-purpose storage memories called registers that perform arithmetic operations (such as addition, subtraction, multiplication, division and exponentiation) and logical operations (such as comparisons and bit-manipulating functions). Finally, the control sections of central processing units act as an overseer of operations, interpreting program instructions and supervising their execution. Microprocessor speeds are measured in megahertz (MHz) or gigahertz (GHz)—the number of pulses per second of the system’s timing clock. In larger computers, processor speed is also measured in millions of instructions per second (MIPS) or millions of floating point operations per second (MFLOPS). Processor speeds are rarely important to accounting systems because the speed of the processor drastically exceeds the speeds for input and output operations. Most computers are I/O bound, meaning that their CPUs mostly wait for data to be input or output.

2-7. The three types of printers mentioned in the text are dot-matrix printers, inkjet printers, and laser printers.

Dot-Matrix Printers
a) Advantages: (1) inexpensive, (2) flexible, and (3) able to print on multipart paper (i.e., make “carbon copies”)
b) Disadvantages: (1) slow print speeds, (2) low print resolutions

Ink-Jet Printers
a) Advantages: (1) higher print resolutions than most dot-matrix printers, (2) can print in multiple colors, (3) can print photographic prints, and continuous graphs, (4) selected models can perform faxing, copying, and scanning functions, and (5) comparatively inexpensive compared to laser printers
b) Disadvantages: (1) lower speeds (compared to laser printers), (2) can print single copies only (not carbon copies), and (3) ink cartridges are comparatively expensive

Laser Printers
a) Advantages: (1) high output quality, (2) fastest print speeds, (3) selected models can perform faxing, copying, and scanning functions
b) Disadvantages: (1) comparatively higher costs for both printers and toner cartridges, and (2) can print single copies only

2-8. Secondary storage devices provide a permanent, non-volatile medium for storing and retrieving accounting data. Examples include permanent hard disks, removable disks such as zip disks, CD-ROM disks, DVDs, flash (USB) drives, cartridge tape, and flash memory sticks (e.g., the type used in cameras). Secondary storage is important to AISs because the primary memory of a computer is too small and too volatile to meet the permanent-storage requirements of the typical accounting information system. In addition, such secondary storage media as CD-ROMs and USB devices are removable and therefore useful for backup, mailing, and distribution tasks. These media and their relative advantages and disadvantages are described at length in the chapter.

2-9. Image processing refers to storing graphic images in computer files (usually of business documents) and manipulating them electronically. Examples of image processing applications mentioned in the text include: insurance companies (storing claims forms and accident reports), banks (storing check images), hospitals (storing medical diagnostic scans), and the IRS (storing tax returns data). Other examples include catalog applications (storing merchandise images), personnel applications (storing employee pictures), and legal applications (storing mortgages, deeds, wills and other legal documents).
Four advantages of image processing that are important to AISs are: (1) fast data capture, (2) archiving efficiency (the ability to store hundreds of thousands of documents on a small medium), (3) processing convenience (the ability to retrieve, catalog, sort, or otherwise organize images quickly and efficiently), and (4) accessibility (the ability to provide the same images to several users at once). This last, file-sharing advantage is also important for collaborative tasks in professional offices. 2-10. Data communications protocols are the standards by which computer devices communicate with one another. Examples of such standards include the packet size and format, the transmission rate, the duplex setting, the type of transmission (synchronous versus asynchronous), and the type of parity used (odd, even, or none). Communication protocols are important because they enable computers to transmit digital data over different types of communications media, and also to interpret data after the transmission takes place. For instance, if the parity bit for a character were different than the parity bit at the time it was transmitted, the character would either be different or unreadable. 2-11. Local Area Networks (LANs) are collections of computers, file servers, printers, and similar devices that are all located in a small area (e.g., the same building), and that are all connected to one another for communications purposes. The advantages of LANs are described in the chapter, and include: (1) ability to facilitate communication among LAN members, and between LAN members and the Internet, (2) sharing computer equipment, (3) sharing computer files, (4) saving software costs, and (5) enabling unlike computer equipment to communicate with one another. 2-12. Client/server computing is an alternate to mainframe/host computing. 
In centralized computing systems, the mainframe computer or minicomputer performs most, if not all, of the processing and database tasks, which are also mostly centralized. In client/server computing, processing may be performed by the server computer or the client (typically, a microcomputer), and database information is usually copied onto several file servers. Client/server systems offer several advantages. These include the ability to: (1) substitute the inexpensive processing capabilities of microcomputer hardware and software for comparatively expensive mainframe or minicomputer processing capabilities, (2) reduce data communications time and costs, and (3) utilize thin-client systems. Some disadvantages are: (1) the problem of maintaining multiple copies of the same databases on several servers, (2) the additional tasks required to keep server databases current, (3) more difficult backup and recovery, (4) increased difficulty when changing application software from one package to another, and (5) a potential need for greater user training. The security and auditability of client/server systems are usually also more complex.

2-13. These days, almost any vendor that offers remote services could be classified as a cloud computing vendor. This includes those companies that perform basic payroll services such as Intuit, tax preparers that prepare tax returns remotely such as H. & R. Block, and even those universities that offer distance-education courses on the Internet. Cloud computing vendors offer the major advantages of other outsourcing suppliers along with near-instantaneous electronic speed (no more need for a courier service!). But cloud computing isn’t always cheaper, faster, or better. Moreover, the quality of a vendor’s work is not automatically guaranteed simply because it provides online services, and “security” is also a concern because the owner loses control of data. Finally, subscribers that become dependent upon their vendors run an added risk should data failures or data breaches occur.

2-14. Windowing operating systems such as Windows Vista and Windows 7 are operating systems that use graphical user interfaces (GUIs) with menus, icons, and other graphics elements. These elements enable users to select processing options and perform computing tasks without the need to memorize system commands. In contrast, command-driven operating systems such as DOS and UNIX force users to memorize system commands because available options are not usually listed or displayed onscreen. Multitasking capabilities enable operating systems to perform more than one task on a single-user computer. Most windowing operating systems are multitasking systems that allow users to operate several concurrent sessions in separate windows, and to switch back and forth among them as needs dictate. Multitasking operating systems enable users to work more efficiently and perhaps be more productive. Windowing operating systems, GUIs, and multitasking operating systems are also important to AISs because so many other microcomputer accounting programs require them. For example, Peachtree, Solomon, Great Plains, Excel, Access, and Word software all run under Microsoft’s Windows operating systems. These programs are used by accountants as personal and professional productivity tools, and also by auditors and the clients of CPA firms for similar reasons.

2-15. Four classes of application software are: (1) personal productivity software, (2) commercial productivity software, (3) accounting software, and (4) communications software. Other types of application software include database software, software for academics (e.g., grade-book management software), medical diagnostic software, game-playing software, software that processes marketing data, production data, personnel data, and enterprise resource planning (ERP) software. Personal productivity software enables users to create and manipulate word documents (word processing software), create and manipulate spreadsheets (spreadsheet software), create and manipulate databases (database management systems software), create and maintain calendars, or maintain personal budgets and finances (personal finance software). Commercial productivity software enables users to plan and track resources on large projects (project management software), design consumer or industrial products (CAD software), control manufacturing processes (CAM software), or create presentations (presentation graphics software). Accounting software performs the familiar accounting tasks involved in payroll, accounts receivable, accounts payable, and inventory control. Chapter 7 of this text discusses integrated accounting packages in detail and Chapter 8 discusses the transaction cycles involved in these applications. Communications software enables users to email one another, transmit data to and from distant computers, and access the Internet and World Wide Web. Finally, ERP software enables businesses to transmit, manipulate, and integrate financial data on a corporate-wide basis.

2-16. Computer programmers create the capabilities of each and every computer application by writing computer instructions in a programming language that a computer can understand and execute. Fortran (an acronym for “formula translation”) was one of the first such languages, and excels in translating mathematical expressions into computer code. COBOL (Common Business Oriented Language) enables users to write programming instructions in English-like code and is comparatively self-documenting. RPG (Report Program Generator) is good for creating simple reports from existing databases and is widely supported by IBM on minicomputers. Some of the newer programming languages mentioned in the text include (1) C++, which excels at bit manipulations and assembler tasks, (2) HTML (HyperText Markup Language), which programmers use to create web pages, (3) JAVA, which programmers can use to create interactive websites, and (4) Visual Basic, which enables programmers to develop interactive windows programs with easily manipulated, event-driven programming tools.

Problems

2-17. Classifying equipment:

| Item | Classification |
| --- | --- |
| a) ALU | CPU component |
| b) CD-ROM | secondary storage device |
| c) keyboard | input equipment |
| d) modem | data communications |
| e) dot-matrix printer | output equipment |
| f) POS device | input equipment |
| g) MICR reader | input equipment |
| h) laser printer | output equipment |
| i) flash memory | secondary storage device |
| j) OCR reader | input equipment |
| k) magnetic hard disk | secondary storage device |
| l) ATM | input and output device |
| m) primary memory | CPU component |



2-18. Defining acronyms:

| Item | Meaning |
| --- | --- |
| a) POS | Point of sale |
| b) CPU | Central processing unit |
| c) OCR | Optical character recognition |
| d) MICR | Magnetic ink character recognition |
| e) ATM | Automated teller machine |
| f) RAM | Random access memory |
| g) ALU | Arithmetic-logic unit |
| h) MIPS | Millions of instructions per second |
| i) OS | Operating system |
| j) MHz | Megahertz |
| k) pixel | Picture element |
| l) CD-ROM | Compact disk - read only memory |
| m) worm | Write once read many |
| n) modem | Modulator demodulator |
| o) LAN | Local area network |
| p) WAN | Wide area network |
| q) RFID | Radio frequency identification |
| r) WAP | Wireless application protocol |
| s) Wi-Fi | Wireless fidelity |
| t) ppm | Pages per minute |
| u) dpi | Dots per inch |
| v) NFC | Near field communications |

2-19.
a) one DVD disk capacity = 17 gigabytes
b) one hard disk capacity = 160 gigabytes
c) ten CD-ROM disks = 10 * 650 megabytes = 6,500 megabytes = 6.5 gigabytes
Conclusion: Choice (b) holds the most data.

2-20. 500*(1024^3) = 536,870,912,000 bytes

2-21. Brian Fry Products

| Item | Character positions | Field |
| --- | --- | --- |
| a) | 1-4 | order number |
| b) | 5-9 | part number |
| c) | 10-19 | part description |
| d) | 20-22 | manufacturing department |
| e) | 23-27 | number of pieces started |
| f) | 28-32 | number of pieces finished |
| g) | 33-34 | machine number |
| h) | 35-42 | date work started (MM/DD/YYYY) |
| i) | 43-46 | hour work started |
| j) | 47-54 | date work completed (MM/DD/YYYY) |
| k) | 55-58 | hour work completed |
| l) | 59-61 | work standard per hour |
| m) | 62-66 | worker number |
| n) | 67-71 | foreman number |


2-22. Go to the AICPA website and identify the top ten information technologies for the current year.

http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TopTechnologyInitiatives/Pages/2010TopTenInitiatives-Complete.aspx

At the time this answer key was prepared, they were:

1) electronic data interchange (EDI - hardware)
2) database accounting software
3) local area networks (hardware and software)
4) client/server computing (hardware)
5) open systems (hardware and software)
6) downsizing (hardware, but also people)
7) continuous auditing (software)
8) image processing (hardware and software)
9) decision support systems (software)
10) expert systems (software)

Some current important trends and topics not mentioned are such items as computer viruses, the Internet and the World Wide Web, electronic commerce, Internet taxation, software piracy, privacy on the Internet, and the Telecommunications Act of 1996.

2-23. An RFID system for a state’s toll roads.

| Entry | Debit Account Title | Debit Amount | Credit Account Title | Credit Amount |
| --- | --- | --- | --- | --- |
| a. | Cash | 20.00 | Transponder Sales | 20.00 |
| b. | Cash | 100.00 | Transponder Deposits | 100.00 |
| c. | Transponder Deposits | 900.00 | Credit Cards Receivable | 900.00 |
| d. | Transponder Deposits | 25.75 | Cash | 25.75 |
| e. | Owner’s Equity | 10.00 | Cash | 10.00 |

2-24. This problem requires students to select a type of computer hardware of interest and to write a one-page report. We recommend requiring students to use a spreadsheet with which to embed pictures of three different hardware examples in separate cells. We found that the results are interesting and fun to grade, and that some of our students were surprised to learn that they can embed pictures in spreadsheets.



Case Studies

Pucinelli Supermarkets

Example:

| Item | Computations (Column B) | Formulas for Column B |
| --- | --- | --- |
| UPC Code: | 064200115896 | 064200115896 (Stored in cell B2) |
| Length Test: | OK | =IF(LEN(B2)=12, "OK", "Not OK") |
| Check Digit is: | 6 | =RIGHT(B2,1) |
| Sum of odd digits: | 19 | =MID(B2, 1, 1) + MID(B2, 3, 1) + MID(B2, 5, 1) + MID(B2, 7, 1) + MID(B2, 9, 1) + MID(B2, 11, 1) |
| Sum of even digits: | 17 | =MID(B2, 2, 1) + MID(B2, 4, 1)+MID(B2, 6, 1) + MID(B2, 8, 1)+ MID(B2, 10,1) |
| Add digits x 3: | 57 | =3*B5 |
| Sum: | 74 | =SUM(B6:B7) |
| Last digit: | 4 | =RIGHT(B8,1) |
| Computed check digit: | 6 | =IF(B9=0, 0, 10-B9) |
| Conclusion: | valid number | =IF(AND(B3="OK",VALUE(B10)=VALUE(B4)),"valid number", "invalid number") |

Answers:

| Item | 1. | 2. | 3. | 4. |
| --- | --- | --- | --- | --- |
| UPC Code: | 639277240453 | 040000234548 | 034000087884 | 048109352495 |
| Length Test: | OK | OK | OK | OK |
| Check Digit is: | 3 | 8 | 4 | 5 |
| Sum of odd digits: | 29 | 10 | 19 | 22 |
| Sum of even digits: | 20 | 12 | 19 | 23 |
| Add digits x 3: | 87 | 30 | 57 | 66 |
| Sum: | 107 | 42 | 76 | 89 |
| Last digit: | 7 | 2 | 6 | 9 |
| Computed check digit: | 3 | 8 | 4 | 1 |
| Conclusion: | valid number | valid number | valid number | invalid number |
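The spreadsheet steps of the Pucinelli case, as an added Python example that is not part of the solution manual: it runs the length test and check-digit test on the five UPC codes from the case and, going beyond the case, enumerates which keying errors the check digit fails to catch. The function names are illustrative assumptions.

```python
# Added example: UPC-A check-digit validation following the spreadsheet's steps.
# Function names are illustrative; the sample codes are the ones in the case.


def _all_digits(text: str) -> bool:
    """True only for ASCII digits 0-9 (str.isdigit alone accepts other scripts)."""
    return text.isascii() and text.isdigit()


def compute_check_digit(first_eleven: str) -> int:
    """Check digit for the first 11 digits of a UPC-A code."""
    if len(first_eleven) != 11 or not _all_digits(first_eleven):
        raise ValueError("expected exactly 11 ASCII digits")
    odd_sum = sum(int(d) for d in first_eleven[0::2])   # positions 1, 3, ..., 11
    even_sum = sum(int(d) for d in first_eleven[1::2])  # positions 2, 4, ..., 10
    last_digit = (3 * odd_sum + even_sum) % 10
    return 0 if last_digit == 0 else 10 - last_digit


def validate_upc(code: str) -> dict:
    """Run the length test and the check-digit test on a code held as text."""
    result = {"code": code, "length_ok": len(code) == 12,
              "stated": None, "computed": None, "valid": False}
    if not result["length_ok"] or not _all_digits(code):
        return result
    result["stated"] = int(code[-1])
    result["computed"] = compute_check_digit(code[:11])
    result["valid"] = result["stated"] == result["computed"]
    return result


def undetected_single_digit_errors(code: str) -> list:
    """Every one-digit substitution of the code that still validates."""
    misses = []
    for i, original in enumerate(code):
        for replacement in "0123456789":
            if replacement != original:
                altered = code[:i] + replacement + code[i + 1:]
                if validate_upc(altered)["valid"]:
                    misses.append(altered)
    return misses


def undetected_adjacent_transpositions(code: str) -> list:
    """1-based positions i where swapping digits i and i+1 changes the code
    but the altered code still passes validation."""
    positions = []
    for i in range(len(code) - 1):
        if code[i] != code[i + 1]:
            altered = code[:i] + code[i + 1] + code[i] + code[i + 2:]
            if validate_upc(altered)["valid"]:
                positions.append(i + 1)
    return positions


if __name__ == "__main__":
    case_codes = ["064200115896", "639277240453", "040000234548",
                  "034000087884", "048109352495"]
    for upc in case_codes:
        r = validate_upc(upc)
        verdict = "valid number" if r["valid"] else "invalid number"
        print(upc, r["stated"], r["computed"], verdict)
    # A numeric cell or integer field drops the leading zero of 064200115896;
    # the length test then rejects the 11-character remainder.
    print(validate_upc("64200115896"))
    print(undetected_single_digit_errors("064200115896"))
    print(undetected_adjacent_transpositions("639277240453"))
```

Every single-digit substitution is caught, but swapping two adjacent digits that differ by 5 (positions 4-5 and 6-7 of 639277240453) still validates. The check digit is therefore an input-validation control against keying errors, not evidence that a code is genuine.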


Savage Motors (Software Training)

| Department | No. of Employees | Word Processing | Spreadsheets | Database | Presentation Graphics | Accounting |
| --- | --- | --- | --- | --- | --- | --- |
| Sales | 112 | 1150 | 750 | 900 | 500 | 700 |
| Operations | 82 | 320 | 2450 | 650 | 100 | 500 |
| Accounting | 55 | 750 | 3600 | 820 | 250 | 2500 |

Answers for Part 1:

| Department | No. of Employees | Word Processing | Spreadsheets | Database | Presentation Graphics | Accounting |
| --- | --- | --- | --- | --- | --- | --- |
| Sales | 112 | 10.3 | 6.7 | 8 | 4.5 | 6.3 |
| Operations | 82 | 3.9 | 29.9 | 7.9 | 1.2 | 6.1 |
| Accounting | 55 | 13.6 | 65.5 | 14.9 | 4.6 | 45.5 |

Answers for Part 2:

Sales: 1150, Word Processing
Operations: 2450, Spreadsheets
Accounting: 3600, Spreadsheets

Answers for Part 3:

| | No. of Employees | Word Processing | Spreadsheets | Database | Presentation Graphics | Accounting |
| --- | --- | --- | --- | --- | --- | --- |
| Totals: | 249 | 2,220 | 6,800 | 2,370 | 850 | 3,700 |
| Averages: | | 8.9 | 27.3 | 9.5 | 3.4 | 14.9 |

Spreadsheets are used the most hours.

Answer to Part 4:

[Chart: Average software usage by application and department. Axes: Software application; Average per week.]

Answer to Part 5: Answers will vary by students.


Morrigan Department Stores

General comment: This case discusses the difficulties that most companies, government agencies, and individuals face when new hardware or new versions of familiar software force individuals to learn, or relearn, how to accomplish old tasks on new computer systems. Inasmuch as this phenomenon is usually well-understood by students, the case can lead to lively discussions of the pains and gains involved in these upgrades.

1. Roberta Gardner’s description of “64-bit machines” is not wrong, but probably overly simplifies what this term means. The transition to 64-bit microprocessor designs represents a doubling of register size from earlier 32-bit designs, and is a natural extension of the processing capabilities of mainframe computers to microcomputers. The newer, 64-bit systems enable personal computers to access more random access memory as well as perform large-number computations with more significant digits. However, along with these improvements in hardware processing capabilities has come newer software that can take advantage of these capabilities. In the case of Microsoft’s 2010 Office suite, for example, the changes were considerable, requiring users to relearn how to perform formerly familiar tasks using unfamiliar menus and commands.

2. Possible arguments against upgrading current hardware or software include:
A. avoid the costs of such hardware and/or software
B. the convenience of using current software, which is usually well understood
C. compatibility with current accounting applications
D. savings in training time and cost
E. ability to manage without them

3. Possible arguments in favor of upgrading current hardware or software include:
A. compatibility with the word processing, spreadsheet, or database files in other departments or branch offices
B. free software support from vendors
C. the potential to acquire more capable software than the older versions
D. the ability to run new software on new, 64-bit devices
E. increased speed of processing
F. better security

4. Students are likely to have conflicting views on whether hardware or software upgrades are “more hype than real.” For example, newer operating systems are likely to include additional security features such as better anti-virus protection—a very real advantage—as is the ability to address more bytes of random access memory. It is less clear whether or not the newer versions of, say, word processors are worth the incremental costs in time and effort required to learn how to use them—a question that can best be answered on a case by case basis.

5. This question asks students if they feel it is ethical for software vendors such as Microsoft, Adobe or Apple to ship software packages with both known and unknown defects in them. While most students are willing to make allowances for “unknown defects,” few are likely to feel that it is ethical for these vendors to ship software with known defects. Hopefully, at least some students will distinguish between “ethical” and “practical,” noting that there will always be some “bugs” in large, integrated and complicated software packages.

6. This question asks students if they agree with the argument that “many hardware and/or software upgrades are unnecessary.” Most students are likely to agree that some upgrades are unnecessary. Thus, a good question to also ask is “are there some upgrades that are necessary?” In answering this question, some students will note that upgrading virus protection software, operating systems, and (eventually) application software is inevitable.

7. Students are likely to agree with Alex McLeod’s statement that companies should provide training. However, the expectation to learn software “on your own” is a common policy and common expectation especially characteristic of corporate policy in times of tight budgets. Instructors might point out here that end users sometimes skip software training even when it is offered—a factor that sometimes leads to huge implementation failures. An example may be found in the case by Baltzan and Phillips (2009). “Campus ERP” (Boston: McGraw-Hill/Irwin), pp. 356-357. It might also be worth noting here that the expectation to “keep current” includes a working knowledge of current software and is a hallmark of professional accountants.

8. This question asks students whether or not they feel it was necessary for the corporate participants in this case to physically meet in one location. Certainly, with the (often free) availability of conferencing software such as Skype or other messaging software, for example, virtual meetings are easily arranged and of course, save companies travel funds. On the other hand, employees are likely to both attend and appreciate the rest and relaxation afforded by meetings in lovely tropical settings, a benefit likely to foster both employee loyalty and motivation. Students may also mention that traveling to a distant location often leads to increased understanding of problems of other people.



Chapter 3 Data Modeling

Discussion Questions

3-1. Almost every AIS must organize and store data in permanent files. This leads to the need for databases that help business and governmental users store, modify, extract, and distribute accounting data. The text discusses seven specific reasons why databases are important to AISs: (1) the fact that AIS databases usually store critical information, (2) the large volume of data in some databases, which increases the importance of organizing data efficiently, (3) the complexity of modern database designs (e.g., because of client/server networks), (4) the need for privacy and security, (5) the fact that most AIS databases contain irreplaceable data, (6) the importance of accuracy, and (7) Internet uses such as storing online customer transactions. The first section of the chapter discusses each of these reasons in greater detail.

3-2. The hierarchy of data describes the fact that AISs store the data in a database in a logical structure. The data hierarchy in ascending order is:

data field → record → file → database

Specific examples will vary by students.

3-3. The data field in each record that uniquely distinguishes one record from another on a computer file is called the primary key. Typically, the primary key is numeric, although alphabetic or alphanumeric primary keys are also possible. A primary key can be a simple number such as a customer account number, or a complicated value such as (1) a composite number (e.g., a bank account number including branch and individual account number) or (2) a large number with imbedded codes (e.g., a credit-card number). AIS databases also use foreign record keys to link the records in one database table to the records in other tables. The presence of all these record keys may seem complicated, but their uses are vital to the efficient functioning of the databases used by AISs.

3-4. Here are some examples of typical accounting information system files and the potential primary record key used for each:

| Computer File | Potential Primary Record Key |
| --- | --- |
| Accounts Receivable Master File | Customer account number |
| Accounts Payable Master File | Supplier account number |
| Employee Payroll File | Employee social security number |
| Employee Personnel File | Employee social security number |
| Chart of Accounts File | Journal category code |
| General Ledger File | General Ledger account number |
| Budget File | General Ledger account number |
| Purchase Order File | Invoice number |
| Inventory File | Inventory Part number |
| Check-Writing File | Check number |
| Transaction File | Account number and date |



3-5. The data in large, commercial databases pose special challenges for database designers and users. Some major concerns are:
(1) data integrity: the requirement that stored data are both complete and completely accurate
(2) transaction accuracy and completeness: the concern that any changes made to a database are performed properly and completely
(3) concurrency: ensuring that two users do not access and sequentially change the same database record at the same time
(4) security: the requirement that database information be protected from external access and fraudulent manipulation.
Specific examples will vary by student.

3-6. The term “REA” is an acronym for “resources, events, and agents.” In the REA model, an AIS database stores information about these file entities—for example, information about inventories (resources), cash sales (events), and customers (agents). The REA model differs from traditional accounting systems in that REA databases tend to store information about resources, events, or agents that do not immediately affect the financial statements of a company. Two examples of such information mentioned in the text are “sales orders” and “hiring decisions.” Similar information includes data about customer demographics, interest rates, or competitor activities.

3-7. Database cardinalities represent the relationships between database entities—for example, one-to-one, one-to-many, or many-to-many. In a payroll application, for example, a one-to-one relationship would be “employee” and “social security number,” a one-to-many relationship would be “invoice” and “detail lines,” and a many-to-many relationship would be “employees” and “pay rates.”

3-8. The entity-relationship (E-R) model is a graphic tool for helping developers design databases. Ovals denote data attributes (e.g., hourly pay rate), rectangles denote file entities (e.g., an employee), diamonds denote relationships (e.g., one-to-many), and straight lines denote data flows.

3-9. Assuming that the records in the Salesperson table store information about individual sales people (e.g., name, employee number, office phone number, etc.) and that the records in the Sales table store information about individual sales transactions (e.g., date, amount, type of payment, salesperson number, etc.), the relationship between these two tables is one-to-many. This means that each salesperson could have many sales transactions, but each sales transaction could have, at most, one salesperson. To show the sales for each salesperson in any given month, you would need to create a relationship between them to link the file records in these two tables together. The use of foreign keys would be sufficient to do this, and you would not need to create an intermediate relationship table for this purpose. Now suppose that more than one salesperson could make a sale to the same customer. Then, the relationship between “salesperson” and “sales” would be many-to-many. In that case, you would need to create an intermediate relationship table that showed which salesperson made which sale to which customer. This gets complex, which is the reason why database cardinalities and data modeling are important—if challenging—topics in AIS.

3-10. Normalization is a process for ensuring that attributes are stored in the most appropriate tables and are non-redundant. The text describes the first three levels of normalization: first normal form, second normal form, and third normal form. If databases are not normalized, they can suffer from database anomalies such as the inability to add information to the database, the inability to delete data without deleting related information, and difficulty updating data.

Problems

3-11.
a) Definitions:
1) Field: A set of characters that describe or define a person, event, or thing in the database (e.g., the employee number field in a payroll file).
2) Record: A set of data fields about one file entity (e.g., the set of data fields that describe an employee in a payroll file).
3) File: A collection of records about similar file entities (e.g., a collection of employee records in a payroll file).
b)
1) A database is a collection of data files that are shared by one or more accounting applications. Typical database files include files containing the accounting data themselves (e.g., payroll information), as well as a set of auxiliary files such as query files and index files that help manage this data.
2) Database advantages:
a) Eliminates or reduces data redundancy
b) Reduces data conflicts that often result from files of duplicate information
c) Centralizes file information
d) Separates file data from the applications that use them, enabling the application to focus on its tasks rather than the format of the data
e) Enables users to create convenient reports both at the time they first create a database as well as later as new needs dictate
f) Availability of excellent software for easily altering, inquiring, or reporting file data
3) Disadvantages:
a) Increases work of creating and maintaining databases
b) Increases coordination among the data needs of several departments requiring, or collecting, the data in the database
c) Increases the need for security to protect informational assets
d) Increases complexity of the systems that use them
e) Increases cost

3-12. Data items likely to be included in a cash table are: Cash Account #, Type of Account, Bank, Beginning Balance, Beginning Balance Date. As suggested by the underlining, the Cash Account # would be the primary key. The Cash Receipts table would include: Cash Receipt #, [Cash Account #], Date Received, [Employee#], and Amount. Cash Receipt# is a primary key, Cash Account # and Employee# are foreign keys.

3-13.
a) Teachers can teach zero to many courses, and each course is taught by one teacher. Courses can be taught many times or may not have even been taught.
b) A surgery involves one patient, one nurse, and one doctor. A patient can have zero to many surgeries. A doctor can perform zero to many surgeries. A nurse can perform zero to many surgeries.


3-14. See following diagram:

3-15. See following diagram:

3-16. Here are some potential data fields for a Customer Table:

| Data field | Data type | Suggested Size |
| --- | --- | --- |
| Customer Number | Text | 4 |
| Last Name | Text | 30 |
| First Name | Text | 20 |
| Street Address | Text | 30 |
| City | Text | 20 |
| State Abbreviation | Text | 2 |
| Zip Code | Numeric | 5 (or 9 digits) |
| Credit Limit | Numeric | 7 (long integer) |


As shown here, it would be better to use separate fields for the customer’s first and last names. This will enable the system to search for a customer by either first or last name as separate items.

3-17.
Customer #, customer name, customer address, customer phone
Child #, child name, [customer #]
Note: primary keys are underlined and foreign keys are in [ ].

3-18.
Student #, student name, student address, student phone
Class #, class time, class room
[Student#], [Class#], grade
Note: primary keys are underlined and foreign keys are in [ ].

3-19. This problem is about the Bonadio Electrical Supplies company.

a. The basic differences between a file-oriented system and a database management system (DBMS) include:
1) The file-oriented system focuses on individual applications, each with its own set of files and with each file physically separate from the other files
2) In the database management system, the focus is on data rather than on a particular application. This leads to data independence, data standardization, one-time data-entry, data security, and shared data ownership
3) The records in files typically are organized in only one way—for example, sequentially according to some key or chronologically. The records in databases are typically normalized in at least third normal form
4) Most files are local. Most databases are more centralized and accessed by multiple users

b. Advantages of database management systems:
1) Reduced data redundancy and inconsistencies
2) Ability to expand data fields without affecting application programs; instead, simple alterations are needed only in the DBMS
3) Single data entry and shared information
4) Data accessibility increases the timeliness, effectiveness, and availability of information

Disadvantages of database management systems:
1) Typically more difficult to create initially
2) More highly trained technical personnel are required
3) Increased vulnerability as a common database is highly integrated (A breakdown in hardware or software has a much more severe effect than in a system having separate files and applications.)
4) Audit trails being somewhat obscured as the result of multiple users and perhaps multiple copies of the same database

c. The duties and responsibilities of the database administrator include:
1) Design and control of a firm’s database (This responsibility includes ensuring application independence and back-up and recovery procedures.)
2) Definition and control of the data dictionary
3) Assignment of user codes and maintenance of other security measures
4) Control of all changes in data and in programs that use the database

Case Studies

Carl Beers Enterprises (Understanding a Relational Database)

This case helps students understand what types of information might be stored in accounting databases, and requires them to use this information to answer important accounting questions. Answers to specific questions:

1. Sales data that are listed by inventory item number help inventory personnel identify both fast- and slow-moving items, track customers in the event of recalls, and replenish stock. If this information were listed by invoice number, it would provide the detailed invoice information needed to reconstruct the invoice amounts listed in the "sales by invoice number" records (this would make it a lot easier to answer question 2).

2. Invoice V-3 shows a sale to customer C-5, or D. Lund, Inc. Details of this sale, found in the "sales by inventory number" records, are:

| Item | Quantity | Price | Extension |
| --- | --- | --- | --- |
| I-1 | 1 | 2,000 | 2,000 |
| I-3 | 6 | 1,000 | 6,000 |
| I-5 | 2 | 4,000 | 8,000 |
| Total | | | 16,000 |

3. Invoice V-2 shows that J.P. Carpenter purchased $10,000 worth of equipment, but made a payment of only $1,666. Thus, this customer has opted to pay over six months.

4. The quarterly sales amounts for the sales staff are:
a) $87,600 for salesperson S-10
b) $23,000 for salesperson S-11
c) $7,200 for salesperson S-12
Note that accounting personnel would have to make additional computations (based on information readily available in the databases) if sales commissions were only paid on the paid sales of customers instead of gross sales.

5. The net accounts receivable amounts are:
a) C-1 = 0
b) C-2 = $6,688
c) C-3 = $35,000
d) C-4 = $23,000
e) C-5 = 0



Souder, Oles, and Franek LLP (Data Modeling with REA)

1. See following diagram:

2.
Order Goods Table: Order #, [Employee#], [Vendor#], Date, Comments
Receive Goods Table: Receipt #, [Employee#], [Vendor#], Date, Comments
Pay for Goods Table: Cash Payment#, Amount Paid, Date, [Employee#], [Account#]
Merchandise Inventory Table: Item#, Description, Unit Cost, Sales Price, Quantity on Hand
Cash Table: Account#, Account Type, Bank, Current Balance
Employee Table: Employee#, First Name, Middle Name, Last Name, Address, City, State, Zip Code, Date of Birth, Date Hired, Last Date of Review
Inventory/Order Table: [Order#], [Item#], Quantity, Price
Inventory/Receive Table: [Receipt#], [Item#], Quantity, Price
Order/Receive Table: [Order#], [Receipt#], Quantity Received
Receive/Pay Table: [Receipt#], [Cash Payment#], Amount Paid

Swan’s Supplies (Normalizing Data)

The raw data is as follows:

| Purchase Order Number | Date | Customer Number | Customer Name | Customer Phone Number | Item Number | Item Description | Unit Cost | Unit | Quantity Ordered |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 12345 | 01/03/12 | 123-8209 | Charles Dresser, Inc. | (752) 433-8733 | X32655 | Baseballs | $33.69 | dozen | 20 |
| | | | | | X34598 | Footballs | $53.45 | dozen | 10 |
| | | | | | Z34523 | Basketball Hoops | $34.95 | each | 20 |
| 12346 | 01/03/12 | 123-6733 | Patrice Schmidt's Sports | (673) 784-4451 | X98673 | Softballs | $35.89 | dozen | 10 |
| | | | | | X34598 | Footballs | $53.45 | dozen | 5 |
| | | | | | X67453 | Soccerballs | $45.36 | dozen | 10 |

1. The data can be put in first normal form by repeating the purchase order information as shown below. The data are now in first normal form because they can be stored in computer records.

| Purchase Order Number | Date | Customer Number | Customer Name | Customer Phone Number | Item Number | Item Description | Unit Cost | Unit | Quantity Ordered |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 12345 | 01/03/12 | 123-8209 | Charles Dresser, Inc. | (752) 433-8733 | X32655 | Baseballs | $33.69 | dozen | 20 |
| 12345 | 01/03/12 | 123-8209 | Charles Dresser, Inc. | (752) 433-8733 | X34598 | Footballs | $53.45 | dozen | 10 |
| 12345 | 01/03/12 | 123-8209 | Charles Dresser, Inc. | (752) 433-8733 | Z34523 | Basketball Hoops | $34.95 | each | 20 |
| 12346 | 01/03/12 | 123-6733 | Patrice Schmidt's Sports | (673) 784-4451 | X98673 | Softballs | $35.89 | dozen | 10 |
| 12346 | 01/03/12 | 123-6733 | Patrice Schmidt's Sports | (673) 784-4451 | X34598 | Footballs | $53.45 | dozen | 5 |
| 12346 | 01/03/12 | 123-6733 | Patrice Schmidt's Sports | (673) 784-4451 | X67453 | Soccerballs | $45.36 | dozen | 10 |



2. To reorganize the data in part 1 into second normal form, it is necessary to split the file in two—a “customer file” and an “orders file.” The data are in second normal form because the data items in each record depend on the record’s primary key.

Customer File:

| Customer Number (primary key) | Customer Name | Customer Phone Number |
| --- | --- | --- |
| 123-6733 | Patrice Schmidt's Sports | (673) 784-4451 |
| 123-8209 | Charles Dresser, Inc. | (752) 433-8733 |

Orders File (primary key: Purchase Order Number and Item Number, both items):

| Purchase Order Number | Item Number | Item Description | Unit Cost | Unit | Quantity Ordered | Date | Customer Number (foreign key) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 12345 | X32655 | Baseballs | $33.69 | dozen | 20 | 01/03/12 | 123-8209 |
| 12345 | X34598 | Footballs | $53.45 | dozen | 10 | 01/03/12 | 123-8209 |
| 12345 | Z34523 | Bball Hoops | $34.95 | each | 20 | 01/03/12 | 123-8209 |
| 12346 | X98673 | Softballs | $35.89 | dozen | 10 | 01/03/12 | 123-6733 |
| 12346 | X34598 | Footballs | $53.45 | dozen | 5 | 01/03/12 | 123-6733 |
| 12346 | X67453 | Soccerballs | $45.36 | dozen | 10 | 01/03/12 | 123-6733 |

3. The records in the orders file contain transitive dependencies. To put these data into third normal form, we must create a new products file and a new Orders file to eliminate these dependencies as follows:

Customer File:

| Customer Number (primary key) | Customer Name | Customer Phone Number |
| --- | --- | --- |
| 123-6733 | Patrice Schmidt's Sports | (673) 784-4451 |
| 123-8209 | Charles Dresser, Inc. | (752) 433-8733 |

Purchase Orders File:

| Purchase Order Number (primary key) | Date | Customer Number (foreign key) |
| --- | --- | --- |
| 12345 | 01/03/12 | 123-8209 |
| 12346 | 01/03/12 | 123-6733 |

Ordered Products (primary key: Item Number and Purchase Order, both items):

| Item Number | Purchase Order | Quantity Ordered |
| --- | --- | --- |
| X32655 | 12345 | 20 |
| X34598 | 12345 | 10 |
| X34598 | 12346 | 5 |
| X67453 | 12346 | 10 |
| X98673 | 12346 | 10 |
| Z34523 | 12345 | 20 |

Product File:

| Item Number (primary key) | Item Description | Unit Cost | Unit |
| --- | --- | --- | --- |
| X32655 | Baseballs | $33.69 | dozen |
| X34598 | Footballs | $53.45 | dozen |
| X67453 | Soccerballs | $45.36 | dozen |
| X98673 | Softballs | $35.89 | dozen |
| Z34523 | Bball Hoops | $34.95 | each |
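The Swan's Supplies decomposition above, carried out with Python's built-in sqlite3 as an added example that is not part of the solution manual. The table and column names, the unit cost stored as integer cents, and the helper functions are assumptions made for illustration; the data rows are the ones in the case.

```python
import sqlite3

# Swan's Supplies rows in first normal form, transcribed from the case data.
# Columns: 0 PO number, 1 date, 2 customer number, 3 customer name, 4 phone,
# 5 item number, 6 description, 7 unit cost in cents (assumption), 8 unit, 9 quantity.
DRESSER = ("12345", "01/03/12", "123-8209", "Charles Dresser, Inc.", "(752) 433-8733")
SCHMIDT = ("12346", "01/03/12", "123-6733", "Patrice Schmidt's Sports", "(673) 784-4451")
ROWS_1NF = [
    DRESSER + ("X32655", "Baseballs", 3369, "dozen", 20),
    DRESSER + ("X34598", "Footballs", 5345, "dozen", 10),
    DRESSER + ("Z34523", "Basketball Hoops", 3495, "each", 20),
    SCHMIDT + ("X98673", "Softballs", 3589, "dozen", 10),
    SCHMIDT + ("X34598", "Footballs", 5345, "dozen", 5),
    SCHMIDT + ("X67453", "Soccerballs", 4536, "dozen", 10),
]

# Dependency behind each 3NF table: determinant columns -> dependent columns.
DEPENDENCIES = {
    "customer": ((2,), (3, 4)),
    "purchase_order": ((0,), (1, 2)),
    "product": ((5,), (6, 7, 8)),
    "ordered_product": ((0, 5), (9,)),
}

SCHEMA = """
CREATE TABLE customer (
    customer_no TEXT PRIMARY KEY, name TEXT NOT NULL, phone TEXT NOT NULL);
CREATE TABLE purchase_order (
    po_no TEXT PRIMARY KEY, po_date TEXT NOT NULL,
    customer_no TEXT NOT NULL REFERENCES customer(customer_no));
CREATE TABLE product (
    item_no TEXT PRIMARY KEY, description TEXT NOT NULL,
    unit_cost_cents INTEGER NOT NULL, unit TEXT NOT NULL);
CREATE TABLE ordered_product (
    item_no TEXT NOT NULL REFERENCES product(item_no),
    po_no TEXT NOT NULL REFERENCES purchase_order(po_no),
    quantity INTEGER NOT NULL,
    PRIMARY KEY (item_no, po_no));
"""


def fd_violations(rows, determinant, dependents):
    """Return determinant values that map to more than one dependent tuple.

    An empty list means determinant -> dependents holds in these rows, so the
    dependents can be stored once in a table keyed on the determinant.
    """
    seen, bad = {}, set()
    for row in rows:
        key = tuple(row[i] for i in determinant)
        val = tuple(row[i] for i in dependents)
        if seen.setdefault(key, val) != val:
            bad.add(key)
    return sorted(bad)


def build_3nf(rows):
    """Load 1NF rows into the four 3NF tables; refuse rows that break a dependency."""
    for table, (det, dep) in DEPENDENCIES.items():
        bad = fd_violations(rows, det, dep)
        if bad:
            raise ValueError(f"{table}: conflicting values for key(s) {bad}")
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    conn.executescript(SCHEMA)
    for po, date, cust, name, phone, item, desc, cost, unit, qty in rows:
        # OR IGNORE keeps one copy of each customer, order and product.
        conn.execute("INSERT OR IGNORE INTO customer VALUES (?, ?, ?)", (cust, name, phone))
        conn.execute("INSERT OR IGNORE INTO purchase_order VALUES (?, ?, ?)", (po, date, cust))
        conn.execute("INSERT OR IGNORE INTO product VALUES (?, ?, ?, ?)", (item, desc, cost, unit))
        conn.execute("INSERT INTO ordered_product VALUES (?, ?, ?)", (item, po, qty))
    conn.commit()
    return conn


def rejoin(conn):
    """Rebuild the 1NF rows by joining the 3NF tables (lossless-join check)."""
    return conn.execute("""
        SELECT po.po_no, po.po_date, c.customer_no, c.name, c.phone,
               p.item_no, p.description, p.unit_cost_cents, p.unit, op.quantity
        FROM ordered_product AS op
        JOIN purchase_order AS po ON po.po_no = op.po_no
        JOIN customer AS c ON c.customer_no = po.customer_no
        JOIN product AS p ON p.item_no = op.item_no
        ORDER BY po.po_no, p.item_no""").fetchall()


def table_sizes(conn):
    """Row count per table; the table names are fixed literals, not user input."""
    names = ("customer", "purchase_order", "product", "ordered_product")
    return {n: conn.execute(f"SELECT COUNT(*) FROM {n}").fetchone()[0] for n in names}


def reprice(conn, item_no, cents):
    """Change a unit cost; returns how many stored rows had to be touched."""
    cur = conn.execute(
        "UPDATE product SET unit_cost_cents = ? WHERE item_no = ?", (cents, item_no))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_3nf(ROWS_1NF)
    print(table_sizes(db))
    print("lossless:", sorted(rejoin(db)) == sorted(ROWS_1NF))
    print("rows touched to reprice footballs:", reprice(db, "X34598", 5500))
```

In the first-normal-form file the same price change would have to be made on every order line that mentions footballs, which is the update anomaly answer 3-10 describes.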



Chapter 4 Organizing and Manipulating the Data in Databases

Discussion Questions

4-1. There are several other database management systems available to users, including MySQL, Oracle, FoxPro, Avanquest Database Professional, Microsoft SA SQL, Filemaker Pro 7, Eltron Card Database, and IBM DB2.

4-2. The different data types available in Access include: Text, Memo, Number, Date/Time, Currency, AutoNumber, and Yes/No. You can also create hyperlinks and OLE (object link and embed) objects. The types of numbers you can create in Access include Byte, Integer, Long Integer, Single, Double, ReplicationID (typically used to expand autonumber fields in replicated databases), and Decimal.

4-3. This problem requires students to create their own Salesperson table.

4-4. Database management systems (DBMS) are computer software packages that enable users to create, maintain, query, retrieve, manipulate, and output the data stored in a database. A DBMS is not the same thing as a database. Rather, a DBMS is a set of software programs that interfaces between the database and users or user programs. Because database management systems are computer programs, they are software—not hardware.

4-5. Data definition languages (DDLs) are the special programming languages of DBMSs that enable users to design the physical structure of database records. Thus, a DDL enables users to specify the number of data fields for each record in a table, the name for each field, and (for Access) a data type for each field—for example, “text” or “numeric.” The DDL also enables users to further specify the length of each field (for text data types) or the type of number (e.g., “Integer”) for numeric data types.

4-6. The act of linking database tables to one another enables users to extract relevant information from them. For example, a database user might want to prepare a list of suppliers, with a sub-list of all products available from each supplier. A database developer might create two tables for such an application: (1) a table of suppliers and (2) a table of products. If the designer stores the supplier code in each product record, the user could then view or print the desired list. In Access, a user links tables to one another using the “Relationships window.” Chapter 4 describes how to do this. (The fields do not have to have the same name, but they must have identical data types.) Access then enables the user to create queries based upon the linked tables, and can then present the joined information requested by the user—e.g., the report described above.

4-7. Data validation is the process of ensuring that the data input into the data fields of a database record are accurate and complete. Data validation is important because it causes the system to test input data for common errors and reject values that violate the defined validation rules. This helps an organization avoid the costs and confusion caused by such errors. Experts estimate that it costs ten times as much to correct bad data already stored in a database as it does to correct simple errors at the time they are caught during input. Examples of Access data validation tests discussed in the text include the automatic tests that check for consistent data types, using input masks to help users input data correctly, using drop-down lists (combo boxes) of predefined data, specifying default values for repetitive data entries, and creating data validation rules. Enforcing referential integrity is yet another database control with data-validation characteristics. This ensures that users do not delete the “one” record joined in a one-to-many relationship with other records—for example, deleting an invoice with existing line items. It also automatically disallows a user’s attempt to link a “many” record with a non-existent parent record—for example, creating invoice detail lines for a non-existent invoice.

4-8. Data manipulation languages or DMLs enable users to define processes for accessing, updating, replacing, deleting, and protecting database records from unauthorized use. Most database management systems include proprietary DMLs that allow users to create queries, forms, reports, and macros that in turn enable users to view, update, delete, or output selected database information. Thus, a DML is that part of a DBMS that enables users to tell the system how to manipulate the underlying data in a database.

4-9. SQL is an acronym for “structured query language.” SQL and Access queries are similar in that both enable users to construct queries that answer user questions about database information. Thus, both SQL and Access enable users to construct query commands that extract the same information from a database—for example, a list of all students in a certain course in the current semester. The primary difference between SQL and Access is that SQL requires users to create queries in text-driven language while Access provides a graphical user interface to frame their questions. Access is among the many database management systems that actually translate user queries into SQL statements.

4-10. Online analytical processing is a query tool that enables database users to extract information from databases efficiently. Thus, OLAP allows users to search and retrieve complex, processed information and is especially notable for its “drill-down” capabilities. Pivot tables are multidimensional tables that enable their users to change the categorization parameters. In a sales application, for example, a pivot table might show dollar sales volume for a specific sales region of the country, classified by product line and months of the year (three dimensions). If the user changes the “sales region,” new information appears for the chosen alternate. Similarly, if the user selects a new product line, a new pivot table might show the monthly sales levels for each product in that product line. Thus, pivot tables are among the useful tools that OLAP provides to show useful information. But these are not the only tools that OLAP provides. Others include statistical analyses (means, median, and frequency distributions), trend analyses, linear regressions, and graphical charts.

4-11. Both sorting and indexing records accomplish the same task: displaying or printing database records in ascending or descending sequence as determined by a specific data field. “Sorting records” requires the database to physically re-write the records on disk. In contrast, “indexing records” requires the database to create an ordered list of disk addresses. Indexing thus provides the user with the same visual result as sorting, but eliminates the need to physically re-arrange a database’s records on disk. Indexing therefore typically takes less time to perform—especially for larger databases.

4-12. Data mining provides users with analytical tools for detecting trends or relationships among seemingly uncorrelated data—typically marketing data. For example, identifying patterns in customer purchasing behavior may enable a marketing department to streamline its marketing efforts by uncovering relationships between customer preferences and their demographics. Accounting uses of data mining techniques include predicting future sales for budgeting purposes, performing audit tasks such as searching for forensic information, assessing payment trends by taxpayers, or detecting trends in such areas as bad debts. (For an interesting article on this subject, see: S. A. Fadairo, et al., “Using Data Mining to Ensure Payment Integrity” Journal of Government Financial Management Vol. 57, No. 2 (Summer, 2008), pp. 22-24.)

4-13. Cloud computing is a form of Internet-based computing. Instead of applications being stored on individual workstations, software is provided through the Internet, processing occurs on a web of computers, and information is ultimately sent to the user’s computer. Cloud computing allows firms to outsource components of their AISs and expand systems at lower costs than would be necessary if systems were built in-house.

4-14. A data warehouse is a repository of historical information that a firm or governmental agency can collect during the normal course of conducting its business. Data warehouses are similar to databases in that they classify and store data systematically and can help users extract information for business uses. The major differences between data warehouses and databases are that the information in data warehouses may be stored in multiple databases, often spans multiple accounting periods, and is generally arranged with the purpose of supporting complex queries from external users.

4-15. Data warehouses enable employees to access valuable information on a corporate-wide basis, often from areas outside their immediate domains. These data repositories therefore help users answer complex questions in a timely manner, help marketing personnel identify purchasing trends or pinpoint customer needs, and can ultimately yield a high return on investment for the firm. But data warehouses are not for every organization. One factor that may deter companies from building data warehouses is the difficulty in collecting and storing diverse information in consistent, useful, and systematic ways—especially where the design process consumes large amounts of organizational resources.
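The validation tests and referential-integrity controls listed in answer 4-7, expressed as database constraints in an added example that is not part of the solution manual. It uses Python's built-in sqlite3 rather than Access; the invoice and invoice_line tables, their columns, and the sample values are constructed for illustration.

```python
import sqlite3

# Each constraint mirrors one control named in 4-7 (names and values are constructed).
SCHEMA = """
CREATE TABLE invoice (
    invoice_no   TEXT PRIMARY KEY,
    -- input mask: dates must look like YYYY-MM-DD
    invoice_date TEXT NOT NULL
        CHECK (invoice_date GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]'),
    -- default value plus a fixed list, like a combo box of predefined data
    terms        TEXT NOT NULL DEFAULT 'NET30'
        CHECK (terms IN ('NET30', 'NET60', 'COD'))
);
CREATE TABLE invoice_line (
    -- referential integrity: every line needs an existing parent invoice
    invoice_no  TEXT NOT NULL REFERENCES invoice(invoice_no) ON DELETE RESTRICT,
    line_no     INTEGER NOT NULL,
    -- consistent data type and a validation rule
    quantity    INTEGER NOT NULL
        CHECK (typeof(quantity) = 'integer' AND quantity > 0),
    unit_price_cents INTEGER NOT NULL CHECK (unit_price_cents >= 0),
    PRIMARY KEY (invoice_no, line_no)
);
"""


def open_db(enforce_fk=True):
    """Create the two tables. SQLite checks foreign keys only if the connection asks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON" if enforce_fk else "PRAGMA foreign_keys = OFF")
    conn.executescript(SCHEMA)
    return conn


def attempt(conn, sql, params=()):
    """Run one statement; True if it was stored, False if a constraint rejected it."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def run_checks(enforce_fk=True):
    """Try valid and invalid input and report which statements the database accepted."""
    conn = open_db(enforce_fk)
    new_invoice = "INSERT INTO invoice (invoice_no, invoice_date) VALUES (?, ?)"
    new_line = "INSERT INTO invoice_line VALUES (?, ?, ?, ?)"
    results = {}
    results["valid invoice"] = attempt(conn, new_invoice, ("V-3", "2012-01-03"))
    results["default terms"] = conn.execute(
        "SELECT terms FROM invoice WHERE invoice_no = ?", ("V-3",)).fetchone()[0]
    results["bad date mask"] = attempt(conn, new_invoice, ("V-4", "01/03/12"))
    results["terms not in list"] = attempt(
        conn, "INSERT INTO invoice VALUES (?, ?, ?)", ("V-5", "2012-01-03", "NET45"))
    results["valid line"] = attempt(conn, new_line, ("V-3", 1, 6, 100000))
    results["zero quantity"] = attempt(conn, new_line, ("V-3", 2, 0, 100000))
    results["text quantity"] = attempt(conn, new_line, ("V-3", 3, "six", 100000))
    # Detail line for an invoice that does not exist.
    results["orphan line"] = attempt(conn, new_line, ("V-9", 1, 1, 100000))
    # Deleting the "one" record while "many" records still point at it.
    results["delete parent"] = attempt(
        conn, "DELETE FROM invoice WHERE invoice_no = ?", ("V-3",))
    return results


if __name__ == "__main__":
    for enforce in (True, False):
        print("foreign keys enforced:", enforce)
        for name, outcome in run_checks(enforce).items():
            print(f"  {name}: {outcome}")
```

With enforcement switched off, the orphan line and the parent delete are both accepted while the CHECK rules still hold, so a review of a SQLite-backed application should confirm that every connection enables foreign keys.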

Problems

4-16. This problem is about the Query Corporation. It requires students to create a simple database table, using data supplied in Figure 4-19. A suggested record structure is:

| Field Name | Size | Type | Decimal Digits |
| --- | --- | --- | --- |
| LNAME | 20 | alphanumeric | |
| FNAME | 20 | alphanumeric | |
| SSN | 9 | alphanumeric | |
| DEPT | 1 | numeric | none |
| PAYRATE | 4 | numeric | 2 |
| OTIME | 1 | yes/no | |

a) The employees in Department 5 are: Chapin, Finn, Halpin, Laurin, Maglio, Turner, and Zorich.
b) There are three employees with a first name of Brenda: Reeder, Turner, and Bloom.
c) The employees with pay rates over $6.50 are: Cunningham, Chapin, McLean, Welsh, Duffy, and Turner.
d) The employees eligible for overtime are: Adcox, Bloom, Chapin, Cunningham, Daniels, Davis, Finn, Halpin, Harper, Kozar, Laurin, Maglio, McGuire, Morgan, Reeder, and Zorich.

4-17. This problem requires students to search the Internet for articles on data warehousing and the use of such warehouses in accounting. Reasons why companies create data warehouses and the use of such warehouses in accounting are discussed in the chapter.

4-18. This problem requires students to search the Internet for articles on online analytical processing and also the connection between OLAP and databases. Reasons why businesses use OLAP are discussed in the chapter.

4-19. This problem is about the Marcia Felix Corporation.

a) A suggested record structure is:

| Field Name | Size | Type | Decimal Digits |
| --- | --- | --- | --- |
| Employ_Name | 20 | alphanumeric | |
| Employ_IDNum | 4 | numeric | none |
| Apt_Score | 2 | numeric | none |
| Depart_ID | 2 | alphanumeric | |
| Pay_Rate | 4 | numeric | 2 |
| Employee_Gender | 1 | alphanumeric | |

b-d) See the following pages.

e) Average pay rate: $8.02

f) Average female pay rate: $8.16
Average male pay rate: $7.95

g) Females scoring over 70: none
Males scoring over 50: Langley, Baker, Moore, Jackson, Markham, Garrow, Conrad, Pettinari, Bliss, Barrett, and Erickson



b) Records sorted by department.

| Employee Name | Employee Number | Score on Aptitude Test | Department ID | Current Pay Rate | Sex |
| --- | --- | --- | --- | --- | --- |
| MCGUIRE, TANA B | 4052 | 55 | A | 9.20 | F |
| GARROW, SCOTT D | 8753 | 61 | A | 7.40 | M |
| MARKHAM, KYLE R | 6766 | 62 | A | 7.90 | M |
| BAKER, JEFFREY L | 1692 | 73 | A | 7.50 | M |
| FRANTZ, HEIDI L | 6390 | 55 | A | 6.90 | F |
| PETTINARI, DARIN M | 1222 | 56 | B | 8.40 | M |
| ERICKSON, KURT N | 2217 | 53 | B | 8.50 | M |
| BARRETT, RAYMOND G | 3444 | 53 | B | 7.45 | M |
| MONACH, SHERI L | 8082 | 48 | B | 9.10 | F |
| BOWERS, PAUL D | 2084 | 42 | B | 5.90 | M |
| NELSON, JOHN R | 5873 | 46 | B | 7.40 | M |
| HARDENBROOK, LISA A | 7427 | 40 | C | 6.70 | F |
| CHEUNG, WAI KONG | 8183 | 55 | C | 7.80 | F |
| CONRAD, MARK E | 8317 | 58 | D | 9.60 | M |
| JACKSON, GREG W | 4091 | 67 | D | 8.90 | M |
| DRISCOLL, DAVID M | 5210 | 47 | D | 7.70 | M |
| BLISS, DONALD W | 6713 | 55 | D | 6.80 | M |
| DAILY, REBECCA E | 2336 | 45 | D | 8.90 | F |
| LYNCH, SHERENE D | 7857 | 66 | D | 8.90 | F |
| LUBINSKI, TRAVIS M | 3865 | 37 | D | 7.50 | M |
| LANGLEY, JERRY W | 3262 | 86 | E | 9.40 | M |
| BUCHANAN, CINDY | 3735 | 41 | E | 7.80 | F |
| PAPEZ, PETER M | 7799 | 41 | E | 8.30 | M |
| MOORE, MICHAEL S | 2431 | 67 | E | 8.50 | M |



c) Records sorted by test score.

| Employee Name | Employee Number | Score on Aptitude Test | Department ID | Current Pay Rate | Sex |
| --- | --- | --- | --- | --- | --- |
| LUBINSKI, TRAVIS M | 3865 | 37 | D | 7.50 | M |
| HARDENBROOK, LISA A | 7427 | 40 | C | 6.70 | F |
| PAPEZ, PETER M | 7799 | 41 | E | 8.30 | M |
| BUCHANAN, CINDY | 3735 | 41 | E | 7.80 | F |
| BOWERS, PAUL D | 2084 | 42 | B | 5.90 | M |
| DAILY, REBECCA E | 2336 | 45 | D | 8.90 | F |
| NELSON, JOHN R | 5873 | 46 | B | 7.40 | M |
| DRISCOLL, DAVID M | 5210 | 47 | D | 7.70 | M |
| MONACH, SHERI L | 8082 | 48 | B | 9.10 | F |
| BARRETT, RAYMOND G | 3444 | 53 | B | 7.45 | M |
| ERICKSON, KURT N | 2217 | 53 | B | 8.50 | M |
| MCGUIRE, TANA B | 4052 | 55 | A | 9.20 | F |
| FRANTZ, HEIDI L | 6390 | 55 | A | 6.90 | F |
| CHEUNG, WAI KONG | 8183 | 55 | C | 7.80 | F |
| BLISS, DONALD W | 6713 | 55 | D | 6.80 | M |
| PETTINARI, DARIN M | 1222 | 56 | B | 8.40 | M |
| CONRAD, MARK E | 8317 | 58 | D | 9.60 | M |
| GARROW, SCOTT D | 8753 | 61 | A | 7.40 | M |
| MARKHAM, KYLE R | 6766 | 62 | A | 7.90 | M |
| LYNCH, SHERENE D | 7857 | 66 | D | 8.90 | F |
| MOORE, MICHAEL S | 2431 | 67 | E | 8.50 | M |
| JACKSON, GREG W | 4091 | 67 | D | 8.90 | M |
| BAKER, JEFFREY L | 1692 | 73 | A | 7.50 | M |
| LANGLEY, JERRY W | 3262 | 86 | E | 9.40 | M |



d) Records sorted by last name within department.

| Employee Name | Employee Number | Score on Aptitude Test | Department ID | Current Pay Rate | Sex |
| --- | --- | --- | --- | --- | --- |
| BAKER, JEFFREY L | 1692 | 73 | A | 7.50 | M |
| FRANTZ, HEIDI L | 6390 | 55 | A | 6.90 | F |
| GARROW, SCOTT D | 8753 | 61 | A | 7.40 | M |
| MARKHAM, KYLE R | 6766 | 62 | A | 7.90 | M |
| MCGUIRE, TANA B | 4052 | 55 | A | 9.20 | F |
| BARRETT, RAYMOND G | 3444 | 53 | B | 7.45 | M |
| BOWERS, PAUL D | 2084 | 42 | B | 5.90 | M |
| ERICKSON, KURT N | 2217 | 53 | B | 8.50 | M |
| MONACH, SHERI L | 8082 | 48 | B | 9.10 | F |
| NELSON, JOHN R | 5873 | 46 | B | 7.40 | M |
| PETTINARI, DARIN M | 1222 | 56 | B | 8.40 | M |
| CHEUNG, WAI KONG | 8183 | 55 | C | 7.80 | F |
| HARDENBROOK, LISA A | 7427 | 40 | C | 6.70 | F |
| BLISS, DONALD W | 6713 | 55 | D | 6.80 | M |
| CONRAD, MARK E | 8317 | 58 | D | 9.60 | M |
| DAILY, REBECCA E | 2336 | 45 | D | 8.90 | F |
| DRISCOLL, DAVID M | 5210 | 47 | D | 7.70 | M |
| JACKSON, GREG W | 4091 | 67 | D | 8.90 | M |
| LUBINSKI, TRAVIS M | 3865 | 37 | D | 7.50 | M |
| LYNCH, SHERENE D | 7857 | 66 | D | 8.90 | F |
| BUCHANAN, CINDY | 3735 | 41 | E | 7.80 | F |
| LANGLEY, JERRY W | 3262 | 86 | E | 9.40 | M |
| MOORE, MICHAEL S | 2431 | 67 | E | 8.50 | M |
| PAPEZ, PETER M | 7799 | 41 | E | 8.30 | M |



Case Studies

BSN Bicycles I (Creating a Database from Scratch with Microsoft Access)

1. The resources, events, and agents for this case are as follows:
Resources: inventory and cash
Events: sales, cash receipts, purchases, and cash payments
Agents: the company’s employees (sales personnel, cashiers, and purchasing agents), customers, and vendors.
E-R diagram is on the following page.

2. Examples of data fields for each of these tables:
cash: account #, cash type, beginning balance, authorized personnel
inventory purchases: purchase order #, item #, item name, quantity purchased, vendor ID, vendor name
vendor cash payments: check #, vendor ID, vendor name, purchase order #, amount
vendors: vendor ID, vendor name, street address, city, state, zip code, contact person, phone #, and fax #
employees: employee ID, first name, middle initial, last name, department #, street address (probably not needed inasmuch as there are only three individuals in the company)
inventory table: item #, item description, units (e.g., dozens), unit cost, unit retail sales price, quantity on hand
vendor purchases/inventory (join) table: purchase order #, item #, quantity purchased
customers: First name, Last name, Customer #, Street Address, City, State, Zip Code, Home phone number, Work phone number, Cell phone number, Credit Card type (e.g., Visa), credit card number, credit card expiration date
customer invoices: invoice #, invoice date, invoice amount

Database tables for the purchasing process are: cash, purchases, cash payments, vendors, and employees. There should also be a table for the purchases/inventory relationship as this is a many-to-many relationship.

3. This part of the case requires students to create several records for each table.

4. This part of the case requires students to create relationships for each of the various tables.

5. This part of the case requires students to print hard copies of each table in data sheet view and also to create a report, documenting their relationships.



Furry Friends Foundation I (Creating a New Database from Scratch)

This case introduces students to a relational database. It requires them to set up the database, create tables, and connect them using relationships.

1.

2. The Contributor ID is used as the primary key for the FFF contributor table. The key is unique and a donation statement can be produced for each contributor for his or her use when filing state or federal taxes. 3. Each student will need to add a unique contributor ID, their last name, first name, street address, city, state, zip and phone number using the correct formats. 4. The relationships between the tables are joined by Contributor ID in the Contributor File and Donation File. The link between the Donation File and the Animal Code File is the Animal Code.

5. See 1 above for each table and 4 for the relationship diagram. You will want to check to see that each student has entered his or her own information as required in 3.


BSN Bicycles II (Creating Queries in Access)

1 and 2. Create a database of records. This is a continuation of Case 4-20.

3. Create a query that selects all customers living in Virginia. The results depend upon the underlying data that each student creates. However, the construct for this query is:

4. Create a query that selects all customers living in zip code 12345. The selected records will depend upon the underlying data that each student creates. However, the construct for this query is:

5. Create a query that selects all customers living in Virginia with zip code 12345. The resulting records depend upon the underlying data that each student creates. However, the construct for this query is:


6. Create a query that selects all credit customers. The resulting records will depend upon the underlying data that each student creates. However, the construct for this query is:

Furry Friends Foundation II (Creating Queries for Databases) 1. This is a continuation of Case 4-21. 2. This requires students to create three records using their own name and contributions to the three different categories of dogs, cats, and unspecified. The results depend upon the underlying data that each student creates. 3. Create a query of all contributors donating to cats. The results should include the entry that the student made for himself/herself. The construct for this query is:


4. Create a query of all contributors who donated over $50. If the student made contributions over $50, the donation will also be reflected in this query. The construct for this query is:

5. Create a query of all contributors who donated over $100 to dogs. If the student made a contribution over $100 to dogs, it will be reflected in this query. The construct for this query is:


Chapter 5 Database Forms and Reports

Discussion Questions

5-1. Some of the advantages and disadvantages of database forms are as follows:

Advantages
• Data entry is less error-prone
• A number of predefined formats are available for use
• Usually, all the data fields for a single record appear in one screen
• Forms are customizable (compared to data sheet views)
• Forms can include instructions for data entry
• Forms can be more colorful and graphically appealing
• It is usually easier to get from one field to any other field using a form
• The form navigation bar enables users to easily go to the first or last record in the table.

Disadvantages
• Low information density for professionals
• Good interface design requires time and effort to create
• Garish form designs or colors can distract the user

5-2. Most students would rather use a form, rather than a datasheet, for entering data into a database. The advantages of using forms listed above outweigh the disadvantages. 5-3. Most students, and certainly the authors, would rather use the Form Wizard in Access to create a form. Using the Form Wizard is faster to develop, provides preformatted data fields, and enables you to customize the form as desired. However, it is also true that creating a form from scratch gives the developer full control over the form’s design at all times, and possibly enhances form performance. 5-4. A subform is a form within a form—usually a form that shows the “many” records in a one-to-many relationship. Figure 5-7 provides an example. Subforms are handy for showing subordinate information and they also allow users to enter data at the time the form and subform display—a handy feature if the user wishes to create new records in the subform. There are two methods for creating subforms. One approach is to add a subform to an existing form using the subform object in the Access toolbox. A second approach is to create a subform at the same time you create a form using the Form Wizard. 5-5. Database developers customize forms for many reasons. One is the fact that the form initially created by the Form Wizard will be basic, often presenting users with an unwieldy, uncomfortable, or disorganized interface. A second reason to customize a form is to streamline data entry and manipulation as much as possible—for example, by grouping like text boxes together, logically arranging the tab order of data entry text boxes, or by creating check boxes, radio buttons, or drop down menus (combo boxes) as needs dictate. These features save end users time and companies’ money, and can reduce aggravation of employees. A third reason to customize a form is to add explanatory information on it—for example, to further explain data entry requirements or to provide important reminders about the data. 
A final reason to customize forms is to make them more visually appealing—for example, by adding background colors, graphics, and similar visual objects that both increase the overall appearance of the form and perhaps its usefulness to end users.

5-6. Database reports provide custom information to database users. These reports can be simple documents that only output the contents of a table, or highly complex outputs that combine the information from several tables and limit themselves to selected subsets of database information. Figures 5-8 and 5-12 provide some examples. In addition to simple data from the underlying records, reports can also contain calculated fields (for example, extensions of prices times quantities), the results of logic tests (for example, a display of a reorder amount if the balance-on-hand field of an inventory product is below its reorder point), and computed summary information (for example, subtotals, minimums, maximums, or averages) for selected subgroups of records.

5-7. Most students will agree that it is important to design the format of a report before creating the report itself. Reasons include the usefulness of (1) identifying what information to include, or to omit, from a potentially large set of items, (2) deciding how to best make use of the limited “real estate” of an output page, and (3) grouping data in useful ways to best compute subtotals or other statistical outputs. This is a good opportunity to remind students that the purpose of most AISs is to provide meaningful, decision-oriented information to users—not simply to create “pretty” reports. It is also true that not every report must be planned so carefully. Smaller reports may not have a high redesign cost if redesign is necessary and planning may be a greater cost of time than redesign.

5-8. This question asks students if they think we will still use hardcopy reports in the future, or will they be replaced with softcopy ones.
There is no right or wrong answer to this question, but it is worth mentioning that, despite more than two decades of personal computers and now almost one decade of individual Internet access, most newspapers are still in business, most book publishers are still in business, and the volume of work at many printing companies has actually expanded. On the other hand, many mobile devices enable users to obtain such current information as stock market prices, data about the status of projects, text messages, and emails instantaneously in soft-copy formats.

5-9. This question asks students if they would rather use the Report Wizard to create the format of a report or design it from scratch. Most students prefer the Report Wizard because it automates so much of the work—for example, in ordering the data, creating headings, subheadings, and control breaks, and formatting the output. As an experiment, one of the authors created a report from scratch—and won’t make that mistake again.

5-10. A calculated field in a report is just that—a data value that the database system computes from the underlying data. Examples include years of service on an employee report, invoice extensions on an invoice, student grade point averages, inventory valuations, reorder inventory quantities, and salesperson commissions based on sales. Calculated fields also include the totals, averages, maximums, and minimums that database designers can imbed at control breaks in reports. Reports contain calculated fields for the same reason they contain any other type of data—because such values are meaningful and valuable to report users.

5-11. There are several reasons why databases do not store calculated fields as normal parts of database records. One reason is because these fields can be computed from a record’s basic data and are therefore redundant. Another reason is because calculated values (e.g., a student’s GPA) often depend on data that may change. Storing a static value for dynamic data does not make sense, and doing so anyway just wastes space. It is also important to remember that computers can “think” much faster than they can “read” or “write.” Thus, computing values for each record that ultimately gets displayed or printed requires no additional computer time or other resources.

5-12. This question asks why calculated fields (in Access) are created with database queries rather than created directly in reports. In one sense, this is a trick question. One reason is that you can include calculated fields without queries, although this was not discussed in the chapter. Another reason is that such calculated fields as totals, averages, maximums, and minimums are created by the report itself. But DBMS designers cannot possibly anticipate all the needs of database users. Thus, one advantage of using queries to create other types of calculated fields is that it enables form or report designers to customize outputs as user needs require. Another advantage is that queries provide an easy mechanism to retrieve data for manipulations. By abstracting the calculated field from the report, the designer can modify the formulas for calculated fields without affecting the general format of the report itself.
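The point made in 5-11 and 5-12, as an added example that is not part of the solution manual or of Access: the invoice extension is computed in the query each time, and a stored copy of the same value goes stale as soon as the underlying price is corrected. The table, column and item names and the sample rows are constructed for illustration, and Python's built-in sqlite3 module stands in for the DBMS.

```python
import sqlite3

# Constructed sample invoice lines: (invoice_no, item_no, quantity, unit_price_cents).
# Table, column and item names are hypothetical, not taken from the textbook cases.
SAMPLE_LINES = [
    (1001, "B-100", 2, 15000),
    (1001, "B-200", 4, 2500),
    (1002, "B-100", 1, 15000),
    (1002, "B-300", 3, 1200),
]


def build_db():
    """Create an in-memory table that also stores the extension (the anti-pattern)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE invoice_lines (
            invoice_no             INTEGER NOT NULL,
            item_no                TEXT    NOT NULL,
            quantity               INTEGER NOT NULL CHECK (quantity > 0),
            unit_price_cents       INTEGER NOT NULL CHECK (unit_price_cents >= 0),
            stored_extension_cents INTEGER NOT NULL,
            PRIMARY KEY (invoice_no, item_no)
        )
        """
    )
    conn.executemany(
        "INSERT INTO invoice_lines VALUES (?, ?, ?, ?, ?)",
        [(inv, item, qty, price, qty * price) for inv, item, qty, price in SAMPLE_LINES],
    )
    conn.commit()
    return conn


def report_rows(conn):
    """Detail lines with the extension as a calculated field of the query."""
    return conn.execute(
        """
        SELECT invoice_no, item_no, quantity, unit_price_cents,
               quantity * unit_price_cents AS extension_cents
        FROM invoice_lines
        ORDER BY invoice_no, item_no
        """
    ).fetchall()


def invoice_totals(conn):
    """Control-break subtotals per invoice, computed from the basic data."""
    return conn.execute(
        """
        SELECT invoice_no, SUM(quantity * unit_price_cents)
        FROM invoice_lines
        GROUP BY invoice_no
        ORDER BY invoice_no
        """
    ).fetchall()


def stale_lines(conn):
    """Integrity check: rows whose stored extension no longer matches the data."""
    return conn.execute(
        """
        SELECT invoice_no, item_no, stored_extension_cents,
               quantity * unit_price_cents AS computed_cents
        FROM invoice_lines
        WHERE stored_extension_cents <> quantity * unit_price_cents
        ORDER BY invoice_no, item_no
        """
    ).fetchall()


def correct_price(conn, invoice_no, item_no, new_price_cents):
    """Correct a unit price only, as a data-entry fix would; returns rows changed."""
    cur = conn.execute(
        "UPDATE invoice_lines SET unit_price_cents = ? "
        "WHERE invoice_no = ? AND item_no = ?",
        (new_price_cents, invoice_no, item_no),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("totals before:", invoice_totals(db))
    correct_price(db, 1001, "B-200", 2600)
    print("totals after: ", invoice_totals(db))
    print("stale stored values:", stale_lines(db))
```

The same comparison used in `stale_lines` is a quick reconciliation test for any table that does keep a derived amount alongside its inputs.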

Problems

5-13. From left to right, the symbols on the navigation bar enable the user to access the first record, the previous record, the next record, and the last record. The white box in the middle indicates the number of the current record.

5-14.
a. Figure 5-9 lists the seven components of a typical database report (report header, page header, group header, detail lines, group footer, page footer, and report footer). This figure also describes the location and typical contents of each of these items.
b. Student examples of these components can vary widely.

5-15. This question asks students to explain the difference between each of the following items:
a. A bound control displays a data value from an underlying record, or computations from an underlying record, and therefore typically changes from record to record in a form or report. An unbound control does not display values from an underlying record and is therefore typically fixed in the form or report.
b. In design mode, a database designer can change the design elements of a form or report, including such items as foreground or background colors, font types, sizes, or similar characteristics, the placement of data fields or other form objects, and even the size of the form or report itself. In run mode, the user cannot perform such formatting, but is a passive viewer of whatever information the form or report contains.
c. The ◄ symbol in a form’s navigation bar enables the user to access the previous record in the underlying table. In contrast, the ► symbol enables the user to access the next record in that same underlying table.
d. A form is a user interface or screen that typically displays the data from the current (parent) record. In contrast, a subform typically displays the subordinate (child) data associated with the parent record if it exists. Thus forms display record information from the “one” side of a one-to-many relationship while subforms display information from the “many” side of such a relationship.
e. A normal data field displays the value of the data for the current record in the underlying database table. In contrast, a calculated data field displays the results of a computation based on such data.
f. A page header is the information that the user sees at the top of each page of a database report. Such information typically contains column headings that identify what data appear beneath them. In contrast, a page footer appears at the bottom of each page of a report.
g. A report header is the information that the user typically sees on the first page of a report—for example, the name of the report, the date the report was created, the time period for which the report applies (e.g., which calendar month), and perhaps the name and phone number of the report’s creator. In contrast, a report footer is typically a summary statement that contains grand totals or similar numeric summary information. It appears on the last page as the last item of a report.
h. A report based on a table simply displays the data (or calculated values) from a single underlying table. A report based on a query can be based on multiple tables, can also include calculated fields, and of course, will display the information for only those records satisfying the query itself. For the Customer report in Figure 6-8, for example, a report based on a query might limit the output to those customers in a few specific zip codes.

5-16. This problem requires students to recreate the form in Figure 5-1. The resulting form should look like the following:


This problem also requires students to do the following:
a. Add a label in the heading portion of their forms that contains the term “Prepared by:” and add their name. Print a single copy of the completed form.
b. Use the navigation bar at the bottom of their form and then identify the first and last records (will vary with the student).
c. Add a new record to this form with his or her name as the customer. Then print a copy of this form.
d. Close the form, and then verify that their new record exists by going to the Tables portion of the database and opening the Customers table in datasheet view (see Figure 5-2).

5-17. This problem requires students to modify the form they created in problem 5-16 to include a subform similar to the one in Figure 5-7. The resultant form and subform should look like this:

The problem also requires students (a) to use the navigation bar to go to the last record in the Customers table and to print this form, and (b) to find a customer with invoices and to use the navigation bar of the subform to select a particular invoice in the subform. The exact results will depend upon which records students create in their Customers and Invoices Tables.


5-18. This problem requires students to create a report similar to the one in Figure 5-8. The resultant report should look like this:

The directions also require students to (a) add a label to the heading portion of the report that contains the term “Prepared by” and to include their names, and (b) determine who the first and last customer in their reports are. 5-19. This problem requires students to use their Customers Table and the Report Wizard to create a report similar to the one in Figure 5-15. Instructors should note that this requires users to select “subgroup totals” in the Report Wizard and a fairly large amount of reformatting and reorganizing of the template provided by the Report Wizard.


Case Studies A Form for BSN Suppliers (Creating a Simple Form in Access) a. This case requires students to create a simple form in Microsoft Access, using data that they create and (perhaps), the Form Wizard. The final form should look like the following:


Additional requirements of this case are:
b. Identify the first and last records of the BSN Vendors table.
c. Adjust the Tab Order to ensure that the user tabs sequentially through the fields in logical sequence.
d. Use the form to add a new vendor record to the Vendors table, including their own name as the Contact Person.
e. Print a copy of the form showing the new record they created in part d.
f. Suggest some additional improvements for this form. Possibilities include:
• Adding a default value for the City or State
• Adding a mask for the phone and/or fax numbers
• Putting the Zip code on a separate line of the form
• Using an autonumber to automatically generate the number of a new vendor.

A Form and a SubForm for the BSN Suppliers (Creating Forms with Subforms) a. This problem is mostly a continuation of Case 5-20. It requires students to create a form similar to the one above, and then use the subform control in the ToolBox to create a subform. The resulting form should look like this:


Additional requirements of this problem include:
b. and c. Experimenting with the navigation bars in the main form and the subform.
d. Creating a new purchase order for the current Vendor in the subform.

A Listing of BSN Suppliers (Creating Simple Reports in Access) This problem requires students to create a simple report similar to the one in Figure 5-19. We recommend that they use the Report Wizard for this task. The final product, at run time, is shown in the figure. The finished report, at design time, should look similar to this:


Although straightforward, this report requires a good deal of reformatting because many of the labels in the form occupy two lines, as do the detail lines of the report itself. Students must also embed their own name, the date, and the graphic in the report header.


Chapter 6 Documenting Accounting Information Systems Discussion Questions 6-1. The text provides nine reasons why documenting AISs is important: (1) depicting how the system works, (2) training users, (3) designing new systems, (4) controlling systems development and maintenance costs, (5) standardizing communication among system engineers, (6) providing information to auditors, (7) documenting a business’s process, (8) helping a company comply with the Sarbanes Oxley Act of 2002 and AS5, and (9) establishing employee accountability for specific tasks or procedures. Additional reasons include: (1) to help evaluate the performance of system personnel, (2) to help evaluate the adequacy or efficiency of an existing system, and (3) to provide design specifications to outside vendors who might be proposing new systems. Accountants are interested in system documentation for all these reasons. For example, inadequate documentation makes it difficult to use an integrated accounting package effectively, design one for others to use, or audit a system intelligently. Flowcharts and similar systems documentation are also important to auditors. These charts can help auditors spot internal control weaknesses that are not apparent from prototypes or not obvious when observing a system in use. 6-2. Document flowcharts are a type of system flowchart. Whereas system flowcharts are process-oriented, document flowcharts focus on the flow of physical documents through the processing system. Document and system flowcharts are similar in that they use similar symbols in their construction. A few additional symbols, such as envelopes and hand trucks to depict movement of goods, are more likely to appear in document flowcharts than system flowcharts. But system flowcharts contain more detail about processing logic. 
Accountants can use data flow diagrams (DFDs) to depict the physical flows of data through an AIS (like document flowcharts), or the logical flow of data through an AIS (like system flowcharts). Like document or system flowcharts, their main objective is to document data flows in an orderly, graphic, and easily-understood format. But DFDs use fewer symbols than either document or system flowcharts, and do not require columns (like document flowcharts). Program flowcharts are really the lowest level of system flowcharts because they outline the logic sequence for a particular application program. Thus, they are more used by programmers and system analysts than by accountants and auditors. Still, auditors will need to understand these program flowcharts when looking at program logic and program controls. Program flowcharts use many of the same symbols found in system flowcharts, but also use some special ones such as the decision symbol.

6-3. A document flowchart is a pictorial representation of the physical data flow through the various departments of a business. A document flowchart is used in designing or evaluating an accounting information system.
1. A systems analyst uses it when evaluating a system to see if each department is receiving the necessary data and that unnecessary data are not transferred.
2. A system designer uses it when there is interest in improving or replacing an existing system.
3. A computer programmer can use a document flowchart when preparing system flowcharts.
4. An auditor uses it to help define, follow, and evaluate an audit trail. 5. An internal data security expert uses it to indicate weaknesses in internal control and data control. 6-4. Guidelines for creating document flowcharts, system flowcharts, and data flow diagrams are listed in the text. See relevant chapter sections for document flowcharts, system flowcharts, and data flow diagrams. 6-5. Data flow diagrams use a square symbol to show the source or destination of data. A circle symbol indicates a process. An open rectangle symbol indicates a store of data. Finally, arrows depict a data flow or data stream. 6-6. Data flow diagrams are created in a hierarchy called the top-down approach to systems development. In this approach, developers create these diagrams in levels, beginning with the broadest, least-detailed level, and exploding (working towards increasing refinements of) each piece of the preceding level until the system is completely specified. The rationale behind this approach is to keep major system objectives in view at first, and to worry about details later after major system components are specified. However, the process is reiterative, revisions are common, and little is considered “final” until the lowest diagram levels have been specified and approved. The broadest DFD is called a context diagram. The next level (a “level-0" diagram) is also called a physical data flow diagram. Lower levels are numbered “level-1", “level-2", and so forth, and are commonly termed logical data flow diagrams. 6-7. It is usually easier to follow logic with a chart or figure than with a written narrative. For example, when reading a long narrative description of a process, it is often difficult to visualize relationships between system elements and a reader’s attention can wander. In contrast, graphical depictions of the same logic are usually easier to understand because most people grasp the use of arrows to show connections or data flows. 6-8. 
Decision tables outline the set of conditions that a given processing task might encounter and indicate the appropriate action to take for each condition. Decision tables can therefore help system designers plan data processing functions and create written records of the processing logic for later reference. The major advantage of decision tables is that they can summarize a potentially large number of conditions and actions in a compact format. Decision tables are also useful as planning tools to system analysts and related individuals who are charged with the task of helping create new AISs. Finally, the accountants who audit AISs rely heavily upon internal documentation, and decision tables can help them verify the processing logic and control procedures that were built into these AISs.

6-9. Just as word processors enable users to create, store, modify, and print word documents, CASE tools enable information technology and accounting personnel to create, store, modify, and print system documentation. The term CASE is an acronym for "computer assisted software engineering." CASE tools automate the development of program and system documentation. Thus, developers use them to create data flow diagrams, entity relationship diagrams, record layouts, data entry screens, report formats, screen menus, system flowcharts, and program flowcharts. Most also include generators for developing data dictionaries. CASE tools are computer programs that typically run on microcomputers. The user selects a particular type of document to develop or modify, and then works on it in much the same way that a secretary uses a word processor to work on a word document. It is not necessary to use
CASE programs to develop AIS documentation, but it is difficult to imagine why anyone would not use such capable and time-saving tools. 6-10. End user computing refers to the computer activities of non-computer employees, especially the development of large spreadsheets and databases. Although such activities are commonplace today, they also create problems. For example, when non-IT personnel develop important computer applications, a company becomes increasingly dependent upon such individuals to answer questions, or to explain how to use the software. Documentation is also important in end-user computing environments because it provides the training aids, user descriptions, tutorial manuals, and reference materials that other users need in order to run the applications effectively. See relevant chapter sections for guidelines to control end-user computing.


Problems

6-11.
Process
Predefined Process
Alternate Process
Decision
Data
Internal Storage
Document
Multidocument
Terminator
Preparation
Manual Input
Manual Operation
Connector
Off-page Connector
Card
Punched Tape
Summing Junction
Or
Collate
Sort
Extract
Merge
Stored Data
Delay
Sequential Access Storage
Magnetic Disk
Direct Access Storage
Display
6-12. [Figure: flowchart segments for parts a) through k). Labels in the drawings: Prepare Sales Draft; Sales Invoice; Credit Sales Invoices; Transactions; Employee Application Forms; File; Batch Control Tape; CPU using “Create New Records” program; Terminal; Customer Inquiry Letters (4 types); Review Customer Accounts; List of uncollectable accounts; Inspect shipments; Employee Master File; Employee time card data; Key entry; to CPU; Employee time card data on floppy disk; Dept. 1; Dept. 2; Dept. 3; Dept. 4; Source Document; Copy; File; Ledger.]
i) The flowcharter should use onpage connectors.

6-13.

6-14

Mark Goodwin Convenience Stores

Garcia-Lanoue Company


6-15. Ron Mitchell Manufacturing Company
[Figure: flowchart with columns Shipping Department; Data Entry Department; Computer Operations. Labels: Shipping order; File; Key entry; Verify; Floppy disk.]


6-16. Amanda M Company
[Figure: Context Diagram. Labels: Sales / Collection Process; Customers; Employees & Bank.]
[Figure: Level 0 Diagram. Labels: Customers; Sales Orders; Payments; Shipping Notice and Invoice; Order Data; 1.0 Process Sales Orders; 2.0 Process Shipments; 3.0 Process Electronic Payments; Shipment Data; Sales Reports; Order Reports; Payment Reports; Employees & Bank.]


6-17. Winston Beauchamp Company
[Figure: System Flowchart. Labels: Product file; Manual customer order; Process customer orders; Key entry; Customer order file; Customer orders report.]
[Figure: Data Flow Diagram. Labels: Customer; Product file; Customer orders; product information; Key customer order data; Customer order information; Customer order file; one copy of customer order; four copies of customer order; Hold for further processing; Other departments.]


6-18. LeVitre and Swezey Credit Union
[Figure: solution diagram. Labels: Customers; Make Deposit; Employers; Make Withdrawal; Make Deposit; Accounting Transactions; Create Monthly Statements; Update Master File Daily; Get Information For Inquiries; Bank Employees; Credit Union Accounts Master File; Prepare Payroll Checks; Pay Bills; Creditors For Rent, Phone, Utilities, Etc.]


6-19. Jeffrey Getelman Publishing Company
[Figure: solution flowchart. Labels: New subscription orders, renewals, and checks; Change of address forms; Terminal; Terminal; CPU using “Edit Subscription Orders” Program; CPU using “Change of Address” Program; Subscriber Master File; Summary Report of new subscription renewals; Summary Report of address changes; CPU using “Monthly Mailing Label” Program; Mailing Labels; Notices to new and renewal subscribers; to production department; to mail.]


6-20. The Bridget Joyce Company

a. The decision table is shown below. Note that alternate decision rules would also be reasonable here since the case does not specify exactly what action is to be taken for each set of conditions.
[Decision table with rules 1 through 11. Conditions, Account Status: Not past due; Less than 30 days past due; 31-60 days past due; 61-90 days past due; More than 90 days past due. Conditions, Account Activity: No activity; Written communications; Partial payment. Actions: Do nothing; Send first letter of inquiry; Send second letter of inquiry; Collection agency referral.]

b. This exercise requires some creativity on the part of the student. One possibility is to give each customer a rating on the following: a) no prior delinquency history b) only one prior delinquency c) only two prior delinquencies d) more than two prior delinquencies Mr. Smith can now make a decision based upon this categorization of customer account history. It might also be pointed out that many companies handle delinquencies on an individual basis. Most small companies, for example, will try to work with their customers whenever possible instead of writing to them impersonally because written confrontations rarely produce desired results.
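How a decision table built from the conditions and actions of 6-20a can be checked for missing and conflicting rules, as an added example that is not part of the solution manual. The assignment of actions to rules below is a hypothetical rule set constructed for illustration (the answer itself notes that alternate rules are reasonable); only the condition and action names come from the table.

```python
from itertools import product

STATUSES = (
    "Not past due",
    "Less than 30 days past due",
    "31-60 days past due",
    "61-90 days past due",
    "More than 90 days past due",
)
ACTIVITIES = ("No activity", "Written communications", "Partial payment")
ACTIONS = (
    "Do nothing",
    "Send first letter of inquiry",
    "Send second letter of inquiry",
    "Collection agency referral",
)
ANY = "*"  # wildcard: the rule applies whatever the account activity is

# Hypothetical rules: (rule number, account status, account activity, action).
RULES = [
    (1, STATUSES[0], ANY, ACTIONS[0]),
    (2, STATUSES[1], ACTIVITIES[0], ACTIONS[1]),
    (3, STATUSES[1], ACTIVITIES[1], ACTIONS[0]),
    (4, STATUSES[1], ACTIVITIES[2], ACTIONS[0]),
    (5, STATUSES[2], ACTIVITIES[0], ACTIONS[2]),
    (6, STATUSES[2], ACTIVITIES[1], ACTIONS[1]),
    (7, STATUSES[2], ACTIVITIES[2], ACTIONS[1]),
    (8, STATUSES[3], ACTIVITIES[0], ACTIONS[3]),
    (9, STATUSES[3], ACTIVITIES[1], ACTIONS[2]),
    (10, STATUSES[3], ACTIVITIES[2], ACTIONS[2]),
    (11, STATUSES[4], ANY, ACTIONS[3]),
]


def matching_rules(rules, status, activity):
    """All rules whose conditions cover this status/activity combination."""
    return [r for r in rules if r[1] in (status, ANY) and r[2] in (activity, ANY)]


def audit(rules):
    """Check every combination of conditions against the table.

    gaps:            combinations no rule covers (processing is undefined)
    conflicts:       combinations where rules prescribe different actions
    unknown_actions: rule numbers whose action is not a defined action
    """
    gaps, conflicts = [], []
    for status, activity in product(STATUSES, ACTIVITIES):
        hits = matching_rules(rules, status, activity)
        if not hits:
            gaps.append((status, activity))
        elif len({r[3] for r in hits}) > 1:
            conflicts.append((status, activity, sorted(r[0] for r in hits)))
    unknown = [r[0] for r in rules if r[3] not in ACTIONS]
    return {"gaps": gaps, "conflicts": conflicts, "unknown_actions": unknown}


def decide(rules, status, activity):
    """Return the single action for an account, refusing ambiguous tables."""
    if status not in STATUSES or activity not in ACTIVITIES:
        raise ValueError(f"unknown condition: {status!r}, {activity!r}")
    actions = {r[3] for r in matching_rules(rules, status, activity)}
    if len(actions) != 1:
        raise LookupError(f"{len(actions)} actions for {status!r}, {activity!r}")
    return actions.pop()


if __name__ == "__main__":
    print(audit(RULES))
    print(decide(RULES, "31-60 days past due", "Partial payment"))
```

Running `audit` whenever a rule is edited gives the reviewer the list of uncovered or contradictory condition combinations without reading the table cell by cell.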


6-21. This problem requires students to draw the flowcharts in Figure 6-20. In a later part of the problem, students are also asked to recreate the flowcharts in Figures 6-3, 6-6, 6-8, 6-11, 6-12, 6-13, 6-14, and 6-15. Because these flowchart are already shown in the text, the outputs are already known. Teaching notes: Students should follow the directions provided in this case to create the two (program) flowcharts shown as well as the link that connects the two flowcharts together. Students can document their links by printing a copy of their formulas. Finally, although using Excel’s drawing tools is straightforward, it still takes time to create even small diagrams with them. Thus, we recommend that instructors do not assign all parts of this case (a through h), but only assign a selection of these diagrams.

Case Studies The Berridge Company (Document Flowcharts) 1. A document flowchart for the Berridge Company's inventory control system may be found after #3 (below). 2. The company can eliminate one or more copies of the retail store requisition (RSR) form. The document flowchart (and case description) indicate that a retail store prepares three copies of the RSR form. One copy is retained in a file at the retail store, and two copies are forwarded to the warehouse. When warehouse personnel fill the order, they file one copy of the RSR form in their own files, and forward the last copy of this form to the inventory control department for use in updating its records. The end result of this effort is a lot of paperwork. One way to reduce it would be to allow the warehouse personnel to create the computer record that indicates a disbursement to an individual store, thus eliminating the need for the third copy of the RSR form currently sent to inventory control. The company could eliminate all copies of the RSR form by computerizing its warehousing operations completely. In this new system, a retail store would create a computer record for each requisition, which the system could then display onscreen or print on a report of similar requisitions for the warehouse each day. When a requisition order is filled, personnel in the warehouse could indicate this by entering the required data into the computer system. This entry would trigger an inventory update in the inventory file and eliminate the pending requisition record from the file of active requisitions. 3. The company currently creates five copies of each purchase order. These copies are sent to: (1) the vendor, (2) accounts payable, (3) inventory control, and (4) the warehouse. The purchasing department retains the fifth copy. This seems excessive. It is obvious that the company must send one copy of the purchase order to the vendor. 
In addition, it makes sense for control purposes to send one copy of the purchase order to the receiving department (for use in comparing against the subsequent bill of lading), and to retain one copy of the PO to document the purchase itself. It is less obvious that the company needs to create the other two copies of the purchase order. In fact, the document flowchart indicates that both the inventory control department and warehouse personnel perform the comparison function when goods arrive - a duplication of effort. Similarly, the company can probably eliminate the copy it currently prepares for accounts payable. Instead, warehouse personnel can attach their copy to the receiving report, and the accounts payable department can use the warehouse copy to prepare a check to the vendor.


[Figure: A document flowchart for the Berridge Company’s inventory control system. Columns: Retail Store, Inventory Control, Warehouse, Purchasing, Accounts Payable, Vendor.]


Classic Photography Inc. (Systems Flowcharts)

[Figure: systems flowchart for Classic Photography Inc. Recoverable labels: Employee Requests, Purchase Requisition, Enter Order, Create Purchase Orders, Fax to Supplier, Open PO, Merchandise Arrives, Check Merchandise vs PO, Prepare open invoices for payment, Supplier Invoices, Check, Phone Call if Necessary.]


The systems flowchart is valuable because it shows the “flow” of activities and documents within the sales/collection process. The flowchart is particularly useful for identifying redundant, unnecessary, and risky activities. The Dinteman Company (Document Analysis) 1. a) Data items which should be included on a repair/maintenance work order document are as follows: 1) Job identification - department (or plant) for which work is to be done, machine or work station, and general description of job. 2) Starting and completion dates - both estimated and actual. 3) Materials and supplies data - estimated and actual quantities and costs. 4) Labor data - estimated hours, actual hours cost, and employee number for each job or person completing the work. 5) Applied overhead. b) At least four copies of the work order would be required with a possible fifth copy needed if a work order summary is not prepared. The work order would be prepared in the R & M Department and given to the supervisor for review and scheduling. The work order would then be used by the person responsible for the work by recording the actual hours spent on the job and the actual materials and supplies required to complete the job. After the job is completed, the work order would be forwarded to accounting for costing and charging. The distribution of each copy of the work order would be as follows: Original (Copy 1) - Once the job is completed and all data has been recorded on the work order, this copy is forwarded to the Accounting Department for costing and then filed in the Accounting Department. Copy 2 - This copy is also fully completed and is filed in the R & M Department in a completed work order file. Copy 3 - This copy would be kept by the R & M Department in a file of scheduled jobs until the work is completed. A reference file is needed for all work orders while the job is in process. Once this job is completed, Copy 3 would be attached to Copy 2 and filed with Copy 2. 
Copy 4 - This copy would be sent to the Production Department where the work is being done to acknowledge the actual scheduling of the job. An evaluation of the performance of the R & M Department would probably be done in three departments as explained below: The department which requests the work should compare the estimated charges indicated on the Work Order Request with the actual charges and the timeliness of the work, (e.g., the estimated and actual starting and completion times on the Work Order). If the work is not timely or if the actual charges vary considerably from the estimate, the management of the Production Department would contact the supervisor of the R & M Department for an explanation. The supervisor of the R & M Department would conduct a self-evaluation by comparing the Work Order Request and the completed Work Order. The supervisor would want to be sure the actual times and charges were close to the original estimates. Such a comparison would be important for evaluating the staff in the department and also for preparing future estimates. The Accounting Department (or some other appropriate department) would probably conduct a review of the R & M Department's work. The estimates and actual results shown on the Work Order would be compared. Types of repair and maintenance jobs which have standard times for completion would be compared with actual times required for the work in order to evaluate the department's performance. 2. See document flowchart on following page.

[Figure: document flowchart for the Dinteman Company. Columns: Production Department, Repair & Maintenance Department, Accounting Department. Documents shown: Service Request, Work Order, Work Order Summary.]


Chapter 7 Accounting Information Systems and Business Processes: Part I Discussion Questions 7-1. Answers to this question will vary depending on the type of firm the student intends to start up. For example, if the student wanted to start up a pet grooming business, there are a number of possible software choices that might be identified. One is called 123 Pet Software (http://www.123petsoftware.com/), which includes a large number of features: tracks clients, pets, inventory, employees, appointments, payroll, networking, and much more. 123Pet dog grooming and vet software works with cash drawers, bar code scanners, receipt printers, and other hardware, including touch screens. The software can be used for cats or dogs. 7-2. Among the uses of accounting codes are the following: (1) to uniquely identify accounting data (e.g., more than one person or product may have the same name), (2) to compress data (e.g., written descriptions are generally much longer than a code), (3) to classify data (e.g., codes facilitate classification either manually or electronically), and (4) to convey special meanings (e.g., codes can be used to indicate such things as credit ratings, credit limits, prices, or passwords). Students should be able to find examples of such codes as: employee identification numbers, chart of account schemes, product numbers, customer or client identification numbers, and so on. 7-3. There are many outputs of an AIS. These outputs come in a variety of formats including hard copy reports, screen displays, audio, images, tape, and diskette. AIS outputs include: (1) reports to management, investors, and creditors, (2) transaction data files, and (3) current account information. Systems analysts need to begin with outputs in designing an AIS. The outputs dictate what data will be required. Otherwise, analysts will be selecting data sets without justification. 
This is likely to result in either too much data or the inability to provide managers with the information they need. The outputs literally “drive” the inputs in an AIS. 7-4. Some criteria that should be considered when designing managerial reports are “usefulness,” “convenient format,” “identification,” and “consistency.” These are very broad and cover most uses. In individual situations, other criteria may be necessary such as “adherence to prescribed format,” “adherence to a completion deadline,” or “satisfy the boss.” Designers learn what to include in reports by interviewing the report users, studying business processes, studying documentation, and studying existing reports. 7-5. Note to Instructor: Responses will vary by student, type of organization visited, and documents collected. In general students should find that businesses of all kinds have many source documents in common. These include purchase requisitions, purchase orders, time tickets, receiving reports, personnel action forms, sales orders, and invoices. 7-6. When data entry clerks add a new customer to an AIS, data items to be entered include customer ID number, customer name, customer shipping address, customer billing address, terms, credit limit, contact name, phone, fax, and e-mail address. Data items entered to record a sales order include customer ID number, sales order number, date, date to be delivered, authorized signatures, detailed information about items ordered including quantity, price, description, and salesperson number. 7-7. Data flow diagrams are logical descriptions of a system whereas systems flowcharts capture a physical view of the system. The data flow diagram would show processes, similarly to a systems flowchart. The systems flowchart, however, is likely to show whether the processes are performed by computer, manually, or by another device. Flow lines in the data flow diagram would show input and output items. These would either go to a data source or destination or a data store. The flowchart would show inputs and outputs apart from flow lines. They might be depicted in manual files, disk files, tape files, documents, etc. Both flowcharts and data flow diagrams may be designed to show increasing levels of detail. For instance, a context data flow diagram corresponds to a high level systems flowchart and each usually shows only one overall process for the revenue cycle. 7-8. Both restaurants and car manufacturers are manufacturing organizations. They take raw materials, process them, and produce finished goods. However, the car manufacturer will deliver the product to a car dealer or intermediary, rather than to the customer. The restaurant does not only deliver the product to the customer; the process doesn't really end until the product is consumed! Insofar as inputs to the purchasing cycle are concerned, both car manufacturers and restaurants are buying raw materials, as mentioned. Therefore, inputs are likely to be similar. They would consist primarily of purchase requisitions and purchase orders. One difference worth mentioning is that a car manufacturer is likely to be closely linked to suppliers - via electronic data interchange (EDI). Therefore, the car manufacturer may make use of electronic requests for inventory items. A restaurant may not be large enough or closely linked to specific suppliers for EDI to be effective. 7-9.
Business-without-boundaries is the term given to an organization that has outsourced one or several business functions. The organization may have outsourced the function to another company in the US or perhaps to a company that is outside the US (called offshoring). This trend is changing the nature of organizations in a variety of ways. As with national and multi-national firms, employees may be located anywhere in the US or the world. Typically, communication and coordination of business processes are very important so that the customer experiences seamless service from the firm. As an example, Amazon.com (headquartered in Seattle, WA) outsourced (offshored) some of their customer service functions to a company in India. When customers have problems, it is likely that an e-mail response will originate in India. However, the customer e-mails Amazon.com – not the company in India where the response is generated. Amazon.com has customers worldwide and believes that the customer service function should respond to customer concerns 24/7. By offshoring this function to various companies in the world, as well as outsourcing to some companies in the US, Amazon.com is able to respond to customers very quickly. As a result of improved technology, networks and improved communications capabilities, companies can interact with each other in new and different ways to provide better, more efficient service to customers, while cutting the cost of doing business. Of course, this also presents new risks and challenges to companies that outsource business processes, because they are no longer able to directly monitor and control the quality of service that is provided to their customers. 7-10. This means that companies have outsourced one or more business functions (processes) to companies that are not located in the US. According to a recent META Group report (www.metagroup.com, Worldwide IT Benchmark Report, 2004), India continues to be the preferred offshore country with more than 500,000 knowledge workers. Other countries compete with India for this offshore business – such as Russia, the Philippines, Ireland, Israel, and China. 7-11. Students might strongly agree or disagree with these claims regarding the availability of qualified IT personnel. However, the responses they give should be based on their research (number of IT graduates at your university or other statistics that might support their view). Encourage students to base their opinions on data that they might find on the Internet or data that might be available in their university library (either reference books or digital media), rather than their “feelings”. This topic can lead to a very lively classroom discussion if half of the students are required to “support” the claims and the other half of the students must find support to refute the claims. A mock debate can be used to bring out both sides of this issue. In this case, 2-3 students from each group would present their findings (perhaps using PowerPoint slides) in front of the class and present their respective points of view. After both presentations, the students in the front of the class could act as facilitators to encourage the rest of the class to give their opinions. A web site that discusses IT Offshoring and the impact on employees is: http://www.mckinsey.com/mgi/rp/offshoring/ 7-12. One interesting new use of RFID tags is for passports. The US Government believes that the benefits outweigh the costs (http://news.cnet.com/RFID-passports-take-off/21007348_3-6130016.html). Another interesting use is that they are being implanted in people as an “in” thing (http://www.prisonplanet.com/articles/april2004/040704bajabeachclub.htm) to be considered a VIP at a beach club in Spain. 7-13. For a list of the “Top 15 Weirdest, Funniest, and Scariest Uses of RFID”, visit the following website: http://www.rfidgazette.org/2007/04/top_15_weirdest.html 7-14.
Students’ opinions of this technology will likely differ based on how they interpret the privacy issues surrounding RFID tags.

Advantages:
• ability to track people (e.g., patients and babies in hospitals)
• ability to track items of all types, such as inventory in warehouses, office buildings, university buildings
• convenience (like the smart passes for cars to pass quickly through toll gates)

Disadvantages:
• for individuals, the primary concern surrounds the perception that personal privacy could be violated
• from a manufacturing perspective, the primary concern is the cost of the tags



Problems 7-14. a) sequence code such as a social security number b) block code or group code c) block code or group code d) block code or group code e) sequence code (by one's) f) sequence code (by one's) g) sequence code (by one's) h) group code i) mnemonic code j) block code k) sequence code (by one's) l) sequence code (by one's) m) sequence code (by one's) n) group code o) sequence code or group code p) sequence code or group code q) block code r) block code s) block code t) alphabetic code or mnemonic code u) sequence code (by ones) v) sequence code or group code 7-15.

A group code of the following format is recommended for Novelty Gadgets:

Product code = L SSS NNNN A DD PP C R

where:
L = product line (1=toys and games, 2=party and magic tricks, 3=gifts)
SSS = subproduct code (numeric)
NNNN = product number (numeric)
A = geographic area (mnemonic)
DD = sales district (numeric)
PP = salesperson (numeric)
C = customer type (mnemonic)
R = credit rating (numeric)

Note that this is a transaction code, not a product code. The product line, subproduct code and product number may be used as a product number. The remaining code is not known until a sales transaction takes place.

7-16. The figure in this problem is a document flowchart for the preparation of purchase orders for the P. Miesing and Company. Three source documents are involved in the data processing: (1) new vendor authorization forms, (2) new product authorization forms, and (3) authorized purchase requisitions.



When a new vendor is approved, the vendor information from the new vendor form is keyed online through a computer edit program which creates a new vendor record on the vendor master file. Similarly, when a new product is approved, the information from the new product authorization form is keyed online through a computer edit program which creates a new product record on the product master file. When corporate purchasing agents (or other approved personnel) receive authorization to make a purchase, an authorized purchase requisition form is obtained. The information on this form is keyed into an online terminal which in turn connects to a CPU using a “Prepare Purchase Orders” program. This program (1) creates a computer record on the purchase orders pending file, (2) creates a multiple copy purchase order (at least one copy of which is sent to the vendor), and (3) creates a purchase order summary report. 7-17. The events in SSR-Save’s sales process are: i. Customer selects goods ii. Customer and sales clerk participate in sale iii. Customer pays a. The sales process in an online environment is similar, with one main exception. The most important difference is that the store must ship the goods to the customer. This is an additional event. Attributes of the other events change to some degree. The customer still selects the goods, but does so without physical inspection. The customer interacts with software rather than a human sales clerk. As for payment, the customer will always use a credit card if that is the payment option allowed in the online store. b. In the retail store, the sales clerk may collect some data about the customer at the point of sale. However, if the sale is for cash, it is possible that the store never collects data about the customer. In the online store, the system can collect data about the customer at any point. For instance, when the customer first opens the site, there could be a registration screen. c. Some stores ask customers for their zip code and/or phone number. They do this to track demographic data about customers and sales. Online stores can collect a lot of data about customers easily. If you buy online, you need to supply address and, frequently, credit card information. You may need to provide other data as well. To improve customer satisfaction, you could post an optional satisfaction survey at the web site. You can also use the data you collect about the sale to improve customer satisfaction. For example, you could use data about products most frequently sold online to organize your product offerings online. You can also use data about the pages customers most frequently open to organize your site. In addition, the data collected about customer purchases could be used to suggest similar types of products (cross-selling) the next time the customer visited the website (like Amazon.com). d. Public accounting firms sell services instead of goods. There are many differences between selling goods and selling services. For example, services are intangible and are experienced. The way a public accounting firm gets its customers is different from a retail store. The firm may have to bid on jobs and the sales process takes place over time as work is performed. Public accounting firms will definitely be interested in customer satisfaction. They can collect the data through surveys and by asking for suggestions from clients on ways to improve their service. One way to collect data to improve service in a public accounting firm or any professional service firm is to create a knowledge management system. These systems may contain data about client Best Practices that professionals can use to better service new and existing clients. Some public accounting firms are creating customer portals where they interact with their clients, providing them updates, for example, on new accounting standards.

Case Studies Larkin State University (Purchasing Process) 1. The events are: Purchase Requisition; Purchase Order; Receipt of Goods/Services; and Cash Payment. 2. Employees could complete Purchase Requisition forms on the company’s intranet. The completed requisitions could be forwarded to the appropriate authorities for approval. Approvals could be online and then the purchase order would be routed to the purchasing department. The accounting or enterprise software could check for approval and forward the requisition to the appropriate purchasing agent. The agent could match the order to an appropriate supplier and enter the data needed to complete a purchase order. Copies of the purchase order can be routed through the intranet to receiving and accounts payable departments. Receiving clerks can complete receipt information and forward that via e-mail to the appropriate accounts payable clerk based on vendor name. The accounting or enterprise software can check all documentation for discrepancies. The software can also perform checks of vendor names, payment dates, invoice numbers, and invoice amounts as an internal control against duplicate payments. The software could also print out a discrepancy report when the vendor invoice, receiving report and purchase order amounts do not agree.
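The duplicate-payment checks and the discrepancy report described for Larkin State University, sketched as an added example (not from the textbook or from any accounting package). The record layouts, normalization rules, 30-day window and sample data are assumptions constructed for illustration.

```python
"""Duplicate-payment screen and three-way match over constructed sample records."""
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from itertools import combinations


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    amount: Decimal


@dataclass(frozen=True)
class ReceivingReport:
    po_number: str
    amount: Decimal  # value of the goods actually received


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    vendor: str
    po_number: str
    amount: Decimal
    payment_date: date


def norm_vendor(name):
    """Fold case, punctuation and common suffixes: 'Acme, Inc.' == 'ACME INC'."""
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(w for w in words if w not in {"inc", "llc", "ltd", "co", "corp"})


def norm_invoice_no(number):
    """Drop separators and leading zeros: 'INV-0042' == 'inv42'."""
    parts = re.findall(r"[a-z]+|\d+", number.lower())
    return "".join((p.lstrip("0") or "0") if p.isdigit() else p for p in parts)


def find_duplicate_payments(invoices, window_days=30):
    """Return (invoice_a, invoice_b, reason) for pairs that look like one bill paid twice.

    Pairwise comparison is O(n^2); fine for a sketch, not for a full ledger.
    """
    hits = []
    for a, b in combinations(invoices, 2):
        if norm_vendor(a.vendor) != norm_vendor(b.vendor) or a.amount != b.amount:
            continue
        if norm_invoice_no(a.invoice_number) == norm_invoice_no(b.invoice_number):
            hits.append((a.invoice_number, b.invoice_number, "same invoice number"))
        elif abs((a.payment_date - b.payment_date).days) <= window_days:
            hits.append((a.invoice_number, b.invoice_number,
                         "same vendor and amount, close dates"))
    return hits


def three_way_match(pos, receipts, invoices):
    """Discrepancy report: invoices whose PO, receiving report and invoice disagree."""
    po_by_no = {p.po_number: p for p in pos}
    rr_by_no = {r.po_number: r for r in receipts}
    report = []
    for inv in invoices:
        po, rr = po_by_no.get(inv.po_number), rr_by_no.get(inv.po_number)
        problems = []
        if po is None:
            problems.append("no purchase order")
        if rr is None:
            problems.append("no receiving report")
        if po is not None and norm_vendor(po.vendor) != norm_vendor(inv.vendor):
            problems.append("vendor differs from PO")
        if po is not None and po.amount != inv.amount:
            problems.append(f"invoice {inv.amount} vs PO {po.amount}")
        if rr is not None and rr.amount != inv.amount:
            problems.append(f"invoice {inv.amount} vs received {rr.amount}")
        if problems:
            report.append((inv.invoice_number, problems))
    return report


# Constructed sample data: one re-keyed invoice, one short shipment, one orphan invoice.
POS = [PurchaseOrder("PO-1001", "Acme Supply, Inc.", Decimal("1250.00")),
       PurchaseOrder("PO-1002", "Brightline Labs", Decimal("480.00"))]
RECEIPTS = [ReceivingReport("PO-1001", Decimal("1250.00")),
            ReceivingReport("PO-1002", Decimal("400.00"))]
INVOICES = [
    Invoice("INV-0042", "Acme Supply, Inc.", "PO-1001", Decimal("1250.00"), date(2024, 3, 1)),
    Invoice("inv42", "ACME SUPPLY INC", "PO-1001", Decimal("1250.00"), date(2024, 3, 19)),
    Invoice("B-77", "Brightline Labs", "PO-1002", Decimal("480.00"), date(2024, 3, 5)),
    Invoice("C-9", "Cobalt Freight", "PO-1999", Decimal("90.00"), date(2024, 3, 6)),
]

if __name__ == "__main__":
    for row in find_duplicate_payments(INVOICES):
        print("possible duplicate payment:", row)
    for number, problems in three_way_match(POS, RECEIPTS, INVOICES):
        print("discrepancy:", number, "; ".join(problems))
```

The re-keyed invoice passes the three-way match on its own, because it agrees with a real purchase order and receiving report; only the duplicate screen catches it, which is why the two controls are run together.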

The Caribbean Club (Customer Relationship Management) 1. The students might have a lot of different ideas from their own point of view, but what we want them to do in this case is to consider the business advantages and disadvantages from an accounting perspective. The possible advantages could include those that are discussed in the chapter:
• more accurate data in AIS (avoid human error in entering sales data)
• perhaps increased sales (VIP status in club)
• servers more attentive to customers (don’t have to spend time getting bill, delivering to table, collecting money)
• perhaps avoid fraud (no cash, debit or credit cards in use)



Possible disadvantages might include:
• initial cost of RFID readers
• malfunction of RFID readers – would need alternate means of collecting money for food and drinks
• some patrons might object to this sort of technology due to privacy concerns

2. In a retail environment such as this, the following information might be useful:
• gender and perhaps age of patron
• types of drinks that are most popular
• types of entertainment that are preferred by patrons
• types of music patrons like to listen to while visiting/talking with friends
• peak times for patrons to visit

There are a number of CRMs available that students might select. This would be a good time for students to have group discussions in class and then “report” to their classmates which CRM they selected for Ross and why they selected that choice. Some web sites of CRMs for restaurants and bars include:
• http://www.opentable.com/info/newspage.aspx?id=127
• http://www.destinationcrm.com/Articles/Editorial/Magazine-Features/CRM-Where-YouLeast-Expect-It-42800.aspx (discussion of how IHOP uses their CRM)
• http://www.netsuite.com

The instructor might also want to lead a discussion of the pros/cons of a “hosted” CRM solution vs. an “on-premise” CRM (i.e., cost, upgrades, training, support, etc.)

3. From a patron’s point of view, there might be several advantages:
• no need to carry an ID, credit card, or debit card
• some patrons appreciate being “known” by the owners/servers who would be able to bring them their favorite beverages without being asked for their order
• the status of having access to a VIP area of the club

Perhaps the biggest disadvantage is again linked to the concern for personal privacy, although there are many places these days where patrons sacrifice privacy for convenience.

4. This is an interesting question, which the students might enjoy discussing. The point here is this – would having the chip implanted be worth it for just the duration of the vacation?
Or, might the person be able to take advantage of this technology in his or her home environment? This would probably be a key question. However, some individuals would have the chip implanted strictly for the novelty even if it were useful only on vacation.



Chapter 8 Accounting Information Systems and Business Processes: Part II Discussion Questions 8-1. Four data items that both payroll and personnel functions would use are: employee number (or SSN), employee name, department, and title. Personnel data would also include data such as date hired, date of birth, and contact and family data. Payroll data would include pay rate, job code, and information about deductions. 8-2. Accounting transactions for payroll processing involve essentially the same steps for each employee. Gross pay, deductions, and net pay must all be calculated. These calculations involve a lot of basic math (e.g., footing and cross-footing). Outside service bureaus may be less expensive for payroll processing. They may also offer some advantages in terms of confidentiality. 8-3. Data items likely to be added when inputting a new raw materials inventory item include: merchandise number, description, quantity measure (e.g., yard, pound, pair, etc.), vendor, and cost. When a worker records time spent on a production line, data to be input include: worker identification number, time started and stopped, department to be charged, and rate. In both these examples, there are other data items that an AIS may capture, depending on the nature of the reports to be output. 8-4. Nonfinancial information that an AIS might capture about a manufacturing firm’s production process would primarily consist of information that would help in evaluating productivity and performance. For example, information needed for control would be the amount of wasted materials and machine downtime. Productivity information would relate to the amount of time needed to produce a product or each product component. AISs tend to focus on dollar measurements, but in many cases, measurements of quantities are equally important to a business organization. 8-5. The basic concepts are a commitment to eliminate waste, simplify procedures and speed up production. 
There are five areas that drive lean manufacturing, and they are cost, quality, delivery, safety, and morale. Non-value added activities (waste) are eliminated through continuous improvement efforts (http://www.1000ventures.com/business_guide/lean_production_main.html). The concepts that are at the heart of lean production/manufacturing are total quality management and continuous improvement. 8-6. AIM Industries, a metal stamping company, located in Grand Haven, MI has been in business for over 40 years. Jeanne Duthler had 10 employees when she bought the plant in 1984. Now there are 37, and last year’s sales were $5 million. The company is doing the same numbers dollar wise as they did last year, but showing more profit as a result of lean manufacturing. For 2007, the company expected to increase profitability by 10%. Lean practices at AIM include:
• Consolidating production steps
• Having raw materials set up at hand to save time and increase productivity
• Moving presses to make production flow smoother
• Finishing a product in one space rather than walking to another room for finishing



For more examples, see Karen Kroll, “The Lowdown on Lean Accounting,” The Journal of Accountancy (July 2004), pp. 69-76. 8-7. For examples, see Karen Kroll, “The Lowdown on Lean Accounting,” The Journal of Accountancy (July 2004), pp. 69-76. 8-8. Both homebuilders and cement companies have information needs related to their manufacturing processes. The primary difference between these two companies concerns the need to maintain a job order versus a process costing system. The homebuilder is likely to track many costs for each individual house built. The cement company will use an AIS that uses input and output data to calculate costs for specific quantities. This distinction is likely to impact the type of accounting software a company chooses. Some software packages are specially designed for either job order or process costing manufacturing environments. 8-9. This chapter discussed AISs for the professional services, health care, and not-for-profit industries. Some students feel that “the absence of merchandise inventory” is the unique characteristic of service organizations that causes the greatest problem in their AISs (i.e., budget forecasting of “returns-on-assets employed” can be difficult). However, the greatest problem may be the difficulty in measuring the quantity and quality of output, which gives rise to difficulties in budgetary planning activities, as well as developing preestablished operational quality goals for its intangible products. These difficulties can cause various negligence suits against service organizations. Other vertical market industries include insurance, banking, construction, manufacturing, retail, hospitality, and government organizations. Each is somewhat unique in its AIS needs. Insurance has many special issues including co-insurance. The insurance industry is quite diverse and various kinds of insurers need a variety of accounting information. An important issue for the insurance industry is fraud. 
The banking industry must deal with check clearing, credit ratings and credit histories, as well as information about financial markets. The construction industry is concerned with projects and has a need for job cost accounting systems and bidding capabilities. Retailers use POS (point-of-sale) systems to collect a variety of data helpful in analyzing sales. Manufacturing systems need inventory control systems that allow them to efficiently manage a variety of inventories. These systems may be quite sophisticated and can include MRP II and/or ERP capabilities (input technologies might also be used, such as RFIDs and bar codes). The hospitality industry includes restaurants and hotels and so its information systems vary. Restaurants are concerned with monitoring costs and perishable inventories. Hotels need sophisticated reservation systems that can handle various billing rates. AISs for government entities are built around fund accounting and must comply with governmental accounting standards. These are just a few of the issues you might discuss relative to these industries. 8-10. To ensure that a business reengineering effort is successful, managers will want to “champion” the effort. This means obtaining a buy in from employees and showing unwavering commitment and enthusiasm for the project. Honesty is important because many workers equate reengineering with downsizing. Managers should be realistic about jobs that may be lost and should prepare to retrain workers or provide career counseling to affected employees. Management should be conservative in estimating the benefits to accrue from reengineering efforts, as well as the costs that may be incurred. The cost of reengineering can be high. Several good reference articles on this topic are: “Change Champions,” J. Berk, The Internal Auditor, April 2006, pp.64-68.



“Get Ready: The Rules are Changing,” K. Melymuka, Computerworld, June 13, 2005, p. 38. “Are Companies Really Ready for Stretch Targets?” C. Chen and K. Jones, Management Accounting Quarterly, Summer 2005, pp.10-18.

Problems 8-11. This question requires students to do some outside research. It is useful for students since it helps them to understand how industries vary in their accounting information needs. Students might be randomly assigned to investigate health care, insurance, banking, construction, manufacturing, retail, professional service, hospitality, not-for-profit, or government organizations. Each of these organizations has very specialized AIS needs. Students may find that accounting systems for these organizations consist of generic accounting software, supplemented by spreadsheets and databases. They may also learn that many of the organizations use very specific programs. For instance, a student who looks at catering firms might learn about catering software and its special complexities. Students can be sent to doctor's offices, retail stores, restaurants, and so on to interview employees about the accounting software used. There are many sources of information about vertical market software programs, including personal interviews and accounting magazines/journals. Students might also use an Internet search engine, such as Yahoo or Google, to find sites for many accounting software programs. Using the terms “construction software,” “health software,” and “retail software,” students will find many specialized software vendors. You may want to ask students to print web pages for specific vendors, or to do some analysis of the special features associated with software for each industry. For example, the following web sites offer information on software for dentists to manage their practice: http://www.dentrix.com http://gbsystems.com/os96i.htm http://www.dentalexec.com/dental-exec 8-12. As you might imagine there are a wide variety of choices that students might identify for this problem. 
The important point to make with the students is that the solution should match the company size, needs, and other factors that the supervisor “should” identify before the search is conducted. However, the following are a representative sampling of the choices available:

ADP Payroll Software for Microsoft Office Small Business Accounting (http://www.microsoft.com/smallbusiness/products/office/accounting/payroll-software.mspx)

ZPay Payroll Systems offers technical support, tutorials, and a free 30-day trial (http://www.zpay.com/)

PenSoft Payroll Solutions is designed for small to mid-sized businesses, and can process virtually any payroll and related tax requirements. (http://www.pensoft.com/aboutus.asp)

8-13. Again, there are a wide variety of choices that students might identify to help CEOs and CFOs deal with the compliance requirements of the Sarbanes-Oxley Act, specifically the Section 302 and Section 404 reviews. Many business process management solutions are already available to managers. The following web sites offer information on this type of BPM software: http://www.longview.com http://www.approva.net/products


8-14. An automated time and billing system could help this firm in several ways. First, by investing in an in-house time and billing software, it may be possible to significantly reduce the expense associated with the outside accountant. Since this type of software may be integrated with a complete AIS, the outside accountant would not need to compile financial statements. The system would do this automatically. Another way the automated time and billing system would help is by capturing more detail. A manual system cannot keep track of so many items without becoming unwieldy. The automated system can keep track of specific charges by customer and therefore reduce overhead to be allocated. With an automated system, many indirect costs may become direct costs. For instance, secretarial work, phone expenses, and copying may all be directly related to a particular client. An automated system will be able to analyze data in many different ways. Each lawyer's billable hours can be computed and compared for various periods, for example. Productivity reports and reports highlighting budget overruns can be produced easily with an automated system. What an automated system cannot do is to force lawyers to record their activities on a timely basis. This is frequently a problem in professional service firms. Some organizations resolve the problem by holding up paychecks until time sheets are filled out completely and accurately. Other solutions lie in technology that makes it easier for professionals to record their time or automatically records the time for individuals. Lawyers who use computers may record time spent on a client's work in the following way. Every time the lawyer logs into a particular file, software can keep track of the time the file is in use. Alternatively, a professional might keep track of time in an on-line organizer. 
As the individual begins work on a particular client's file, he or she might enter the time in the organizer and then enter the time when finished. Online time sheets work the same way. By assigning a special code to a customer that is used when copying, the amount spent for copying can be captured directly. Special codes entered into the telephone can help record phone charges, particularly long distance charges. Use of customer codes when special mail services are necessary, such as Federal Express, also allows for tracking expenses directly. Software: A number of companies offer this type of software, such as QuickBooks (http://quickbooks.intuit.com) and Imagine Time (http://www.imaginetime.com). Features include: Time & billing (tracks billable time; some programs create reports for individual billing; stopwatch feature accurately times tasks; billable time can be recorded on an hourly, contingent, transactional, or user defined fee rate individually or firm-wide); due date monitor; calendar/contacts; integrated scheduling; client relations manager; credit card processing; and others.



Case Studies

Hammaker Manufacturing I (AIS for New Manufacturing Firm)

1. Many companies are turning to an AIS or ERP to help them better manage inventory. Automated systems are able to react faster than manual ones. An AIS may place automatic orders when inventories fall below specified levels. Use of e-business or EDI can also help as electronic orders are faster than the ones that rely on phone or mail systems. Data analysis and logistics tools can help to manage inventories by considering variables such as lead times, delivery schedules, routing, safety stocks, and others.

2. There are many data elements that the system may include about inventory items. Vendor, delivery time, safety stock, lead times, and average order size are a few of them. As an example of the complexity of configuring a system to manage inventories, consider McDonald’s distributors. McDonald’s has nine distributors and hundreds of suppliers. They need frozen foods and other perishable food items, in addition to restaurant supplies. They must estimate inventory needs with very tight windows. Further, they need to take into account items such as promotions (remember when McDonald’s ran out of beanie babies?). Delivery times can be very tight. For example, a store may want frozen goods delivered each Tuesday between noon and 12:30 p.m. – leaving only a ½ hour window. As it happens, McDonald’s distributors use JD Edwards software. The software had to be customized to allow for different fields when suppliers used EDI versus manual orders, among other data items needed to accommodate the special needs of this particular business.

Hammaker Manufacturing II (Business Process Reengineering or Outsource)

1. Students might select any of the documentation tools identified in Chapter 3 (flowcharts, process maps, or one of the graphical tools such as CASE tools). Most likely, HMC would work on the manufacturing processes – or they might limit their efforts to the inventory process first. By restructuring the manufacturing process or by looking into just-in-time inventory purchasing, the company might be able to save money and jobs.

2. Students might locate a variety of sources that list reasons for outsourcing. The Introduction section of Part Two of the textbook identifies several reasons: global pressures to cut costs, to reduce capital expenditures, and to become as efficient as possible at core competencies. Additional reasons that different companies might use are:

• To access resources that are not available within the company (people, capacity, technology)
   a. To access innovative ideas, solutions, expertise of individuals
   b. To provide flexibility to meet changing volume requirements – to increase or decrease capacity as needed
   c. To access plant and equipment without the time and cost of building
   d. To gain quick access to new process, production, or information systems technology (perhaps too costly or unproven so company is not ready to buy it yet – if at all)
• To improve speed-to-market of products
• To accelerate reengineering benefits
• To share risks
• To take advantage of offshore capabilities (human capital, lower cost)
• To better manage difficult or non-core processes and functions
• To enjoy economies of scale (vendor can accomplish process on much larger scale)


Some believe that investors want companies to expense context work (anything that is not considered a core process of the firm) rather than invest in it. That is, investors would rather see it on the income statement than the balance sheet, which in effect would free up resources (employees) to focus on the processes that generate revenue, and increase share value. For example, if we outsource the accounting function, then we might be able to better use the talents of the staff accountants in analyzing other business opportunities, analyzing and improving business processes, etc. So we could use our human capital in endeavors more directly related to our core processes. Hammaker might consider a number of these reasons to decide to outsource. Of course, the first question is: What process (or processes) might Dick want to outsource? Denise does not know the answer to this question, so the company should study the various processes discussed in Chapters 4 and 5 to make this determination. Since frequently outsourced processes are human resources, finance and accounting, customer services, learning services and training, janitorial services, and information technology, these should probably be examined first. Once one or several of these processes have been identified as possible candidates for outsourcing, we would then ask: Which of these processes are core to our business? Of course, in the effort to examine each of these processes, Dick might want his employees to determine where efficiencies may be realized through Business Process Reengineering.

3. We would probably all agree that producing automotive parts is a core business process for Hammaker. It’s the primary thing the company does. It’s what the company does to generate revenue. It’s also whatever you do to differentiate your company’s products from your competitors’ products.

4. The answer is yes, businesses do sometimes outsource what we would call core processes. A number of examples may be cited here. Probably the best known example is Nike. This sneaker company doesn’t manufacture any sneakers. The entire production process has been outsourced. Insurance companies are another example. Several of their core business processes are risk management, information services, underwriting, claims administration, and customer service. Both customer service and underwriting are processes that are now outsourced by some insurance companies. Why would companies outsource a core process? There is no one answer for every situation, but most likely firms would do this for the same reasons cited above in the answer to requirement #2. Sometimes this becomes a strategic alliance with another company (or companies) so that the company that does the outsourcing can focus on other products or on other services to generate revenue.

5. Most likely any business decision that displaces employees will have social and legal implications. Socially responsible organizations are typically admired by the community and the marketplace, so developing options for the displaced workers is always an important consideration. If the employee’s job is deleted, what other jobs might the person do for Hammaker? Is training required? What if there are no employment choices? Should Hammaker offer transition-assistance packages to those employees to help them find jobs at other firms? At what cost? These are all important questions that should be asked. Regarding legal implications, we need to know if the company employees are represented by a union. We might have restrictions that are in contracts with the union that would limit what options we can and cannot exercise. In this case, we know that Hammaker Manufacturing is not limited by any union contracts. The company might have other contractual obligations that it needs to honor. For example, is there a mortgage on the manufacturing complex or is there a long-term lease? The lease contract might have certain penalties for breaking the contract if the facilities are no longer needed.

6. This is certainly a case that has many facets and interesting possibilities. Unfortunately, we don’t really have enough information at this point to make an informed recommendation, but many intriguing clues may be found in the case to suggest that some sort of outsourcing would be advantageous to Hammaker.

Hammaker Manufacturing III (Lean Production/Lean Accounting)

1. To adopt lean production, HMC would probably want to focus on the five principles of lean thinking that are identified in an article in Strategic Finance, May 2007 (How do your measurements stack up to lean? By Kennedy et al.). These include:

• Customer Value: Lean enterprises continually redefine value from a customer’s standpoint. This means that HMC would need to get feedback from their customers.
• Value Stream: The lean enterprise is organized in value streams. This means that HMC would need to rethink how they collect data for decision making.
• Flow and Pull: In a lean enterprise the customer order triggers or pulls production. This might represent the biggest change in philosophy for HMC – which would be a change from stockpiling inventory to more of a JIT philosophy.
• Empowerment: Lean enterprises’ employees are empowered with the authority to interpret information and to take necessary actions.
• Perfection: Lean enterprises seek perfection, defined as 100% quality flowing in an unbroken flow at the pull of the customer. HMC is already committed to quality products so this does not represent a change from current thinking.

2. Firms that implement lean production concepts typically benefit in the following ways:

• Waste reduction
• Production cost reduction
• Labor reduction
• Inventory reduction
• Production capacity increase
• Employee involvement and empowerment (multi-skilled workforce)
• Higher quality products
• More information: http://www.1000ventures.com/presentations/production_systems.html

3. Denise and her financial analysts might gain the following benefits from attending a Lean Accounting Summit:

• Perhaps the most important benefit is the ability to network with professionals at other organizations who have already implemented lean production concepts to gain insights from their efforts – i.e., lessons learned from those who have already worked with these concepts
• Learn cutting-edge thoughts and ideas
• Discover helpful software packages and accounting methods that support lean production
• Identify some best practices from companies currently using lean production concepts
• Identify companies to benchmark these concepts


Chapter 9 Introduction to Internal Control Systems Discussion Questions 9-1. The primary provisions for the 1992 COSO Report and the 2004 Report are outlined in Figure 9-1. 9-2. The primary provisions of the original version of COBIT, as well as the current version (5), are outlined in Figure 9-1. 9-3. COSO stands for Committee of Sponsoring Organizations, which was established by the Treadway Commission to work on a common definition for internal control. COBIT stands for Control Objectives for Information and Related Technology. It was a project undertaken by the Information Systems Audit and Control Foundation that involved an extensive examination of the internal control area. An important role played by COSO in the internal control area was to come up with a definition of internal control along with a description of five interrelated components (control environment, risk assessment, control activities, information and communication, and monitoring) that should be included within an internal control system. Regarding COBIT and its role in the internal control area, COBIT adapted its definition of internal control based on the COSO report. COBIT (as well as COSO) emphasizes that people at every level of an organization are a very important part of the organization’s internal control system. COSO is an important framework that management of organizations might use to help ensure that they have effective corporate governance. This is the case because the COSO framework presents criteria to evaluate an organization’s internal control systems. According to SOX, Section 404, management must now document the effectiveness of their internal controls and then issue a report that accompanies the company’s annual report. Similarly, COBIT is used by managers to ensure effective IT governance. 9-4. The control environment establishes the tone of a company, influencing the control awareness of the company’s employees. 
It is the foundation for all the other internal control components. Risk assessment recognizes the fact that every organization faces risks to its success and that risks which appear to affect the accomplishment of a company’s goals should be identified, analyzed, and acted upon. Control activities reflect the policies and procedures that help ensure that management directives are carried out. Regarding information and communication, the former refers to the accounting system, which includes the methods and records used to record, process, summarize, and report a company’s transactions as well as maintain accountability for the company’s assets, liabilities, and equity. The latter, communication, refers to providing a company’s personnel with an understanding of their roles and responsibilities in regard to internal control over financial reporting. Finally, monitoring is the process that assesses the quality of internal control performance over time. Performance reports prepared on a timely basis contribute to the monitoring component of an internal control system. Concerning which component is the most important, this is a matter of opinion. Most students indicate that the control environment is the most important component of an internal control system because, as mentioned in the textbook, it is the foundation for all the other internal control components, providing discipline and structure.

9-5. Accountants should be concerned that their organization’s financial resources are protected from activities such as loss, waste, or theft. To protect organizational assets, an internal control system must be developed and implemented within a company’s AIS as well as within other parts of the company’s system. In addition to safeguarding assets, an efficient and effective internal control system should also:

1) Check the accuracy and reliability of accounting data
2) Promote operational efficiency
3) Encourage adherence to prescribed managerial policies.

Accountants should be concerned that all of these objectives are accomplished by their organization’s internal control system.

9-6. Preventive control procedures are designed and implemented before an activity is performed to prevent some potential problem (e.g., the inaccurate handling of cash receipts) from occurring that relates to the activity. Detective control procedures are designed and implemented to provide feedback to management regarding whether or not operational efficiency and adherence to prescribed managerial policies have been achieved. In other words, preventive controls should be developed prior to operating activities taking place and detective controls should be developed to evaluate if operating efficiency and adherence to policies of management have occurred after operating activities have taken place. Corrective control procedures come into play based on the findings from the detective control procedures.
That is, through detective controls, corrective control procedures should be developed to identify the cause of an organization’s problem, correct any difficulties or errors resulting from the problem, and modify the organization’s processing system so that future occurrences of the problem will hopefully be eliminated or at least minimized. Examples of each type of control are as follows:

Preventive: scenario planning, risk management, segregation of duties, controlling access to assets
Detective: duplicate check of calculations, bank reconciliations, monthly trial balances
Corrective: backup copies of transactions and master files, training personnel to perform their jobs

9-7. Competent employees are definitely important to an organization's internal control system because employees will be working continually with the organization's various asset resources. The employees will be, for example, handling cash, acquiring and disbursing inventory, and operating expensive production equipment. If the organization has incompetent employees, there is a strong likelihood that inefficient use of the firm's asset resources will result. This inefficiency will lead to overall operating inefficiency within the organization, thereby preventing the adherence to management's prescribed policies.

9-8. The “separation of duties” element of an organization’s internal control system means that, for instance, employees who are given responsibility for the physical custody of specific company assets (e.g., handling cash or inventory) should not also be given responsibility for the record-keeping functions relating to the assets (e.g., recording cash or inventory transactions in the company's journals and ledgers). Otherwise, an employee could misappropriate company assets and then attempt to conceal this fraud by falsifying the accounting records.



Through the separation of duties, one employee acts as a check on the work of another employee. Thus, if an employee attempts to embezzle cash from a customer payment, but does not have access to the accounts receivable subsidiary ledger to cover up this theft, he or she would likely be detected. The other employee who performs the record-keeping activities for accounts receivable would not have recorded the customer's payment since it was embezzled by the employee handling cash. Consequently, the customer would complain to the company upon receiving a subsequent billing statement which would not reflect his or her recent payment. Upon investigating this complaint, the dishonest employee would likely be caught. It should be noted, however, that through collusion among the employees handling assets and recording assets, irregularities are usually not detected as quickly as when individuals work alone (as described earlier). In addition to detecting irregularities, separation of duties can also be helpful in detecting accidental errors. If the same employee performs all accounting functions related to a specific activity (e.g., handling inventory items and recording the inventory transactions), an accidental human error by this employee, such as incorrectly recording an inventory transaction, may not be detected. However, with two or more employees handling the accounting functions relating to a specific activity, an accidental human error made by one employee should be detected by another employee involved with the same activity. 9-9. Many organizations have a large volume of cash disbursement transactions. In order to detect any errors and irregularities relating to cash disbursements, a good audit trail for cash issuances is essential. If an organization uses both a voucher system and prenumbered checks for cash disbursement transactions, its audit trail of cash outlays can easily be traced. 
The use of prenumbered checks for making authorized cash disbursements enables a company to maintain accountability over its issued checks and its unissued checks. After the issued checks clear the bank in a particular month and are returned to the organization with the monthly bank statement, these checks represent evidence of the actual cash disbursements that were made. Two advantages of employing a voucher system along with prenumbered checks are (1) the number of cash disbursement checks that are written is reduced, since several invoices to the same vendor can be included on one disbursement voucher, and (2) the disbursement voucher is an internally generated document; thus, each voucher can be prenumbered to simplify the tracking of all payables, thereby contributing to an effective audit trail over cash disbursements. Sometimes, prenumbered checks are not efficient for an organization to use. For example, for expenditures of small dollar amounts (e.g., spending a few dollars to have the company president's car washed) cash payment might be a better choice. Because of the time and effort involved in processing checks, it is normally more efficient to use a petty cash fund for making various small, miscellaneous expenditures. However, to exercise good internal control over the petty cash fund's use, one employee (called the petty cash custodian) should be given the responsibility for handling petty cash transactions. 9-10. Under the cost-benefit concept, an analysis is performed on each potential control procedure (i.e., compare the expected costs of designing, implementing, and operating each control to its expected benefits). Only those controls whose benefits are expected to be greater than, or at least equal to, the expected costs should be implemented into the company’s system. Cost-effective controls are those whose anticipated benefits exceed their anticipated costs.



Ideal control procedures (i.e., those that would reduce the risk to practically zero of any undetected errors and irregularities occurring) may be impractical for a company because the expected costs may be larger than their expected benefits. The implementation of controls whose costs are expected to exceed the controls’ benefits would not contribute to a company’s overall operating efficiency. In these cases, control procedures which are less than ideal for detecting errors and irregularities (but whose expected benefits exceed the expected costs) should be implemented within the company’s internal control system.

From the standpoint of evaluating a company’s internal control system, a performance report is a type of report that provides information to management on how efficiently and effectively its company’s internal controls are functioning. Based on accurately prepared performance reports, management receives feedback on the success or failure of the previously implemented package of internal controls. The preparation of a performance report is a detective control procedure. Performance reports should be an essential element within a company’s internal control system because they are the major means of communicating to management regarding the actual operations of the company’s internal control systems. For specific controls that are not operating the way they were originally planned, as indicated by a performance report, management can then take action to correct identified problems. Timely information to managers, regarding internal control problems, is critical so that managers can initiate action to correct the problems. Thus, performance reports should be prepared on a timely basis in order that a minimum period elapses between the occurrence of operational problems with certain controls and the feedback to management on these poorly functioning controls.

9-11.
Discussion question 9-5 identifies a number of reasons why accountants are so concerned about their organizations’ internal control systems. However, the managers of these organizations are particularly concerned about the effectiveness and efficiency of internal controls due to the SOX legislation. Under Section 302 of this legislation, the CEO and CFO are legally responsible for establishing and maintaining internal controls in the organization. In addition, they must have evaluated the effectiveness of the company’s internal controls and submitted their report to the external auditors, who evaluate the sufficiency of those internal controls. Further, when we talk about the control environment of an organization, we know that management’s support of a strong internal control system is critical. 9-12. COSO’s 2008 Guidance on Monitoring Internal Control Systems (COSO’s Monitoring Guidance) was developed to clarify the monitoring component of internal control. It does not replace the guidance first issued in the COSO Framework or in COSO’s 2006 Internal Control over Financial Reporting — Guidance for Smaller Public Companies (COSO’s 2006 Guidance). Rather, it expounds on the basic principles contained in both documents, guiding organizations in implementing effective and efficient monitoring. To read the entire document “Guidance on Monitoring Internal Control Systems”, go to this site: http://www.coso.org/documents/COSO_Guidance_On_Monitoring_Intro_online1.pdf



Problems 9-13. Weaknesses and Recommended Improvements

1. Weakness: Raw materials may be removed from the storeroom upon oral authorization from one of the production foremen.
   Recommended improvement: Raw materials should be removed from the storeroom only upon written authorization from an authorized production foreman. The authorization forms should be prenumbered and accounted for, list quantities and job or production number, and be signed and dated.

2. Weakness: Alden's practice of monthly physical inventory counts does not compensate for the lack of a perpetual inventory system. Quantities on hand at the end of one month may not be sufficient to last until the next month's count. If the company has taken this into account in establishing reorder levels, then it is carrying too large an investment in inventory.
   Recommended improvement: A perpetual inventory system should be established under the control of someone other than the storekeepers. The system should include quantities and values for each item of raw material. Total inventory value per the perpetual records should be compared with the general ledger at reasonable intervals. When physical counts are taken, they too should be compared to the perpetual records. Where differences occur, they should be investigated, and if the perpetual records are in error, they should be adjusted. Also, controls should be established over obsolescence of stored materials.

3. Weakness: Raw materials are purchased at a predetermined reorder level and in predetermined quantities. Since production levels may often vary during the year, quantities ordered may be either too small or too great for the current production demands.
   Recommended improvement: Requests for purchases of raw materials should come from the production department management and be based on production schedules and quantities on hand per the perpetual records.

4. Weakness: The accounts payable clerk handles both the purchasing function and payment of invoices. This is not a satisfactory separation of duties.
   Recommended improvement: The purchasing function should be centralized in a separate department. Prenumbered purchase orders should originate from and be controlled by this department. A copy of the purchase order should be sent to the storeroom clerks. Consideration should be given as to whether the storeroom clerks’ copy should show quantities.

5. Weakness: Raw materials are always purchased from the same vendor.
   Recommended improvement: The purchasing department should be required to obtain competitive bids on all purchases over a specified amount.

6. Weakness: There is no receiving department or receiving report. For proper separation of duties, the individuals responsible for receiving should be separate from the storeroom clerks.
   Recommended improvement: A receiving department should be established. Personnel in this department should count or weigh all goods received and prepare prenumbered receiving reports. These reports should be signed, dated, and controlled. Copies should be sent to the accounting department, purchasing department, and storeroom.

7. Weakness: There is no inspection department. Since high cost electronic components are usually required to meet certain specifications, they should be tested for these requirements when received.
   Recommended improvement: An inspection department should be established to inspect goods as they are received. Prenumbered inspection reports should be prepared and accounted for. Copies of these reports should be sent to the accounting department.

9-14. a. The separation of duties is meant to safeguard assets; in this case, cash receipts. b. Signature plates are used to authenticate checks. Keeping them secure is a means of preventing their unauthorized use. c. Matching the vendor invoice with a receiving report (or similar document) ensures payment for goods or services actually received. d. Separating these functions helps ensure payment only for legitimate obligations of the organization. e. This procedure would help ensure that disbursements are made only for authorized purchases. f. Prenumbered documents have to be securely stored if this preventive control is to be effective. g. Using an imprest or special account for payroll limits the loss due to incorrectly printed checks associated with each period’s total payroll. h. Separation of functions prevents one person from diverting cash assets and subsequently concealing the wrongdoing. i. Check protectors use a number of methods which make it difficult to successfully change the check amount. j. Both the surprise counts and the knowledge of their likelihood deter the unauthorized use of cash. k. Approved vendor lists help prevent unauthorized purchases (irregularities or embezzlement of assets). l. Such separation of duties helps prevent unauthorized purchases. 9-15. a) As a member of the company’s management, you would hopefully reject the control recommendations. Specific internal controls should not be implemented into a company’s system unless the anticipated benefits from the controls are expected to exceed the anticipated costs of the controls. In the case of Sandra’s recommendations, it is obvious that the costs to operate these suggested controls would exceed the benefits from having the controls. The maximum monthly benefit from Sandra’s recommended controls would be the $350 estimated monthly loss that could be eliminated; however, to achieve this benefit, a separate room for storing supplies would have to be used and an employee would have to

be assigned the full-time job of supervising the issuance of supplies. The costs of using a separate room and having an employee work full-time in handling office supplies would definitely be much greater than the $350 estimated monthly loss that could be eliminated. A couple of possible control procedures that the company might wish to implement to reduce the monthly loss from employee theft of office supplies are mentioned below.

b) Rather than storing the supplies on shelves at the back of the office facility whereby employees have easy access to these supplies, they could be locked in a cabinet. An authorized company employee (such as a secretary) would be given the responsibility for issuing supplies when requested by various employees. The authorized employee in charge of the supplies would have this new job responsibility along with his or her existing job responsibilities. When an individual needs office supplies, he or she would go to the authorized employee's desk and indicate the request. The employee in charge of supplies would then unlock the cabinet and issue the requested supplies. The person receiving the supplies would have to sign a supplies-received voucher, which serves as evidence of the specific supplies issued. Another suggestion might be to use a separate room for storing the supplies (as suggested by Sandra). This room would be kept locked throughout the day except for possibly one hour each day. Company employees would be made aware of the specific time every day during which the supply room is open. As a result of this procedure, an employee would not be used full-time in issuing the supplies. Rather, the employee assigned the responsibility for supervising the issuance of supplies could still perform his or her other job functions throughout the day. Approximately one hour each day away from his or her other job functions would be required to issue office supplies. As in the preceding suggestion, each person receiving supplies would have to sign a supplies-received voucher.

9-16. 1.

Most students believe that Ron Mitchell’s method of stealing cash receipts will be detected by the movie theater's manager assuming that the manager uses a few internal control procedures. First, the tickets issued by Ron to theater patrons should be prenumbered and controlled by the manager. At the beginning of Ron's work shift, he should be made accountable for a specific quantity of prenumbered tickets and not have access to any other tickets. At the end of Ron's work shift, the manager should count the total number of ticket-halves that he has accumulated from customers who have entered the theater. From multiplying the selling price per ticket by the number of ticket-halves in his possession, the manager can determine the total cash receipts that should have been collected by Ron. If there is more than one price for tickets, such as children prices and adult prices, the differently priced-tickets can be color-coded to enable the manager to compute the total cash receipts that should have been collected. The manager can then count the total actual cash that Ron collected during his work shift. (Of course, the amount of change fund that Ron was provided at the start of his shift should be subtracted from his total cash.) Through this procedure, the manager can determine if the actual cash receipts collected by Ron are equal to the cash receipts that should have been collected (based on the manager's accumulated ticket-halves). The cash receipts that were pocketed by Ron should thus be detected, since the manager's count of actual cash receipts would fall short of the cash receipts that should have been collected.



2. An additional control procedure that the theater manager may want to implement is to periodically observe Ron while he is performing his work functions. This procedure should take place without Ron being aware that he is being observed. If, as a result of observing Ron's work activities, the manager is suspicious of irregular acts, he can watch Ron even closer until his suspicions are fully confirmed. 9-17. a. Cost-benefit analysis:

                                                            Without Control Procedure   With Control Procedure   Net Expected Difference
Cost of reproducing production cost data                    $12,000                     $12,000
Risk of data errors                                         16%                         2%
Reprocessing cost expected ($12,000 * risk)                 $1,920                      $240                     $1,680
Cost of validation control procedure (an incremental cost)  $0                          $800                     ($800)
Net estimated benefit from validation control procedure                                                          $880

b. Management should implement the data validation control procedure because of the $880 net estimated benefit that is projected with this procedure.

Case Studies Gayton Menswear (Risk Assessment and Control Procedures) 1. (a) The risk is that merchandise is stolen. (b) Shoplifting is a very large problem for retailers. There should be better inventory controls. These might include closed circuit cameras, tags that are removed at the end of the sales process, and security personnel. 2. (a) The risk is that stolen merchandise (perhaps at the same two stores in point #4) is being returned for cash. (b) Returns should require a sales receipt. The store may also consider a policy of allowing returns for merchandise credit only. 3. (a) The risk is that the store is losing income. (b) Either revenues are down or cost of sales has increased. Management needs to inspect these numbers closely to see where the problem lies. At least part of it could be attributable to poor inventory control. 4. (a) The risk is that cash was not deposited. (b) This can easily be controlled by requiring daily reconciliations by an employee not involved in receiving or depositing cash.



5. (a) The risk is that cash was not collected from customers. (b) The employee should be reprimanded. Either all checks or checks exceeding a specific dollar amount should be approved by someone other than the salesperson. 6. (a) The risk is that petty cash was pilfered. (b) There should be a custodian over petty cash who has sole responsibility for it. The custodian should never disburse cash without obtaining a receipt.

Emerson Department Store (Control Suggestions to Strengthen Payroll System) 1. The use of currency rather than checks for paying employees makes it essential that effective separation of duties exist in both the payroll preparation and the payroll distribution functions. Regarding payroll preparation, Morris is responsible for submitting payroll information to the computer center for data processing. Therefore, Morris should not be involved in the work of placing currency in each employee's pay envelope. Another company accountant and a secretary could perform this function. Also, the individuals responsible for placing currency in employees pay envelopes should be provided with the exact amount of currency necessary to cover the total net pay for all employees. Using the information from the payroll register, each employee's gross wages, individual deductions, and net pay should be printed on the outside of the employee's pay envelope. This information could be prepared by the computer in the form of an individual printed label for each employee, which would then be affixed to the employee's envelope. The two employees would then insert in each wage earner's envelope the correct amount of currency. Regarding payroll distribution, the completed pay envelopes should not be given to the department managers for distribution to their employees because these managers are involved in the payroll record-keeping functions (e.g., the managers submit their employees’ time cards to Morris). Rather, an individual who has no other payroll related duties should be designated as paymaster and be responsible for distributing pay envelopes. At preestablished times on Monday afternoon, pay envelopes should be distributed to the employees from a central payroll window. The employees would line up at this window and upon each employee showing proper identification (such as a driver's license or social security card), he or she would be issued a pay envelope by the paymaster. 
The employee should also be required to count immediately his or her currency within the envelope and then sign his or her name on the payroll register. The employee's signature verifies that he or she received the correct amount of currency in the pay envelope. Any unclaimed pay envelopes should be returned to the accounting department and should be locked in the company safe until the employees come in person and sign for their envelopes. Regarding all company employees involved in the payroll process, a further control would be to have fidelity bond coverage for these employees. 2. Now that management is willing to change from cash payroll disbursements, students will recommend that checks or direct deposit are better alternatives. Other arguments for these options are: • Freeing up the payroll employees from inserting cash into 500 envelopes every week saving valuable time

• When the information is sent to the computing center, that department can write the checks and stubs
• Use an imprest account for payroll
• Continue to have employees come to the payroll office to pick up their wages
• Continue to put unclaimed checks in the safe
• Continue to use separation of duties



Chapter 10 Computer Controls For Organizations And Accounting Information Systems Discussion Questions 10-1. A security policy is a comprehensive plan that helps protect the organization from internal and external threats. More and more organizations have become dependent on networks (of all sorts) to conduct business, share data, and communicate with suppliers, customers, business partners, and employees who are traveling or working at home. As a result, more proprietary data and organizational information must be accessible to a wide variety of individuals. However, very real risks are present and more prevalent than ever before. Firms are realizing that the traditional approach to security is not efficient or sufficient. That is, even if a firm has several products, they are usually not integrated and do not work together. The result is that integrated security has emerged as the most useful plan to protect the firm. By adopting a comprehensive, holistic strategy that addresses network security at the gateway, server, and client tiers, organizations may be able to reduce costs, improve manageability, enhance performance, tighten security, and reduce the risk of exposure (enterprisesecurity.symantec.com, article ID 1128). This article claims that the following key security technologies can be integrated to more efficiently protect the firm against a variety of threats at each tier to minimize the effects of network attacks: firewalls, intrusion detection, content filtering, virtual private networks, vulnerability management, and virus protection. In general, integrated security is getting a lot more attention in the business press and in technical journals. The reason is obvious – companies are more aware than ever before that security breaches can be very costly! 
As a result, organizations are becoming more attentive to such precautions as: physical security of computers and networks (access controls), authentication procedures for access to applications and data, and encryption procedures. 10-2. The concept of convergence of physical and logical security means that an organization has integrated these two forms of security. Thus, incidents that might individually go unnoticed do not go undetected when they are combined. Referring again to Figure 10-3 in the textbook, we can see how the combination of these two forms of security can make an organization less vulnerable to embezzlement or fraud. 10-3. To help organizations comply with SOX and the PCAOB requirements, the IT Governance Institute (ITGI) issued “IT Control Objectives for Sarbanes-Oxley” in April 2004. Neither the SOX legislation, nor PCAOB Standards No. 2 or No.5, includes detailed guidance for organizations. The ITGI publication provides that detail by starting with the IT controls from COBIT and linking those to the IT general control categories in the PCAOB standard, and then the control objectives are linked to the COSO framework. As we discussed in Chapter 9, COBIT is an IT governance framework that provides company-level objectives and controls around those objectives, as well as activity-level objectives and controls. Thus, it may be used effectively by managers at all levels of the firm. It is important to remind students that COBIT identifies controls that may be used for both operational and compliance objectives. The ITGI document only focuses on controls that support financial reporting.



10-4. First, we should probably define a Local Area Network (LAN). A LAN is where you have a number of computers that are geographically close together – usually in the same building or a group of buildings. However, one LAN can be connected to other LANs over any distance via telephone lines and radio waves (which is then called a Wide Area Network or WAN). LANs are capable of transmitting data at very fast rates, much faster than data can be transmitted over a telephone line; but the distances are limited, and there is also a limit on the number of computers that can be attached to a single LAN. Probably the primary difference between a wireless LAN and a hard-wired LAN is the method used to transmit information. Wireless LAN technology is based on radio wave transmission, whereas hard-wired LANs might be based on twisted-pair cable (used by older telephone networks), coaxial cables (more expensive than standard telephone wire, but is much less susceptible to interference and can carry much more data), or fiber optic cables (very popular for LANs – data can be transmitted in digital form). Wireless LAN technology is relatively new, whereas hard-wired LANs (using twisted-pair cable) have been in use for quite some time. Security risks are important considerations for both types of LANs, and the technology for each is different. A wireless local area network (WLAN) must have a secure gateway, such as a Virtual Private Network (VPN), so that users may safely access the network. Such a VPN handles authentication of users and appropriately encrypts the information that is transmitted. Of course, data encryption is an important control for all networks. Others include a checkpoint control procedure, routing verification procedures, and message acknowledgment procedures (These procedures are discussed in the chapter). 10-5. Business continuity planning (BCP) is also called contingency planning and disaster planning. 
A business continuity plan is necessary because a variety of unforeseen disasters might occur that would cause a data processing center to not be operational. Examples of these disasters include natural events such as fires, floods, hurricanes, earthquakes, and manmade catastrophes such as terrorist attacks. A company’s BCP should describe procedures to be followed in the event of an emergency, as well as the role of every member of the disaster recovery team (which is made up of specific company employees). The company’s management should appoint one person to be in charge of disaster recovery and one person to be second-in-command. Part of BCP specifies backup sites to use for alternate computer processing. These backup sites may be other locations owned by the company, such as another branch of the same bank. Alternatively, these sites may be owned by other organizations and used for short-term periods in the event of a disaster. It is a good idea for the various hardware locations for data processing to be some distance away from the original processing sites in case a disaster affects a regional location. An example would be companies located near the San Andreas Fault in California. Since a severe earthquake could destroy the data processing centers of those companies within the earthquake area, organizations within this area should have disaster recovery arrangements with organizations located outside any area likely to be affected by an earthquake.



There are a number of reasons to test the business continuity plan on a regular basis and these are identified below.[1]
• To practice a succession plan for the CEO, in the event something happens to the CEO.
• To train backup employees to perform emergency tasks. The employees a firm counts on to lead in an emergency may not always be available.
• To practice crisis communication with employees, customers, and the outside world.
• To determine alternate means of communication in case the telephone networks go down.
• To involve all employees in the exercises so that they get practice in responding to an emergency.
• To make exercises realistic to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.
• To form partnerships with local emergency response groups (such as firefighters, police and EMTs) and establish a good working relationship. Let them become familiar with your company and site.
• To evaluate your company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.
• To reveal and accommodate changes. Technology, personnel, and facilities are in a constant state of flux at any company.

[1] Source: http://www.csoonline.com/article/print/204450.

10-6. Backup is an example of a control designed to mitigate or reduce business risk. As pointed out in the chapter, backup is similar to redundancy in creating fault tolerant systems. Through backup, a duplicate copy of a data file is created. To illustrate, data that you currently have stored on your hard drive could be copied onto a CD, flash drive, or other portable media for backup purposes. An example was provided in this chapter of a common control procedure that companies use for backing up accounting data – called the grandfather-parent-child procedure of file security. Backup is extremely important when operating a computerized accounting system. If, for example, backup copies containing important accounting data become corrupted or lost, all of the accounting data will be lost. Within a company's computerized accounting system, the loss of data that is not backed up could result in a severe interruption of business and loss of income. The term "backup" is not limited to just the backup of data. A company can also back up its hardware and electrical power. For example, through its disaster recovery plan, a company might provide for backup of its hardware by making arrangements for renting computer time from another organization should the company's own computer become inoperative. Regarding electrical power backup, surge protectors, for instance, provide protection should short, intermittent power shortages or failures occur. 10-7. The unique control risks associated with the use of PCs and laptops compared to mainframes occur in two basic areas: (1) hardware, and (2) data and software. Regarding hardware, because laptops are portable, they or any part of their peripheral equipment can easily be stolen or destroyed. Limiting access to such equipment is difficult. It is not difficult to remove the hard drive from a PC or take a monitor home. The problem is compounded further with laptop computers since many powerful laptops can now be hidden inside a briefcase. Regarding data and software, these two items are easy to access, modify, copy, or destroy, and thus are difficult to control. A person with reasonable computer know-how and access to a PC can access all the data and software on the machine. Consequently, there is a danger that an employee of the organization using PCs might make unauthorized access to records and manipulate the data, or that a disgruntled employee might decide to reformat a PC’s hard disk, destroying all software and data it contained. Students will likely come up with different lists of the three most important control procedures that should be implemented for laptops and the reasons these procedures are important. A suggested list with reasons is presented below.

Control Procedures and Reasons

1. Control procedure: An inventory should be taken of all laptops used in a company along with the various applications for which each laptop is used.
   Reason: This control procedure is important because a company is able to physically account for all of its laptops and based on the various applications for which each laptop is used, a determination can be made of the types of risks and exposures associated with every laptop’s applications. For those laptops whose applications are subject to greater risks and exposures, stronger control procedures are required.

2. Control procedure: Secret passwords that are periodically changed should be required for all authorized users of laptops.
   Reason: This control procedure is important because it prevents unauthorized individuals from using laptops to access data files and possibly tamper with the data within the files.

3. Control procedure: Each employee having a laptop should be required to place his or her laptop in a locked cabinet before leaving at night.
   Reason: This control procedure is important because of the size of laptops. The laptops’ smallness of size makes them susceptible to theft if left on employees’ desks when they go home at night.

10-8. 1) Test of completeness: The number should be exactly eight digits. 2) Test of sign: The number should be positive. 3) Test of numeric field content: The number should contain only numeric data; no letters or special characters. 4) Test of reasonableness: Each eight-digit number should fall within a range of allowable values.



5) Redundancy test: The four-digit product number should be valid for the four-digit "major-category" number. 6) Check digit: A ninth digit can be added to the eight-digit number for checking purposes. 10-9. a) Edit tests are computer routines that examine selected fields of input data for such attributes as accuracy, completeness, reasonableness, and sequence. They reject those data items that fail preestablished standards of data quality. b) A check digit helps ensure the accurate and complete input of an important number, such as an account number. If the check digit computed by a computer fails to match the associated check digit input by the user, the number (and perhaps the associated transaction) is rejected. Check digits thus help guard against the accidental alteration of the wrong master file record when an incorrect account number was input. c) Passwords are sets of numbers or letters that computer system users must input to gain access to further computer time or files. Well-constructed passwords and associated lock-out and dial-back systems guard against unauthorized computer access by denying computer time to "hackers" or other unwarranted users. d) Activity or proof listings are detailed listings of computerized data processing. Typically, these listings indicate what data processing was performed for each transaction or account in the system. Thus, these listings help assure data processing accuracy by providing system users with hard-copy evidence (and therefore an audit trail) of processing results. e) Control totals are financial, nonfinancial, hash, or record-count totals that are computed from input data. The initial control totals, input separately, are recomputed during actual data processing and ultimately compared. Unmatched values are investigated for causes. Thus, control totals guard against the loss of data during data processing activities. Matching control totals also helps assure users that data input was accurate and complete. 
10-10. Logical access to the computer is typically performed by using a remote terminal to log onto the computer system to obtain access to software and data. Control of such access is usually accomplished by having procedures that limit access to only those individuals who are properly authorized (i.e., properly identified and authenticated by the computer system). Physical access to the computer means being physically able to gain access to the computer system or the data processing center. Good security requires that both logical and physical access to the computer system be restricted to only those individuals who have authorization for such access. Computerized accounting information systems require human interaction with computers at many levels, including the input of data, the distribution of output, the programming of computer runs, and the inquiry of the system. However, not everyone involved with the accounting information system needs logical access to the computer system and few of the above activities require physical access to the computer. Restrictions on logical access safeguard computer time and maintain the privacy of the data files available to remote users. Restrictions on physical access protect the physical assets of the computer system and the data processing center. 10-11. The separation of duties control is intended to deter an individual from committing an intentional accounting error and concealing this error in the normal course of his or her duties.



To the extent that computerized accounting systems will handle functions that would be performed by more than one person under a manual system, the computerized version of the accounting information system cannot entirely adhere to this policy of separate responsibilities for related accounting processing functions. On the other hand, strict control over the development and use of computer programs, for instance, through the requirement of authorization for program changes and through the strict distinction between programmers and operators, is an example of effective separation of duties. Good separation of duties in the data processing center, for example, would require that a computer operator would not have authority to make computer program changes and that a programmer would not have access to the computer for running programs. A computerized accounting information system will tend to combine certain traditionally separated accounting tasks in its data processing, but use alternate means for the application of the separation of duties control. 10-12. The purpose of the hash total in accounting information systems is to ensure completeness in a set of accounting data. Hash totals compute meaningless values, such as the sum of customer account numbers.
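The control totals described in 10-9(e) and the hash total in 10-12, worked through in Python as an added example that is not from the textbook or the solution manual. The account numbers, amounts and function names are constructed for illustration; the last case shows an error that leaves every total unchanged.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account_no: int
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int         # how many records the batch holds
    hash_total: int           # sum of account numbers: meaningless as a figure
    financial_total: Decimal  # sum of the transaction amounts


def compute_totals(batch):
    """Compute the three control totals for a batch of transactions."""
    return ControlTotals(
        record_count=len(batch),
        hash_total=sum(t.account_no for t in batch),
        financial_total=sum((t.amount for t in batch), Decimal("0")),
    )


def mismatched_totals(expected, actual):
    """Return the names of the totals that differ and need investigating."""
    names = ("record_count", "hash_total", "financial_total")
    return [n for n in names if getattr(expected, n) != getattr(actual, n)]


# Constructed sample batch (not data from the page).
BATCH = [
    Txn(10472, Decimal("125.50")),
    Txn(20981, Decimal("310.00")),
    Txn(33015, Decimal("42.75")),
    Txn(48830, Decimal("980.10")),
]

# Totals taken at input time; in practice they are entered separately
# (for example on a batch header) and not derived from the keyed records.
EXPECTED = compute_totals(BATCH)


def after_processing_cases():
    """Recompute totals on three damaged copies of the batch and compare."""
    # A record lost during processing.
    dropped = BATCH[:2] + BATCH[3:]
    # Account number keyed with two digits transposed, amount unchanged.
    miskeyed = BATCH[:2] + [Txn(33051, BATCH[2].amount)] + BATCH[3:]
    # Amounts of the first two records swapped: the wrong accounts are
    # posted, yet count, hash total and financial total all still match.
    swapped = [
        Txn(BATCH[0].account_no, BATCH[1].amount),
        Txn(BATCH[1].account_no, BATCH[0].amount),
    ] + BATCH[2:]
    cases = {"dropped": dropped, "miskeyed": miskeyed, "swapped": swapped}
    return {
        name: mismatched_totals(EXPECTED, compute_totals(batch))
        for name, batch in cases.items()
    }


if __name__ == "__main__":
    print("expected:", EXPECTED)
    for name, diffs in after_processing_cases().items():
        print(f"{name:9s} -> mismatched totals: {diffs or 'none'}")
```

Because compensating errors such as the swapped amounts pass all three comparisons, control totals are paired with record-level controls such as edit tests and activity listings.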

Problems 10-13. We agree with the seminar leader's statement that all errors in processing accounting data can be classified as either accidental or intentional. A key point to emphasize is that many of the controls installed in an accounting information system are designed to detect accidental errors, not intentional errors. Edit tests are particularly important in this regard inasmuch as they are performed at the time of data input and therefore early in the processing stream of the system. Not all personnel controls are concerned with intentional errors, but the vast majority of them are concerned with this matter. An example of a personnel control which is not necessarily aimed at thwarting intentional errors is the requirement that employees take their earned vacations to relax from a stressful job. Nonetheless, intentional errors are, by definition, not accidents. If an error is intentional, it is committed purposefully and therefore involves an individual. Controls that limit the amount of harm an employee or outsider can do to a company's accounting information system are aimed at thwarting intentional errors. 10-14. Among other things, this question is intended to emphasize the importance of employee relations as a component of computer security. Thus, perhaps the most important control which the organization might have used would be adherence to the general policy of dismissing employees who are not happy with their jobs. Additional controls are also possible, however. The pre-testing of computer programs by alternate programming staff members and the requirement that only authorized versions of computer programs be used to update and maintain computer files might also have prevented the problem. It is also likely that record counts were not being used since, if they were, there would have been a discrepancy between the number of records written on the new file and the number of records read from the old file. 10-15. 
These transactions might have been discovered by the absence of merchandise in the company warehouse. However, the problem with this is timing: the final proof of fraud could only be established after it had been established that the merchandise was not lost in shipment or misplaced at the warehouse. A perpetual inventory system with close monitoring of discrepancies between actual physical inventory on hand and the quantity balances recorded in the accounting records would be an effective control for the present situation. Also, the
company should require cash disbursement checks be issued for merchandise purchases only after the purchase order, the purchase invoice, and the inventory receiving report have all been reviewed by an authorized employee, other than the check writer. Other effective controls would include: 1) Requiring a supervisor’s authorization for creation of all accounts payable master-file records. 2) Requiring a supervisor’s authorization for all orders exceeding a pre-determined level. 3) Requiring a computer printout of all orders exceeding a given dollar level. 4) Authorizing payment for merchandise only upon documented receipt of merchandise in good condition. The receipts voucher must include a signature of the person receiving the merchandise. 10-16. a. An edit test for a reasonable number of hours worked would guard against this problem. Requiring a supervisor to verify hours worked would also be useful. b. A control should be programmed into the computer enabling the credit manager to cut off credit sales to delinquent accounts. The account representative for Grab and Run Electronics should also be notified that no new sales on credit are to be made to this account. c. This problem could be solved through a separation of duties control procedure and insistence on the two-week vacation rule. d. The system should prompt any key-entry operator about which account is being accessed. The system should also be programmed to: 1. Require the input of the account number as part of the update process 2. Indicate an error message when account numbers fail to match 3. Refuse to create multiple account records with identical account numbers. e. The creation of vendor records for suppliers eligible for payments should require an authorization procedure. This controls against the creation of dummy companies. Also, the existence of damaged merchandise should be confirmed by more than one person; for example, through a supervisory control. 
Finally, an informal knowledge of Ben Landsford may have provided clues to his fraud. 10-17. a. Bank transactions should be pre-coded with either a deposit code or withdrawal code. Transactions encoded on different colored paper may help. Also, the bank should batch transactions by type. Finally, the error would cause a teller to be out of balance at the end of the day. b. An edit test of length would guard against this error. c. An edit test of reasonableness should be used. d. This is a programming error. The program should also be tested first with a test deck. The program should not be permitted to withhold deductions in excess of earnings and a sign test would be useful.

e. A check digit with “ordering of digits” feature would catch this error at run time. f. The computer program which processes this form should compare the first two digits of the employee number against a list of acceptable codes by performing an edit check. The input should be rejected if a nonexistent department was encoded on the form. g. The computer system involved should use passwords (or ID cards and passwords) limiting access to authorized users. h. A batch control total should be used.

10-18. Some of the ways that this “separation of duties” is achieved are as follows:

1. All systems changes and transactions should be initiated and authorized by user departments. 2. Asset custody should reside with designated operational departments. 3. Corrections for errors detected in processing data should be entered on an error log, referred back to the specific user department for correction, and subsequently followed up on by the data control group. 4. Changes to existing systems as well as all new systems should involve a formal written authorization from the user department. 10-19. a. It is likely that former employees are going to work for the competition - and taking proprietary information with them! The former employees may even continue to have remote access to Bristol's information system. b. There are several controls that could help here. One is to have each employee sign a confidentiality agreement or a non-compete agreement. Another is to allow employees limited access only to the database on a "need to know" basis. A third control would be to make sure that employee user IDs (access privileges) are deactivated upon termination with the company.
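The input controls named in 10-14, 10-16(a) and 10-17 above (length, reasonableness and sign edit tests, a department-code lookup on the first two digits of the employee number, a position-weighted check digit, a record count and a batch control total), shown working together as an added Python example that is not from the textbook. The 7-digit employee-number layout, the modulus-11 weighting, the 80-hour ceiling and every sample record are assumptions constructed for illustration.

```python
"""Edit tests on a keyed batch of payroll time records (all data constructed)."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional

# Assumed record layout (not from the text): a 7-digit employee number made of
# a 2-digit department code, a 4-digit serial and 1 check digit.
VALID_DEPARTMENTS = {"10", "20", "35"}   # internal table of acceptable codes
MAX_WEEKLY_HOURS = Decimal("80")         # reasonableness ceiling (assumed)
WEIGHTS = (7, 6, 5, 4, 3, 2)             # per-position weights: digit order matters


@dataclass
class TimeRecord:
    employee_no: str
    hours: str
    gross: str
    deductions: str


def check_digit(base: str) -> Optional[str]:
    """Weighted modulus-11 check digit for a 6-digit base.

    Returns None when the result would need a two-digit check value;
    such bases are simply never issued as employee numbers.
    """
    total = sum(int(d) * w for d, w in zip(base, WEIGHTS))
    value = (11 - total % 11) % 11
    return None if value == 10 else str(value)


def to_amount(text: str) -> Optional[Decimal]:
    """Numeric-data test: parse a keyed field, rejecting blanks, text and NaN."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def edit_record(rec: TimeRecord) -> list:
    """Run the field-level edit tests; return the names of the tests that failed."""
    failed = []
    emp = rec.employee_no
    if len(emp) != 7 or not (emp.isascii() and emp.isdigit()):
        failed.append("length")
    else:
        if emp[:2] not in VALID_DEPARTMENTS:
            failed.append("code table")      # nonexistent department
        if check_digit(emp[:6]) != emp[6]:
            failed.append("check digit")     # miskeyed or transposed digits
    hours, gross, ded = (to_amount(f) for f in (rec.hours, rec.gross, rec.deductions))
    if None in (hours, gross, ded):
        failed.append("numeric")
        return failed
    if not Decimal(0) <= hours <= MAX_WEEKLY_HOURS:
        failed.append("reasonableness")
    if gross < 0 or ded < 0 or gross - ded < 0:
        failed.append("sign")                # deductions may not exceed earnings
    return failed


def edit_batch(records, expected_count: int, expected_hours: Decimal) -> dict:
    """Apply the record-level tests, then compare the batch against its header.

    expected_count and expected_hours stand for the figures on a transmittal
    sheet totalled by hand before the batch was keyed.
    """
    rejected = {}
    for line_no, rec in enumerate(records, start=1):
        failed = edit_record(rec)
        if failed:
            rejected[line_no] = failed
    keyed_hours = sum((to_amount(r.hours) or Decimal(0) for r in records), Decimal(0))
    return {
        "rejected": rejected,
        "record_count_ok": len(records) == expected_count,
        "control_total_ok": keyed_hours == expected_hours,
        "keyed_hours": keyed_hours,
    }


# Constructed batch: the transmittal sheet says 5 records totalling 170 hours.
SAMPLE_BATCH = [
    TimeRecord("1001248", "40", "800.00", "120.00"),     # clean
    TimeRecord("2004757", "40", "800.00", "120.00"),     # 2004577 with two digits transposed
    TimeRecord("3503100", "400", "8000.00", "1200.00"),  # 40 hours keyed as 400
    TimeRecord("9900012", "38", "760.00", "110.00"),     # department 99 does not exist
    TimeRecord("1001248", "12", "240.00", "310.00"),     # deductions exceed earnings
]

if __name__ == "__main__":
    report = edit_batch(SAMPLE_BATCH, expected_count=5, expected_hours=Decimal("170"))
    for line_no, failed in report["rejected"].items():
        print(f"record {line_no}: failed {', '.join(failed)}")
    print("record count ok:", report["record_count_ok"])
    print("control total ok:", report["control_total_ok"], "keyed", report["keyed_hours"])
```

Record 4 carries a valid check digit yet is still rejected by the code-table lookup, and the extra zero in record 3 is caught twice, once by the reasonableness test and again by the batch control total, which is why the tests are layered rather than substituted for one another.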

10-20. [Table: applications and field names (rows) against the edit tests to apply to each (columns, under the heading "Test for"); the X marks showing which tests apply to which fields are not recoverable.]

Test for: Sequence; Consistency; Code from Internal Table; Redundancy; Sign; Alphabetic Data; Completeness; Numerical Data; Reasonableness

APPLICATIONS: Field name

INVOICING: Customer number; Customer name; Salesperson number; Invoice number; Item catalog number; Quantity sold; Unit price; Total price

SALESPERSON ACTIVITY: Salesperson number; Salesperson name; Department number; Sales volume; Regular hours worked; Overtime hours worked

INVENTORY CONTROL: Item catalog number; Item description; Unit cost; Units out; Units in

PURCHASING: Vendor catalog number; Item description; Vendor number; Number ordered; Cost per unit; Total amount


Case Studies The Big Corporation (Controls in Large, Integrated Systems) 1. The Big Corporation could experience several data security problems if proper controls are not instituted with the new system. Without proper controls, unauthorized employees could gain access to the data files, authorized employees could gain access to the data files outside their jurisdiction and responsibility, or outsiders could monitor data transmission lines without the management’s knowledge. As a result, data could be used improperly, interpreted improperly, or altered, causing significant problems for the company. Confidential data files of a sensitive nature should be protected from unauthorized use. Personal data, such as personnel records (health records, salary) and customer records (account balance, credit rating), could be damaging to the company if they were disseminated improperly. If proprietary information (i.e., product profit margin) were not restricted, competitors eventually would learn of this information, which could put The Big Corporation at a competitive disadvantage. 2. The Big Corporation must incorporate control measures to limit access to the system itself and to the data files. Only those individuals who need to use the system should be provided access to the system and data files. Access can be restricted by the use of secret password codes or by the use of both ID cards and passwords, or by the use of biometric identifications. Some users may be authorized to use the system, but are not authorized to access all data within the files. Protective techniques can be extended below the file level at the data-set level. This entails an examination of the field of each record involved before data are released for use. If the company is concerned with unauthorized access by outsiders, data encryption could be employed. 3. 
(a) The following are some of the physical safeguards The Big Corporation could adopt to protect its computer equipment: 1) Restrict access to only those who are authorized to use the equipment. 2) Protect against fire damage by installing water-fed sprinkler or carbon dioxide systems. 3) Protect against water damage by providing a proper water drainage system under the floor of the computer room. In addition, plastic covers should be available to place over the equipment to provide protection from overhead leakage. 4) Properly insure all equipment. (b) Some physical safeguards which can be employed to provide protection for the data are as follows: 1) Protect the files from deliberate damage by limiting the number of people who have access to them, by limiting access to the data processing facilities, and by establishing a strong librarian function. 2) Files should be stored in a fire-resistant cabinet or vault when not in use. In addition, the company should have regularly scheduled backup of files (and they should be stored in a safe location – perhaps electronic vaulting) in case the current copy of a file is damaged or destroyed. 3) All files should have external labels for easy identification.

(c) Possible measures which can be employed to provide physical security for the data processing center facilities are listed below: 1) Select a location for the data processing facilities that is away from possible hazards or high risk areas. Factors which should be considered are location above anticipated flood levels, location away from steam lines, water lines, and windows, and limit the number of doors. 2) Limit access to the data processing center facilities by employing guards, by requiring personnel to wear security badges, and/or by the use of dial-lock combinations. 3) Fire-resistant materials should be employed in the construction of the facilities. Smoke detectors and/or heat sensors should be installed to detect fires; water-fed sprinkler or carbon dioxide systems should be installed to extinguish fires. 4) The company should make arrangements for backup sites (or electronic vaulting) in case there is a major breakdown for an extended period of time. Arranging for backup sites should be part of the company’s development of a formal disaster recovery plan.

Bad, Bad Benny: A True Story (Identifying Controls for a System) 1. The same person handles all cash functions/lack of segregation of duties, lack of sufficient oversight or reviews (e.g., internal/external audits), no control infrastructure, no forced vacations or cross-training, improper monitoring of key employee, organizational structure not set up to encourage ethical behavior, too much trust put in family for sensitive positions, too much authority given to one employee. 2. Set policies for cash handling (e.g., require two signatures on checks over a certain amount, procedures for vendor selection), mandatory vacations and cross-training; separate recording, reconciliation, custody functions; institute regular audits (both internal and external); set up an internal control structure to include authorization/signature requirements; define organizational structure and responsibilities; keep updated list of approved vendors and customers; segregate duties related to cash and liquid asset oversight. 3. Testing audit trails (transactions from origination to destination), reconciliations of account balances, confirmation of bank balances, accounts receivable and accounts payable, physical counts of inventory compared to records, visit vendors, tests of logical relationship with business activity, review of procedures for purchases and cash disbursements.

Chapter 11 Computer Crime, Fraud, Ethics, and Privacy Discussion Questions 11-1. Most experts agree with the claim that the known cases of computer crime are just the tip of the iceberg, and most students are likely to agree with them. Of course, it is not known what percent of all computer crime is caught because we do not have any measure for the denominator of such a computation. However, if we only detect most computer crime by luck, chance, or accident, it is reasonable to ask, "What are the really clever computer criminals doing?" Thus, there is every indication that what we have observed about computer crime in recent years is much less than the total of all computer crime. 11-2. Among the reasons why most computer crimes are not reported are the following: 1. They are not detected. 2. There are no legal requirements to report computer crime, especially if the "crime" is detected in private industry. 3. Managers feel that the computer abuses detected within their organizations are embarrassments. Thus, private businesses are reluctant to report them. 4. Some experts fear that certain types of computer crime are susceptible to the "sky-jack" syndrome—i.e., that reporting a particular computer abuse will lead to a rash of similar ones. 5. Some people consider certain practices unethical but not illegal. Thus, for example, several organizations in the past have chosen not to press charges against students stealing computer time from university computers or employees for using the company resources for privately-contracted programming efforts. These activities are rarely reported. 6. A definition of computer crime is elusive. Thus, some computer crime is never reported because it falls into a gray area. 7. For some “small” crimes involving little money, the trouble of reporting it might be greater than the gains from such reporting. 8. 
Many IT personnel are not fully aware of the laws governing computer usage, and therefore fail to report it because they don’t realize it violates federal or state statutes. The matter of whether or not these reasons are valid is subjective. Currently, there is a debate in the literature over how much computer crime should be reported and what should be revealed if it is reported. Among the arguments in favor of reporting computer crime are: 1. Disclosure will alert other organizations about the dangers of computer crime and may result in better protection against it. 2. Disclosure will lead to better controls and a more informed security-conscious society. 3. Disclosure will strengthen the case for computer crime legislation and/or a stricter enforcement of the laws. 4. Ultimately, computer crime injures the public at large. Therefore, the public has a right to know about it. 5. We must learn to use our technology in constructive ways. Philosophically speaking, we must know about our environment, especially where technological abuse works against the common good. 11-3. Most experts believe that computer crime today is growing, not diminishing. To understand this claim, we must first distinguish between the amount of computer crime that is
committed and the amount of computer crime that is reported. As stressed in the chapter, experts believe that the number of reported cases of computer crime is much less than the amount of computer abuse that goes undetected and/or unreported. Other factors that suggest that computer crime is growing include: 1. The number of computers in use today is growing rapidly. It is reasonable to expect the potential for computer abuse to grow with it. 2. A large number of new computers are personal computers, netbooks, and hand-held PDAs. These systems are usually less secure than larger computer installations and have relatively limited control procedures. 3. More is known about the successes of computer criminals than about the ways such criminals can be thwarted. It is reasonable to assume that the high-gain computer abuse that has accidentally been caught in one place is currently also being tried elsewhere. 4. We believe that expenditures on computer security are growing much more slowly than expenditures on computer hardware and software. The difference between such expenditures is a widening gap that allows for increased computer abuse. 5. We believe that copyright infringement for software usage is common, but that most companies, as well as most police bodies, may not be aware of such infringements or may lack the resources to protect their rights. 6. A growing amount of computer abuse involves phishing and financial scams involving other individuals, not companies. 7. The number of spam emails received by individuals is growing. This is actually illegal in certain states and countries. Losses from known cases of computer crime have been much greater than the losses resulting from other types of white-collar crime. 
From this we learn that the vulnerability of a typical computerized accounting information system is much greater than the vulnerability of a typical manual system and that special controls and other safeguards must be installed in an AIS to protect it from abuse. When reviewing specific cases of computer crime, such as those presented in this chapter, one is struck by the fact that they differ widely in target system, method of approach, and means of deception. These diversities raise the question of whether an accounting information system can really be adequately protected from systematic abuse. Most experts feel that they cannot. Thus, the current decade promises yet more computer crime of even more spectacular proportions than those crimes of the past. 11-4. Students may strongly agree or disagree on this issue. However, the responses they give should be based on their research (visits to various websites to determine exactly what information different e-retailers collect and what they do with the information that is collected— or other data that might support their point of view). Encourage students to base their opinions on data that they might find on the Internet or data that might be available in their university library (either reference books or digital media), rather than their “feelings”. This topic can lead to a very lively classroom discussion if half of the students are required to “support” the view that retailers have the right, and the other half of the students are required to find data that suggests retailers do not have this right (For example, are there any laws that might limit what retailers can collect?). A mock debate can be used to bring out both sides of this issue, where 2-3 students from each group might present their findings (perhaps using PowerPoint slides) in front of the class and present their respective points of view. After both
presentations, the students in the front of the class could act as facilitators to encourage the rest of their classmates to give their opinions. The protection of computer-based information rests upon the need to safeguard individual rights to privacy. These rights include the protection of personal information when it is collected, maintained, used, or distributed. The issue becomes increasingly important when some of these activities were not authorized by those individuals who (perhaps unwillingly or unknowingly) provided the information. Examples of such vulnerable information include state and federal tax returns, responses to surveys, consumer behavior observed with hidden cameras, employee work evaluations, and medical records. There is remarkably little that an individual can do to protect personalized information in health, mail-order, and private banking applications. However, the following safeguards are available for certain other applications: 1. FAIR CREDIT REPORTING ACT OF 1970 This act guarantees the individual certain rights regarding the use of credit information gathered about him. Among these rights are: a) access to the information b) the ability to challenge the information c) the right to make the credit-information company change the information at company expense if it is shown to be in error 2. PRIVACY ACT OF 1974 This act places general restrictions on the use of personal information collected by agencies of the federal government. An individual is now permitted: a) to ascertain what records pertaining to him are collected, maintained, and used by any agency b) to prevent his records from being used or made available to others without his consent c) to gain access to the information, and to have copies made at a reasonable expense (his expense) d) to correct file information if found to be in error e) to file civil suits to collect for damages in the event that information collected about him is misused by a federal agency 3. 
SUPREME COURT RULING OF GRISWOLD VERSUS CONNECTICUT This case involved the right of privacy. While the Supreme Court did not make any definite statement about privacy in the constitution, it did suggest that the right of privacy was implied in the First, Third, Fourth, Fifth, and Ninth Amendments. 4. STATE LEGISLATION Almost all states have now enacted computer crime laws of some type. 5. FREEDOM OF INFORMATION ACT OF 1970 This "sunshine law" guarantees individuals the right to see any information gathered about them by federal agencies, and also prohibits these agencies from gathering information about individuals that is not germane to agency needs.

6. COMPUTER SECURITY ACT OF 1987 This act requires more than 550 federal agencies to develop security plans for each computer system that processes sensitive information. 7. NATIONAL ASSOCIATION OF STATE INFORMATION SYSTEMS (NASIS) This organization, along with concerned consumer groups, has been active in seeking state and federal legislation that regulates the use of computerized information. 11-5. There were a number of factors favorable to the TRW employees in the commission of their crime. Perhaps the most important was the fact that the change of information in the company's computer files, in and of itself, did not involve any cash transactions. Thus, unlike many other computer crimes in which a perpetrator must make a false debit or credit to cover up his activities, the TRW employees merely changed the credit ratings of the individuals who had paid for this “service.” Another factor that aided the participants was the lack of feedback checks which are so often a natural part of other types of accounting information systems. For example, in an accounts receivable system, an improper customer billing is likely to be noticed and brought to the attention of a company manager for correction. In the TRW case, however, TRW’s clients apparently accepted the credit ratings without question and thus extended credit to individuals who were not creditworthy. A final factor that helped TRW employees commit this crime was the seeming lack of internal control on credit-changes in TRW's input operations. In particular, it appears that the input clerk was able to make unauthorized credit-rating changes which reversed individual evaluations from bad ones to acceptable ones. This capability enabled the TRW employees to sell good credit ratings to customers and thus permitted them to carry out their schemes. One control that might have prevented this computer crime would be more stringent supervision in the altering of credit information in TRW's files. 
For example, the company might have insisted that all credit-rating reversals be first approved by management. A similar policy might have also been applied to all file changes in which favorable credit information was to be added to unfavorably-rated accounts. Another control might be the maintenance of duplicate credit information by both TRW and the credit-card companies. Although this procedure would be expensive, it has the advantage of installing a feedback characteristic in TRW's credit operations which was obviously missing when the crime was committed. Given the fact that damages resulting from this crime were estimated at over $1 million, such a control procedure has the potential to be cost effective despite such expense. A number of similar cases of computer abuse fall into the category of “valuable information computer abuse.” Examples include: 1. Industrial espionage cases, in which corporate budget plans, bidding data on forthcoming projects, or patent information stored on computer files is the major target 2. Computer snooping, in which information about the volume of accounts of a company or the salaries of specific individuals is the target 3. Software theft, in which the source code for an application program or operating system program is desired

4. Student pilferage, in which one student steals an assignment from another 5. Extortion, in which the information stored on a company's files is threatened if the company does not agree to the perpetrator's demands 6. Blackmail, in which computerized information will be revealed if payment is not made 7. File-napping, which is like kidnapping except that the "kid" is really the computer files of a company, which are subsequently held for ransom 11-6. As commonly used, hacking means gaining illegal or unauthorized access to computers, computer networks, or computer files. To ensure anonymity, the typical hacker accomplishes this from remote locations and with assumed identities. Some hackers gain little financially from their activities, but instead seem to enjoy some psychological satisfaction by successfully gaining access to their target computer resources. The growth of microcomputer usage has added to the problem because anyone with a microcomputer and access to the Internet can "hack." Two major deterrents to hacking are (1) education and (2) prevention. Education includes teaching students, employees, and the general public about computer ethics, helping them understand how costly computer breaches can be to victim organizations, and making them aware of the fact that hacking is now a punishable federal offense. Prevention includes installing and using firewalls, non-dictionary passwords, lockout, dial-back, and/or other security systems, changing passwords often, and prosecuting hackers as examples to others. 11-7. A computer virus is a program or subroutine that can replicate itself in other programs or computer systems. Typically, viruses are also destructive, although a few "benign" viruses have commandeered computer systems just long enough to display harmless messages before returning control to the end user. 
The damage that can be caused by other virus programs can be much more serious, and includes destroying system or user files, disrupting computer operations, denying others access to a system, launching distributed denial of service attacks against other systems, or disrupting the functioning of a complete system or network. 11-8. As noted in the text, employees are not likely to be aware of the importance or cost of computer abuse. Thus, educating employees about computer crime laws, the telltale signs of computer abuse, and the importance of making periodic file backups to recover from computer abuse are important. Research also suggests that computer crime is less likely if companies inform employees about the seriousness of such abuse and aggressively prosecute computer abusers. Although employees can be educated without the support of top management, most experts agree that such support is critical to successful security programs. The education process itself takes valuable employee time, of course, and managers must prepare the necessary policy manuals and training programs must exist with the full consent and encouragement of top executives. 11-9. Given that the Internet is a medium of information exchange and a free market, almost any crime that can be committed in a physical venue can also be committed in an electronic one. This includes misrepresentation, fraud, theft, racketeering, bribery, extortion, etc. In addition, as noted in the chapter, the Internet also gives computer abusers the opportunity to spread computer viruses, hack into computer systems and files for illicit purposes, and destroy or alter computer records or software without permission. Finally, it is important to note that the Internet provides perpetrators the critical anonymity they need to execute these forms of computer abuse.

The types of resources targeted by computer abusers vary widely. In some cases, the financial information maintained by a computer system is the target, as illustrated by the TRW case. In other cases, it is the personal identities of customers or taxpayers. In still other cases such as in denial-of-service attacks, the system itself is the target. The controls that are needed to safeguard such resources also vary widely. This chapter, as well as chapter 12, discusses them in detail. 11-10. Ethical behavior means acting in accord with standards of moral conduct. Examples of ethical behavior within AIS environments include protecting confidential information, being socially responsible, respecting the privacy of others, avoiding conflicts of interest, and using work computers only for business purposes. Five ways of encouraging ethical behavior include: 1. Educating employees about the importance of ethical behavior 2. Training employees by providing them with actual cases of ethical behavior in formal educational settings 3. Teaching by example 4. Rewarding ethical behavior with job promotions and similar benefits 5. Asking employees to subscribe (e.g., by signature) to professional codes of conduct 6. Penalizing those who violate ethical codes of conduct At one of the author’s universities, the student judicial office keeps lists of students caught cheating. If the instructor wishes, a student caught cheating can be asked to attend one or more workshops that teach them about student ethics (point 1 above) and what can happen to students who violate the university’s student code (point 6 above). 11-11. Hopefully, Mr. Randy Allen is an honest, hard-working bank employee deserving of the "Employee-of-the-Year" award. However, the presence of (1) a computerized bank data processing system to handle accounts, (2) the number of complaints from customers about account-balance errors, and (3) the ability of Mr.
Allen to rectify these errors manually without additional approval or supervision suggest that additional investigation may be in order. An enforcement of the two-week vacation rule for Mr. Allen, and perhaps an audit of the accounts of customers who have been complaining in his absence, would be good ideas. There are just too many danger signs here to let this situation go unexamined.

Problems 11-12. The scenarios presented in these brief descriptions actually happened. They are controversial matters and can lead to good classroom discussions. Although there are no right or wrong answers, the authors suggest the following as preferred responses: a. Here we have a student filing a formal complaint against a university because it did not rectify a problem caused by her own forgetfulness. If the university has a written policy forbidding techs to provide computer passwords over the phone, the university should be on solid ground. b. An individual’s right to privacy sometimes conflicts with corporate goals. This scenario points to the importance of developing corporate policies about such matters—especially the issue of what materials employees can maintain on business computers. Educating this particular employee to how embarrassing it would be if customers learned about his pornographic materials might be all that was needed to solve this problem. In the end, this case deals with a corporate computer, owned by the company, which therefore should have the final say about what can be stored on it. c. Research shows that allowing individuals to select their own passwords usually results in easy-to-guess, simple passwords and/or the post-it-note behavior described here. But these are undesirable security problems. Again, corporate policies that (1) require employees to use company-assigned or strong passwords, and (2) explicitly require employees to hide their passwords from public view can help. d. This event actually happened. The employee objected to someone snooping his old hard drive on the grounds that it contained personal information, but his superiors argued that he had accepted the new computer and therefore given up his rights to the old one. The information on the old hard drive provided clear evidence that this particular employee was violating corporate policy by working a second job, resulting in a near-dismissal for this employee. e. The discovery from this audit is a major red flag. The company should employ a forensic accountant, and perhaps a lawyer, to investigate further. An interesting question to answer is “Who is cashing the checks?” If it is the same person, this would be evidence of fraud. f. This action is perhaps unethical but not illegal. It is not much different from hiring shills in live auctions to bid up prices. g. This is an example of click fraud. Because the activity appears intentional, it is prosecutable as fraud.

11-13. This problem requires students to create a report on a recent computer abuse that they find discussed in a recent journal or other publication. Although finding such abuses is relatively easy, the lack of detailed information in most of them usually makes it more difficult to create meaningful analyses of them. The important points to emphasize here are students’ research skills and their ability to find an appropriate example. A good source of information for these types of examples may be found at the following website: http://www.crime-research.org.

11-14. The Salami Technique.

.01 per month = .03 in three months per account
.03 x number of accounts = $200,000
number of accounts = 6,666,667

.01 x 90 days (3 months) = .90 per account
.90 x 100,000 = $90,000 in three months

11-15. Suggested control procedures are as follows:

a. The invoiced company itself may reject the invoice as unauthorized. But Paul’s company should eliminate incompatible functions: the clerk who prepares the invoices should not be the same clerk who handles the checks that pay the invoices.

b. The company should have only one account for payroll checks. Only one owner should sign payroll checks. The bookkeeper should not be permitted to prepare her own payroll check. (This is a true story.)

c. The company should eliminate incompatible functions: the clerk should not be permitted to both create payroll records and be in a position to intercept the payroll checks. The system would also be able to alert others to this activity if it automatically generated confirmation slips of new hires to department managers.

d. The company should eliminate incompatible functions. The incompatible function in this example allows a clerk to handle cash and to manipulate the accounts affected by the cash payments.

e. Purchasing agents should not be permitted to create supplier (vendor) records and handle the checks made out to vendors - these are incompatible functions. Rather, the master records for new suppliers should be prepared by an independent person.

f. Passwords should not be dictionary words, but nonsense terms like "RES234" instead. Access to corporate computers from outside callers can also be controlled by limiting the number of password tries a caller can make (e.g., to three attempts), or by using a dial-back system.

g. The only way lapping accounts receivable can be performed successfully over this much time is by continued access and diligent activity. Enforcing the two-week vacation rule usually thwarts it.

h. Educating employees about the problems of viruses and how viruses are introduced to LANs may help. A policy forbidding employees from downloading computer games to corporate computers would also be useful. Finally, many companies now routinely use antivirus software that automatically screens new software for known viruses before it is loaded onto hard disks.

i. This is a breach of confidentiality, and certainly unethical behavior. The employees of medical facilities are usually cautioned about the strict, private nature of the information they access. "Education" and "corporate policies" regarding the confidentiality of this information are important controls. Firing employees who violate such policies also helps other employees understand their importance and seriousness.

11-16. The Association of Fraud Examiners (ACFE) Checklist and points are as follows:

1. Fraud risk oversight (20 points)
2. Fraud risk ownership (10 points)
3. Fraud risk assessment (10 points)
4. Fraud risk tolerance and risk management policy (10 points)
5. Process-level anti-fraud controls/reengineering (10 points)
6. Environmental level anti-fraud controls (30 points)
7. Proactive fraud detection (10 points)

This question also asks students whether this checklist “is likely to help organizations prevent most types of fraud.” Although most students are likely to feel that this checklist can help managers and employees prevent and/or detect fraud, it is important to note that even the most stringent controls are worthless if managers ignore them.

11-17. This question requires students to research information from the ACFE Compensation Guide for Anti-fraud professionals. The answers to the questions are:

a. Number of survey participants: 3,011 in 2008

b. Median compensations: CFE: $90,300; non-CFE: $74,111

c. Modal years of experience: CFE: 10-19 years; non-CFE: 5-9 years

d. Modal highest level of education: CFE: 4-year college degree; non-CFE: 4-year college degree

e. Median Total compensation: CFE females: $84,013; CFE males: $95,000. As stated in part (a) the total median compensations are: CFE: $90,300; non-CFE: $74,111. Explaining the differences: Usually, employees with credentials are paid more than those without them. Thus, it could be that more males than females have CFE certifications. It is also possible that more CFE males than females live in higher-wage areas of the country. Finally, because this survey is voluntary, it could be that more higher-paid females than males chose to ignore it.

f. The table on page 9 of the report entitled “Compensation Ranges by Primary Industry of Focus” indicates that salary levels do vary somewhat by industry. For example, the median salary for CFEs in education was $86,000 while the median salary for CFEs working in real estate was $123,000. The tables on page 8 of the report compare the salaries of CFEs and internal auditors. Like CFEs, the salary levels of internal auditors vary somewhat by functional area—for example, from a low median salary of $82,500 in financial institutions to a high median salary of $107,000 in manufacturing.

g. The median salary levels of CFEs also vary somewhat by geographic region, ranging from a low value of $74,482 in the mountain states to a high value of $102,000 for the mid-Atlantic states. A host of factors probably contribute to these variations, including differences in cost of living, concentration of industry, differences in demand for accountants with fraud examination backgrounds, and number of existing CFEs in the area.

Case Studies

The Magnificent Four Seasons Resort

1. This case illustrates the difficulty of defining “computer crime.” The key to this particular fraud is an employee’s ability to pose as a travel agent and collect a commission on an easy sale. Yet, because it involves a computer, it is possible to call this a “computer crime.”

2. One obvious control for this application is for the resort to formally adopt a policy prohibiting employees from receiving booking commissions when they double as travel agents—or perhaps pay them small, fixed bonuses for such work instead of full commissions. The resort should also maintain a current list of approved travel agencies, and use this list before paying booking commissions. It may also be cost effective for managers to handle nonapproved agency commissions on an exceptions basis. For example, each month before paying commissions to such agencies, the resort might obtain a printout of unrecognized firms and contact each of them for verification.

3. Classification will depend on the controls that students identify. A good reference for students is Chapter 11, where preventive, detective, and corrective controls are defined and illustrated. Using the first example above, any “policy” is intended to be a preventive control. Notice that the content of the policy is to segregate duties, which is itself a preventive control. The last example in #2 (above) would be a detective control. Students also might suggest training for employees at this resort so that they learn how management expects them to behave in the future, which would be an example of a corrective control.

4. The lack of accountability is critical to this fraud because it is the resort’s policy of paying unverified travel agencies booking commissions that enables this deception to continue. It is not clear that the resort should change its policy (e.g., it may not be cost effective to do so). However, this seems unlikely. Catching and disciplining one employee may also act as a deterrent to others.



The Department of Taxation

1. a) Confidentiality problems that could arise in processing input data and recommended corrective actions are as follows:

Problem 1) Unauthorized use of terminal.
Controls:
a) Limit physical access to terminal room used for data input and/or require data input personnel to wear color-coded badges for identification.
b) Use different passwords for each user and change them frequently.

Problem 2) Online modification of program by operator to by-pass controls.
Controls:
a) Prohibit program modification from input or inquiry terminals.
b) Secure the documentation that indicates how to perform operations other than input of tax returns.
c) Do not hire operators with programming skills.
d) Prohibit programmers from computer room.

Problem 3) Use of equipment for unauthorized processing or searching through files.
Controls:
a) Use passwords that limit access to only that part of the system needed for input of current tax data.
b) Secure the documentation that indicates how to perform operations other than input of tax returns.

b) Confidentiality problems that could arise in processing returns and recommended corrective actions are as follows:

Problem 1) Operator intervention to input data or to gain output from files.
Controls:
a) Limit operator access to only that part of the documentation needed for equipment operation.
b) Prohibit operators from writing programs or modifying the system.
c) Daily review of console log messages and/or run times.

Problem 2) There might be attempts to screen individual returns on the basis of sex, race, surname, etc.
Controls:
a) Institute programming controls such that there is a definite sequence to creating or maintaining programs. This sequence should contain reviews at general levels and complete trial runs.



c) Confidentiality problems that could arise in the inquiry of data and recommended corrective actions are as follows:

Problem 1) Unauthorized user with a valid taxpayer ID using the system.
Controls:
a) Use a sign-in/sign-out register for persons using the system.
b) Require users to show some form of identification.
c) Use a programmed sequence of questions which only valid users are likely to be able to answer.
d) Prohibit phone responses.

Problem 2) Taxpayers’ or regional state employee’s use of equipment for unauthorized processing or searching through files.
Controls:
a) Use passwords to limit access to output of tax information.
b) Secure the documentation that indicates how to perform tasks other than taxpayer inquiries.
c) Have the terminals locked out for repeated login errors or attempts to break security.
d) Have a code system that logs each entry and data inquiry by user.
e) Provide daily activity reporting to supervisors and/or auditors showing terminal numbers, user numbers, type of processing, name of files accessed, and unacceptable requests.

2. Potential problems and possible controls to provide data security against loss, damage, and improper input or use of data are as follows:

Problem 1) Loss of tax return data before any file updates.
Controls:
a) Keep copies of tax returns in a safe location and (temporarily) organized for reprocessing if necessary.
b) Maintain a transaction log on backing media for possible recall.

Problem 2) Improper input or use of data during processing.
Controls:
a) Verify data entry or enter twice by different operators.
b) Prohibit data entry through inquiry terminals.
c) Process routine items at specified times, thus preventing unauthorized runs of vital information.

Problem 3) Incomplete processing of tax returns.
Controls:
a) Computer prompting of terminal operators for appropriate input.
b) Balancing of computer processing at each stage back to input and run control totals.

Problem 4) Fraudulent program modifications entered from input or inquiry terminals.
Controls:
a) Prohibit programming from input or inquiry terminals; log all such attempts on console log for immediate supervisory action.
b) Periodic checks of all software packages so that any illegal modifications can be detected.



Chapter 12 Information Technology Auditing

Discussion Questions

12-1. As noted in the text, an internal auditor is an individual working for the company being audited while the external auditor works for an outside organization, typically a CPA firm. Thus, the responsibility of the internal auditor is to report to the staff supervisor conducting the audit while the responsibility of the external auditor is to report to external parties. Whereas the activities of both the internal and external auditors are governed by “generally accepted accounting principles” or GAAP, the external auditors’ procedures are also affected by federal and state laws that specifically define the relationship between the external auditor and client, and how this relationship is to be implemented during the course of an audit. The chief concern of the external auditor is that the financial condition of the organizational entity be accurately and fairly represented in its financial statements. In this sense the external auditor is limited to the attest function. Among the matters that may have more interest to the internal auditor are:

• Inventory records that have no financial implications
• Personnel records that have no financial implications
• Production or marketing records that have no financial implications
• Inefficiencies in reporting that affect the timing, rather than the accuracy, of monetary variables
• Minor discrepancies in financial accounts (immaterial)
• Organizational procedures that are primarily a matter of policy and do not involve assets or liabilities
• The morale, motivation, and productivity of individual departments or work groups

Preferences vary. Many accounting graduates begin their career as external auditors and then move into internal auditing.

12-2. The primary objective of a financial audit is to attest to the reliability of financial statements. The audit process includes an evaluation of internal controls (now mandated). Some of these controls are present in all processing environments, while others are unique to computerized data processing. The financial auditor may lack the expertise needed to evaluate the computer-type controls. In this event, the information systems auditor is called in. The information systems auditor’s primary objective is to evaluate internal controls and risks associated with the computerized data processing system (general and application controls). The information systems auditor may also become engaged in assisting a client to improve security over the computerized system environment.

Financial auditors should possess technical accounting skills, knowledge of accounting and business processes, a certain amount of skepticism, knowledge of the audit process, internal control expertise, knowledge of financial audit standards, communication skills, and interpersonal skills. Information systems auditors should possess an understanding of technical information systems security, internal control expertise, knowledge of information systems audit standards, computer expertise, communication skills, a certain amount of skepticism, and interpersonal skills. It would be best if financial auditors possessed knowledge of information systems audit standards and technical information systems security knowledge, and computer expertise. It would also be best if information systems auditors possessed technical accounting skills, knowledge of accounting and business processes, and knowledge of the financial audit process. The reality is that it is difficult for one individual to possess all skills in both realms. This reality has led to a shortage of information systems auditors with a solid foundation in accounting. Because of this, it may be difficult for financial auditors to know how to use the work of the information systems auditor. Likewise, it may be hard for the information systems auditor to understand which accounting areas are high risk and particularly vulnerable. Courses in AIS help to bridge the gap in knowledge.

12-3. General-use software is software that has a wide range of applicability. This software may be used by auditors, managers, accountants, system designers, and others. It includes word processing, spreadsheet, database, presentation, and communication software. Generalized audit software is software that has been developed specifically for use by auditors. Spreadsheet software is most useful when computations are required. Recalculating totals for fixed assets or depreciation schedules can be facilitated with spreadsheet software. Database software might be used to keep track of fixed assets and repairs and maintenance to these assets. An auditor might use word processing software to communicate with the client about audit issues related to fixed assets. Word processing software can also generate letters verifying the existence of fixed assets.

12-4. Interviewing is one of the most important functions performed by auditors. Interestingly, auditing and accounting curricula do not always work on these skills with students. Some techniques and skills that would be helpful to an interviewer would include: session planning, interview structuring, understanding the use of various question formats, options for controlling and documenting an interview, and, perhaps most important – how to listen. Interviewers need to understand the need to plan for an interview session. This includes structuring the interview a priori, informing the person to be questioned of the interview, deciding on how much time will be needed, researching the interview subject, and deciding on messages the interviewer wants to convey. Interviews may be structured in a variety of ways to maximize information gathering. A common technique is to ask innocuous questions first in order to relax the subject of the interview. Both general and specific questions are useful but each has advantages and disadvantages. The interviewer needs to know when to use which and also must decide how open-ended the questions should be. A skilled interviewer is always in control of the session and knows how to bring a subject back on track. Each approach to documenting an interview (i.e., note-taking, recording, or having an observer) has advantages and disadvantages. The interviewer should be familiar with these and decide on the best approach for documentation. Finally, an effective interview is one where the subject does most of the talking rather than the questioner. A good listener is the best interviewer.

12-5. With an integrated test facility, it is necessary to observe the complete cycle of activities. Thus, a set of fictitious purchase transactions would be introduced to the transaction stream representing hypothetical business activity with one or more bogus companies. These transactions would be designed to test the processing efficiency of the company and also, the ability of the company’s system to handle exception conditions. For example, one important test would be to see how the system handles a fictitious account. Another test would be to see how effectively the system pays debt in time to take advantage of time-dependent discounts. Yet a third test would be to see whether or not the system will pay an outside company for goods which in fact have not been received, or for goods which have been received in damaged condition. With the passage of time, the auditor would observe the system's response to these and other such tests and compare his findings with those as expected from documentation outlines and interviews with company officials. Discrepancies would be noted and the auditor would prepare a final report, complete with recommendations, to top management.

12-6. The recommendation to use certain controls or not is ultimately dependent upon the organization's attitude towards risk. More often than not, a collective group is likely to be conservative and avoid risks. In such instances, it would only take a very small probability of hazards before any given control for it would be desirable. Individuals may sometimes exhibit less risk aversion than groups, as for example, when an individual gambles. Thus, in such cases, a larger probability of occurrence is required before a given accounting control becomes cost effective. For the case at hand, we are not told who the decision maker might be or the organization's attitude toward risk. Thus, it would seem prudent for Mr. Rodriguez to present an analysis of his findings with neither a positive recommendation nor a negative recommendation for controls which are not determined to be cost effective. This is a decision for management rather than the auditor.

12-7. The Better Business Bureau offers a BBB Online Trustmark that symbolizes compliance with a variety of standards and rules of practice. These include privacy and security standards, as well as advertising and other business policies. CPA WebTrust provides assurance that a Certified Public Accountant has examined a site and finds it to meet the standards set by the AICPA for a particular set of criteria, such as that over privacy or security. The TRUSTe seal has two forms. One provides assurance with respect to privacy and the other is for email. Several accounting firms and other organizations offer their own assurance. These may rely on the brand of the company offering the assurance, rather than on a generic assurance label. Another website seal is the Good Housekeeping website seal. This capitalizes on the brand of the offline seal of approval program that has existed for decades.



Problems

12-8. a.

Hazard              Probability that     Expected Losses          Estimated
                    loss will occur      Low         High         Control Costs
Equipment failure   .08                  $ 4,000     $12,000      $ 2,000
Software failure    .10                      400       1,800        1,400
Vandalism           .65                      650       9,750        8,000
Embezzlement        .05                      150         450        1,000
Brownout            .40                      340         800          250
Power surge         .40                      340         800          300
Flood               .15                   37,500      75,000        2,500
Fire                .10                   15,000      30,000        4,000

b. Comparing the expected losses with the hazard control costs would result in the following decisions:

1) The hazard controls should be implemented for equipment failure, brownout, power surge, flood, and fire. The costs of implementing these controls are outweighed by the expected savings.

2) The hazard control for embezzlement should not be implemented as its cost exceeds any potential benefit.

3) The implementation of hazard controls for software failure and vandalism falls in the grey area of the decision process. The control costs exceed the low expected loss estimate but are less than the high expected loss estimate. These findings should simply be reported for managers’ decisions.

12-9. The purpose of certification is to get recognized as an expert in your profession. With a globally accepted and recognized ISACA certification, you hold the power to move ahead in your career, increase your earning potential, enhance your credibility and prove to employers that you have what it takes to add value to their enterprise. The types of auditing CISAs perform are further described in the various credentials available:

CISM: Certified Information Security Manager
CGEIT: Certified in the Governance of Enterprise IT
CRISC: Certified in Risk and Information Systems Control

12-10. Simply by searching on the term “computer security,” students will be able to identify many resources that would be helpful in auditing an information system. There are also a few guides or indices available that classify audit advisories, tools, and security techniques. An example of a site that issues security advisories is Carnegie Mellon’s Computer Emergency Response Team at www.cert.org. An example of help available is the Department of Defense’s online guide to selecting effective passwords.

12-11. By searching on the phrase “continuous auditing examples,” a student should be able to find many instances of organizational use of continuous auditing (CA) techniques. As an example, I found a health care company that used CA for efficiency. They were typically only auditing various parts of the organization every three or four years but by adopting CA techniques, they could have more confidence in their systems on an ongoing basis, freeing resources for other analyses.

Case Studies

Basic Requirements (Systems Reliability Assurance)

1. There are many security, availability, and privacy risks faced by Basic Requirements due to their online business. (Comprehensive lists of general risks may be found in the AICPA’s Trust Services document, which describes principles and criteria for trust services.)

Security risks concern unauthorized physical and/or logical access. For Basic Requirements, some specific security risks would include hacker access to the web site, student access to the computer (while in the store), and unauthorized access to accounts or passwords by student customers.

Availability of the web site is important to a retail business as downtime may mean lost sales and lack of credibility. For Kara and Scott, availability risks include hardware and software malfunctions that make the website inoperable for any period of time, problems with software that disallow customers from accessing their order status, and failure of logon procedures for accounts.

Privacy is particularly important for online customers. Basic Requirements needs to take many actions to ensure that customer information is kept private. This means ensuring that hackers cannot “steal” mailing lists and that there is no unauthorized access to customer accounts. A small business such as Basic Requirements will have difficulty in segregating duties to ensure that there are multiple controls over access to information. Store workers need to be carefully monitored and cautioned over discussion or dissemination of customer information.

2.

Risk
• Hacker access to web site
• Student access to computers (physical)
• Student access to accounts or passwords (logical)
• Hardware and software malfunctions
• Failure of logon procedures
• Student workers compromising privacy

Control
• Maintain anti-virus software
• Use acceptable length passwords
• Do not leave student customers in store alone
• Do not use group logons for access in office
• Use a hierarchy of passwords and logons to secure sections of the system
• Change default passwords of system administrators
• Maintain anti-virus software
• Maintain proper environmental conditions over hardware
• Have backup and contingency plans and test them
• Provide quick response to online customers experiencing difficulties with logon or forgotten passwords
• Be sure to describe logon procedures fully to online customers, including case sensitivity of passwords.
• Possibly maintain a system for forgotten passwords where a private question is used to authenticate (e.g., mother’s maiden name)
• Check student references
• Convey policies and privacy warnings to workers

3. To be effective, an internal control must be auditable. This means that the auditor must be able to inspect it. For example, Kara might tell the auditor that she always checks references of student workers. However, if she doesn’t maintain documentation showing this was done, the auditor has no way to verify her assertion. The IT auditor could check all of the controls described in Part 2 in a variety of ways, providing that Basic Requirements kept evidence of those controls. Some specific examples are:

• The IT auditor would check that the system uses current versions of anti-virus software and that there is a subscription that allows for continuous updates
• The IT auditor will check the access control software to view the requirements for passwords with respect to length
• The IT auditor will check the user listing for the system to ensure that there are no group passwords (e.g., STUCSTMR)
• The IT auditor will ask to see evidence that management has checked references of workers (e.g., reference letters, logs of phone interviews)
• The IT auditor will test the system to see if the described logon procedures actually work

Tiffany Martin, CPA (Information Technology Audit Skills)

1. Unfortunately, Dick's approach is a typical one. Small accounting firms, in particular, lack personnel with information systems audit expertise. The inability of a financial auditor to understand risks associated with computerized processing poses a threat to the validity of the audit process. Expanding the scope of an audit to 100% of all transactions is one way to reduce risk. However, it is inefficient as significantly increased substantive testing is costly. It is also not as beneficial to the client as a controls review would be. If errors are found, the sources of the errors will still be unknown with increased transaction testing. A controls review would show where potential problems are and the scope of the audit could be adjusted accordingly.

2. Tiffany should suggest calling in personnel who are experienced in information systems auditing for a controls review. If the firm does not employ these personnel, this stage of the audit should be subcontracted. The firm might decide in future hiring to take on some personnel with accounting information systems or management information systems backgrounds.

3. Public accounting firms are faced with a dilemma. The nature of auditing is changing rapidly due to computerized information systems. Many firms are moving towards the concept of providing "assurance" rather than "audit" services to clients. These call for different training for personnel and non-traditional hiring practices. Hiring a certain number of accounting majors and a certain number of management information systems majors will not solve the problem. Accountants and systems staff need to be cross-trained. Without the ability for financial and information systems auditors to communicate with each other, the audit will be both inefficient and ineffective. For instance, financial auditors might be told to call in information systems auditors for engagements where the information systems processing has a certain level of complexity. The information systems auditors may then evaluate the general and application controls associated with computerized processing and deliver a report detailing this evaluation to the financial auditors. Unless the financial auditors understand what lies behind the report, they are likely to disregard it and expand the scope of the audit to a conservative level with respect to risk.

4. Tiffany needs to call in information systems auditors for this particular engagement. She should also work with them so that she understands what they are doing. In addition, the firm should provide her with some formal training in information systems technology and information systems controls. One thing an accounting firm can do to facilitate cross-understanding between financial auditors and information systems auditors is to have individual members of each group work in the other group’s area for a certain period of time each year.

Consolidated Company (Audit Program for Access Controls)

1. There are many risks associated with a lack of controls to restrict logical access to programs and data. These include posting of erroneous or fraudulent transactions allowed by bypassing approval levels and segregation of duties controls.

2. It is important to include an audit of User IDs and passwords in order to evaluate the levels of access allowed and the potential for breaching access controls. This evaluation might also allow the auditor to consider what mitigating controls could be used to protect data. Any breach in logical access puts all assets of an organization, including information and data, at risk.

3. There are many different control procedures that Jason could use to ensure that only authorized users access the system. Some of them are:

• Unique IDs - each user is assigned their own unique ID and a system setting exists to prevent the same ID being used twice
• Preloaded IDs - the passwords for preloaded IDs are changed or these are locked/deleted
• Groups - groups are established within the application according to SoD determinations and group rights are reviewed periodically
• Periodic review - individual rights and access are reviewed regularly by appropriate management
• Automated removal - when a user is terminated they are automatically removed from having ERP access or a strong manual process is in place
• Job changes - a process is in place to change user rights when a user's job title changes
• Passwords are of a certain length, complex, rotating, and an indefinite lockout exists
• Process to add users requires documented authorization from management

SM 12.8
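The control procedures listed in item 3 can each be tested against an export of ERP accounts and the HR roster. The following is an added example, not part of the solution manual: the account fields, group names, SoD pairs, role-to-group mapping and 365-day review window are assumptions, and all data is constructed.

```python
"""Audit checks for logical access controls (added example, constructed data)."""
from collections import Counter
from datetime import date

AS_OF = date(2025, 1, 15)      # audit date (constructed)
REVIEW_MAX_AGE_DAYS = 365      # assumed periodic-review window

# Assumed SoD matrix: group pairs that no single user may hold together.
SOD_CONFLICTS = [frozenset({"AP_ENTRY", "AP_APPROVE"}),
                 frozenset({"VENDOR_MAINT", "AP_PAYMENT"})]

# Assumed mapping of job title to the groups that title may hold.
ROLE_GROUPS = {"AP Clerk": {"AP_ENTRY"},
               "AP Manager": {"AP_APPROVE"},
               "Treasury Analyst": {"AP_PAYMENT"}}

# Constructed HR roster keyed by employee number.
HR_ROSTER = {
    "1001": {"status": "active", "job_title": "AP Clerk"},
    "1002": {"status": "active", "job_title": "AP Manager"},      # promoted from clerk
    "1003": {"status": "terminated", "job_title": "Treasury Analyst"},
    "1004": {"status": "active", "job_title": "AP Clerk"},
}


def acct(user_id, employee_no, groups, auth_ref, last_review,
         enabled=True, preloaded=False, password_changed=True):
    """Build one row of the (constructed) ERP account export."""
    return {"user_id": user_id, "employee_no": employee_no, "groups": set(groups),
            "authorization_ref": auth_ref, "last_review": last_review,
            "enabled": enabled, "preloaded": preloaded,
            "password_changed": password_changed}


ACCOUNTS = [
    acct("jlee", "1001", {"AP_ENTRY"}, "REQ-0142", date(2024, 11, 1)),
    acct("mroy", "1002", {"AP_ENTRY", "AP_APPROVE"}, "REQ-0150", date(2024, 10, 15)),
    acct("tkim", "1003", {"AP_PAYMENT"}, "REQ-0101", date(2023, 1, 10)),
    acct("ADMIN", None, {"SYS_ADMIN"}, "", None, preloaded=True, password_changed=False),
    acct("jlee", "1004", {"AP_ENTRY"}, "", date(2024, 11, 1)),   # reused ID
]


def audit_access(accounts, roster, as_of):
    """Return a sorted list of (user_id, finding) pairs, one per failed control."""
    findings = set()
    id_counts = Counter(a["user_id"] for a in accounts)
    for a in accounts:
        uid = a["user_id"]
        # Unique IDs: the same ID must not be assigned twice.
        if id_counts[uid] > 1:
            findings.add((uid, "DUPLICATE_ID"))
        if not a["enabled"]:
            continue  # locked accounts cannot be used to log in
        # Preloaded IDs: must be locked/deleted or have a changed password.
        if a["preloaded"]:
            if not a["password_changed"]:
                findings.add((uid, "PRELOADED_ACTIVE"))
            continue
        # Adding a user requires documented management authorization.
        if not a["authorization_ref"]:
            findings.add((uid, "NO_AUTHORIZATION"))
        employee = roster.get(a["employee_no"])
        if employee is None or employee["status"] != "active":
            # Automated removal: terminated staff must lose ERP access.
            findings.add((uid, "TERMINATED_ACTIVE"))
        else:
            # Job changes: rights must match the current job title.
            allowed = ROLE_GROUPS.get(employee["job_title"], set())
            if not a["groups"] <= allowed:
                findings.add((uid, "ROLE_MISMATCH"))
        # Groups: memberships must respect the SoD determinations.
        if any(pair <= a["groups"] for pair in SOD_CONFLICTS):
            findings.add((uid, "SOD_CONFLICT"))
        # Periodic review: rights must have been reviewed recently.
        last = a["last_review"]
        if last is None or (as_of - last).days > REVIEW_MAX_AGE_DAYS:
            findings.add((uid, "REVIEW_OVERDUE"))
    return sorted(findings)


if __name__ == "__main__":
    for user_id, finding in audit_access(ACCOUNTS, HR_ROSTER, AS_OF):
        print(f"{user_id:6} {finding}")
```

Each finding maps to one bullet of the audit program, so the output can be attached to the workpapers as evidence for that control test.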


Chapter 13 Developing and Implementing Effective Accounting Information Systems Discussion Questions 13-1. Although some tasks in systems studies overlap, there are major differences between the planning, analysis, and design phases of such studies. The analysis phase involves organizing the system study team, perhaps hiring consultants, and making strategic plans for conducting the systems study. In a sense, the planning phase is continuous, since strategic planning is usually an iterative process. The major purpose of the analysis phase is to enable the study team members to familiarize themselves with a company's current system so that they can make recommendations for improving it. The systems analysis work includes understanding the goals of the current system, performing one or more surveys to acquire information about the company's present system, and generating possible solutions. The analysis phase leads directly to the design phase because the system planners use the information obtained in the analysis phase to design a new system. Therefore, the planning, analysis, and design phases all involve planning at increasing levels of detail. For example, the analysis phase provides a general design for a new system, while the design stage involves detailed design work for system development work. The major purpose of the design phase is to develop specific changes for a company's current system so that weak points can be minimized, if not eliminated. Thus, each phase draws on the information obtained in the prior phase. 13-2. Top managers appoint steering committees to oversee the work of an analysis and design team when it performs a systems study. Thus, a steering committee should be continuously involved in systems development work. The members of its committee should include top management personnel as well as one or more auditors. The role of the steering committee is to represent top management. 
Thus, its major tasks are to monitor, and interact with, a study team through all the phases of the systems study, and to facilitate communication between an organization’s managers and its study team(s). In many organizations, a steering committee is also responsible for hiring consulting firms to perform systems studies. In such situations, the steering committee serves as an oversight committee that monitors the consultant’s progress and critically reviews its systems analysis reports. These reports enable the committee to consider the consultant’s findings and evaluate the solutions recommended by its team members for solving current system problems. 13-3. Student responses on this question are usually mixed, and it is possible to argue for any one of the three levels here. Some students feel that "general systems goals" are the most important to the effective operation of an organization's information system because such goals as “cost awareness,” “relevant output,” “simplistic structure,” and “flexible structure” are global in scope and create a framework for an organization’s entire information systems work. Without this framework, an organization’s information systems cannot function effectively. It is also possible to argue that "top management systems goals" are the most important to the effective operation of an organization's information systems because top managers are ultimately the individuals whom the systems must satisfy. This line of thinking in effect says that what is most important is what the top bosses say is most important. Then too, top managers also play an important role as supervisors of successful operational activities and top management's long-range planning and controlling functions are critical to organizational success. Furthermore, top management requires a large variety of decision-making information. Unless the study team gives careful thought and consideration to top management's systems goals, the likelihood of an effective information system will be small. In addition, the systems goals of operating management for the coming year are difficult to develop without taking into consideration top management's systems goals. Finally, if top management's systems goals are not effectively satisfied, it is unlikely that operating management's systems goals could be effectively developed. Finally, it is possible to argue that the most important goals to satisfy are “operating management system goals.” This argument rests on the notion that only operational goals are meaningful. For example, “providing managers with the right information” is a strategic objective which only becomes meaningful when it is restated as “provide Manager X with Payroll Report Y every Monday morning.” 13-4. The purpose of a feasibility evaluation is to determine whether or not a specific new or modified system is technically, operationally, schedule, legally, and economically feasible—i.e., that the system is justifiable and practical in each of these five areas. For this reason, the feasibility evaluation should precede the preparation of a systems specifications report because the data for this report comes from the findings of the feasibility evaluation work (as well as the findings from the detailed systems design work). A systems specifications report should be prepared for only those system designs that are totally feasible—i.e., technically, operationally, schedule, legally, and economically feasible. 13-5.
This question requires students to imagine what cash benefits and costs an organization might incur when creating an online ordering system. We outline potential benefits and costs below. Note to Instructor: Most students cannot imagine that everything isn’t already computerized and online. However, if you think about such simple applications as address books, recipe files, stamp or doll collections, or the businesses of struggling mom-and-pop shops, manual applications still abound. Before discussing this problem, therefore, it might be interesting to ask the class what manual or non-online applications they can think of. Potential cash benefits: a) Reduced clerical errors b) Increased ability to generate customized sales reports c) Reduced costs of creating and distributing managerial reports d) Reduced clerical costs and paper usage e) Round-the-clock customer ordering capabilities f) Reduced lost sales and inconvenience caused by stock-outs g) Increased sales to both new and existing customers h) Ability to notify customers of shipping times or problems more quickly through collected email addresses i) Better customer services j) Better market planning k) More efficient management control



Potential cash costs (assuming inhouse provision of the online system) a) Computer hardware and software costs b) Costs to initially prepare the company's premises for the computer installation as well as the additional site preparation costs and hardware upgrade costs required during the life of the system c) Physical installation costs d) Employee training costs e) Programming and maintenance costs f) Conversion costs g) Operational costs 13-6. Prototyping involves developing a skeletal software model, or prototype, of an accounting information system. Thus, the prototype is a scaled-down, experimental version of the information system desired by the company’s users. The users should experiment with the prototype and then provide feedback to the developers explaining what they like and dislike about the mockup model. Based on this feedback, the developers will modify the prototype model and again present it to the users for further testing and feedback. This iterative process of “trial use and modification” continues until the users are satisfied that the proposed system adequately meets their needs. As explained in the text, prototyping works well when one or more of the following conditions are present: (1) system users do not understand their information needs very well, (2) system requirements are difficult to define and experimental designs are easier than with a live model, (3) the system to be developed is critical and needed quickly, (4) past interactions have resulted in misunderstandings between users and designers, (5) design mistakes are costly, or (6) the risks associated with developing and implementing the wrong system are high. But prototyping is not always the best solution. 
As the chapter discusses, prototyping is not recommended when: (1) neither managers nor users trust it, (2) modification requirements are small or outputs and processing needs are already well-defined (many accounting applications fall into this category), (3) only a small subset of a large number of potential users are able to evaluate the model(s), or (4) the application itself, although large, is well understood—for example, a general ledger system—and developing a prototype merely duplicates the design work already deployed in existing software packages. 13-7. A system’s specifications report contains detailed information about each design proposal that meets the feasibility requirements of the company's system. The purpose of this report is to facilitate discussions between the design team and the new system’s developers or software vendor(s). But before a vendor can submit a specific system proposal to a client, it must first receive detailed descriptions of that company's information processing needs. The systems specification report provides this information. Regarding the second question, the data included in the systems specifications report differs substantially from the data collected or generated by the design team during its feasibility evaluation work. The systems specification report builds upon the feasibility evaluation data (as well as the detailed systems design work). When members of the design team perform their feasibility evaluation work, they do not normally analyze in detail the specifications of each system proposal. This detailed work is unnecessary because the purpose of the feasibility evaluation is to ascertain whether or not a new system is "totally feasible" for the client company.



Only after the steering committee decides that the new system is totally feasible can the design team work on the detailed specifications. Some of the items included in the systems specifications report (that probably would not appear in a feasibility evaluation) are: a) Historical background information regarding the client company's operating activities b) Detailed information about the problems in the client company's present data processing system c) Detailed descriptions of the consultants’ (or study team’s) systems design proposals d) Indication of what the consultants expect the computer vendors to include in their proposals to the client company e) Request for a time schedule from vendors or system developers concerning their implementation of a new system into the client company 13-8. When establishing controls, an implementation team should also design effective audit trails, develop general and application controls for the new computerized system, and create good documentation for the system. Because these controls will affect both the form and content of a company's computer files, the team should create and implement these controls before converting accounting data files to alternate formats. 13-9. Under direct conversion, the organization immediately discontinues using its old system as soon as the new system is installed. Direct conversion may be appropriate when (1) there are many weaknesses in the old system and almost any change is likely to be an improvement, (2) there are only minor or simple revisions to the company's current system, (3) well-tested PC software or hardware is acquired and only a small number of users are involved, or (4) there are drastic differences between the new system and the old system. Compared with parallel or modular conversion, the major advantages of direct conversion are (1) cost, and (2) time savings. Direct conversion saves costs because it is relatively inexpensive—the changeover is immediate. 
Direct conversion saves time because no time is lost between the changeovers from one system to another. The major disadvantage of direct conversion is the possibility that the new system does not function well after it is implemented. This can be very disruptive, costly, and even fatal. Under parallel conversion, an organization operates both its old system and its new system simultaneously for a certain period of time in order to test the new system and compare outputs. The implementation team will investigate differences and either request or make revisions in the new system as required. The major advantage of parallel conversion is that it protects a company’s business processes if the new system does not work properly or fails completely. The major disadvantage of parallel conversion is cost. Because both the old and the new system will process almost all of its accounting transactions throughout the conversion period, organizational facilities and personnel must handle the double-processing workload. This usually leads to overtime work and other extra costs. Under modular conversion, an implementation team decomposes an AIS into smaller units or “modules.” The implementation team then installs the new system "piecemeal" for the specific units associated with the activity. As individual modules are successfully tested and installed, further units are then implemented and tested until the entire system is successfully implemented. The major advantage of modular conversion, therefore, is that the team can identify specific problems early and correct them before implementing the remainder of the system. Because the implementation process takes place on a step-by-step basis, there is a high probability that the complete system will function well. The major disadvantage of modular conversion is that it takes a long time to complete the entire implementation process, thus increasing organizational costs.



13-10. Both Gantt charts and PERT network diagrams are useful tools for scheduling, monitoring, and managing the activities required to implement a new accounting information system (see Figures 13-11 and 13-12 of the text). Of the two, PERT is the more important project management tool. It allows project leaders to plan complex implementation projects, estimate the completion times of these projects, identify the activities on critical paths, and examine “what-if” scenarios in which managers reallocate project resources from some activities to others. Gantt charts are simpler and easier to understand, but they do not indicate the precedence relationships between the various activities as do PERT network diagrams. For this reason, project managers are more likely to use Gantt charts for simple applications, or to illustrate actual-versus-planned completion times of the activities in larger PERT projects. 13-11. When an organization installs a new accounting system, its managers hope that it will eliminate all the old problems and not create new ones. However, as the new system operates on a day-to-day basis, some of the company's original systems problems may reoccur or new problems may develop. The purpose of the follow-up phase of a systems study is to evaluate the new system and determine what problems still exist. A new system should help a company achieve its general systems goals, top management systems goals, and operating management systems goals. Through follow-up analysis work, an implementation team attempts to identify those goals that the new system does not help management achieve. Systems revisions will then be required in these areas. Similarly, new revisions may be needed due to internal and/or external environmental changes, or because the new system no longer provides the types of information required by the company's management. 
Some specific examples of follow-up work are: 1) Determine whether top management and operating management are satisfied with both the content and the timeliness of the output reports received from the information processing subsystem 2) Evaluate the system controls of the system to ensure they function properly 3) Observe employee work performances to determine if the new system helps them perform their assigned job functions effectively 4) Determine whether processing functions are performed adequately, and also if output schedules for both internal and external reports under the new system are met 5) Talk with local area network users to determine these users’ satisfaction with the information they are accessing from the network 6) Test computer security, privacy, and confidentiality controls to ensure that the new system meets or exceeds expectations in this area

The implementation team will prepare a follow-up review report at the end of its follow-up work, which it then submits to the company’s steering committee. It is up to the steering committee to decide what to do next. 13-12. Three major ways that an organization can acquire software are: (1) by acquiring or leasing it from one or more independent vendors, (2) by developing the software in-house, and (3) by outsourcing the data processing tasks required by the system. Technically, however, this last option refers more to accomplishing system tasks than to acquiring software.



Rather than reinvent the wheel, most organizations obtain their operating systems, communications, and utility program software from outside vendors. The one remaining type of software is application software. When a company has very specific data processing requirements and no available commercial software can satisfy its needs, an organization typically has no choice but to write its own. However, this advantage of “in-house development” also carries over even when commercial software is available—i.e., the fact that the software is customized to meet the organization's specific processing requirements. Because vendor software is usually written for a larger market, it may require considerable modifications to satisfy the organization's data processing needs. The counter argument is that canned software typically costs much less than custom-developed software, and thus, the question is usually whether the costs of purchasing or leasing the initial software, plus the modification costs, are still cheaper than the in-house development alternative. Which approach is better? Depending upon their individual experiences, some students may prefer to acquire software from an independent vendor whereas other students will favor inhouse development. Those students recommending an independent vendor for the acquisition of software often give "lower cost" as the major reason for favoring the independent vendor over the in-house development, but this is not always so. It depends upon the specific software needs of the organization. As a practical matter, however, most companies today prefer to purchase existing software than develop their own. Also, as we noted in earlier chapters, existing software typically incorporates “best practices,” which often requires companies to reengineer some of their processes. 
While this represents a cost in terms of time and money, successful BPR initiatives can sometimes reap significant advantages for companies over the long run (i.e., in terms of cost savings due to more efficient and effective processes). 13-13. Business process outsourcing (BPO) means just that—outsourcing the tasks required to perform a specific business function. An example is preparing the weekly company payroll. Typically in such circumstances, the vendor uses its own software, labor, and materials to perform the job. “Knowledge process outsourcing” (KPO) means hiring an outside vendor to perform a knowledge-oriented task. An example is developing software according to client specifications or performing a particular research task. Companies outsource business processes, such as back-office accounting functions, for a variety of reasons. As noted in the text, the number one reason companies outsource is “cost.” Globalization means that any company anywhere in the world may contract with anyone, located anywhere, to perform the required work. Because labor rates vary around the globe, labor-intensive tasks that may be done more cheaply elsewhere have the potential for outsourcing. Other reasons mentioned in the textbook include convenience, the ability to depend upon an outside vendor to handle large changes in processing volume, the availability of expertise not found in-house, and relief from the pressures of keeping current with technology.

Problems 13-14.

The Chris Hall Company

(a) Information needs of a production plant supervisor: 1) Estimates of periodic requirements (weekly, monthly, etc.) of different types of wine in order to develop periodic production schedules



2) Comparisons of production activities relative to the capacity of production equipment to identify periods when there will be idle plant capacity or overtime work required 3) Information concerning quantities of raw materials needed for manufacturing so that managers can ensure adequate supplies of these materials will be on hand for production 4) Information regarding labor requirements for production so that adequate personnel will be available to meet production schedules 5) Cost reports reflecting variances of actual production costs in comparison to budgeted and standard production costs so that corrective action can be initiated on those production costs that vary significantly from the budget and standard cost data (b) Information needs of top management: 1) Information regarding competitors’ activities (e.g., competitors’ introduction of new products) and any price and quality changes anticipated or already initiated for competitors present products and how these changes are likely to affect the company's current share of the market 2) Estimates of the company's long-range market potential for each of its product lines 3) Information on the future economic outlook for the country and how the company's future sales will be affected by inflation, unemployment, etc. 
4) Projected cost and revenue data associated with wine production and sales in order that long-range budgetary planning can be performed 5) Information on long-term trends in wine consumption both domestically and internationally 6) Information on competing beverages such as beer (c) Marketing manager: 1) Forecasts of expected sales by product line for the coming budget year 2) Information regarding the contribution margin of each product line so that an optimal sales mix can be developed 3) Information regarding production capacities of the manufacturing plant so that managers can determine the ability of the plant to manufacture adequate inventory quantities to meet the anticipated sales mix in the coming budget year 4) Information regarding the effectiveness of various advertising efforts for stimulating demand for the company's products (this information may lead to changes in various promotional endeavors) 5) Information comparing the actual sales to budgeted sales by both product lines and sales personnel; this information can be reported on a management-by-exception basis 13-15.

Lilly Li Apparel

Note to Instructor: This problem asks students to identify four problems with the system. Here are six of them.

1. Problem: New cashiers are awkward in their use of the POS system.
   Remedy: Conduct POS training for new cashiers.

2. Problem: Printing sales tickets seems to take too long.
   Remedy: Replace the existing printers with faster models, or speed the processing of sales transactions leading to the printing.

3. Problem: Automatic opening of the cash drawers is erratic.
   Remedy: Test the voltages sent to the cash drawers under PC control and adjust them to give predictable responses.

4. Problem: The four-digit STN is inadequate for the number of merchandise items, resulting in frequent dumps of information for discontinued items to make room for new items.
   Remedy: Add one or more digits to the STN field in all files, reorganize databases, and/or recompile programs (if necessary) for the new STN size, and reload existing STN files. Even better: use automated scanners that eliminate manual keying.

5. Problem: Customers become impatient with the long credit approvals.
   Remedy: Install electronic credit card verifiers that read the customer’s credit card number and automatically dial the credit card approval service for authorization. Alternately, or in addition, automatically approve credit-card purchases under a set limit—for example, $25.

6. Problem: All sales cease when the store server is down.
   Remedy: Implement procedures that permit the POS system to ring up sales independent of the computer by: a) Continuing to accept sales for cash, but manually recording transactions for later computer input b) Maintaining an automated backup server or generator c) Creating a program disk that can be used to restart the PCs and a data disk containing the STN file d) Having cashiers load the program when the computer fails e) Having the computer retrieve PC-controlled sales when the computer returns to operation

13-16.

AAZ Consulting Firm

Here are areas where an online, real-time computer system might help the managerial decision making for a professional football team: a) The system could be useful in maintaining up-to-the-minute counts of attendance during game days as well as counts by category, e.g., general admission, box seats, VIP, complimentary, etc. b) The system would be able to take ticket orders for future games—an important capability if seats for a certain future game were limited and there were several sales centers for such seats scattered about the ball park or the city. c) For such sports teams as baseball, basketball, and football, the system could be useful in simulating various game-playing situations that could happen during a game and providing statistics about the success of each outcome. d) For all types of athletic teams, the system could help maintain current inventory records for such critical items as medical and athletic supplies that are needed by the team.


e) For all types of athletic teams, a real-time system could be useful to aid the projections of future attendance at games and to help forecast future cash flows as well as other budgetary activities (such as forecasts of future capital expansion). f) For professional baseball, basketball, and football teams that draw heavily upon college graduates when seeking new players, the system could provide current information about each year's available college graduates as well as future college graduates and their unique qualifications. Also, the computer system could maintain information about which players have already been signed to contracts by other teams, which individuals are still free agents, and which teams are competing for these free agents. 13-17.

Cook Consultants

Students typically don’t like May’s suggestion. True, implementing the new system on time is important, and can probably be completed much faster under “direct conversion” than “parallel conversion.” However, meeting this date at the expense of installing an inefficient or untested system should normally be avoided. Because The Samuel Company is making major changes to its system, there is a strong likelihood that various problems may occur. “Direct conversion” means that the old system will be discontinued immediately after the new system is implemented. If problems occur with the new system, these problems may be costly, such as losing customers, wasting employee time, and will normally be more difficult to solve if the old system is gone. Furthermore, a company can have serious difficulties maintaining accurate data files if only the new system is operative and problems with the new system corrupt the data in these files. Under parallel conversion, both the old system and the new system operate simultaneously for a period of time until managers believe the new system is free of errors. The problem with parallel conversion is that it takes more time than direct conversion. However, the likelihood is much greater that, under parallel conversion, the new system will operate more efficiently and effectively. For these reasons, parallel conversion should be used even though it may delay the systems implementation schedule. 13-18.

A Preliminary Investigation

Although this problem is open-ended, the authors have had great success encouraging students to examine the information system of specific companies and requiring them to report their findings in class. One common difficulty is the fact that the study of even the smallest systems tends to be a large and complex undertaking. This is a useful lesson, however, for understanding “scope creep,” and certainly points out the difference between in-class theory and real-world practice. As a practical matter, however, instructors should urge their students to look at very simple systems in very small companies. 13-19.

Understanding PERT Charts

a. Only activity B must be completed before activity C can begin. b. Both activities E and F must be completed before activity G can begin. In turn, activity E requires activity A and activity F requires activity B. c. Activity J requires the immediate completion of activities I, G, and D before it can commence. Indirectly, activity J requires the completion of all the other activities before it can begin.

d. The five paths through the network (and their completion times) are: (1) AEHIJ (55), (2) AEGJ (50), (3) BFHIJ (58), (4) BFGJ (53), and (5) BCDJ (48). The critical path is BFHIJ because it is the longest path through the network. e. Activity F can only begin after the company completes activity B. If Activity B requires 14 weeks to complete, then activity F can begin at the beginning of week 15. f. The two paths leading to activity G are AE (requiring 18 weeks) and BF (requiring 21 weeks). Because activity G requires the completion of both activities E and F, the earliest start time for activity G is the beginning of week 22. g. From Part (d) of this question, we know that the entire project can be completed in 58 weeks. If activity J requires 26 weeks to complete, then we can subtract 26 from 58 to get “32.” This means that the latest start time for activity J is at the end of week 32, or the beginning of week 33. h. This part of the problem continues part (g). We know that activity J must start no later than the beginning of week 33. Because activity G requires 6 weeks to complete, we can subtract 6 from 33 to get “27.” Thus, the latest start time for activity G is the beginning of week 27. i. From part (f) of this problem we know that the earliest start time for activity G is the beginning of week 22. From part (h) of this problem, we know that the latest start time for activity G is the beginning of week 27. Subtracting, we obtain the slack time for this activity: 5 weeks. 13-20.

Understanding GANTT charts

a. Activity G (“convert data files”) is scheduled to begin at the beginning of week 22 and end 6 weeks later (the end of week 27). b. Activity I (“test computer software”) is scheduled to begin at the beginning of week 28 and end 5 weeks later (the end of week 32). c. The Gantt chart shows that the actual time to complete activity A (“prepare the physical site”) was 11 weeks. This was less than the 17 weeks originally planned for it. d. The Gantt chart shows that the actual time to complete activity B (“determine the functional changes”) was 16 weeks. This was more than the 14 weeks originally planned for it. e. Activity E (“acquire and install computer equipment”) can only begin after the company completes activity A. Because the company was able to complete activity A early (in 11 weeks), it can also begin activity E early—i.e., at the start of week 12. f. Activity C (“select and assign personnel”) can only begin after the company completes activity B (“determine the functional changes”). According to the Gantt chart, there was a delay in completing this activity, which was completed at the end of week 16. Thus, activity C can actually begin at the start of week 17.

Case Studies

Prado Roberts Manufacturing (What Type of Computer System to Implement?)

1. Four advantages of mainframe computer systems are:
• The available speed, power, and memory needed to perform the largest, most complex tasks without the complexity and concerns of networks
• Multi-user capabilities, enabling hundreds or even thousands of users to access the same computer and files simultaneously
• The mainframe programs, partially because they have existed for a long time, are debugged, and, therefore, cheaper than new microcomputer software
• A centralized computing environment leads to better control of applications, program development, data files, computer operations, and quality standards with greater uniformity

Four disadvantages of mainframe computer systems are:
• Such systems may not be user friendly
• Such systems may require a high level of expertise to operate and require highly trained, expensive IT staff
• There may be time delays in developing and implementing new systems as the programs are complex
• New software for the mainframe may not be available, or may be expensive if it is available

These advantages and disadvantages are likely to also apply to other manufacturing companies.

2. Factors and/or activities that prolong the lives of mainframe computer systems are:
• Systems that were originally developed in-house have now been debugged and work properly
• The availability of parallel processing and emerging software capabilities
• The high cost of replacing customized systems

Two reasons why companies may not want to retire their mainframe computer systems are:
• These companies have enormous investments in mainframe platforms that would have to be written-off on the financial statements
• Many users rely on mainframes to perform their most vital computing functions which may require more memory, processing power, and data files than those available on microcomputers

Again, these factors are also likely to apply to other manufacturing companies.

3. Five advantages of microcomputer/client-server systems are:
• They are more user-friendly, thus, making it easy for employees to use
• They more easily meet rapidly changing business needs with new systems applications
• Microcomputers’ standalone capabilities allow users to continue to perform computer tasks even if the host or server is disabled
• Microcomputers’ low acquisition and maintenance costs, which continue to decline over time
• Many software applications are available in the marketplace

Two disadvantages of microcomputer/client-server systems are:
• The loss of central control. Security is more difficult relative to remote stations, the server, and data files
• Personnel are tempted to use microcomputer work stations for personal purposes

These advantages and disadvantages also apply to Prado.

Wright Company (Analyzing System Reports)



Note to Instructor: In the solution below, the word “dysfunctional" refers to a negative contribution toward the company's operating efficiency and the word “functional” refers to a positive contribution toward the company's operating efficiency. 1. Indicate whether each of the four reactions cited in the text contribute positively or negatively to the Wright Company’s operating effectiveness. 1) If the reports contain information that requires immediate attention, any delay in action is likely to be dysfunctional. If the reports continue to accumulate with no action taking place (e.g., the department heads do not catch up during the lulls), this definitely is dysfunctional behavior. 2) Generating too many reports or generating so many of them that managers take the wrong action is a dysfunctional response and a good example of information overload. The department heads were unable to assimilate the supplied information properly, and therefore they either did not use it or used it incorrectly. 3) Delaying action until reminded by someone can be dysfunctional. If delays continually take place and result in complications and/or delays in other departments, this lack of action is dysfunctional. 4) Seeking information from external sources can be both functional and dysfunctional. Gathering information from alternative sources can be dysfunctional because the formal system is not producing the information in a usable form and the process of developing information from other sources probably has a cost. However, the fact that the department heads generate needed information from other sources might be taken as a functional response to the problem. 2. For each negative reaction, recommend alternative procedures that the Wright Company can employ. The dysfunctional behavior that occurred in Wright Company is most likely a direct result of management's failure to recognize that information systems are dynamic. 
Once a system is designed and implemented, it should be continually reviewed to acknowledge and incorporate any changes. It does not make sense to attack these problems piecemeal. Instead, a follow-up systems study committee composed of both systems staff and users should be established to review the present system and to interview users about their information needs and uses of the system’s outputs. During the systems survey review, the committee should focus on the information needed by department heads, the content, form, and formats this information should take, and the timing of the information. Unnecessary reports should be eliminated, and individual reports should be redesigned to include only relevant information. Once revised, the reporting system should be reviewed periodically to make sure it is functioning smoothly and to make necessary corrections.

Kenbart Company (Redesigning Profit Plan Reports)



1-2. First, the most obvious addition is a date field at the top of the report that indicates the day the report was created. This should help managers better identify individual reports and updates. Within the body of the report, the format for the account titles and their order of presentation in the first column will not change, and data will still be presented for both the current month and year-to-date. To help management review results and plan operations, however, we recommend that Kenbart add three new columns (“original,” “revised,” and “flexed revised”) under both the “Month” and the “Year-to-Date” headings as shown below. Furthermore, we recommend that the report include a “current outlook” column. An example of the revised format for the Profit Plan Report is shown below. Some additional notes are:

• The Original Plan and Revised Plan columns are included for reference purposes. These two plans were the predecessors of the Flexed Revised Plan and may be useful in tracing changes.
• The Flexed Revised Plan is the most current plan and is the one to which “Actual Results” should be compared. A comparison of Actual Results to this plan yields the Over/Under Plan calculations in dollar and percentage amounts.
• The Current Outlook column was not included in the original report but has been added here and should give management an idea of what the results for the year are expected to be.

KENBART COMPANY
PROFIT PLAN REPORT
DATE OF REPORT: xx/xx/xx

Column layout (left to right):
ACCOUNT TITLE
MONTH: ORIGINAL PLAN | REVISED PLAN | FLEXED REVISED PLAN | ACTUAL RESULTS | OVER/UNDER ($, %)
YEAR-TO-DATE: ORIGINAL PLAN | REVISED PLAN | FLEXED REVISED PLAN | ACTUAL RESULTS | OVER/UNDER ($, %)
CURRENT OUTLOOK

Rows (under ACCOUNT TITLE): SALES . . NET INCOME


Chapter 14 Accounting on The Internet Discussion Questions 14-1. An intranet is an internal network created by an organization for the benefit of its employees. Most intranets are local area networks that utilize convenient web-browsing software. Extranets are similar to intranets, except that they are also accessible by a limited number of external parties—for example, employees working from home or suppliers. Both intranets and extranets are valuable to accountants. For example, intranets enable businesses to distribute, and end users to read, information about such items as production reports, announcements, or financial activities. They also enable accountants to collaborate with each other, using group collaboration tools. These same ideas apply to extranets. Finally, these networks are important to accountants because so much commercial and financial information is transmitted over them and also because their security and efficiency are important auditing concerns. 14-2. The term “blogs” is an abbreviation for web logs, and is a groupware (collaboration) tool that allows computer users and web browsers to publish personal messages online. Blogs enable their users to create, share, and leverage knowledge in any kind of organization. Those who are currently exploring the potential of blogs are for-profit companies, government organizations, and universities. 14-3. Hypertext markup language (html) is a computer programming language that enables users to create web pages for use on the Internet. Most of the web pages that we view on the Internet employ it. If you use Microsoft Internet Explorer, you can view the source code for a given web page by selecting “Source” from the View menu. HTML is mostly an editing language that tells a web browser how to display the contents of a web page. But HTML tags cannot be changed or customized. 
To solve this problem, developers have extended HTML with XML—an acronym for “extensible markup language” that allows users to create their own tags. Anyone can create such tags, but businesses need standards. For example, we don’t want one entity using <SalesRevenues> while another uses <Sales>. One standardized subset of XML is XBRL—an acronym for “extensible business reporting language.” As noted in the text, the XBRL International Consortium develops international standards for this language. 14-4. As explained in question 3 above, XBRL is a standardized subset of XML. Businesses can use the documents created and saved in XBRL format in many different ways without having to re-key the data—a very real advantage. Until recently, however, most government agencies stored the data submitted to them by individuals or businesses in either hard-copy formats or word documents. Today, however, government agencies are also storing such data in XBRL formats. One such agency is the Securities and Exchange Commission (SEC), which stores corporate financial data such as 10-k reports in a database called IDEA— an acronym for “Interactive Data and Electronic Applications.” The relationship between XBRL and IDEA is very direct, therefore: IDEA is a database containing XBRL-coded, financial information.



14-5. Electronic commerce means conducting business electronically. Examples of electronic business include retail sales over the Internet and EDI (the ability to electronically transmit such documents as invoices, credit memos, purchase orders, bids for jobs, and payment remittance forms). Much electronic commerce is performed over the Internet, but companies such as Wal-Mart, IGT, and some of the phone companies also transmit messages over private networks or communications channels to which the general public does not have access. Electronic commerce is important because (1) there is so much of it today, (2) the uses of electronic commerce are expanding, (3) even the smallest company can create a website and compete with larger businesses, and (4) Internet retail sales are growing. As noted in the text, some businesses now rely on the Internet for over half of their annual sales revenues. For businesses such as Dell, Amazon.com, or E-trade, the percentage is much larger. Electronic commerce is important to accountants because electronic documents can be more difficult to control, authenticate, or audit. Security is also a major issue because assets are less tangible, compromised systems are not obvious, and information losses are not easy to verify. The final section of the chapter discusses some major privacy and security concerns. 14-6. Electronic payments (E-payments) are payments that customers make to sellers electronically. They are similar to credit card payments except that they use third parties. It works like this: A customer buys something from a seller, using credit advanced by the third party—e.g., PayPal. The third party pays the seller and then, in turn, debits the buyer’s credit card or account. One advantage of using such a system is that buyers only need to provide their credit card numbers or otherwise establish accounts with one company—the e-payment company—not each company with which they wish to do business. 
Another major justification for using E-payments is security. Credit-card information is at risk when it is transmitted over data communications lines or stored in the computer files of many vendors. 14-7. Electronic data interchange (EDI) refers to transmitting routine business documents such as shipping notices, customs forms, invoices, and purchase orders electronically. Companies use EDI because it is often a superior way of doing business. For example, because the outputs from one company (e.g., the information on a computerized purchase order) are the inputs to another company, EDI allows its users to avoid the time delays and costs of transcribing the data once the information has been received. This eliminates data-entry bottlenecks and reduces the errors such data transcription typically introduces into an AIS. Other advantages of EDI discussed in the chapter are: (1) streamlining processing tasks, (2) faster response to customer queries or vendor data transmissions, (3) reductions in paperwork, and (4) a secure processing environment that is separate from the post office or an overnight delivery system. 14-8. This question asks students how comfortable they are giving their credit card numbers to retail websites and therefore has no right or wrong answer. While some individuals are comfortable entering their credit card numbers into websites for Internet purchases, others fear for their cards’ security. There is certainly much to fear. Identity theft, in which someone steals the identity of another, is easy when the thief knows such important information as a person’s credit card number(s) and similar personal information. 14-9. A common way for the owners of one website to charge for advertising from a second party is to charge a set fee (for example, $1) each time a viewer clicks on the advertiser’s link(s). But this requires the website administrator to count the actual number of


clicks, per month. Click fraud occurs when website personnel either repeatedly click on that link themselves, or artificially inflate the count, thereby defrauding the advertising company. The advertising company loses out in such situations because it pays for advertising services that do not lead to sales, while the website owner benefits from the inflated billing revenues. Judging by the amount of advertising for click-fraud services and software, click fraud is either common or often feared. We also know that savvy computer programmers can write java scripts to simulate user clicks, thereby automating click-fraud activities. Wikipedia notes that it is a felony in many jurisdictions—for example, is covered by Penal code 502 in California as well as the Computer Misuse Act 1990 in the United Kingdom. Several arrests have been made relating to click fraud. Finally, it should be noted that a host’s website personnel are not the only perpetrators of click fraud. Other possibilities include competitors seeking to deplete the advertising budgets of their targets, individuals seeking to damage the reputation of the host-companies, misguided supporters of the host company (who seek to help it by increasing its ad revenues), and private vandals, who randomly target a particular company. 14-10. Spamming is the act of sending unsolicited emails to a large number of accounts— usually for advertising purposes. Spam is also a growing problem in instant-messaging, faxing, web-searching, and mobile phone texting venues. One reason why spamming is of interest to accountants is because spamming is relatively costless to advertisers but relatively costly to recipients and Internet service providers who must transmit and deliver spam messages. In 2007, for example, the California legislature estimated that spamming costs the U.S. more than $13 billion in lost time and productivity. 
Spammers often attempt to pay ISPs for their data transmissions with stolen credit cards—an added cost. Spammers require large lists of email accounts—the types of lists often found in accounting information systems. This makes AISs natural targets for spammers, and therefore a known security risk. The purpose or intent of spammers is also of concern to AISs, as a great deal of spam advertising is to sell pornography, perform an identity theft, or commit some other kind of fraud. Who has not gotten an unsolicited email from an African country, offering to share millions of dollars in exchange for the recipient’s help in the U.S. and of course some additional small payments for “taxes” or other “transaction fees?” Finally, spammers clog the data transmission channels with their communications, reducing the total bandwidth. Although students may argue that all spamming should be illegal, there are several counter arguments as well. Spammers can argue that some of their communications contain legitimate advertising, information that is of use to recipients, or valuable information about political activities or pending legislation. They might also claim that spam email is easily deleted, and often automatically filtered from recipient mail boxes. Wikipedia contains an extensive (and fascinating) discussion of spam at http://en.wikipedia.org/wiki/Spam_(electronic). 14-11. A firewall is an electronic barrier that limits access to corporate intranets or local area networks to bona fide users. Some firewalls are separate hardware systems while others are simply software programs installed on web servers. These firewalls are implemented by IT professionals. The specialized software in firewalls compares the IP addresses of outside users requesting information to current access control lists.



As noted in the text, firewalls are themselves limited in what they can do. For example, they cannot guard against certain forms of hacking such as spoofing—i.e., a hacker who uses a bona fide IP address to gain access to a system. A proxy server is a computer and related software that acts as a gateway between internal corporate users and the Internet. One of the primary security functions of a proxy server is to control web access (e.g., to limit employee accesses to professionally-related sites). However, proxy servers can also run the software that creates internal firewalls. 14-12. Data encryption refers to transforming original, plaintext data into scrambled, ciphertext messages that cannot be understood even if they are intercepted during data transmission. The data used to encrypt (code) the message is called the encryption key. Secret key encryption relies upon a shared algorithm and an encryption key that must be kept secret to be effective. Public key encryption uses two keys, a “private key” and a “public key,” both of which must be known before a message can be decoded. These methods are discussed in greater detail in the text. 14-13. The three levels of authentication are (1) what you have, (2) what you know, and (3) who you are. An example of “what you have” is a driver’s license with your picture on it. An example of “what you know” is a password. An example of “who you are” is a fingerprint or retina scan. Most business security systems depend on only one or two of these—rarely all three. High-level security in business and government environments might require all three. Instructors are encouraged to ask students about different situations in which they had to use these different types of authentication. You might also ask students to recall movies such as Mission Impossible or Entrapment, where characters used advanced technologies to prove “who they are.” 14-14. 
A digital signature is an electronic attachment that verifies and authenticates a business transaction (e.g., a purchase order, bidding document, or contract). The digital signature replaces a hand-written signature, which is difficult to transmit in non-graphic electronic documents. Like hand-written signatures, however, the objective of a digital signature is to assure the recipient that the document itself is legitimate and faithfully represents the intentions of an authentic sender. Thus, digital signatures are important on the Internet and value-added networks as a security tool. 14-15. Electronic commerce is booming on the Internet, and most (but certainly not all) businesses have been able to boost both sales and profits as a result. Will all businesses do well? This is unlikely. However, the chapter notes that selling products and services on the Internet enables businesses to reach wider audiences, stay open around the clock, and maintain up-to-the-minute information on prices and products. Such selling also helps businesses reduce selling costs (because there is less sales labor and overhead-costs), inventory costs (because finished products are produced or ordered from suppliers in response to sales rather than in anticipation of sales), and processing costs (because sales and shipping documents are created by the buyer and/or the system). For businesses that sell many products, a web-based system requires a large investment in technology—both in upfront costs of development and ongoing costs of routine maintenance. Thus, most businesses must weigh the cost of building and maintaining a web presence against the additional revenues that such business generates. It is not a given that revenues will always offset costs.



The Internet provides opportunities as well as challenges for businesses. Thus, for individual companies, the Internet can spell “boom” or “bust,” and students should be able to cite specific examples for both possibilities. To illustrate, the very smallest companies typically profit from a web presence because they are no longer limited to physical sales in local markets. At the same time, larger businesses feel increased pressure on prices and therefore profits due to the ease with which both retail and wholesale consumers now have access to a wealth of information and alternate sources for common goods and services. This chapter provides several additional reasons why businesses can increase both sales and profits using Internet-based technologies. One example is the use of intranets and extranets to better secure LAN communications and increase access to and from trusted suppliers— possibilities that might decrease costs and therefore increase profits. Another example is the use of groupware to increase employee productivity. A third example is the expanded use of XBRL, which may enable a business to better report financial information and therefore reduce its accounting expenses (see Problems 14-20 and 14-21). Similar comments apply to firms that expand sales by accepting e-payments or reducing costs by expanding their e-business or EDI capabilities.

Problems

14-16. Acronyms:

a. blog: web log
b. e-commerce: electronic commerce
c. EDI: electronic data interchange
d. e-mail: electronic mail
e. HTTP: hypertext markup language
f. IDS: intrusion detection system
g. IETF: internet engineering task force
h. IP address: Internet protocol address
i. TCP/IP: transmission control protocol/internet protocol
j. URL: universal resource locator
k. VANs: value-added networks
l. VPN: virtual private network
m. www: world wide web
n. XBRL: extensible business reporting language
o. XML: extensible markup language

14-17. Depending on the sources of information used, the students may have a variety of points about the advantages and disadvantages of implementing an intranet in the local company. Some of the main points are:

Disadvantages:
• Developing intranets requires an investment in time, money, and perhaps training
• Once created, an intranet must be maintained, thus an increase in operating costs
• Intranets create a security hazard because shared information is potentially vulnerable to abuse
• Cloud computing companies may offer cheaper and better alternatives

Advantages:
• Intranets can be an important group collaboration tool
• Intranets allow companies to use existing web browsers
• Intranets can be a valuable method of sharing documents on a secure platform within the company
• The data stored on an intranet can be made secure so that proprietary data and information are only accessed by authorized users
• Intranets offer a wide variety of administration tools within the organization such as an online calendar (to schedule appointments, group meetings, and company-wide events), a task manager (for employees to keep track of their tasks, or those of their subordinates), a contact directory of employees, a list of e-mail accounts, and templates for corporate forms such as expense reports
• Intranets allow an organization to make databases available to authorized employees across the entire company
• Intranets can be scalable (i.e., can grow with the organization and/or its informational needs)
• Companies can frequently justify the cost of an intranet by quantifying some savings in operating costs (publish HR manuals, employee manuals, and other company publications on the intranet rather than on paper)

14-18. This problem requires students to create their own HTML documents, using the example in Figure 14-1. It is important that students use Notepad or a similar word processor that stores data in ASCII (txt) format. 14-19. This problem requires students to log onto EDGAR and access the information from two companies. Note: the website has changed slightly. Students should click on the link “Company or fund name, ticker symbol, CIK (Central Index Key), file number, state, country, or SIC (Standard Industrial Classification)“ instead of “Companies and other Filers.” Instructors may get best use of this question if they require each student to obtain the financial information of a different company. 14-20. This problem requires students to log onto the XBRL home page and then (a) write a one-page summary of a new development and (b) select an article from those describing XBRL benefits and write a summary of it. For example, some of the benefits listed on the XBRL website at the time this instructor’s manual was prepared include (1) improved business processes, (2) improved communications, and (3) enhanced business reporting through standardized tags. 14-21. This problem requires students to write a one page report on each of the items listed below. The answers to most of these questions may be found at: (1) www.xbrl.org, (2) http://accounting.smartpros.com (type XBRL in the search box to find many articles on XBRL), or (3) http://www.xbrleducation.com/. a. History of XBRL. In April 1998, Charles Hoffman, a CPA in Tacoma, WA, investigated XML as a medium for the electronic reporting of financial information. He developed prototypes of financial statements and audit schedules using XML. Charlie contacted Wayne Harding, Chairman of the AICPA High Tech Task Force, in July 1998, about the potential of using XML in financial reporting. Charlie made a presentation to the AICPA Task Force in



September of 1998. The AICPA was active in supporting the development of the language by funding a project to create prototype financial statements in XML. b. XBRL Specifications. An explanation of XBRL specifications can be found by choosing “Specifications” from the main menu. “Specifications” provide the fundamental technical definition of how XBRL works. The current specification or version for XBRL is “2.1,” but new ones may become available by the time you assign this problem in class. Current needs are for new formula, functions and taxonomy requirements. c. Continuous Reporting. XBRL-tagged data enable businesses to create a steady stream of reports based on the underlying information, hence the term “continuous reporting.” Three articles on this subject are: (1) Garbellotto, Gianluca (2009) “How to Make your Data Interactive” Strategic Finance Vol. 90, No. 9 (March), pp. 56-57, (2) Chan, Siew H. and Sally Wright (2007) “Feasibility of More Frequent Reporting: A Field Study Informed Survey of In-Company Accounting and IT Professionals” Journal of Information Systems Vol. 21, No. 2 (Fall, 2007), pp. 101-115, and (3) Robert Pinsker (2003) “XBRL Awareness in Auditing: A Sleeping Giant?” Managerial Auditing Journal Vol. 18, No. 9, pp. 732-736. Continuous reporting is an interesting concept. Generally speaking, the technology already exists for companies to report information more frequently than they currently do. Presumably, other reasons exist for not reporting more often (and certainly not daily or weekly!). One might be the familiar cost/benefit analysis, which suggests that companies do not believe the benefits of continuous reporting (or reporting more frequently than quarterly) outweigh their costs. A number of articles discuss the topic of continuous auditing. Some authors believe that continuous auditing is inevitable, while others suggest that this is not necessary. 
In any case, this question should start a lively dialog with the students regarding the future of IT auditing and the implications for corporate America. The following links provide several articles of interest: http://aaahq.org/AM2004/abstract.cfm?submissionID=1118 http://accounting.smartpros.com/x43141.xml http://accounting.smartpros.com/x34375.xml d. XBRL Required Reporting. The first conference on “Financial reporting in the 21st century: standards, technology, and tools” took place in Macerata, Italy, in September of 2011. The SEC now requires all public companies to file their financial reports in XBRL format. Students who access the IDEA database will have no problem answering this question. The following websites identify industries and companies that currently produce financial statements in XBRL format: http://www.edgar-online.com/xbrl/industry.asp http://www.XBRLeducation.com

14-22. This problem requires students to encrypt a message, using a simple cyclic substitution cipher. The encrypted message is: BPWAM EPW QOVWZM PQABWZG IZM NWZKML BW ZMWMIB QB

14-23. This problem requires students to decrypt an encrypted message, using a simple cyclic substitution cipher. The decrypted message is: Message 1: “It is not what we don’t know that hurts us, it is what we do know that just ain’t so.”


Message 2: Justice delayed is justice denied.
Message 3: Too many cooks spoil the broth.

As suggested in the problem, this task becomes much easier if you use a spreadsheet. Here’s an example for the last message:

Trial key: 12

Msg    Value    Value minus Displacement    Add 26 if required    New Letter
F      6        -6                          20                    T
A      1        -11                         15                    O
A      1        -11                         15                    O
Y      25       13                          13                    M
M      13       1                           1                     A
Z      26       14                          14                    N
K      11       -1                          25                    Y
Etc.   Etc.
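The trial-key worksheet from the 14-23 solution, written out as an added Python example (it is not part of the manual). `worksheet_rows` reproduces the spreadsheet columns; `rank_keys` goes beyond the spreadsheet by trying all 25 displacements and ranking them by letter-frequency fit. The function names, the frequency table, and the full ciphertext sample (constructed here by encrypting Message 3 with key 12) are assumptions of this example.

```python
import string

ALPHABET = string.ascii_uppercase  # spreadsheet numbering: A=1 ... Z=26

# Approximate relative letter frequencies (%) in English text, A through Z.
ENGLISH_FREQ = [
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
    0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
    6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074,
]


def shift_encrypt(plaintext, key):
    """Cyclic substitution: move each letter `key` places forward, wrapping at Z."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Undo shift_encrypt by moving each letter `key` places backward."""
    return shift_encrypt(ciphertext, -key)


def worksheet_rows(ciphertext, key):
    """One tuple per letter, matching the spreadsheet columns:
    (Msg, Value, Value minus Displacement, Add 26 if required, New Letter)."""
    rows = []
    for ch in ciphertext.upper():
        if ch not in ALPHABET:
            continue
        value = ALPHABET.index(ch) + 1          # A=1 ... Z=26
        shifted = value - key                   # may be zero or negative
        wrapped = shifted + 26 if shifted < 1 else shifted
        rows.append((ch, value, shifted, wrapped, ALPHABET[wrapped - 1]))
    return rows


def chi_squared(text):
    """Lower score = letter counts closer to typical English."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for i, letter in enumerate(ALPHABET):
        expected = ENGLISH_FREQ[i] / 100 * n
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def rank_keys(ciphertext):
    """Try every displacement 1..25; best-fitting candidate first."""
    ranked = []
    for key in range(1, 26):
        candidate = shift_decrypt(ciphertext, key)
        ranked.append((chi_squared(candidate), key, candidate))
    return sorted(ranked)


# Constructed sample: Message 3 from the answer key, encrypted with key 12.
SAMPLE = shift_encrypt("TOO MANY COOKS SPOIL THE BROTH", 12)

if __name__ == "__main__":
    for row in worksheet_rows("FAA YMZK", 12):
        print(*row, sep="\t")
    for score, key, candidate in rank_keys(SAMPLE)[:3]:
        print(f"key={key:2d}  chi2={score:8.1f}  {candidate}")
```

Because only 25 displacements exist, the full search finishes instantly, which is why a cyclic substitution cipher serves as a teaching device and not as a confidentiality control.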

14-24. This problem asks students to write a one-page summary of an article they find online. Various accounting journals are going online. Besides the AICPA’s Journal of Accountancy website, there is also Strategic Finance (www.imanet.org) and The CPA Journal (www.cpajournal.com). An obvious advantage for readers is the ability to search the archives for articles on a specified topic online. The advantages to publishers include (1) making information more accessible to both members and non-members, (2) fulfilling organizational mandates to disseminate information, and (3) enabling users to search articles electronically for specific information or topics. To date, many journals do not charge for online access to articles, although some professional groups limit access to members. Instructors may wish to limit students to specific subjects or to articles less than one year old.

14-25. This problem involves the privacy statement of a fictitious company named Small Computers, Inc. As a general statement, online consumers have several concerns about computer security:
• They want to make sure that they will receive what they order
• They want their privacy protected
• They want a secure method of payment
• They want to be sure they will be billed only for what they purchased

Small Computers, Inc. addresses some of these concerns, but not all of them. For example, the disclosure of business practices, shipping, and billing is reassuring. It will comfort the consumer to know goods are shipped at an early date and that the consumer need only accept items ordered. The return policy appears lenient although it does not state who is responsible for paying shipping on returned items. The statement about accidental billing actually may make a consumer aware that the chance for this exists. Consumers are more likely to buy from a business online than they do off-line. They are also more likely to buy products with brand names. A business selling goods to end-consumers online that does not have these characteristics will need to be extremely careful in crafting statements about privacy and business policies.

Case Studies Hammaker Manufacturing IV (XBRL-Enabled Software) This case continues the systems studies of the cases in Chapter 8. At a minimum, instructors should require students to read Hammaker Manufacturing III to become familiar with the names of the individuals in this case. 1. XBRL-enabled software means that the software has the ability to create financial reports in XBRL format. It usually also means the ability to extract information from XBRL-formatted data. In this latter mode, you simply key in your request for information and quickly receive the data, the analysis, or graph(s) you desire. Finally, it means that software applications can import XBRL-coded data for analysis, further data processing, and archiving purposes. Today, most accounting packages provide XBRL formatting capabilities. 2. Figure 14-3 identifies a number of advantages that Lloyd might wish to discuss with Dick. The following articles are also available for additional benefits: http://www.cato.org/pubs/regulation/regv26n3/v26n3-13.pdf http://www.icaew.co.uk/library/index.cfm?AUB=TB2I_53335,MNXI_53335 3. Each student’s memo will be unique. 4. Several examples of XBRL PowerPoint presentations may be found on the Internet. Some examples can be found at: http://www.icgfm.org/XBRLPresentations.htm, http://www.xbrl.org/us/us/SanJose200601/Huh.pdf, and http://www.uhu.es/ijdar/documentos/Present04/Eric.pdf.

DeGraaf Office Supplies (Business Websites and Security)

1. There are several companies in this market niche. Interestingly, only a few office supply stores began their businesses online. For example, Staples entered the online marketplace long after it was first established. Examples of online office supply store sites include www.OfficeDepot.com, www.OfficeMax.com, www.wholesalewarehousesupply.com, and www.staples.com. In addition, a number of retailers also support large office-supply departments, including Home Depot, Sam’s Club, and Amazon.com. Criteria for evaluating their websites include: (1) ease of search for a particular product or service, (2) general web page design/layout, (3) ease of making a purchase, (4) amount of extraneous advertising, (5) product organization and availability, and (6) security policies.

2. DeGraaf may be able to catch up, but companies with well-recognized websites have an advantage because brand names seem to translate well in online marketplaces. While Amazon has been able to beat out the established brick and mortar book stores, for example, many traditional retailers who have entered the online world late are making up for lost time. On the other hand, there were several small office supply start-ups that have now lost out to Staples and Office Depot.

3. Security is a concern for any company doing business online. The website for applying for TRUSTe is http://www.connect.truste.com. Verisign and Bizrate certifications are also available. These are third party assurances for privacy and security. DeGraaf should consider obtaining one or more of these assurances for its website. In recent months, hackers have compromised the sites of several online retailers. There are concerns that websites can provide hackers with access to Intranets and other company network systems. Protecting customer files is particularly important because they typically contain a wealth of personal information and are therefore valued targets of identity thieves. Firewalls and other security measures are a must as DeGraaf moves forward with its electronic commerce initiative.

Barra Concrete (XOR Encryption) This case requires students to use XOR operations to both encrypt and decrypt a message. 1. Applying the XOR cipher to the ciphered message, we have:

Cyphertext:   0  1  0  0  1  0  1  1
Key:          1  1  1  0  1  1  1  0
XOR Result:   1  0  1  0  0  1  0  1

This brings us back to the plaintext message of 1010 0101. 2. Applying the XOR cipher to each letter, we have the results shown below. The encrypted letters are shown in the XOR Result lines:

Digit:        1  2  3  4  5  6  7  8

G             0  1  0  0  0  1  1  1
Key:          1  1  0  0  0  0  1  1
XOR Result:   1  0  0  0  0  1  0  0

O             0  1  0  0  1  1  1  1
Key:          1  1  0  0  0  0  1  1
XOR Result:   1  0  0  0  1  1  0  0

,             0  0  1  0  1  1  0  0
Key:          1  1  0  0  0  0  1  1
XOR Result:   1  1  1  0  1  1  1  1

T             0  1  0  1  0  1  0  0
Key:          1  1  0  0  0  0  1  1
XOR Result:   1  0  0  1  0  1  1  1

E             0  1  0  0  0  1  0  1
Key:          1  1  0  0  0  0  1  1
XOR Result:   1  0  0  0  0  1  1  0

A             0  1  0  0  0  0  0  1
Key:          1  1  0  0  0  0  1  1
XOR Result:   1  0  0  0  0  0  1  0

M             0  1  0  0  1  1  0  1
Key:          1  1  0  0  0  0  1  1
XOR Result:   1  0  0  0  1  1  1  0
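The two XOR tables above reproduced in Python, showing that the same operation with the same key both encrypts and decrypts. This is an added example, not part of the original solution manual; the function names are hypothetical, and the letters are assumed to be 8-bit ASCII codes, which matches the bit patterns in the tables.

```python
# Added example: the Barra Concrete XOR tables as code.
KEY_PART_1 = "11101110"      # key row of the table in part 1
CIPHER_PART_1 = "01001011"   # cyphertext row of the table in part 1
KEY_PART_2 = "11000011"      # key row shared by every letter in part 2
MESSAGE = "GO,TEAM"          # the seven characters enciphered in part 2


def xor_bits(a, b):
    """XOR two equal-length bit strings digit by digit, as in the tables."""
    if len(a) != len(b):
        raise ValueError("bit strings must have the same length")
    if set(a + b) - {"0", "1"}:
        raise ValueError("bit strings may contain only 0 and 1")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def char_to_bits(ch):
    """Return the 8-digit binary code of one character."""
    code = ord(ch)
    if code > 0xFF:
        raise ValueError("character does not fit in 8 bits: %r" % ch)
    return format(code, "08b")


def encrypt_message(message, key_bits):
    """Return one (letter, plain bits, XOR result) row per character."""
    rows = []
    for ch in message:
        plain = char_to_bits(ch)
        rows.append((ch, plain, xor_bits(plain, key_bits)))
    return rows


def decrypt_message(cipher_bits_list, key_bits):
    """Apply the same XOR again; XOR with the key is its own inverse."""
    return "".join(chr(int(xor_bits(c, key_bits), 2)) for c in cipher_bits_list)


def format_table(rows, key_bits):
    """Lay the rows out the way the solution tables do."""
    lines = []
    for ch, plain, result in rows:
        lines.append("%-12s %s" % (ch, " ".join(plain)))
        lines.append("%-12s %s" % ("Key:", " ".join(key_bits)))
        lines.append("%-12s %s" % ("XOR Result:", " ".join(result)))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Part 1: cyphertext XOR key gives back the plaintext 1010 0101.
    print("Part 1 plaintext:", xor_bits(CIPHER_PART_1, KEY_PART_1))
    # Part 2: encrypt each letter, then decrypt to confirm the round trip.
    rows = encrypt_message(MESSAGE, KEY_PART_2)
    print(format_table(rows, KEY_PART_2))
    print("Round trip:", decrypt_message([r[2] for r in rows], KEY_PART_2))
```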



Chapter 15 Accounting and Enterprise Software Discussion Questions 15-1. Retail businesses often adopt software with "point-of-sale" features. The most important data for a retailer is likely to concern sales and inventory control. Having software that is able to record sales as they occur, and at the same time, deplete inventory, is vital to success. And of course, differences will be apparent for different sorts of retail merchandisers. For example, some retail stores sell merchandise and others rent merchandise. A store that rents merchandise must track the goods after they've left the store. Ideally the software would also include automatic messaging that would notify the store when an item is overdue. Students might give a number of reasons for selecting specific software – like the ability to download a free trial, support offered by the vendor, price, etc. a. boutique software: http://www.wfxondemand.com/ b. golf management software: http://www.activegolfsolutions.com/technologysolutions?gclid=CKCXl4bY5JcCFQSenAodVWE_DQ c. Time and Billing for CPAs: http://www.imaginetime.com/?gclid=CPzghanY5JcCFRgqHgoda0YNDg d. software for animal breeders: http://Capterra.com/ e. equipment rental software: http://www.orion-soft.com/ f. retail stores (56 employees and growing): http://www.apparelsearch.com/software_retail_pos.htm 15-2. Actually the features available in low-end packages today are truly amazing, when you consider that a decade ago, these features would only have been available in high-end packages. Still, the high end software is often worth its price, primarily because of flexibility and customization capabilities. High-end packages may allow for features such as "user-defined codes." These are extra fields that users can designate to meet the special needs of a particular business. High-end software also typically offers much more in terms of reporting. 15-3. 
Traditional ERP systems were back-office systems and addressed the internal information system needs of an enterprise. Today’s extended enterprise systems include a variety of software that allows customers, vendors, employees, and others to access information within the company to enable collaboration across the enterprise and across outside groups such as strategic partners.

15-4. Some of the basic features of an ERP are: a single database and integration across the enterprise for sharing data (typically includes Manufacturing, Supply Chain Management, Financials, Projects, Human Resources and Customer Relationship Management). Although accounting software has changed a great deal (i.e., increasingly sophisticated with more and more features available in lower end packages and for less cost than before), it lacks the integration feature of ERPs – that is, data is not shared across the many functions of the organization.

15-5. A centralized database architecture minimizes data redundancy. Data redundancy refers to representing a data element more than once. While data redundancy uses up storage space, that isn't its primary drawback. When data elements are stored multiple times, it is easy


for them to lose integrity because the values of the same data item may be different in different storage sites. For example, if you have student addresses stored in several files or databases, one may be updated when a student moves, and the others may not. Over time, the data can lose its value as data integrity is lost. Combining multiple databases requires deciding on just one name for each data element. Along with one name, there must be one value, and one field specification. For example, in multiple databases an inventory item may have been represented differently by each one. In one, the field name may have been mnemonic, and in another it could have been a 12 position numerical field. Combining the databases means that you must choose which to use in the new centralized database. 15-6. Perhaps the best way to select an AIS is to hire a consultant or work with the company’s CPA to get help identifying the best software for the new company. Even though a number of companies have developed ERPs for mid-sized companies, a new business may not have the capital initially to invest in even a smaller ERP package. However, some companies do acquire an ERP package when they start up their business. The primary advantage is that the company can adopt the best practices for processes that are incorporated in the package - from the beginning. There will literally be nothing to reengineer. The downside would be that if the company actually was going to have some unique processes, these would not be part of the software. 15-7. There are many articles available about enterprise-wide (or ERP, enterprise resource planning) systems. Good sources for these articles include the Wall Street Journal, Computerworld, Management Accounting, and Business Week. Students will discover that many of the cost savings relate to process improvement. This improvement could create a reduction in work force, and is also likely to decrease paper and paper-handling costs. 
Some companies adopting these systems have found that it was costing $50 to $75 to process an accounts payable transaction. Reengineering this process can reduce this cost to only a few dollars. Many of the articles concerning enterprise-wide information systems are written because an organization has encountered problems. These problems usually relate to cost overruns or time delays. Companies can spend literally hundreds of millions of dollars on their information systems (e.g., General Motors and Procter and Gamble). It can take anywhere from a few months to several years for an installation of these systems to be completed.

Regarding implementation issues, data conversion might be most time-consuming but designing new business processes is likely to be the most challenging. Moving to an ERP represents a great deal of change for an enterprise. Most businesses are "silo-ed." Each functional area is separate and keeps its own data. The ERP requires breaking down the silos and integrating. An ERP represents new ways of doing things also because it typically involves redesigning business processes. When you implement an ERP, you will not receive the benefits from it without making significant changes in the way things are done. Change management activities help to counter some of the fears people have about change. These activities also help employees to understand the differences in the new system and how those differences affect them. Using the new system the old way will not achieve the goals of the ERP.

Oddly, it may be more difficult to select a low-end accounting package than an ERP. There are very limited choices with ERP software and the packages have reached the point where all the major ones have the capability to handle the basics. Specific vendors have staked out certain


territory in terms of industry so that it would be easy to choose a package that incorporates best practices for your industry. While there are dominant players in the lower end and middle markets, no one package has everything, so it may require more analysis to make sure you choose the best fit. 15-8. A VAR will, by definition, have sales relationships with a set of software vendors. For example, a VAR may be trained in Great Plains software. Therefore it is in the VAR's best interest to recommend the package(s) they represent. Students can use an Internet search engine, such as Yahoo, to find sites for many accounting software programs. Using the terms “construction software,” “health software,” and “retail software,” students will find many specialized software vendors. You may want to ask students to print web pages for specific vendors, or to do some analysis of the special features associated with software for each industry. For example, many retail packages are specifically designed to accommodate point-of-sale transactions. 15-9. There are many consequences in making a bad decision in acquiring a new accounting information system. Aside from the wasted financial investment, time will have been wasted. In trying to “make it work,” employees are likely to become frustrated and discouraged. Managers will not have the information they need to make good decisions about the business. In the worst case scenario, a company may have trouble managing its inventories, paying its bills, collecting on accounts receivable, managing cash flows, reporting net income, and meeting payroll deadlines. 15-10. ERPs support and integrate business processes, and as such, incorporate “best practices” for business processes. Thus, it is important for companies to align their business processes with the methodology embedded in the ERP to gain maximum efficiencies and effectiveness from the ERP. 
In fact, some experts claim that an ERP implementation is not as much about technology as it is about business transformation. Successful aspects for a BPR project include (from Figure 15-6): • Appropriate allocation of time for the BPR project: approximately 2/3 of the time planning and designing; and 1/3 of the time on development and implementation • Allow an appropriate amount of time to complete the project. An average BPR project takes a little over a year (13.8 months) • Engage a proven change management consultant, which is critical to meet or exceed project objectives • Successful BPR teams are dedicated to the project, they have support from top management, and they have a clear vision of objectives and goals • The company should use consultants as leaders/key facilitators of the BPR project to coordinate team efforts and for IT or technical systems advice and expertise

Problems 15-11. To find lists of vendors for low-end and enterprise systems, visit http://www.2020software.com. Another site to start your search is http://www.erp.com. The depth behind web sites is sometimes related to the product price—but not always. Many packages today also are scalable, which means that one web site for the package will serve software ranging from low-end to high middle-end.

15-12. Scalable, as we defined in the chapter, is the ability of software or hardware to


seamlessly accommodate growth of a company (i.e., increased demands on the system) – to easily be expanded or upgraded as necessary. For a business owner (and managers of larger firms), this means that an investment in a software package and/or hardware is a long-term investment, i.e., the system will not have to be replaced when the company grows and expands – the system can grow with the company. 15-13. a. This question should get a lively discussion started among the students. Obviously, we have an entrepreneur who started a business, took on a business partner to help him grow the bike shop, and now has a business that is growing “out of control.” As with many small, family-owned businesses or small partnerships, growth seems desirable, but many problems and issues may confront the owner(s). For example, the owners must concern themselves with issues of cash flows, buying vs. leasing (office or production space, equipment, etc.), inventory control, internal controls, division of responsibilities, etc. It sounds like Steven and Tom only have an accountant to do their annual financial statements. While that may have been fine for one small bike shop, more than likely it is not adequate for a growing business such as this one. For example, how do the owners address such questions as: How are we managing our Accounts Payable? How do we know we’re paying our bills on time? How are we managing cash receipts? Accounts Receivable? Do we have cash reserves? If so, what are we doing with them? Do we have any internal controls? What are they? Are they adequate? b. Most likely, students will go to the web sites for the Entry-Level software solutions identified in Figure 15-11. The bicycle shop meets the criteria for this level of accounting software (i.e., revenues < $5 million, and up to 20 employees). 
Several vendors that students might also consider are the “Top 7” Small Business Accounting software options that are identified (and compared) by 2020 Software (http://www.2020software.com). However, you might want to discuss the fact that the business is growing and is at the upper limit of the capabilities of a number of the software solutions in the “small business” section. Perhaps the bicycle shop should consider the next higher level of software (mid-market) so that the capabilities will not soon be exceeded. It would undoubtedly be very costly for the bike shop to invest in an accounting software package immediately and then discover in the following year or two that the software is inadequate. Steven and Tom might want to consider the following features: sales, payroll, inventory control, purchasing, accounts payable, accounts receivable, etc. They should also ask questions such as: What reports are available? Will we be able to query the system to get answers to questions (those we have now or new questions we may have in the future that we have not thought about yet)?



c. There is no easy answer to this question. Frequently, students will say a consultant is necessary and give very little thought to the cost of such services and whether the firm would be financially able to do so. In the case of our bicycle shop, most likely a consultant would be able to help Steven and Tom. However, they should first do their homework! Steven and Tom should do a sufficient amount of research on the available software solutions that are targeted for the size of their company. They should read professional journals and probably talk with a number of their business associates in the Chamber of Commerce, the State Society of CPAs, and other professional organizations so that they obtain as much information as possible about the software systems that others are using (businesses that are of a comparable size) and about the consulting firm that they might choose. Steven and Tom need to decide what they expect of the software and what they hope to achieve by selecting an appropriate system. Several of the articles in the Recommended Readings section at the end of this chapter offer help in comparing software and understanding the variety of features available (e.g., Johnston 2003; Menninger 2003). Specifically, Johnston (A Strategy for Finding the Right Accounting Software) cautions that this is not a task to take lightly, claiming that it is one of the most challenging tasks of a professional career! Here are some steps that Johnston recommends: (1) establish a technology advisory committee (this would be Steve and Tom); (2) prepare a needs analysis (this should include all of the employees) that identifies all the tasks that each person (department) does; (3) consider an outside consultant – a wise decision if this project is beyond the time and technical resources of the business. 15-14. a. B&R, Inc. may want to implement ERP. The company is concerned with reducing expenses and ERP is a way to accomplish that. 
Other benefits may be better supply chain relationships with suppliers and customers. The Internet features of this software are particularly beneficial. A consumer products company probably also needs the software to maintain a competitive stance in the industry. Many of the benefits are intangible – such as customer satisfaction – and are difficult to evaluate or quantify. The most quantifiable benefit is usually a reduction of employees which may or may not actually occur.

b. Customers of ERP software are usually big companies – often Fortune 500. However, as we mentioned in the chapter, a number of software companies now offer downsized ERPs to accommodate the needs of mid-sized companies that could not afford millions of dollars for the earlier versions of ERPs. The SAP web site allows you to search its list of customers by country, industry, and solution.

c. The horror stories often concern cost overruns, unrealistic expectations, poor implementation consulting, and prolonged implementation. For example, several universities had problems with PeopleSoft implementations. The software did not solve some problems and created some new ones. Some companies have found that they can only use parts of the ERP system and need to keep some of their old systems running. Because some ERP software handles business processes one way only (according to best practices), some organizations may not be able to fit the mold. There are many articles available to read that have stories about failed ERP implementations. A search of the Wall Street Journal interactive web site can turn up some of these. One of the most famous stories was Hershey’s failure to deliver Halloween candy on time – and the company blamed it on the new ERP.



Case Studies The RETAIL Cooperative (Creating an Enterprise Portal) 1. Enterprise portals (EPs) are gaining in popularity based on their ability to address the information and application access requirements of knowledge workers. Firms want the capability to offer information “inside the enterprise” to different groups of people (employees, partners, vendors, distributors, etc.). In general, a well-designed EP can help reduce inefficiencies from different computer systems and technologies, paper-intensive processes, and outdated manual procedures. There are many ways to describe a portal but the characteristic that distinguishes a portal (from say, a web site) is that a portal organizes both data and functions from multiple sources across the organization into a single, easy-to-use interface. Several recognizable examples of successful portal technology are Amazon.com, Landsend.com, and eBay – each offers the convenience of purchasing products and services online. Enterprise portal platform vendors include IBM WebSphere, SAP Enterprise Portal, Oracle, and Microsoft SharePoint. 
Some of the advantages of an Enterprise Portal include:

For the organization:
• a tool for knowledge management
• early implementation of an EP might give a competitive advantage
• could help with improving “time-to-market”
• might offer opportunities to change how company is operating

For employees:
• online support, training, and worldwide information distribution
• access information quickly for decision-making
• convenience of quick access to applications that are used frequently

For suppliers, partners, customers, and those with strategic alliances:
• opportunity to place orders, confirm status, or search resources at any time; presumably this will also increase loyalty to the firm with the portal
• Examples:
  • Hewlett-Packard implemented a human resources portal for employees
  • Whirlpool implemented a B2B portal to handle sales growth from $7B to $10B
  • Virginia Commonwealth University has a human resources portal for staff and faculty to access all sorts of payroll and personal data maintained by the university

As we might imagine, organizations have a wealth of structured and unstructured information that is stored across the enterprise in a variety of enterprise applications, databases, content repositories, archives, and perhaps legacy systems. The challenge for a successful implementation of an Enterprise Portal is to integrate the current content management with the portal application so that the organization’s information will be easily accessed and used by the intended individuals and groups of people.



2. Students should have fun with this and should be encouraged to develop interesting and informative presentations.

3. Surveys of companies who implemented EPs indicate that:
• Most firms were in the financial management, process manufacturing, and business/legal services industries
• Almost half had no performance metrics in place to measure the financial impact of their portal initiative
• The EP implementations were usually accomplished by a cross-functional team
• Implementations usually started with a specific department or departments and then expanded to the rest of the organization (providing time to focus on problems and issues with individuals, software, technology, etc.)

A variety of sources suggest useful steps that organizations might take to implement an EP. Not surprisingly, these steps are similar to any large project implementation that an organization might attempt. Accordingly, students should identify several of the following:
• Select a function or department in the organization to get started (don’t try to implement an EP for the entire organization immediately)
• As with any project, select a team of individuals (preferably from across the organization) and have them define the scope of the project and the information needs of the department
• The project team should next work with IT people (and perhaps consultants) to identify the systems requirements and determine what is feasible
• If possible, have the vendor do a prototype for individuals in the organization to use and test the features of the portal; evaluate and continue to work with the vendor until users are satisfied
• Implement the portal application, perhaps in parallel with existing systems so that employees and other stakeholders are comfortable with the new system before the old one is disabled

4. Depending on how many EP vendors are considered, students might come up with a variety of different recommendations. As the instructor, you may wish to select 2-4 vendors and then ask the students to only evaluate those vendors and make a selection from this short list. Either way, the students will learn a great deal more about EPs and be able to evaluate (and hopefully benefit from) such an application when they are in the workforce.

Linda Stanley and State University (Transitioning from a Legacy System to an ERP)

1. Probably the ERP adopted by most universities is the Banner Suite that includes the following modules: Student, Financial Aid, Human Resources, Finance, and Advancement. The source for the following information on each of these modules is the Banner home page: http://www.sungardhe.com/Products/Product.aspx?id=1024.

Student module: fuses administrative and academic functions, giving prospects, current students, and faculty secure, 24x7, online access to the information they need. Prospects can apply for admissions. Students can search and register for classes by term or date, and retrieve financial aid data. Faculty can manage course information, rosters, and grading, and advise students.

Financial Aid module: aligns with enrollment practices, including early decision, early action, and regular admissions, to provide financial aid services to students; automates day-to-day responsibilities; offers students many services (i.e., complete requirements; accept, decrease, and reject awards; and communicate with the financial aid office – all over the web).

Human Resources module: administrative and self-service solution to manage personnel information across the institution; accommodates payrolls, budgeting policies and procedures, and workforce management; enables employees to obtain answers to routine inquiries, personnel and payroll information.

Finance module: makes data available 24x7 to all key stakeholders—from procurement and accounts payable to sponsored research programs and endowment management; finance professionals can prepare and control budgets to facilitate sound decisions. Banner Finance was built using higher education fund accounting principles, so it is easier and more cost-effective to implement, configure, maintain, upgrade, and use.

Advancement module: facilitates relationships with alumni, donors, friends, parents, community members, corporations, foundations, and other organizations. Offers fundraising support that includes campaign management, event management, annual giving programs, stewardship activities, corporate/foundation programs, planned giving, and major donor efforts. Self-service features provide internet access to staff, alumni, and other friends of the institution. This makes it easy for alumni to make donations and keep in touch with their former classmates, and it gives fundraising staff quick access to complete constituent information—anytime, anywhere. Staff can monitor the progress of assigned prospects. All activity recorded for a prospect, including new gift and contact information, is immediately available.
It is not unusual for a university that is in the process of adopting an ERP to have a place on the university web site that is dedicated to informing the university community of all aspects of the implementation. 2. The business processes that would be most affected would be those that correspond to the modules of the ERP that the university intends to adopt (see #1 above).



3. A number of the benefits are identified above in the descriptions of the modules, such as:
• Integration of data across the modules for information sharing, enabling better decision making
• Stakeholders have access to appropriate information 24x7 over the Internet
• Enables better communication across user groups
• Enables better customer service (includes students, faculty, and many others identified in #1 above)

Some of the typical costs include:
• Cost of the software package
• Consultants to help implement the ERP
• BPR projects, especially the employee time spent (opportunity cost because they can’t do their normal responsibilities while they work on the BPR project)
• Potential morale issues that must be considered and dealt with (change management)
• Training so employees can use the system and that the university can more fully realize benefits of the new system

4. As we discussed in the chapter, and included in Figure 15-6, the use of consultants is very directly related to a successful implementation of an ERP. One of the keys to a successful ERP implementation is the leadership, and an interesting article on this topic is by Edwin Cornelius, entitled, “Who Should Lead Your Campus ERP Implementation?” and may be found at this site: http://www.collegiateproject.com/articles/Who%20should%20lead%20your%20campus%20ERP%20implementation.pdf

The different types of support that consultants can offer are:
• Change management
• Leader/key facilitator of the project (working with the university project manager)
• Coordination of the ERP implementation team(s) efforts
• IT or technical systems advice and expertise

5. A number of examples are available for expected timelines to implement an ERP (for example, see Temple University: http://www.temple.edu/cs/erp/timeline.htm). Some use graphical representations, some use a table format, but the information conveyed is the same – giving the viewer an idea of the length of time to implement the ERP and the progression of the implementation across the university. Since there are many modules to implement, Linda would undoubtedly want to include timelines for implementation. She would suggest which modules to install first and how long it will take to install and train users in the new systems. Installing in stages has many advantages, one of which is success in smaller increments, which raises confidence and morale.


